[syzbot] kernel BUG in __ext4_journal_stop


syzbot

Nov 28, 2022, 5:23:48 AM
to adilger...@dilger.ca, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, ty...@mit.edu
Hello,

syzbot found the following issue on:

HEAD commit: cf562a45a0d5 Merge tag 'pull-fixes' of git://git.kernel.or..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=111947ed880000
kernel config: https://syzkaller.appspot.com/x/.config?x=8d01b6e3197974dd
dashboard link: https://syzkaller.appspot.com/bug?extid=bdab24d5bf96d57c50b0
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=128220a1880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11859d55880000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6a92dc058341/disk-cf562a45.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c320c2307225/vmlinux-cf562a45.xz
kernel image: https://storage.googleapis.com/syzbot-assets/00049e41b3c5/bzImage-cf562a45.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/1c3d3c1b6bda/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bdab24...@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 2048
EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none.
------------[ cut here ]------------
kernel BUG at fs/ext4/ext4_jbd2.c:53!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 3634 Comm: syz-executor383 Not tainted 6.1.0-rc6-syzkaller-00375-gcf562a45a0d5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:ext4_put_nojournal fs/ext4/ext4_jbd2.c:53 [inline]
RIP: 0010:__ext4_journal_stop+0x18b/0x190 fs/ext4/ext4_jbd2.c:116
Code: 5b 41 5c 41 5d 41 5e 41 5f 5d c3 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 11 ff ff ff e8 3f cb af ff e9 07 ff ff ff e8 85 b1 5b ff <0f> 0b 0f 1f 00 55 41 57 41 56 41 55 41 54 53 48 83 ec 10 89 d5 89
RSP: 0018:ffffc90003cef840 EFLAGS: 00010293
RAX: ffffffff822ee66b RBX: 0000000000000000 RCX: ffff888024c81d40
RDX: 0000000000000000 RSI: 0000000000000323 RDI: ffffffff8cabd2f1
RBP: 0000000000000323 R08: ffffffff8234d69d R09: fffffbfff1cebdfe
R10: fffffbfff1cebdfe R11: 1ffffffff1cebdfd R12: ffff888074426750
R13: 1ffff1100e884cea R14: 0000000000000012 R15: ffffffff8cabd2f1
FS: 00007f91dbeb5700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f91dbe94718 CR3: 000000002916b000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ext4_write_inline_data_end+0x743/0xcd0 fs/ext4/inline.c:803
generic_perform_write+0x3dc/0x5e0 mm/filemap.c:3764
ext4_buffered_write_iter+0x122/0x3a0 fs/ext4/file.c:285
ext4_file_write_iter+0x1d0/0x18d0
call_write_iter include/linux/fs.h:2199 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x7dc/0xc50 fs/read_write.c:584
ksys_write+0x177/0x2a0 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f91dbf09579
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f91dbeb52f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f91dbf8e7a0 RCX: 00007f91dbf09579
RDX: 0000000000000009 RSI: 0000000020000f80 RDI: 0000000000000004
RBP: 00007f91dbf5b828 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f91dbf5b0c0
R13: 0000000020000800 R14: 0030656c69662f2e R15: 00007f91dbf8e7a8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ext4_put_nojournal fs/ext4/ext4_jbd2.c:53 [inline]
RIP: 0010:__ext4_journal_stop+0x18b/0x190 fs/ext4/ext4_jbd2.c:116
Code: 5b 41 5c 41 5d 41 5e 41 5f 5d c3 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 11 ff ff ff e8 3f cb af ff e9 07 ff ff ff e8 85 b1 5b ff <0f> 0b 0f 1f 00 55 41 57 41 56 41 55 41 54 53 48 83 ec 10 89 d5 89
RSP: 0018:ffffc90003cef840 EFLAGS: 00010293
RAX: ffffffff822ee66b RBX: 0000000000000000 RCX: ffff888024c81d40
RDX: 0000000000000000 RSI: 0000000000000323 RDI: ffffffff8cabd2f1
RBP: 0000000000000323 R08: ffffffff8234d69d R09: fffffbfff1cebdfe
R10: fffffbfff1cebdfe R11: 1ffffffff1cebdfd R12: ffff888074426750
R13: 1ffff1100e884cea R14: 0000000000000012 R15: ffffffff8cabd2f1
FS: 00007f91dbeb5700(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000204 CR3: 000000002916b000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

Theodore Ts'o

Jun 1, 2023, 11:17:36 PM
to syzbot, syzkall...@googlegroups.com
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git ext4_for_linus_stable

Subject: [PATCH v2] ext4: fix race condition between buffer write and page_mkwrite
From: Baokun Li <liba...@huawei.com>

diff --git a/fs/ext4/file.c b/fs/ext4/file.c
index d101b3b0c7da..9df82d72eb90 100644
--- a/fs/ext4/file.c
+++ b/fs/ext4/file.c
@@ -795,7 +795,8 @@ static const struct vm_operations_struct ext4_file_vm_ops = {
static int ext4_file_mmap(struct file *file, struct vm_area_struct *vma)
{
struct inode *inode = file->f_mapping->host;
- struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
+ struct super_block *sb = inode->i_sb;
+ struct ext4_sb_info *sbi = EXT4_SB(sb);
struct dax_device *dax_dev = sbi->s_daxdev;

if (unlikely(ext4_forced_shutdown(sbi)))
@@ -808,6 +809,27 @@ static int ext4_file_mmap(struct file *file, struct vm_area_struct *vma)
if (!daxdev_mapping_supported(vma, dax_dev))
return -EOPNOTSUPP;

+ /*
+ * Writing via mmap has no logic to handle inline data, so we
+ * need to call ext4_convert_inline_data() to convert the inode
+ * to normal format before doing so, otherwise a BUG_ON will be
+ * triggered in ext4_writepages() due to the
+ * EXT4_STATE_MAY_INLINE_DATA flag. Moreover, we need to grab
+ * i_rwsem during conversion, since clearing and setting the
+ * inline data flag may race with ext4_buffered_write_iter()
+ * to trigger a BUG_ON.
+ */
+ if (ext4_has_feature_inline_data(sb) &&
+ vma->vm_flags & VM_SHARED && vma->vm_flags & VM_MAYWRITE) {
+ int err;
+
+ inode_lock(inode);
+ err = ext4_convert_inline_data(inode);
+ inode_unlock(inode);
+ if (err)
+ return err;
+ }
+
file_accessed(file);
if (IS_DAX(file_inode(file))) {
vma->vm_ops = &ext4_dax_vm_ops;
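Review bot: the flag test `vma->vm_flags & VM_SHARED && vma->vm_flags & VM_MAYWRITE` mixes bitwise and logical operators without parentheses; write it as `(vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_MAYWRITE)` so the intended precedence is explicit. Testing VM_MAYWRITE rather than VM_WRITE is the right choice here, since a shared mapping created read-only can later be made writable, which is why the conversion has to happen at mmap() time instead of on the first write fault. The comment describes the BUG_ON in ext4_writepages(), but the trace in this report fires in ext4_put_nojournal() reached from ext4_write_inline_data_end(); mentioning that path as well would tie the comment to the reported crash. It would also help to state plainly that i_rwsem is taken here because ext4_buffered_write_iter() runs under the same lock, so the "may race" wording becomes a concrete serialisation argument.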
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index ce5f21b6c2b3..31844c4ec9fe 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -6043,10 +6043,6 @@ vm_fault_t ext4_page_mkwrite(struct vm_fault *vmf)

filemap_invalidate_lock_shared(mapping);

- err = ext4_convert_inline_data(inode);
- if (err)
- goto out_ret;
-
/*
* On data journalling we skip straight to the transaction handle:
* there's no delalloc; page truncated will be checked later; the
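Review bot: with the ext4_convert_inline_data() call removed, check that `err` and the `out_ret` label still have other users in ext4_page_mkwrite(); if this was the only assignment to `err` before the first goto, the build will now warn about an unused or uninitialised variable, and a label with no remaining goto warns under -Wunused-label. The removal is only safe because the change in fs/ext4/file.c guarantees that any VM_SHARED and VM_MAYWRITE mapping of an inline-data inode has been converted before a write fault can reach this function; a one-line comment at this point saying that inline data is handled in ext4_file_mmap() would keep the two sites from drifting apart in future changes.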
--
2.31.1

syzbot

Jun 1, 2023, 11:58:31 PM
to syzkall...@googlegroups.com, ty...@mit.edu
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+bdab24...@syzkaller.appspotmail.com

Tested on:

commit: eb1f822c ext4: enable the lazy init thread when remoun..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git ext4_for_linus_stable
console output: https://syzkaller.appspot.com/x/log.txt?x=1128cb69280000
kernel config: https://syzkaller.appspot.com/x/.config?x=3da6c5d3e0a6c932
dashboard link: https://syzkaller.appspot.com/bug?extid=bdab24d5bf96d57c50b0
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=12b82c71280000

Note: testing is done by a robot and is best-effort only.

Theodore Ts'o

Jun 3, 2023, 12:08:43 AM
to syzbot, syzkall...@googlegroups.com
@syz fix: ext4: fix race condition between buffer write and page_mkwrite

Aleksandr Nogikh

Jun 8, 2023, 4:47:04 AM
to Theodore Ts'o, syzbot, syzkall...@googlegroups.com
#syz fix: ext4: fix race condition between buffer write and page_mkwrite

On Sat, Jun 3, 2023 at 6:08 AM Theodore Ts'o <ty...@mit.edu> wrote:
>
> @syz fix: ext4: fix race condition between buffer write and page_mkwrite
>

syzbot

Sep 6, 2023, 4:48:44 AM
to adilger...@dilger.ca, jone...@google.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, nog...@google.com, syzkaller-a...@googlegroups.com, syzkall...@googlegroups.com, tudor....@linaro.org, ty...@mit.edu
This bug is marked as fixed by commit:
ext4: fix race condition between buffer write and page_mkwrite

But I can't find it in the tested trees[1] for more than 90 days.
Is it a correct commit? Please update it by replying:

#syz fix: exact-commit-title

Until then the bug is still considered open and new crashes with
the same signature are ignored.

Kernel: Linux
Dashboard link: https://syzkaller.appspot.com/bug?extid=bdab24d5bf96d57c50b0

---
[1] I expect the commit to be present in:

1. for-kernelci branch of
git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git

2. master branch of
git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git

3. master branch of
git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git

4. main branch of
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git

The full list of 9 trees can be found at
https://syzkaller.appspot.com/upstream/repos

syzbot

Sep 20, 2023, 4:49:36 AM
to adilger...@dilger.ca, jone...@google.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, nog...@google.com, syzkaller-a...@googlegroups.com, syzkall...@googlegroups.com, tudor....@linaro.org, ty...@mit.edu

syzbot

Oct 4, 2023, 4:49:48 AM
to adilger...@dilger.ca, jone...@google.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, nog...@google.com, syzkaller-a...@googlegroups.com, syzkall...@googlegroups.com, tudor....@linaro.org, ty...@mit.edu

Aleksandr Nogikh

Oct 4, 2023, 5:57:50 AM
to syzbot, adilger...@dilger.ca, jone...@google.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, syzkaller-a...@googlegroups.com, syzkall...@googlegroups.com, tudor....@linaro.org, ty...@mit.edu
On Wed, Oct 4, 2023 at 10:49 AM syzbot
<syzbot+bdab24...@syzkaller.appspotmail.com> wrote:
>
> This bug is marked as fixed by commit:
> ext4: fix race condition between buffer write and page_mkwrite

There's been such a series, but it apparently did not get through.
Let's unfix the bug, syzbot will either do a fix bisection and find
the actual fix commit or auto-invalidate the bug.

#syz unfix

syzbot

Jan 30, 2024, 1:22:05 AM
to adilger...@dilger.ca, ax...@kernel.dk, bra...@kernel.org, ja...@suse.cz, jone...@google.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, nog...@google.com, syzkaller-a...@googlegroups.com, syzkall...@googlegroups.com, tudor....@linaro.org, ty...@mit.edu
syzbot suspects this issue was fixed by commit:

commit 6f861765464f43a71462d52026fbddfc858239a5
Author: Jan Kara <ja...@suse.cz>
Date: Wed Nov 1 17:43:10 2023 +0000

fs: Block writes to mounted block devices

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=12d23c97e80000
start commit: eeac8ede1755 Linux 6.3-rc2
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=dbab9019ad6fc418
dashboard link: https://syzkaller.appspot.com/bug?extid=bdab24d5bf96d57c50b0
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14e5a788c80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=141e64e2c80000

If the result looks correct, please mark the issue as fixed by replying with:

#syz fix: fs: Block writes to mounted block devices

For information about bisection process see: https://goo.gl/tpsmEJ#bisection