[syzbot] [v9fs?] WARNING in v9fs_begin_writeback


syzbot

Aug 6, 2024, 5:45:33 AM
to asma...@codewreck.org, eri...@kernel.org, linux-...@vger.kernel.org, linu...@crudebyte.com, lu...@ionkov.net, syzkall...@googlegroups.com, v9...@lists.linux.dev
Hello,

syzbot found the following issue on:

HEAD commit: c0ecd6388360 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=133ac8d3980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15ffa365980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15e4b703980000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-c0ecd638.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/4e795892c4ac/vmlinux-c0ecd638.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3e387ec3cd3f/bzImage-c0ecd638.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0b74d3...@syzkaller.appspotmail.com

------------[ cut here ]------------
folio expected an open fid inode->i_ino=23005ff
WARNING: CPU: 2 PID: 1155 at fs/9p/vfs_addr.c:39 v9fs_begin_writeback fs/9p/vfs_addr.c:39 [inline]
WARNING: CPU: 2 PID: 1155 at fs/9p/vfs_addr.c:39 v9fs_begin_writeback+0x210/0x280 fs/9p/vfs_addr.c:33
Modules linked in:
CPU: 2 UID: 0 PID: 1155 Comm: kworker/u32:9 Not tainted 6.11.0-rc1-syzkaller-00154-gc0ecd6388360 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: writeback wb_workfn (flush-9p-55)
RIP: 0010:v9fs_begin_writeback fs/9p/vfs_addr.c:39 [inline]
RIP: 0010:v9fs_begin_writeback+0x210/0x280 fs/9p/vfs_addr.c:33
Call Trace:
<TASK>
netfs_writepages+0x656/0xde0 fs/netfs/write_issue.c:534
do_writepages+0x1a3/0x7f0 mm/page-writeback.c:2683
__writeback_single_inode+0x163/0xf90 fs/fs-writeback.c:1651
writeback_sb_inodes+0x611/0x1150 fs/fs-writeback.c:1947
wb_writeback+0x199/0xb50 fs/fs-writeback.c:2127
wb_do_writeback fs/fs-writeback.c:2274 [inline]
wb_workfn+0x28d/0xf40 fs/fs-writeback.c:2314
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf20 kernel/workqueue.c:3390
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Edward Adam Davis

Aug 6, 2024, 7:35:48 AM
to syzbot+0b74d3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Is request writable?

#syz test: upstream c0ecd6388360

diff --git a/fs/9p/vfs_addr.c b/fs/9p/vfs_addr.c
index a97ceb105cd8..ac69716aad07 100644
--- a/fs/9p/vfs_addr.c
+++ b/fs/9p/vfs_addr.c
@@ -33,8 +33,12 @@
static void v9fs_begin_writeback(struct netfs_io_request *wreq)
{
struct p9_fid *fid;
+ bool writing = (wreq->origin == NETFS_READ_FOR_WRITE ||
+ wreq->origin == NETFS_WRITETHROUGH ||
+ wreq->origin == NETFS_UNBUFFERED_WRITE ||
+ wreq->origin == NETFS_DIO_WRITE);

- fid = v9fs_fid_find_inode(wreq->inode, true, INVALID_UID, true);
+ fid = v9fs_fid_find_inode(wreq->inode, writing, INVALID_UID, true);
if (!fid) {
WARN_ONCE(1, "folio expected an open fid inode->i_ino=%lx\n",
wreq->inode->i_ino);
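Review bot: the four origins tested for `writing` do not include the plain writeback origin, yet this function is the writeback hook (the trace above enters it from netfs_writepages), so `writing` is false on exactly the path that warns and the lookup would then accept a read-only fid for a write. The WARN text says the real problem is that no open fid is attached to the inode at all, and this change does not touch that; relaxing want_writeable only hides the assertion (syzbot's run of this patch below still warns, at vfs_addr.c:43). The more useful question is where the fid leaves the inode's list relative to the writeback being issued, i.e. the release path.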

syzbot

Aug 6, 2024, 7:56:04 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in v9fs_begin_writeback

WARNING: CPU: 2 PID: 64 at fs/9p/vfs_addr.c:43 v9fs_begin_writeback+0x25f/0x2c0 fs/9p/vfs_addr.c:43
Modules linked in:
CPU: 2 UID: 0 PID: 64 Comm: kworker/u32:3 Not tainted 6.11.0-rc1-syzkaller-00154-gc0ecd6388360-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: writeback wb_workfn (flush-9p-1)
RIP: 0010:v9fs_begin_writeback+0x25f/0x2c0 fs/9p/vfs_addr.c:43
Call Trace:
<TASK>
netfs_writepages+0x656/0xde0 fs/netfs/write_issue.c:534
do_writepages+0x1a3/0x7f0 mm/page-writeback.c:2683
__writeback_single_inode+0x163/0xf90 fs/fs-writeback.c:1651
writeback_sb_inodes+0x611/0x1150 fs/fs-writeback.c:1947
wb_writeback+0x199/0xb50 fs/fs-writeback.c:2127
wb_do_writeback fs/fs-writeback.c:2274 [inline]
wb_workfn+0x28d/0xf40 fs/fs-writeback.c:2314
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf20 kernel/workqueue.c:3390
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=173a319d980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=125cb8d3980000

Edward Adam Davis

Aug 8, 2024, 7:10:17 AM
to syzbot+0b74d3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
debug

#syz test: upstream c0ecd6388360

diff --git a/fs/9p/fid.c b/fs/9p/fid.c
index de009a33e0e2..a5b716b716d4 100644
--- a/fs/9p/fid.c
+++ b/fs/9p/fid.c
@@ -67,6 +67,7 @@ struct p9_fid *v9fs_fid_find_inode(struct inode *inode, bool want_writeable,

spin_lock(&inode->i_lock);
h = (struct hlist_head *)&inode->i_private;
+ printk("ino: %p, inode fid list is empty: %d, %s\n", inode, hlist_empty(h), __func__);
hlist_for_each_entry(fid, h, ilist) {
if (any || uid_eq(fid->uid, uid)) {
if (want_writeable && !v9fs_is_writeable(fid->mode)) {
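Review bot: the added printk prints the inode as a hashed %p while the WARN_ONCE it is meant to explain prints inode->i_ino with %lx, so the two lines cannot be matched by eye; print i_ino with the same %lx format instead. It also runs under inode->i_lock on every lookup, read path included, which will flood the console under the reproducer; at minimum gate it on hlist_empty(h).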
diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c
index 348cc90bf9c5..0da8ff7f38fb 100644
--- a/fs/9p/vfs_file.c
+++ b/fs/9p/vfs_file.c
@@ -44,6 +44,7 @@ int v9fs_file_open(struct inode *inode, struct file *file)
struct p9_fid *fid;
int omode;

+ printk("1ind: %p, %s\n", inode, __func__);
p9_debug(P9_DEBUG_VFS, "inode: %p file: %p\n", inode, file);
v9ses = v9fs_inode2v9ses(inode);
if (v9fs_proto_dotl(v9ses))
@@ -54,8 +55,10 @@ int v9fs_file_open(struct inode *inode, struct file *file)
fid = file->private_data;
if (!fid) {
fid = v9fs_fid_clone(file_dentry(file));
- if (IS_ERR(fid))
- return PTR_ERR(fid);
+ if (IS_ERR(fid)) {
+ err = PTR_ERR(fid);
+ goto error;
+ }

if ((v9ses->cache & CACHE_WRITEBACK) && (omode & P9_OWRITE)) {
int writeback_omode = (omode & ~P9_OWRITE) | P9_ORDWR;
@@ -72,7 +75,7 @@ int v9fs_file_open(struct inode *inode, struct file *file)
}
if (err < 0) {
p9_fid_put(fid);
- return err;
+ goto error;
}
if ((file->f_flags & O_APPEND) &&
(!v9fs_proto_dotu(v9ses) && !v9fs_proto_dotl(v9ses)))
@@ -87,8 +90,12 @@ int v9fs_file_open(struct inode *inode, struct file *file)
file->f_mode & FMODE_WRITE);
#endif
v9fs_fid_add_modes(fid, v9ses->flags, v9ses->cache, file->f_flags);
+ printk("2ind: %p, %s\n", inode, __func__);
v9fs_open_fid_add(inode, &fid);
return 0;
+error:
+ printk("err: %d, ind: %p, %s\n", err, inode, __func__);
+
}

/**
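Review bot: the new error: label ends in a bare printk with no `return err;`, so control falls off the end of a non-void function; gcc with -Werror=return-type rejects this (syzbot's build failure below is exactly that). Add `return err;` after the printk.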
diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c
index fd72fc38c8f5..29a055f2fe7b 100644
--- a/fs/9p/vfs_inode.c
+++ b/fs/9p/vfs_inode.c
@@ -738,6 +738,7 @@ v9fs_vfs_atomic_open(struct inode *dir, struct dentry *dentry,
struct inode *inode;
int p9_omode;

+ printk("1ind: %p, %s\n", inode, __func__);
if (d_in_lookup(dentry)) {
res = v9fs_vfs_lookup(dir, dentry, 0);
if (IS_ERR(res))
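Review bot: the printk prints `inode` before anything has assigned it: it is declared without an initializer at the top of this hunk and only the lookup/create path further down sets it, so the value printed here is stack garbage. Print `dir` at this point, or move the printk after inode is obtained.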
@@ -781,6 +782,7 @@ v9fs_vfs_atomic_open(struct inode *dir, struct dentry *dentry,
#endif

v9fs_fid_add_modes(fid, v9ses->flags, v9ses->cache, file->f_flags);
+ printk("2ind: %p, %s\n", inode, __func__);
v9fs_open_fid_add(inode, &fid);

file->f_mode |= FMODE_CREATED;
@@ -789,6 +791,7 @@ v9fs_vfs_atomic_open(struct inode *dir, struct dentry *dentry,
return err;

error:
+ printk("err: %d, ind: %p, %s\n", err, inode, __func__);
p9_fid_put(fid);
goto out;
}
diff --git a/fs/9p/vfs_inode_dotl.c b/fs/9p/vfs_inode_dotl.c
index c61b97bd13b9..3c4c744af0e8 100644
--- a/fs/9p/vfs_inode_dotl.c
+++ b/fs/9p/vfs_inode_dotl.c
@@ -194,6 +194,7 @@ v9fs_vfs_atomic_open_dotl(struct inode *dir, struct dentry *dentry,
struct posix_acl *pacl = NULL, *dacl = NULL;
struct dentry *res = NULL;

+ printk("1ind: %p, %s\n", inode, __func__);
if (d_in_lookup(dentry)) {
res = v9fs_vfs_lookup(dir, dentry, 0);
if (IS_ERR(res))
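Review bot: same concern as the non-dotl variant above: `inode` is the result of the lookup/create that follows this line, so check that it has a value here before printing it; otherwise print `dir` instead.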
@@ -284,9 +285,11 @@ v9fs_vfs_atomic_open_dotl(struct inode *dir, struct dentry *dentry,
}
#endif
v9fs_fid_add_modes(ofid, v9ses->flags, v9ses->cache, flags);
+ printk("2ind: %p, %s\n", inode, __func__);
v9fs_open_fid_add(inode, &ofid);
file->f_mode |= FMODE_CREATED;
out:
+ printk("err: %d, ind: %p, %s\n", err, inode, __func__);
p9_fid_put(dfid);
p9_fid_put(ofid);
p9_fid_put(fid);

syzbot

Aug 8, 2024, 7:24:05 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

fs/9p/vfs_file.c:99:1: error: control reaches end of non-void function [-Werror=return-type]


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12be496d980000

Edward Adam Davis

Aug 8, 2024, 7:44:38 AM
to syzbot+0b74d3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
debug

#syz test: upstream c0ecd6388360

diff --git a/fs/9p/fid.c b/fs/9p/fid.c
index de009a33e0e2..a5b716b716d4 100644
--- a/fs/9p/fid.c
+++ b/fs/9p/fid.c
@@ -67,6 +67,7 @@ struct p9_fid *v9fs_fid_find_inode(struct inode *inode, bool want_writeable,

spin_lock(&inode->i_lock);
h = (struct hlist_head *)&inode->i_private;
+ printk("ino: %p, inode fid list is empty: %d, %s\n", inode, hlist_empty(h), __func__);
hlist_for_each_entry(fid, h, ilist) {
if (any || uid_eq(fid->uid, uid)) {
if (want_writeable && !v9fs_is_writeable(fid->mode)) {
diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c
index 348cc90bf9c5..5329b83829e4 100644
@@ -87,8 +90,13 @@ int v9fs_file_open(struct inode *inode, struct file *file)
file->f_mode & FMODE_WRITE);
#endif
v9fs_fid_add_modes(fid, v9ses->flags, v9ses->cache, file->f_flags);
+ printk("2ind: %p, %s\n", inode, __func__);
v9fs_open_fid_add(inode, &fid);
return 0;
+error:
+ printk("err: %d, ind: %p, %s\n", err, inode, __func__);
+ return err;
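Review bot: the vfs_file.c part of this diff is missing its `--- a/` and `+++ b/` header lines and the earlier hunks that introduce the `goto error` jumps, so it cannot be applied as pasted; presumably the complete patch was attached. The `return err;` after the printk resolves the return-type error from the previous round.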

syzbot

Aug 8, 2024, 8:10:05 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in v9fs_begin_writeback

ino: ffff888032f426a0, inode fid list is empty: 1, v9fs_fid_find_inode
------------[ cut here ]------------
folio expected an open fid inode->i_ino=1901337
WARNING: CPU: 0 PID: 65 at fs/9p/vfs_addr.c:39 v9fs_begin_writeback fs/9p/vfs_addr.c:39 [inline]
WARNING: CPU: 0 PID: 65 at fs/9p/vfs_addr.c:39 v9fs_begin_writeback+0x210/0x280 fs/9p/vfs_addr.c:33
Modules linked in:
CPU: 0 UID: 0 PID: 65 Comm: kworker/u32:3 Not tainted 6.11.0-rc1-syzkaller-00154-gc0ecd6388360-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: writeback wb_workfn (flush-9p-76)
RIP: 0010:v9fs_begin_writeback fs/9p/vfs_addr.c:39 [inline]
RIP: 0010:v9fs_begin_writeback+0x210/0x280 fs/9p/vfs_addr.c:33
Call Trace:
<TASK>
netfs_writepages+0x656/0xde0 fs/netfs/write_issue.c:534
do_writepages+0x1a3/0x7f0 mm/page-writeback.c:2683
__writeback_single_inode+0x163/0xf90 fs/fs-writeback.c:1651
writeback_sb_inodes+0x611/0x1150 fs/fs-writeback.c:1947
wb_writeback+0x199/0xb50 fs/fs-writeback.c:2127
wb_do_writeback fs/fs-writeback.c:2274 [inline]
wb_workfn+0x28d/0xf40 fs/fs-writeback.c:2314
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf20 kernel/workqueue.c:3390
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=161d9755980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11272e5d980000

Edward Adam Davis

Aug 8, 2024, 9:35:35 AM
to syzbot+0b74d3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
debug

#syz test: upstream c0ecd6388360

diff --git a/fs/9p/fid.c b/fs/9p/fid.c
index de009a33e0e2..a5b716b716d4 100644
--- a/fs/9p/fid.c
+++ b/fs/9p/fid.c
@@ -67,6 +67,7 @@ struct p9_fid *v9fs_fid_find_inode(struct inode *inode, bool want_writeable,

spin_lock(&inode->i_lock);
h = (struct hlist_head *)&inode->i_private;
+ printk("ino: %p, inode fid list is empty: %d, %s\n", inode, hlist_empty(h), __func__);
hlist_for_each_entry(fid, h, ilist) {
if (any || uid_eq(fid->uid, uid)) {
if (want_writeable && !v9fs_is_writeable(fid->mode)) {
diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c
index e0d34e4e9076..cf7200ed2553 100644
--- a/fs/9p/vfs_dir.c
+++ b/fs/9p/vfs_dir.c
@@ -218,6 +218,7 @@ int v9fs_dir_release(struct inode *inode, struct file *filp)
if ((S_ISREG(inode->i_mode)) && (filp->f_mode & FMODE_WRITE))
retval = filemap_fdatawrite(inode->i_mapping);

+ printk("del, ind: %p, ino: %lu, %s\n", inode, inode->i_ino, __func__);
spin_lock(&inode->i_lock);
hlist_del(&fid->ilist);
spin_unlock(&inode->i_lock);
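Review bot: i_ino is printed here with %lu, but the WARN_ONCE in v9fs_begin_writeback prints it with %lx, so the "del" lines and the warning will show different numbers for the same inode (the 1901335/1901337 values in the warnings are hex). Use %lx in both so the release of a fid can be correlated with the later writeback that fails to find one.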
diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c
index 348cc90bf9c5..abadf3b5fecb 100644
--- a/fs/9p/vfs_file.c
+++ b/fs/9p/vfs_file.c
@@ -44,6 +44,7 @@ int v9fs_file_open(struct inode *inode, struct file *file)
struct p9_fid *fid;
int omode;

+ printk("1ind: %p, file: %p, %s\n", inode, file, __func__);
+ printk("2ind: %p, ino: %lu, %s\n", inode, inode->i_ino, __func__);
v9fs_open_fid_add(inode, &fid);
return 0;
+error:
+ printk("err: %d, ind: %p, %s\n", err, inode, __func__);
+ return err;
+
}

/**
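Review bot: this hunk is not self-consistent: its header covers the local declarations at line 44, but the body jumps from the two printk lines straight to v9fs_open_fid_add / return 0 / error:, which sit some forty lines later, and the `goto error` changes that the new label depends on are not shown. As pasted it will not apply with git apply, so the diff syzbot tested is presumably the complete one. The second printk should also use %lx for i_ino, for the same reason as in vfs_dir.c.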
diff --git a/fs/9p/vfs_inode_dotl.c b/fs/9p/vfs_inode_dotl.c
index c61b97bd13b9..085a788a3262 100644
--- a/fs/9p/vfs_inode_dotl.c
+++ b/fs/9p/vfs_inode_dotl.c
@@ -284,9 +284,11 @@ v9fs_vfs_atomic_open_dotl(struct inode *dir, struct dentry *dentry,
}
#endif
v9fs_fid_add_modes(ofid, v9ses->flags, v9ses->cache, flags);
+ printk("2ind: %p, ino: %lu, %s\n", inode, inode->i_ino, __func__);
v9fs_open_fid_add(inode, &ofid);
file->f_mode |= FMODE_CREATED;
out:
+ printk("err: %d, ind: %p, ino: %lu, %s\n", err, inode, inode->i_ino, __func__);
p9_fid_put(dfid);
p9_fid_put(ofid);
p9_fid_put(fid);
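Review bot: the printk at out: dereferences `inode->i_ino`, but out: is also the error exit (it is where dfid, ofid and fid are released), and on those paths inode may not have been set yet since it is produced by the create/lookup above. Move the printk to the success path before out:, or initialise inode to NULL and print `inode ? inode->i_ino : 0`.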

syzbot

Aug 8, 2024, 9:56:04 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in v9fs_begin_writeback

ino: ffff8880329e8000, inode fid list is empty: 1, v9fs_fid_find_inode
------------[ cut here ]------------
folio expected an open fid inode->i_ino=1901335
WARNING: CPU: 3 PID: 3173 at fs/9p/vfs_addr.c:39 v9fs_begin_writeback fs/9p/vfs_addr.c:39 [inline]
WARNING: CPU: 3 PID: 3173 at fs/9p/vfs_addr.c:39 v9fs_begin_writeback+0x210/0x280 fs/9p/vfs_addr.c:33
Modules linked in:
CPU: 3 UID: 0 PID: 3173 Comm: kworker/u32:11 Not tainted 6.11.0-rc1-syzkaller-00154-gc0ecd6388360-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: writeback wb_workfn (flush-9p-172)
RIP: 0010:v9fs_begin_writeback fs/9p/vfs_addr.c:39 [inline]
RIP: 0010:v9fs_begin_writeback+0x210/0x280 fs/9p/vfs_addr.c:33
Call Trace:
<TASK>
netfs_writepages+0x656/0xde0 fs/netfs/write_issue.c:534
do_writepages+0x1a3/0x7f0 mm/page-writeback.c:2683
__writeback_single_inode+0x163/0xf90 fs/fs-writeback.c:1651
writeback_sb_inodes+0x611/0x1150 fs/fs-writeback.c:1947
wb_writeback+0x199/0xb50 fs/fs-writeback.c:2127
wb_do_writeback fs/fs-writeback.c:2274 [inline]
wb_workfn+0x28d/0xf40 fs/fs-writeback.c:2314
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf20 kernel/workqueue.c:3390
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1355d66d980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=125dbd23980000

Edward Adam Davis

Aug 8, 2024, 11:02:35 AM
to syzbot+0b74d3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
debug

#syz test: upstream c0ecd6388360

diff --git a/fs/file_table.c b/fs/file_table.c
index ca7843dde56d..3d7a59961ff6 100644
--- a/fs/file_table.c
+++ b/fs/file_table.c
@@ -418,6 +418,7 @@ static void __fput(struct file *file)
if (file->f_op->fasync)
file->f_op->fasync(-1, file, 0);
}
+ printk("ino: %lx, %s\n", inode->i_ino, __func__);
if (file->f_op->release)
file->f_op->release(inode, file);
if (unlikely(S_ISCHR(inode->i_mode) && inode->i_cdev != NULL &&
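Review bot: this printk sits in the generic __fput, so it fires for every file closed anywhere on the system, not just 9p files, and will swamp the console under the reproducer. Restrict it to the filesystem under test, e.g. `if (inode->i_sb->s_magic == V9FS_MAGIC)`, or drop it, since the printk added to v9fs_dir_release in the previous patch already records the 9p release.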
diff --git a/fs/9p/fid.c b/fs/9p/fid.c
index de009a33e0e2..7a08750da902 100644
--- a/fs/9p/fid.c
+++ b/fs/9p/fid.c
@@ -67,6 +67,7 @@ struct p9_fid *v9fs_fid_find_inode(struct inode *inode, bool want_writeable,

spin_lock(&inode->i_lock);
h = (struct hlist_head *)&inode->i_private;
+ printk("ino: %p, inode fid list is empty: %d, %s\n", inode, hlist_empty(h), __func__);
hlist_for_each_entry(fid, h, ilist) {
if (any || uid_eq(fid->uid, uid)) {
if (want_writeable && !v9fs_is_writeable(fid->mode)) {
@@ -132,8 +133,10 @@ static struct p9_fid *v9fs_fid_find(struct dentry *dentry, kuid_t uid, int any)
}
spin_unlock(&dentry->d_lock);
} else {
- if (dentry->d_inode)
+ if (dentry->d_inode) {
+ printk("ino: %lx, %s\n", dentry->d_inode->i_ino, __func__);
ret = v9fs_fid_find_inode(dentry->d_inode, false, uid, any);
+ }
}

return ret;
diff --git a/fs/9p/vfs_addr.c b/fs/9p/vfs_addr.c
index a97ceb105cd8..a022263265fd 100644
--- a/fs/9p/vfs_addr.c
+++ b/fs/9p/vfs_addr.c
@@ -34,6 +34,7 @@ static void v9fs_begin_writeback(struct netfs_io_request *wreq)
{
struct p9_fid *fid;

+ printk("ino: %lx, %s\n", wreq->inode->i_ino, __func__);
fid = v9fs_fid_find_inode(wreq->inode, true, INVALID_UID, true);
if (!fid) {
WARN_ONCE(1, "folio expected an open fid inode->i_ino=%lx\n",
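Review bot: logging only the inode before the lookup does not distinguish the two ways v9fs_fid_find_inode can return NULL here: no fid on the inode's list at all, or fids present but none writable (want_writeable is true at this call, and the loop in fid.c skips fids for which v9fs_is_writeable is false). Log after the lookup, including fid and fid->mode when it is non-NULL, so the warning case can be classified.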
@@ -105,6 +106,7 @@ static int v9fs_init_request(struct netfs_io_request *rreq, struct file *file)
goto no_fid;
p9_fid_get(fid);
} else {
+ printk("ino: %lx, %s\n", rreq->inode->i_ino, __func__);
fid = v9fs_fid_find_inode(rreq->inode, writing, INVALID_UID, true);
if (!fid)
goto no_fid;

syzbot

Aug 8, 2024, 11:23:06 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in v9fs_begin_writeback

------------[ cut here ]------------
folio expected an open fid inode->i_ino=1901336
WARNING: CPU: 3 PID: 1109 at fs/9p/vfs_addr.c:40 v9fs_begin_writeback+0x24c/0x2c0 fs/9p/vfs_addr.c:40
Modules linked in:
CPU: 3 UID: 0 PID: 1109 Comm: kworker/u32:8 Not tainted 6.11.0-rc1-syzkaller-00154-gc0ecd6388360-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: writeback wb_workfn (flush-9p-18)
RIP: 0010:v9fs_begin_writeback+0x24c/0x2c0 fs/9p/vfs_addr.c:40
Call Trace:
<TASK>
netfs_writepages+0x656/0xde0 fs/netfs/write_issue.c:534
do_writepages+0x1a3/0x7f0 mm/page-writeback.c:2683
__writeback_single_inode+0x163/0xf90 fs/fs-writeback.c:1651
writeback_sb_inodes+0x611/0x1150 fs/fs-writeback.c:1947
wb_writeback+0x199/0xb50 fs/fs-writeback.c:2127
wb_do_writeback fs/fs-writeback.c:2274 [inline]
wb_workfn+0x28d/0xf40 fs/fs-writeback.c:2314
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf20 kernel/workqueue.c:3390
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=136a5b6d980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=123eb723980000

Edward Adam Davis

Aug 8, 2024, 7:22:57 PM
to syzbot+0b74d3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
debug

#syz test: upstream c0ecd6388360

diff --git a/fs/9p/fid.c b/fs/9p/fid.c
index de009a33e0e2..d008ae949047 100644
--- a/fs/9p/fid.c
+++ b/fs/9p/fid.c
@@ -67,6 +67,7 @@ struct p9_fid *v9fs_fid_find_inode(struct inode *inode, bool want_writeable,

spin_lock(&inode->i_lock);
h = (struct hlist_head *)&inode->i_private;
+ printk("ino: %lx, inode fid list is empty: %d, %s\n", inode->i_ino, hlist_empty(h), __func__);
hlist_for_each_entry(fid, h, ilist) {
if (any || uid_eq(fid->uid, uid)) {
if (want_writeable && !v9fs_is_writeable(fid->mode)) {
diff --git a/fs/9p/vfs_addr.c b/fs/9p/vfs_addr.c
index a97ceb105cd8..7768cc70439d 100644
--- a/fs/9p/vfs_addr.c
+++ b/fs/9p/vfs_addr.c
@@ -34,6 +34,7 @@ static void v9fs_begin_writeback(struct netfs_io_request *wreq)
{
struct p9_fid *fid;

+ printk("ino: %lx, %s\n", wreq->inode->i_ino, __func__);
fid = v9fs_fid_find_inode(wreq->inode, true, INVALID_UID, true);
if (!fid) {
WARN_ONCE(1, "folio expected an open fid inode->i_ino=%lx\n",
diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c
index e0d34e4e9076..4f02d8f294b1 100644
--- a/fs/9p/vfs_dir.c
+++ b/fs/9p/vfs_dir.c
@@ -218,7 +218,12 @@ int v9fs_dir_release(struct inode *inode, struct file *filp)
if ((S_ISREG(inode->i_mode)) && (filp->f_mode & FMODE_WRITE))
retval = filemap_fdatawrite(inode->i_mapping);

+ printk("del, ind: %p, ino: %lx, %s\n", inode, inode->i_ino, __func__);
spin_lock(&inode->i_lock);
+ if (inode_is_dirtytime_only(inode)) {
+ spin_unlock(&inode->i_lock);
+ return -EINVAL;
+ }
hlist_del(&fid->ilist);
spin_unlock(&inode->i_lock);
put_err = p9_fid_put(fid);
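Review bot: the early return at the new check skips both the hlist_del and the p9_fid_put that follow it, so whenever it fires the fid stays on the inode's list after the file is gone and its reference is never dropped. The -EINVAL is also discarded: __fput calls file->f_op->release without looking at its return value (see the file_table.c hunk in the previous patch). If the intent is to keep the fid alive until writeback has finished, the release path needs to wait for the writeback rather than bail out.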
diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c
index 348cc90bf9c5..b0c2cd989854 100644
--- a/fs/9p/vfs_file.c
+++ b/fs/9p/vfs_file.c
@@ -44,6 +44,7 @@ int v9fs_file_open(struct inode *inode, struct file *file)
struct p9_fid *fid;
int omode;

+ printk("ind: %p, ino: %lx, %s\n", inode, inode->i_ino, __func__);

syzbot

Aug 8, 2024, 7:43:04 PM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in v9fs_begin_writeback

ino: 1901336, v9fs_begin_writeback
ino: 1901336, inode fid list is empty: 1, v9fs_fid_find_inode
------------[ cut here ]------------
folio expected an open fid inode->i_ino=1901336
WARNING: CPU: 2 PID: 46 at fs/9p/vfs_addr.c:40 v9fs_begin_writeback+0x24c/0x2c0 fs/9p/vfs_addr.c:40
Modules linked in:
CPU: 2 UID: 0 PID: 46 Comm: kworker/u32:3 Not tainted 6.11.0-rc1-syzkaller-00154-gc0ecd6388360-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: writeback wb_workfn (flush-9p-17)
RIP: 0010:v9fs_begin_writeback+0x24c/0x2c0 fs/9p/vfs_addr.c:40
Call Trace:
<TASK>
netfs_writepages+0x656/0xde0 fs/netfs/write_issue.c:534
do_writepages+0x1a3/0x7f0 mm/page-writeback.c:2683
__writeback_single_inode+0x163/0xf90 fs/fs-writeback.c:1651
writeback_sb_inodes+0x611/0x1150 fs/fs-writeback.c:1947
wb_writeback+0x199/0xb50 fs/fs-writeback.c:2127
wb_do_writeback fs/fs-writeback.c:2274 [inline]
wb_workfn+0x28d/0xf40 fs/fs-writeback.c:2314
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf20 kernel/workqueue.c:3390
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=11331ed3980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1236fc5d980000

Lizhi Xu

Aug 8, 2024, 9:44:16 PM
to syzbot+0b74d3...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
wait for writeback done before releasing inode

#syz test: upstream c0ecd6388360

diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c
index e0d34e4e9076..cddbd7cc39e5 100644
--- a/fs/9p/vfs_dir.c
+++ b/fs/9p/vfs_dir.c
@@ -218,7 +218,13 @@ int v9fs_dir_release(struct inode *inode, struct file *filp)
if ((S_ISREG(inode->i_mode)) && (filp->f_mode & FMODE_WRITE))
retval = filemap_fdatawrite(inode->i_mapping);

+ printk("del, ind: %p, ino: %lx, ino is dirty: %d, %s\n", inode, inode->i_ino, inode->i_state & I_DIRTY, __func__);
spin_lock(&inode->i_lock);
+ if (inode->i_state & I_DIRTY) {
+ spin_unlock(&inode->i_lock);
+ wait_on_bit_timeout(&inode->i_state, ~I_DIRTY, TASK_UNINTERRUPTIBLE, HZ*100);
+ spin_lock(&inode->i_lock);
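Review bot: the bit argument to wait_on_bit_timeout() is a bit index, but `~I_DIRTY` is the complement of a multi-bit mask (I_DIRTY_SYNC | I_DIRTY_DATASYNC | I_DIRTY_PAGES), so test_bit() is steered to a word far outside inode->i_state; that is the wild-memory-access at vfs_dir.c:225 that syzbot reports for this patch. There is no single bit that means "dirty": the VFS tests `inode->i_state & I_DIRTY` as a mask, and the thing that can actually be waited on is in-flight writeback, bit __I_SYNC, which is what inode_wait_for_writeback() in fs/fs-writeback.c waits on with i_lock held. Two smaller points: `%d` does not match the unsigned long value of `inode->i_state & I_DIRTY`, and the hunk as posted ends before i_lock is released again, so the lock balance of the added branch cannot be checked.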

syzbot

Aug 8, 2024, 10:04:07 PM
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: wild-memory-access Read in v9fs_dir_release

==================================================================
BUG: KASAN: wild-memory-access in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: wild-memory-access in _test_bit_acquire include/asm-generic/bitops/instrumented-non-atomic.h:153 [inline]
BUG: KASAN: wild-memory-access in wait_on_bit_timeout include/linux/wait_bit.h:126 [inline]
BUG: KASAN: wild-memory-access in v9fs_dir_release+0x5b6/0x710 fs/9p/vfs_dir.c:225
Read of size 8 at addr 1fff8880330d80c8 by task syz.0.15/5886

CPU: 3 UID: 0 PID: 5886 Comm: syz.0.15 Not tainted 6.11.0-rc1-syzkaller-00154-gc0ecd6388360-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
kasan_report+0xd9/0x110 mm/kasan/report.c:601
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:68 [inline]
_test_bit_acquire include/asm-generic/bitops/instrumented-non-atomic.h:153 [inline]
wait_on_bit_timeout include/linux/wait_bit.h:126 [inline]
v9fs_dir_release+0x5b6/0x710 fs/9p/vfs_dir.c:225
__fput+0x408/0xbb0 fs/file_table.c:422
task_work_run+0x14e/0x250 kernel/task_work.c:228
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xaa3/0x2bb0 kernel/exit.c:882
do_group_exit+0xd3/0x2a0 kernel/exit.c:1031
get_signal+0x25fd/0x2770 kernel/signal.c:2917
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbb473773b9
Code: Unable to access opcode bytes at 0x7fbb4737738f.
RSP: 002b:00007fbb4807f0f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: 0000000000000001 RBX: 00007fbb47505f88 RCX: 00007fbb473773b9
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007fbb47505f8c
RBP: 00007fbb47505f80 R08: 00007fbb48080080 R09: 00007fbb4807f6c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fbb47505f8c
R13: 000000000000000b R14: 00007fff1cf6dc20 R15: 00007fff1cf6dd08
</TASK>
==================================================================


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=15b3bd23980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15702291980000
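
The wild read above is the direct result of the value handed to wait_on_bit_timeout(). The following user-space C program is an added example, not code from this thread or from fs/9p: it models the kernel's test_bit() semantics to show why a flag mask such as I_DIRTY or I_SYNC, passed where a bit index is expected, either tests the wrong flag or indexes a word outside inode->i_state. The flag values are an assumption mirrored from include/linux/fs.h of the 6.11 tree under test (the kernel defines them as int constants; the model uses unsigned long), and the two inode states are constructed for the demonstration.

```c
/*
 * Added example (not from the thread or from fs/9p): a user-space model of
 * the kernel's test_bit() that shows what happens when a flag *mask*
 * (I_DIRTY, I_SYNC) is passed to an API that expects a *bit index*
 * (wait_on_bit_timeout(), test_bit()).  Flag values are an assumption
 * mirrored from include/linux/fs.h of the 6.11 tree; the kernel defines
 * them as int constants, this model uses unsigned long.
 */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define BITS_PER_LONG ((unsigned long)(sizeof(unsigned long) * CHAR_BIT))
#define BIT_WORD(nr)  ((unsigned long)(nr) / BITS_PER_LONG)

/* inode->i_state flags (assumed values, see header comment). */
#define I_DIRTY_SYNC     (1UL << 0)
#define I_DIRTY_DATASYNC (1UL << 1)
#define I_DIRTY_PAGES    (1UL << 2)
#define __I_SYNC         7                  /* the bit index ...              */
#define I_SYNC           (1UL << __I_SYNC)  /* ... and the mask built from it */
#define I_DIRTY          (I_DIRTY_SYNC | I_DIRTY_DATASYNC | I_DIRTY_PAGES)

/* Constructed inode states: writeback running but nothing dirty, and
 * dirty pages with no writeback running. */
static const unsigned long state_syncing = I_SYNC;
static const unsigned long state_dirty   = I_DIRTY_PAGES;

/*
 * Model of generic test_bit(): nr is a bit index and the word read is
 * addr[nr / BITS_PER_LONG].  The kernel helper has no bounds check, so an
 * index beyond the field reads unrelated memory (the KASAN report above).
 * This model takes the field size in words and returns -1 instead.
 */
static int test_bit_checked(unsigned long nr, const unsigned long *addr,
                            size_t nwords)
{
    if (BIT_WORD(nr) >= nwords)
        return -1;
    return (int)((addr[BIT_WORD(nr)] >> (nr % BITS_PER_LONG)) & 1UL);
}

/* The mask test the VFS uses for "is this inode dirty": state & I_DIRTY. */
static int state_has_mask(unsigned long state, unsigned long mask)
{
    return (state & mask) != 0;
}

/*
 * Guard before calling a bit-index API with a flag: accept only a mask
 * with exactly one bit set and return its index; return -1 for zero or a
 * multi-bit mask such as I_DIRTY, which has no single bit to wait on.
 */
static long mask_to_bit_index(unsigned long mask)
{
    if (mask == 0 || (mask & (mask - 1)) != 0)
        return -1;
    return (long)__builtin_ctzl(mask);
}

int main(void)
{
    printf("syncing & I_DIRTY           = %d   (correct: not dirty)\n",
           state_has_mask(state_syncing, I_DIRTY));
    printf("test_bit(I_DIRTY, syncing)  = %d   (bit %lu is __I_SYNC: false positive)\n",
           test_bit_checked(I_DIRTY, &state_syncing, 1), I_DIRTY);
    printf("test_bit(I_DIRTY, dirty)    = %d   (false negative)\n",
           test_bit_checked(I_DIRTY, &state_dirty, 1));
    printf("test_bit(I_SYNC, syncing)   = %d  (word %lu of a 1-word field)\n",
           test_bit_checked(I_SYNC, &state_syncing, 1), BIT_WORD(I_SYNC));
    printf("test_bit(~I_DIRTY, syncing) = %d  (wild word index %lu)\n",
           test_bit_checked(~I_DIRTY, &state_syncing, 1), BIT_WORD(~I_DIRTY));
    printf("test_bit(__I_SYNC, syncing) = %d   (correct index)\n",
           test_bit_checked(__I_SYNC, &state_syncing, 1));
    printf("mask_to_bit_index(I_DIRTY)  = %ld  (rejected)\n",
           mask_to_bit_index(I_DIRTY));
    printf("mask_to_bit_index(I_SYNC)   = %ld   (== __I_SYNC)\n",
           mask_to_bit_index(I_SYNC));
    return 0;
}
```

Build with `cc -Wall -o bitmask bitmask.c`. The point of mask_to_bit_index() is the check that would have caught each of the patches in this thread before testing: a value is only a legal argument for a bit-wait API if exactly one bit is set, and even then the argument must be the index, not the mask.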

Lizhi Xu

Aug 9, 2024, 1:48:57 AM
to syzbot+0b74d3...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
wait for writeback done before releasing inode

#syz test: upstream c0ecd6388360

diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c
index e0d34e4e9076..d5eea95b8690 100644
--- a/fs/9p/vfs_dir.c
+++ b/fs/9p/vfs_dir.c
@@ -218,7 +218,15 @@ int v9fs_dir_release(struct inode *inode, struct file *filp)
if ((S_ISREG(inode->i_mode)) && (filp->f_mode & FMODE_WRITE))
retval = filemap_fdatawrite(inode->i_mapping);

+ printk("del, ind: %p, ino: %lx, ino is dirty: %d, %s\n", inode, inode->i_ino, inode->i_state & I_DIRTY, __func__);
spin_lock(&inode->i_lock);
+ if (inode->i_state & I_DIRTY) {
+ spin_unlock(&inode->i_lock);
+ if (wait_on_bit_timeout(&inode->i_state, I_DIRTY,
+ TASK_UNINTERRUPTIBLE, HZ*30))
+ return -EBUSY;
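Review bot: I_DIRTY is still a mask, not a bit index; in this tree it evaluates to 7, which is __I_SYNC, so the wait keys on writeback-in-progress instead of dirtiness, and the reproducer hits the same WARNING. Returning -EBUSY from ->release is also a no-op with a side effect: __fput() ignores the return value of ->release, while the early return skips the rest of v9fs_dir_release(), so the fids on the inode's list are never clunked. If the goal is to drain dirty pages before the fid goes away, filemap_write_and_wait(inode->i_mapping) in place of filemap_fdatawrite() does that without touching i_state bits at all.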

syzbot

Aug 9, 2024, 2:09:04 AM
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in v9fs_begin_writeback

------------[ cut here ]------------
folio expected an open fid inode->i_ino=1901335
WARNING: CPU: 1 PID: 1107 at fs/9p/vfs_addr.c:39 v9fs_begin_writeback fs/9p/vfs_addr.c:39 [inline]
WARNING: CPU: 1 PID: 1107 at fs/9p/vfs_addr.c:39 v9fs_begin_writeback+0x210/0x280 fs/9p/vfs_addr.c:33
Modules linked in:
CPU: 1 UID: 0 PID: 1107 Comm: kworker/u32:7 Not tainted 6.11.0-rc1-syzkaller-00154-gc0ecd6388360-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: writeback wb_workfn (flush-9p-39)
RIP: 0010:v9fs_begin_writeback fs/9p/vfs_addr.c:39 [inline]
RIP: 0010:v9fs_begin_writeback+0x210/0x280 fs/9p/vfs_addr.c:33
Code: 00 fc ff df 48 8b 5b 48 48 8d 7b 40 48 89 fa 48 c1 ea 03 80 3c 02 00 75 66 48 8b 73 40 48 c7 c7 20 9a 8e 8b e8 51 4a 0d fe 90 <0f> 0b 90 90 e9 62 ff ff ff e8 32 2b a8 fe e9 51 ff ff ff e8 98 2a
RSP: 0018:ffffc90005d6f480 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff888032a2ad10 RCX: ffffffff814cc379
RDX: ffff888022d94880 RSI: ffffffff814cc386 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888040c47448
R13: dffffc0000000000 R14: ffffc90005d6f840 R15: ffff888040c47698
FS: 0000000000000000(0000) GS:ffff88806b100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f18749020c0 CR3: 000000000db7c000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
netfs_writepages+0x656/0xde0 fs/netfs/write_issue.c:534
do_writepages+0x1a3/0x7f0 mm/page-writeback.c:2683
__writeback_single_inode+0x163/0xf90 fs/fs-writeback.c:1651
writeback_sb_inodes+0x611/0x1150 fs/fs-writeback.c:1947
wb_writeback+0x199/0xb50 fs/fs-writeback.c:2127
wb_do_writeback fs/fs-writeback.c:2274 [inline]
wb_workfn+0x28d/0xf40 fs/fs-writeback.c:2314
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf20 kernel/workqueue.c:3390
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17004ff9980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17406ff1980000

Lizhi Xu

Aug 9, 2024, 2:41:28 AM
to syzbot+0b74d3...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
wait for writeback done before releasing inode

#syz test: upstream c0ecd6388360

diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c
index e0d34e4e9076..ca7ea0d619aa 100644
--- a/fs/9p/vfs_dir.c
+++ b/fs/9p/vfs_dir.c
@@ -219,6 +219,14 @@ int v9fs_dir_release(struct inode *inode, struct file *filp)
retval = filemap_fdatawrite(inode->i_mapping);

spin_lock(&inode->i_lock);
+ if (test_bit(I_DIRTY, &inode->i_state)) {
+ spin_unlock(&inode->i_lock);
+ if (wait_on_bit_timeout(&inode->i_state, I_DIRTY,
+ TASK_UNINTERRUPTIBLE, HZ))
+ return -EBUSY;
+ printk("del, ind: %p, ino: %lx, ino is dirty: %d, %s\n", inode, inode->i_ino, inode->i_state & I_DIRTY, __func__);
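Review bot: test_bit(I_DIRTY, &inode->i_state) has the same mask-as-index problem as the previous attempt (bit 7 is __I_SYNC, not dirtiness), and moving the printk after the wait means it now logs the state after the timeout rather than the state that triggered the branch. The wait cannot affect the WARNING in any case: v9fs_begin_writeback() fails because v9fs_fid_find_inode() finds no writeable fid on the inode when the flusher runs, and nothing in this hunk keeps a fid on inode->i_private alive; it only makes close() sleep up to HZ on a dirty inode and then return a value the VFS discards.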

syzbot

Aug 9, 2024, 3:01:04 AM
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in v9fs_begin_writeback

------------[ cut here ]------------
folio expected an open fid inode->i_ino=1901336
WARNING: CPU: 0 PID: 1204 at fs/9p/vfs_addr.c:39 v9fs_begin_writeback fs/9p/vfs_addr.c:39 [inline]
WARNING: CPU: 0 PID: 1204 at fs/9p/vfs_addr.c:39 v9fs_begin_writeback+0x210/0x280 fs/9p/vfs_addr.c:33
Modules linked in:
CPU: 0 UID: 0 PID: 1204 Comm: kworker/u32:9 Not tainted 6.11.0-rc1-syzkaller-00154-gc0ecd6388360-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: writeback wb_workfn (flush-9p-21)
RIP: 0010:v9fs_begin_writeback fs/9p/vfs_addr.c:39 [inline]
RIP: 0010:v9fs_begin_writeback+0x210/0x280 fs/9p/vfs_addr.c:33
Code: 00 fc ff df 48 8b 5b 48 48 8d 7b 40 48 89 fa 48 c1 ea 03 80 3c 02 00 75 66 48 8b 73 40 48 c7 c7 20 9a 8e 8b e8 51 4a 0d fe 90 <0f> 0b 90 90 e9 62 ff ff ff e8 32 2b a8 fe e9 51 ff ff ff e8 98 2a
RSP: 0018:ffffc90005dff480 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff88803274e090 RCX: ffffffff814cc379
RDX: ffff8880232cc880 RSI: ffffffff814cc386 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888024d0cd48
R13: dffffc0000000000 R14: ffffc90005dff840 R15: ffff888024d0cf98
FS: 0000000000000000(0000) GS:ffff88806b000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020001000 CR3: 0000000023c86000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
netfs_writepages+0x656/0xde0 fs/netfs/write_issue.c:534
do_writepages+0x1a3/0x7f0 mm/page-writeback.c:2683
__writeback_single_inode+0x163/0xf90 fs/fs-writeback.c:1651
writeback_sb_inodes+0x611/0x1150 fs/fs-writeback.c:1947
wb_writeback+0x199/0xb50 fs/fs-writeback.c:2127
wb_do_writeback fs/fs-writeback.c:2274 [inline]
wb_workfn+0x28d/0xf40 fs/fs-writeback.c:2314
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf20 kernel/workqueue.c:3390
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=10c34d11980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=138833bd980000

Lizhi Xu

Aug 9, 2024, 3:41:08 AM
to syzbot+0b74d3...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
add file refcount when adding fid to list

#syz test: upstream c0ecd6388360

diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c
index e0d34e4e9076..99c7015396ab 100644
--- a/fs/9p/vfs_dir.c
+++ b/fs/9p/vfs_dir.c
@@ -219,6 +219,14 @@ int v9fs_dir_release(struct inode *inode, struct file *filp)
retval = filemap_fdatawrite(inode->i_mapping);

spin_lock(&inode->i_lock);
+ if (test_bit(I_SYNC, &inode->i_state)) {
+ spin_unlock(&inode->i_lock);
+ if (wait_on_bit_timeout(&inode->i_state, I_SYNC,
+ TASK_UNINTERRUPTIBLE, HZ))
+ return -EBUSY;
+ printk("del, ind: %p, ino: %lx, ino is dirty: %d, %s\n", inode, inode->i_ino, inode->i_state & I_SYNC, __func__);
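Review bot: I_SYNC is `1 << __I_SYNC`, i.e. a mask with bit 7 set, so test_bit(I_SYNC, ...) and wait_on_bit_timeout(&inode->i_state, I_SYNC, ...) index bit 128, two words past the single unsigned long i_state, and read some unrelated inode field. The bit index is __I_SYNC, which is what inode_wait_for_writeback() in fs/fs-writeback.c waits on, with i_lock held, so the unlock/relock dance here is not needed either. The subject "add file refcount when adding fid to list" also does not describe this hunk, which only changes v9fs_dir_release().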

syzbot

Aug 9, 2024, 4:01:06 AM
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in v9fs_begin_writeback

------------[ cut here ]------------
folio expected an open fid inode->i_ino=1901336
WARNING: CPU: 2 PID: 77 at fs/9p/vfs_addr.c:39 v9fs_begin_writeback fs/9p/vfs_addr.c:39 [inline]
WARNING: CPU: 2 PID: 77 at fs/9p/vfs_addr.c:39 v9fs_begin_writeback+0x210/0x280 fs/9p/vfs_addr.c:33
Modules linked in:
CPU: 2 UID: 0 PID: 77 Comm: kworker/u32:4 Not tainted 6.11.0-rc1-syzkaller-00154-gc0ecd6388360-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: writeback wb_workfn (flush-9p-15)
RIP: 0010:v9fs_begin_writeback fs/9p/vfs_addr.c:39 [inline]
RIP: 0010:v9fs_begin_writeback+0x210/0x280 fs/9p/vfs_addr.c:33
Code: 00 fc ff df 48 8b 5b 48 48 8d 7b 40 48 89 fa 48 c1 ea 03 80 3c 02 00 75 66 48 8b 73 40 48 c7 c7 20 9a 8e 8b e8 51 4a 0d fe 90 <0f> 0b 90 90 e9 62 ff ff ff e8 32 2b a8 fe e9 51 ff ff ff e8 98 2a
RSP: 0018:ffffc9000160f480 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff88803299e090 RCX: ffffffff814cc379
RDX: ffff88801ac3c880 RSI: ffffffff814cc386 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffff88801b5260c8
R13: dffffc0000000000 R14: ffffc9000160f840 R15: ffff88801b526318
FS: 0000000000000000(0000) GS:ffff88806b200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c001011000 CR3: 00000000225d4000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
netfs_writepages+0x656/0xde0 fs/netfs/write_issue.c:534
do_writepages+0x1a3/0x7f0 mm/page-writeback.c:2683
__writeback_single_inode+0x163/0xf90 fs/fs-writeback.c:1651
writeback_sb_inodes+0x611/0x1150 fs/fs-writeback.c:1947
wb_writeback+0x199/0xb50 fs/fs-writeback.c:2127
wb_do_writeback fs/fs-writeback.c:2274 [inline]
wb_workfn+0x28d/0xf40 fs/fs-writeback.c:2314
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf20 kernel/workqueue.c:3390
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1327b2bd980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1493d66d980000

Lizhi Xu

Aug 9, 2024, 4:15:49 AM
to syzbot+0b74d3...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
add file refcount when adding fid to list

#syz test: upstream c0ecd6388360

diff --git a/fs/9p/fid.c b/fs/9p/fid.c
index de009a33e0e2..4ccd9cb74c11 100644
--- a/fs/9p/fid.c
+++ b/fs/9p/fid.c
@@ -95,6 +95,7 @@ void v9fs_open_fid_add(struct inode *inode, struct p9_fid **pfid)
struct p9_fid *fid = *pfid;

spin_lock(&inode->i_lock);
+ fget(fid->fid);
hlist_add_head(&fid->ilist, (struct hlist_head *)&inode->i_private);
spin_unlock(&inode->i_lock);
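Review bot: fget() takes a file descriptor number of the current task and returns a reference to that task's struct file; fid->fid is the 9P fid number negotiated with the server, not an fd, so this looks up an unrelated (or nonexistent) file, and the returned reference is dropped on the floor either way, pinning that file forever. A p9_fid carries its own reference count: if the intent is to keep the fid alive while it sits on inode->i_private, take the reference with p9_fid_get() here and drop it with p9_fid_put() where the fid is removed from the list, otherwise the fid is never clunked. The build error in the next message (fget() is declared in linux/file.h) is the least of it.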

syzbot

Aug 9, 2024, 4:29:04 AM
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

fs/9p/fid.c:98:9: error: implicit declaration of function 'fget'; did you mean 'sget'? [-Werror=implicit-function-declaration]


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=14722213980000

Lizhi Xu

Aug 9, 2024, 4:36:04 AM
to syzbot+0b74d3...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
add file refcount when adding fid to list

#syz test: upstream c0ecd6388360

diff --git a/fs/9p/fid.c b/fs/9p/fid.c
index de009a33e0e2..b7016e148f48 100644
--- a/fs/9p/fid.c
+++ b/fs/9p/fid.c
@@ -13,6 +13,7 @@
#include <linux/sched.h>
#include <net/9p/9p.h>
#include <net/9p/client.h>
+#include <linux/file.h>

#include "v9fs.h"
#include "v9fs_vfs.h"
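Review bot: adding linux/file.h silences the implicit-declaration error but does not change what the call does: fget(fid->fid) still treats a 9P fid number as a file descriptor and leaks whatever reference it returns, and the next test shows the WARNING unchanged. Style: linux/ headers go with the other linux/ includes (next to linux/sched.h), not after the net/9p headers.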
@@ -95,6 +96,7 @@ void v9fs_open_fid_add(struct inode *inode, struct p9_fid **pfid)

syzbot

Aug 9, 2024, 4:56:04 AM
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in v9fs_begin_writeback

------------[ cut here ]------------
folio expected an open fid inode->i_ino=1901336
WARNING: CPU: 2 PID: 609 at fs/9p/vfs_addr.c:39 v9fs_begin_writeback fs/9p/vfs_addr.c:39 [inline]
WARNING: CPU: 2 PID: 609 at fs/9p/vfs_addr.c:39 v9fs_begin_writeback+0x210/0x280 fs/9p/vfs_addr.c:33
Modules linked in:
CPU: 2 UID: 0 PID: 609 Comm: kworker/u32:5 Not tainted 6.11.0-rc1-syzkaller-00154-gc0ecd6388360-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: writeback wb_workfn (flush-9p-21)
RIP: 0010:v9fs_begin_writeback fs/9p/vfs_addr.c:39 [inline]
RIP: 0010:v9fs_begin_writeback+0x210/0x280 fs/9p/vfs_addr.c:33
Code: 00 fc ff df 48 8b 5b 48 48 8d 7b 40 48 89 fa 48 c1 ea 03 80 3c 02 00 75 66 48 8b 73 40 48 c7 c7 20 9a 8e 8b e8 51 4a 0d fe 90 <0f> 0b 90 90 e9 62 ff ff ff e8 32 2b a8 fe e9 51 ff ff ff e8 98 2a
RSP: 0018:ffffc90003f3f480 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff8880321a6d70 RCX: ffffffff814cc379
RDX: ffff88801f710000 RSI: ffffffff814cc386 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88802eb42408
R13: dffffc0000000000 R14: ffffc90003f3f840 R15: ffff88802eb42658
FS: 0000000000000000(0000) GS:ffff88806b200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000740 CR3: 000000004221c000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
netfs_writepages+0x656/0xde0 fs/netfs/write_issue.c:534
do_writepages+0x1a3/0x7f0 mm/page-writeback.c:2683
__writeback_single_inode+0x163/0xf90 fs/fs-writeback.c:1651
writeback_sb_inodes+0x611/0x1150 fs/fs-writeback.c:1947
wb_writeback+0x199/0xb50 fs/fs-writeback.c:2127
wb_do_writeback fs/fs-writeback.c:2274 [inline]
wb_workfn+0x28d/0xf40 fs/fs-writeback.c:2314
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf20 kernel/workqueue.c:3390
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=13b83d11980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10689dbd980000

Lizhi Xu

Aug 9, 2024, 5:20:10 AM
to syzbot+0b74d3...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
permission not granted

#syz test: upstream c0ecd6388360

diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c
index 348cc90bf9c5..02cbc93ece5c 100644
--- a/fs/9p/vfs_file.c
+++ b/fs/9p/vfs_file.c
@@ -22,6 +22,7 @@
#include <linux/slab.h>
#include <net/9p/9p.h>
#include <net/9p/client.h>
+#include <linux/security.h>

#include "v9fs.h"
#include "v9fs_vfs.h"
@@ -44,6 +45,10 @@ int v9fs_file_open(struct inode *inode, struct file *file)
struct p9_fid *fid;
int omode;

+ if ((file->f_flags & O_RDWR || file->f_flags & O_WRONLY) &&
+ security_file_permission(file, MAY_WRITE))
+ return -EPERM;
+
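Review bot: `file->f_flags & O_RDWR || file->f_flags & O_WRONLY` open-codes an access-mode test; write `(file->f_flags & O_ACCMODE) != O_RDONLY`, or better `file->f_mode & FMODE_WRITE`, which the VFS has already derived from the flags. The larger issue is that security_file_permission() is the LSM hook rw_verify_area() already invokes on every read and write; calling it again at open has no bearing on whether a writeable fid exists when writeback starts, and syzbot reports the same WARNING. If an LSM check is kept, return its own error code instead of replacing it with -EPERM.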

syzbot

Aug 9, 2024, 5:40:05 AM
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in v9fs_begin_writeback

------------[ cut here ]------------
folio expected an open fid inode->i_ino=1901337
WARNING: CPU: 0 PID: 13 at fs/9p/vfs_addr.c:39 v9fs_begin_writeback fs/9p/vfs_addr.c:39 [inline]
WARNING: CPU: 0 PID: 13 at fs/9p/vfs_addr.c:39 v9fs_begin_writeback+0x210/0x280 fs/9p/vfs_addr.c:33
Modules linked in:
CPU: 0 UID: 0 PID: 13 Comm: kworker/u32:1 Not tainted 6.11.0-rc1-syzkaller-00154-gc0ecd6388360-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: writeback wb_workfn (flush-9p-18)
RIP: 0010:v9fs_begin_writeback fs/9p/vfs_addr.c:39 [inline]
RIP: 0010:v9fs_begin_writeback+0x210/0x280 fs/9p/vfs_addr.c:33
Code: 00 fc ff df 48 8b 5b 48 48 8d 7b 40 48 89 fa 48 c1 ea 03 80 3c 02 00 75 66 48 8b 73 40 48 c7 c7 20 9a 8e 8b e8 51 4a 0d fe 90 <0f> 0b 90 90 e9 62 ff ff ff e8 32 2b a8 fe e9 51 ff ff ff e8 98 2a
RSP: 0018:ffffc90000107480 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff8880333a53b0 RCX: ffffffff814cc379
RDX: ffff888017ea8000 RSI: ffffffff814cc386 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88802bfe5708
R13: dffffc0000000000 R14: ffffc90000107840 R15: ffff88802bfe5958
FS: 0000000000000000(0000) GS:ffff88806b000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055556843b5c8 CR3: 0000000026014000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
netfs_writepages+0x656/0xde0 fs/netfs/write_issue.c:534
do_writepages+0x1a3/0x7f0 mm/page-writeback.c:2683
__writeback_single_inode+0x163/0xf90 fs/fs-writeback.c:1651
writeback_sb_inodes+0x611/0x1150 fs/fs-writeback.c:1947
wb_writeback+0x199/0xb50 fs/fs-writeback.c:2127
wb_do_writeback fs/fs-writeback.c:2274 [inline]
wb_workfn+0x28d/0xf40 fs/fs-writeback.c:2314
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf20 kernel/workqueue.c:3390
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=15ac45d9980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1014bae5980000

Edward Adam Davis

Aug 9, 2024, 7:24:29 AM
to syzbot+0b74d3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
debug

#syz test: upstream c0ecd6388360

diff --git a/fs/9p/fid.c b/fs/9p/fid.c
index de009a33e0e2..b5ccab74bb6f 100644
--- a/fs/9p/fid.c
+++ b/fs/9p/fid.c
@@ -13,6 +13,7 @@
#include <linux/sched.h>
#include <net/9p/9p.h>
#include <net/9p/client.h>
+#include <linux/file.h>

#include "v9fs.h"
#include "v9fs_vfs.h"
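Review bot: nothing in this patch uses anything from linux/file.h (no fget()/fput() call remains in fid.c), so this include is a leftover from the earlier attempt and should be dropped.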
diff --git a/fs/9p/vfs_addr.c b/fs/9p/vfs_addr.c
index a97ceb105cd8..7768cc70439d 100644
--- a/fs/9p/vfs_addr.c
+++ b/fs/9p/vfs_addr.c
@@ -34,6 +34,7 @@ static void v9fs_begin_writeback(struct netfs_io_request *wreq)
{
struct p9_fid *fid;

+ printk("ino: %lx, %s\n", wreq->inode->i_ino, __func__);
fid = v9fs_fid_find_inode(wreq->inode, true, INVALID_UID, true);
if (!fid) {
WARN_ONCE(1, "folio expected an open fid inode->i_ino=%lx\n",
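Review bot: this printk only repeats the i_ino that the WARN_ONCE two lines below already prints; to explain why v9fs_fid_find_inode(wreq->inode, true, INVALID_UID, true) comes back NULL it should record what the lookup sees: whether the hlist at inode->i_private is empty and, for each fid on it, its mode and uid, since the call asks for a writeable fid of any uid. Note also that WARN_ONCE fires once per boot, so every later failure is silent unless your print stays. Use p9_debug(P9_DEBUG_VFS, ...) or at least a log level rather than a bare printk.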
diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c
index 348cc90bf9c5..002c3f7f0ba3 100644
--- a/fs/9p/vfs_file.c
+++ b/fs/9p/vfs_file.c
@@ -22,6 +22,7 @@
#include <linux/slab.h>
#include <net/9p/9p.h>
#include <net/9p/client.h>
+#include <linux/security.h>

#include "v9fs.h"
#include "v9fs_vfs.h"
@@ -44,6 +45,12 @@ int v9fs_file_open(struct inode *inode, struct file *file)
struct p9_fid *fid;
int omode;

+ if ((file->f_flags & O_RDWR || file->f_flags & O_WRONLY) &&
+ security_file_permission(filp, MAY_WRITE)) {
+ pr_info("file: %p no permission, ino: %lx, %s\n", file, inode->i_ino, __func__);
+ return -EPERM;
+ }
+
p9_debug(P9_DEBUG_VFS, "inode: %p file: %p\n", inode, file);
v9ses = v9fs_inode2v9ses(inode);
if (v9fs_proto_dotl(v9ses))
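Review bot: `filp` is not a variable in v9fs_file_open(); the parameter is `file` (this is the build failure two messages down), so the call has to be `security_file_permission(file, MAY_WRITE)`. Propagate the hook's return value rather than forcing -EPERM.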
@@ -397,6 +404,12 @@ v9fs_file_write_iter(struct kiocb *iocb, struct iov_iter *from)
{
struct file *file = iocb->ki_filp;
struct p9_fid *fid = file->private_data;
+ struct inode *inode = file_inode(file);
+
+ if (security_file_permission(filp, MAY_WRITE)) {
+ pr_info("file: %p no permission, ino: %lx, %s\n", file, inode->i_ino, __func__);
+ return -EPERM;
+ }

p9_debug(P9_DEBUG_VFS, "fid %d\n", fid->fid);
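Review bot: same `filp` for `file` slip here. Beyond that, ->write_iter is only reached after rw_verify_area() has run security_file_permission(file, MAY_WRITE) for the same call, so this check can only fail if that one already did, and `inode` exists solely to feed the pr_info; the hunk adds no information about the missing fid.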

@@ -460,6 +473,11 @@ v9fs_file_mmap(struct file *filp, struct vm_area_struct *vma)
struct inode *inode = file_inode(filp);
struct v9fs_session_info *v9ses = v9fs_inode2v9ses(inode);

+ if (security_file_permission(filp, MAY_WRITE)) {
+ pr_info("file: %p no permission, ino: %lx, %s\n", filp, inode->i_ino, __func__);
+ return -EPERM;
+ }
+
p9_debug(P9_DEBUG_MMAP, "filp :%p\n", filp);

if (!(v9ses->cache & CACHE_WRITEBACK)) {
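Review bot: this refuses every mmap() of a 9p file for which the LSM denies MAY_WRITE, including PROT_READ, MAP_PRIVATE mappings of files opened read-only, which is a user-visible regression rather than a debugging aid. A mapping needs write permission only when it is shared and writable (`(vma->vm_flags & (VM_SHARED | VM_WRITE)) == (VM_SHARED | VM_WRITE)`), and the VFS already calls security_mmap_file() before ->mmap is reached.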
diff --git a/fs/netfs/write_issue.c b/fs/netfs/write_issue.c
index 9258d30cffe3..bab69d871381 100644
--- a/fs/netfs/write_issue.c
+++ b/fs/netfs/write_issue.c
@@ -528,6 +528,7 @@ int netfs_writepages(struct address_space *mapping,
/* It appears we don't have to handle cyclic writeback wrapping. */
WARN_ON_ONCE(wreq && folio_pos(folio) < wreq->start + wreq->submitted);

+ printk("ino: %lx, folio: %p, %s\n", wret->inode->i_ino, folio, __func__);
if (netfs_folio_group(folio) != NETFS_FOLIO_COPY_TO_CACHE &&
unlikely(!test_bit(NETFS_RREQ_UPLOAD_TO_SERVER, &wreq->flags))) {
set_bit(NETFS_RREQ_UPLOAD_TO_SERVER, &wreq->flags);
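Review bot: `wret` is a typo for `wreq`, which is the build failure in the next message. Also, this prints for every folio of every netfs-backed filesystem on every writeback pass, which floods the console; the 9p-relevant event is the transition just below, where NETFS_RREQ_UPLOAD_TO_SERVER is first set and ->begin_writeback() is called, so the print belongs inside that `if`, tagged with the folio that triggered it, or behind netfs's own _debug() macro.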

syzbot

Aug 9, 2024, 7:36:03 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

fs/netfs/write_issue.c:531:53: error: 'wret' undeclared (first use in this function); did you mean 'wreq'?


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=163928ed980000

Edward Adam Davis

Aug 9, 2024, 8:05:48 AM
to syzbot+0b74d3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
+ printk("ino: %lx, folio: %p, %s\n", wreq->inode->i_ino, folio, __func__);

syzbot

Aug 9, 2024, 8:19:04 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

fs/9p/vfs_file.c:49:38: error: 'filp' undeclared (first use in this function); did you mean 'file'?
fs/9p/vfs_file.c:409:38: error: 'filp' undeclared (first use in this function); did you mean 'file'?


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1082c67d980000

Edward Adam Davis

Aug 9, 2024, 9:32:50 AM
to syzbot+0b74d3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
+ security_file_permission(file, MAY_WRITE)) {
+ pr_info("file: %p no permission, ino: %lx, %s\n", file, inode->i_ino, __func__);
+ return -EPERM;
+ }
+
p9_debug(P9_DEBUG_VFS, "inode: %p file: %p\n", inode, file);
v9ses = v9fs_inode2v9ses(inode);
if (v9fs_proto_dotl(v9ses))
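Review bot: returning a fixed -EPERM discards the error the hook chose (normally -EACCES); return the hook's value instead.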
@@ -397,6 +404,12 @@ v9fs_file_write_iter(struct kiocb *iocb, struct iov_iter *from)
{
struct file *file = iocb->ki_filp;
struct p9_fid *fid = file->private_data;
+ struct inode *inode = file_inode(file);
+
+ if (security_file_permission(file, MAY_WRITE)) {
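Review bot: for write(2)/writev(2) the VFS has already executed security_file_permission(file, MAY_WRITE) in rw_verify_area() before ->write_iter runs, so this duplicate check cannot fail on its own; the log line it guards adds nothing towards locating the fid that the flusher later fails to find.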

syzbot

Aug 9, 2024, 9:53:03 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in v9fs_begin_writeback

ino: 1901337, folio: ffffea0000b9e280, netfs_writepages
ino: 1901337, v9fs_begin_writeback
------------[ cut here ]------------
folio expected an open fid inode->i_ino=1901337
WARNING: CPU: 3 PID: 1111 at fs/9p/vfs_addr.c:40 v9fs_begin_writeback+0x24c/0x2c0 fs/9p/vfs_addr.c:40
Modules linked in:
CPU: 3 UID: 0 PID: 1111 Comm: kworker/u32:8 Not tainted 6.11.0-rc1-syzkaller-00154-gc0ecd6388360-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: writeback wb_workfn (flush-9p-37)
RIP: 0010:v9fs_begin_writeback+0x24c/0x2c0 fs/9p/vfs_addr.c:40
Call Trace:
<TASK>
netfs_writepages+0x6a2/0xe40 fs/netfs/write_issue.c:535
do_writepages+0x1a3/0x7f0 mm/page-writeback.c:2683
__writeback_single_inode+0x163/0xf90 fs/fs-writeback.c:1651
writeback_sb_inodes+0x611/0x1150 fs/fs-writeback.c:1947
wb_writeback+0x199/0xb50 fs/fs-writeback.c:2127
wb_do_writeback fs/fs-writeback.c:2274 [inline]
wb_workfn+0x28d/0xf40 fs/fs-writeback.c:2314
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf20 kernel/workqueue.c:3390
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=121f7bc9980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=107a78ed980000

Edward Adam Davis

Aug 9, 2024, 10:52:49 AM
to syzbot+0b74d3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
debug

#syz test: upstream c0ecd6388360

diff --git a/fs/9p/fid.c b/fs/9p/fid.c
index de009a33e0e2..b5ccab74bb6f 100644
--- a/fs/9p/fid.c
+++ b/fs/9p/fid.c
@@ -13,6 +13,7 @@
#include <linux/sched.h>
#include <net/9p/9p.h>
#include <net/9p/client.h>
+#include <linux/file.h>

#include "v9fs.h"
#include "v9fs_vfs.h"
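Review bot: Nothing in this patch's fs/9p/fid.c hunk uses anything from <linux/file.h>; the include added after <net/9p/client.h> is dead and should be dropped, since it is carried unchanged through every later revision of this debug series.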
diff --git a/fs/9p/vfs_addr.c b/fs/9p/vfs_addr.c
index a97ceb105cd8..7768cc70439d 100644
--- a/fs/9p/vfs_addr.c
+++ b/fs/9p/vfs_addr.c
@@ -34,6 +34,7 @@ static void v9fs_begin_writeback(struct netfs_io_request *wreq)
{
struct p9_fid *fid;

+ printk("ino: %lx, %s\n", wreq->inode->i_ino, __func__);
fid = v9fs_fid_find_inode(wreq->inode, true, INVALID_UID, true);
if (!fid) {
WARN_ONCE(1, "folio expected an open fid inode->i_ino=%lx\n",
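Review bot: The printk() inserted before v9fs_fid_find_inode() has no KERN_ level and fires for every writeback request on the mount; for a throwaway debug patch that is tolerable, but it prints only i_ino, so it cannot be correlated with the release-side trace in vfs_dir.c, which is the race this series is trying to catch. Printing current->comm and the wreq pointer here (as later revisions do elsewhere) would make the two logs line up.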
diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c
index e0d34e4e9076..0ce9ab0d9a9d 100644
--- a/fs/9p/vfs_dir.c
+++ b/fs/9p/vfs_dir.c
@@ -219,6 +219,15 @@ int v9fs_dir_release(struct inode *inode, struct file *filp)
retval = filemap_fdatawrite(inode->i_mapping);

spin_lock(&inode->i_lock);
+ printk("del, ino: %lx, ino sync: %d, %s\n", inode->i_ino, inode->i_state & I_SYNC, __func__);
+ if (I_SYNC & inode->i_state) {
+ spin_unlock(&inode->i_lock);
+ if (wait_on_bit_timeout(&inode->i_state, I_SYNC,
+ TASK_UNINTERRUPTIBLE, 5 * HZ))
+ return -EBUSY;
+ spin_lock(&inode->i_lock);
+ }
+
hlist_del(&fid->ilist);
spin_unlock(&inode->i_lock);
put_err = p9_fid_put(fid);
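Review bot: wait_on_bit_timeout(&inode->i_state, I_SYNC, ...) passes the I_SYNC mask where a bit number is expected: I_SYNC is (1 << __I_SYNC), so this waits on bit 4096 of i_state, well past the end of the unsigned long, rather than on __I_SYNC, which is the bit fs-writeback.c wakes. As written the wait can only end via the 5 * HZ timeout, and when it does, `return -EBUSY` leaves v9fs_dir_release() without the hlist_del()/p9_fid_put() below, so the fid stays on the inode's ilist and its reference is leaked, from a ->release whose return value __fput() does not propagate anyway. Minor: `inode->i_state & I_SYNC` is an unsigned long, so `%d` in the printk will draw a -Wformat warning; use `%lu` or `!!(...)`.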
index 9258d30cffe3..ce6f3c3d04a3 100644
--- a/fs/netfs/write_issue.c
+++ b/fs/netfs/write_issue.c
@@ -522,12 +522,17 @@ int netfs_writepages(struct address_space *mapping,
trace_netfs_write(wreq, netfs_write_trace_writeback);
netfs_stat(&netfs_n_wh_writepages);

+ printk("sync: %d, tb-sync: %d, ino: %lx, %s\n", wreq->inode->i_state & I_SYNC,
+ test_bit(I_SYNC, &wreq->inode->i_state),
+ wreq->inode->i_ino, __func__);
+ wreq->inode->i_state |= I_SYNC;
do {
_debug("wbiter %lx %llx", folio->index, wreq->start + wreq->submitted);

/* It appears we don't have to handle cyclic writeback wrapping. */
WARN_ON_ONCE(wreq && folio_pos(folio) < wreq->start + wreq->submitted);

+ printk("ino: %lx, folio: %p, %s\n", wreq->inode->i_ino, folio, __func__);
if (netfs_folio_group(folio) != NETFS_FOLIO_COPY_TO_CACHE &&
unlikely(!test_bit(NETFS_RREQ_UPLOAD_TO_SERVER, &wreq->flags))) {
set_bit(NETFS_RREQ_UPLOAD_TO_SERVER, &wreq->flags);
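Review bot: `wreq->inode->i_state |= I_SYNC` modifies i_state without inode->i_lock and reuses a flag the writeback core owns. On the path in every syzbot trace in this thread (writeback_sb_inodes -> __writeback_single_inode -> do_writepages -> netfs_writepages) the core has already set I_SYNC under i_lock before ->writepages runs, so the OR is a no-op here, and the matching clear later in this patch drops the core's bit while its writeback is still in progress. test_bit(I_SYNC, &wreq->inode->i_state) repeats the mask-versus-bit-number mix-up from the vfs_dir.c hunk (it should be __I_SYNC), and the `i_state & I_SYNC` read on the previous line already gives the same information. If the goal is to detect a fid release racing with writeback, a private flag in the netfs inode context, or a check made under i_lock, would avoid fighting fs-writeback.c for this bit.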
@@ -538,6 +543,7 @@ int netfs_writepages(struct address_space *mapping,
if (error < 0)
break;
} while ((folio = writeback_iter(mapping, wbc, folio, &error)));
+ wreq->inode->i_state &= ~I_SYNC;

for (int s = 0; s < NR_IO_STREAMS; s++)
netfs_issue_write(wreq, &wreq->io_streams[s]);
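Review bot: `wreq->inode->i_state &= ~I_SYNC` right after the folio loop clears the bit before the netfs_issue_write() calls below have even submitted the final streams, so even on its own terms the "in sync" window this patch is measuring ends before the I/O does; the writeback core will clear its own I_SYNC in inode_sync_complete() once ->writepages returns, which is the point a release-side wait should key on.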

syzbot

Aug 9, 2024, 11:13:03 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in v9fs_begin_writeback

ino: 1901337, folio: ffffea0000cd8b00, netfs_writepages
ino: 1901337, v9fs_begin_writeback
------------[ cut here ]------------
folio expected an open fid inode->i_ino=1901337
WARNING: CPU: 1 PID: 325 at fs/9p/vfs_addr.c:40 v9fs_begin_writeback+0x24c/0x2c0 fs/9p/vfs_addr.c:40
Modules linked in:
CPU: 1 UID: 0 PID: 325 Comm: kworker/u32:5 Not tainted 6.11.0-rc1-syzkaller-00154-gc0ecd6388360-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: writeback wb_workfn (flush-9p-74)
RIP: 0010:v9fs_begin_writeback+0x24c/0x2c0 fs/9p/vfs_addr.c:40
Call Trace:
<TASK>
netfs_writepages+0x812/0x1020 fs/netfs/write_issue.c:539
do_writepages+0x1a3/0x7f0 mm/page-writeback.c:2683
__writeback_single_inode+0x163/0xf90 fs/fs-writeback.c:1651
writeback_sb_inodes+0x611/0x1150 fs/fs-writeback.c:1947
wb_writeback+0x199/0xb50 fs/fs-writeback.c:2127
wb_do_writeback fs/fs-writeback.c:2274 [inline]
wb_workfn+0x28d/0xf40 fs/fs-writeback.c:2314
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf20 kernel/workqueue.c:3390
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=13b6115d980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1095dccb980000

Edward Adam Davis

Aug 9, 2024, 8:54:51 PM
to syzbot+0b74d3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
diff --git a/fs/netfs/write_issue.c b/fs/netfs/write_issue.c
index 9258d30cffe3..60472069907e 100644
--- a/fs/netfs/write_issue.c
+++ b/fs/netfs/write_issue.c
@@ -502,6 +502,7 @@ int netfs_writepages(struct address_space *mapping,
struct netfs_io_request *wreq = NULL;
struct folio *folio;
int error = 0;
+ static DEFINE_MUTEX(wlock);

if (wbc->sync_mode == WB_SYNC_ALL)
mutex_lock(&ictx->wb_lock);
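Review bot: A function-scope `static DEFINE_MUTEX(wlock)` is one global lock shared by every netfs_writepages() call on every inode and superblock in the system, so it serialises all netfs writeback rather than the inode under test, and it is taken after the conditional mutex_lock(&ictx->wb_lock) above, introducing a new wb_lock -> wlock ordering. As a debugging aid that is survivable, but a system-wide lock cannot tell you whether the race is per-inode, which is the question the I_SYNC instrumentation is asking.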
@@ -522,12 +523,18 @@ int netfs_writepages(struct address_space *mapping,
trace_netfs_write(wreq, netfs_write_trace_writeback);
netfs_stat(&netfs_n_wh_writepages);

+ printk("sync: %d, tb-sync: %d, ino: %lx, %s\n", wreq->inode->i_state & I_SYNC,
+ test_bit(I_SYNC, &wreq->inode->i_state),
+ wreq->inode->i_ino, __func__);
+ mutex_lock(&wlock);
+ wreq->inode->i_state |= I_SYNC;
do {
_debug("wbiter %lx %llx", folio->index, wreq->start + wreq->submitted);

/* It appears we don't have to handle cyclic writeback wrapping. */
WARN_ON_ONCE(wreq && folio_pos(folio) < wreq->start + wreq->submitted);

+ printk("ino: %lx, folio: %p, %s\n", wreq->inode->i_ino, folio, __func__);
if (netfs_folio_group(folio) != NETFS_FOLIO_COPY_TO_CACHE &&
unlikely(!test_bit(NETFS_RREQ_UPLOAD_TO_SERVER, &wreq->flags))) {
set_bit(NETFS_RREQ_UPLOAD_TO_SERVER, &wreq->flags);
@@ -538,6 +545,8 @@ int netfs_writepages(struct address_space *mapping,
if (error < 0)
break;
} while ((folio = writeback_iter(mapping, wbc, folio, &error)));
+ wreq->inode->i_state &= ~I_SYNC;
+ mutex_unlock(&wlock);
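Review bot: The unlock pairs correctly only because the loop can leave solely via `break`; any early return or goto added inside the loop in a later revision would leave wlock held for good. The `wreq->inode->i_state &= ~I_SYNC` just above it still has the ownership problem noted on the previous revision: the writeback core set that bit under i_lock and clears it itself in inode_sync_complete(), so this clears the core's I_SYNC early and without the lock.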

syzbot

Aug 9, 2024, 9:21:03 PM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in v9fs_begin_writeback

ino: 1901336, folio: ffffea0000e18200, netfs_writepages
ino: 1901336, v9fs_begin_writeback
------------[ cut here ]------------
folio expected an open fid inode->i_ino=1901336
WARNING: CPU: 0 PID: 65 at fs/9p/vfs_addr.c:40 v9fs_begin_writeback+0x24c/0x2c0 fs/9p/vfs_addr.c:40
Modules linked in:
CPU: 0 UID: 0 PID: 65 Comm: kworker/u32:3 Not tainted 6.11.0-rc1-syzkaller-00154-gc0ecd6388360-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: writeback wb_workfn (flush-9p-7)
RIP: 0010:v9fs_begin_writeback+0x24c/0x2c0 fs/9p/vfs_addr.c:40
Call Trace:
<TASK>
netfs_writepages+0x82c/0x1040 fs/netfs/write_issue.c:541
do_writepages+0x1a3/0x7f0 mm/page-writeback.c:2683
__writeback_single_inode+0x163/0xf90 fs/fs-writeback.c:1651
writeback_sb_inodes+0x611/0x1150 fs/fs-writeback.c:1947
wb_writeback+0x199/0xb50 fs/fs-writeback.c:2127
wb_do_writeback fs/fs-writeback.c:2274 [inline]
wb_workfn+0x28d/0xf40 fs/fs-writeback.c:2314
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf20 kernel/workqueue.c:3390
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1121115d980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=146ec67d980000

Edward Adam Davis

Aug 9, 2024, 10:56:50 PM
to syzbot+0b74d3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
debug

#syz test: upstream c0ecd6388360

diff --git a/fs/9p/fid.c b/fs/9p/fid.c
index de009a33e0e2..b5ccab74bb6f 100644
--- a/fs/9p/fid.c
+++ b/fs/9p/fid.c
@@ -13,6 +13,7 @@
#include <linux/sched.h>
#include <net/9p/9p.h>
#include <net/9p/client.h>
+#include <linux/file.h>

#include "v9fs.h"
#include "v9fs_vfs.h"
diff --git a/fs/9p/vfs_addr.c b/fs/9p/vfs_addr.c
index a97ceb105cd8..7768cc70439d 100644
--- a/fs/9p/vfs_addr.c
+++ b/fs/9p/vfs_addr.c
@@ -34,6 +34,7 @@ static void v9fs_begin_writeback(struct netfs_io_request *wreq)
{
struct p9_fid *fid;

+ printk("ino: %lx, %s\n", wreq->inode->i_ino, __func__);
fid = v9fs_fid_find_inode(wreq->inode, true, INVALID_UID, true);
if (!fid) {
WARN_ONCE(1, "folio expected an open fid inode->i_ino=%lx\n",
diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c
index e0d34e4e9076..3fe715ab6efd 100644
--- a/fs/9p/vfs_dir.c
+++ b/fs/9p/vfs_dir.c
@@ -219,6 +219,15 @@ int v9fs_dir_release(struct inode *inode, struct file *filp)
retval = filemap_fdatawrite(inode->i_mapping);

spin_lock(&inode->i_lock);
+ printk("del, ino: %lx, ino sync: %d, comm: %s, %s\n", inode->i_ino, inode->i_state & I_SYNC, current->comm, __func__);
+ if (I_SYNC & inode->i_state) {
+ spin_unlock(&inode->i_lock);
+ if (wait_on_bit_timeout(&inode->i_state, I_SYNC,
+ TASK_UNINTERRUPTIBLE, 5 * HZ))
+ return -EBUSY;
+ spin_lock(&inode->i_lock);
+ }
+
hlist_del(&fid->ilist);
spin_unlock(&inode->i_lock);
put_err = p9_fid_put(fid);
diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c
index 348cc90bf9c5..4d37c1932de4 100644
--- a/fs/9p/vfs_file.c
+++ b/fs/9p/vfs_file.c
@@ -22,6 +22,7 @@
#include <linux/slab.h>
#include <net/9p/9p.h>
#include <net/9p/client.h>
+#include <linux/security.h>

#include "v9fs.h"
#include "v9fs_vfs.h"
@@ -44,6 +45,12 @@ int v9fs_file_open(struct inode *inode, struct file *file)
struct p9_fid *fid;
int omode;

+ if ((file->f_flags & O_RDWR || file->f_flags & O_WRONLY) &&
+ security_file_permission(file, MAY_WRITE)) {
+ pr_info("file: %p no permission, ino: %lx, %s\n", file, inode->i_ino, __func__);
+ return -EPERM;
+ }
+
p9_debug(P9_DEBUG_VFS, "inode: %p file: %p\n", inode, file);
v9ses = v9fs_inode2v9ses(inode);
if (v9fs_proto_dotl(v9ses))
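Review bot: The open-time check cannot deny anything the VFS has not already allowed: may_open() runs inode_permission() with MAY_WRITE for a writable open and do_dentry_open() runs security_file_open() before ->open is called, and security_file_permission() is the per-read/write hook, not an open-time one. `file->f_flags & O_RDWR || file->f_flags & O_WRONLY` happens to work because the two values are distinct bits, but `(file->f_flags & O_ACCMODE) != O_RDONLY` is the idiom. Returning a fixed -EPERM also discards the LSM's own error code; return the hook's value instead.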
@@ -397,6 +404,12 @@ v9fs_file_write_iter(struct kiocb *iocb, struct iov_iter *from)
{
struct file *file = iocb->ki_filp;
struct p9_fid *fid = file->private_data;
+ struct inode *inode = file_inode(file);
+
+ if (security_file_permission(filp, MAY_WRITE)) {
+ pr_info("file: %p no permission, ino: %lx, %s\n", file, inode->i_ino, __func__);
+ return -EPERM;
+ }

p9_debug(P9_DEBUG_VFS, "fid %d\n", fid->fid);

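Review bot: `security_file_permission(filp, MAY_WRITE)` names `filp`, but the local declared two lines above is `struct file *file = iocb->ki_filp;`, so this does not compile; syzbot's build failure at fs/9p/vfs_file.c:409 ("'filp' undeclared; did you mean 'file'?") is this line. Beyond the typo, rw_verify_area() has already run this hook for the write before ->write_iter is called, so, as with the open hunk, the check cannot fail if execution got this far.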
@@ -460,6 +473,11 @@ v9fs_file_mmap(struct file *filp, struct vm_area_struct *vma)
struct inode *inode = file_inode(filp);
struct v9fs_session_info *v9ses = v9fs_inode2v9ses(inode);

+ if (security_file_permission(filp, MAY_WRITE)) {
+ pr_info("file: %p no permission, ino: %lx, %s\n", filp, inode->i_ino, __func__);
+ return -EPERM;
+ }
+
p9_debug(P9_DEBUG_MMAP, "filp :%p\n", filp);

if (!(v9ses->cache & CACHE_WRITEBACK)) {
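Review bot: Checking MAY_WRITE unconditionally in v9fs_file_mmap() rejects read-only mappings (PROT_READ, or MAP_PRIVATE) of files opened O_RDONLY whenever the LSM denies write, and the mmap path already has its own hook, security_mmap_file(), which the VFS runs before ->mmap. If the intent is to gate only mappings that can dirty the page cache, test `(vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE)` first, and return the hook's error rather than a fixed -EPERM.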
diff --git a/fs/netfs/write_issue.c b/fs/netfs/write_issue.c
index 9258d30cffe3..4434bf37caa1 100644
--- a/fs/netfs/write_issue.c
+++ b/fs/netfs/write_issue.c
@@ -522,12 +522,23 @@ int netfs_writepages(struct address_space *mapping,
trace_netfs_write(wreq, netfs_write_trace_writeback);
netfs_stat(&netfs_n_wh_writepages);

+ unsigned long i_state = wreq->inode->i_state;
+ wreq->inode->i_state |= I_SYNC;
+ printk("doing sync: %d, before sync: %d, ino: %lx, comm: %s, %s\n", wreq->inode->i_state & I_SYNC,
+ i_state & I_SYNC,
+ wreq->inode->i_ino, current->comm, __func__);
+ if (i_state & I_SYNC) {
+ error = -EBUSY;
+ goto couldnt_start;
+ }
+
do {
_debug("wbiter %lx %llx", folio->index, wreq->start + wreq->submitted);

/* It appears we don't have to handle cyclic writeback wrapping. */
WARN_ON_ONCE(wreq && folio_pos(folio) < wreq->start + wreq->submitted);

+ printk("ino: %lx, folio: %p, %s\n", wreq->inode->i_ino, folio, __func__);
if (netfs_folio_group(folio) != NETFS_FOLIO_COPY_TO_CACHE &&
unlikely(!test_bit(NETFS_RREQ_UPLOAD_TO_SERVER, &wreq->flags))) {
set_bit(NETFS_RREQ_UPLOAD_TO_SERVER, &wreq->flags);
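Review bot: `goto couldnt_start` on the -EBUSY path is taken after the write request exists (the trace_netfs_write()/netfs_stat() context above this hunk runs only after netfs_create_write_req() succeeded), but couldnt_start: in netfs_writepages() is the label for the no-request case: it calls netfs_kill_dirty_pages() and then only drops ictx->wb_lock. So on this path the dirty folios are discarded instead of retried, the request is never completed or put, and the I_SYNC bit set four lines earlier is never cleared. The next syzbot result, a task hung in v9fs_evict_inode() inside netfs_wait_for_outstanding_io(), is what an abandoned, never-finished request looks like. The `unsigned long i_state` snapshot is also read without i_lock, so "before sync" is racy against the writeback core that owns the bit.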
@@ -538,6 +549,9 @@ int netfs_writepages(struct address_space *mapping,
if (error < 0)
break;
} while ((folio = writeback_iter(mapping, wbc, folio, &error)));
+ wreq->inode->i_state &= ~I_SYNC;
+ printk("end sync: %d, ino: %lx, comm: %s, error: %d, %s\n", wreq->inode->i_state & I_SYNC,
+ wreq->inode->i_ino, current->comm, error, __func__);

syzbot

Aug 9, 2024, 11:10:03 PM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

fs/9p/vfs_file.c:409:38: error: 'filp' undeclared (first use in this function); did you mean 'file'?


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13951703980000

Edward Adam Davis

Aug 9, 2024, 11:36:33 PM
to syzbot+0b74d3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

syzbot

Aug 10, 2024, 12:02:04 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in v9fs_evict_inode

INFO: task syz-executor:5811 blocked for more than 143 seconds.
Not tainted 6.11.0-rc1-syzkaller-00154-gc0ecd6388360-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:23952 pid:5811 tgid:5811 ppid:1 flags:0x00004006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5188 [inline]
__schedule+0xe37/0x5490 kernel/sched/core.c:6529
__schedule_loop kernel/sched/core.c:6606 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6621
netfs_wait_for_outstanding_io include/linux/netfs.h:535 [inline]
v9fs_evict_inode+0x271/0x310 fs/9p/vfs_inode.c:351
evict+0x2ed/0x6c0 fs/inode.c:669
dispose_list+0x117/0x1e0 fs/inode.c:712
evict_inodes+0x34e/0x450 fs/inode.c:762
generic_shutdown_super+0xb5/0x3d0 fs/super.c:627
kill_anon_super+0x3a/0x60 fs/super.c:1237
v9fs_kill_super+0x3d/0xa0 fs/9p/vfs_super.c:193
deactivate_locked_super+0xbe/0x1a0 fs/super.c:473
deactivate_super+0xde/0x100 fs/super.c:506
cleanup_mnt+0x222/0x450 fs/namespace.c:1373
task_work_run+0x14e/0x250 kernel/task_work.c:228
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x27b/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>

Showing all locks held in the system:
1 lock held by khungtaskd/40:
#0: ffffffff8ddb53a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:326 [inline]
#0: ffffffff8ddb53a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline]
#0: ffffffff8ddb53a0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x75/0x340 kernel/locking/lockdep.c:6620
2 locks held by getty/5135:
#0: ffff8880235fb0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
#1: ffffc900000db2f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0xfc8/0x1490 drivers/tty/n_tty.c:2211
1 lock held by syz-executor/5811:
#0: ffff888020a800e0 (&type->s_umount_key#67){+.+.}-{3:3}, at: __super_lock fs/super.c:56 [inline]
#0: ffff888020a800e0 (&type->s_umount_key#67){+.+.}-{3:3}, at: __super_lock_excl fs/super.c:71 [inline]
#0: ffff888020a800e0 (&type->s_umount_key#67){+.+.}-{3:3}, at: deactivate_super+0xd6/0x100 fs/super.c:505
2 locks held by syz.0.4336/14555:
#0: ffffffff8ec222b8 (qp_broker_list.mutex){+.+.}-{3:3}, at: vmci_qp_broker_detach+0x14d/0x1370 drivers/misc/vmw_vmci/vmci_queue_pair.c:2095
#1: ffffffff8ddc0b38 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock+0x282/0x3b0 kernel/rcu/tree_exp.h:296

=============================================

NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 40 Comm: khungtaskd Not tainted 6.11.0-rc1-syzkaller-00154-gc0ecd6388360-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
nmi_cpu_backtrace+0x27b/0x390 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline]
watchdog+0xf4e/0x1280 kernel/hung_task.c:379
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Sending NMI from CPU 1 to CPUs 0,2-3:
NMI backtrace for cpu 3 skipped: idling at native_safe_halt arch/x86/include/asm/irqflags.h:48 [inline]
NMI backtrace for cpu 3 skipped: idling at arch_safe_halt arch/x86/include/asm/irqflags.h:106 [inline]
NMI backtrace for cpu 3 skipped: idling at default_idle+0xf/0x20 arch/x86/kernel/process.c:742
NMI backtrace for cpu 2 skipped: idling at native_safe_halt arch/x86/include/asm/irqflags.h:48 [inline]
NMI backtrace for cpu 2 skipped: idling at arch_safe_halt arch/x86/include/asm/irqflags.h:106 [inline]
NMI backtrace for cpu 2 skipped: idling at default_idle+0xf/0x20 arch/x86/kernel/process.c:742
NMI backtrace for cpu 0 skipped: idling at native_safe_halt arch/x86/include/asm/irqflags.h:48 [inline]
NMI backtrace for cpu 0 skipped: idling at arch_safe_halt arch/x86/include/asm/irqflags.h:106 [inline]
NMI backtrace for cpu 0 skipped: idling at default_idle+0xf/0x20 arch/x86/kernel/process.c:742


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1265c113980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12a5c113980000

Edward Adam Davis

Aug 10, 2024, 12:53:32 AM
to syzbot+0b74d3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c
index 348cc90bf9c5..4d37c1932de4 100644
--- a/fs/9p/vfs_file.c
+++ b/fs/9p/vfs_file.c
@@ -22,6 +22,7 @@
#include <linux/slab.h>
#include <net/9p/9p.h>
#include <net/9p/client.h>
diff --git a/fs/netfs/write_issue.c b/fs/netfs/write_issue.c
index 9258d30cffe3..4c03b8911375 100644
--- a/fs/netfs/write_issue.c
+++ b/fs/netfs/write_issue.c
@@ -522,12 +522,19 @@ int netfs_writepages(struct address_space *mapping,
trace_netfs_write(wreq, netfs_write_trace_writeback);
netfs_stat(&netfs_n_wh_writepages);

+ unsigned long i_state = wreq->inode->i_state;
+ wreq->inode->i_state |= I_SYNC;
+ printk("doing sync: %d, before sync: %d, ino: %lx, comm: %s, %s\n", wreq->inode->i_state & I_SYNC,
+ i_state & I_SYNC,
+ wreq->inode->i_ino, current->comm, __func__);
+
do {
_debug("wbiter %lx %llx", folio->index, wreq->start + wreq->submitted);

/* It appears we don't have to handle cyclic writeback wrapping. */
WARN_ON_ONCE(wreq && folio_pos(folio) < wreq->start + wreq->submitted);

+ printk("ino: %lx, folio: %p, %s\n", wreq->inode->i_ino, folio, __func__);
if (netfs_folio_group(folio) != NETFS_FOLIO_COPY_TO_CACHE &&
unlikely(!test_bit(NETFS_RREQ_UPLOAD_TO_SERVER, &wreq->flags))) {
set_bit(NETFS_RREQ_UPLOAD_TO_SERVER, &wreq->flags);
@@ -538,6 +545,9 @@ int netfs_writepages(struct address_space *mapping,

Edward Adam Davis

Aug 10, 2024, 12:55:16 AM
to syzbot+0b74d3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
index 348cc90bf9c5..ed319921a898 100644
--- a/fs/9p/vfs_file.c
+++ b/fs/9p/vfs_file.c
@@ -22,6 +22,7 @@
#include <linux/slab.h>
#include <net/9p/9p.h>
#include <net/9p/client.h>
+#include <linux/security.h>

#include "v9fs.h"
#include "v9fs_vfs.h"

syzbot

Aug 10, 2024, 1:06:04 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

fs/9p/vfs_file.c:409:38: error: 'filp' undeclared (first use in this function); did you mean 'file'?


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15a9b97d980000

syzbot

Aug 10, 2024, 1:29:03 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in v9fs_begin_writeback

ino: 1901335, folio: ffffea0000cd8c00, netfs_writepages
ino: 1901335, v9fs_begin_writeback
------------[ cut here ]------------
folio expected an open fid inode->i_ino=1901335
WARNING: CPU: 2 PID: 1105 at fs/9p/vfs_addr.c:40 v9fs_begin_writeback+0x24c/0x2c0 fs/9p/vfs_addr.c:40
Modules linked in:
CPU: 2 UID: 0 PID: 1105 Comm: kworker/u32:6 Not tainted 6.11.0-rc1-syzkaller-00154-gc0ecd6388360-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: writeback wb_workfn (flush-9p-1559)
RIP: 0010:v9fs_begin_writeback+0x24c/0x2c0 fs/9p/vfs_addr.c:40
Call Trace:
<TASK>
netfs_writepages+0x839/0x1080 fs/netfs/write_issue.c:541
do_writepages+0x1a3/0x7f0 mm/page-writeback.c:2683
__writeback_single_inode+0x163/0xf90 fs/fs-writeback.c:1651
writeback_sb_inodes+0x611/0x1150 fs/fs-writeback.c:1947
wb_writeback+0x199/0xb50 fs/fs-writeback.c:2127
wb_do_writeback fs/fs-writeback.c:2274 [inline]
wb_workfn+0x28d/0xf40 fs/fs-writeback.c:2314
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf20 kernel/workqueue.c:3390
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12a328ed980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11223d11980000

Edward Adam Davis

Aug 11, 2024, 12:50:03 AM
to syzbot+0b74d3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
debug

#syz test: upstream c0ecd6388360

diff --git a/mm/filemap.c b/mm/filemap.c
index d62150418b91..f854a3fe0335 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -394,6 +394,7 @@ int filemap_fdatawrite_wbc(struct address_space *mapping,
return 0;

wbc_attach_fdatawrite_inode(wbc, mapping->host);
+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
ret = do_writepages(mapping, wbc);
wbc_detach_inode(wbc);
return ret;
@@ -427,6 +428,7 @@ int __filemap_fdatawrite_range(struct address_space *mapping, loff_t start,
.range_end = end,
};

+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
return filemap_fdatawrite_wbc(mapping, &wbc);
}

@@ -4227,6 +4229,7 @@ int filemap_invalidate_inode(struct inode *inode, bool flush,
.range_end = end,
};

+ printk("ino: %lx, comm: %s, %s\n", inode->i_ino, current->comm, __func__);
filemap_fdatawrite_wbc(mapping, &wbc);
}

diff --git a/mm/page-writeback.c b/mm/page-writeback.c
index 4430ac68e4c4..f76ce90a5396 100644
--- a/mm/page-writeback.c
+++ b/mm/page-writeback.c
@@ -2687,6 +2687,7 @@ int do_writepages(struct address_space *mapping, struct writeback_control *wbc)
/* deal with chardevs and other special files */
ret = 0;
}
+ printk("ret: %d, ino: %lx, comm: %s, %s\n", ret, mapping->host->i_ino, current->comm, __func__);
if (ret != -ENOMEM || wbc->sync_mode != WB_SYNC_ALL)
break;

diff --git a/fs/netfs/buffered_write.c b/fs/netfs/buffered_write.c
index 4726c315453c..b7877f5c6bb0 100644
--- a/fs/netfs/buffered_write.c
+++ b/fs/netfs/buffered_write.c
@@ -510,6 +510,7 @@ ssize_t netfs_file_write_iter(struct kiocb *iocb, struct iov_iter *from)
netfs_end_io_write(inode);
if (ret > 0)
ret = generic_write_sync(iocb, ret);
+ printk("ino: %lx, in state: %lu, comm: %s, %s\n", inode->i_ino, inode->state, current->comm, __func__);
return ret;
}
EXPORT_SYMBOL(netfs_file_write_iter);
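Review bot: `inode->state` in the printk added before `return ret` is not a member of struct inode; the field is `i_state`, which is exactly what syzbot's build error for fs/netfs/buffered_write.c:513 reports. Note also that the value is sampled after netfs_end_io_write(inode) and with no lock held, so it is a snapshot of the flags at that instant rather than the state the write ran under.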
diff --git a/fs/netfs/write_issue.c b/fs/netfs/write_issue.c
index 9258d30cffe3..2720943c47ba 100644
--- a/fs/netfs/write_issue.c
+++ b/fs/netfs/write_issue.c
@@ -522,6 +522,8 @@ int netfs_writepages(struct address_space *mapping,
trace_netfs_write(wreq, netfs_write_trace_writeback);
netfs_stat(&netfs_n_wh_writepages);

+ printk("ino state: %lu, ino: %lx, comm: %s, folio: %p, %s\n", wreq->inode->i_state,
+ wreq->inode->i_ino, current->comm, folio, __func__);
do {
_debug("wbiter %lx %llx", folio->index, wreq->start + wreq->submitted);

diff --git a/fs/9p/vfs_addr.c b/fs/9p/vfs_addr.c
index a97ceb105cd8..7768cc70439d 100644
--- a/fs/9p/vfs_addr.c
+++ b/fs/9p/vfs_addr.c
@@ -34,6 +34,7 @@ static void v9fs_begin_writeback(struct netfs_io_request *wreq)
{
struct p9_fid *fid;

+ printk("ino: %lx, %s\n", wreq->inode->i_ino, __func__);
fid = v9fs_fid_find_inode(wreq->inode, true, INVALID_UID, true);
if (!fid) {
WARN_ONCE(1, "folio expected an open fid inode->i_ino=%lx\n",
diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c
index e0d34e4e9076..73cff02644b2 100644
--- a/fs/9p/vfs_dir.c
+++ b/fs/9p/vfs_dir.c
@@ -219,6 +219,7 @@ int v9fs_dir_release(struct inode *inode, struct file *filp)
retval = filemap_fdatawrite(inode->i_mapping);

spin_lock(&inode->i_lock);
+ printk("del, ino: %lx, ino sync: %d, comm: %s, %s\n", inode->i_ino, inode->i_state & I_SYNC, current->comm, __func__);
hlist_del(&fid->ilist);
spin_unlock(&inode->i_lock);
put_err = p9_fid_put(fid);
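Review bot: `inode->i_state & I_SYNC` is an unsigned long but is formatted with %d, so gcc -Wformat will warn and only the low 32 bits are consumed; use `!!(inode->i_state & I_SYNC)` with %d, or print the whole i_state with %lx. Since the WARN is raised when v9fs_fid_find_inode() finds no fid, this is also the place to log `fid->fid` and whether the inode's fid list is empty after the hlist_del(), so the log shows the ordering of the close against the flusher's lookup.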
diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c
index 348cc90bf9c5..0ebcd847f2b0 100644
--- a/fs/9p/vfs_file.c
+++ b/fs/9p/vfs_file.c
@@ -44,6 +44,7 @@ int v9fs_file_open(struct inode *inode, struct file *file)
struct p9_fid *fid;
int omode;

+ pr_info("ino: %lx, %s\n", inode->i_ino, __func__);
p9_debug(P9_DEBUG_VFS, "inode: %p file: %p\n", inode, file);
v9ses = v9fs_inode2v9ses(inode);
if (v9fs_proto_dotl(v9ses))
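Review bot: pr_info() here and bare printk() (no KERN_ level) elsewhere in the patch make the output inconsistent and harder to filter; use one form throughout. At this point no fid has been attached yet, so the line only records that an open started; a line emitted after the fid is added to the inode's open-fid list, carrying `fid->fid`, could be matched against the later hlist_del() in v9fs_dir_release().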
@@ -397,12 +398,14 @@ v9fs_file_write_iter(struct kiocb *iocb, struct iov_iter *from)
{
struct file *file = iocb->ki_filp;
struct p9_fid *fid = file->private_data;
+ struct inode *inode = file_inode(file);

p9_debug(P9_DEBUG_VFS, "fid %d\n", fid->fid);

if (fid->mode & (P9L_DIRECT | P9L_NOWRITECACHE))
return netfs_unbuffered_write_iter(iocb, from);

+ pr_info("ino: %lx, comm: %s, %s\n", inode->i_ino, current->comm, __func__);
p9_debug(P9_DEBUG_CACHE, "(cached)\n");
return netfs_file_write_iter(iocb, from);
}
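Review bot: the pr_info sits after the `P9L_DIRECT | P9L_NOWRITECACHE` early return, so direct and uncached writes are never logged even though the new `inode` local is computed for them. If every write on the inode should appear, move it above that check; otherwise say "(cached)" in the message, as the adjacent p9_debug does, so the log is not misread.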
@@ -461,6 +464,7 @@ v9fs_file_mmap(struct file *filp, struct vm_area_struct *vma)
struct v9fs_session_info *v9ses = v9fs_inode2v9ses(inode);

p9_debug(P9_DEBUG_MMAP, "filp :%p\n", filp);
+ pr_info("ino: %lx, comm: %s, %s\n", inode->i_ino, current->comm, __func__);

if (!(v9ses->cache & CACHE_WRITEBACK)) {
p9_debug(P9_DEBUG_CACHE, "(read-only mmap mode)");
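Review bot: logging the mmap() call alone does not show when the mapped pages become dirty; for shared mappings that happens in v9fs_vm_page_mkwrite()/netfs_page_mkwrite(), which this version of the patch does not instrument, so a dirtying through the mapping followed by munmap/close leaves no line before the flusher reaches v9fs_begin_writeback().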

syzbot

Aug 11, 2024, 1:02:04 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

fs/netfs/buffered_write.c:513:80: error: 'struct inode' has no member named 'state'; did you mean 'i_state'?


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1054666b980000

Edward Adam Davis

Aug 11, 2024, 2:20:52 AM
to syzbot+0b74d3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
+ printk("ino: %lx, in state: %lu, comm: %s, %s\n", inode->i_ino, inode->i_state, current->comm, __func__);
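Review bot: this corrects the member name, but i_state is still formatted as %lu; the resulting decimal (393351 in the test output) has to be converted to hex by hand before the I_* bits can be read, so %lx is the better choice.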

syzbot

Aug 11, 2024, 2:35:04 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in v9fs_begin_writeback

ino state: 393351, ino: 1901337, comm: kworker/u32:0, folio: ffffea0000dc0780, netfs_writepages
ino: 1901337, v9fs_begin_writeback
------------[ cut here ]------------
folio expected an open fid inode->i_ino=1901337
WARNING: CPU: 1 PID: 11 at fs/9p/vfs_addr.c:40 v9fs_begin_writeback+0x24c/0x2c0 fs/9p/vfs_addr.c:40
Modules linked in:
CPU: 1 UID: 0 PID: 11 Comm: kworker/u32:0 Not tainted 6.11.0-rc1-syzkaller-00154-gc0ecd6388360-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: writeback wb_workfn (flush-9p-97)
RIP: 0010:v9fs_begin_writeback+0x24c/0x2c0 fs/9p/vfs_addr.c:40
Code: 00 fc ff df 48 8b 5b 48 48 8d 7b 40 48 89 fa 48 c1 ea 03 80 3c 02 00 75 7a 48 8b 73 40 48 c7 c7 60 9d 8e 8b e8 65 47 0d fe 90 <0f> 0b 90 90 eb 80 e8 49 2b a8 fe e9 6f ff ff ff e8 af 2a a8 fe e9
RSP: 0018:ffffc900000e7478 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff888044cb0670 RCX: ffffffff814cc379
RDX: ffff888017ea2440 RSI: ffffffff814cc386 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffff888044cb0670
R13: dffffc0000000000 R14: ffffc900000e7840 R15: ffff888020f2f018
FS: 0000000000000000(0000) GS:ffff88806b100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555815235c8 CR3: 0000000020ffc000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
netfs_writepages+0x6ee/0xec0 fs/netfs/write_issue.c:536
do_writepages+0x1ae/0x940 mm/page-writeback.c:2683
__writeback_single_inode+0x163/0xf90 fs/fs-writeback.c:1651
writeback_sb_inodes+0x611/0x1150 fs/fs-writeback.c:1947
wb_writeback+0x199/0xb50 fs/fs-writeback.c:2127
wb_do_writeback fs/fs-writeback.c:2274 [inline]
wb_workfn+0x28d/0xf40 fs/fs-writeback.c:2314
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf20 kernel/workqueue.c:3390
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=106bbae5980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1438d9d3980000

Edward Adam Davis

Aug 11, 2024, 4:42:50 AM
to syzbot+0b74d3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
debug

#syz test: upstream c0ecd6388360

diff --git a/fs/netfs/buffered_read.c b/fs/netfs/buffered_read.c
index a688d4c75d99..fab0714e1324 100644
--- a/fs/netfs/buffered_read.c
+++ b/fs/netfs/buffered_read.c
@@ -602,6 +602,7 @@ ssize_t netfs_buffered_read_iter(struct kiocb *iocb, struct iov_iter *iter)
test_bit(NETFS_ICTX_UNBUFFERED, &ictx->flags)))
return -EINVAL;

+ pr_info("ino: %lx, comm: %s, %s\n", inode->i_ino, current->comm, __func__);
ret = netfs_start_io_read(inode);
if (ret == 0) {
ret = filemap_read(iocb, iter, 0);
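Review bot: instrumenting every buffered read emits a line per read() on the 9p mount, and reads do not dirty folios, so this mostly floods the console and risks pushing the lines around the WARN out of the captured log; drop it, or gate it on `inode->i_state & I_DIRTY_PAGES` if a read racing with dirty data is the case of interest.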
diff --git a/fs/netfs/buffered_write.c b/fs/netfs/buffered_write.c
index 4726c315453c..63d85b6421e9 100644
--- a/fs/netfs/buffered_write.c
+++ b/fs/netfs/buffered_write.c
@@ -192,6 +192,7 @@ ssize_t netfs_perform_write(struct kiocb *iocb, struct iov_iter *iter,
) {
wbc_attach_fdatawrite_inode(&wbc, mapping->host);

+ printk("ino: %lx, in state: %lu, comm: %s, %s\n", inode->i_ino, inode->i_state, current->comm, __func__);
ret = filemap_write_and_wait_range(mapping, pos, pos + iter->count);
if (ret < 0) {
wbc_detach_inode(&wbc);
@@ -510,6 +511,7 @@ ssize_t netfs_file_write_iter(struct kiocb *iocb, struct iov_iter *from)
netfs_end_io_write(inode);
if (ret > 0)
ret = generic_write_sync(iocb, ret);
+ printk("ino: %lx, in state: %lu, comm: %s, %s\n", inode->i_ino, inode->i_state, current->comm, __func__);
return ret;
}
EXPORT_SYMBOL(netfs_file_write_iter);
@@ -555,6 +557,7 @@ vm_fault_t netfs_page_mkwrite(struct vm_fault *vmf, struct netfs_group *netfs_gr
group = netfs_folio_group(folio);
if (group != netfs_group && group != NETFS_FOLIO_COPY_TO_CACHE) {
folio_unlock(folio);
+ printk("ino: %lx, in state: %lu, comm: %s, %s\n", inode->i_ino, inode->i_state, current->comm, __func__);
err = filemap_fdatawrite_range(mapping,
folio_pos(folio),
folio_pos(folio) + folio_size(folio));
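Review bot: this printk is only reached in the group-mismatch branch after folio_unlock(), so the common page_mkwrite path that keeps the folio is never logged and mmap-based dirtying still leaves no trace. Move the line above the `if (group != netfs_group ...)` test if every mkwrite should be visible.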
diff --git a/fs/netfs/direct_write.c b/fs/netfs/direct_write.c
index 88f2adfab75e..c19963e9627b 100644
--- a/fs/netfs/direct_write.c
+++ b/fs/netfs/direct_write.c
@@ -170,6 +170,7 @@ ssize_t netfs_unbuffered_write_iter(struct kiocb *iocb, struct iov_iter *from)
if (filemap_invalidate_inode(inode, true, pos, end))
goto out;
} else {
+ printk("ino: %lx, in state: %lu, comm: %s, %s\n", inode->i_ino, inode->i_state, current->comm, __func__);
ret = filemap_write_and_wait_range(mapping, pos, end);
if (ret < 0)
goto out;
diff --git a/fs/netfs/write_issue.c b/fs/netfs/write_issue.c
index 9258d30cffe3..106eb5b287e9 100644
--- a/fs/netfs/write_issue.c
+++ b/fs/netfs/write_issue.c
@@ -522,6 +522,8 @@ int netfs_writepages(struct address_space *mapping,
trace_netfs_write(wreq, netfs_write_trace_writeback);
netfs_stat(&netfs_n_wh_writepages);

+ printk("ino state: %lu, ino: %lx, comm: %s, folio: %p, %s\n", wreq->inode->i_state,
+ wreq->inode->i_ino, current->comm, folio, __func__);
do {
_debug("wbiter %lx %llx", folio->index, wreq->start + wreq->submitted);

diff --git a/mm/filemap.c b/mm/filemap.c
index d62150418b91..37229eeaf628 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -394,6 +394,7 @@ int filemap_fdatawrite_wbc(struct address_space *mapping,
return 0;

wbc_attach_fdatawrite_inode(wbc, mapping->host);
+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
ret = do_writepages(mapping, wbc);
wbc_detach_inode(wbc);
return ret;
@@ -427,12 +428,14 @@ int __filemap_fdatawrite_range(struct address_space *mapping, loff_t start,
.range_end = end,
};

+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
return filemap_fdatawrite_wbc(mapping, &wbc);
}

static inline int __filemap_fdatawrite(struct address_space *mapping,
int sync_mode)
{
+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
return __filemap_fdatawrite_range(mapping, 0, LLONG_MAX, sync_mode);
}
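Review bot: with printks in filemap_fdatawrite_wbc(), __filemap_fdatawrite_range(), __filemap_fdatawrite() and filemap_fdatawrite_range(), a single flush emits up to four near-identical lines that differ only in __func__; keep the outermost entry points (filemap_fdatawrite_range(), filemap_write_and_wait_range(), file_write_and_wait_range()) plus do_writepages(), and drop the inner helpers. All of these fire for every filesystem in the VM, so gate them on `mapping->host->i_sb->s_magic == V9FS_MAGIC`.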

@@ -445,6 +448,7 @@ EXPORT_SYMBOL(filemap_fdatawrite);
int filemap_fdatawrite_range(struct address_space *mapping, loff_t start,
loff_t end)
{
+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
return __filemap_fdatawrite_range(mapping, start, end, WB_SYNC_ALL);
}
EXPORT_SYMBOL(filemap_fdatawrite_range);
@@ -682,6 +686,7 @@ int filemap_write_and_wait_range(struct address_space *mapping,
return 0;

if (mapping_needs_writeback(mapping)) {
+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
err = __filemap_fdatawrite_range(mapping, lstart, lend,
WB_SYNC_ALL);
/*
@@ -785,6 +790,7 @@ int file_write_and_wait_range(struct file *file, loff_t lstart, loff_t lend)
return 0;

if (mapping_needs_writeback(mapping)) {
+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
err = __filemap_fdatawrite_range(mapping, lstart, lend,
WB_SYNC_ALL);
/* See comment of filemap_write_and_wait() */
@@ -2708,6 +2714,7 @@ int kiocb_write_and_wait(struct kiocb *iocb, size_t count)
return 0;
}

+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
return filemap_write_and_wait_range(mapping, pos, end);
}
EXPORT_SYMBOL_GPL(kiocb_write_and_wait);
@@ -2775,6 +2782,7 @@ generic_file_read_iter(struct kiocb *iocb, struct iov_iter *iter)
struct address_space *mapping = file->f_mapping;
struct inode *inode = mapping->host;

+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
retval = kiocb_write_and_wait(iocb, count);
if (retval < 0)
return retval;
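Review bot: in generic_file_read_iter() the `mapping` and `inode` locals shown in the context are declared inside the `IOCB_DIRECT` branch, so this line fires only for O_DIRECT reads, and kiocb_write_and_wait() on the next line prints its own line anyway. Either drop it or say "direct read" in the message so the log is not read as covering all reads.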
@@ -4227,6 +4235,7 @@ int filemap_invalidate_inode(struct inode *inode, bool flush,
.range_end = end,
};

+ printk("ino: %lx, comm: %s, %s\n", inode->i_ino, current->comm, __func__);
filemap_fdatawrite_wbc(mapping, &wbc);
}

diff --git a/mm/page-writeback.c b/mm/page-writeback.c
index 4430ac68e4c4..f76ce90a5396 100644
--- a/mm/page-writeback.c
+++ b/mm/page-writeback.c
@@ -2687,6 +2687,7 @@ int do_writepages(struct address_space *mapping, struct writeback_control *wbc)
/* deal with chardevs and other special files */
ret = 0;
}
+ printk("ret: %d, ino: %lx, comm: %s, %s\n", ret, mapping->host->i_ino, current->comm, __func__);
if (ret != -ENOMEM || wbc->sync_mode != WB_SYNC_ALL)
break;

diff --git a/fs/9p/vfs_addr.c b/fs/9p/vfs_addr.c
index a97ceb105cd8..7768cc70439d 100644
--- a/fs/9p/vfs_addr.c
+++ b/fs/9p/vfs_addr.c
@@ -34,6 +34,7 @@ static void v9fs_begin_writeback(struct netfs_io_request *wreq)
{
struct p9_fid *fid;

+ printk("ino: %lx, %s\n", wreq->inode->i_ino, __func__);
fid = v9fs_fid_find_inode(wreq->inode, true, INVALID_UID, true);
if (!fid) {
WARN_ONCE(1, "folio expected an open fid inode->i_ino=%lx\n",
diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c
index e0d34e4e9076..73cff02644b2 100644
--- a/fs/9p/vfs_dir.c
+++ b/fs/9p/vfs_dir.c
@@ -219,6 +219,7 @@ int v9fs_dir_release(struct inode *inode, struct file *filp)
retval = filemap_fdatawrite(inode->i_mapping);

spin_lock(&inode->i_lock);
+ printk("del, ino: %lx, ino sync: %d, comm: %s, %s\n", inode->i_ino, inode->i_state & I_SYNC, current->comm, __func__);
hlist_del(&fid->ilist);
spin_unlock(&inode->i_lock);
put_err = p9_fid_put(fid);
diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c
index 348cc90bf9c5..a3c32b7de2f5 100644
--- a/fs/9p/vfs_file.c
+++ b/fs/9p/vfs_file.c
@@ -44,6 +44,7 @@ int v9fs_file_open(struct inode *inode, struct file *file)
struct p9_fid *fid;
int omode;

+ pr_info("ino: %lx, %s\n", inode->i_ino, __func__);
p9_debug(P9_DEBUG_VFS, "inode: %p file: %p\n", inode, file);
v9ses = v9fs_inode2v9ses(inode);
if (v9fs_proto_dotl(v9ses))
@@ -461,6 +462,7 @@ v9fs_file_mmap(struct file *filp, struct vm_area_struct *vma)
struct v9fs_session_info *v9ses = v9fs_inode2v9ses(inode);

p9_debug(P9_DEBUG_MMAP, "filp :%p\n", filp);
+ pr_info("ino: %lx, comm: %s, %s\n", inode->i_ino, current->comm, __func__);

if (!(v9ses->cache & CACHE_WRITEBACK)) {
p9_debug(P9_DEBUG_CACHE, "(read-only mmap mode)");
@@ -477,6 +479,7 @@ v9fs_file_mmap(struct file *filp, struct vm_area_struct *vma)
static vm_fault_t
v9fs_vm_page_mkwrite(struct vm_fault *vmf)
{
+ printk("comm: %s, %s\n", current->comm, __func__);
return netfs_page_mkwrite(vmf, NULL);
}
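Review bot: the message carries no inode number, so it cannot be correlated with the netfs_writepages()/v9fs_begin_writeback() lines; print `file_inode(vmf->vma->vm_file)->i_ino` and `vmf->pgoff` alongside the comm.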


syzbot

Aug 11, 2024, 5:13:03 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in v9fs_begin_writeback

ino state: 393351, ino: 1901336, comm: kworker/u32:8, folio: ffffea0000dd71c0, netfs_writepages
ino: 1901336, v9fs_begin_writeback
------------[ cut here ]------------
folio expected an open fid inode->i_ino=1901336
WARNING: CPU: 2 PID: 1115 at fs/9p/vfs_addr.c:40 v9fs_begin_writeback+0x24c/0x2c0 fs/9p/vfs_addr.c:40
Modules linked in:
CPU: 2 UID: 0 PID: 1115 Comm: kworker/u32:8 Not tainted 6.11.0-rc1-syzkaller-00154-gc0ecd6388360-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: writeback wb_workfn (flush-9p-121)
RIP: 0010:v9fs_begin_writeback+0x24c/0x2c0 fs/9p/vfs_addr.c:40
Code: 00 fc ff df 48 8b 5b 48 48 8d 7b 40 48 89 fa 48 c1 ea 03 80 3c 02 00 75 7a 48 8b 73 40 48 c7 c7 a0 a0 8e 8b e8 f5 40 0d fe 90 <0f> 0b 90 90 eb 80 e8 f9 28 a8 fe e9 6f ff ff ff e8 5f 28 a8 fe e9
RSP: 0018:ffffc90005bd7478 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff88803310cd40 RCX: ffffffff814cc379
RDX: ffff888022ed4880 RSI: ffffffff814cc386 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88803310cd40
R13: dffffc0000000000 R14: ffffc90005bd7840 R15: ffff888045888c58
FS: 0000000000000000(0000) GS:ffff88806b200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c0014bd000 CR3: 000000000db7c000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
netfs_writepages+0x6ee/0xec0 fs/netfs/write_issue.c:536
do_writepages+0x1ae/0x940 mm/page-writeback.c:2683
__writeback_single_inode+0x163/0xf90 fs/fs-writeback.c:1651
writeback_sb_inodes+0x611/0x1150 fs/fs-writeback.c:1947
wb_writeback+0x199/0xb50 fs/fs-writeback.c:2127
wb_do_writeback fs/fs-writeback.c:2274 [inline]
wb_workfn+0x28d/0xf40 fs/fs-writeback.c:2314
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf20 kernel/workqueue.c:3390
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1558e95d980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13aacaf3980000

Edward Adam Davis

Aug 11, 2024, 6:18:21 AM
to syzbot+0b74d3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
debug

#syz test: upstream c0ecd6388360

diff --git a/fs/9p/vfs_addr.c b/fs/9p/vfs_addr.c
index a97ceb105cd8..7768cc70439d 100644
--- a/fs/9p/vfs_addr.c
+++ b/fs/9p/vfs_addr.c
@@ -34,6 +34,7 @@ static void v9fs_begin_writeback(struct netfs_io_request *wreq)
{
struct p9_fid *fid;

+ printk("ino: %lx, %s\n", wreq->inode->i_ino, __func__);
fid = v9fs_fid_find_inode(wreq->inode, true, INVALID_UID, true);
if (!fid) {
WARN_ONCE(1, "folio expected an open fid inode->i_ino=%lx\n",
diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c
index e0d34e4e9076..2705474f5fcb 100644
--- a/fs/9p/vfs_dir.c
+++ b/fs/9p/vfs_dir.c
@@ -215,10 +215,13 @@ int v9fs_dir_release(struct inode *inode, struct file *filp)
inode, filp, fid ? fid->fid : -1);

if (fid) {
- if ((S_ISREG(inode->i_mode)) && (filp->f_mode & FMODE_WRITE))
+ if ((S_ISREG(inode->i_mode)) && (filp->f_mode & FMODE_WRITE)) {
+ printk("ino: %lx, comm: %s, %s\n", inode->i_ino, current->comm, __func__);
retval = filemap_fdatawrite(inode->i_mapping);
+ }
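Review bot: the "del" line after hlist_del() from the previous version is gone, so the log no longer shows when the fid leaves the inode's list relative to the flusher's lookup, which is the ordering this WARN points at; keep a line after hlist_del() as well, with `fid->fid` and `inode->i_state` (as %lx). The braces added around the single statement plus the printk are fine for a debug patch.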
diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c
index fd72fc38c8f5..21fa2246ec09 100644
--- a/fs/9p/vfs_inode.c
+++ b/fs/9p/vfs_inode.c
@@ -355,6 +355,7 @@ void v9fs_evict_inode(struct inode *inode)
netfs_clear_inode_writeback(inode, &version);

clear_inode(inode);
+ printk("ino: %lx, comm: %s, %s\n", inode->i_ino, current->comm, __func__);
filemap_fdatawrite(&inode->i_data);

#ifdef CONFIG_9P_FSCACHE
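Review bot: this filemap_fdatawrite() runs after clear_inode(), when the inode's open fids have already been released, so anything it actually writes back would reach v9fs_begin_writeback() without a fid, which is exactly the WARN; print `mapping_tagged(&inode->i_data, PAGECACHE_TAG_DIRTY)` here to see whether dirty folios survive to this point. Every dump in this thread shows the WARN on the flush-9p kworker rather than on the evicting task, so this site can at most be where leftover dirty folios originate, not the direct caller.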
@@ -953,6 +954,7 @@ v9fs_vfs_getattr(struct mnt_idmap *idmap, const struct path *path,
return 0;
} else if (v9ses->cache & CACHE_WRITEBACK) {
if (S_ISREG(inode->i_mode)) {
+ printk("ino: %lx, comm: %s, %s\n", inode->i_ino, current->comm, __func__);
int retval = filemap_fdatawrite(inode->i_mapping);

if (retval)
@@ -1034,6 +1036,7 @@ static int v9fs_vfs_setattr(struct mnt_idmap *idmap,

/* Write all dirty data */
if (d_is_reg(dentry)) {
+ printk("ino: %lx, comm: %s, %s\n", inode->i_ino, current->comm, __func__);
retval = filemap_fdatawrite(inode->i_mapping);
if (retval)
p9_debug(P9_DEBUG_ERROR,
diff --git a/fs/9p/vfs_inode_dotl.c b/fs/9p/vfs_inode_dotl.c
index c61b97bd13b9..961becc48888 100644
--- a/fs/9p/vfs_inode_dotl.c
+++ b/fs/9p/vfs_inode_dotl.c
@@ -390,6 +390,7 @@ v9fs_vfs_getattr_dotl(struct mnt_idmap *idmap,
return 0;
} else if (v9ses->cache) {
if (S_ISREG(inode->i_mode)) {
+ printk("ino: %lx, comm: %s, %s\n", inode->i_ino, current->comm, __func__);
int retval = filemap_fdatawrite(inode->i_mapping);

if (retval)
@@ -518,6 +519,7 @@ int v9fs_vfs_setattr_dotl(struct mnt_idmap *idmap,

/* Write all dirty data */
if (S_ISREG(inode->i_mode)) {
+ printk("ino: %lx, comm: %s, %s\n", inode->i_ino, current->comm, __func__);
retval = filemap_fdatawrite(inode->i_mapping);
if (retval < 0)
p9_debug(P9_DEBUG_ERROR,
index d62150418b91..beda9b7b6ccd 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -394,6 +394,7 @@ int filemap_fdatawrite_wbc(struct address_space *mapping,
return 0;

wbc_attach_fdatawrite_inode(wbc, mapping->host);
+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
ret = do_writepages(mapping, wbc);
wbc_detach_inode(wbc);
return ret;
@@ -427,17 +428,20 @@ int __filemap_fdatawrite_range(struct address_space *mapping, loff_t start,
.range_end = end,
};

+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
return filemap_fdatawrite_wbc(mapping, &wbc);
}

static inline int __filemap_fdatawrite(struct address_space *mapping,
int sync_mode)
{
+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
return __filemap_fdatawrite_range(mapping, 0, LLONG_MAX, sync_mode);
}

int filemap_fdatawrite(struct address_space *mapping)
{
+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
return __filemap_fdatawrite(mapping, WB_SYNC_ALL);
}
EXPORT_SYMBOL(filemap_fdatawrite);
@@ -445,6 +449,7 @@ EXPORT_SYMBOL(filemap_fdatawrite);
int filemap_fdatawrite_range(struct address_space *mapping, loff_t start,
loff_t end)
{
+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
return __filemap_fdatawrite_range(mapping, start, end, WB_SYNC_ALL);
}
EXPORT_SYMBOL(filemap_fdatawrite_range);
@@ -460,6 +465,7 @@ EXPORT_SYMBOL(filemap_fdatawrite_range);
*/
int filemap_flush(struct address_space *mapping)
{
+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
return __filemap_fdatawrite(mapping, WB_SYNC_NONE);
}
EXPORT_SYMBOL(filemap_flush);
@@ -682,6 +688,7 @@ int filemap_write_and_wait_range(struct address_space *mapping,
return 0;

if (mapping_needs_writeback(mapping)) {
+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
err = __filemap_fdatawrite_range(mapping, lstart, lend,
WB_SYNC_ALL);
/*
@@ -785,6 +792,7 @@ int file_write_and_wait_range(struct file *file, loff_t lstart, loff_t lend)
return 0;

if (mapping_needs_writeback(mapping)) {
+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
err = __filemap_fdatawrite_range(mapping, lstart, lend,
WB_SYNC_ALL);
/* See comment of filemap_write_and_wait() */
@@ -2708,6 +2716,7 @@ int kiocb_write_and_wait(struct kiocb *iocb, size_t count)
return 0;
}

+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
return filemap_write_and_wait_range(mapping, pos, end);
}
EXPORT_SYMBOL_GPL(kiocb_write_and_wait);
@@ -2775,6 +2784,7 @@ generic_file_read_iter(struct kiocb *iocb, struct iov_iter *iter)
struct address_space *mapping = file->f_mapping;
struct inode *inode = mapping->host;

+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
retval = kiocb_write_and_wait(iocb, count);
if (retval < 0)
return retval;
@@ -4227,6 +4237,7 @@ int filemap_invalidate_inode(struct inode *inode, bool flush,

syzbot

Aug 11, 2024, 6:43:05 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in v9fs_begin_writeback

ino state: 393351, ino: 1901337, comm: kworker/u32:9, folio: ffffea0000b70480, netfs_writepages
ino: 1901337, v9fs_begin_writeback
------------[ cut here ]------------
folio expected an open fid inode->i_ino=1901337
WARNING: CPU: 0 PID: 1137 at fs/9p/vfs_addr.c:40 v9fs_begin_writeback+0x24c/0x2c0 fs/9p/vfs_addr.c:40
Modules linked in:
CPU: 0 UID: 0 PID: 1137 Comm: kworker/u32:9 Not tainted 6.11.0-rc1-syzkaller-00154-gc0ecd6388360-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: writeback wb_workfn (flush-9p-246)
RIP: 0010:v9fs_begin_writeback+0x24c/0x2c0 fs/9p/vfs_addr.c:40
Code: 00 fc ff df 48 8b 5b 48 48 8d 7b 40 48 89 fa 48 c1 ea 03 80 3c 02 00 75 7a 48 8b 73 40 48 c7 c7 e0 a2 8e 8b e8 15 3e 0d fe 90 <0f> 0b 90 90 eb 80 e8 39 27 a8 fe e9 6f ff ff ff e8 9f 26 a8 fe e9
RSP: 0018:ffffc90005b77478 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff88804550b9f0 RCX: ffffffff814cc379
RDX: ffff888022754880 RSI: ffffffff814cc386 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88804550b9f0
R13: dffffc0000000000 R14: ffffc90005b77840 R15: ffff88801b231958
FS: 0000000000000000(0000) GS:ffff88806b000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020001000 CR3: 000000000db7c000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
netfs_writepages+0x6ee/0xec0 fs/netfs/write_issue.c:536
do_writepages+0x1ae/0x940 mm/page-writeback.c:2683
__writeback_single_inode+0x163/0xf90 fs/fs-writeback.c:1651
writeback_sb_inodes+0x611/0x1150 fs/fs-writeback.c:1947
wb_writeback+0x199/0xb50 fs/fs-writeback.c:2127
wb_do_writeback fs/fs-writeback.c:2274 [inline]
wb_workfn+0x28d/0xf40 fs/fs-writeback.c:2314
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf20 kernel/workqueue.c:3390
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=11288d7d980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=113ac96d980000

Edward Adam Davis

Aug 11, 2024, 7:57:42 AM
to syzbot+0b74d3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
debug

#syz test: upstream c0ecd6388360

diff --git a/mm/filemap.c b/mm/filemap.c
index d62150418b91..5112cf69bce2 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -394,6 +394,7 @@ int filemap_fdatawrite_wbc(struct address_space *mapping,
return 0;

wbc_attach_fdatawrite_inode(wbc, mapping->host);
+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
ret = do_writepages(mapping, wbc);
wbc_detach_inode(wbc);
return ret;
@@ -427,17 +428,20 @@ int __filemap_fdatawrite_range(struct address_space *mapping, loff_t start,
.range_end = end,
};

+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
return filemap_fdatawrite_wbc(mapping, &wbc);
}

static inline int __filemap_fdatawrite(struct address_space *mapping,
int sync_mode)
{
+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
return __filemap_fdatawrite_range(mapping, 0, LLONG_MAX, sync_mode);
}

int filemap_fdatawrite(struct address_space *mapping)
{
+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
return __filemap_fdatawrite(mapping, WB_SYNC_ALL);
}
EXPORT_SYMBOL(filemap_fdatawrite);
diff --git a/mm/page-writeback.c b/mm/page-writeback.c
index 4430ac68e4c4..f76ce90a5396 100644
--- a/mm/page-writeback.c
+++ b/mm/page-writeback.c
@@ -2687,6 +2687,7 @@ int do_writepages(struct address_space *mapping, struct writeback_control *wbc)
/* deal with chardevs and other special files */
ret = 0;
}
+ printk("ret: %d, ino: %lx, comm: %s, %s\n", ret, mapping->host->i_ino, current->comm, __func__);
if (ret != -ENOMEM || wbc->sync_mode != WB_SYNC_ALL)
break;

diff --git a/fs/netfs/write_issue.c b/fs/netfs/write_issue.c
index 9258d30cffe3..fd72d75e00cb 100644
--- a/fs/netfs/write_issue.c
+++ b/fs/netfs/write_issue.c
@@ -503,6 +503,15 @@ int netfs_writepages(struct address_space *mapping,
struct folio *folio;
int error = 0;

+ if (!mapping_can_writeback(mapping) ||
+ !mapping_tagged(mapping, PAGECACHE_TAG_DIRTY)) {
+ printk("ino %lx can not wb: %d or mapping tagged :%d, %s\n",
+ mapping->host->i_ino, mapping_can_writeback(mapping),
+ mapping_tagged(mapping, PAGECACHE_TAG_DIRTY),
+ __func__);
+ return 0;
+ }
+
if (wbc->sync_mode == WB_SYNC_ALL)
mutex_lock(&ictx->wb_lock);
else if (!mutex_trylock(&ictx->wb_lock))
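Review bot: `mapping_can_writeback()` is declared in <linux/backing-dev.h>, which fs/netfs/write_issue.c does not include, hence the implicit-declaration build error syzbot reports for this patch. Beyond the include, this hunk changes behaviour rather than just tracing: it returns 0 before taking ictx->wb_lock, repeating the check that filemap_fdatawrite_wbc() already performs (the `return 0;` context in the mm/filemap.c hunk above) but now also on the flusher path, which enters through do_writepages() and never passes filemap_fdatawrite_wbc(). If the reproducer still warns with this applied, the mapping is evidently tagged dirty when the flusher arrives, which is itself a useful data point.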
@@ -522,6 +531,8 @@ int netfs_writepages(struct address_space *mapping,
trace_netfs_write(wreq, netfs_write_trace_writeback);
netfs_stat(&netfs_n_wh_writepages);

+ printk("ino state: %lu, ino: %lx, comm: %s, folio: %p, %s\n", wreq->inode->i_state,
+ wreq->inode->i_ino, current->comm, folio, __func__);
do {
_debug("wbiter %lx %llx", folio->index, wreq->start + wreq->submitted);

index fd72fc38c8f5..99f42ce8de15 100644
--- a/fs/9p/vfs_inode.c
+++ b/fs/9p/vfs_inode.c
@@ -355,6 +355,7 @@ void v9fs_evict_inode(struct inode *inode)
netfs_clear_inode_writeback(inode, &version);

clear_inode(inode);
+ printk("ino: %lx, comm: %s, %s\n", inode->i_ino, current->comm, __func__);
filemap_fdatawrite(&inode->i_data);

#ifdef CONFIG_9P_FSCACHE
@@ -1034,6 +1035,7 @@ static int v9fs_vfs_setattr(struct mnt_idmap *idmap,

/* Write all dirty data */
if (d_is_reg(dentry)) {
+ printk("ino: %lx, comm: %s, %s\n", inode->i_ino, current->comm, __func__);
retval = filemap_fdatawrite(inode->i_mapping);
if (retval)
p9_debug(P9_DEBUG_ERROR,
diff --git a/fs/9p/vfs_inode_dotl.c b/fs/9p/vfs_inode_dotl.c
index c61b97bd13b9..68b3ced3f3b1 100644
--- a/fs/9p/vfs_inode_dotl.c
+++ b/fs/9p/vfs_inode_dotl.c
@@ -518,6 +518,7 @@ int v9fs_vfs_setattr_dotl(struct mnt_idmap *idmap,

syzbot

Aug 11, 2024, 8:09:04 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

fs/netfs/write_issue.c:506:14: error: implicit declaration of function 'mapping_can_writeback'; did you mean 'mapping_map_writable'? [-Werror=implicit-function-declaration]


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17c6c96d980000

Edward Adam Davis

Aug 11, 2024, 8:38:46 AM
to syzbot+0b74d3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
diff --git a/fs/netfs/write_issue.c b/fs/netfs/write_issue.c
index 9258d30cffe3..87d14dfa9017 100644
--- a/fs/netfs/write_issue.c
+++ b/fs/netfs/write_issue.c
@@ -35,6 +35,7 @@
#include <linux/mm.h>
#include <linux/pagemap.h>
#include "internal.h"
+#include <linux/backing-dev.h>

/*
* Kill all dirty folios in the event of an unrecoverable error, starting with
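Review bot: the new `#include <linux/backing-dev.h>` is placed after `#include "internal.h"`; kernel convention keeps the <linux/...> headers together before local headers, so put it next to <linux/pagemap.h>.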
@@ -503,6 +504,15 @@ int netfs_writepages(struct address_space *mapping,
struct folio *folio;
int error = 0;

+ if (!mapping_can_writeback(mapping) ||
+ !mapping_tagged(mapping, PAGECACHE_TAG_DIRTY)) {
+ printk("ino %lx can not wb: %d or mapping tagged :%d, %s\n",
+ mapping->host->i_ino, mapping_can_writeback(mapping),
+ mapping_tagged(mapping, PAGECACHE_TAG_DIRTY),
+ __func__);
+ return 0;
+ }
+
if (wbc->sync_mode == WB_SYNC_ALL)
mutex_lock(&ictx->wb_lock);
else if (!mutex_trylock(&ictx->wb_lock))
@@ -522,6 +532,8 @@ int netfs_writepages(struct address_space *mapping,

syzbot

Aug 11, 2024, 9:04:03 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in v9fs_begin_writeback

ino state: 393351, ino: 1901337, comm: kworker/u32:7, folio: ffffea0000efe1c0, netfs_writepages
ino: 1901337, v9fs_begin_writeback
------------[ cut here ]------------
folio expected an open fid inode->i_ino=1901337
WARNING: CPU: 3 PID: 1106 at fs/9p/vfs_addr.c:40 v9fs_begin_writeback+0x24c/0x2c0 fs/9p/vfs_addr.c:40
Modules linked in:
CPU: 3 UID: 0 PID: 1106 Comm: kworker/u32:7 Not tainted 6.11.0-rc1-syzkaller-00154-gc0ecd6388360-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: writeback wb_workfn (flush-9p-1832)
RIP: 0010:v9fs_begin_writeback+0x24c/0x2c0 fs/9p/vfs_addr.c:40
Code: 00 fc ff df 48 8b 5b 48 48 8d 7b 40 48 89 fa 48 c1 ea 03 80 3c 02 00 75 7a 48 8b 73 40 48 c7 c7 a0 9e 8e 8b e8 25 44 0d fe 90 <0f> 0b 90 90 eb 80 e8 19 29 a8 fe e9 6f ff ff ff e8 7f 28 a8 fe e9
RSP: 0018:ffffc90005c07478 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff888032ee26a0 RCX: ffffffff814cc379
RDX: ffff8880227c0000 RSI: ffffffff814cc386 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888032ee26a0
R13: ffff88802599dfd8 R14: dffffc0000000000 R15: ffffc90005c07840
FS: 0000000000000000(0000) GS:ffff88806b300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000740 CR3: 000000002c012000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
netfs_writepages+0x97c/0x10a0 fs/netfs/write_issue.c:546
do_writepages+0x1ae/0x940 mm/page-writeback.c:2683
__writeback_single_inode+0x163/0xf90 fs/fs-writeback.c:1651
writeback_sb_inodes+0x611/0x1150 fs/fs-writeback.c:1947
wb_writeback+0x199/0xb50 fs/fs-writeback.c:2127
wb_do_writeback fs/fs-writeback.c:2274 [inline]
wb_workfn+0x28d/0xf40 fs/fs-writeback.c:2314
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf20 kernel/workqueue.c:3390
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=147299d9980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=14c6caf3980000

Edward Adam Davis

Aug 11, 2024, 10:05:11 AM
to syzbot+0b74d3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
debug

#syz test: upstream c0ecd6388360

diff --git a/mm/filemap.c b/mm/filemap.c
index d62150418b91..5112cf69bce2 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -394,6 +394,7 @@ int filemap_fdatawrite_wbc(struct address_space *mapping,
return 0;

wbc_attach_fdatawrite_inode(wbc, mapping->host);
+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
ret = do_writepages(mapping, wbc);
wbc_detach_inode(wbc);
return ret;
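Review bot: the `printk()` added here and in the three filemap.c hunks that follow print the same `ino, comm, __func__` triple at each layer of a single call chain (filemap_fdatawrite() -> __filemap_fdatawrite() -> __filemap_fdatawrite_range() -> filemap_fdatawrite_wbc()), so one probe in filemap_fdatawrite_wbc(), which all of them reach, yields the same information with a quarter of the log noise. All four also lack a KERN_<LEVEL> prefix; `pr_info()` would be the conventional choice.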
@@ -427,17 +428,20 @@ int __filemap_fdatawrite_range(struct address_space *mapping, loff_t start,
.range_end = end,
};

+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
return filemap_fdatawrite_wbc(mapping, &wbc);
}

static inline int __filemap_fdatawrite(struct address_space *mapping,
int sync_mode)
{
+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
return __filemap_fdatawrite_range(mapping, 0, LLONG_MAX, sync_mode);
}

int filemap_fdatawrite(struct address_space *mapping)
{
+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
return __filemap_fdatawrite(mapping, WB_SYNC_ALL);
}
EXPORT_SYMBOL(filemap_fdatawrite);
diff --git a/mm/page-writeback.c b/mm/page-writeback.c
index 4430ac68e4c4..ddb16ce699ba 100644
--- a/mm/page-writeback.c
+++ b/mm/page-writeback.c
@@ -2687,6 +2687,7 @@ int do_writepages(struct address_space *mapping, struct writeback_control *wbc)
/* deal with chardevs and other special files */
ret = 0;
}
+ printk("ret: %d, ino: %lx, comm: %s, %s\n", ret, mapping->host->i_ino, current->comm, __func__);
if (ret != -ENOMEM || wbc->sync_mode != WB_SYNC_ALL)
break;

@@ -2797,6 +2798,9 @@ void __folio_mark_dirty(struct folio *folio, struct address_space *mapping,
folio_account_dirtied(folio, mapping);
__xa_set_mark(&mapping->i_pages, folio_index(folio),
PAGECACHE_TAG_DIRTY);
+ printk("ino: %lx, comm: %s, mapping tagged :%d, %s\n",
+ mapping->host->i_ino,
+ current->comm, mapping_tagged(mapping, PAGECACHE_TAG_DIRTY), __func__);
}
xa_unlock_irqrestore(&mapping->i_pages, flags);
}
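Review bot: the printk() inserted into __folio_mark_dirty() executes inside the xa_lock_irqsave() section on mapping->i_pages (the xa_unlock_irqrestore() is two lines below), on the path every page-cache dirtying takes, so with a console attached it adds a lot of time with interrupts disabled under the page-cache lock and will change the timing the reproducer depends on. Logging after the unlock, or restricting the probe to the 9p inode under investigation (for example by checking `mapping->host->i_sb->s_magic`), keeps the probe from distorting the race it is meant to observe.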
@@ -2828,6 +2832,9 @@ bool filemap_dirty_folio(struct address_space *mapping, struct folio *folio)
return false;
}

+ printk("ino: %lx, comm: %s, mapping tagged :%d, %s\n",
+ mapping->host->i_ino,
+ current->comm, mapping_tagged(mapping, PAGECACHE_TAG_DIRTY), __func__);
__folio_mark_dirty(folio, mapping, !folio_test_private(folio));
folio_memcg_unlock(folio);

@@ -2859,6 +2866,9 @@ bool folio_redirty_for_writepage(struct writeback_control *wbc,
bool ret;

wbc->pages_skipped += nr;
+ printk("ino: %lx, comm: %s, mapping tagged :%d, %s\n",
+ mapping->host->i_ino,
+ current->comm, mapping_tagged(mapping, PAGECACHE_TAG_DIRTY), __func__);
ret = filemap_dirty_folio(mapping, folio);
if (mapping && mapping_can_writeback(mapping)) {
struct inode *inode = mapping->host;
@@ -3148,8 +3158,12 @@ void __folio_start_writeback(struct folio *folio, bool keep_write)
*/
if (mapping->host && !on_wblist)
sb_mark_inode_writeback(mapping->host);
- if (!folio_test_dirty(folio))
+ if (!folio_test_dirty(folio)) {
xas_clear_mark(&xas, PAGECACHE_TAG_DIRTY);
+ printk("ino: %lx, comm: %s, mapping tagged :%d, %s\n",
+ mapping->host->i_ino,
+ current->comm, mapping_tagged(mapping, PAGECACHE_TAG_DIRTY), __func__);
+ }
if (!keep_write)
xas_clear_mark(&xas, PAGECACHE_TAG_TOWRITE);
xas_unlock_irqrestore(&xas, flags);

syzbot

Aug 11, 2024, 10:33:02 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in v9fs_begin_writeback

ino state: 393351, ino: 190133a, comm: kworker/u32:0, folio: ffffea0000de1400, netfs_writepages
ino: 190133a, v9fs_begin_writeback
------------[ cut here ]------------
folio expected an open fid inode->i_ino=190133a
WARNING: CPU: 2 PID: 11 at fs/9p/vfs_addr.c:40 v9fs_begin_writeback+0x24c/0x2c0 fs/9p/vfs_addr.c:40
Modules linked in:
CPU: 2 UID: 0 PID: 11 Comm: kworker/u32:0 Not tainted 6.11.0-rc1-syzkaller-00154-gc0ecd6388360-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: writeback wb_workfn (flush-9p-212)
RIP: 0010:v9fs_begin_writeback+0x24c/0x2c0 fs/9p/vfs_addr.c:40
Code: 00 fc ff df 48 8b 5b 48 48 8d 7b 40 48 89 fa 48 c1 ea 03 80 3c 02 00 75 7a 48 8b 73 40 48 c7 c7 e0 9f 8e 8b e8 35 40 0d fe 90 <0f> 0b 90 90 eb 80 e8 19 29 a8 fe e9 6f ff ff ff e8 7f 28 a8 fe e9
RSP: 0018:ffffc900000e7478 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff888032acd3b0 RCX: ffffffff814cc379
RDX: ffff888017ea2440 RSI: ffffffff814cc386 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888032acd3b0
R13: ffff888026ce12d8 R14: dffffc0000000000 R15: ffffc900000e7840
FS: 0000000000000000(0000) GS:ffff88806b200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000740 CR3: 000000001efc6000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
netfs_writepages+0x97c/0x10a0 fs/netfs/write_issue.c:546
do_writepages+0x1ae/0x940 mm/page-writeback.c:2683
__writeback_single_inode+0x163/0xf90 fs/fs-writeback.c:1651
writeback_sb_inodes+0x611/0x1150 fs/fs-writeback.c:1947
wb_writeback+0x199/0xb50 fs/fs-writeback.c:2127
wb_do_writeback fs/fs-writeback.c:2274 [inline]
wb_workfn+0x28d/0xf40 fs/fs-writeback.c:2314
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf20 kernel/workqueue.c:3390
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=15b7d95d980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=16d13d11980000

Edward Adam Davis

Aug 12, 2024, 6:52:23 AM
to syzbot+0b74d3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
debug

#syz test: upstream c0ecd6388360

diff --git a/fs/netfs/buffered_read.c b/fs/netfs/buffered_read.c
index a688d4c75d99..533738844f0c 100644
--- a/fs/netfs/buffered_read.c
+++ b/fs/netfs/buffered_read.c
@@ -110,6 +110,7 @@ void netfs_rreq_unlock_folios(struct netfs_io_request *rreq)
if (wback_to_cache && !WARN_ON_ONCE(folio_get_private(folio) != NULL)) {
trace_netfs_folio(folio, netfs_folio_trace_copy_to_cache);
folio_attach_private(folio, NETFS_FOLIO_COPY_TO_CACHE);
+ printk("ino: %lx, folio: %p, %s\n", folio->mapping->host->i_ino, folio, __func__);
filemap_dirty_folio(folio->mapping, folio);
}
}
diff --git a/fs/netfs/buffered_write.c b/fs/netfs/buffered_write.c
index 4726c315453c..8e4804f24f06 100644
--- a/fs/netfs/buffered_write.c
+++ b/fs/netfs/buffered_write.c
@@ -392,6 +392,7 @@ ssize_t netfs_perform_write(struct kiocb *iocb, struct iov_iter *iter,
folio_mark_dirty(folio);
folio_unlock(folio);
} else {
+ printk("ino: %lx, folio: %p, %s\n", wreq->inode->i_ino, folio, __func__);
netfs_advance_writethrough(wreq, &wbc, folio, copied,
offset + copied == flen,
&writethrough);
diff --git a/fs/netfs/misc.c b/fs/netfs/misc.c
index 83e644bd518f..cb4b16c8a129 100644
--- a/fs/netfs/misc.c
+++ b/fs/netfs/misc.c
@@ -28,6 +28,7 @@ bool netfs_dirty_folio(struct address_space *mapping, struct folio *folio)

_enter("");

+ printk("ino: %lx, folio: %p, %s\n", inode->i_ino, folio, __func__);
if (!filemap_dirty_folio(mapping, folio))
return false;
if (!fscache_cookie_valid(cookie))
diff --git a/fs/netfs/write_issue.c b/fs/netfs/write_issue.c
index 9258d30cffe3..0f3c314d27d3 100644
--- a/fs/netfs/write_issue.c
+++ b/fs/netfs/write_issue.c
@@ -35,6 +35,7 @@
#include <linux/mm.h>
#include <linux/pagemap.h>
#include "internal.h"
+#include <linux/backing-dev.h>

/*
* Kill all dirty folios in the event of an unrecoverable error, starting with
@@ -74,6 +75,7 @@ static void netfs_kill_dirty_pages(struct address_space *mapping,

trace_netfs_folio(folio, why);

+ printk("ino: %lx, folio: %p, %s\n", mapping->host->i_ino, folio, __func__);
folio_start_writeback(folio);
folio_unlock(folio);
folio_end_writeback(folio);
@@ -331,6 +333,7 @@ static int netfs_write_folio(struct netfs_io_request *wreq,
if (fpos >= i_size) {
/* mmap beyond eof. */
_debug("beyond eof");
+ printk("1 ino: %lx, folio: %p, %s\n", wreq->inode->i_ino, folio, __func__);
folio_start_writeback(folio);
folio_unlock(folio);
wreq->nr_group_rel += netfs_folio_written_back(folio);
@@ -403,8 +406,10 @@ static int netfs_write_folio(struct netfs_io_request *wreq,
* from write-through, then the page has already been put into the wb
* state.
*/
- if (wreq->origin == NETFS_WRITEBACK)
+ if (wreq->origin == NETFS_WRITEBACK) {
+ printk("2 ino: %lx, folio: %p, %s\n", wreq->inode->i_ino, folio, __func__);
folio_start_writeback(folio);
+ }
folio_unlock(folio);

if (fgroup == NETFS_FOLIO_COPY_TO_CACHE) {
@@ -503,6 +508,15 @@ int netfs_writepages(struct address_space *mapping,
struct folio *folio;
int error = 0;

+ if (!mapping_can_writeback(mapping) ||
+ !mapping_tagged(mapping, PAGECACHE_TAG_DIRTY)) {
+ printk("ino %lx can not wb: %d or mapping tagged :%d, %s\n",
+ mapping->host->i_ino, mapping_can_writeback(mapping),
+ mapping_tagged(mapping, PAGECACHE_TAG_DIRTY),
+ __func__);
+ return 0;
+ }
+
if (wbc->sync_mode == WB_SYNC_ALL)
mutex_lock(&ictx->wb_lock);
else if (!mutex_trylock(&ictx->wb_lock))
@@ -522,6 +536,8 @@ int netfs_writepages(struct address_space *mapping,
trace_netfs_write(wreq, netfs_write_trace_writeback);
netfs_stat(&netfs_n_wh_writepages);

+ printk("ino state: %lu, ino: %lx, comm: %s, folio: %p, %s\n", wreq->inode->i_state,
+ wreq->inode->i_ino, current->comm, folio, __func__);
do {
_debug("wbiter %lx %llx", folio->index, wreq->start + wreq->submitted);

@@ -551,6 +567,7 @@ int netfs_writepages(struct address_space *mapping,
return error;

couldnt_start:
+ printk("ino: %lx, folio: %p, error: %d, %s\n", mapping->host->i_ino, folio, error, __func__);
netfs_kill_dirty_pages(mapping, wbc, folio);
out:
mutex_unlock(&ictx->wb_lock);
@@ -600,6 +617,7 @@ int netfs_advance_writethrough(struct netfs_io_request *wreq, struct writeback_c
folio_clear_dirty_for_io(folio);

/* We can make multiple writes to the folio... */
+ printk("ino: %lx, folio: %p, %s\n", wreq->inode->i_ino, folio, __func__);
folio_start_writeback(folio);
if (wreq->len == 0)
trace_netfs_folio(folio, netfs_folio_trace_wthru);
diff --git a/fs/9p/vfs_addr.c b/fs/9p/vfs_addr.c
index a97ceb105cd8..7768cc70439d 100644
--- a/fs/9p/vfs_addr.c
+++ b/fs/9p/vfs_addr.c
@@ -34,6 +34,7 @@ static void v9fs_begin_writeback(struct netfs_io_request *wreq)
{
struct p9_fid *fid;

+ printk("ino: %lx, %s\n", wreq->inode->i_ino, __func__);
fid = v9fs_fid_find_inode(wreq->inode, true, INVALID_UID, true);
if (!fid) {
WARN_ONCE(1, "folio expected an open fid inode->i_ino=%lx\n",
diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c
index e0d34e4e9076..84c3d83439d9 100644
--- a/fs/9p/vfs_dir.c
+++ b/fs/9p/vfs_dir.c
@@ -215,12 +215,18 @@ int v9fs_dir_release(struct inode *inode, struct file *filp)
inode, filp, fid ? fid->fid : -1);

if (fid) {
- if ((S_ISREG(inode->i_mode)) && (filp->f_mode & FMODE_WRITE))
- retval = filemap_fdatawrite(inode->i_mapping);
+ if ((S_ISREG(inode->i_mode)) && (filp->f_mode & FMODE_WRITE)) {
+ printk("ino: %lx, comm: %s, %s\n", inode->i_ino, current->comm, __func__);
+ if (!mapping_tagged(inode->i_mapping, PAGECACHE_TAG_WRITEBACK))
+ retval = filemap_fdatawrite(inode->i_mapping);
+ }
+ printk("del, ino: %lx, ino state: %lu, comm: %s, fid refcount: %d, %s\n", inode->i_ino, inode->i_state, current->comm, refcount_read(&fid->count), __func__);

- spin_lock(&inode->i_lock);
- hlist_del(&fid->ilist);
- spin_unlock(&inode->i_lock);
+ if (refcount_read(&fid->count) == 1) {
+ spin_lock(&inode->i_lock);
+ hlist_del(&fid->ilist);
+ spin_unlock(&inode->i_lock);
+ }
put_err = p9_fid_put(fid);
retval = retval < 0 ? retval : put_err;
}
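Review bot: the `refcount_read(&fid->count) == 1` test guarding hlist_del() is evaluated outside inode->i_lock and, more importantly, leaves the fid on the inode's ilist whenever some other holder still has a reference, for instance a writeback request that obtained its own reference through v9fs_fid_find_inode(); that holder then drops the last reference, p9_fid_put() clunks and frees the fid, and the list still points at freed memory. The same approach in the Aug 14 patch further down this thread produces exactly that outcome: a KASAN slab-use-after-free read in v9fs_fid_find_inode() with the free coming from v9fs_free_request(). Removal from ilist has to happen wherever the final reference is dropped, or lookups have to skip a fid whose owner is releasing it. Minor: `inode->i_state` in the new `del` printk is a flag word, so `%#lx` reads much better than `%lu` (the runs in this thread print it as 393351).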
diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c
index 348cc90bf9c5..5b2a77bf1e5e 100644
--- a/fs/9p/vfs_file.c
+++ b/fs/9p/vfs_file.c
@@ -44,6 +44,7 @@ int v9fs_file_open(struct inode *inode, struct file *file)
struct p9_fid *fid;
int omode;

+ pr_info("ino: %lx, %s\n", inode->i_ino, __func__);
p9_debug(P9_DEBUG_VFS, "inode: %p file: %p\n", inode, file);
v9ses = v9fs_inode2v9ses(inode);
if (v9fs_proto_dotl(v9ses))
@@ -461,6 +462,7 @@ v9fs_file_mmap(struct file *filp, struct vm_area_struct *vma)
struct v9fs_session_info *v9ses = v9fs_inode2v9ses(inode);

p9_debug(P9_DEBUG_MMAP, "filp :%p\n", filp);
+ pr_info("ino: %lx, comm: %s, %s\n", inode->i_ino, current->comm, __func__);

if (!(v9ses->cache & CACHE_WRITEBACK)) {
p9_debug(P9_DEBUG_CACHE, "(read-only mmap mode)");
diff --git a/mm/filemap.c b/mm/filemap.c
index d62150418b91..5112cf69bce2 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -394,6 +394,7 @@ int filemap_fdatawrite_wbc(struct address_space *mapping,
return 0;

wbc_attach_fdatawrite_inode(wbc, mapping->host);
+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
ret = do_writepages(mapping, wbc);
wbc_detach_inode(wbc);
return ret;
@@ -427,17 +428,20 @@ int __filemap_fdatawrite_range(struct address_space *mapping, loff_t start,
.range_end = end,
};

+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
return filemap_fdatawrite_wbc(mapping, &wbc);
}

static inline int __filemap_fdatawrite(struct address_space *mapping,
int sync_mode)
{
+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
return __filemap_fdatawrite_range(mapping, 0, LLONG_MAX, sync_mode);
}

int filemap_fdatawrite(struct address_space *mapping)
{
+ printk("ino: %lx, comm: %s, %s\n", mapping->host->i_ino, current->comm, __func__);
return __filemap_fdatawrite(mapping, WB_SYNC_ALL);
}
EXPORT_SYMBOL(filemap_fdatawrite);
diff --git a/mm/page-writeback.c b/mm/page-writeback.c
index 4430ac68e4c4..043809a4cf9e 100644
@@ -2906,6 +2916,7 @@ bool folio_mark_dirty(struct folio *folio)
*/
if (folio_test_reclaim(folio))
folio_clear_reclaim(folio);
+ printk("ino: %lx, folio: %p, %s\n", mapping->host->i_ino, folio, __func__);
return mapping->a_ops->dirty_folio(mapping, folio);
}

@@ -3148,8 +3159,12 @@ void __folio_start_writeback(struct folio *folio, bool keep_write)
*/
if (mapping->host && !on_wblist)
sb_mark_inode_writeback(mapping->host);
- if (!folio_test_dirty(folio))
+ if (!folio_test_dirty(folio)) {
xas_clear_mark(&xas, PAGECACHE_TAG_DIRTY);
+ printk("ino: %lx, comm: %s, mapping tagged :%d, folio: %p, %s\n",
+ mapping->host->i_ino,
+ current->comm, mapping_tagged(mapping, PAGECACHE_TAG_DIRTY), folio, __func__);

syzbot

Aug 12, 2024, 7:18:04 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in v9fs_begin_writeback

ino: 1901338, v9fs_begin_writeback
------------[ cut here ]------------
folio expected an open fid inode->i_ino=1901338
WARNING: CPU: 0 PID: 1201 at fs/9p/vfs_addr.c:40 v9fs_begin_writeback+0x24c/0x2c0 fs/9p/vfs_addr.c:40
Modules linked in:
CPU: 0 UID: 0 PID: 1201 Comm: kworker/u32:11 Not tainted 6.11.0-rc1-syzkaller-00154-gc0ecd6388360-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: writeback wb_workfn (flush-9p-8)
RIP: 0010:v9fs_begin_writeback+0x24c/0x2c0 fs/9p/vfs_addr.c:40
Code: 00 fc ff df 48 8b 5b 48 48 8d 7b 40 48 89 fa 48 c1 ea 03 80 3c 02 00 75 7a 48 8b 73 40 48 c7 c7 20 a4 8e 8b e8 95 3b 0d fe 90 <0f> 0b 90 90 eb 80 e8 f9 24 a8 fe e9 6f ff ff ff e8 5f 24 a8 fe e9
RSP: 0018:ffffc90005d8f478 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff888033572030 RCX: ffffffff814cc379
RDX: ffff888023322440 RSI: ffffffff814cc386 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888033572030
R13: ffff88801bafd958 R14: dffffc0000000000 R15: ffffc90005d8f840
FS: 0000000000000000(0000) GS:ffff88806b000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2173307a8c CR3: 0000000042048000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
netfs_writepages+0x97c/0x1230 fs/netfs/write_issue.c:550
do_writepages+0x1ae/0x940 mm/page-writeback.c:2683
__writeback_single_inode+0x163/0xf90 fs/fs-writeback.c:1651
writeback_sb_inodes+0x611/0x1150 fs/fs-writeback.c:1947
wb_writeback+0x199/0xb50 fs/fs-writeback.c:2127
wb_do_writeback fs/fs-writeback.c:2274 [inline]
wb_workfn+0x28d/0xf40 fs/fs-writeback.c:2314
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf20 kernel/workqueue.c:3390
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=11e497c9980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10c6e95d980000

Edward Adam Davis

Aug 12, 2024, 8:29:55 PM
to syzbot+0b74d3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
index 9258d30cffe3..648a7ea6881c 100644
--- a/fs/netfs/write_issue.c
+++ b/fs/netfs/write_issue.c
@@ -35,6 +35,7 @@
#include <linux/mm.h>
#include <linux/pagemap.h>
#include "internal.h"
+#include <linux/backing-dev.h>

/*
* Kill all dirty folios in the event of an unrecoverable error, starting with
@@ -74,6 +75,7 @@ static void netfs_kill_dirty_pages(struct address_space *mapping,

trace_netfs_folio(folio, why);

+ printk("ino: %lx, folio: %p, %s\n", mapping->host->i_ino, folio, __func__);
folio_start_writeback(folio);
folio_unlock(folio);
folio_end_writeback(folio);
@@ -387,6 +389,7 @@ static int netfs_write_folio(struct netfs_io_request *wreq,
} else if (fgroup != wreq->group) {
/* We can't write this page to the server yet. */
kdebug("wrong group");
+ printk("1 ino: %lx, folio: %p, %s\n", wreq->inode->i_ino, folio, __func__);
folio_redirty_for_writepage(wbc, folio);
folio_unlock(folio);
netfs_issue_write(wreq, upload);
@@ -403,12 +406,15 @@ static int netfs_write_folio(struct netfs_io_request *wreq,
* from write-through, then the page has already been put into the wb
* state.
*/
- if (wreq->origin == NETFS_WRITEBACK)
+ if (wreq->origin == NETFS_WRITEBACK) {
+ printk("2 ino: %lx, folio: %p, %s\n", wreq->inode->i_ino, folio, __func__);
folio_start_writeback(folio);
+ }
folio_unlock(folio);

if (fgroup == NETFS_FOLIO_COPY_TO_CACHE) {
if (!fscache_resources_valid(&wreq->cache_resources)) {
+ printk("3 ino: %lx, folio: %p, %s\n", wreq->inode->i_ino, folio, __func__);
trace_netfs_folio(folio, netfs_folio_trace_cancel_copy);
netfs_issue_write(wreq, upload);
netfs_folio_written_back(folio);
@@ -503,6 +509,15 @@ int netfs_writepages(struct address_space *mapping,
struct folio *folio;
int error = 0;

+ if (!mapping_can_writeback(mapping) ||
+ !mapping_tagged(mapping, PAGECACHE_TAG_DIRTY)) {
+ printk("ino %lx can not wb: %d or mapping tagged :%d, %s\n",
+ mapping->host->i_ino, mapping_can_writeback(mapping),
+ mapping_tagged(mapping, PAGECACHE_TAG_DIRTY),
+ __func__);
+ return 0;
+ }
+
if (wbc->sync_mode == WB_SYNC_ALL)
mutex_lock(&ictx->wb_lock);
else if (!mutex_trylock(&ictx->wb_lock))
@@ -522,6 +537,8 @@ int netfs_writepages(struct address_space *mapping,
trace_netfs_write(wreq, netfs_write_trace_writeback);
netfs_stat(&netfs_n_wh_writepages);

+ printk("ino state: %lu, ino: %lx, comm: %s, folio: %p, %s\n", wreq->inode->i_state,
+ wreq->inode->i_ino, current->comm, folio, __func__);
do {
_debug("wbiter %lx %llx", folio->index, wreq->start + wreq->submitted);

@@ -553,6 +570,7 @@ int netfs_writepages(struct address_space *mapping,
couldnt_start:
netfs_kill_dirty_pages(mapping, wbc, folio);
out:
+ printk("out, ino: %lx, folio: %p, error: %d, %s\n", mapping->host->i_ino, folio, error, __func__);
mutex_unlock(&ictx->wb_lock);
_leave(" = %d", error);
return error;
@@ -600,6 +618,7 @@ int netfs_advance_writethrough(struct netfs_io_request *wreq, struct writeback_c
folio_clear_dirty_for_io(folio);

/* We can make multiple writes to the folio... */
+ printk("ino: %lx, folio: %p, %s\n", wreq->inode->i_ino, folio, __func__);
folio_start_writeback(folio);
if (wreq->len == 0)
trace_netfs_folio(folio, netfs_folio_trace_wthru);
diff --git a/fs/9p/vfs_addr.c b/fs/9p/vfs_addr.c
index a97ceb105cd8..7768cc70439d 100644
--- a/fs/9p/vfs_addr.c
+++ b/fs/9p/vfs_addr.c
@@ -34,6 +34,7 @@ static void v9fs_begin_writeback(struct netfs_io_request *wreq)
{
struct p9_fid *fid;

+ printk("ino: %lx, %s\n", wreq->inode->i_ino, __func__);
fid = v9fs_fid_find_inode(wreq->inode, true, INVALID_UID, true);
if (!fid) {
WARN_ONCE(1, "folio expected an open fid inode->i_ino=%lx\n",
diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c
index e0d34e4e9076..08aa879896e3 100644
--- a/fs/9p/vfs_dir.c
+++ b/fs/9p/vfs_dir.c
@@ -215,8 +215,12 @@ int v9fs_dir_release(struct inode *inode, struct file *filp)
inode, filp, fid ? fid->fid : -1);

if (fid) {
- if ((S_ISREG(inode->i_mode)) && (filp->f_mode & FMODE_WRITE))
- retval = filemap_fdatawrite(inode->i_mapping);
+ if ((S_ISREG(inode->i_mode)) && (filp->f_mode & FMODE_WRITE)) {
+ printk("ino: %lx, comm: %s, %s\n", inode->i_ino, current->comm, __func__);
+ if (!mapping_tagged(inode->i_mapping, PAGECACHE_TAG_WRITEBACK))
+ retval = filemap_fdatawrite(inode->i_mapping);
+ }
+ printk("del, ino: %lx, ino state: %lu, comm: %s, %s\n", inode->i_ino, inode->i_state, current->comm, __func__);

spin_lock(&inode->i_lock);
hlist_del(&fid->ilist);
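Review bot: gating filemap_fdatawrite() on `!mapping_tagged(inode->i_mapping, PAGECACHE_TAG_WRITEBACK)` skips the flush whenever at least one folio is already under writeback, but the tag says nothing about the other dirty folios, which are then left behind while the fid is unlinked from ilist and put two lines below; those are precisely the folios the flusher later finds with no open fid, which is what the warning reports. The guard is also unnecessary: filemap_fdatawrite() issues WB_SYNC_ALL writeback (see the mm/filemap.c hunk in the earlier debug patch), which waits on folios already in flight rather than racing them. The same gate appears in the vfs_dir.c hunk of the 06:52 patch above.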
index 4430ac68e4c4..28a4a7a60446 100644
+ printk("ino: %lx, not write folio: %p, nr: %lu, comm: %s, mapping tagged dirty :%d, %s\n",
+ mapping->host->i_ino, folio, nr,

syzbot

Aug 12, 2024, 8:57:04 PM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in v9fs_begin_writeback

ino state: 393351, ino: 1901337, comm: kworker/u32:1, folio: ffffea0000d06040, netfs_writepages
ino: 1901337, v9fs_begin_writeback
------------[ cut here ]------------
folio expected an open fid inode->i_ino=1901337
WARNING: CPU: 1 PID: 13 at fs/9p/vfs_addr.c:40 v9fs_begin_writeback+0x24c/0x2c0 fs/9p/vfs_addr.c:40
Modules linked in:
CPU: 1 UID: 0 PID: 13 Comm: kworker/u32:1 Not tainted 6.11.0-rc1-syzkaller-00154-gc0ecd6388360-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: writeback wb_workfn (flush-9p-143)
RIP: 0010:v9fs_begin_writeback+0x24c/0x2c0 fs/9p/vfs_addr.c:40
Code: 00 fc ff df 48 8b 5b 48 48 8d 7b 40 48 89 fa 48 c1 ea 03 80 3c 02 00 75 7a 48 8b 73 40 48 c7 c7 a0 a3 8e 8b e8 75 3c 0d fe 90 <0f> 0b 90 90 eb 80 e8 49 24 a8 fe e9 6f ff ff ff e8 af 23 a8 fe e9
RSP: 0018:ffffc90000107478 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff8880324173e0 RCX: ffffffff814cc379
RDX: ffff888017ea8000 RSI: ffffffff814cc386 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880324173e0
R13: ffff888024c17358 R14: dffffc0000000000 R15: ffffc90000107840
FS: 0000000000000000(0000) GS:ffff88806b100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555571e075c8 CR3: 000000002bbf0000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
netfs_writepages+0x97c/0x1240 fs/netfs/write_issue.c:551
do_writepages+0x1ae/0x940 mm/page-writeback.c:2683
__writeback_single_inode+0x163/0xf90 fs/fs-writeback.c:1651
writeback_sb_inodes+0x611/0x1150 fs/fs-writeback.c:1947
wb_writeback+0x199/0xb50 fs/fs-writeback.c:2127
wb_do_writeback fs/fs-writeback.c:2274 [inline]
wb_workfn+0x28d/0xf40 fs/fs-writeback.c:2314
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf20 kernel/workqueue.c:3390
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=137d46ed980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=16e46af5980000

Edward Adam Davis

Aug 14, 2024, 5:27:03 AM
to syzbot+0b74d3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
debug

#syz test: upstream c0ecd6388360

diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c
index e0d34e4e9076..cb511d49e35a 100644
--- a/fs/9p/vfs_dir.c
+++ b/fs/9p/vfs_dir.c
@@ -218,8 +218,10 @@ int v9fs_dir_release(struct inode *inode, struct file *filp)
if ((S_ISREG(inode->i_mode)) && (filp->f_mode & FMODE_WRITE))
retval = filemap_fdatawrite(inode->i_mapping);

+ printk("fid: %p, %s\n", fid, __func__);
spin_lock(&inode->i_lock);
- hlist_del(&fid->ilist);
+ if (refcount_read(&fid->count) == 1)
+ hlist_del(&fid->ilist);
spin_unlock(&inode->i_lock);
put_err = p9_fid_put(fid);
retval = retval < 0 ? retval : put_err;
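Review bot: moving the `refcount_read(&fid->count) == 1` check under inode->i_lock removes the unlocked read but not the ownership problem, and syzbot's reply below shows the result: a writeback request takes its own reference through v9fs_fid_find_inode() (and drops it in v9fs_free_request()), so at release time the count is 2, hlist_del() is skipped, this path puts its reference, and when the request later drops the last one p9_client_clunk() kfree()s a fid that is still linked on the inode's ilist; the next v9fs_fid_find_inode() walk reads the freed object, which is the KASAN slab-use-after-free reported. A fid must leave ilist before, or together with, its final put, whichever holder performs it.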
diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c
index 348cc90bf9c5..acee5f6570a5 100644
--- a/fs/9p/vfs_file.c
+++ b/fs/9p/vfs_file.c
@@ -52,6 +52,7 @@ int v9fs_file_open(struct inode *inode, struct file *file)
omode = v9fs_uflags2omode(file->f_flags,
v9fs_proto_dotu(v9ses));
fid = file->private_data;
+ printk("fid: %p, %s\n", fid, __func__);
if (!fid) {
fid = v9fs_fid_clone(file_dentry(file));
if (IS_ERR(fid))
@@ -80,6 +81,8 @@ int v9fs_file_open(struct inode *inode, struct file *file)

file->private_data = fid;
}
+ else
+ p9_fid_get(fid);

#ifdef CONFIG_9P_FSCACHE
if (v9ses->cache & CACHE_FSCACHE)
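Review bot: the `else p9_fid_get(fid);` added after the `if (!fid) { ... }` block has no matching p9_fid_put() anywhere in this patch: v9fs_dir_release() still performs a single put, so a file that arrives with private_data already populated keeps one extra reference and its fid is never clunked, trading the use-after-free for a leak. Style: kernel code places `} else {` on the closing-brace line rather than a bare `else` on the line after `}`, and a reference taken for balancing purposes deserves a comment saying which put it pairs with.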

syzbot

Aug 14, 2024, 5:47:04 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in v9fs_fid_find_inode

==================================================================
BUG: KASAN: slab-use-after-free in v9fs_fid_find_inode+0x2e9/0x320 fs/9p/fid.c:72
Read of size 4 at addr ffff88801ef88810 by task kworker/u32:10/1215

CPU: 1 UID: 0 PID: 1215 Comm: kworker/u32:10 Not tainted 6.11.0-rc1-syzkaller-00154-gc0ecd6388360-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: writeback wb_workfn (flush-9p-31)
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
v9fs_fid_find_inode+0x2e9/0x320 fs/9p/fid.c:72
v9fs_begin_writeback+0x49/0x280 fs/9p/vfs_addr.c:37
netfs_writepages+0x656/0xde0 fs/netfs/write_issue.c:534
do_writepages+0x1a3/0x7f0 mm/page-writeback.c:2683
__writeback_single_inode+0x163/0xf90 fs/fs-writeback.c:1651
writeback_sb_inodes+0x611/0x1150 fs/fs-writeback.c:1947
wb_writeback+0x199/0xb50 fs/fs-writeback.c:2127
wb_do_writeback fs/fs-writeback.c:2274 [inline]
wb_workfn+0x28d/0xf40 fs/fs-writeback.c:2314
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf20 kernel/workqueue.c:3390
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>

Allocated by task 5955:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
kmalloc_noprof include/linux/slab.h:681 [inline]
kzalloc_noprof include/linux/slab.h:807 [inline]
p9_fid_create+0x45/0x470 net/9p/client.c:856
p9_client_walk+0xc6/0x550 net/9p/client.c:1157
clone_fid fs/9p/fid.h:23 [inline]
v9fs_fid_clone fs/9p/fid.h:33 [inline]
v9fs_file_open+0x63d/0xbb0 fs/9p/vfs_file.c:57
do_dentry_open+0x91f/0x15f0 fs/open.c:959
vfs_open+0x82/0x3f0 fs/open.c:1089
do_open fs/namei.c:3727 [inline]
path_openat+0x2141/0x2d20 fs/namei.c:3886
do_filp_open+0x1dc/0x430 fs/namei.c:3913
do_sys_openat2+0x17a/0x1e0 fs/open.c:1416
do_sys_open fs/open.c:1431 [inline]
__do_sys_openat fs/open.c:1447 [inline]
__se_sys_openat fs/open.c:1442 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1442
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 1215:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
poison_slab_object+0xf7/0x160 mm/kasan/common.c:240
__kasan_slab_free+0x32/0x50 mm/kasan/common.c:256
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2252 [inline]
slab_free mm/slub.c:4473 [inline]
kfree+0x12a/0x3b0 mm/slub.c:4594
p9_client_clunk+0x12a/0x170 net/9p/client.c:1459
p9_fid_put include/net/9p/client.h:280 [inline]
v9fs_free_request+0xdc/0x110 fs/9p/vfs_addr.c:138
netfs_free_request+0x257/0x720 fs/netfs/objects.c:135
netfs_put_request+0x19b/0x1f0 fs/netfs/objects.c:170
netfs_write_collection_worker+0x1a1d/0x5a10 fs/netfs/write_collect.c:702
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf20 kernel/workqueue.c:3390
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

The buggy address belongs to the object at ffff88801ef88800
which belongs to the cache kmalloc-96 of size 96
The buggy address is located 16 bytes inside of
freed 96-byte region [ffff88801ef88800, ffff88801ef88860)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ef88
anon flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xfdffffff(slab)
raw: 00fff00000000000 ffff888015842280 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000200020 00000001fdffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4829, tgid 4829 (udevd), ts 32699297341, free_ts 30639630227
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1493
prep_new_page mm/page_alloc.c:1501 [inline]
get_page_from_freelist+0x1351/0x2e50 mm/page_alloc.c:3442
__alloc_pages_noprof+0x22b/0x2460 mm/page_alloc.c:4700
__alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
alloc_slab_page+0x4e/0xf0 mm/slub.c:2321
allocate_slab mm/slub.c:2484 [inline]
new_slab+0x84/0x260 mm/slub.c:2537
___slab_alloc+0xdac/0x1870 mm/slub.c:3723
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3813
__slab_alloc_node mm/slub.c:3866 [inline]
slab_alloc_node mm/slub.c:4025 [inline]
__do_kmalloc_node mm/slub.c:4157 [inline]
__kmalloc_noprof+0x367/0x400 mm/slub.c:4170
kmalloc_noprof include/linux/slab.h:685 [inline]
kzalloc_noprof include/linux/slab.h:807 [inline]
tomoyo_encode2+0x100/0x3e0 security/tomoyo/realpath.c:45
tomoyo_encode+0x29/0x50 security/tomoyo/realpath.c:80
tomoyo_realpath_from_path+0x19d/0x720 security/tomoyo/realpath.c:283
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x273/0x450 security/tomoyo/file.c:822
security_inode_getattr+0xf4/0x160 security/security.c:2269
vfs_getattr fs/stat.c:204 [inline]
vfs_fstat+0x53/0xd0 fs/stat.c:229
vfs_fstatat+0x146/0x160 fs/stat.c:338
__do_sys_newfstatat+0xa2/0x130 fs/stat.c:505
page last free pid 4837 tgid 4837 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1094 [inline]
free_unref_page+0x64a/0xe40 mm/page_alloc.c:2612
__put_partials+0x14c/0x170 mm/slub.c:3051
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3988 [inline]
slab_alloc_node mm/slub.c:4037 [inline]
__do_kmalloc_node mm/slub.c:4157 [inline]
__kmalloc_noprof+0x199/0x400 mm/slub.c:4170
kmalloc_noprof include/linux/slab.h:685 [inline]
tomoyo_realpath_from_path+0xb9/0x720 security/tomoyo/realpath.c:251
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_check_open_permission+0x2a7/0x3b0 security/tomoyo/file.c:771
tomoyo_file_open+0x71/0x90 security/tomoyo/tomoyo.c:334
security_file_open+0x78/0x8b0 security/security.c:2988
do_dentry_open+0x5c7/0x15f0 fs/open.c:946
vfs_open+0x82/0x3f0 fs/open.c:1089
do_open fs/namei.c:3727 [inline]
path_openat+0x2141/0x2d20 fs/namei.c:3886
do_filp_open+0x1dc/0x430 fs/namei.c:3913
do_sys_openat2+0x17a/0x1e0 fs/open.c:1416
do_sys_open fs/open.c:1431 [inline]
__do_sys_openat fs/open.c:1447 [inline]
__se_sys_openat fs/open.c:1442 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1442

Memory state around the buggy address:
ffff88801ef88700: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff88801ef88780: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>ffff88801ef88800: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                         ^
ffff88801ef88880: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff88801ef88900: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
==================================================================


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1219db5d980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10f5adcb980000
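
The "Memory state around the buggy address" rows in the report above can be decoded mechanically rather than by eye. The script below is an added example, not part of the syzbot report or of the kernel tree: it embeds the five shadow rows copied from the report and the faulting address KASAN printed, and recovers from the shadow bytes alone the freed object's extent, which should agree with the report's "16 bytes inside of freed 96-byte region" line. Granule size and the poison legend are the generic-KASAN values for x86_64; any value not in the legend is reported as unknown rather than guessed.

```python
"""Decode a generic-KASAN "Memory state around the buggy address" dump.

Added example, not part of the syzbot report or of the kernel: the rows
in MEMORY_STATE are copied from the report above and FAULT_ADDR is the
address KASAN printed. In generic KASAN on x86_64 each shadow byte
describes one 8-byte granule and a dump row covers 16 granules.
"""
import re

GRANULE = 8            # KASAN_GRANULE_SIZE
ROW_GRANULES = 16      # shadow bytes per dump row (128 bytes of memory)

# Poison values from mm/kasan/kasan.h (generic mode).
SHADOW_LEGEND = {
    0xf1: "stack left redzone",
    0xf2: "stack mid redzone",
    0xf3: "stack right redzone",
    0xf9: "global redzone",
    0xfa: "freed slab object, first granule (free track)",
    0xfb: "freed slab object",
    0xfc: "slab redzone",
    0xfe: "page redzone",
    0xff: "freed page",
}

# Copied from the report above (leading ' ' / '>' and the caret line as printed).
MEMORY_STATE = """\
 ffff88801ef88700: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff88801ef88780: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>ffff88801ef88800: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                         ^
 ffff88801ef88880: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff88801ef88900: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
"""
FAULT_ADDR = 0xffff88801ef88810   # "Read of size 4 at addr ..." in the report

ROW_RE = re.compile(r"^[ >]?([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")


def parse_memory_state(text):
    """Map each row's base address to its 16 shadow byte values (caret line skipped)."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return rows


def describe_shadow(value):
    """Human-readable meaning of one shadow byte."""
    if value is None:
        return "outside dumped rows"
    if value == 0:
        return "addressable"
    if 1 <= value < GRANULE:
        return f"partially addressable ({value} of {GRANULE} bytes)"
    return SHADOW_LEGEND.get(value, "unknown poison")


def shadow_at(rows, addr):
    """Shadow byte covering addr, or None when addr lies outside the dumped rows."""
    row_base = addr & ~(GRANULE * ROW_GRANULES - 1)
    row = rows.get(row_base)
    if row is None:
        return None
    return row[(addr - row_base) // GRANULE]


def freed_object_extent(rows, addr):
    """[start, end) of the freed slab object whose shadow run (fa, fb...) covers addr.

    Raises ValueError if addr is not inside a freed object in the dump.
    """
    if shadow_at(rows, addr) not in (0xfa, 0xfb):
        raise ValueError(f"{addr:#x} is not inside a freed slab object")
    lo = addr & ~(GRANULE - 1)
    while shadow_at(rows, lo) == 0xfb:           # walk back to the fa head granule
        lo -= GRANULE
    if shadow_at(rows, lo) != 0xfa:
        raise ValueError("freed run has no fa head granule inside the dump")
    hi = addr & ~(GRANULE - 1)
    while shadow_at(rows, hi) in (0xfa, 0xfb):   # walk forward to the redzone
        hi += GRANULE
    return lo, hi


def decode(text=MEMORY_STATE, addr=FAULT_ADDR):
    """Summarise the fault: shadow byte, its meaning, and the freed object around it."""
    rows = parse_memory_state(text)
    value = shadow_at(rows, addr)
    result = {"shadow": value, "meaning": describe_shadow(value)}
    if value in (0xfa, 0xfb):
        lo, hi = freed_object_extent(rows, addr)
        result.update(start=lo, end=hi, size=hi - lo, offset=addr - lo)
    return result


if __name__ == "__main__":
    r = decode()
    print(f"{FAULT_ADDR:#x}: shadow {r['shadow']:#04x} = {r['meaning']}")
    if "start" in r:
        print(f"freed object [{r['start']:#x}, {r['end']:#x}), "
              f"{r['size']} bytes, access at offset {r['offset']}")
```

Run as a script it prints the shadow byte under the caret (0xfb, a freed slab object) and the run of fa/fb granules around it, [ffff88801ef88800, ffff88801ef88860): 96 bytes, with the access at offset 16, the same numbers the report states in prose. The 0xfa on the first granule is where generic KASAN keeps the free-track metadata of a freed object; 0xfc after it is the slab redzone, which is why the walk stops at the object boundary.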

Edward Adam Davis

Aug 14, 2024, 6:25:38 AM
to syzbot+0b74d3...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
debug

#syz test: upstream c0ecd6388360

diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c
index e0d34e4e9076..cb511d49e35a 100644
--- a/fs/9p/vfs_dir.c
+++ b/fs/9p/vfs_dir.c
@@ -218,8 +218,10 @@ int v9fs_dir_release(struct inode *inode, struct file *filp)
if ((S_ISREG(inode->i_mode)) && (filp->f_mode & FMODE_WRITE))
retval = filemap_fdatawrite(inode->i_mapping);

+ printk("fid: %p, %s\n", fid, __func__);
spin_lock(&inode->i_lock);
- hlist_del(&fid->ilist);
+ if (refcount_read(&fid->count) == 1)
+ hlist_del(&fid->ilist);
spin_unlock(&inode->i_lock);
put_err = p9_fid_put(fid);
retval = retval < 0 ? retval : put_err;
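
Review bot: the `refcount_read(&fid->count) == 1` guard on `hlist_del(&fid->ilist)` decides list membership from a refcount snapshot, which is not a synchronisation primitive: the count can change between this read and the `p9_fid_put(fid)` two lines later, and whenever another holder still has a reference the fid is left linked on inode->ilist after this file is gone. Nothing on the put path unlinks it (the "Freed by" trace above shows p9_fid_put -> p9_client_clunk -> kfree with no list manipulation), so when that other holder drops the last reference a freed fid stays on the list that v9fs_fid_find_inode walks. List membership needs one owner: unlink unconditionally here, or unlink in the final-put path under i_lock, rather than guessing from the count. The `printk("fid: %p, ...")` is debug output (`%p` is hashed, which is fine for pairing it with the print in v9fs_file_open) and must not reach a real submission.
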
diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c
index 348cc90bf9c5..129354d5b284 100644
--- a/fs/9p/vfs_file.c
+++ b/fs/9p/vfs_file.c
@@ -80,6 +80,8 @@ int v9fs_file_open(struct inode *inode, struct file *file)

file->private_data = fid;
}
+ printk("fid: %p, %s\n", fid, __func__);

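Review bot: the hunk is truncated in the thread after the added `printk`: `@@ -80,6 +80,8 @@` announces two added lines but only one is visible and no trailing context follows, so it cannot be checked that the patch applies as posted. For the print itself, `%p` alone is a hashed pointer that only serves to pair this open with the matching release print in v9fs_dir_release; printing `fid->fid` next to it would tie the pair to the fid number the 9p server also sees.
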
syzbot

Aug 14, 2024, 7:08:05 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+0b74d3...@syzkaller.appspotmail.com
Tested-by: syzbot+0b74d3...@syzkaller.appspotmail.com

Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12540de5980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=174967d9980000

Note: testing is done by a robot and is best-effort only.

Lizhi Xu

Aug 14, 2024, 10:31:41 PM
to syzbot+0b74d3...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
Clear dirty for the released inode, stop the worker from writing it back again.

#syz test: upstream c0ecd6388360

diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c
index e0d34e4e9076..7f881506a68a 100644
--- a/fs/9p/vfs_dir.c
+++ b/fs/9p/vfs_dir.c
@@ -218,7 +218,9 @@ int v9fs_dir_release(struct inode *inode, struct file *filp)
if ((S_ISREG(inode->i_mode)) && (filp->f_mode & FMODE_WRITE))
retval = filemap_fdatawrite(inode->i_mapping);

+ printk("fid: %p, fidnum: %d, ino: %lx, %s\n", fid, fid->fid, inode->i_ino, __func__);
spin_lock(&inode->i_lock);
+ inode->i_state &= ~I_DIRTY;

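Review bot: clearing I_DIRTY from v9fs_dir_release neither stops writeback nor is safe. The flag is cleared under i_lock but the inode stays on the bdi's dirty list and the folios in i_mapping keep their dirty bits, so the flusher still reaches netfs_writepages for this inode (the syzbot result for this patch still hits the WARNING in v9fs_begin_writeback), and I_DIRTY is shared with every other open file on the inode, so dropping it discards metadata dirtiness another writer still depends on. The `filemap_fdatawrite()` above only starts writeback; if the intent is that no write is in flight when the fid goes away, the release needs to wait (filemap_write_and_wait) rather than clear state. Minor: `fid->fid` is a u32, so the debug printk wants `%u`, not `%d`.
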
syzbot

Aug 14, 2024, 10:50:04 PM
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in v9fs_begin_writeback

------------[ cut here ]------------
folio expected an open fid inode->i_ino=1901338
WARNING: CPU: 0 PID: 1105 at fs/9p/vfs_addr.c:39 v9fs_begin_writeback fs/9p/vfs_addr.c:39 [inline]
WARNING: CPU: 0 PID: 1105 at fs/9p/vfs_addr.c:39 v9fs_begin_writeback+0x210/0x280 fs/9p/vfs_addr.c:33
Modules linked in:
CPU: 0 UID: 0 PID: 1105 Comm: kworker/u32:6 Not tainted 6.11.0-rc1-syzkaller-00154-gc0ecd6388360-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: writeback wb_workfn (flush-9p-29)
RIP: 0010:v9fs_begin_writeback fs/9p/vfs_addr.c:39 [inline]
RIP: 0010:v9fs_begin_writeback+0x210/0x280 fs/9p/vfs_addr.c:33
Code: 00 fc ff df 48 8b 5b 48 48 8d 7b 40 48 89 fa 48 c1 ea 03 80 3c 02 00 75 66 48 8b 73 40 48 c7 c7 20 9a 8e 8b e8 51 4a 0d fe 90 <0f> 0b 90 90 e9 62 ff ff ff e8 32 2b a8 fe e9 51 ff ff ff e8 98 2a
RSP: 0018:ffffc90005aef480 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff88804547d3b0 RCX: ffffffff814cc379
RDX: ffff888022d92440 RSI: ffffffff814cc386 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88802b172dc8
R13: dffffc0000000000 R14: ffffc90005aef840 R15: ffff88802b173018
FS: 0000000000000000(0000) GS:ffff88806b000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff8ce29b68 CR3: 000000001bb1c000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
netfs_writepages+0x656/0xde0 fs/netfs/write_issue.c:534
do_writepages+0x1a3/0x7f0 mm/page-writeback.c:2683
__writeback_single_inode+0x163/0xf90 fs/fs-writeback.c:1651
writeback_sb_inodes+0x611/0x1150 fs/fs-writeback.c:1947
wb_writeback+0x199/0xb50 fs/fs-writeback.c:2127
wb_do_writeback fs/fs-writeback.c:2274 [inline]
wb_workfn+0x28d/0xf40 fs/fs-writeback.c:2314
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf20 kernel/workqueue.c:3390
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=10fc0ad5980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11af3bd9980000

Lizhi Xu

Aug 14, 2024, 11:00:36 PM
to syzbot+0b74d3...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
Clear dirty for the released inode, stop the worker from writing it back again.

#syz test: upstream c0ecd6388360

diff --git a/fs/9p/vfs_dir.c b/fs/9p/vfs_dir.c
index e0d34e4e9076..85161f0bb749 100644
--- a/fs/9p/vfs_dir.c
+++ b/fs/9p/vfs_dir.c
@@ -218,7 +218,12 @@ int v9fs_dir_release(struct inode *inode, struct file *filp)
if ((S_ISREG(inode->i_mode)) && (filp->f_mode & FMODE_WRITE))
retval = filemap_fdatawrite(inode->i_mapping);

+ printk("fid: %p, fidnum: %d, ino: %lx, ino is freeing:%d, will free: %d, dirty: %d, %s\n", fid, fid->fid, inode->i_ino,
+ inode->i_state & I_FREEING,
+ inode->i_state & I_WILL_FREE,
+ inode->i_state & I_DIRTY, __func__);
spin_lock(&inode->i_lock);
+ inode->i_state |= I_FREEING;

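Review bot: `inode->i_state |= I_FREEING` must not be set from a file release. I_FREEING belongs to the VFS inode lifecycle and means the inode is already being torn down, so with it set on a live, hashed inode the normal iput/LRU handling and the unmount-time eviction skip the inode, and it leaks; that is the "VFS: Busy inodes after unmount (use-after-free)" BUG at fs/super.c:650 in the following test result. Minor: the printk prints `inode->i_state & I_FREEING`, `& I_WILL_FREE` and `& I_DIRTY` with `%d`, so the output is each flag's bit value rather than 0/1; `!!(...)` would make it readable.
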
syzbot

Aug 14, 2024, 11:20:06 PM
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
VFS: Busy inodes after unmount (use-after-free)

VFS: Busy inodes after unmount of 9p (9p)
------------[ cut here ]------------
kernel BUG at fs/super.c:650!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5814 Comm: syz-executor Not tainted 6.11.0-rc1-syzkaller-00154-gc0ecd6388360-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:generic_shutdown_super+0x31b/0x3d0 fs/super.c:650
Code: 28 48 89 ea 48 c1 ea 03 80 3c 02 00 0f 85 aa 00 00 00 48 8b 55 00 48 8d b3 68 06 00 00 48 c7 c7 e0 5e 5d 8b e8 66 35 73 ff 90 <0f> 0b e8 4e e9 ef ff e9 2f fd ff ff e8 44 e9 ef ff e9 02 fd ff ff
RSP: 0018:ffffc900035a7d70 EFLAGS: 00010286
RAX: 0000000000000029 RBX: ffff888025fb4000 RCX: ffffffff816b0039
RDX: 0000000000000000 RSI: ffffffff816b9416 RDI: 0000000000000005
RBP: ffffffff8e438ce0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000000 R12: ffff888025fb49c0
R13: ffff888025fb4780 R14: 0000000000000000 R15: ffff88801a1d3540
FS: 0000555587d56500(0000) GS:ffff88806b000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555587d715c8 CR3: 000000002c722000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
kill_anon_super+0x3a/0x60 fs/super.c:1237
v9fs_kill_super+0x3d/0xa0 fs/9p/vfs_super.c:193
deactivate_locked_super+0xbe/0x1a0 fs/super.c:473
deactivate_super+0xde/0x100 fs/super.c:506
cleanup_mnt+0x222/0x450 fs/namespace.c:1373
task_work_run+0x14e/0x250 kernel/task_work.c:228
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x27b/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5d0f3786e7
Code: a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 a8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007fff76269ff8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f5d0f3786e7
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007fff7626a0b0
RBP: 00007fff7626a0b0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007fff7626b130
R13: 00007f5d0f3e4784 R14: 000000000001f21c R15: 00007fff7626b170
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:generic_shutdown_super+0x31b/0x3d0 fs/super.c:650
Code: 28 48 89 ea 48 c1 ea 03 80 3c 02 00 0f 85 aa 00 00 00 48 8b 55 00 48 8d b3 68 06 00 00 48 c7 c7 e0 5e 5d 8b e8 66 35 73 ff 90 <0f> 0b e8 4e e9 ef ff e9 2f fd ff ff e8 44 e9 ef ff e9 02 fd ff ff
RSP: 0018:ffffc900035a7d70 EFLAGS: 00010286
RAX: 0000000000000029 RBX: ffff888025fb4000 RCX: ffffffff816b0039
RDX: 0000000000000000 RSI: ffffffff816b9416 RDI: 0000000000000005
RBP: ffffffff8e438ce0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000000 R12: ffff888025fb49c0
R13: ffff888025fb4780 R14: 0000000000000000 R15: ffff88801a1d3540
FS: 0000555587d56500(0000) GS:ffff88806b000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555587d715c8 CR3: 000000002c722000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=157a16d5980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1347418d980000

Lizhi Xu

Aug 15, 2024, 4:13:26 AM
to syzbot+0b74d3...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
Clear dirty for the released inode, stop the worker from writing it back again.

#syz test: upstream c0ecd6388360

diff --git a/fs/netfs/write_issue.c b/fs/netfs/write_issue.c
index ec6cf8707fb0..02b06e4e3596 100644
--- a/fs/netfs/write_issue.c
+++ b/fs/netfs/write_issue.c
@@ -530,7 +530,9 @@ int netfs_writepages(struct address_space *mapping,
if (netfs_folio_group(folio) != NETFS_FOLIO_COPY_TO_CACHE &&
unlikely(!test_bit(NETFS_RREQ_UPLOAD_TO_SERVER, &wreq->flags))) {
set_bit(NETFS_RREQ_UPLOAD_TO_SERVER, &wreq->flags);
- wreq->netfs_ops->begin_writeback(wreq);
+ printk("ino: %lx, sync: %d, wsize: %u, %s\n", wreq->inode->i_ino, wreq->inode->i_state & I_SYNC, wreq->wsize, __func__);
+ if (wreq->inode->i_state & ~I_SYNC)
+ wreq->netfs_ops->begin_writeback(wreq);
}

error = netfs_write_folio(wreq, wbc, folio);
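
Review bot: `if (wreq->inode->i_state & ~I_SYNC)` does not test what the printk suggests. `i_state & ~I_SYNC` is non-zero whenever any bit other than I_SYNC is set, so the condition is almost always true and says nothing about I_SYNC; the intended form would be `!(wreq->inode->i_state & I_SYNC)`. That form would be wrong as well: __writeback_single_inode sets I_SYNC on the inode for the duration of every flusher-driven do_writepages call (the syzbot output for this patch prints `sync: 128`, which is I_SYNC), so it would skip begin_writeback, and with it the fid lookup, for every normal writeback while still issuing the writes. A 9p fid lifetime problem also should not be patched in generic netfs code, where every other netfs user pays for the check.
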
diff --git a/mm/filemap.c b/mm/filemap.c
index 876cc64aadd7..9176270fe35a 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -438,6 +438,8 @@ static inline int __filemap_fdatawrite(struct address_space *mapping,

int filemap_fdatawrite(struct address_space *mapping)
{
+ struct inode *inode = mapping->host;
+ printk("ino: %lx, sync: %d, %s \n", inode->i_ino, inode->i_state & I_SYNC, __func__);
return __filemap_fdatawrite(mapping, WB_SYNC_ALL);
}
EXPORT_SYMBOL(filemap_fdatawrite);
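
Review bot: this puts an unconditional printk into filemap_fdatawrite(), a path shared by every filesystem, so the test kernel logs on every fdatawrite, not only 9p's; acceptable for a throwaway syz test but it has to go (or become a 9p-local print / trace_printk) before anything is posted for review. Minor: `%s \n` has a stray space before the newline, and `inode->i_state & I_SYNC` printed with `%d` yields 128 rather than a boolean.
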

syzbot

Aug 15, 2024, 4:34:04 AM
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in v9fs_begin_writeback

ino: 1901338, sync: 128, wsize: 2147483647, netfs_writepages
------------[ cut here ]------------
folio expected an open fid inode->i_ino=1901338
WARNING: CPU: 2 PID: 1106 at fs/9p/vfs_addr.c:39 v9fs_begin_writeback fs/9p/vfs_addr.c:39 [inline]
WARNING: CPU: 2 PID: 1106 at fs/9p/vfs_addr.c:39 v9fs_begin_writeback+0x210/0x280 fs/9p/vfs_addr.c:33
Modules linked in:
CPU: 2 UID: 0 PID: 1106 Comm: kworker/u32:7 Not tainted 6.11.0-rc1-syzkaller-00154-gc0ecd6388360-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: writeback wb_workfn (flush-9p-29)
RIP: 0010:v9fs_begin_writeback fs/9p/vfs_addr.c:39 [inline]
RIP: 0010:v9fs_begin_writeback+0x210/0x280 fs/9p/vfs_addr.c:33
Code: 00 fc ff df 48 8b 5b 48 48 8d 7b 40 48 89 fa 48 c1 ea 03 80 3c 02 00 75 66 48 8b 73 40 48 c7 c7 20 9b 8e 8b e8 31 48 0d fe 90 <0f> 0b 90 90 e9 62 ff ff ff e8 b2 29 a8 fe e9 51 ff ff ff e8 18 29
RSP: 0018:ffffc90005dff470 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff8880460ecd40 RCX: ffffffff814cc379
RDX: ffff888022c0a440 RSI: ffffffff814cc386 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88802dd79d88
R13: ffffc90005dff840 R14: ffff88802dd79d40 R15: ffff88802dd79d88
FS: 0000000000000000(0000) GS:ffff88806b200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020001000 CR3: 000000000db7c000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
netfs_writepages+0x773/0xf60 fs/netfs/write_issue.c:536
do_writepages+0x1a3/0x7f0 mm/page-writeback.c:2683
__writeback_single_inode+0x163/0xf90 fs/fs-writeback.c:1651
writeback_sb_inodes+0x611/0x1150 fs/fs-writeback.c:1947
wb_writeback+0x199/0xb50 fs/fs-writeback.c:2127
wb_do_writeback fs/fs-writeback.c:2274 [inline]
wb_workfn+0x28d/0xf40 fs/fs-writeback.c:2314
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf20 kernel/workqueue.c:3390
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>


Tested on:

commit: c0ecd638 Merge tag 'pci-v6.11-fixes-1' of git://git.ke..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=101677c9980000
kernel config: https://syzkaller.appspot.com/x/.config?x=8da8b059e43c5370
dashboard link: https://syzkaller.appspot.com/bug?extid=0b74d367d6e80661d6df
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=112bc3e5980000
