[syzbot] [ext4?] kernel BUG in ext4_write_inline_data


syzbot

Mar 16, 2023, 11:16:47 PM
to adilger...@dilger.ca, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, ty...@mit.edu
Hello,

syzbot found the following issue on:

HEAD commit: 134231664868 Merge tag 'staging-6.3-rc2' of git://git.kern..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10ec9f7ac80000
kernel config: https://syzkaller.appspot.com/x/.config?x=8aef547e348b1ab8
dashboard link: https://syzkaller.appspot.com/bug?extid=f4582777a19ec422b517
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f45827...@syzkaller.appspotmail.com

------------[ cut here ]------------
kernel BUG at fs/ext4/inline.c:225!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 2 PID: 24186 Comm: syz-executor.2 Not tainted 6.3.0-rc1-syzkaller-00274-g134231664868 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
RIP: 0010:ext4_write_inline_data+0x344/0x3e0 fs/ext4/inline.c:225
Code: 5f e9 b0 16 5b ff e8 ab 16 5b ff 45 8d 64 2c c4 41 bd 3c 00 00 00 41 29 ed e9 e8 fe ff ff e8 93 16 5b ff 0f 0b e8 8c 16 5b ff <0f> 0b e8 a5 5c ac ff e9 fe fd ff ff 4c 89 ff e8 98 5c ac ff e9 99
RSP: 0018:ffffc900035673c0 EFLAGS: 00010216
RAX: 000000000001158c RBX: ffff88801cbb02b0 RCX: ffffc900031ea000
RDX: 0000000000040000 RSI: ffffffff8228bf04 RDI: 0000000000000006
RBP: 0000000000000048 R08: 0000000000000006 R09: 0000000000000051
R10: 0000000000000048 R11: 0000000000000000 R12: 0000000000000009
R13: 0000000000000051 R14: ffffc90003567460 R15: ffff88801cbb0872
FS: 0000000000000000(0000) GS:ffff88802cb00000(0063) knlGS:00000000f7f53b40
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 0000000020030018 CR3: 00000000487e6000 CR4: 0000000000150ee0
Call Trace:
<TASK>
ext4_write_inline_data_end+0x2a3/0x12f0 fs/ext4/inline.c:766
ext4_da_write_end+0x396/0x9c0 fs/ext4/inode.c:3149
generic_perform_write+0x316/0x570 mm/filemap.c:3937
ext4_buffered_write_iter+0x15b/0x460 fs/ext4/file.c:289
ext4_file_write_iter+0xbe0/0x1740 fs/ext4/file.c:710
call_write_iter include/linux/fs.h:1851 [inline]
do_iter_readv_writev+0x20b/0x3b0 fs/read_write.c:735
do_iter_write+0x182/0x700 fs/read_write.c:861
vfs_iter_write+0x74/0xa0 fs/read_write.c:902
iter_file_splice_write+0x743/0xc80 fs/splice.c:778
do_splice_from fs/splice.c:856 [inline]
direct_splice_actor+0x114/0x180 fs/splice.c:1022
splice_direct_to_actor+0x335/0x8a0 fs/splice.c:977
do_splice_direct+0x1ab/0x280 fs/splice.c:1065
do_sendfile+0xb19/0x12c0 fs/read_write.c:1255
__do_compat_sys_sendfile fs/read_write.c:1344 [inline]
__se_compat_sys_sendfile fs/read_write.c:1327 [inline]
__ia32_compat_sys_sendfile+0x1e1/0x220 fs/read_write.c:1327
do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
__do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
entry_SYSENTER_compat_after_hwframe+0x70/0x82
RIP: 0023:0xf7f58579
Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000f7f535cc EFLAGS: 00000296 ORIG_RAX: 00000000000000bb
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000000005
RDX: 0000000000000000 RSI: 0000000080000041 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ext4_write_inline_data+0x344/0x3e0 fs/ext4/inline.c:225
Code: 5f e9 b0 16 5b ff e8 ab 16 5b ff 45 8d 64 2c c4 41 bd 3c 00 00 00 41 29 ed e9 e8 fe ff ff e8 93 16 5b ff 0f 0b e8 8c 16 5b ff <0f> 0b e8 a5 5c ac ff e9 fe fd ff ff 4c 89 ff e8 98 5c ac ff e9 99
RSP: 0018:ffffc900035673c0 EFLAGS: 00010216
RAX: 000000000001158c RBX: ffff88801cbb02b0 RCX: ffffc900031ea000
RDX: 0000000000040000 RSI: ffffffff8228bf04 RDI: 0000000000000006
RBP: 0000000000000048 R08: 0000000000000006 R09: 0000000000000051
R10: 0000000000000048 R11: 0000000000000000 R12: 0000000000000009
R13: 0000000000000051 R14: ffffc90003567460 R15: ffff88801cbb0872
FS: 0000000000000000(0000) GS:ffff88802cb00000(0063) knlGS:00000000f7f53b40
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 0000000020030018 CR3: 00000000487e6000 CR4: 0000000000150ee0
----------------
Code disassembly (best guess), 2 bytes skipped:
0: 10 06 adc %al,(%rsi)
2: 03 74 b4 01 add 0x1(%rsp,%rsi,4),%esi
6: 10 07 adc %al,(%rdi)
8: 03 74 b0 01 add 0x1(%rax,%rsi,4),%esi
c: 10 08 adc %cl,(%rax)
e: 03 74 d8 01 add 0x1(%rax,%rbx,8),%esi
1e: 00 51 52 add %dl,0x52(%rcx)
21: 55 push %rbp
22: 89 e5 mov %esp,%ebp
24: 0f 34 sysenter
26: cd 80 int $0x80
* 28: 5d pop %rbp <-- trapping instruction
29: 5a pop %rdx
2a: 59 pop %rcx
2b: c3 retq
2c: 90 nop
2d: 90 nop
2e: 90 nop
2f: 90 nop
30: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
37: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

May 22, 2023, 4:07:53 PM
to adilger...@dilger.ca, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, ty...@mit.edu
syzbot has found a reproducer for the following issue on:

HEAD commit: 44c026a73be8 Linux 6.4-rc3
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1028b7a1280000
kernel config: https://syzkaller.appspot.com/x/.config?x=f389ffdf4e9ba3f0
dashboard link: https://syzkaller.appspot.com/bug?extid=f4582777a19ec422b517
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=162a1a8e280000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12eb0691280000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8c94fba58ffe/disk-44c026a7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fc04d8a50461/vmlinux-44c026a7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4d861756bf1a/bzImage-44c026a7.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/f43e36084b2b/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f45827...@syzkaller.appspotmail.com

------------[ cut here ]------------
kernel BUG at fs/ext4/inline.c:235!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 5070 Comm: syz-executor189 Not tainted 6.4.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
RIP: 0010:ext4_write_inline_data+0x344/0x3e0 fs/ext4/inline.c:235
Code: 5f e9 80 76 59 ff e8 7b 76 59 ff 45 8d 64 2c c4 41 bd 3c 00 00 00 41 29 ed e9 e8 fe ff ff e8 63 76 59 ff 0f 0b e8 5c 76 59 ff <0f> 0b e8 25 40 ac ff e9 fe fd ff ff 4c 89 ff e8 18 40 ac ff e9 99
RSP: 0018:ffffc90003e7f950 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff88807497c8b0 RCX: 0000000000000000
RDX: ffff888020bb1dc0 RSI: ffffffff822acc74 RDI: 0000000000000006
RBP: 0000000000000054 R08: 0000000000000006 R09: 0000000000000060
R10: 0000000000000054 R11: 0000000000000000 R12: 000000000000000c
R13: 0000000000000060 R14: ffffc90003e7f9e8 R15: ffff88807497ce6a
FS: 00007f4e59eb8700(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4e59e71000 CR3: 000000002bdc2000 CR4: 0000000000350ee0
Call Trace:
<TASK>
ext4_write_inline_data_end+0x2b3/0xd20 fs/ext4/inline.c:775
ext4_da_write_end+0x3d0/0xad0 fs/ext4/inode.c:2985
generic_perform_write+0x316/0x570 mm/filemap.c:3934
ext4_buffered_write_iter+0x15b/0x460 fs/ext4/file.c:289
ext4_file_write_iter+0xbe0/0x1740 fs/ext4/file.c:710
call_write_iter include/linux/fs.h:1868 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x945/0xd50 fs/read_write.c:584
ksys_write+0x12b/0x250 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f4e62256399
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4e59eb82f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000000003a RCX: 00007f4e62256399
RDX: 000000000000000c RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f4e622d37a8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4e622d37a0
R13: 00007f4e622a08f8 R14: 0000000020001200 R15: 0030656c69662f2e
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ext4_write_inline_data+0x344/0x3e0 fs/ext4/inline.c:235
Code: 5f e9 80 76 59 ff e8 7b 76 59 ff 45 8d 64 2c c4 41 bd 3c 00 00 00 41 29 ed e9 e8 fe ff ff e8 63 76 59 ff 0f 0b e8 5c 76 59 ff <0f> 0b e8 25 40 ac ff e9 fe fd ff ff 4c 89 ff e8 18 40 ac ff e9 99
RSP: 0018:ffffc90003e7f950 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff88807497c8b0 RCX: 0000000000000000
RDX: ffff888020bb1dc0 RSI: ffffffff822acc74 RDI: 0000000000000006
RBP: 0000000000000054 R08: 0000000000000006 R09: 0000000000000060
R10: 0000000000000054 R11: 0000000000000000 R12: 000000000000000c
R13: 0000000000000060 R14: ffffc90003e7f9e8 R15: ffff88807497ce6a
FS: 00007f4e59eb8700(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555a6837b238 CR3: 000000002bdc2000 CR4: 0000000000350ee0


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

Theodore Ts'o

Jun 1, 2023, 11:18:29 PM
to syzbot, syzkall...@googlegroups.com
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git ext4_for_linus_stable

Subject: [PATCH v2] ext4: fix race condition between buffer write and page_mkwrite
From: Baokun Li <liba...@huawei.com>

diff --git a/fs/ext4/file.c b/fs/ext4/file.c
index d101b3b0c7da..9df82d72eb90 100644
--- a/fs/ext4/file.c
+++ b/fs/ext4/file.c
@@ -795,7 +795,8 @@ static const struct vm_operations_struct ext4_file_vm_ops = {
static int ext4_file_mmap(struct file *file, struct vm_area_struct *vma)
{
struct inode *inode = file->f_mapping->host;
- struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
+ struct super_block *sb = inode->i_sb;
+ struct ext4_sb_info *sbi = EXT4_SB(sb);
struct dax_device *dax_dev = sbi->s_daxdev;

if (unlikely(ext4_forced_shutdown(sbi)))
@@ -808,6 +809,27 @@ static int ext4_file_mmap(struct file *file, struct vm_area_struct *vma)
if (!daxdev_mapping_supported(vma, dax_dev))
return -EOPNOTSUPP;

+ /*
+ * Writing via mmap has no logic to handle inline data, so we
+ * need to call ext4_convert_inline_data() to convert the inode
+ * to normal format before doing so, otherwise a BUG_ON will be
+ * triggered in ext4_writepages() due to the
+ * EXT4_STATE_MAY_INLINE_DATA flag. Moreover, we need to grab
+ * i_rwsem during conversion, since clearing and setting the
+ * inline data flag may race with ext4_buffered_write_iter()
+ * to trigger a BUG_ON.
+ */
+ if (ext4_has_feature_inline_data(sb) &&
+ vma->vm_flags & VM_SHARED && vma->vm_flags & VM_MAYWRITE) {
+ int err;
+
+ inode_lock(inode);
+ err = ext4_convert_inline_data(inode);
+ inode_unlock(inode);
+ if (err)
+ return err;
+ }
+
file_accessed(file);
if (IS_DAX(file_inode(file))) {
vma->vm_ops = &ext4_dax_vm_ops;
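Review bot: inode_lock() in this hunk runs while mmap_lock is already held (ext4_file_mmap is reached from mmap_region via call_mmap), so the hunk establishes the ordering mmap_lock -> i_rwsem. ext4_buffered_write_iter takes i_rwsem first and then faults in the user buffer (generic_perform_write -> fault_in_iov_iter_readable), which acquires mmap_lock in the opposite order; the lockdep report from the test run later in this thread flags exactly that pair as a circular dependency. The conversion needs to be done at a point where i_rwsem can be taken without mmap_lock held, or the race with ext4_buffered_write_iter has to be closed without i_rwsem; the comment block should state which lock ordering it relies on so the assumption is reviewable.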
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index ce5f21b6c2b3..31844c4ec9fe 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -6043,10 +6043,6 @@ vm_fault_t ext4_page_mkwrite(struct vm_fault *vmf)

filemap_invalidate_lock_shared(mapping);

- err = ext4_convert_inline_data(inode);
- if (err)
- goto out_ret;
-
/*
* On data journalling we skip straight to the transaction handle:
* there's no delalloc; page truncated will be checked later; the
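Review bot: dropping the conversion here makes ext4_page_mkwrite depend on an invariant enforced elsewhere (every VM_SHARED and VM_MAYWRITE mapping of an inline-data inode was converted in ->mmap), but nothing at this spot records it. A one-line comment saying that inline data is converted in ext4_file_mmap would let a reader of page_mkwrite alone understand why the check disappeared. It is also worth confirming that `err` and the `out_ret` label still have other users after this deletion so the build stays warning-free.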
--
2.31.1

syzbot

Jun 2, 2023, 2:05:36 AM
to syzkall...@googlegroups.com, ty...@mit.edu
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
possible deadlock in do_user_addr_fault

======================================================
WARNING: possible circular locking dependency detected
6.4.0-rc4-syzkaller-geb1f822c76be-dirty #0 Not tainted
------------------------------------------------------
syz-executor.4/5589 is trying to acquire lock:
ffff888024228168 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:142 [inline]
ffff888024228168 (&mm->mmap_lock){++++}-{3:3}, at: do_user_addr_fault+0xb3d/0x1210 arch/x86/mm/fault.c:1391

but task is already holding lock:
ffff88806a066800 (&sb->s_type->i_mutex_key#8){++++}-{3:3}, at: inode_lock include/linux/fs.h:775 [inline]
ffff88806a066800 (&sb->s_type->i_mutex_key#8){++++}-{3:3}, at: ext4_buffered_write_iter+0xb0/0x460 fs/ext4/file.c:283

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&sb->s_type->i_mutex_key#8){++++}-{3:3}:
down_write+0x92/0x200 kernel/locking/rwsem.c:1573
inode_lock include/linux/fs.h:775 [inline]
ext4_file_mmap+0x62e/0x800 fs/ext4/file.c:826
call_mmap include/linux/fs.h:1873 [inline]
mmap_region+0x694/0x28d0 mm/mmap.c:2652
do_mmap+0x831/0xf60 mm/mmap.c:1394
vm_mmap_pgoff+0x1a2/0x3b0 mm/util.c:543
ksys_mmap_pgoff+0x41f/0x5a0 mm/mmap.c:1440
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

-> #0 (&mm->mmap_lock){++++}-{3:3}:
check_prev_add kernel/locking/lockdep.c:3113 [inline]
check_prevs_add kernel/locking/lockdep.c:3232 [inline]
validate_chain kernel/locking/lockdep.c:3847 [inline]
__lock_acquire+0x2fcd/0x5f30 kernel/locking/lockdep.c:5088
lock_acquire kernel/locking/lockdep.c:5705 [inline]
lock_acquire+0x1b1/0x520 kernel/locking/lockdep.c:5670
down_read+0x9c/0x480 kernel/locking/rwsem.c:1520
mmap_read_lock include/linux/mmap_lock.h:142 [inline]
do_user_addr_fault+0xb3d/0x1210 arch/x86/mm/fault.c:1391
handle_page_fault arch/x86/mm/fault.c:1534 [inline]
exc_page_fault+0x98/0x170 arch/x86/mm/fault.c:1590
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
fault_in_readable+0x1a5/0x210 mm/gup.c:1856
fault_in_iov_iter_readable+0x252/0x2c0 lib/iov_iter.c:362
generic_perform_write+0x1ae/0x570 mm/filemap.c:3913
ext4_buffered_write_iter+0x15b/0x460 fs/ext4/file.c:289
ext4_file_write_iter+0xbe0/0x1740 fs/ext4/file.c:710
call_write_iter include/linux/fs.h:1868 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x945/0xd50 fs/read_write.c:584
ksys_write+0x12b/0x250 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

other info that might help us debug this:

Possible unsafe locking scenario:

CPU0 CPU1
---- ----
lock(&sb->s_type->i_mutex_key#8);
lock(&mm->mmap_lock);
lock(&sb->s_type->i_mutex_key#8);
rlock(&mm->mmap_lock);

*** DEADLOCK ***

3 locks held by syz-executor.4/5589:
#0: ffff88802a7fe0e8 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe7/0x100 fs/file.c:1047
#1: ffff888021fe0460 (sb_writers#4){.+.+}-{0:0}, at: ksys_write+0x12b/0x250 fs/read_write.c:637
#2: ffff88806a066800 (&sb->s_type->i_mutex_key#8){++++}-{3:3}, at: inode_lock include/linux/fs.h:775 [inline]
#2: ffff88806a066800 (&sb->s_type->i_mutex_key#8){++++}-{3:3}, at: ext4_buffered_write_iter+0xb0/0x460 fs/ext4/file.c:283

stack backtrace:
CPU: 0 PID: 5589 Comm: syz-executor.4 Not tainted 6.4.0-rc4-syzkaller-geb1f822c76be-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
check_noncircular+0x25f/0x2e0 kernel/locking/lockdep.c:2188
check_prev_add kernel/locking/lockdep.c:3113 [inline]
check_prevs_add kernel/locking/lockdep.c:3232 [inline]
validate_chain kernel/locking/lockdep.c:3847 [inline]
__lock_acquire+0x2fcd/0x5f30 kernel/locking/lockdep.c:5088
lock_acquire kernel/locking/lockdep.c:5705 [inline]
lock_acquire+0x1b1/0x520 kernel/locking/lockdep.c:5670
down_read+0x9c/0x480 kernel/locking/rwsem.c:1520
mmap_read_lock include/linux/mmap_lock.h:142 [inline]
do_user_addr_fault+0xb3d/0x1210 arch/x86/mm/fault.c:1391
handle_page_fault arch/x86/mm/fault.c:1534 [inline]
exc_page_fault+0x98/0x170 arch/x86/mm/fault.c:1590
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
RIP: 0010:fault_in_readable+0x1a5/0x210 mm/gup.c:1856
Code: fc ff df 48 c7 04 02 00 00 00 00 48 83 c4 48 4c 89 e0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 45 31 e4 eb ce e8 ae 51 c4 ff 45 31 f6 <41> 8a 45 00 31 ff 44 89 f6 88 44 24 28 e8 b9 4d c4 ff 45 85 f6 75
RSP: 0018:ffffc90006187a38 EFLAGS: 00050246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff888026905940 RSI: ffffffff81bff672 RDI: 0000000000000007
RBP: 00000000200002cc R08: 0000000000000007 R09: 0000000000000000
R10: 00000000000002c0 R11: 1ffffffff219cbe3 R12: 000000000000000c
R13: 00000000200002c0 R14: 0000000000000000 R15: 1ffff92000c30f48
fault_in_iov_iter_readable+0x252/0x2c0 lib/iov_iter.c:362
generic_perform_write+0x1ae/0x570 mm/filemap.c:3913
ext4_buffered_write_iter+0x15b/0x460 fs/ext4/file.c:289
ext4_file_write_iter+0xbe0/0x1740 fs/ext4/file.c:710
call_write_iter include/linux/fs.h:1868 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x945/0xd50 fs/read_write.c:584
ksys_write+0x12b/0x250 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f2359a8c169
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f235a721168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f2359bac050 RCX: 00007f2359a8c169
RDX: 000000000000000c RSI: 00000000200002c0 RDI: 0000000000000004
RBP: 00007f2359ae7ca1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffea89659df R14: 00007f235a721300 R15: 0000000000022000
</TASK>
----------------
Code disassembly (best guess), 2 bytes skipped:
0: df 48 c7 fisttps -0x39(%rax)
3: 04 02 add $0x2,%al
5: 00 00 add %al,(%rax)
7: 00 00 add %al,(%rax)
9: 48 83 c4 48 add $0x48,%rsp
d: 4c 89 e0 mov %r12,%rax
10: 5b pop %rbx
11: 5d pop %rbp
12: 41 5c pop %r12
14: 41 5d pop %r13
16: 41 5e pop %r14
18: 41 5f pop %r15
1a: c3 retq
1b: 45 31 e4 xor %r12d,%r12d
1e: eb ce jmp 0xffffffee
20: e8 ae 51 c4 ff callq 0xffc451d3
25: 45 31 f6 xor %r14d,%r14d
* 28: 41 8a 45 00 mov 0x0(%r13),%al <-- trapping instruction
2c: 31 ff xor %edi,%edi
2e: 44 89 f6 mov %r14d,%esi
31: 88 44 24 28 mov %al,0x28(%rsp)
35: e8 b9 4d c4 ff callq 0xffc44df3
3a: 45 85 f6 test %r14d,%r14d
3d: 75 .byte 0x75


Tested on:

commit: eb1f822c ext4: enable the lazy init thread when remoun..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git ext4_for_linus_stable
console output: https://syzkaller.appspot.com/x/log.txt?x=13260843280000
kernel config: https://syzkaller.appspot.com/x/.config?x=3da6c5d3e0a6c932
dashboard link: https://syzkaller.appspot.com/bug?extid=f4582777a19ec422b517
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=16a010b3280000

Theodore Ts'o

Jun 3, 2023, 12:09:03 AM
to syzbot, syzkall...@googlegroups.com
@syz fix: ext4: fix race condition between buffer write and page_mkwrite

Aleksandr Nogikh

Jun 8, 2023, 4:46:32 AM
to Theodore Ts'o, syzbot, syzkall...@googlegroups.com
#syz fix: ext4: fix race condition between buffer write and page_mkwrite

On Sat, Jun 3, 2023 at 6:09 AM Theodore Ts'o <ty...@mit.edu> wrote:
>
> @syz fix: ext4: fix race condition between buffer write and page_mkwrite

syzbot

Sep 6, 2023, 4:46:49 AM
to adilger...@dilger.ca, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, nog...@google.com, syzkall...@googlegroups.com, ty...@mit.edu
This bug is marked as fixed by commit:
ext4: fix race condition between buffer write and page_mkwrite

But I can't find it in the tested trees[1] for more than 90 days.
Is it a correct commit? Please update it by replying:

#syz fix: exact-commit-title

Until then the bug is still considered open and new crashes with
the same signature are ignored.

Kernel: Linux
Dashboard link: https://syzkaller.appspot.com/bug?extid=f4582777a19ec422b517

---
[1] I expect the commit to be present in:

1. for-kernelci branch of
git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git

2. master branch of
git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git

3. master branch of
git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git

4. main branch of
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git

The full list of 9 trees can be found at
https://syzkaller.appspot.com/upstream/repos

syzbot

Sep 20, 2023, 4:47:26 AM
to adilger...@dilger.ca, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, nog...@google.com, syzkall...@googlegroups.com, ty...@mit.edu

syzbot

Oct 4, 2023, 4:47:37 AM
to adilger...@dilger.ca, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, nog...@google.com, syzkall...@googlegroups.com, ty...@mit.edu

syzbot

Oct 18, 2023, 4:48:43 AM
to adilger...@dilger.ca, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, nog...@google.com, syzkall...@googlegroups.com, ty...@mit.edu

syzbot

Nov 1, 2023, 4:49:13 AM
to adilger...@dilger.ca, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, nog...@google.com, syzkall...@googlegroups.com, ty...@mit.edu

syzbot

Nov 15, 2023, 3:50:15 AM
to adilger...@dilger.ca, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, nog...@google.com, syzkall...@googlegroups.com, ty...@mit.edu

syzbot

Nov 29, 2023, 3:51:20 AM
to adilger...@dilger.ca, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, nog...@google.com, syzkall...@googlegroups.com, ty...@mit.edu

syzbot

Dec 13, 2023, 3:52:18 AM
to adilger...@dilger.ca, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, nog...@google.com, syzkall...@googlegroups.com, ty...@mit.edu

Edward Adam Davis

Dec 13, 2023, 6:06:02 AM
to syzbot+f45827...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test kernel BUG in ext4_write_inline_data

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 44c026a73be8

diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index 9a84a5f9fef4..2ab1ca192167 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -169,6 +169,7 @@ int ext4_find_inline_data_nolock(struct inode *inode)
(void *)ext4_raw_inode(&is.iloc));
EXT4_I(inode)->i_inline_size = EXT4_MIN_INLINE_DATA_SIZE +
le32_to_cpu(is.s.here->e_value_size);
+ printk("iis: %d, %s\n", EXT4_I(inode)->i_inline_size, __func__);
}
out:
brelse(is.iloc.bh);
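Review bot: the added line records i_inline_size but nothing that identifies the inode, so once the console log interleaves conversions of several files the value cannot be matched to the later ext4_write_inline_data line; include inode->i_ino (or the inode pointer) in each of these trace lines. printk() without a KERN_ prefix also falls back to the default log level; pr_info() makes the intent explicit for a test-only patch.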
@@ -232,7 +233,9 @@ static void ext4_write_inline_data(struct inode *inode, struct ext4_iloc *iloc,
return;

BUG_ON(!EXT4_I(inode)->i_inline_off);
- BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);
+ printk("pos: %d, len: %d, iis: %d, %s\n", pos, len, EXT4_I(inode)->i_inline_size, __func__);
+ if (EXT4_I(inode)->i_inline_size > 0)
+ BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);

raw_inode = ext4_raw_inode(iloc);
buffer += pos;
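Review bot: guarding the BUG_ON with `if (EXT4_I(inode)->i_inline_size > 0)` suppresses the assertion instead of fixing what it guards: i_inline_size is 0 only after ext4_destroy_inline_data_nolock (the hunk below zeroes it), i.e. when the inode no longer holds inline data, and in that state copying `len` bytes at `pos` into the raw inode is exactly the corruption the check exists to stop. The printk also uses %d for `pos` and `len`; `pos` is a loff_t in this function and `len` an unsigned int, so %lld and %u are the correct specifiers (with -Wformat this is a warning).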
@@ -314,6 +317,7 @@ static int ext4_create_inline_data(handle_t *handle,
EXT4_I(inode)->i_inline_off = (u16)((void *)is.s.here -
(void *)ext4_raw_inode(&is.iloc));
EXT4_I(inode)->i_inline_size = len + EXT4_MIN_INLINE_DATA_SIZE;
+ printk("len: %d, iis: %d, %s\n", len, EXT4_I(inode)->i_inline_size, __func__);
ext4_clear_inode_flag(inode, EXT4_INODE_EXTENTS);
ext4_set_inode_flag(inode, EXT4_INODE_INLINE_DATA);
get_bh(is.iloc.bh);
@@ -381,6 +385,7 @@ static int ext4_update_inline_data(handle_t *handle, struct inode *inode,
(void *)ext4_raw_inode(&is.iloc));
EXT4_I(inode)->i_inline_size = EXT4_MIN_INLINE_DATA_SIZE +
le32_to_cpu(is.s.here->e_value_size);
+ printk("iis: %d, %s\n", EXT4_I(inode)->i_inline_size, __func__);
ext4_set_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA);
get_bh(is.iloc.bh);
error = ext4_mark_iloc_dirty(handle, inode, &is.iloc);
@@ -469,6 +474,7 @@ static int ext4_destroy_inline_data_nolock(handle_t *handle,

EXT4_I(inode)->i_inline_off = 0;
EXT4_I(inode)->i_inline_size = 0;
+ printk("iis: %d, %s\n", EXT4_I(inode)->i_inline_size, __func__);
ext4_clear_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA);
out:
brelse(is.iloc.bh);
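Review bot: this printk runs right after `i_inline_size = 0`, so it always prints `iis: 0` and carries no information beyond "destroy was called"; the useful data here is which inode was destroyed and from where, so print inode->i_ino and consider dump_stack() or a caller annotation instead of the size.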
@@ -1979,6 +1985,7 @@ int ext4_inline_data_truncate(struct inode *inode, int *has_inline)
EXT4_I(inode)->i_inline_size = i_size <
EXT4_MIN_INLINE_DATA_SIZE ?
EXT4_MIN_INLINE_DATA_SIZE : i_size;
+ printk("isize: %d, iis: %d, %s\n", i_size, EXT4_I(inode)->i_inline_size, __func__);
}

out_error:
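Review bot: `i_size` is printed with %d, but it is assigned from inode->i_size (a loff_t) and, depending on its declared type in this function, needs %zu or %lld; a mismatched specifier will print garbage for sizes above INT_MAX and trip -Wformat. The same i_ino annotation suggested for the other trace lines applies here so the truncate path can be correlated with the later write.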

syzbot

Dec 13, 2023, 6:56:06 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in ext4_do_writepages

------------[ cut here ]------------
kernel BUG at fs/ext4/inode.c:2587!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 10 Comm: kworker/u4:0 Not tainted 6.4.0-rc3-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
Workqueue: writeback wb_workfn (flush-7:0)
RIP: 0010:ext4_do_writepages+0x27a1/0x34a0 fs/ext4/inode.c:2587
Code: fc ff df 44 89 64 24 18 48 c1 ea 03 80 3c 02 00 0f 84 bc ed ff ff 48 8b 7c 24 08 e8 49 aa a8 ff e9 ad ed ff ff e8 ef 2f 55 ff <0f> 0b e8 e8 2f 55 ff 48 8b 84 24 b0 00 00 00 48 8d 78 40 48 b8 00
RSP: 0018:ffffc900000f73e8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff88807592bc50 RCX: 0000000000000000
RDX: ffff888016a41dc0 RSI: ffffffff82306c61 RDI: 0000000000000007
RBP: ffffc900000f75f0 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000001
R13: ffff88802aede678 R14: ffff88807592beb0 R15: 7fffffffffffffff
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000561e569a2950 CR3: 000000002a00e000 CR4: 0000000000350ef0
Call Trace:
<TASK>
ext4_writepages+0x30b/0x780 fs/ext4/inode.c:2792
do_writepages+0x1b4/0x690 mm/page-writeback.c:2551
__writeback_single_inode+0x158/0xe70 fs/fs-writeback.c:1603
writeback_sb_inodes+0x599/0x1010 fs/fs-writeback.c:1894
wb_writeback+0x2ca/0xa90 fs/fs-writeback.c:2068
wb_do_writeback fs/fs-writeback.c:2211 [inline]
wb_workfn+0x29c/0xfd0 fs/fs-writeback.c:2251
process_one_work+0x9f9/0x15f0 kernel/workqueue.c:2405
worker_thread+0x687/0x1110 kernel/workqueue.c:2552
kthread+0x33a/0x430 kernel/kthread.c:379
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ext4_do_writepages+0x27a1/0x34a0 fs/ext4/inode.c:2587
Code: fc ff df 44 89 64 24 18 48 c1 ea 03 80 3c 02 00 0f 84 bc ed ff ff 48 8b 7c 24 08 e8 49 aa a8 ff e9 ad ed ff ff e8 ef 2f 55 ff <0f> 0b e8 e8 2f 55 ff 48 8b 84 24 b0 00 00 00 48 8d 78 40 48 b8 00
RSP: 0018:ffffc900000f73e8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff88807592bc50 RCX: 0000000000000000
RDX: ffff888016a41dc0 RSI: ffffffff82306c61 RDI: 0000000000000007
RBP: ffffc900000f75f0 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000001
R13: ffff88802aede678 R14: ffff88807592beb0 R15: 7fffffffffffffff
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f629e29e378 CR3: 000000000c772000 CR4: 0000000000350ef0


Tested on:

commit: 44c026a7 Linux 6.4-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12c7b6fae80000
kernel config: https://syzkaller.appspot.com/x/.config?x=e2045748b9f1055b
dashboard link: https://syzkaller.appspot.com/bug?extid=f4582777a19ec422b517
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=133a9fbce80000

Edward Adam Davis

Dec 14, 2023, 10:26:07 PM
to syzbot+f45827...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
please test kernel BUG in ext4_write_inline_data

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 44c026a73be8

diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index 9a84a5f9fef4..e0d261ffe623 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -169,6 +169,7 @@ int ext4_find_inline_data_nolock(struct inode *inode)
(void *)ext4_raw_inode(&is.iloc));
EXT4_I(inode)->i_inline_size = EXT4_MIN_INLINE_DATA_SIZE +
le32_to_cpu(is.s.here->e_value_size);
+ printk("iis: %d, in: %p, %s\n", EXT4_I(inode)->i_inline_size, inode, __func__);
}
out:
brelse(is.iloc.bh);
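Review bot: `%p` prints a hashed pointer by default, which is enough to correlate the same inode across these trace lines but will not match the raw kernel addresses shown in the oops registers (RBX, R13 and so on); `%px` prints the raw value, or inode->i_ino gives a stable identifier that survives across the inode being evicted and re-read.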
@@ -232,7 +233,9 @@ static void ext4_write_inline_data(struct inode *inode, struct ext4_iloc *iloc,
return;

BUG_ON(!EXT4_I(inode)->i_inline_off);
- BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);
+ printk("pos: %d, len: %d, in: %p, iis: %d, %s\n", pos, len, inode, EXT4_I(inode)->i_inline_size, __func__);
+ if (EXT4_I(inode)->i_inline_size > 0)
+ BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);

raw_inode = ext4_raw_inode(iloc);
buffer += pos;
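Review bot: the conditional BUG_ON in this hunk is unchanged from the previous test patch, and that run already showed where the failure moves to: syzbot reported `kernel BUG at fs/ext4/inode.c:2587` in ext4_do_writepages, consistent with an inode that has page-cache data queued for writeback while still carrying the inline-data state. Skipping the assertion when i_inline_size is 0 therefore hides the write into the raw inode rather than preventing it; the fix has to stop the write from reaching ext4_write_inline_data after the inode was converted, which is the race the earlier patch in this thread targets.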
@@ -314,6 +317,7 @@ static int ext4_create_inline_data(handle_t *handle,
EXT4_I(inode)->i_inline_off = (u16)((void *)is.s.here -
(void *)ext4_raw_inode(&is.iloc));
EXT4_I(inode)->i_inline_size = len + EXT4_MIN_INLINE_DATA_SIZE;
+ printk("len: %d, in: %p, iis: %d, %s\n", len, inode, EXT4_I(inode)->i_inline_size, __func__);
ext4_clear_inode_flag(inode, EXT4_INODE_EXTENTS);
ext4_set_inode_flag(inode, EXT4_INODE_INLINE_DATA);
get_bh(is.iloc.bh);
@@ -381,6 +385,7 @@ static int ext4_update_inline_data(handle_t *handle, struct inode *inode,
(void *)ext4_raw_inode(&is.iloc));
EXT4_I(inode)->i_inline_size = EXT4_MIN_INLINE_DATA_SIZE +
le32_to_cpu(is.s.here->e_value_size);
+ printk("iis: %d, in:%p, %s\n", EXT4_I(inode)->i_inline_size, inode, __func__);
ext4_set_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA);
get_bh(is.iloc.bh);
error = ext4_mark_iloc_dirty(handle, inode, &is.iloc);
@@ -469,6 +474,7 @@ static int ext4_destroy_inline_data_nolock(handle_t *handle,

EXT4_I(inode)->i_inline_off = 0;
EXT4_I(inode)->i_inline_size = 0;
+ printk("iis: %d, in: %p, %s\n", EXT4_I(inode)->i_inline_size, inode, __func__);
ext4_clear_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA);
out:
brelse(is.iloc.bh);
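Review bot: the printk reads i_inline_size one line after it has been set to 0, so the `iis:` field is always 0 and carries no information; print the inode alone, or capture the value before it is cleared, so the destroy event still lands in the log for correlation with the later write. Missing log level as in the other hunks.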
@@ -1979,6 +1985,7 @@ int ext4_inline_data_truncate(struct inode *inode, int *has_inline)
EXT4_I(inode)->i_inline_size = i_size <
EXT4_MIN_INLINE_DATA_SIZE ?
EXT4_MIN_INLINE_DATA_SIZE : i_size;
+ printk("isize: %d, in: %p, iis: %d, %s\n", i_size, inode, EXT4_I(inode)->i_inline_size, __func__);
}

out_error:
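Review bot: the print sits inside the block that recomputes i_inline_size from i_size, so a truncate that jumps to out_error before reaching it leaves no trace; if the aim is to find where i_inline_size goes stale relative to the later write, the error path needs a line too. Format-wise, `isize: %d` assumes i_size is an int; match the specifier to the variable's declared type (for example %zu for size_t or %lld for loff_t), otherwise the logged value is misleading on 64-bit.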

syzbot
Dec 14, 2023, 10:40:08 PM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in ext4_do_writepages

------------[ cut here ]------------
kernel BUG at fs/ext4/inode.c:2587!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 10 Comm: kworker/u4:0 Not tainted 6.4.0-rc3-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: writeback wb_workfn (flush-7:0)
RIP: 0010:ext4_do_writepages+0x27a1/0x34a0 fs/ext4/inode.c:2587
Code: fc ff df 44 89 64 24 18 48 c1 ea 03 80 3c 02 00 0f 84 bc ed ff ff 48 8b 7c 24 08 e8 19 aa a8 ff e9 ad ed ff ff e8 bf 2f 55 ff <0f> 0b e8 b8 2f 55 ff 48 8b 84 24 b0 00 00 00 48 8d 78 40 48 b8 00
RSP: 0018:ffffc900000f73e8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff8880684f6e50 RCX: 0000000000000000
RDX: ffff888016649dc0 RSI: ffffffff82306c91 RDI: 0000000000000007
RBP: ffffc900000f75f0 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000001
R13: ffff88807e006678 R14: ffff8880684f70b0 R15: 7fffffffffffffff
FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f07671c7650 CR3: 000000002a381000 CR4: 0000000000350ee0
Call Trace:
<TASK>
ext4_writepages+0x30b/0x780 fs/ext4/inode.c:2792
do_writepages+0x1b4/0x690 mm/page-writeback.c:2551
__writeback_single_inode+0x158/0xe70 fs/fs-writeback.c:1603
writeback_sb_inodes+0x599/0x1010 fs/fs-writeback.c:1894
wb_writeback+0x2ca/0xa90 fs/fs-writeback.c:2068
wb_do_writeback fs/fs-writeback.c:2211 [inline]
wb_workfn+0x29c/0xfd0 fs/fs-writeback.c:2251
process_one_work+0x9f9/0x15f0 kernel/workqueue.c:2405
worker_thread+0x687/0x1110 kernel/workqueue.c:2552
kthread+0x33a/0x430 kernel/kthread.c:379
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ext4_do_writepages+0x27a1/0x34a0 fs/ext4/inode.c:2587
Code: fc ff df 44 89 64 24 18 48 c1 ea 03 80 3c 02 00 0f 84 bc ed ff ff 48 8b 7c 24 08 e8 19 aa a8 ff e9 ad ed ff ff e8 bf 2f 55 ff <0f> 0b e8 b8 2f 55 ff 48 8b 84 24 b0 00 00 00 48 8d 78 40 48 b8 00
RSP: 0018:ffffc900000f73e8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff8880684f6e50 RCX: 0000000000000000
RDX: ffff888016649dc0 RSI: ffffffff82306c91 RDI: 0000000000000007
RBP: ffffc900000f75f0 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000001
R13: ffff88807e006678 R14: ffff8880684f70b0 R15: 7fffffffffffffff
FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f07671c7650 CR3: 0000000029b19000 CR4: 0000000000350ee0


Tested on:

commit: 44c026a7 Linux 6.4-rc3
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=135a5e3ee80000
kernel config: https://syzkaller.appspot.com/x/.config?x=e2045748b9f1055b
dashboard link: https://syzkaller.appspot.com/bug?extid=f4582777a19ec422b517
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=100bda1ee80000

syzbot
Dec 28, 2023, 10:40:15 PM
to adilger...@dilger.ca, ead...@qq.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, nog...@google.com, syzkall...@googlegroups.com, ty...@mit.edu

syzbot
Jan 11, 2024, 10:40:22 PM
to adilger...@dilger.ca, ead...@qq.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, nog...@google.com, syzkall...@googlegroups.com, ty...@mit.edu

syzbot
Jan 25, 2024, 10:41:12 PM
to adilger...@dilger.ca, ead...@qq.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, nog...@google.com, syzkall...@googlegroups.com, ty...@mit.edu

syzbot
Feb 8, 2024, 10:41:19 PM
to adilger...@dilger.ca, ead...@qq.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, nog...@google.com, syzkall...@googlegroups.com, ty...@mit.edu

syzbot
Feb 22, 2024, 10:42:16 PM
to adilger...@dilger.ca, ead...@qq.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, nog...@google.com, syzkall...@googlegroups.com, ty...@mit.edu

syzbot
Mar 7, 2024, 10:42:19 PM
to adilger...@dilger.ca, ead...@qq.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, nog...@google.com, syzkall...@googlegroups.com, ty...@mit.edu

syzbot
Mar 21, 2024, 11:43:11 PM
to adilger...@dilger.ca, ead...@qq.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, nog...@google.com, syzkall...@googlegroups.com, ty...@mit.edu

syzbot
Apr 4, 2024, 11:43:18 PM
to adilger...@dilger.ca, ead...@qq.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, nog...@google.com, syzkall...@googlegroups.com, ty...@mit.edu

syzbot
Apr 18, 2024, 11:44:13 PM
to adilger...@dilger.ca, ead...@qq.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-...@vger.kernel.org, nog...@google.com, syzkall...@googlegroups.com, ty...@mit.edu