[syzbot] [nilfs?] WARNING: ODEBUG bug in nilfs_detach_log_writer (2)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: b98c94eed4a9 arm64: mte: Do not warn if the page is alread..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=14144be2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=158bd6857eb7a550
dashboard link: https://syzkaller.appspot.com/bug?extid=24d8b70f039151f65590
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12ce5d2f980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16136e7c580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2c82e514449b/disk-b98c94ee.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a322ed38c368/vmlinux-b98c94ee.xz
kernel image: https://storage.googleapis.com/syzbot-assets/059db7d7114e/Image-b98c94ee.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/3ad719caa640/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+24d8b7...@syzkaller.appspotmail.com

------------[ cut here ]------------
ODEBUG: free active (active state 0) object: 00000000dacb411a object type: timer_list hint: __ll_sc_atomic64_andnot arch/arm64/include/asm/atomic_ll_sc.h:-1 [inline]
ODEBUG: free active (active state 0) object: 00000000dacb411a object type: timer_list hint: arch_atomic64_andnot arch/arm64/include/asm/atomic.h:64 [inline]
ODEBUG: free active (active state 0) object: 00000000dacb411a object type: timer_list hint: raw_atomic64_andnot include/linux/atomic/atomic-arch-fallback.h:3675 [inline]
ODEBUG: free active (active state 0) object: 00000000dacb411a object type: timer_list hint: raw_atomic_long_andnot include/linux/atomic/atomic-long.h:964 [inline]
ODEBUG: free active (active state 0) object: 00000000dacb411a object type: timer_list hint: arch_clear_bit include/asm-generic/bitops/atomic.h:25 [inline]
ODEBUG: free active (active state 0) object: 00000000dacb411a object type: timer_list hint: clear_bit include/asm-generic/bitops/instrumented-atomic.h:42 [inline]
ODEBUG: free active (active state 0) object: 00000000dacb411a object type: timer_list hint: clear_nilfs_purging fs/nilfs2/the_nilfs.h:206 [inline]
ODEBUG: free active (active state 0) object: 00000000dacb411a object type: timer_list hint: nilfs_construction_timeout+0x0/0x50 fs/nilfs2/segment.c:2893
WARNING: CPU: 0 PID: 6673 at lib/debugobjects.c:615 debug_print_object lib/debugobjects.c:612 [inline]
WARNING: CPU: 0 PID: 6673 at lib/debugobjects.c:615 __debug_check_no_obj_freed lib/debugobjects.c:1099 [inline]
WARNING: CPU: 0 PID: 6673 at lib/debugobjects.c:615 debug_check_no_obj_freed+0x390/0x470 lib/debugobjects.c:1129
Modules linked in:
CPU: 0 UID: 0 PID: 6673 Comm: syz-executor Not tainted syzkaller #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
pstate: 63400005 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : debug_print_object lib/debugobjects.c:612 [inline]
pc : __debug_check_no_obj_freed lib/debugobjects.c:1099 [inline]
pc : debug_check_no_obj_freed+0x390/0x470 lib/debugobjects.c:1129
lr : debug_print_object lib/debugobjects.c:612 [inline]
lr : __debug_check_no_obj_freed lib/debugobjects.c:1099 [inline]
lr : debug_check_no_obj_freed+0x390/0x470 lib/debugobjects.c:1129
sp : ffff8000a1547910
x29: ffff8000a1547950 x28: ffff0000cf608400 x27: 0000000000000000
x26: ffff80008aed7f20 x25: ffff0000cf608270 x24: ffff800082080a4c
x23: ffff0000d8cabfc0 x22: ffff0000cf608000 x21: dfff800000000000
x20: 0000000000000000 x19: ffff0000cf608000 x18: 00000000ffffffff
x17: 626f206131313462 x16: ffff800082de9540 x15: 0000000000000001
x14: 1fffe000337db6fa x13: 0000000000000000 x12: 0000000000000000
x11: ffff6000337db6fb x10: 0000000000ff0100 x9 : c941407f25652900
x8 : c941407f25652900 x7 : ffff8000805638d4 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000807d4f2c
x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000000
Call trace:
debug_print_object lib/debugobjects.c:612 [inline] (P)
__debug_check_no_obj_freed lib/debugobjects.c:1099 [inline] (P)
debug_check_no_obj_freed+0x390/0x470 lib/debugobjects.c:1129 (P)
slab_free_hook mm/slub.c:2454 [inline]
slab_free mm/slub.c:6611 [inline]
kfree+0x120/0x600 mm/slub.c:6818
nilfs_segctor_destroy fs/nilfs2/segment.c:2811 [inline]
nilfs_detach_log_writer+0x668/0x8cc fs/nilfs2/segment.c:2877
nilfs_put_super+0x4c/0x12c fs/nilfs2/super.c:509
generic_shutdown_super+0x12c/0x2b8 fs/super.c:642
kill_block_super+0x44/0x90 fs/super.c:1722
deactivate_locked_super+0xc4/0x12c fs/super.c:473
deactivate_super+0xe0/0x100 fs/super.c:506
cleanup_mnt+0x31c/0x3ac fs/namespace.c:1327
__cleanup_mnt+0x20/0x30 fs/namespace.c:1334
task_work_run+0x1dc/0x260 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xfc/0x178 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
arm64_exit_to_user_mode arch/arm64/kernel/entry-common.c:103 [inline]
el0_svc+0x170/0x254 arch/arm64/kernel/entry-common.c:747
el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:765
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
irq event stamp: 136662
hardirqs last enabled at (136661): [<ffff800080559f90>] vprintk_store+0x898/0xac8 kernel/printk/printk.c:2329
hardirqs last disabled at (136662): [<ffff80008ade9670>] el1_brk64+0x20/0x54 arch/arm64/kernel/entry-common.c:434
softirqs last enabled at (136170): [<ffff8000801f95fc>] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32
softirqs last disabled at (136168): [<ffff8000801f95c8>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
---[ end trace 0000000000000000 ]---
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

[Ryusuke Konishi]

...

> NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer

It seems that a timer-related resource leak was detected in the final
kfree() call of nilfs_segctor_destroy(), which releases the log writer
during unmount.

This issue was supposed to have been resolved already, but it’s
possible that something was overlooked.

If it can be reproduced with a reproducer, I’d like to dig deeper into
what’s happening.

Ryusuke Konishi

[Edward Adam Davis]

#syz test

diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c
index f15ca6fc400d..0e8733bedfcb 100644
--- a/fs/nilfs2/segment.c
+++ b/fs/nilfs2/segment.c
@@ -2808,6 +2808,10 @@ static void nilfs_segctor_destroy(struct nilfs_sc_info *sci)

down_write(&nilfs->ns_segctor_sem);

+ if (sci->sc_task) {
+ printk("sci %p sctask %p %s\n", sci, sci->sc_task, __func__);
+ timer_shutdown_sync(&sci->sc_timer);
+ }
kfree(sci);
}

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+24d8b7...@syzkaller.appspotmail.com
Tested-by: syzbot+24d8b7...@syzkaller.appspotmail.com

Tested on:

commit: b98c94ee arm64: mte: Do not warn if the page is alread..

git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci

console output: https://syzkaller.appspot.com/x/log.txt?x=164c0704580000

kernel config: https://syzkaller.appspot.com/x/.config?x=158bd6857eb7a550
dashboard link: https://syzkaller.appspot.com/bug?extid=24d8b70f039151f65590
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
userspace arch: arm64

patch: https://syzkaller.appspot.com/x/patch.diff?x=15e16258580000

Note: testing is done by a robot and is best-effort only.

[Edward Adam Davis]

#syz test

diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c

index f15ca6fc400d..8a17ae49bc41 100644
--- a/fs/nilfs2/segment.c
+++ b/fs/nilfs2/segment.c
@@ -2768,7 +2768,9 @@ static void nilfs_segctor_destroy(struct nilfs_sc_info *sci)

if (sci->sc_task) {
wake_up(&sci->sc_wait_daemon);
- kthread_stop(sci->sc_task);
+ printk("kthread start to stop (sci %p)sctask %p, %s\n", sci, sci->sc_task, __func__);
+ int ret = kthread_stop(sci->sc_task);
+ printk("kthread stopped (sci %p)sctask %p thread return %d, %s\n", sci, sci->sc_task, ret, __func__);
}

spin_lock(&sci->sc_state_lock);
@@ -2808,6 +2810,10 @@ static void nilfs_segctor_destroy(struct nilfs_sc_info *sci)

down_write(&nilfs->ns_segctor_sem);

+ if (sci->sc_task) {
+ printk("sci %p sctask %p %s\n", sci, sci->sc_task, __func__);

+ //timer_shutdown_sync(&sci->sc_timer);
+ }
kfree(sci);
}

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: ODEBUG bug in nilfs_detach_log_writer

sci 000000002fc63a1f sctask 00000000cb1c8b43 nilfs_segctor_destroy
------------[ cut here ]------------
ODEBUG: free active (active state 0) object: 00000000243cd50f object type: timer_list hint: __ll_sc_atomic64_andnot arch/arm64/include/asm/atomic_ll_sc.h:-1 [inline]
ODEBUG: free active (active state 0) object: 00000000243cd50f object type: timer_list hint: arch_atomic64_andnot arch/arm64/include/asm/atomic.h:64 [inline]
ODEBUG: free active (active state 0) object: 00000000243cd50f object type: timer_list hint: raw_atomic64_andnot include/linux/atomic/atomic-arch-fallback.h:3675 [inline]
ODEBUG: free active (active state 0) object: 00000000243cd50f object type: timer_list hint: raw_atomic_long_andnot include/linux/atomic/atomic-long.h:964 [inline]
ODEBUG: free active (active state 0) object: 00000000243cd50f object type: timer_list hint: arch_clear_bit include/asm-generic/bitops/atomic.h:25 [inline]
ODEBUG: free active (active state 0) object: 00000000243cd50f object type: timer_list hint: clear_bit include/asm-generic/bitops/instrumented-atomic.h:42 [inline]
ODEBUG: free active (active state 0) object: 00000000243cd50f object type: timer_list hint: clear_nilfs_purging fs/nilfs2/the_nilfs.h:206 [inline]
ODEBUG: free active (active state 0) object: 00000000243cd50f object type: timer_list hint: nilfs_construction_timeout+0x0/0x50 fs/nilfs2/segment.c:2899
WARNING: CPU: 1 PID: 7086 at lib/debugobjects.c:615 debug_print_object lib/debugobjects.c:612 [inline]
WARNING: CPU: 1 PID: 7086 at lib/debugobjects.c:615 __debug_check_no_obj_freed lib/debugobjects.c:1099 [inline]
WARNING: CPU: 1 PID: 7086 at lib/debugobjects.c:615 debug_check_no_obj_freed+0x390/0x470 lib/debugobjects.c:1129
Modules linked in:
CPU: 1 UID: 0 PID: 7086 Comm: syz-executor Not tainted syzkaller #0 PREEMPT

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
pstate: 63400005 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : debug_print_object lib/debugobjects.c:612 [inline]
pc : __debug_check_no_obj_freed lib/debugobjects.c:1099 [inline]
pc : debug_check_no_obj_freed+0x390/0x470 lib/debugobjects.c:1129
lr : debug_print_object lib/debugobjects.c:612 [inline]
lr : __debug_check_no_obj_freed lib/debugobjects.c:1099 [inline]
lr : debug_check_no_obj_freed+0x390/0x470 lib/debugobjects.c:1129

sp : ffff8000a1b578f0
x29: ffff8000a1b57930 x28: ffff0000dbe26c00 x27: 0000000000000000
x26: ffff80008aed7f20 x25: ffff0000dbe26a70 x24: ffff800082080b44
x23: ffff0000ca04be70 x22: ffff0000dbe26000 x21: dfff800000000000
x20: 0000000000000000 x19: ffff0000dbe26800 x18: 00000000ffffffff
x17: 626f206630356463 x16: ffff800082de9640 x15: 0000000000000001
x14: 1ffff0001436ae54 x13: 0000000000000000 x12: 0000000000000000
x11: 00000000778946ad x10: 0000000000ff0100 x9 : 73910471fe57b500
x8 : 73910471fe57b500 x7 : ffff8000805638d4 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000002
x2 : 0000000000000002 x1 : 0000000100000000 x0 : 0000000000000000

Call trace:
debug_print_object lib/debugobjects.c:612 [inline] (P)
__debug_check_no_obj_freed lib/debugobjects.c:1099 [inline] (P)
debug_check_no_obj_freed+0x390/0x470 lib/debugobjects.c:1129 (P)
slab_free_hook mm/slub.c:2454 [inline]
slab_free mm/slub.c:6611 [inline]
kfree+0x120/0x600 mm/slub.c:6818

nilfs_segctor_destroy fs/nilfs2/segment.c:2817 [inline]
nilfs_detach_log_writer+0x684/0x9c4 fs/nilfs2/segment.c:2883

nilfs_put_super+0x4c/0x12c fs/nilfs2/super.c:509
generic_shutdown_super+0x12c/0x2b8 fs/super.c:642
kill_block_super+0x44/0x90 fs/super.c:1722
deactivate_locked_super+0xc4/0x12c fs/super.c:473
deactivate_super+0xe0/0x100 fs/super.c:506
cleanup_mnt+0x31c/0x3ac fs/namespace.c:1327
__cleanup_mnt+0x20/0x30 fs/namespace.c:1334
task_work_run+0x1dc/0x260 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xfc/0x178 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
arm64_exit_to_user_mode arch/arm64/kernel/entry-common.c:103 [inline]
el0_svc+0x170/0x254 arch/arm64/kernel/entry-common.c:747
el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:765
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596

irq event stamp: 393728
hardirqs last enabled at (393727): [<ffff800080559f90>] vprintk_store+0x898/0xac8 kernel/printk/printk.c:2329
hardirqs last disabled at (393728): [<ffff80008ade9780>] el1_brk64+0x20/0x54 arch/arm64/kernel/entry-common.c:434
softirqs last enabled at (393526): [<ffff8000803d7488>] softirq_handle_end kernel/softirq.c:468 [inline]
softirqs last enabled at (393526): [<ffff8000803d7488>] handle_softirqs+0xaf8/0xc88 kernel/softirq.c:650
softirqs last disabled at (392817): [<ffff800080022024>] __do_softirq+0x14/0x20 kernel/softirq.c:656

---[ end trace 0000000000000000 ]---

kthread start to stop (sci 000000005be7e884)sctask 000000008631ea2b, nilfs_segctor_destroy
kthread stopped (sci 000000005be7e884)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 000000009d71d04a)sctask 00000000a0141cfe, nilfs_segctor_destroy
kthread stopped (sci 000000009d71d04a)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 000000002b2f1418)sctask 000000006c451d11, nilfs_segctor_destroy
kthread stopped (sci 000000002b2f1418)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 00000000effbdfa6)sctask 00000000a6318a24, nilfs_segctor_destroy
kthread stopped (sci 00000000effbdfa6)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 000000000fdbe516)sctask 0000000026c32dd0, nilfs_segctor_destroy
kthread stopped (sci 000000000fdbe516)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 000000001905d913)sctask 0000000050a4687e, nilfs_segctor_destroy
kthread stopped (sci 000000001905d913)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 00000000a3eeddcd)sctask 0000000079f3d7c8, nilfs_segctor_destroy
kthread stopped (sci 00000000a3eeddcd)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 0000000095360f23)sctask 0000000017af06a9, nilfs_segctor_destroy
kthread stopped (sci 0000000095360f23)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 000000005a9a2e80)sctask 00000000450f99c2, nilfs_segctor_destroy
kthread stopped (sci 000000005a9a2e80)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 00000000a5326494)sctask 000000003bc4f8b8, nilfs_segctor_destroy
kthread stopped (sci 00000000a5326494)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 00000000a603b099)sctask 000000008631ea2b, nilfs_segctor_destroy
kthread stopped (sci 00000000a603b099)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 00000000affd4105)sctask 0000000064524a43, nilfs_segctor_destroy
kthread stopped (sci 00000000affd4105)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 0000000028cafbde)sctask 000000005945da3a, nilfs_segctor_destroy
kthread stopped (sci 0000000028cafbde)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 000000004d042e5c)sctask 0000000034209c98, nilfs_segctor_destroy
kthread stopped (sci 000000004d042e5c)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 00000000d5a02571)sctask 000000008197e345, nilfs_segctor_destroy
kthread stopped (sci 00000000d5a02571)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 00000000cb8a270a)sctask 00000000a075cdeb, nilfs_segctor_destroy
kthread stopped (sci 00000000cb8a270a)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 0000000023a2d3ea)sctask 00000000952a7887, nilfs_segctor_destroy
kthread stopped (sci 0000000023a2d3ea)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 00000000ce675362)sctask 000000000df5a992, nilfs_segctor_destroy
kthread stopped (sci 00000000ce675362)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 00000000576731dc)sctask 0000000082cdf5af, nilfs_segctor_destroy
kthread stopped (sci 00000000576731dc)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 00000000e5b3a0b0)sctask 00000000e4102e6b, nilfs_segctor_destroy
kthread stopped (sci 00000000e5b3a0b0)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 000000008c9fa24c)sctask 00000000ca2032a8, nilfs_segctor_destroy
kthread stopped (sci 000000008c9fa24c)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 0000000072959ad0)sctask 00000000d02d4a8e, nilfs_segctor_destroy
kthread stopped (sci 0000000072959ad0)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 00000000dc9d7abc)sctask 00000000979ed9ea, nilfs_segctor_destroy
kthread stopped (sci 00000000dc9d7abc)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 00000000b18846c3)sctask 0000000076687d8f, nilfs_segctor_destroy
kthread stopped (sci 00000000b18846c3)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 00000000536e8ffd)sctask 000000007798b86f, nilfs_segctor_destroy
kthread stopped (sci 00000000536e8ffd)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 000000006b6f7633)sctask 0000000087ea6322, nilfs_segctor_destroy
kthread stopped (sci 000000006b6f7633)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 00000000eadf0db0)sctask 0000000020355604, nilfs_segctor_destroy
kthread stopped (sci 00000000eadf0db0)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 000000007344f784)sctask 00000000e08f1ab4, nilfs_segctor_destroy
kthread stopped (sci 000000007344f784)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 0000000010fbc4d9)sctask 00000000f03c335c, nilfs_segctor_destroy
kthread stopped (sci 0000000010fbc4d9)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 00000000f46a4493)sctask 00000000ba507f0b, nilfs_segctor_destroy
kthread stopped (sci 00000000f46a4493)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 0000000060b110ed)sctask 000000003b1ab5ad, nilfs_segctor_destroy
kthread stopped (sci 0000000060b110ed)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 00000000694aac4c)sctask 0000000060a56e61, nilfs_segctor_destroy
kthread stopped (sci 00000000694aac4c)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 000000009864c2ac)sctask 000000006e998649, nilfs_segctor_destroy
kthread stopped (sci 000000009864c2ac)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 00000000e0e3a3e5)sctask 00000000ac1e6b29, nilfs_segctor_destroy
kthread stopped (sci 00000000e0e3a3e5)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 000000005a10065e)sctask 00000000057002a4, nilfs_segctor_destroy
kthread stopped (sci 000000005a10065e)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 00000000e4f1117f)sctask 00000000d1405353, nilfs_segctor_destroy
kthread stopped (sci 00000000e4f1117f)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 000000001b211764)sctask 000000006280584a, nilfs_segctor_destroy
kthread stopped (sci 000000001b211764)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 00000000090abbc6)sctask 00000000c3e1a812, nilfs_segctor_destroy
kthread stopped (sci 00000000090abbc6)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 000000006e76001d)sctask 00000000eed8bd1d, nilfs_segctor_destroy
kthread stopped (sci 000000006e76001d)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 0000000009c3f81c)sctask 00000000030407b5, nilfs_segctor_destroy
kthread stopped (sci 0000000009c3f81c)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 000000006c06e552)sctask 00000000368252a8, nilfs_segctor_destroy
kthread stopped (sci 000000006c06e552)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 0000000000ea9b08)sctask 0000000026c266fc, nilfs_segctor_destroy
kthread stopped (sci 0000000000ea9b08)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 00000000694aac4c)sctask 0000000012ac78da, nilfs_segctor_destroy
kthread stopped (sci 00000000694aac4c)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 0000000040949351)sctask 00000000a59115fd, nilfs_segctor_destroy
kthread stopped (sci 0000000040949351)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 0000000020aa063d)sctask 00000000b617a775, nilfs_segctor_destroy
kthread stopped (sci 0000000020aa063d)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 000000006c416ffd)sctask 00000000da61bfc3, nilfs_segctor_destroy
kthread stopped (sci 000000006c416ffd)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 00000000cb84fb3c)sctask 0000000030bae658, nilfs_segctor_destroy
kthread stopped (sci 00000000cb84fb3c)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer
kthread start to stop (sci 0000000023c9588c)sctask 00000000bfd16b12, nilfs_segctor_destroy
kthread stopped (sci 0000000023c9588c)sctask 0000000000000000 thread return 0, nilfs_segctor_destroy
NILFS (loop4): disposed unprocessed dirty file(s) when stopping log writer

Tested on:

commit: b98c94ee arm64: mte: Do not warn if the page is alread..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci

console output: https://syzkaller.appspot.com/x/log.txt?x=1252d3cd980000

kernel config: https://syzkaller.appspot.com/x/.config?x=158bd6857eb7a550
dashboard link: https://syzkaller.appspot.com/bug?extid=24d8b70f039151f65590
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
userspace arch: arm64

patch: https://syzkaller.appspot.com/x/patch.diff?x=16fbef34580000

[Edward Adam Davis]

#syz test

diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c

index f15ca6fc400d..9e95b0255bfe 100644
--- a/fs/nilfs2/segment.c
+++ b/fs/nilfs2/segment.c
@@ -2671,7 +2671,7 @@ static int nilfs_segctor_thread(void *arg)
}

prepare_to_wait(&sci->sc_wait_daemon, &wait,
- TASK_INTERRUPTIBLE);
+ TASK_UNINTERRUPTIBLE);
should_write = nilfs_log_write_required(sci, &mode);
if (!should_write)
schedule();
@@ -2808,6 +2808,10 @@ static void nilfs_segctor_destroy(struct nilfs_sc_info *sci)

down_write(&nilfs->ns_segctor_sem);

+ if (sci->sc_task) {

+ printk("!!! sci %p sctask %p %s\n", sci, sci->sc_task, __func__);

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: ODEBUG bug in nilfs_detach_log_writer

!!! sci 00000000654d1193 sctask 000000001d256998 nilfs_segctor_destroy
------------[ cut here ]------------
ODEBUG: free active (active state 0) object: 00000000cb289602 object type: timer_list hint: __ll_sc_atomic64_andnot arch/arm64/include/asm/atomic_ll_sc.h:-1 [inline]
ODEBUG: free active (active state 0) object: 00000000cb289602 object type: timer_list hint: arch_atomic64_andnot arch/arm64/include/asm/atomic.h:64 [inline]
ODEBUG: free active (active state 0) object: 00000000cb289602 object type: timer_list hint: raw_atomic64_andnot include/linux/atomic/atomic-arch-fallback.h:3675 [inline]
ODEBUG: free active (active state 0) object: 00000000cb289602 object type: timer_list hint: raw_atomic_long_andnot include/linux/atomic/atomic-long.h:964 [inline]
ODEBUG: free active (active state 0) object: 00000000cb289602 object type: timer_list hint: arch_clear_bit include/asm-generic/bitops/atomic.h:25 [inline]
ODEBUG: free active (active state 0) object: 00000000cb289602 object type: timer_list hint: clear_bit include/asm-generic/bitops/instrumented-atomic.h:42 [inline]
ODEBUG: free active (active state 0) object: 00000000cb289602 object type: timer_list hint: clear_nilfs_purging fs/nilfs2/the_nilfs.h:206 [inline]
ODEBUG: free active (active state 0) object: 00000000cb289602 object type: timer_list hint: nilfs_construction_timeout+0x0/0x50 fs/nilfs2/segment.c:2897
WARNING: CPU: 0 PID: 7171 at lib/debugobjects.c:615 debug_print_object lib/debugobjects.c:612 [inline]
WARNING: CPU: 0 PID: 7171 at lib/debugobjects.c:615 __debug_check_no_obj_freed lib/debugobjects.c:1099 [inline]
WARNING: CPU: 0 PID: 7171 at lib/debugobjects.c:615 debug_check_no_obj_freed+0x390/0x470 lib/debugobjects.c:1129
Modules linked in:
CPU: 0 UID: 0 PID: 7171 Comm: syz-executor Not tainted syzkaller #0 PREEMPT

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
pstate: 63400005 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : debug_print_object lib/debugobjects.c:612 [inline]
pc : __debug_check_no_obj_freed lib/debugobjects.c:1099 [inline]
pc : debug_check_no_obj_freed+0x390/0x470 lib/debugobjects.c:1129
lr : debug_print_object lib/debugobjects.c:612 [inline]
lr : __debug_check_no_obj_freed lib/debugobjects.c:1099 [inline]
lr : debug_check_no_obj_freed+0x390/0x470 lib/debugobjects.c:1129

sp : ffff80009d0378f0
x29: ffff80009d037930 x28: ffff0000d5f63c00 x27: 0000000000000000
x26: ffff80008aed7f20 x25: ffff0000d5f63a70 x24: ffff800082080abc
x23: ffff0000c6402188 x22: ffff0000d5f63000 x21: dfff800000000000
x20: 0000000000000000 x19: ffff0000d5f63800 x18: 1fffe000337db690
x17: 626f203230363938 x16: ffff800082de95c0 x15: 0000000000000001
x14: 1fffe000337db6fa x13: 0000000000000000 x12: 0000000000000000
x11: ffff6000337db6fb x10: 0000000000ff0100 x9 : b75f7cbc17284200
x8 : b75f7cbc17284200 x7 : ffff8000805638d4 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000807d4f2c
x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000000

Call trace:
debug_print_object lib/debugobjects.c:612 [inline] (P)
__debug_check_no_obj_freed lib/debugobjects.c:1099 [inline] (P)
debug_check_no_obj_freed+0x390/0x470 lib/debugobjects.c:1129 (P)
slab_free_hook mm/slub.c:2454 [inline]
slab_free mm/slub.c:6611 [inline]
kfree+0x120/0x600 mm/slub.c:6818

nilfs_segctor_destroy fs/nilfs2/segment.c:2815 [inline]
nilfs_detach_log_writer+0x69c/0x93c fs/nilfs2/segment.c:2881

nilfs_put_super+0x4c/0x12c fs/nilfs2/super.c:509
generic_shutdown_super+0x12c/0x2b8 fs/super.c:642
kill_block_super+0x44/0x90 fs/super.c:1722
deactivate_locked_super+0xc4/0x12c fs/super.c:473
deactivate_super+0xe0/0x100 fs/super.c:506
cleanup_mnt+0x31c/0x3ac fs/namespace.c:1327
__cleanup_mnt+0x20/0x30 fs/namespace.c:1334
task_work_run+0x1dc/0x260 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xfc/0x178 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
arm64_exit_to_user_mode arch/arm64/kernel/entry-common.c:103 [inline]
el0_svc+0x170/0x254 arch/arm64/kernel/entry-common.c:747
el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:765
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596

irq event stamp: 199786
hardirqs last enabled at (199785): [<ffff800080559f90>] vprintk_store+0x898/0xac8 kernel/printk/printk.c:2329
hardirqs last disabled at (199786): [<ffff80008ade9700>] el1_brk64+0x20/0x54 arch/arm64/kernel/entry-common.c:434
softirqs last enabled at (199286): [<ffff8000801f95fc>] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32
softirqs last disabled at (199284): [<ffff8000801f95c8>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19

---[ end trace 0000000000000000 ]---

NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer
NILFS (loop1): disposed unprocessed dirty file(s) when stopping log writer

Tested on:

commit: b98c94ee arm64: mte: Do not warn if the page is alread..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci

console output: https://syzkaller.appspot.com/x/log.txt?x=1554dd42580000

kernel config: https://syzkaller.appspot.com/x/.config?x=158bd6857eb7a550
dashboard link: https://syzkaller.appspot.com/bug?extid=24d8b70f039151f65590
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
userspace arch: arm64

patch: https://syzkaller.appspot.com/x/patch.diff?x=178d832f980000

[Edward Adam Davis]

#syz test

diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c

index f15ca6fc400d..deee16bc9d4e 100644
--- a/fs/nilfs2/segment.c
+++ b/fs/nilfs2/segment.c
@@ -2768,7 +2768,12 @@ static void nilfs_segctor_destroy(struct nilfs_sc_info *sci)

if (sci->sc_task) {
wake_up(&sci->sc_wait_daemon);
- kthread_stop(sci->sc_task);

+ if (kthread_stop(sci->sc_task)) {
+ spin_lock(&sci->sc_state_lock);
+ sci->sc_task = NULL;
+ timer_shutdown_sync(&sci->sc_timer);
+ spin_unlock(&sci->sc_state_lock);
+ }
}

spin_lock(&sci->sc_state_lock);

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+24d8b7...@syzkaller.appspotmail.com
Tested-by: syzbot+24d8b7...@syzkaller.appspotmail.com

Tested on:

commit: b98c94ee arm64: mte: Do not warn if the page is alread..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci

console output: https://syzkaller.appspot.com/x/log.txt?x=11a09c92580000

kernel config: https://syzkaller.appspot.com/x/.config?x=158bd6857eb7a550
dashboard link: https://syzkaller.appspot.com/bug?extid=24d8b70f039151f65590
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
userspace arch: arm64

patch: https://syzkaller.appspot.com/x/patch.diff?x=128b8fe2580000

[Edward Adam Davis]

Because kthread_stop did not stop sc_task properly and returned -EINTR,
the sc_timer was not properly closed, ultimately causing the problem [1]
reported by syzbot when freeing sci due to the sc_timer not being closed.

Because the thread sc_task main function nilfs_segctor_thread() returns 0
when it succeeds, when the return value of kthread_stop() is not 0 in
nilfs_segctor_destroy(), we believe that it has not properly closed sc_timer.
We use timer_shutdown_sync() to sync wait for sc_timer to shutdown, and set
the value of sc_task to NULL under the protection of lock sc_state_lock,
so as to avoid the issue caused by sc_timer not being properly shutdowned.

[1]
ODEBUG: free active (active state 0) object: 00000000dacb411a object type: timer_list hint: nilfs_construction_timeout
Call trace:

nilfs_segctor_destroy fs/nilfs2/segment.c:2811 [inline]
nilfs_detach_log_writer+0x668/0x8cc fs/nilfs2/segment.c:2877
nilfs_put_super+0x4c/0x12c fs/nilfs2/super.c:509

Reported-by: syzbot+24d8b7...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=24d8b70f039151f65590
Tested-by: syzbot+24d8b7...@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
fs/nilfs2/segment.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

--
2.43.0

[Ryusuke Konishi]

Thanks, Edward!

I spent a little while wondering if kthread_stop() could actually
return a non-zero value (such as -EINTR), but then I realized you'd
actually tested it with syzbot and confirmed that it could happen and
that this was causing the problem.

I'll send this fix upstream.

Thanks,
Ryusuke Konishi

[Ryusuke Konishi]

From: Edward Adam Davis <ead...@qq.com>

Because kthread_stop did not stop sc_task properly and returned -EINTR,
the sc_timer was not properly closed, ultimately causing the problem [1]
reported by syzbot when freeing sci due to the sc_timer not being closed.

Because the thread sc_task main function nilfs_segctor_thread() returns 0
when it succeeds, when the return value of kthread_stop() is not 0 in
nilfs_segctor_destroy(), we believe that it has not properly closed
sc_timer.
We use timer_shutdown_sync() to sync wait for sc_timer to shutdown, and set
the value of sc_task to NULL under the protection of lock sc_state_lock,
so as to avoid the issue caused by sc_timer not being properly shutdowned.

[1]

ODEBUG: free active (active state 0) object: 00000000dacb411a object type: timer_list hint: nilfs_construction_timeout
Call trace:

nilfs_segctor_destroy fs/nilfs2/segment.c:2811 [inline]
nilfs_detach_log_writer+0x668/0x8cc fs/nilfs2/segment.c:2877
nilfs_put_super+0x4c/0x12c fs/nilfs2/super.c:509

Reported-by: syzbot+24d8b7...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=24d8b70f039151f65590
Tested-by: syzbot+24d8b7...@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <ead...@qq.com>

Fixes: 3f66cc261ccb ("nilfs2: use kthread_create and kthread_stop for the log writer thread")
Cc: <sta...@vger.kernel.org> # 6.12+
Signed-off-by: Ryusuke Konishi <konishi...@gmail.com>
---
Hi Andrew,

Please apply this patch as a bug fix. It addresses a recently reported
issue by syzbot, where a timer might not be properly shut down.

Thanks,
Ryusuke Konishi