[syzbot] [ocfs2?] kernel BUG in ocfs2_iget


syzbot

Aug 15, 2024, 6:47:24 AM8/15/24
to jl...@evilplan.org, jose...@linux.alibaba.com, linux-...@vger.kernel.org, ma...@fasheh.com, ocfs2...@lists.linux.dev, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: d07b43284ab3 Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1309d7d9980000
kernel config: https://syzkaller.appspot.com/x/.config?x=7229118d88b4a71b
dashboard link: https://syzkaller.appspot.com/bug?extid=5bdd4953bc58c8fbd6eb
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=119c396b980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=148ab6d5980000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-d07b4328.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/91ceec6e19d3/vmlinux-d07b4328.xz
kernel image: https://storage.googleapis.com/syzbot-assets/be11646b0c05/bzImage-d07b4328.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/958835a2c737/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5bdd49...@syzkaller.appspotmail.com

(syz-executor200,5094,0):ocfs2_read_locked_inode:536 ERROR: bug expression: !!(fe->i_flags & cpu_to_le32(OCFS2_SYSTEM_FL)) != !!(args->fi_flags & OCFS2_FI_FLAG_SYSFILE)
(syz-executor200,5094,0):ocfs2_read_locked_inode:536 ERROR: Inode 17: system file state is ambiguous
------------[ cut here ]------------
kernel BUG at fs/ocfs2/inode.c:536!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5094 Comm: syz-executor200 Not tainted 6.11.0-rc3-syzkaller-00060-gd07b43284ab3 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:ocfs2_read_locked_inode fs/ocfs2/inode.c:533 [inline]
RIP: 0010:ocfs2_iget+0x202b/0x2120 fs/ocfs2/inode.c:159
Code: 00 e8 59 8b 75 fe 4c 8b 84 24 c0 01 00 00 4c 89 f7 48 c7 c6 e8 bd 0b 8e ba 18 02 00 00 48 c7 c1 00 00 49 8c e8 06 c9 16 00 90 <0f> 0b e8 de 45 0e fe 90 0f 0b e8 d6 45 0e fe 31 db 65 ff 0d a5 93
RSP: 0018:ffffc9000b0aefe0 EFLAGS: 00010246
RAX: 64c5852747dade00 RBX: ffffc9000b0af140 RCX: 64c5852747dade00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc9000b0af270 R08: ffffffff8174024c R09: 1ffff1100410519a
R10: dffffc0000000000 R11: ffffed100410519b R12: ffff8880154ea200
R13: dffffc0000000000 R14: ffffc9000b0af160 R15: 1000000000000000
FS: 00005555677bf380(0000) GS:ffff888020800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055a9ee203e78 CR3: 000000003680c000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ocfs2_init_global_system_inodes+0xc6/0x730 fs/ocfs2/super.c:437
ocfs2_initialize_super fs/ocfs2/super.c:2250 [inline]
ocfs2_fill_super+0x3068/0x5880 fs/ocfs2/super.c:994
mount_bdev+0x20a/0x2d0 fs/super.c:1679
legacy_get_tree+0xee/0x190 fs/fs_context.c:662
vfs_get_tree+0x90/0x2a0 fs/super.c:1800
do_new_mount+0x2be/0xb40 fs/namespace.c:3472
do_mount fs/namespace.c:3812 [inline]
__do_sys_mount fs/namespace.c:4020 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3997
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2d27572dea
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 5e 04 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff1e6e9398 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fff1e6e93b0 RCX: 00007f2d27572dea
RDX: 0000000020004480 RSI: 00000000200044c0 RDI: 00007fff1e6e93b0
RBP: 0000000000000004 R08: 00007fff1e6e93f0 R09: 000000000000447b
R10: 0000000002800400 R11: 0000000000000282 R12: 0000000002800400
R13: 00007fff1e6e93f0 R14: 0000000000000003 R15: 0000000001000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ocfs2_read_locked_inode fs/ocfs2/inode.c:533 [inline]
RIP: 0010:ocfs2_iget+0x202b/0x2120 fs/ocfs2/inode.c:159
Code: 00 e8 59 8b 75 fe 4c 8b 84 24 c0 01 00 00 4c 89 f7 48 c7 c6 e8 bd 0b 8e ba 18 02 00 00 48 c7 c1 00 00 49 8c e8 06 c9 16 00 90 <0f> 0b e8 de 45 0e fe 90 0f 0b e8 d6 45 0e fe 31 db 65 ff 0d a5 93
RSP: 0018:ffffc9000b0aefe0 EFLAGS: 00010246
RAX: 64c5852747dade00 RBX: ffffc9000b0af140 RCX: 64c5852747dade00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc9000b0af270 R08: ffffffff8174024c R09: 1ffff1100410519a
R10: dffffc0000000000 R11: ffffed100410519b R12: ffff8880154ea200
R13: dffffc0000000000 R14: ffffc9000b0af160 R15: 1000000000000000
FS: 00005555677bf380(0000) GS:ffff888020800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055a9ee203e78 CR3: 000000003680c000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Lizhi Xu

Aug 15, 2024, 11:26:30 PM8/15/24
to syzbot+5bdd49...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
Clear the dirty state of the released inode so the writeback worker does not write it back again.

#syz test: upstream d07b43284ab3

diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c
index cdb9b9bdea1f..156943973aa8 100644
--- a/fs/ocfs2/buffer_head_io.c
+++ b/fs/ocfs2/buffer_head_io.c
@@ -115,6 +115,7 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block,
}
bh = bhs[i];

+ printk("jbd: %d, dirty: %d, i: %d, bh: %p, %s\n", buffer_jbd(bh), buffer_dirty(bh), i, bh, __func__);
if (buffer_jbd(bh)) {
trace_ocfs2_read_blocks_sync_jbd(
(unsigned long long)bh->b_blocknr);
@@ -170,6 +171,8 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block,
continue;
}

+ printk("rf, jbd: %d, dirty: %d, i: %d, bh: %p, buf lock: %d, %s\n", buffer_jbd(bh),
+ buffer_dirty(bh), buffer_locked(bh), i, bh, __func__);
/* No need to wait on the buffer if it's managed by JBD. */
if (!buffer_jbd(bh))
wait_on_buffer(bh);
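Review bot: The argument list of the added `rf` printk does not match its format string: the third `%d` (labelled `i`) receives `buffer_locked(bh)`, the `%p` receives the int `i`, and the `buf lock: %d` slot receives the pointer `bh`, so the output is mislabelled and a pointer is passed where an int is expected. Reorder the arguments to follow the format, `buffer_jbd(bh), buffer_dirty(bh), i, bh, buffer_locked(bh), __func__`, or move the `buf lock` specifier to the third position. ocfs2_read_blocks_sync starts and ends outside the hunk.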
diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c
index 2cc5c99fe941..3b9a8b62a57d 100644
--- a/fs/ocfs2/inode.c
+++ b/fs/ocfs2/inode.c
@@ -489,6 +489,8 @@ static int ocfs2_read_locked_inode(struct inode *inode,
}
}

+ printk("can lock: %d, sysf: %d, blkno: %lu, %s\n", can_lock,
+ args->fi_flags & OCFS2_FI_FLAG_SYSFILE, args->fi_blkno, __func__);
if (can_lock) {
if (args->fi_flags & OCFS2_FI_FLAG_FILECHECK_CHK)
status = ocfs2_filecheck_read_inode_block_full(inode,
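Review bot: `args->fi_blkno` is printed with `%lu`; if it is a u64, as the block-number values in this series are treated (the buffer_head_io.c hunk of this same patch casts `bh->b_blocknr` to `(unsigned long long)`), the specifier is wrong on 32-bit builds and trips -Wformat. Use `%llu` with `(unsigned long long)args->fi_blkno`. The `sysf: %d` value prints the raw flag bit rather than 0/1; `!!(args->fi_flags & OCFS2_FI_FLAG_SYSFILE)` would match how the BUG expression in the report normalises it. ocfs2_read_locked_inode starts and ends outside the hunk.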

syzbot

Aug 15, 2024, 11:41:06 PM8/15/24
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in ocfs2_iget

(syz.0.15,5600,0):ocfs2_read_locked_inode:538 ERROR: bug expression: !!(fe->i_flags & cpu_to_le32(OCFS2_SYSTEM_FL)) != !!(args->fi_flags & OCFS2_FI_FLAG_SYSFILE)
(syz.0.15,5600,0):ocfs2_read_locked_inode:538 ERROR: Inode 17: system file state is ambiguous
------------[ cut here ]------------
kernel BUG at fs/ocfs2/inode.c:538!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5600 Comm: syz.0.15 Not tainted 6.11.0-rc3-syzkaller-00060-gd07b43284ab3-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:ocfs2_read_locked_inode fs/ocfs2/inode.c:535 [inline]
RIP: 0010:ocfs2_iget+0x1c71/0x1cf0 fs/ocfs2/inode.c:159
Code: 00 e8 03 8e 75 fe 4c 8b 84 24 40 01 00 00 4c 89 f7 48 c7 c6 0f be 0b 8e ba 1a 02 00 00 48 c7 c1 20 01 49 8c e8 a0 ca 16 00 90 <0f> 0b e8 88 48 0e fe 90 0f 0b e8 80 48 0e fe 90 0f 0b 90 e9 3d fa
RSP: 0018:ffffc900027bf060 EFLAGS: 00010246
RAX: d9ed16ebbba7d700 RBX: ffffc900027bf140 RCX: d9ed16ebbba7d700
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc900027bf270 R08: ffffffff8174024c R09: 1ffff1100410519a
R10: dffffc0000000000 R11: ffffed100410519b R12: dffffc0000000000
R13: ffff88803a6c8878 R14: ffffc900027bf160 R15: 1000000000000000
FS: 00007f0c989f86c0(0000) GS:ffff888020800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5ed5d95ed8 CR3: 000000001d86c000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ocfs2_init_global_system_inodes+0xc6/0x730 fs/ocfs2/super.c:437
ocfs2_initialize_super fs/ocfs2/super.c:2250 [inline]
ocfs2_fill_super+0x3068/0x5880 fs/ocfs2/super.c:994
mount_bdev+0x20a/0x2d0 fs/super.c:1679
legacy_get_tree+0xee/0x190 fs/fs_context.c:662
vfs_get_tree+0x90/0x2a0 fs/super.c:1800
do_new_mount+0x2be/0xb40 fs/namespace.c:3472
do_mount fs/namespace.c:3812 [inline]
__do_sys_mount fs/namespace.c:4020 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3997
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0c97b7b0ba
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 7e 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0c989f7e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f0c989f7ef0 RCX: 00007f0c97b7b0ba
RDX: 0000000020004480 RSI: 00000000200044c0 RDI: 00007f0c989f7eb0
RBP: 0000000020004480 R08: 00007f0c989f7ef0 R09: 0000000002800400
R10: 0000000002800400 R11: 0000000000000246 R12: 00000000200044c0
R13: 00007f0c989f7eb0 R14: 0000000000004481 R15: 00000000200001c0
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ocfs2_read_locked_inode fs/ocfs2/inode.c:535 [inline]
RIP: 0010:ocfs2_iget+0x1c71/0x1cf0 fs/ocfs2/inode.c:159
Code: 00 e8 03 8e 75 fe 4c 8b 84 24 40 01 00 00 4c 89 f7 48 c7 c6 0f be 0b 8e ba 1a 02 00 00 48 c7 c1 20 01 49 8c e8 a0 ca 16 00 90 <0f> 0b e8 88 48 0e fe 90 0f 0b e8 80 48 0e fe 90 0f 0b 90 e9 3d fa
RSP: 0018:ffffc900027bf060 EFLAGS: 00010246
RAX: d9ed16ebbba7d700 RBX: ffffc900027bf140 RCX: d9ed16ebbba7d700
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc900027bf270 R08: ffffffff8174024c R09: 1ffff1100410519a
R10: dffffc0000000000 R11: ffffed100410519b R12: dffffc0000000000
R13: ffff88803a6c8878 R14: ffffc900027bf160 R15: 1000000000000000
FS: 00007f0c989f86c0(0000) GS:ffff888020800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5ed5d95ed8 CR3: 000000001d86c000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: d07b4328 Merge tag 'for-linus' of git://git.kernel.org..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1340acfd980000
kernel config: https://syzkaller.appspot.com/x/.config?x=7229118d88b4a71b
dashboard link: https://syzkaller.appspot.com/bug?extid=5bdd4953bc58c8fbd6eb
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11b3abc5980000

Lizhi Xu

Aug 16, 2024, 1:49:10 AM8/16/24
to syzbot+5bdd49...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
Clear the dirty state of the released inode so the writeback worker does not write it back again.

#syz test: upstream d07b43284ab3

diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c
index cdb9b9bdea1f..a33d06069968 100644
--- a/fs/ocfs2/buffer_head_io.c
+++ b/fs/ocfs2/buffer_head_io.c
@@ -115,6 +115,7 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block,
}
bh = bhs[i];

+ printk("jbd: %d, dirty: %d, i: %d, bh: %p, %s\n", buffer_jbd(bh), buffer_dirty(bh), i, bh, __func__);
if (buffer_jbd(bh)) {
trace_ocfs2_read_blocks_sync_jbd(
(unsigned long long)bh->b_blocknr);
@@ -148,6 +149,8 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block,
get_bh(bh); /* for end_buffer_read_sync() */
bh->b_end_io = end_buffer_read_sync;
submit_bh(REQ_OP_READ, bh);
+ printk("bio, jbd: %d, dirty: %d, i: %d, bh: %p, buflocked: %d, status: %d, %s\n", buffer_jbd(bh),
+ buffer_dirty(bh), i, bh, buffer_locked(bh), status, __func__);
}

read_failure:
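Review bot: `buffer_locked(bh)` sampled after `submit_bh()` can be either value depending on whether the read has already completed by the time the printk runs, so this print cannot distinguish "submit_bh never locked the buffer" from "the completion handler has already unlocked it". If the question is whether submission locks the buffer, sample `buffer_locked(bh)` immediately before `submit_bh(REQ_OP_READ, bh);` as well, and note the reference taken by `get_bh(bh)` above is the only thing keeping the print safe against the completion path. ocfs2_read_blocks_sync starts and ends outside the hunk.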
@@ -170,9 +173,15 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block,
continue;
}

+ printk("rf, jbd: %d, dirty: %d, i: %d, bh: %p, buflocked: %d, status: %d, %s\n", buffer_jbd(bh),
+ buffer_dirty(bh), i, bh, buffer_locked(bh), status, __func__);
/* No need to wait on the buffer if it's managed by JBD. */
- if (!buffer_jbd(bh))
+ if (!buffer_jbd(bh)) {
+ if (!buffer_locked(bh) && bh->b_end_io == end_buffer_read_sync)
+ lock_buffer(bh);
+
wait_on_buffer(bh);
+ }

if (!buffer_uptodate(bh)) {
/* Status won't be cleared from here on out,
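Review bot: The new `lock_buffer(bh)` before `wait_on_buffer(bh)` deadlocks the calling task: lock_buffer takes BH_Lock for the current task, wait_on_buffer then sleeps until BH_Lock clears, and nothing on this path ever unlocks it, which is consistent with the hang reported against this function later in the thread. A buffer whose read was submitted with `end_buffer_read_sync` is unlocked by that completion handler, so `!buffer_locked(bh)` already means the I/O has finished and there is nothing left to wait for; the original `if (!buffer_jbd(bh))` / `wait_on_buffer(bh);` is correct here and the added branch should be dropped. The `buffer_uptodate(bh)` check that follows is the right place to detect a failed read. ocfs2_read_blocks_sync starts and ends outside the hunk.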

syzbot

Aug 16, 2024, 2:06:05 AM8/16/24
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in ocfs2_read_blocks_sync

INFO: task syz.0.15:5591 blocked for more than 143 seconds.
Not tainted 6.11.0-rc3-syzkaller-00060-gd07b43284ab3-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.15 state:D stack:22832 pid:5591 tgid:5590 ppid:5536 flags:0x00004004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5188 [inline]
__schedule+0x1800/0x4a60 kernel/sched/core.c:6529
__schedule_loop kernel/sched/core.c:6606 [inline]
schedule+0x14b/0x320 kernel/sched/core.c:6621
io_schedule+0x8d/0x110 kernel/sched/core.c:7401
bit_wait_io+0x12/0xd0 kernel/sched/wait_bit.c:209
__wait_on_bit+0xb0/0x2f0 kernel/sched/wait_bit.c:49
out_of_line_wait_on_bit+0x1d5/0x260 kernel/sched/wait_bit.c:64
wait_on_buffer include/linux/buffer_head.h:415 [inline]
ocfs2_read_blocks_sync+0xc51/0xfe0 fs/ocfs2/buffer_head_io.c:183
ocfs2_read_locked_inode fs/ocfs2/inode.c:503 [inline]
ocfs2_iget+0xa3a/0x2120 fs/ocfs2/inode.c:159
ocfs2_init_global_system_inodes+0xc6/0x730 fs/ocfs2/super.c:437
ocfs2_initialize_super fs/ocfs2/super.c:2250 [inline]
ocfs2_fill_super+0x3068/0x5880 fs/ocfs2/super.c:994
mount_bdev+0x20a/0x2d0 fs/super.c:1679
legacy_get_tree+0xee/0x190 fs/fs_context.c:662
vfs_get_tree+0x90/0x2a0 fs/super.c:1800
do_new_mount+0x2be/0xb40 fs/namespace.c:3472
do_mount fs/namespace.c:3812 [inline]
__do_sys_mount fs/namespace.c:4020 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3997
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7eff18d7b0ba
RSP: 002b:00007eff19a76e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007eff19a76ef0 RCX: 00007eff18d7b0ba
RDX: 0000000020004480 RSI: 00000000200044c0 RDI: 00007eff19a76eb0
RBP: 0000000020004480 R08: 00007eff19a76ef0 R09: 0000000002800400
R10: 0000000002800400 R11: 0000000000000246 R12: 00000000200044c0
R13: 00007eff19a76eb0 R14: 0000000000004481 R15: 00000000200001c0
</TASK>

Showing all locks held in the system:
1 lock held by khungtaskd/25:
#0: ffffffff8e9382e0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:326 [inline]
#0: ffffffff8e9382e0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline]
#0: ffffffff8e9382e0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x55/0x2a0 kernel/locking/lockdep.c:6626
2 locks held by kswapd0/72:
2 locks held by getty/4888:
#0: ffff88801b6c10a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
#1: ffffc9000039b2f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x6ac/0x1e00 drivers/tty/n_tty.c:2211
1 lock held by syz.0.15/5591:
#0: ffff8880429de0e0 (&type->s_umount_key#52/1){+.+.}-{3:3}, at: alloc_super+0x221/0x9d0 fs/super.c:344

=============================================

NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 25 Comm: khungtaskd Not tainted 6.11.0-rc3-syzkaller-00060-gd07b43284ab3-dirty #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
nmi_cpu_backtrace+0x49c/0x4d0 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x198/0x320 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline]
watchdog+0xfee/0x1030 kernel/hung_task.c:379
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>


Tested on:

commit: d07b4328 Merge tag 'for-linus' of git://git.kernel.org..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12e04605980000
kernel config: https://syzkaller.appspot.com/x/.config?x=7229118d88b4a71b
dashboard link: https://syzkaller.appspot.com/bug?extid=5bdd4953bc58c8fbd6eb
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=14c516d5980000

Lizhi Xu

Aug 16, 2024, 2:18:41 AM8/16/24
to syzbot+5bdd49...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
Does the BH_Lock state-check macro buffer_locked not work?

#syz test: upstream d07b43284ab3

diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c
index cdb9b9bdea1f..f67f82adfee2 100644
--- a/fs/ocfs2/buffer_head_io.c
+++ b/fs/ocfs2/buffer_head_io.c
@@ -148,6 +148,8 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block,
get_bh(bh); /* for end_buffer_read_sync() */
bh->b_end_io = end_buffer_read_sync;
submit_bh(REQ_OP_READ, bh);
+ printk("bio, jbd: %d, dirty: %d, i: %d, bh: %p, buflocked: %d, bfl: %d, status: %d, %s\n", buffer_jbd(bh),
+ buffer_dirty(bh), i, bh, buffer_locked(bh), bh->b_state & BH_Lock, status, __func__);
}

read_failure:
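Review bot: `bh->b_state & BH_Lock` does not test the lock flag: as far as I can see BH_Lock is a bit number from `enum bh_state_bits`, not a mask, so the expression masks a different bit, and the resulting `unsigned long` is then passed to a `%d` specifier. The locked test is `test_bit(BH_Lock, &bh->b_state)`, which is what `buffer_locked(bh)` expands to, so the two values printed here cannot expose a difference between the macro and the raw state; the `rf` printk and `if` condition in the following hunk and the `wait_on_buffer()` change in include/linux/buffer_head.h carry the same confusion. If the intent is to double-check the accessor, print `test_bit(BH_Lock, &bh->b_state)` instead. ocfs2_read_blocks_sync starts and ends outside the hunk.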
@@ -170,9 +172,15 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block,
continue;
}

+ printk("rf, jbd: %d, dirty: %d, i: %d, bh: %p, buflocked: %d, bfl: %d, status: %d, %s\n", buffer_jbd(bh),
+ buffer_dirty(bh), i, bh, buffer_locked(bh), bh->b_state & BH_Lock, status, __func__);
/* No need to wait on the buffer if it's managed by JBD. */
- if (!buffer_jbd(bh))
+ if (!buffer_jbd(bh)) {
+ if (!buffer_locked(bh) && (bh->b_state & BH_Lock) && bh->b_end_io == end_buffer_read_sync)
+ lock_buffer(bh);
+
wait_on_buffer(bh);
+ }

if (!buffer_uptodate(bh)) {
/* Status won't be cleared from here on out,
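Review bot: The added `lock_buffer(bh)` followed by `wait_on_buffer(bh)` still blocks the calling task on a lock it has just taken itself, since nothing on this path releases it; the extra `(bh->b_state & BH_Lock)` term in the condition does not change that. For a buffer completed through `end_buffer_read_sync`, not being locked means the read has already finished, so the original `if (!buffer_jbd(bh))` / `wait_on_buffer(bh);` is sufficient and the new branch should be removed. ocfs2_read_blocks_sync starts and ends outside the hunk.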
diff --git a/include/linux/buffer_head.h b/include/linux/buffer_head.h
index e022e40b099e..33c179fa522e 100644
--- a/include/linux/buffer_head.h
+++ b/include/linux/buffer_head.h
@@ -411,7 +411,7 @@ map_bh(struct buffer_head *bh, struct super_block *sb, sector_t block)
static inline void wait_on_buffer(struct buffer_head *bh)
{
might_sleep();
- if (buffer_locked(bh))
+ if (bh->i_state & BH_Lock)
__wait_on_buffer(bh);
}

syzbot

Aug 16, 2024, 2:23:04 AM8/16/24
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

./include/linux/buffer_head.h:414:10: error: no member named 'i_state' in 'struct buffer_head'; did you mean 'b_state'?In file included from
./include/linux/buffer_head.h:414:10: error: no member named 'i_state' in 'struct buffer_head'; did you mean 'b_state'?


Tested on:

commit: d07b4328 Merge tag 'for-linus' of git://git.kernel.org..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=7229118d88b4a71b
dashboard link: https://syzkaller.appspot.com/bug?extid=5bdd4953bc58c8fbd6eb
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12f5e18d980000

Lizhi Xu

Aug 16, 2024, 2:54:38 AM8/16/24
to syzbot+5bdd49...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
+ if (bh->b_state & BH_Lock)
__wait_on_buffer(bh);
}

syzbot

Aug 16, 2024, 3:16:05 AM8/16/24
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

ver
[ 22.256176][ T1] gre: GRE over IPv4 demultiplexor driver
[ 22.259770][ T1] ip_gre: GRE over IPv4 tunneling driver
[ 22.287563][ T1] IPv4 over IPsec tunneling driver
[ 22.311919][ T1] Initializing XFRM netlink socket
[ 22.315482][ T1] IPsec XFRM device driver
[ 22.318978][ T1] NET: Registered PF_INET6 protocol family
[ 22.365642][ T1] Segment Routing with IPv6
[ 22.368543][ T1] RPL Segment Routing with IPv6
[ 22.381211][ T1] In-situ OAM (IOAM) with IPv6
[ 22.384937][ T1] mip6: Mobile IPv6
[ 22.402582][ T1] sit: IPv6, IPv4 and MPLS over IPv4 tunneling driver
[ 22.423906][ T1] ip6_gre: GRE over IPv6 tunneling driver
[ 22.441036][ T1] NET: Registered PF_PACKET protocol family
[ 22.444604][ T1] NET: Registered PF_KEY protocol family
[ 22.448675][ T1] Bridge firewalling registered
[ 22.472037][ T1] NET: Registered PF_X25 protocol family
[ 22.475775][ T1] X25: Linux Version 0.2
[ 22.491394][ T1] NET: Registered PF_NETROM protocol family
[ 22.499054][ T1] NET: Registered PF_ROSE protocol family
[ 22.511551][ T1] NET: Registered PF_AX25 protocol family
[ 22.516042][ T1] can: controller area network core
[ 22.519856][ T1] NET: Registered PF_CAN protocol family
[ 22.540813][ T1] can: raw protocol
[ 22.543257][ T1] can: broadcast manager protocol
[ 22.546276][ T1] can: netlink gateway - max_hops=1
[ 22.549709][ T1] can: SAE J1939
[ 22.560774][ T1] can: isotp protocol (max_pdu_size 8300)
[ 22.564738][ T1] Bluetooth: RFCOMM TTY layer initialized
[ 22.568297][ T1] Bluetooth: RFCOMM socket layer initialized
[ 22.580943][ T1] Bluetooth: RFCOMM ver 1.11
[ 22.583931][ T1] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[ 22.587734][ T1] Bluetooth: BNEP filters: protocol multicast
[ 22.600814][ T1] Bluetooth: BNEP socket layer initialized
[ 22.604465][ T1] Bluetooth: CMTP (CAPI Emulation) ver 1.0
[ 22.608137][ T1] Bluetooth: CMTP socket layer initialized
[ 22.620818][ T1] Bluetooth: HIDP (Human Interface Emulation) ver 1.2
[ 22.625493][ T1] Bluetooth: HIDP socket layer initialized
[ 22.642879][ T1] NET: Registered PF_RXRPC protocol family
[ 22.646673][ T1] Key type rxrpc registered
[ 22.649692][ T1] Key type rxrpc_s registered
[ 22.671739][ T1] NET: Registered PF_KCM protocol family
[ 22.676152][ T1] lec:lane_module_init: lec.c: initialized
[ 22.679516][ T1] mpoa:atm_mpoa_init: mpc.c: initialized
[ 22.691093][ T1] l2tp_core: L2TP core driver, V2.0
[ 22.694470][ T1] l2tp_ppp: PPPoL2TP kernel driver, V2.0
[ 22.698571][ T1] l2tp_ip: L2TP IP encapsulation support (L2TPv3)
[ 22.721627][ T1] l2tp_netlink: L2TP netlink interface
[ 22.725854][ T1] l2tp_eth: L2TP ethernet pseudowire support (L2TPv3)
[ 22.729901][ T1] l2tp_ip6: L2TP IP encapsulation support for IPv6 (L2TPv3)
[ 22.741069][ T1] NET: Registered PF_PHONET protocol family
[ 22.744990][ T1] 8021q: 802.1Q VLAN Support v1.8
[ 22.766151][ T1] DCCP: Activated CCID 2 (TCP-like)
[ 22.769445][ T1] DCCP: Activated CCID 3 (TCP-Friendly Rate Control)
[ 22.791314][ T1] DCCP is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[ 22.798332][ T1] sctp: Hash tables configured (bind 32/56)
[ 22.812708][ T1] NET: Registered PF_RDS protocol family
[ 22.821126][ T1] Registered RDS/infiniband transport
[ 22.826052][ T1] Registered RDS/tcp transport
[ 22.828939][ T1] tipc: Activated (version 2.0.0)
[ 22.851699][ T1] NET: Registered PF_TIPC protocol family
[ 22.856538][ T1] tipc: Started in single node mode
[ 22.860624][ T1] NET: Registered PF_SMC protocol family
[ 22.871125][ T1] 9pnet: Installing 9P2000 support
[ 22.892730][ T1] NET: Registered PF_CAIF protocol family
[ 22.904135][ T1] NET: Registered PF_IEEE802154 protocol family
[ 22.907774][ T1] Key type dns_resolver registered
[ 22.921439][ T1] Key type ceph registered
[ 22.924461][ T1] libceph: loaded (mon/osd proto 15/24)
[ 22.941318][ T1] batman_adv: B.A.T.M.A.N. advanced 2024.2 (compatibility version 15) loaded
[ 22.946449][ T1] openvswitch: Open vSwitch switching datapath
[ 22.963290][ T1] NET: Registered PF_VSOCK protocol family
[ 22.966983][ T1] mpls_gso: MPLS GSO support
[ 22.998127][ T1] IPI shorthand broadcast: enabled
[ 23.010939][ T1] AES CTR mode by8 optimization enabled
[ 25.092738][ T1] sched_clock: Marking stable (24940064092, 150641100)->(25105710100, -15004908)
[ 25.112831][ T1] registered taskstats version 1
[ 25.138057][ T1] Loading compiled-in X.509 certificates
[ 25.155654][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: 1982cdebc9b34f571b35a9e4997953b56129a245'
[ 25.634485][ T1] zswap: loaded using pool lzo/zsmalloc
[ 25.651413][ T1] Demotion targets for Node 0: null
[ 25.654756][ T1] Demotion targets for Node 1: null
[ 25.658058][ T1] debug_vm_pgtable: [debug_vm_pgtable ]: Validating architecture page table helpers
[ 25.684439][ T1] Key type .fscrypt registered
[ 25.687420][ T1] Key type fscrypt-provisioning registered
[ 25.707223][ T1] kAFS: Red Hat AFS client v0.1 registering.
[ 25.760940][ T1] Btrfs loaded, assert=on, ref-verify=on, zoned=yes, fsverity=yes
[ 25.767099][ T1] Key type big_key registered
[ 25.787630][ T1] Key type encrypted registered
[ 25.791182][ T1] AppArmor: AppArmor sha256 policy hashing enabled
[ 25.795538][ T1] ima: No TPM chip found, activating TPM-bypass!
[ 25.799672][ T1] Loading compiled-in module X.509 certificates
[ 25.823648][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: 1982cdebc9b34f571b35a9e4997953b56129a245'
[ 25.830457][ T1] ima: Allocated hash algorithm: sha256
[ 25.851170][ T1] ima: No architecture policies found
[ 25.855225][ T1] evm: Initialising EVM extended attributes:
[ 25.858950][ T1] evm: security.selinux (disabled)
[ 25.870767][ T1] evm: security.SMACK64 (disabled)
[ 25.874149][ T1] evm: security.SMACK64EXEC (disabled)
[ 25.877263][ T1] evm: security.SMACK64TRANSMUTE (disabled)
[ 25.891255][ T1] evm: security.SMACK64MMAP (disabled)
[ 25.900835][ T1] evm: security.apparmor
[ 25.903422][ T1] evm: security.ima
[ 25.905764][ T1] evm: security.capability
[ 25.908451][ T1] evm: HMAC attrs: 0x1
[ 25.923759][ T1] PM: Magic number: 4:468:66
[ 25.926702][ T1] misc vhci: hash matches
[ 25.940746][ T1] printk: legacy console [netcon0] enabled
[ 25.944537][ T1] netconsole: network logging started
[ 25.948522][ T1] gtp: GTP module loaded (pdp ctx size 128 bytes)
[ 25.975449][ T1] rdma_rxe: loaded
[ 25.978564][ T1] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[ 25.992849][ T1] Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[ 25.997648][ T1] Loaded X.509 cert 'wens: 61c038651aabdcf94bd0ac7ff06c7248db18c600'
[ 26.021491][ T1] clk: Disabling unused clocks
[ 26.024720][ T1] ALSA device list:
[ 26.027272][ T1] #0: Dummy 1
[ 26.029691][ T1] #1: Loopback 1
[ 26.034074][ T8] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[ 26.039920][ T8] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
[ 26.060993][ T1] #2: Virtual MIDI Card 1
[ 26.069802][ T1] md: Waiting for all devices to be available before autodetect
[ 26.080824][ T1] md: If you don't use raid, use raid=noautodetect
[ 26.083787][ T1] md: Autodetecting RAID arrays.
[ 26.086140][ T1] md: autorun ...
[ 26.087847][ T1] md: ... autorun DONE.
[ 26.106628][ T1] REISERFS warning (device sda1): sh-2006 read_super_block: bread failed (dev sda1, block 2, size 4096)
[ 26.121102][ T1] REISERFS warning (device sda1): sh-2006 read_super_block: bread failed (dev sda1, block 16, size 4096)
[ 26.137346][ T1] EXT4-fs (sda1): unable to read superblock
[ 26.151559][ T1] VFS: Cannot open root device "/dev/sda1" or unknown-block(8,1): error -5
[ 26.154695][ T1] Please append a correct "root=" boot option; here are the available partitions:
[ 26.157973][ T1] 0100 4096 ram0
[ 26.157993][ T1] (driver?)
[ 26.170884][ T1] 0101 4096 ram1
[ 26.170903][ T1] (driver?)
[ 26.173970][ T1] 0102 4096 ram2
[ 26.173984][ T1] (driver?)
[ 26.177024][ T1] 0103 4096 ram3
[ 26.177036][ T1] (driver?)
[ 26.179966][ T1] 0104 4096 ram4
[ 26.179977][ T1] (driver?)
[ 26.190784][ T1] 0105 4096 ram5
[ 26.190799][ T1] (driver?)
[ 26.193830][ T1] 0106 4096 ram6
[ 26.193842][ T1] (driver?)
[ 26.196508][ T1] 0107 4096 ram7
[ 26.196521][ T1] (driver?)
[ 26.199540][ T1] 0108 4096 ram8
[ 26.199552][ T1] (driver?)
[ 26.220772][ T1] 0109 4096 ram9
[ 26.220793][ T1] (driver?)
[ 26.223952][ T1] 010a 4096 ram10
[ 26.223968][ T1] (driver?)
[ 26.227033][ T1] 010b 4096 ram11
[ 26.227047][ T1] (driver?)
[ 26.230122][ T1] 010c 4096 ram12
[ 26.230135][ T1] (driver?)
[ 26.240772][ T1] 010d 4096 ram13
[ 26.240790][ T1] (driver?)
[ 26.243796][ T1] 010e 4096 ram14
[ 26.243810][ T1] (driver?)
[ 26.246862][ T1] 010f 4096 ram15
[ 26.246877][ T1] (driver?)
[ 26.249691][ T1] fa00 262144000 nullb0
[ 26.249703][ T1] (driver?)
[ 26.270789][ T1] 103:00000 65536 pmem0
[ 26.270811][ T1] driver: nd_pmem
[ 26.273992][ T1] 1f00 128 mtdblock0
[ 26.274006][ T1] (driver?)
[ 26.277085][ T1] 0800 1048729 sda
[ 26.277099][ T1] driver: sd
[ 26.280053][ T1] 0801 1048576 sda1 00000000-01
[ 26.280067][ T1]
[ 26.290853][ T1] 0b00 64 sr0
[ 26.290869][ T1] driver: sr
[ 26.294114][ T1] List of all bdev filesystems:
[ 26.296096][ T1] reiserfs
[ 26.296106][ T1] ext3
[ 26.297360][ T1] ext2
[ 26.298565][ T1] ext4
[ 26.299810][ T1] cramfs
[ 26.312965][ T1] squashfs
[ 26.314221][ T1] minix
[ 26.315444][ T1] vfat
[ 26.316555][ T1] msdos
[ 26.317631][ T1] exfat
[ 26.318658][ T1] bfs
[ 26.319813][ T1] iso9660
[ 26.330812][ T1] hfsplus
[ 26.332042][ T1] hfs
[ 26.333198][ T1] vxfs
[ 26.334241][ T1] sysv
[ 26.335241][ T1] v7
[ 26.336320][ T1] hpfs
[ 26.337367][ T1] ntfs3
[ 26.338398][ T1] ufs
[ 26.339540][ T1] efs
[ 26.340648][ T1] affs
[ 26.350766][ T1] romfs
[ 26.351895][ T1] qnx4
[ 26.353012][ T1] qnx6
[ 26.354113][ T1] adfs
[ 26.355194][ T1] fuseblk
[ 26.356334][ T1] udf
[ 26.357517][ T1] omfs
[ 26.358547][ T1] jfs
[ 26.359625][ T1] xfs
[ 26.370782][ T1] nilfs2
[ 26.371842][ T1] befs
[ 26.372831][ T1] ocfs2
[ 26.373926][ T1] gfs2
[ 26.375065][ T1] gfs2meta
[ 26.376173][ T1] f2fs
[ 26.377413][ T1] bcachefs
[ 26.378499][ T1] erofs
[ 26.379765][ T1] zonefs
[ 26.392475][ T1] btrfs
[ 26.393658][ T1]
[ 26.395611][ T1] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(8,1)
[ 26.398884][ T1] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.11.0-rc3-syzkaller-00060-gd07b43284ab3-dirty #0
[ 26.402615][ T1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 26.406329][ T1] Call Trace:
[ 26.407589][ T1] <TASK>
[ 26.408656][ T1] dump_stack_lvl+0x241/0x360
[ 26.410564][ T1] ? __pfx_dump_stack_lvl+0x10/0x10
[ 26.412592][ T1] ? vsnprintf+0x184/0x1da0
[ 26.414233][ T1] ? __pfx__printk+0x10/0x10
[ 26.415947][ T1] ? vscnprintf+0x5d/0x90
[ 26.417369][ T1] panic+0x349/0x860
[ 26.418703][ T1] ? __wake_up_klogd+0xcc/0x110
[ 26.420305][ T1] ? __pfx_panic+0x10/0x10
[ 26.421739][ T1] ? __wake_up_klogd+0xcc/0x110
[ 26.423408][ T1] ? do_mount_root+0xfd/0x260
[ 26.424981][ T1] mount_root_generic+0x3c3/0x3e0
[ 26.426675][ T1] ? __pfx_mount_root_generic+0x10/0x10
[ 26.428510][ T1] prepare_namespace+0xc2/0x100
[ 26.430198][ T1] kernel_init_freeable+0x476/0x5d0
[ 26.432199][ T1] ? __pfx_kernel_init_freeable+0x10/0x10
[ 26.434463][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 26.436908][ T1] ? __pfx_kernel_init+0x10/0x10
[ 26.438695][ T1] ? __pfx_kernel_init+0x10/0x10
[ 26.440416][ T1] ? __pfx_kernel_init+0x10/0x10
[ 26.442094][ T1] kernel_init+0x1d/0x2b0
[ 26.443618][ T1] ret_from_fork+0x4b/0x80
[ 26.445243][ T1] ? __pfx_kernel_init+0x10/0x10
[ 26.447182][ T1] ret_from_fork_asm+0x1a/0x30
[ 26.448992][ T1] </TASK>
[ 26.450290][ T1] Kernel Offset: disabled
[ 26.451937][ T1] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.4'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build223168768=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at e4bacdaf3
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
go fmt ./sys/... >/dev/null
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=e4bacdaf3417006ad6aa0d911a44b49bb25a6e1a -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240814-175600'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"e4bacdaf3417006ad6aa0d911a44b49bb25a6e1a\"
/usr/bin/ld: /tmp/ccI66zQZ.o: in function `test_cover_filter()':
executor.cc:(.text+0x13e0b): warning: the use of `tempnam' is dangerous, better use `mkstemp'
/usr/bin/ld: /tmp/ccI66zQZ.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=15243fd3980000


Tested on:

commit: d07b4328 Merge tag 'for-linus' of git://git.kernel.org..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=7229118d88b4a71b
dashboard link: https://syzkaller.appspot.com/bug?extid=5bdd4953bc58c8fbd6eb
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=176a0cfd980000

Lizhi Xu

Aug 16, 2024, 3:23:25 AM8/16/24
to syzbot+5bdd49...@syzkaller.appspotmail.com, syzkall...@googlegroups.com

syzbot

Aug 16, 2024, 3:45:03 AM8/16/24
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

over IPv4 tunneling driver
[ 22.681196][ T1] IPv4 over IPsec tunneling driver
[ 22.689324][ T1] Initializing XFRM netlink socket
[ 22.700521][ T1] IPsec XFRM device driver
[ 22.704012][ T1] NET: Registered PF_INET6 protocol family
[ 22.744667][ T1] Segment Routing with IPv6
[ 22.747583][ T1] RPL Segment Routing with IPv6
[ 22.759923][ T1] In-situ OAM (IOAM) with IPv6
[ 22.763258][ T1] mip6: Mobile IPv6
[ 22.782112][ T1] sit: IPv6, IPv4 and MPLS over IPv4 tunneling driver
[ 22.803545][ T1] ip6_gre: GRE over IPv6 tunneling driver
[ 22.821928][ T1] NET: Registered PF_PACKET protocol family
[ 22.825832][ T1] NET: Registered PF_KEY protocol family
[ 22.840132][ T1] Bridge firewalling registered
[ 22.843436][ T1] NET: Registered PF_X25 protocol family
[ 22.846894][ T1] X25: Linux Version 0.2
[ 22.863254][ T1] NET: Registered PF_NETROM protocol family
[ 22.880740][ T1] NET: Registered PF_ROSE protocol family
[ 22.884479][ T1] NET: Registered PF_AX25 protocol family
[ 22.888083][ T1] can: controller area network core
[ 22.900025][ T1] NET: Registered PF_CAN protocol family
[ 22.903314][ T1] can: raw protocol
[ 22.905604][ T1] can: broadcast manager protocol
[ 22.908918][ T1] can: netlink gateway - max_hops=1
[ 22.929939][ T1] can: SAE J1939
[ 22.932186][ T1] can: isotp protocol (max_pdu_size 8300)
[ 22.936079][ T1] Bluetooth: RFCOMM TTY layer initialized
[ 22.949748][ T1] Bluetooth: RFCOMM socket layer initialized
[ 22.953701][ T1] Bluetooth: RFCOMM ver 1.11
[ 22.956607][ T1] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[ 22.969813][ T1] Bluetooth: BNEP filters: protocol multicast
[ 22.973928][ T1] Bluetooth: BNEP socket layer initialized
[ 22.977586][ T1] Bluetooth: CMTP (CAPI Emulation) ver 1.0
[ 22.989689][ T1] Bluetooth: CMTP socket layer initialized
[ 22.993460][ T1] Bluetooth: HIDP (Human Interface Emulation) ver 1.2
[ 22.997816][ T1] Bluetooth: HIDP socket layer initialized
[ 23.022653][ T1] NET: Registered PF_RXRPC protocol family
[ 23.026158][ T1] Key type rxrpc registered
[ 23.029041][ T1] Key type rxrpc_s registered
[ 23.040527][ T1] NET: Registered PF_KCM protocol family
[ 23.050194][ T1] lec:lane_module_init: lec.c: initialized
[ 23.054077][ T1] mpoa:atm_mpoa_init: mpc.c: initialized
[ 23.058006][ T1] l2tp_core: L2TP core driver, V2.0
[ 23.080024][ T1] l2tp_ppp: PPPoL2TP kernel driver, V2.0
[ 23.083713][ T1] l2tp_ip: L2TP IP encapsulation support (L2TPv3)
[ 23.088086][ T1] l2tp_netlink: L2TP netlink interface
[ 23.099814][ T1] l2tp_eth: L2TP ethernet pseudowire support (L2TPv3)
[ 23.104218][ T1] l2tp_ip6: L2TP IP encapsulation support for IPv6 (L2TPv3)
[ 23.108941][ T1] NET: Registered PF_PHONET protocol family
[ 23.129957][ T1] 8021q: 802.1Q VLAN Support v1.8
[ 23.150332][ T1] DCCP: Activated CCID 2 (TCP-like)
[ 23.153773][ T1] DCCP: Activated CCID 3 (TCP-Friendly Rate Control)
[ 23.158446][ T1] DCCP is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[ 23.180124][ T1] sctp: Hash tables configured (bind 32/56)
[ 23.184931][ T1] NET: Registered PF_RDS protocol family
[ 23.200156][ T1] Registered RDS/infiniband transport
[ 23.205108][ T1] Registered RDS/tcp transport
[ 23.208128][ T1] tipc: Activated (version 2.0.0)
[ 23.220459][ T1] NET: Registered PF_TIPC protocol family
[ 23.225718][ T1] tipc: Started in single node mode
[ 23.240226][ T1] NET: Registered PF_SMC protocol family
[ 23.244293][ T1] 9pnet: Installing 9P2000 support
[ 23.265164][ T1] NET: Registered PF_CAIF protocol family
[ 23.282869][ T1] NET: Registered PF_IEEE802154 protocol family
[ 23.287199][ T1] Key type dns_resolver registered
[ 23.300985][ T1] Key type ceph registered
[ 23.304269][ T1] libceph: loaded (mon/osd proto 15/24)
[ 23.309066][ T1] batman_adv: B.A.T.M.A.N. advanced 2024.2 (compatibility version 15) loaded
[ 23.320247][ T1] openvswitch: Open vSwitch switching datapath
[ 23.333192][ T1] NET: Registered PF_VSOCK protocol family
[ 23.349795][ T1] mpls_gso: MPLS GSO support
[ 23.376493][ T1] IPI shorthand broadcast: enabled
[ 23.389830][ T1] AES CTR mode by8 optimization enabled
[ 25.056289][ T1] sched_clock: Marking stable (24900059923, 149540500)->(25060936007, -11335584)
[ 25.091540][ T1] registered taskstats version 1
[ 25.116888][ T1] Loading compiled-in X.509 certificates
[ 25.144534][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: 218caf1c31104bcbdeaa60830551d7c075b8594c'
[ 25.644688][ T1] zswap: loaded using pool lzo/zsmalloc
[ 25.660280][ T1] Demotion targets for Node 0: null
[ 25.663600][ T1] Demotion targets for Node 1: null
[ 25.666959][ T1] debug_vm_pgtable: [debug_vm_pgtable ]: Validating architecture page table helpers
[ 25.692171][ T1] Key type .fscrypt registered
[ 25.695044][ T1] Key type fscrypt-provisioning registered
[ 25.715809][ T1] kAFS: Red Hat AFS client v0.1 registering.
[ 25.770730][ T1] Btrfs loaded, assert=on, ref-verify=on, zoned=yes, fsverity=yes
[ 25.776557][ T1] Key type big_key registered
[ 25.797883][ T1] Key type encrypted registered
[ 25.809915][ T1] AppArmor: AppArmor sha256 policy hashing enabled
[ 25.814222][ T1] ima: No TPM chip found, activating TPM-bypass!
[ 25.818000][ T1] Loading compiled-in module X.509 certificates
[ 25.834512][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: 218caf1c31104bcbdeaa60830551d7c075b8594c'
[ 25.859718][ T1] ima: Allocated hash algorithm: sha256
[ 25.863869][ T1] ima: No architecture policies found
[ 25.868279][ T1] evm: Initialising EVM extended attributes:
[ 25.879666][ T1] evm: security.selinux (disabled)
[ 25.882959][ T1] evm: security.SMACK64 (disabled)
[ 25.886230][ T1] evm: security.SMACK64EXEC (disabled)
[ 25.889490][ T1] evm: security.SMACK64TRANSMUTE (disabled)
[ 25.909650][ T1] evm: security.SMACK64MMAP (disabled)
[ 25.912931][ T1] evm: security.apparmor
[ 25.915513][ T1] evm: security.ima
[ 25.917844][ T1] evm: security.capability
[ 25.929845][ T1] evm: HMAC attrs: 0x1
[ 25.939691][ T1] PM: Magic number: 4:983:571
[ 25.942784][ T1] misc uhid: hash matches
[ 25.945813][ T1] usbmon usbmon11: hash matches
[ 25.948890][ T1] tty ptyb3: hash matches
[ 25.970260][ T1] printk: legacy console [netcon0] enabled
[ 25.973618][ T1] netconsole: network logging started
[ 25.977424][ T1] gtp: GTP module loaded (pdp ctx size 128 bytes)
[ 25.994861][ T1] rdma_rxe: loaded
[ 25.997880][ T1] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[ 26.012178][ T1] Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[ 26.017897][ T1] Loaded X.509 cert 'wens: 61c038651aabdcf94bd0ac7ff06c7248db18c600'
[ 26.042070][ T9] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[ 26.049216][ T9] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
[ 26.055580][ T1] clk: Disabling unused clocks
[ 26.058896][ T1] ALSA device list:
[ 26.071544][ T1] #0: Dummy 1
[ 26.073615][ T1] #1: Loopback 1
[ 26.076029][ T1] #2: Virtual MIDI Card 1
[ 26.094145][ T1] md: Waiting for all devices to be available before autodetect
[ 26.097217][ T1] md: If you don't use raid, use raid=noautodetect
[ 26.109741][ T1] md: Autodetecting RAID arrays.
[ 26.111848][ T1] md: autorun ...
[ 26.113413][ T1] md: ... autorun DONE.
[ 26.131264][ T1] REISERFS warning (device sda1): sh-2006 read_super_block: bread failed (dev sda1, block 2, size 4096)
[ 26.136001][ T1] REISERFS warning (device sda1): sh-2006 read_super_block: bread failed (dev sda1, block 16, size 4096)
[ 26.160783][ T1] EXT4-fs (sda1): unable to read superblock
[ 26.163576][ T1] VFS: Cannot open root device "/dev/sda1" or unknown-block(8,1): error -5
[ 26.166627][ T1] Please append a correct "root=" boot option; here are the available partitions:
[ 26.169476][ T1] 0100 4096 ram0
[ 26.169487][ T1] (driver?)
[ 26.180457][ T1] 0101 4096 ram1
[ 26.180475][ T1] (driver?)
[ 26.183555][ T1] 0102 4096 ram2
[ 26.183570][ T1] (driver?)
[ 26.186554][ T1] 0103 4096 ram3
[ 26.186567][ T1] (driver?)
[ 26.189464][ T1] 0104 4096 ram4
[ 26.189477][ T1] (driver?)
[ 26.209634][ T1] 0105 4096 ram5
[ 26.209649][ T1] (driver?)
[ 26.212722][ T1] 0106 4096 ram6
[ 26.212736][ T1] (driver?)
[ 26.215719][ T1] 0107 4096 ram7
[ 26.215732][ T1] (driver?)
[ 26.218673][ T1] 0108 4096 ram8
[ 26.218685][ T1] (driver?)
[ 26.229675][ T1] 0109 4096 ram9
[ 26.229693][ T1] (driver?)
[ 26.232562][ T1] 010a 4096 ram10
[ 26.232570][ T1] (driver?)
[ 26.235354][ T1] 010b 4096 ram11
[ 26.235363][ T1] (driver?)
[ 26.238332][ T1] 010c 4096 ram12
[ 26.238342][ T1] (driver?)
[ 26.249650][ T1] 010d 4096 ram13
[ 26.249668][ T1] (driver?)
[ 26.252611][ T1] 010e 4096 ram14
[ 26.252625][ T1] (driver?)
[ 26.255434][ T1] 010f 4096 ram15
[ 26.255442][ T1] (driver?)
[ 26.258333][ T1] fa00 262144000 nullb0
[ 26.258345][ T1] (driver?)
[ 26.279671][ T1] 103:00000 65536 pmem0
[ 26.279692][ T1] driver: nd_pmem
[ 26.282874][ T1] 1f00 128 mtdblock0
[ 26.282884][ T1] (driver?)
[ 26.285857][ T1] 0800 1048729 sda
[ 26.285870][ T1] driver: sd
[ 26.288603][ T1] 0801 1048576 sda1 00000000-01
[ 26.288611][ T1]
[ 26.299682][ T1] 0b00 64 sr0
[ 26.299699][ T1] driver: sr
[ 26.302605][ T1] List of all bdev filesystems:
[ 26.304416][ T1] reiserfs
[ 26.304425][ T1] ext3
[ 26.305640][ T1] ext2
[ 26.306861][ T1] ext4
[ 26.308117][ T1] cramfs
[ 26.309245][ T1] squashfs
[ 26.319666][ T1] minix
[ 26.320940][ T1] vfat
[ 26.322017][ T1] msdos
[ 26.323033][ T1] exfat
[ 26.324192][ T1] bfs
[ 26.325302][ T1] iso9660
[ 26.326334][ T1] hfsplus
[ 26.327509][ T1] hfs
[ 26.328690][ T1] vxfs
[ 26.339674][ T1] sysv
[ 26.340817][ T1] v7
[ 26.341954][ T1] hpfs
[ 26.343111][ T1] ntfs3
[ 26.344309][ T1] ufs
[ 26.345378][ T1] efs
[ 26.346401][ T1] affs
[ 26.347433][ T1] romfs
[ 26.348547][ T1] qnx4
[ 26.359671][ T1] qnx6
[ 26.360786][ T1] adfs
[ 26.361863][ T1] fuseblk
[ 26.362902][ T1] udf
[ 26.363882][ T1] omfs
[ 26.364680][ T1] jfs
[ 26.365583][ T1] xfs
[ 26.366568][ T1] nilfs2
[ 26.367552][ T1] befs
[ 26.368645][ T1] ocfs2
[ 26.379647][ T1] gfs2
[ 26.380792][ T1] gfs2meta
[ 26.381833][ T1] f2fs
[ 26.382986][ T1] bcachefs
[ 26.384069][ T1] erofs
[ 26.385244][ T1] zonefs
[ 26.386313][ T1] btrfs
[ 26.387398][ T1]
[ 26.389346][ T1] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(8,1)
[ 26.392612][ T1] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.11.0-rc3-syzkaller-00060-gd07b43284ab3-dirty #0
[ 26.396470][ T1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 26.400373][ T1] Call Trace:
[ 26.401573][ T1] <TASK>
[ 26.402632][ T1] dump_stack_lvl+0x241/0x360
[ 26.404395][ T1] ? __pfx_dump_stack_lvl+0x10/0x10
[ 26.406180][ T1] ? vsnprintf+0x184/0x1da0
[ 26.407823][ T1] ? __pfx__printk+0x10/0x10
[ 26.409469][ T1] ? vscnprintf+0x5d/0x90
[ 26.411073][ T1] panic+0x349/0x860
[ 26.412545][ T1] ? __wake_up_klogd+0xcc/0x110
[ 26.414317][ T1] ? __pfx_panic+0x10/0x10
[ 26.415927][ T1] ? __wake_up_klogd+0xcc/0x110
[ 26.417650][ T1] ? do_mount_root+0xfd/0x260
[ 26.419401][ T1] mount_root_generic+0x3c3/0x3e0
[ 26.421379][ T1] ? __pfx_mount_root_generic+0x10/0x10
[ 26.423297][ T1] prepare_namespace+0xc2/0x100
[ 26.425107][ T1] kernel_init_freeable+0x476/0x5d0
[ 26.426851][ T1] ? __pfx_kernel_init_freeable+0x10/0x10
[ 26.428845][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 26.431064][ T1] ? __pfx_kernel_init+0x10/0x10
[ 26.432937][ T1] ? __pfx_kernel_init+0x10/0x10
[ 26.434692][ T1] ? __pfx_kernel_init+0x10/0x10
[ 26.436525][ T1] kernel_init+0x1d/0x2b0
[ 26.438222][ T1] ret_from_fork+0x4b/0x80
[ 26.439816][ T1] ? __pfx_kernel_init+0x10/0x10
[ 26.441580][ T1] ret_from_fork_asm+0x1a/0x30
[ 26.443380][ T1] </TASK>
[ 26.444764][ T1] Kernel Offset: disabled
[ 26.446251][ T1] Rebooting in 86400 seconds..
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build763184766=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at e4bacdaf3
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
go fmt ./sys/... >/dev/null
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=e4bacdaf3417006ad6aa0d911a44b49bb25a6e1a -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240814-175600'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"e4bacdaf3417006ad6aa0d911a44b49bb25a6e1a\"
/usr/bin/ld: /tmp/ccOQlpqV.o: in function `test_cover_filter()':
executor.cc:(.text+0x13e0b): warning: the use of `tempnam' is dangerous, better use `mkstemp'
/usr/bin/ld: /tmp/ccOQlpqV.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=11837cfd980000


Tested on:

commit: d07b4328 Merge tag 'for-linus' of git://git.kernel.org..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=7229118d88b4a71b
dashboard link: https://syzkaller.appspot.com/bug?extid=5bdd4953bc58c8fbd6eb
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=14a95dcb980000

Lizhi Xu

Aug 16, 2024, 4:08:57 AM8/16/24
to syzbot+5bdd49...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
Does the BH_Lock state check macro buffer_locked not work?

#syz test: upstream master


syzbot

Aug 16, 2024, 4:23:05 AM8/16/24
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in ocfs2_iget

(syz.0.15,5573,0):ocfs2_read_locked_inode:536 ERROR: bug expression: !!(fe->i_flags & cpu_to_le32(OCFS2_SYSTEM_FL)) != !!(args->fi_flags & OCFS2_FI_FLAG_SYSFILE)
(syz.0.15,5573,0):ocfs2_read_locked_inode:536 ERROR: Inode 17: system file state is ambiguous
------------[ cut here ]------------
kernel BUG at fs/ocfs2/inode.c:536!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5573 Comm: syz.0.15 Not tainted 6.11.0-rc3-syzkaller-00156-gd7a5aa4b3c00 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:ocfs2_read_locked_inode fs/ocfs2/inode.c:533 [inline]
RIP: 0010:ocfs2_iget+0x202b/0x2120 fs/ocfs2/inode.c:159
Code: 00 e8 b9 84 75 fe 4c 8b 84 24 c0 01 00 00 4c 89 f7 48 c7 c6 78 bf 0b 8e ba 18 02 00 00 48 c7 c1 00 00 49 8c e8 16 c9 16 00 90 <0f> 0b e8 ee 3d 0e fe 90 0f 0b e8 e6 3d 0e fe 31 db 65 ff 0d 35 8a
RSP: 0018:ffffc9000280efe0 EFLAGS: 00010246
RAX: 0dfa14ca5ec41c00 RBX: ffffc9000280f140 RCX: 0dfa14ca5ec41c00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc9000280f270 R08: ffffffff817402fc R09: 1ffff92000501d70
R10: dffffc0000000000 R11: fffff52000501d71 R12: ffff88804cc18200
R13: dffffc0000000000 R14: ffffc9000280f160 R15: 1000000000000000
FS: 00007ff56b8ba6c0(0000) GS:ffff888020800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f99dd1b4ba8 CR3: 000000003671e000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ocfs2_init_global_system_inodes+0xc6/0x730 fs/ocfs2/super.c:437
ocfs2_initialize_super fs/ocfs2/super.c:2250 [inline]
ocfs2_fill_super+0x3068/0x5880 fs/ocfs2/super.c:994
mount_bdev+0x20a/0x2d0 fs/super.c:1679
legacy_get_tree+0xee/0x190 fs/fs_context.c:662
vfs_get_tree+0x90/0x2a0 fs/super.c:1800
do_new_mount+0x2be/0xb40 fs/namespace.c:3472
do_mount fs/namespace.c:3812 [inline]
__do_sys_mount fs/namespace.c:4020 [inline]
__se_sys_mount+0x2d6/0x3c0 fs/namespace.c:3997
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff56ab7b0ba
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 7e 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ff56b8b9e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ff56b8b9ef0 RCX: 00007ff56ab7b0ba
RDX: 0000000020004480 RSI: 00000000200044c0 RDI: 00007ff56b8b9eb0
RBP: 0000000020004480 R08: 00007ff56b8b9ef0 R09: 0000000002800400
R10: 0000000002800400 R11: 0000000000000246 R12: 00000000200044c0
R13: 00007ff56b8b9eb0 R14: 0000000000004481 R15: 00000000200001c0
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ocfs2_read_locked_inode fs/ocfs2/inode.c:533 [inline]
RIP: 0010:ocfs2_iget+0x202b/0x2120 fs/ocfs2/inode.c:159
Code: 00 e8 b9 84 75 fe 4c 8b 84 24 c0 01 00 00 4c 89 f7 48 c7 c6 78 bf 0b 8e ba 18 02 00 00 48 c7 c1 00 00 49 8c e8 16 c9 16 00 90 <0f> 0b e8 ee 3d 0e fe 90 0f 0b e8 e6 3d 0e fe 31 db 65 ff 0d 35 8a
RSP: 0018:ffffc9000280efe0 EFLAGS: 00010246
RAX: 0dfa14ca5ec41c00 RBX: ffffc9000280f140 RCX: 0dfa14ca5ec41c00
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: ffffc9000280f270 R08: ffffffff817402fc R09: 1ffff92000501d70
R10: dffffc0000000000 R11: fffff52000501d71 R12: ffff88804cc18200
R13: dffffc0000000000 R14: ffffc9000280f160 R15: 1000000000000000
FS: 00007ff56b8ba6c0(0000) GS:ffff888020800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005616292ca000 CR3: 000000003671e000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


Tested on:

commit: d7a5aa4b Merge tag 'perf-tools-fixes-for-v6.11-2024-08..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15510ad5980000
kernel config: https://syzkaller.appspot.com/x/.config?x=7229118d88b4a71b
dashboard link: https://syzkaller.appspot.com/bug?extid=5bdd4953bc58c8fbd6eb
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.

Lizhi Xu

Aug 16, 2024, 5:11:44 AM8/16/24
to syzbot+5bdd49...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
Does the BH_Lock state check macro buffer_locked not work?

syzbot

Aug 16, 2024, 5:33:03 AM8/16/24
to linux-...@vger.kernel.org, lizh...@windriver.com, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

r IPv4 tunneling driver
[ 23.104436][ T1] IPv4 over IPsec tunneling driver
[ 23.129111][ T1] Initializing XFRM netlink socket
[ 23.132613][ T1] IPsec XFRM device driver
[ 23.135938][ T1] NET: Registered PF_INET6 protocol family
[ 23.172024][ T1] Segment Routing with IPv6
[ 23.174892][ T1] RPL Segment Routing with IPv6
[ 23.188177][ T1] In-situ OAM (IOAM) with IPv6
[ 23.192616][ T1] mip6: Mobile IPv6
[ 23.211084][ T1] sit: IPv6, IPv4 and MPLS over IPv4 tunneling driver
[ 23.236201][ T1] ip6_gre: GRE over IPv6 tunneling driver
[ 23.259048][ T1] NET: Registered PF_PACKET protocol family
[ 23.263139][ T1] NET: Registered PF_KEY protocol family
[ 23.278174][ T1] Bridge firewalling registered
[ 23.282303][ T1] NET: Registered PF_X25 protocol family
[ 23.286074][ T1] X25: Linux Version 0.2
[ 23.301416][ T1] NET: Registered PF_NETROM protocol family
[ 23.318832][ T1] NET: Registered PF_ROSE protocol family
[ 23.322889][ T1] NET: Registered PF_AX25 protocol family
[ 23.326765][ T1] can: controller area network core
[ 23.347958][ T1] NET: Registered PF_CAN protocol family
[ 23.351765][ T1] can: raw protocol
[ 23.354415][ T1] can: broadcast manager protocol
[ 23.367507][ T1] can: netlink gateway - max_hops=1
[ 23.371118][ T1] can: SAE J1939
[ 23.373498][ T1] can: isotp protocol (max_pdu_size 8300)
[ 23.387745][ T1] Bluetooth: RFCOMM TTY layer initialized
[ 23.391632][ T1] Bluetooth: RFCOMM socket layer initialized
[ 23.395625][ T1] Bluetooth: RFCOMM ver 1.11
[ 23.407454][ T1] Bluetooth: BNEP (Ethernet Emulation) ver 1.3
[ 23.411410][ T1] Bluetooth: BNEP filters: protocol multicast
[ 23.415246][ T1] Bluetooth: BNEP socket layer initialized
[ 23.427408][ T1] Bluetooth: CMTP (CAPI Emulation) ver 1.0
[ 23.431143][ T1] Bluetooth: CMTP socket layer initialized
[ 23.434852][ T1] Bluetooth: HIDP (Human Interface Emulation) ver 1.2
[ 23.457414][ T1] Bluetooth: HIDP socket layer initialized
[ 23.464720][ T1] NET: Registered PF_RXRPC protocol family
[ 23.477433][ T1] Key type rxrpc registered
[ 23.480287][ T1] Key type rxrpc_s registered
[ 23.488039][ T1] NET: Registered PF_KCM protocol family
[ 23.497666][ T1] lec:lane_module_init: lec.c: initialized
[ 23.501477][ T1] mpoa:atm_mpoa_init: mpc.c: initialized
[ 23.505306][ T1] l2tp_core: L2TP core driver, V2.0
[ 23.517745][ T1] l2tp_ppp: PPPoL2TP kernel driver, V2.0
[ 23.521466][ T1] l2tp_ip: L2TP IP encapsulation support (L2TPv3)
[ 23.525945][ T1] l2tp_netlink: L2TP netlink interface
[ 23.547737][ T1] l2tp_eth: L2TP ethernet pseudowire support (L2TPv3)
[ 23.552108][ T1] l2tp_ip6: L2TP IP encapsulation support for IPv6 (L2TPv3)
[ 23.567741][ T1] NET: Registered PF_PHONET protocol family
[ 23.571963][ T1] 8021q: 802.1Q VLAN Support v1.8
[ 23.594173][ T1] DCCP: Activated CCID 2 (TCP-like)
[ 23.608131][ T1] DCCP: Activated CCID 3 (TCP-Friendly Rate Control)
[ 23.613720][ T1] DCCP is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[ 23.628421][ T1] sctp: Hash tables configured (bind 32/56)
[ 23.638359][ T1] NET: Registered PF_RDS protocol family
[ 23.647869][ T1] Registered RDS/infiniband transport
[ 23.653106][ T1] Registered RDS/tcp transport
[ 23.656293][ T1] tipc: Activated (version 2.0.0)
[ 23.678322][ T1] NET: Registered PF_TIPC protocol family
[ 23.683663][ T1] tipc: Started in single node mode
[ 23.698241][ T1] NET: Registered PF_SMC protocol family
[ 23.702447][ T1] 9pnet: Installing 9P2000 support
[ 23.724407][ T1] NET: Registered PF_CAIF protocol family
[ 23.741904][ T1] NET: Registered PF_IEEE802154 protocol family
[ 23.746285][ T1] Key type dns_resolver registered
[ 23.757523][ T1] Key type ceph registered
[ 23.761109][ T1] libceph: loaded (mon/osd proto 15/24)
[ 23.778001][ T1] batman_adv: B.A.T.M.A.N. advanced 2024.2 (compatibility version 15) loaded
[ 23.784139][ T1] openvswitch: Open vSwitch switching datapath
[ 23.810825][ T1] NET: Registered PF_VSOCK protocol family
[ 23.817925][ T1] mpls_gso: MPLS GSO support
[ 23.861386][ T1] IPI shorthand broadcast: enabled
[ 23.865022][ T1] AES CTR mode by8 optimization enabled
[ 25.942544][ T1] sched_clock: Marking stable (25780052182, 157279919)->(25932523814, 4808287)
[ 25.962101][ T1] registered taskstats version 1
[ 25.993919][ T1] Loading compiled-in X.509 certificates
[ 26.012094][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: 0c0e0a150e5726d04f45c19ee4cc57d94a35030f'
[ 26.505448][ T1] zswap: loaded using pool lzo/zsmalloc
[ 26.520389][ T1] Demotion targets for Node 0: null
[ 26.523620][ T1] Demotion targets for Node 1: null
[ 26.526940][ T1] debug_vm_pgtable: [debug_vm_pgtable ]: Validating architecture page table helpers
[ 26.550142][ T1] Key type .fscrypt registered
[ 26.553247][ T1] Key type fscrypt-provisioning registered
[ 26.574145][ T1] kAFS: Red Hat AFS client v0.1 registering.
[ 26.637518][ T1] Btrfs loaded, assert=on, ref-verify=on, zoned=yes, fsverity=yes
[ 26.643501][ T1] Key type big_key registered
[ 26.664453][ T1] Key type encrypted registered
[ 26.667489][ T1] AppArmor: AppArmor sha256 policy hashing enabled
[ 26.671527][ T1] ima: No TPM chip found, activating TPM-bypass!
[ 26.675424][ T1] Loading compiled-in module X.509 certificates
[ 26.701763][ T1] Loaded X.509 cert 'Build time autogenerated kernel key: 0c0e0a150e5726d04f45c19ee4cc57d94a35030f'
[ 26.718075][ T1] ima: Allocated hash algorithm: sha256
[ 26.722222][ T1] ima: No architecture policies found
[ 26.726101][ T1] evm: Initialising EVM extended attributes:
[ 26.737364][ T1] evm: security.selinux (disabled)
[ 26.741028][ T1] evm: security.SMACK64 (disabled)
[ 26.744562][ T1] evm: security.SMACK64EXEC (disabled)
[ 26.757379][ T1] evm: security.SMACK64TRANSMUTE (disabled)
[ 26.761049][ T1] evm: security.SMACK64MMAP (disabled)
[ 26.764472][ T1] evm: security.apparmor
[ 26.767006][ T1] evm: security.ima
[ 26.787401][ T1] evm: security.capability
[ 26.790312][ T1] evm: HMAC attrs: 0x1
[ 26.798731][ T1] PM: Magic number: 4:989:373
[ 26.802182][ T1] usb usb12-port3: hash matches
[ 26.805337][ T1] usb usb11-port4: hash matches
[ 26.827596][ T1] vc vcsa1: hash matches
[ 26.830885][ T1] printk: legacy console [netcon0] enabled
[ 26.834326][ T1] netconsole: network logging started
[ 26.848164][ T1] gtp: GTP module loaded (pdp ctx size 128 bytes)
[ 26.868486][ T1] rdma_rxe: loaded
[ 26.872520][ T1] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[ 26.890449][ T1] Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[ 26.895777][ T1] Loaded X.509 cert 'wens: 61c038651aabdcf94bd0ac7ff06c7248db18c600'
[ 26.918145][ T1] clk: Disabling unused clocks
[ 26.921316][ T1] ALSA device list:
[ 26.923756][ T1] #0: Dummy 1
[ 26.925729][ T1] #1: Loopback 1
[ 26.929375][ T52] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[ 26.935114][ T52] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
[ 26.947417][ T1] #2: Virtual MIDI Card 1
[ 26.954352][ T1] md: Waiting for all devices to be available before autodetect
[ 26.957038][ T1] md: If you don't use raid, use raid=noautodetect
[ 26.977468][ T1] md: Autodetecting RAID arrays.
[ 26.979362][ T1] md: autorun ...
[ 26.980744][ T1] md: ... autorun DONE.
[ 26.997552][ T1] REISERFS warning (device sda1): sh-2006 read_super_block: bread failed (dev sda1, block 2, size 4096)
[ 27.001644][ T1] REISERFS warning (device sda1): sh-2006 read_super_block: bread failed (dev sda1, block 16, size 4096)
[ 27.021249][ T1] EXT4-fs (sda1): unable to read superblock
[ 27.024653][ T1] VFS: Cannot open root device "/dev/sda1" or unknown-block(8,1): error -5
[ 27.037956][ T1] Please append a correct "root=" boot option; here are the available partitions:
[ 27.041263][ T1] 0100 4096 ram0
[ 27.041287][ T1] (driver?)
[ 27.043940][ T1] 0101 4096 ram1
[ 27.043948][ T1] (driver?)
[ 27.046555][ T1] 0102 4096 ram2
[ 27.046563][ T1] (driver?)
[ 27.057380][ T1] 0103 4096 ram3
[ 27.057391][ T1] (driver?)
[ 27.060287][ T1] 0104 4096 ram4
[ 27.060299][ T1] (driver?)
[ 27.063150][ T1] 0105 4096 ram5
[ 27.063161][ T1] (driver?)
[ 27.066465][ T1] 0106 4096 ram6
[ 27.066477][ T1] (driver?)
[ 27.087452][ T1] 0107 4096 ram7
[ 27.087471][ T1] (driver?)
[ 27.090349][ T1] 0108 4096 ram8
[ 27.090362][ T1] (driver?)
[ 27.093127][ T1] 0109 4096 ram9
[ 27.093140][ T1] (driver?)
[ 27.096078][ T1] 010a 4096 ram10
[ 27.096090][ T1] (driver?)
[ 27.107410][ T1] 010b 4096 ram11
[ 27.107429][ T1] (driver?)
[ 27.110269][ T1] 010c 4096 ram12
[ 27.110282][ T1] (driver?)
[ 27.113126][ T1] 010d 4096 ram13
[ 27.113137][ T1] (driver?)
[ 27.116130][ T1] 010e 4096 ram14
[ 27.116142][ T1] (driver?)
[ 27.127407][ T1] 010f 4096 ram15
[ 27.127426][ T1] (driver?)
[ 27.130355][ T1] fa00 262144000 nullb0
[ 27.130369][ T1] (driver?)
[ 27.133220][ T1] 103:00000 65536 pmem0
[ 27.133232][ T1] driver: nd_pmem
[ 27.136290][ T1] 1f00 128 mtdblock0
[ 27.136303][ T1] (driver?)
[ 27.157434][ T1] 0800 1048729 sda
[ 27.157454][ T1] driver: sd
[ 27.160153][ T1] 0801 1048576 sda1 00000000-01
[ 27.160162][ T1]
[ 27.163198][ T1] 0b00 64 sr0
[ 27.163210][ T1] driver: sr
[ 27.166028][ T1] List of all bdev filesystems:
[ 27.177369][ T1] reiserfs
[ 27.177385][ T1] ext3
[ 27.178616][ T1] ext2
[ 27.179904][ T1] ext4
[ 27.181179][ T1] cramfs
[ 27.182515][ T1] squashfs
[ 27.183675][ T1] minix
[ 27.184899][ T1] vfat
[ 27.186011][ T1] msdos
[ 27.187002][ T1] exfat
[ 27.197383][ T1] bfs
[ 27.198448][ T1] iso9660
[ 27.199452][ T1] hfsplus
[ 27.200614][ T1] hfs
[ 27.201773][ T1] vxfs
[ 27.202756][ T1] sysv
[ 27.203803][ T1] v7
[ 27.204815][ T1] hpfs
[ 27.205813][ T1] ntfs3
[ 27.206896][ T1] ufs
[ 27.217996][ T1] efs
[ 27.219721][ T1] affs
[ 27.220757][ T1] romfs
[ 27.221828][ T1] qnx4
[ 27.222881][ T1] qnx6
[ 27.223903][ T1] adfs
[ 27.224930][ T1] fuseblk
[ 27.225984][ T1] udf
[ 27.227127][ T1] omfs
[ 27.237365][ T1] jfs
[ 27.238436][ T1] xfs
[ 27.239462][ T1] nilfs2
[ 27.240477][ T1] befs
[ 27.241606][ T1] ocfs2
[ 27.242661][ T1] gfs2
[ 27.243765][ T1] gfs2meta
[ 27.244741][ T1] f2fs
[ 27.245917][ T1] bcachefs
[ 27.246946][ T1] erofs
[ 27.257378][ T1] zonefs
[ 27.258505][ T1] btrfs
[ 27.259630][ T1]
[ 27.261610][ T1] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(8,1)
[ 27.264759][ T1] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.11.0-rc3-syzkaller-00060-gd07b43284ab3-dirty #0
[ 27.268717][ T1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 27.273207][ T1] Call Trace:
[ 27.274430][ T1] <TASK>
[ 27.275469][ T1] dump_stack_lvl+0x241/0x360
[ 27.278125][ T1] ? __pfx_dump_stack_lvl+0x10/0x10
[ 27.280109][ T1] ? vsnprintf+0x184/0x1da0
[ 27.281834][ T1] ? __pfx__printk+0x10/0x10
[ 27.283561][ T1] ? vscnprintf+0x5d/0x90
[ 27.285101][ T1] panic+0x349/0x860
[ 27.286521][ T1] ? __wake_up_klogd+0xcc/0x110
[ 27.288252][ T1] ? __pfx_panic+0x10/0x10
[ 27.289874][ T1] ? __wake_up_klogd+0xcc/0x110
[ 27.291647][ T1] ? do_mount_root+0xfd/0x260
[ 27.293479][ T1] mount_root_generic+0x3c3/0x3e0
[ 27.295345][ T1] ? __pfx_mount_root_generic+0x10/0x10
[ 27.297407][ T1] prepare_namespace+0xc2/0x100
[ 27.299195][ T1] kernel_init_freeable+0x476/0x5d0
[ 27.301196][ T1] ? __pfx_kernel_init_freeable+0x10/0x10
[ 27.303231][ T1] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 27.305540][ T1] ? __pfx_kernel_init+0x10/0x10
[ 27.307339][ T1] ? __pfx_kernel_init+0x10/0x10
[ 27.309170][ T1] ? __pfx_kernel_init+0x10/0x10
[ 27.311024][ T1] kernel_init+0x1d/0x2b0
[ 27.312612][ T1] ret_from_fork+0x4b/0x80
[ 27.314156][ T1] ? __pfx_kernel_init+0x10/0x10
[ 27.316003][ T1] ret_from_fork_asm+0x1a/0x30
[ 27.317852][ T1] </TASK>
[ 27.319346][ T1] Kernel Offset: disabled
[ 27.321027][ T1] Rebooting in 86400 seconds..
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1383350581=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at e4bacdaf3
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
go fmt ./sys/... >/dev/null
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=e4bacdaf3417006ad6aa0d911a44b49bb25a6e1a -X 'github.com/google/syzkaller/prog.gitRevisionDate=20240814-175600'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"e4bacdaf3417006ad6aa0d911a44b49bb25a6e1a\"
/usr/bin/ld: /tmp/ccPkHzAp.o: in function `test_cover_filter()':
executor.cc:(.text+0x13e0b): warning: the use of `tempnam' is dangerous, better use `mkstemp'
/usr/bin/ld: /tmp/ccPkHzAp.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=152dc2fd980000


Tested on:

commit: d07b4328 Merge tag 'for-linus' of git://git.kernel.org..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=7229118d88b4a71b
dashboard link: https://syzkaller.appspot.com/bug?extid=5bdd4953bc58c8fbd6eb
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=144be3c5980000

syzbot

Oct 22, 2025, 11:04:36 AM10/22/25
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 552c50713f273b494ac6c77052032a49bc9255e2
Author: dman...@yandex.ru

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 552c50713f273b494ac6c77052032a49bc9255e2

diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
index 162711cc5b20..ce38505a823c 100644
--- a/fs/ocfs2/alloc.c
+++ b/fs/ocfs2/alloc.c
@@ -6164,7 +6164,7 @@ static int ocfs2_get_truncate_log_info(struct ocfs2_super *osb,
struct buffer_head *bh = NULL;
struct ocfs2_dinode *di;
struct ocfs2_truncate_log *tl;
- unsigned int tl_count;
+ unsigned int tl_count, tl_used;

inode = ocfs2_get_system_file_inode(osb,
TRUNCATE_LOG_SYSTEM_INODE,
@@ -6184,9 +6184,10 @@ static int ocfs2_get_truncate_log_info(struct ocfs2_super *osb,

di = (struct ocfs2_dinode *)bh->b_data;
tl = &di->id2.i_dealloc;
+ tl_used = le16_to_cpu(tl->tl_used);
tl_count = le16_to_cpu(tl->tl_count);
if (unlikely(tl_count > ocfs2_truncate_recs_per_inode(osb->sb) ||
- tl_count == 0)) {
+ tl_count == 0 || tl_used > tl_count)) {
status = -EFSCORRUPTED;
iput(inode);
brelse(bh);
diff --git a/fs/ocfs2/dir.c b/fs/ocfs2/dir.c
index 8c9c4825f984..2785ff245e79 100644
--- a/fs/ocfs2/dir.c
+++ b/fs/ocfs2/dir.c
@@ -302,8 +302,21 @@ static int ocfs2_check_dir_entry(struct inode *dir,
unsigned long offset)
{
const char *error_msg = NULL;
- const int rlen = le16_to_cpu(de->rec_len);
- const unsigned long next_offset = ((char *) de - buf) + rlen;
+ unsigned long next_offset;
+ int rlen;
+
+ if (offset > size - OCFS2_DIR_REC_LEN(1)) {
+ /* Dirent is (maybe partially) beyond the buffer
+ * boundaries so touching 'de' members is unsafe.
+ */
+ mlog(ML_ERROR, "directory entry (#%llu: offset=%lu) "
+ "too close to end or out-of-bounds",
+ (unsigned long long)OCFS2_I(dir)->ip_blkno, offset);
+ return 0;
+ }
+
+ rlen = le16_to_cpu(de->rec_len);
+ next_offset = ((char *) de - buf) + rlen;

if (unlikely(rlen < OCFS2_DIR_REC_LEN(1)))
error_msg = "rec_len is smaller than minimal";
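Review bot: The new guard `if (offset > size - OCFS2_DIR_REC_LEN(1))` is written as a subtraction on `size`; if `size` is an unsigned type (its declaration is above the hunk) and can be smaller than OCFS2_DIR_REC_LEN(1), the subtraction wraps and the guard lets the out-of-bounds `de` through, which is exactly the case it is meant to stop. Writing it as `if (offset + OCFS2_DIR_REC_LEN(1) > size)` avoids the wrap, since `offset` is an unsigned long and the addition cannot realistically overflow. The guard also assumes `offset` is the position of `de` within `buf`, while `next_offset` is computed from `(char *) de - buf`; if those can ever differ the check should use the same expression. ocfs2_check_dir_entry continues past the end of the hunk.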
@@ -778,6 +791,14 @@ static int ocfs2_dx_dir_lookup_rec(struct inode *inode,
struct ocfs2_extent_block *eb;
struct ocfs2_extent_rec *rec = NULL;

+ if (le16_to_cpu(el->l_count) !=
+ ocfs2_extent_recs_per_dx_root(inode->i_sb)) {
+ ret = ocfs2_error(inode->i_sb,
+ "Inode %lu has invalid extent list length %u\n",
+ inode->i_ino, le16_to_cpu(el->l_count));
+ goto out;
+ }
+
if (el->l_tree_depth) {
ret = ocfs2_find_leaf(INODE_CACHE(inode), el, major_hash,
&eb_bh);
@@ -3423,6 +3444,14 @@ static int ocfs2_find_dir_space_id(struct inode *dir, struct buffer_head *di_bh,
offset += le16_to_cpu(de->rec_len);
}

+ if (!last_de) {
+ ret = ocfs2_error(sb, "Directory entry (#%llu: size=%lld) "
+ "is unexpectedly short",
+ (unsigned long long)OCFS2_I(dir)->ip_blkno,
+ i_size_read(dir));
+ goto out;
+ }
+
/*
* We're going to require expansion of the directory - figure
* out how many blocks we'll need so that a place for the
@@ -4104,10 +4133,15 @@ static int ocfs2_expand_inline_dx_root(struct inode *dir,
}

dx_root->dr_flags &= ~OCFS2_DX_FLAG_INLINE;
- memset(&dx_root->dr_list, 0, osb->sb->s_blocksize -
- offsetof(struct ocfs2_dx_root_block, dr_list));
+
+ dx_root->dr_list.l_tree_depth = 0;
dx_root->dr_list.l_count =
cpu_to_le16(ocfs2_extent_recs_per_dx_root(osb->sb));
+ dx_root->dr_list.l_next_free_rec = 0;
+ memset(&dx_root->dr_list.l_recs, 0,
+ osb->sb->s_blocksize -
+ (offsetof(struct ocfs2_dx_root_block, dr_list) +
+ offsetof(struct ocfs2_extent_list, l_recs)));

/* This should never fail considering we start with an empty
* dx_root. */
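Review bot: The replacement no longer zeroes `l_reserved1` and `l_reserved2`, which the removed memset over the whole of `dr_list` covered; if `dr_list` overlays the inline entry storage that this function is converting away from (the INLINE flag is cleared two lines above), those pad bytes now keep stale entry data and go to disk that way. Add `dx_root->dr_list.l_reserved1 = 0;` and `dx_root->dr_list.l_reserved2 = 0;` next to the other header-field initialisations, or memset the header fields up to `l_recs` before `l_count` is assigned. The reorder itself — set `l_count` before `l_recs` is touched — is presumably required by the `__counted_by_le(l_count)` annotation this patch adds to struct ocfs2_extent_list, and deserves a one-line comment saying so. ocfs2_expand_inline_dx_root starts above the hunk.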
diff --git a/fs/ocfs2/localalloc.c b/fs/ocfs2/localalloc.c
index d1aa04a5af1b..56be21c695d6 100644
--- a/fs/ocfs2/localalloc.c
+++ b/fs/ocfs2/localalloc.c
@@ -905,13 +905,11 @@ static int ocfs2_local_alloc_find_clear_bits(struct ocfs2_super *osb,
static void ocfs2_clear_local_alloc(struct ocfs2_dinode *alloc)
{
struct ocfs2_local_alloc *la = OCFS2_LOCAL_ALLOC(alloc);
- int i;

alloc->id1.bitmap1.i_total = 0;
alloc->id1.bitmap1.i_used = 0;
la->la_bm_off = 0;
- for(i = 0; i < le16_to_cpu(la->la_size); i++)
- la->la_bitmap[i] = 0;
+ memset(la->la_bitmap, 0, le16_to_cpu(la->la_size));
}

#if 0
diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c
index 86f2631e6360..ba4952b41602 100644
--- a/fs/ocfs2/move_extents.c
+++ b/fs/ocfs2/move_extents.c
@@ -98,7 +98,13 @@ static int __ocfs2_move_extent(handle_t *handle,

rec = &el->l_recs[index];

- BUG_ON(ext_flags != rec->e_flags);
+ if (ext_flags != rec->e_flags) {
+ ret = ocfs2_error(inode->i_sb,
+ "Inode %llu has corrupted extent %d with flags 0x%x at cpos %u\n",
+ (unsigned long long)ino, index, rec->e_flags, cpos);
+ goto out;
+ }
+
/*
* after moving/defraging to new location, the extent is not going
* to be refcounted anymore.
@@ -1031,6 +1037,12 @@ int ocfs2_ioctl_move_extents(struct file *filp, void __user *argp)
if (range.me_threshold > i_size_read(inode))
range.me_threshold = i_size_read(inode);

+ if (range.me_flags & ~(OCFS2_MOVE_EXT_FL_AUTO_DEFRAG |
+ OCFS2_MOVE_EXT_FL_PART_DEFRAG)) {
+ status = -EINVAL;
+ goto out_free;
+ }
+
if (range.me_flags & OCFS2_MOVE_EXT_FL_AUTO_DEFRAG) {
context->auto_defrag = 1;

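Review bot: Rejecting unknown `me_flags` bits with -EINVAL is a uAPI tightening: callers that passed stray bits and had them silently ignored now fail, which is the right direction for an ioctl that takes disk-affecting parameters from userspace, but it should be stated in the commit message. The check would be better placed immediately after `range` is copied from userspace, before the `me_threshold` clamping and whatever else precedes it above the hunk, so that invalid input is rejected before any work is done on it. Keeping the accepted set as a named mask next to the OCFS2_MOVE_EXT_FL_* definitions (name to be chosen) avoids the mask and the handlers drifting apart when a flag is added. ocfs2_ioctl_move_extents starts above the hunk.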
diff --git a/fs/ocfs2/ocfs2_fs.h b/fs/ocfs2/ocfs2_fs.h
index ae0e44e5f2ad..c501eb3cdcda 100644
--- a/fs/ocfs2/ocfs2_fs.h
+++ b/fs/ocfs2/ocfs2_fs.h
@@ -468,7 +468,8 @@ struct ocfs2_extent_list {
__le16 l_reserved1;
__le64 l_reserved2; /* Pad to
sizeof(ocfs2_extent_rec) */
-/*10*/ struct ocfs2_extent_rec l_recs[]; /* Extent records */
+ /* Extent records */
+/*10*/ struct ocfs2_extent_rec l_recs[] __counted_by_le(l_count);
};

/*
@@ -482,7 +483,8 @@ struct ocfs2_chain_list {
__le16 cl_count; /* Total chains in this list */
__le16 cl_next_free_rec; /* Next unused chain slot */
__le64 cl_reserved1;
-/*10*/ struct ocfs2_chain_rec cl_recs[]; /* Chain records */
+ /* Chain records */
+/*10*/ struct ocfs2_chain_rec cl_recs[] __counted_by_le(cl_count);
};

/*
@@ -494,7 +496,8 @@ struct ocfs2_truncate_log {
/*00*/ __le16 tl_count; /* Total records in this log */
__le16 tl_used; /* Number of records in use */
__le32 tl_reserved1;
-/*08*/ struct ocfs2_truncate_rec tl_recs[]; /* Truncate records */
+ /* Truncate records */
+/*08*/ struct ocfs2_truncate_rec tl_recs[] __counted_by_le(tl_count);
};

/*
@@ -638,7 +641,7 @@ struct ocfs2_local_alloc
__le16 la_size; /* Size of included bitmap, in bytes */
__le16 la_reserved1;
__le64 la_reserved2;
-/*10*/ __u8 la_bitmap[];
+/*10*/ __u8 la_bitmap[] __counted_by_le(la_size);
};

/*
@@ -651,7 +654,7 @@ struct ocfs2_inline_data
* for data, starting at id_data */
__le16 id_reserved0;
__le32 id_reserved1;
- __u8 id_data[]; /* Start of user data */
+ __u8 id_data[] __counted_by_le(id_count); /* Start of user data */
};

/*
@@ -796,9 +799,10 @@ struct ocfs2_dx_entry_list {
* possible in de_entries */
__le16 de_num_used; /* Current number of
* de_entries entries */
- struct ocfs2_dx_entry de_entries[]; /* Indexed dir entries
- * in a packed array of
- * length de_num_used */
+ /* Indexed dir entries in a packed
+ * array of length de_num_used.
+ */
+ struct ocfs2_dx_entry de_entries[] __counted_by_le(de_count);
};

#define OCFS2_DX_FLAG_INLINE 0x01
@@ -934,7 +938,8 @@ struct ocfs2_refcount_list {
__le16 rl_used; /* Current number of used records */
__le32 rl_reserved2;
__le64 rl_reserved1; /* Pad to sizeof(ocfs2_refcount_record) */
-/*10*/ struct ocfs2_refcount_rec rl_recs[]; /* Refcount records */
+ /* Refcount records */
+/*10*/ struct ocfs2_refcount_rec rl_recs[] __counted_by_le(rl_count);
};


@@ -1020,7 +1025,8 @@ struct ocfs2_xattr_header {
buckets. A block uses
xb_check and sets
this field to zero.) */
- struct ocfs2_xattr_entry xh_entries[]; /* xattr entry list. */
+ /* xattr entry list. */
+ struct ocfs2_xattr_entry xh_entries[] __counted_by_le(xh_count);
};

/*
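Review bot: `__counted_by_le(xh_count)` on `xh_entries` needs a closer look than the other annotations in this patch: `tl_count`, `cl_count`, `de_count` and `rl_count` are capacities that sit next to a separate in-use counter, whereas `xh_count` appears to be the number of entries currently in use (its field comment is above the hunk, so this is inferred). If the xattr code takes `&xh->xh_entries[xh_count]` for a new slot and only then increments `xh_count`, the annotation turns that into a bounds report under UBSAN/FORTIFY rather than a hardening gain. Either confirm the counter is updated before the slot is addressed everywhere, or leave `xh_entries` unannotated and say why in a comment such as `/* not __counted_by: xh_count is the in-use count, not the capacity */`.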
diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
index 6ac4dcd54588..9969a041ab18 100644
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -649,6 +649,16 @@ ocfs2_block_group_alloc_discontig(handle_t *handle,
return status ? ERR_PTR(status) : bg_bh;
}

+static int ocfs2_check_chain_list(struct ocfs2_chain_list *cl,
+ struct super_block *sb)
+{
+ if (le16_to_cpu(cl->cl_count) != ocfs2_chain_recs_per_inode(sb))
+ return -EINVAL;
+ if (le16_to_cpu(cl->cl_next_free_rec) > le16_to_cpu(cl->cl_count))
+ return -EINVAL;
+ return 0;
+}
+
/*
* We expect the block group allocator to already be locked.
*/
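Review bot: ocfs2_check_chain_list returns a bare -EINVAL with no diagnostic for what is on-disk corruption, which is inconsistent with the rest of this patch: the alloc.c hunk reports -EFSCORRUPTED and the dir.c and move_extents.c hunks go through ocfs2_error(), which logs the inode and marks the filesystem. Returning `ocfs2_error(sb, "Chain list has invalid count %u or next_free_rec %u\n", le16_to_cpu(cl->cl_count), le16_to_cpu(cl->cl_next_free_rec));` (message wording constructed) keeps the helper in line with those and gives the user something to act on instead of an EINVAL from an allocation path. The helper also lacks a comment; a one-liner like `/* Sanity-check an on-disk chain list before its counts are trusted. */` would do. The two callers in the following hunks (`goto bail` after the check) rely on the bail path tolerating a NULL `ac`, which cannot be confirmed from the hunks shown.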
@@ -671,6 +681,10 @@ static int ocfs2_block_group_alloc(struct ocfs2_super *osb,
BUG_ON(ocfs2_is_cluster_bitmap(alloc_inode));

cl = &fe->id2.i_chain;
+ status = ocfs2_check_chain_list(cl, alloc_inode->i_sb);
+ if (status)
+ goto bail;
+
status = ocfs2_reserve_clusters_with_limit(osb,
le16_to_cpu(cl->cl_cpg),
max_block, flags, &ac);
@@ -1992,6 +2006,9 @@ static int ocfs2_claim_suballoc_bits(struct ocfs2_alloc_context *ac,
}

cl = (struct ocfs2_chain_list *) &fe->id2.i_chain;
+ status = ocfs2_check_chain_list(cl, ac->ac_inode->i_sb);
+ if (status)
+ goto bail;

victim = ocfs2_find_victim_chain(cl);
ac->ac_chain = victim;