Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp6516451rwb;
        Mon, 5 Dec 2022 13:34:44 -0800 (PST)
X-Google-Smtp-Source: AA0mqf7Bw7fb67Yg4W6J92Vveo76at4GrDhuHnNVaN67O99Vvq40J1JDYXOg8JHqa6d5QGf7Z1Dz
X-Received: by 2002:a05:6a00:d5b:b0:577:2d0d:31c9 with SMTP id n27-20020a056a000d5b00b005772d0d31c9mr2204272pfv.73.1670276083774;
        Mon, 05 Dec 2022 13:34:43 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1670276083; cv=none;
        d=google.com; s=arc-20160816;
        b=sa5CkhK5bjAffeAWXL5mKfD+1CX134bAGO1QhqSMkwTlkXoN7r4kk5sPHcmH81vwYi
         4IqflXrmLAg3E5PKduGjOrzDxipzKy7lBan8Fnr8Pa7ZYlHF2LMNhXL7O0ZuSRAKK/l7
         HPlQ8So8wPC6dRm9btk8FblBwB+rpIZQiXhSH93pal2pnJibJEbMYQmI9FyHw9P0frwg
         IYJeGIoqWMtyyfQnZ93XrzhFA1ImWzI0k464ehK5GlEabWpGEUmNI8lR364rSahDE+Tm
         4kEBTnaGXpB9c700CXUsDWKZ3yKtktNQx1mette2tN40Lib0puNFeWjfLByZePu1Sd+5
         vd0Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-transfer-encoding
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=6jcMMAfJcjtqEGkSkydhoApZ0ELUrGZ/x3/QJFaQuDw=;
        b=d/FQOnwYQ7FRfIqJBx+hd1skLkiRdk5Z/rGCe+vXn5gfEit2TQqDGDoIx7zZtce3rt
         4iYQ8+cAcANbF+a/6H+3W5eUZ4c8H0dIr89xR6fXqY8JH15eneyXRlYpwR+7tobWp+ry
         Tae+35u9MDPWrRgl3D9sfgK5/A9z+Tzk5G6bpUaDjWgm7T/9n0VOkriBHSqLuSrQOqqn
         LlefIM+oVgFoSvehXsh7r33Amxz1y0oNUq5n5G50mdWVfRqdPZUVSou9SXbxZZLeLQWR
         3vA8Ju/gRET65ors7rh3mNYRqMowcTYIYLvOpLdpCs6p2ChEB8vyTaiK8unfUhXb+HaT
         VGCA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@mit.edu header.s=outgoing header.b=VORGXMbs;
       spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mit.edu
Return-Path: <linux-ext4-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id 20-20020a170902e9d400b00189ac5a3b1fsi13757415plk.158.2022.12.05.13.34.24;
        Mon, 05 Dec 2022 13:34:43 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@mit.edu header.s=outgoing header.b=VORGXMbs;
       spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mit.edu
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230154AbiLEVKz (ORCPT <rfc822;aminbrickmover@gmail.com>
        + 99 others); Mon, 5 Dec 2022 16:10:55 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44710 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230084AbiLEVKy (ORCPT
        <rfc822;linux-ext4@vger.kernel.org>); Mon, 5 Dec 2022 16:10:54 -0500
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 22838CF9
        for <linux-ext4@vger.kernel.org>; Mon,  5 Dec 2022 13:10:53 -0800 (PST)
Received: from cwcc.thunk.org (pool-173-48-120-46.bstnma.fios.verizon.net [173.48.120.46])
        (authenticated bits=0)
        (User authenticated as tytso@ATHENA.MIT.EDU)
        by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 2B5LAlI9005230
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
        Mon, 5 Dec 2022 16:10:48 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=outgoing;
        t=1670274649; bh=6jcMMAfJcjtqEGkSkydhoApZ0ELUrGZ/x3/QJFaQuDw=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To;
        b=VORGXMbsg0/TVwc4/0ANW6/tFMksdeUxMFVR4vnjk7ReIL6XKlrsIoGjeV3o40GpZ
         n1I+VoPP623g7Js1qGG57dZ8pg21ZX5K3EsIflOqddjvton7HO7G+2Hcs+qM8IEXw4
         8kDHnLYOWuJvqm/x29PzPp+7pev+ruHRSrgJEXHcSsop3wMM3/mexsOeD4DxmstAIa
         xF1EanD8ngCnlBT7WH2FZ67wfzt4SGN8AuPMoRDEbfdu/f5o+vCSisgoQc0g6IXUQl
         qSeFneOysgUwSJmaXUL/4X3VLmyZqu7loRzSlJiePDOvXdvi56XXjQma4KSTeXjdWz
         GrWcDTkue7ceA==
Received: by cwcc.thunk.org (Postfix, from userid 15806)
        id 7F91E15C3489; Mon,  5 Dec 2022 16:10:47 -0500 (EST)
Date:   Mon, 5 Dec 2022 16:10:47 -0500
From:   "Theodore Ts'o" <tytso@mit.edu>
To:     Ivan Zahariev <famzah@icdsoft.com>
Cc:     linux-ext4@vger.kernel.org,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: kernel BUG at fs/ext4/inode.c:1914 - page_buffers()
Message-ID: <Y45eV/nA2tj8C94W@mit.edu>
References: <c9e47bc3-3c5f-09ae-9dcc-eb5957d78b1b@icdsoft.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <c9e47bc3-3c5f-09ae-9dcc-eb5957d78b1b@icdsoft.com>
X-Spam-Status: No, score=-4.0 required=5.0 tests=BAYES_00,DKIM_INVALID,
        DKIM_SIGNED,RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_NONE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-ext4.vger.kernel.org>
X-Mailing-List: linux-ext4@vger.kernel.org

On Wed, Nov 23, 2022 at 04:48:01PM +0200, Ivan Zahariev wrote:
> Hello,
> 
> Starting with kernel 5.15 for the past eight months we have a total of 12
> kernel panics at a fleet of 1000 KVM/Qemu machines which look the following
> way:
> 
> ?? ?kernel BUG at fs/ext4/inode.c:1914
> 
> Switching from kernel 4.14 to 5.15 almost immediately triggered the problem.
> Therefore we are very confident that userland activity is more or less the
> same and is not the root cause. The kernel function which triggers the BUG
> is __ext4_journalled_writepage(). In 5.15 the code for
> __ext4_journalled_writepage() in "fs/ext4/inode.c" is the same as the
> current kernel "master". The line where the BUG is triggered is:
> 
> ?? ?struct buffer_head *page_bufs = page_buffers(page)
	...
> 
> Back to the problem! 99% of the difference between 4.14 and the latest
> kernel for __ext4_journalled_writepage() in "fs/ext4/inode.c" comes from the
> following commit: https://github.com/torvalds/linux/commit/5c48a7df91499e371ef725895b2e2d21a126e227
> 
> Is it safe that we revert this patch on the latest 5.15 kernel, so that we
> can confirm if this resolves the issue for us?

No, it's not safe to revert this patch; this fixes a potential
use-after-free bug identified by Syzkaller (and use-after-frees can
sometimes be leveraged into security volunerabilities.

I have not tested this change yet, but looking at the code and the
change made in patch yet, this *might* be a possible fix:

	size = i_size_read(inode);
-	if (page->mapping != mapping || page_offset(page) > size) {
+	if (page->mapping != mapping || page_offset(page) >= size) {
		/* The page got truncated from under us */
		ext4_journal_stop(handle);
		ret = 0;
		goto out;
	}

Is it fair to say that your workload is using data=journaled and is
frequently truncating that might have been recently modified (hence
triggering the race between truncate and journalled writepages)?

I wonder if you could come up with a more reliable reproducer so we
can test a particular patch.

Thanks,

					- Ted