Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp6516451rwb; Mon, 5 Dec 2022 13:34:44 -0800 (PST) X-Google-Smtp-Source: AA0mqf7Bw7fb67Yg4W6J92Vveo76at4GrDhuHnNVaN67O99Vvq40J1JDYXOg8JHqa6d5QGf7Z1Dz X-Received: by 2002:a05:6a00:d5b:b0:577:2d0d:31c9 with SMTP id n27-20020a056a000d5b00b005772d0d31c9mr2204272pfv.73.1670276083774; Mon, 05 Dec 2022 13:34:43 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1670276083; cv=none; d=google.com; s=arc-20160816; b=sa5CkhK5bjAffeAWXL5mKfD+1CX134bAGO1QhqSMkwTlkXoN7r4kk5sPHcmH81vwYi 4IqflXrmLAg3E5PKduGjOrzDxipzKy7lBan8Fnr8Pa7ZYlHF2LMNhXL7O0ZuSRAKK/l7 HPlQ8So8wPC6dRm9btk8FblBwB+rpIZQiXhSH93pal2pnJibJEbMYQmI9FyHw9P0frwg IYJeGIoqWMtyyfQnZ93XrzhFA1ImWzI0k464ehK5GlEabWpGEUmNI8lR364rSahDE+Tm 4kEBTnaGXpB9c700CXUsDWKZ3yKtktNQx1mette2tN40Lib0puNFeWjfLByZePu1Sd+5 vd0Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=6jcMMAfJcjtqEGkSkydhoApZ0ELUrGZ/x3/QJFaQuDw=; b=d/FQOnwYQ7FRfIqJBx+hd1skLkiRdk5Z/rGCe+vXn5gfEit2TQqDGDoIx7zZtce3rt 4iYQ8+cAcANbF+a/6H+3W5eUZ4c8H0dIr89xR6fXqY8JH15eneyXRlYpwR+7tobWp+ry Tae+35u9MDPWrRgl3D9sfgK5/A9z+Tzk5G6bpUaDjWgm7T/9n0VOkriBHSqLuSrQOqqn LlefIM+oVgFoSvehXsh7r33Amxz1y0oNUq5n5G50mdWVfRqdPZUVSou9SXbxZZLeLQWR 3vA8Ju/gRET65ors7rh3mNYRqMowcTYIYLvOpLdpCs6p2ChEB8vyTaiK8unfUhXb+HaT VGCA== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@mit.edu header.s=outgoing header.b=VORGXMbs; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mit.edu Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id 20-20020a170902e9d400b00189ac5a3b1fsi13757415plk.158.2022.12.05.13.34.24; Mon, 05 Dec 2022 13:34:43 -0800 (PST) Received-SPF: pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=fail header.i=@mit.edu header.s=outgoing header.b=VORGXMbs; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mit.edu Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230154AbiLEVKz (ORCPT + 99 others); Mon, 5 Dec 2022 16:10:55 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44710 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230084AbiLEVKy (ORCPT ); Mon, 5 Dec 2022 16:10:54 -0500 Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 22838CF9 for ; Mon, 5 Dec 2022 13:10:53 -0800 (PST) Received: from cwcc.thunk.org (pool-173-48-120-46.bstnma.fios.verizon.net [173.48.120.46]) (authenticated bits=0) (User authenticated as tytso@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 2B5LAlI9005230 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 5 Dec 2022 16:10:48 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=outgoing; t=1670274649; bh=6jcMMAfJcjtqEGkSkydhoApZ0ELUrGZ/x3/QJFaQuDw=; h=Date:From:To:Cc:Subject:References:In-Reply-To; b=VORGXMbsg0/TVwc4/0ANW6/tFMksdeUxMFVR4vnjk7ReIL6XKlrsIoGjeV3o40GpZ n1I+VoPP623g7Js1qGG57dZ8pg21ZX5K3EsIflOqddjvton7HO7G+2Hcs+qM8IEXw4 8kDHnLYOWuJvqm/x29PzPp+7pev+ruHRSrgJEXHcSsop3wMM3/mexsOeD4DxmstAIa xF1EanD8ngCnlBT7WH2FZ67wfzt4SGN8AuPMoRDEbfdu/f5o+vCSisgoQc0g6IXUQl qSeFneOysgUwSJmaXUL/4X3VLmyZqu7loRzSlJiePDOvXdvi56XXjQma4KSTeXjdWz GrWcDTkue7ceA== Received: by cwcc.thunk.org (Postfix, from userid 15806) id 7F91E15C3489; Mon, 5 Dec 2022 16:10:47 -0500 (EST) Date: Mon, 5 Dec 2022 16:10:47 -0500 From: "Theodore Ts'o" To: Ivan Zahariev Cc: linux-ext4@vger.kernel.org, Greg Kroah-Hartman Subject: Re: kernel BUG at fs/ext4/inode.c:1914 - page_buffers() Message-ID: References: MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: X-Spam-Status: No, score=-4.0 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org On Wed, Nov 23, 2022 at 04:48:01PM +0200, Ivan Zahariev wrote: > Hello, > > Starting with kernel 5.15 for the past eight months we have a total of 12 > kernel panics at a fleet of 1000 KVM/Qemu machines which look the following > way: > > ?? ?kernel BUG at fs/ext4/inode.c:1914 > > Switching from kernel 4.14 to 5.15 almost immediately triggered the problem. > Therefore we are very confident that userland activity is more or less the > same and is not the root cause. The kernel function which triggers the BUG > is __ext4_journalled_writepage(). In 5.15 the code for > __ext4_journalled_writepage() in "fs/ext4/inode.c" is the same as the > current kernel "master". The line where the BUG is triggered is: > > ?? ?struct buffer_head *page_bufs = page_buffers(page) ... > > Back to the problem! 99% of the difference between 4.14 and the latest > kernel for __ext4_journalled_writepage() in "fs/ext4/inode.c" comes from the > following commit: https://github.com/torvalds/linux/commit/5c48a7df91499e371ef725895b2e2d21a126e227 > > Is it safe that we revert this patch on the latest 5.15 kernel, so that we > can confirm if this resolves the issue for us? No, it's not safe to revert this patch; this fixes a potential use-after-free bug identified by Syzkaller (and use-after-frees can sometimes be leveraged into security volunerabilities. I have not tested this change yet, but looking at the code and the change made in patch yet, this *might* be a possible fix: size = i_size_read(inode); - if (page->mapping != mapping || page_offset(page) > size) { + if (page->mapping != mapping || page_offset(page) >= size) { /* The page got truncated from under us */ ext4_journal_stop(handle); ret = 0; goto out; } Is it fair to say that your workload is using data=journaled and is frequently truncating that might have been recently modified (hence triggering the race between truncate and journalled writepages)? I wonder if you could come up with a more reliable reproducer so we can test a particular patch. Thanks, - Ted