Received: by 2002:a05:7412:6592:b0:d7:7d3a:4fe2 with SMTP id m18csp2365525rdg; Sun, 13 Aug 2023 23:09:48 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGvk4SGq5fS6lswAExC4y0qAZXMBxvPWaJaivBfsSegL8y3y/UTmFje4kzhhPri6QO0CNZb X-Received: by 2002:a17:906:30cf:b0:99c:bb4d:f59e with SMTP id b15-20020a17090630cf00b0099cbb4df59emr7084625ejb.63.1691993388339; Sun, 13 Aug 2023 23:09:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1691993388; cv=none; d=google.com; s=arc-20160816; b=RwxDUdBMBsjCjOPgpMsSj+EgCi8ffsdjh67kLLqScrmmPrPnerJUhtd4GjAW8g/jRa KNNXpRTZr8lQ+Lbef4kinweyoeELpzauKRFPSmJAM8cljBIrijwAB1vy/KLlVtsGrCLD Xq+6bsk0hLx0WcHbjCB23WGRZDW9u6S8G93v/zIlIGzzR1J5JrkxC9Ni8qtqAjbo9B90 PQLdFqWmqHSmTg45tJRGIZpI7+NymCp0t3eAJtu+deXXhr4tKKqIKws8mXTiF0PuC1LX VnTpE3ocU3zt3cn02e1IMI4dHprplLxZbXfpSfK1Z46aNSXR/5MkIWftSeQ5HRICA2ST 0N6g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :content-language:references:to:subject:cc:user-agent:mime-version :date:message-id:dkim-signature; bh=4BOY7SB48by5B9LazMn3f+64glE9hz2zraEf7DrSfCM=; fh=lhTPANClC8kbqAoQFNxJOGKGJ+iM2ZOMyx6rXYeNn/E=; b=OKewyUvkILG58GKnS0q8DOTA+ZaPfaINx9tzYfq4edqxP1FIzuKXa74/dySCkqpndo zXDzMwwJIPwY00KgwQ92rwk8CHKyYdPth3vZIoW2DCT4VWbuigoT9YeVYxRBO00tXh3S PD6Tppf9DrxXTtppi/nYQwGxYKVe13VSxZeqqy/W4lR9HlvjuIurUko1BwPQgZmqXtDK rBlnsSALrjP0SS9d1c7+ghYdy1OXRl6TRU01sR1cTUJmA2bBusG/eYoVyg5YxLeCNWWL Cht1t6ainu6SEiQoQoX+RjbPw5+yWDk5Ff7ydKHk0mjtDTIppYLeDKpyoYoviH8vKcsL 8tJw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@collabora.com header.s=mail header.b=KRkI9fAX; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=collabora.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id dc22-20020a170906c7d600b00997e71d037dsi6870291ejb.624.2023.08.13.23.09.25; Sun, 13 Aug 2023 23:09:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@collabora.com header.s=mail header.b=KRkI9fAX; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=collabora.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233299AbjHNFcS (ORCPT + 99 others); Mon, 14 Aug 2023 01:32:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38428 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233304AbjHNFbx (ORCPT ); Mon, 14 Aug 2023 01:31:53 -0400 Received: from madras.collabora.co.uk (madras.collabora.co.uk [46.235.227.172]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 18D97E77; Sun, 13 Aug 2023 22:31:49 -0700 (PDT) Received: from [192.168.164.158] (unknown [116.71.172.205]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: usama.anjum) by madras.collabora.co.uk (Postfix) with ESMTPSA id E9CBB660705E; Mon, 14 Aug 2023 06:31:43 +0100 (BST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=collabora.com; s=mail; t=1691991106; bh=ANCniHg7REILr/QGUi9unlaj0a75Pe7ScZ5Fehdxbrk=; h=Date:Cc:Subject:To:References:From:In-Reply-To:From; b=KRkI9fAXgtzqN89AZyap4JhadnYJIvcuTIjEOdwSi0LG14TJMV0Vi9ixQcs5MbhcU bsFbe/XBpzrtCsyzJdAE2voWc/izY+aAN2xE8elmGp9vNpXOCaU+N62IE3N38zigu2 ueM3bH+qU1h8kGkIDwnjuGg25sjIt5hQE6Dj/a8gVvyCWtXV7MfC0Py0KDlqNhLGOd QPE4aVrb9D85+h9s27ppNCc3qwBWBEwGPxGspiTpXo0/Z6kzzLSNJshmw6a6moMxGB Crb+tkO1hGE7x2Rb+3q5lHwATBbWxuKRNzjTJSq+Ndu+SgnGEkmy7w/9IAVNm0AiRE YgSgz2YDmEXBw== Message-ID: <4637f58c-1cf3-0691-4fc1-6fbc38ec47ce@collabora.com> Date: Mon, 14 Aug 2023 10:31:38 +0500 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.13.1 Cc: Muhammad Usama Anjum , linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org, linux-stable , regressions@lists.linux.dev, Baokun Li , Andreas Dilger , Theodore Ts'o , Jan Kara Subject: Re: [v6.1] kernel BUG in ext4_writepages To: syzbot , syzkaller-lts-bugs@googlegroups.com References: <00000000000081f8c905f6c24e0d@google.com> <87dcdf62-8a74-1fbf-5f10-f4f3231f774f@collabora.com> Content-Language: en-US From: Muhammad Usama Anjum In-Reply-To: <87dcdf62-8a74-1fbf-5f10-f4f3231f774f@collabora.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-5.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_SORBS_WEB,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org On 8/10/23 3:49 PM, Muhammad Usama Anjum wrote: > Hi, > > Syzbot has reporting hitting this bug on 6.1.18 and 5.15.101 LTS kernels > and provided reproducer as well. > > BUG_ON(ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA)); > > I've copied the same config and reproduced the bug on 6.1.18, 6.1.44 and > next-20230809. > > This part of code hasn't been changed from the time it was introduced > 4e7ea81db53465 ("ext4: restructure writeback path"). I'm not sure why the > inlined data is being destroyed before copying it somewhere else. > > Please consider this a report. > > Regards, > Muhammad Usama Anjum > > > On 3/13/23 11:34 AM, syzbot wrote: >> syzbot has found a reproducer for the following issue on: >> >> HEAD commit: 1cc3fcf63192 Linux 6.1.18 >> git tree: linux-6.1.y >> console output: https://syzkaller.appspot.com/x/log.txt?x=10d4b342c80000 >> kernel config: https://syzkaller.appspot.com/x/.config?x=157296d36f92ea19 > ^ Kernel config > >> dashboard link: https://syzkaller.appspot.com/bug?extid=a8068dd81edde0186829 >> compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2 >> userspace arch: arm64 >> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13512ec6c80000 >> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15ca0ff4c80000 > ^ reproducers. C reproducer reproduces the bug easily. > >> >> Downloadable assets: >> disk image: https://storage.googleapis.com/syzbot-assets/0e4c0d43698b/disk-1cc3fcf6.raw.xz >> vmlinux: https://storage.googleapis.com/syzbot-assets/a4de39d735de/vmlinux-1cc3fcf6.xz >> kernel image: https://storage.googleapis.com/syzbot-assets/82bab928f6e3/Image-1cc3fcf6.gz.xz >> mounted in repro: https://storage.googleapis.com/syzbot-assets/bf2e21b96210/mount_0.gz >> >> IMPORTANT: if you fix the issue, please add the following tag to the commit: >> Reported-by: syzbot+a8068dd81edde0186829@syzkaller.appspotmail.com >> >> ------------[ cut here ]------------ >> kernel BUG at fs/ext4/inode.c:2746! >> Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP >> Modules linked in: >> CPU: 0 PID: 11 Comm: kworker/u4:1 Not tainted 6.1.18-syzkaller #0 >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023 >> Workqueue: writeback wb_workfn (flush-7:0) >> pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) >> pc : ext4_writepages+0x35f4/0x35f8 fs/ext4/inode.c:2745 >> lr : ext4_writepages+0x35f4/0x35f8 fs/ext4/inode.c:2745 >> sp : ffff800019d16d40 >> x29: ffff800019d17120 x28: ffff800008e691e4 x27: dfff800000000000 >> x26: ffff0000de1f3ee0 x25: ffff800019d17590 x24: ffff800019d17020 >> x23: ffff0000dd616000 x22: ffff800019d16f40 x21: ffff0000de1f4108 >> x20: 0000008410000000 x19: 0000000000000001 x18: ffff800019d16a20 >> x17: ffff80001572d000 x16: ffff8000083099b4 x15: 000000000000ba31 >> x14: 00000000ffffffff x13: dfff800000000000 x12: 0000000000000001 >> x11: ff80800008e6c7d8 x10: 0000000000000000 x9 : ffff800008e6c7d8 >> x8 : ffff0000c099b680 x7 : 0000000000000000 x6 : 0000000000000000 >> x5 : 0000000000000080 x4 : 0000000000000000 x3 : 0000000000000001 >> x2 : 0000000000000000 x1 : 0000008000000000 x0 : 0000000000000000 >> Call trace: >> ext4_writepages+0x35f4/0x35f8 fs/ext4/inode.c:2745 >> do_writepages+0x2e8/0x56c mm/page-writeback.c:2469 >> __writeback_single_inode+0x228/0x1ec8 fs/fs-writeback.c:1587 >> writeback_sb_inodes+0x9c0/0x1844 fs/fs-writeback.c:1878 >> wb_writeback+0x4f8/0x1580 fs/fs-writeback.c:2052 >> wb_do_writeback fs/fs-writeback.c:2195 [inline] >> wb_workfn+0x460/0x11b8 fs/fs-writeback.c:2235 >> process_one_work+0x868/0x16f4 kernel/workqueue.c:2289 >> worker_thread+0x8e4/0xfec kernel/workqueue.c:2436 >> kthread+0x24c/0x2d4 kernel/kthread.c:376 >> ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860 >> Code: d4210000 97da5cfa d4210000 97da5cf8 (d4210000) >> ---[ end trace 0000000000000000 ]--- >> >> The last refactoring was done by 4e7ea81db53465 on this code in 2013. The code segment in question is present from even before that. It means that this bug is present for several years. 4.14 is the most old kernel being maintained today. So it affects all current LTS and mainline kernels. I'll report 4e7ea81db53465 with regzbot for proper tracking. Thus probably the bug report will get associated with all LTS kernels as well. #regzbot title: Race condition between buffer write and page_mkwrite #regzbot introduced: 4e7ea81db53465 #regzbot monitor: https://lore.kernel.org/all/20230530134405.322194-1-libaokun1@huawei.com -- BR, Muhammad Usama Anjum