From: xingwei lee
Date: Fri, 8 Dec 2023 22:12:01 +0800
Subject: Re: divide error in mb_update_avg_fragment_size
To: harperchen1110@gmail.com
Cc: adilger.kernel@dilger.ca, linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, syzkaller@googlegroups.com, tytso@mit.edu

Hello,

I saw you can't reproduce this bug, and I reproduced it with repro.c and repro.txt. I tested the repro.c on the latest HEAD:
5e3f5b81de80c98338bcb47c233aebefee5a4801
kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=6ae1a4ee971a7305
and the bug also existed.

=* repro.c =*

// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static unsigned long long procid;

static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

/* Kill the test process group and reap it; abort any FUSE connections that
 * could otherwise keep the child from exiting. */
static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  } else {
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

static void setup_test()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

/* Fork a fresh child for every iteration; a child that runs longer than
 * 5 seconds is killed and the loop continues. */
static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

/* Resources (file descriptors) returned by earlier syscalls in the program. */
uint64_t r[5] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff,
                 0xffffffffffffffff, 0xffffffffffffffff};

void execute_one(void)
{
  intptr_t res = 0;
  memcpy((void*)0x20000280, "cgroup.controllers\000", 19);
  res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x20000280ul, /*flags=*/0x275aul, /*mode=*/0ul);
  if (res != -1)
    r[0] = res;
  memcpy((void*)0x20000180, "cgroup.controllers\000", 19);
  res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x20000180ul, /*flags=*/0x275aul, /*mode=*/0ul);
  if (res != -1)
    r[1] = res;
  res = syscall(__NR_dup3, /*oldfd=*/r[1], /*newfd=*/r[0], /*flags=*/0ul);
  if (res != -1)
    r[2] = res;
  *(uint32_t*)0x20000140 = 0x20;
  *(uint32_t*)0x20000144 = 0x8c8c;
  *(uint32_t*)0x20000148 = 0;
  *(uint32_t*)0x2000014c = 0;
  *(uint32_t*)0x20000150 = 0;
  memset((void*)0x20000154, 0, 8);
  syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0x401c5820, /*arg=*/0x20000140ul);
  sprintf((char*)0x20000040, "0x%016llx", (long long)0);
  syscall(__NR_write, /*fd=*/r[0], /*buf=*/0x20000040ul, /*len=*/0xfea0ul);
  memcpy((void*)0x200001c0, "cpuset.effective_cpus\000", 22);
  res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x200001c0ul, /*flags=*/0x275aul, /*mode=*/0ul);
  if (res != -1)
    r[3] = res;
  sprintf((char*)0x20000380, "0x%016llx", (long long)0);
  syscall(__NR_write, /*fd=*/r[3], /*buf=*/0x20000380ul, /*len=*/0x101bful);
  syscall(__NR_ioctl, /*fd=*/r[3], /*cmd=*/0x660c, 0);
  *(uint32_t*)0x200000c0 = 0;
  *(uint32_t*)0x200000c4 = r[3];
  *(uint64_t*)0x200000c8 = 7;
  *(uint64_t*)0x200000d0 = 0;
  *(uint64_t*)0x200000d8 = 0;
  *(uint64_t*)0x200000e0 = 0;
  syscall(__NR_ioctl, /*fd=*/r[2], /*cmd=*/0xc028660f, /*arg=*/0x200000c0ul);
  syscall(__NR_writev, /*fd=*/-1, /*vec=*/0ul, /*vlen=*/0ul);
  syscall(__NR_ioctl, /*fd=*/-1, /*cmd=*/0x40045569, /*arg=*/9ul);
  syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0ul, /*flags=*/0x275aul, /*mode=*/0ul);
  memcpy((void*)0x20000180, "cgroup.controllers\000", 19);
  res = syscall(__NR_openat, /*fd=*/0xffffff9c, /*file=*/0x20000180ul, /*flags=*/0x275aul, /*mode=*/0ul);
  if (res != -1)
    r[4] = res;
  *(uint64_t*)0x200000c0 = 4;
  *(uint64_t*)0x200000c8 = 0x16000000000000;
  *(uint64_t*)0x200000d0 = 0x20;
  syscall(__NR_ioctl, /*fd=*/r[4], /*cmd=*/0xc0185879, /*arg=*/0x200000c0ul);
}

int main(void)
{
  /* Map the fixed arena that the generated program uses for its arguments. */
  syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
  for (procid = 0; procid < 4; procid++) {
    if (fork() == 0) {
      loop();
    }
  }
  sleep(1000000);
  return 0;
}

=* repro.txt =*

r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000280)='cgroup.controllers\x00', 0x275a, 0x0)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000180)='cgroup.controllers\x00', 0x275a, 0x0)
r2 = dup3(r1, r0, 0x0)
ioctl$FS_IOC_FSSETXATTR(r0, 0x401c5820, &(0x7f0000000140)={0x20, 0x8c8c})
write$cgroup_int(r0, &(0x7f0000000040), 0xfea0)
r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='cpuset.effective_cpus\x00', 0x275a, 0x0)
write$cgroup_int(r3, &(0x7f0000000380), 0x101bf)
ioctl$EXT4_IOC_ALLOC_DA_BLKS(r3, 0x660c)
ioctl$EXT4_IOC_MOVE_EXT(r2, 0xc028660f, &(0x7f00000000c0)={0x0, r3, 0x7})
writev(0xffffffffffffffff, 0x0, 0x0)
ioctl$UI_SET_LEDBIT(0xffffffffffffffff, 0x40045569, 0x9)
openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x275a, 0x0)
r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000180)='cgroup.controllers\x00', 0x275a, 0x0)
ioctl$FITRIM(r4, 0xc0185879, &(0x7f00000000c0)={0x4, 0x16000000000000, 0x20})

and also https://gist.github.com/xrivendell7/bad992c2b716ed14310efa2c6f878b7c