All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH v2] ext4: fix kernel BUG in 'ext4_write_inline_data_end()'
@ 2022-12-06 14:41 Ye Bin
  2022-12-07  6:44 ` Jun Nie
  0 siblings, 1 reply; 4+ messages in thread
From: Ye Bin @ 2022-12-06 14:41 UTC (permalink / raw)
  To: tytso, adilger.kernel, linux-ext4
  Cc: linux-kernel, jack, Ye Bin, syzbot+4faa160fa96bfba639f8, Jun Nie

From: Ye Bin <yebin10@huawei.com>

Syzbot report follow issue:
------------[ cut here ]------------
kernel BUG at fs/ext4/inline.c:227!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 3629 Comm: syz-executor212 Not tainted 6.1.0-rc5-syzkaller-00018-g59d0d52c30d4 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:ext4_write_inline_data+0x344/0x3e0 fs/ext4/inline.c:227
RSP: 0018:ffffc90003b3f368 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff8880704e16c0 RCX: 0000000000000000
RDX: ffff888021763a80 RSI: ffffffff821e31a4 RDI: 0000000000000006
RBP: 000000000006818e R08: 0000000000000006 R09: 0000000000068199
R10: 0000000000000079 R11: 0000000000000000 R12: 000000000000000b
R13: 0000000000068199 R14: ffffc90003b3f408 R15: ffff8880704e1c82
FS:  000055555723e3c0(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fffe8ac9080 CR3: 0000000079f81000 CR4: 0000000000350ee0
Call Trace:
 <TASK>
 ext4_write_inline_data_end+0x2a3/0x12f0 fs/ext4/inline.c:768
 ext4_write_end+0x242/0xdd0 fs/ext4/inode.c:1313
 ext4_da_write_end+0x3ed/0xa30 fs/ext4/inode.c:3063
 generic_perform_write+0x316/0x570 mm/filemap.c:3764
 ext4_buffered_write_iter+0x15b/0x460 fs/ext4/file.c:285
 ext4_file_write_iter+0x8bc/0x16e0 fs/ext4/file.c:700
 call_write_iter include/linux/fs.h:2191 [inline]
 do_iter_readv_writev+0x20b/0x3b0 fs/read_write.c:735
 do_iter_write+0x182/0x700 fs/read_write.c:861
 vfs_iter_write+0x74/0xa0 fs/read_write.c:902
 iter_file_splice_write+0x745/0xc90 fs/splice.c:686
 do_splice_from fs/splice.c:764 [inline]
 direct_splice_actor+0x114/0x180 fs/splice.c:931
 splice_direct_to_actor+0x335/0x8a0 fs/splice.c:886
 do_splice_direct+0x1ab/0x280 fs/splice.c:974
 do_sendfile+0xb19/0x1270 fs/read_write.c:1255
 __do_sys_sendfile64 fs/read_write.c:1323 [inline]
 __se_sys_sendfile64 fs/read_write.c:1309 [inline]
 __x64_sys_sendfile64+0x1d0/0x210 fs/read_write.c:1309
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
---[ end trace 0000000000000000 ]---

Above issue may happens as follows:
ext4_da_write_begin
  ext4_da_write_inline_data_begin
    ext4_da_convert_inline_data_to_extent
      ext4_clear_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA);
ext4_da_write_end

ext4_run_li_request
  ext4_mb_prefetch
    ext4_read_block_bitmap_nowait
      ext4_validate_block_bitmap
        ext4_mark_group_bitmap_corrupted(sb, block_group, EXT4_GROUP_INFO_BBITMAP_CORRUPT)
	 percpu_counter_sub(&sbi->s_freeclusters_counter,grp->bb_free);
	  -> sbi->s_freeclusters_counter become zero
ext4_da_write_begin
  if (ext4_nonda_switch(inode->i_sb)) -> As freeclusters_counter is zero will return true
    *fsdata = (void *)FALL_BACK_TO_NONDELALLOC;
    ext4_write_begin
ext4_da_write_end
  if (write_mode == FALL_BACK_TO_NONDELALLOC)
    ext4_write_end
      if (inline_data)
        ext4_write_inline_data_end
	  ext4_write_inline_data
	    BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);
           -> As inode is already convert to extent, so 'pos + len' > inline_size
	   -> then trigger BUG.

To solve above issue, there's need to judge inode if has EXT4_STATE_MAY_INLINE_DATA
flag in 'ext4_write_end()'. 'ext4_has_inline_data()' flag only cleared after do
write back, EXT4_STATE_MAY_INLINE_DATA flag indicate that inode has inline data,
so add this flag check except 'ext4_has_inline_data()' flag in 'ext4_write_end()'.

Fixes:f19d5870cbf7("ext4: add normal write support for inline data")
Reported-by: syzbot+4faa160fa96bfba639f8@syzkaller.appspotmail.com
Reported-by: Jun Nie <jun.nie@linaro.org>
Signed-off-by: Ye Bin <yebin10@huawei.com>
---
 fs/ext4/inode.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index f0079835b8a8..25841a878ce9 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -1315,7 +1315,8 @@ static int ext4_write_end(struct file *file,
 
 	trace_ext4_write_end(inode, pos, len, copied);
 
-	if (ext4_has_inline_data(inode))
+	if (ext4_has_inline_data(inode) &&
+	    ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA))
 		return ext4_write_inline_data_end(inode, pos, len, copied, page);
 
 	copied = block_write_end(file, mapping, pos, len, copied, page, fsdata);
-- 
2.31.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] ext4: fix kernel BUG in 'ext4_write_inline_data_end()'
  2022-12-06 14:41 [PATCH v2] ext4: fix kernel BUG in 'ext4_write_inline_data_end()' Ye Bin
@ 2022-12-07  6:44 ` Jun Nie
  2022-12-07  7:53   ` yebin (H)
  0 siblings, 1 reply; 4+ messages in thread
From: Jun Nie @ 2022-12-07  6:44 UTC (permalink / raw)
  To: Ye Bin
  Cc: tytso, adilger.kernel, linux-ext4, linux-kernel, jack, Ye Bin,
	syzbot+4faa160fa96bfba639f8

Hi Bin,

Thanks for the patch! The bug is reproduced with this patch. I can
help trigger another
test when you have new patch.
https://syzkaller.appspot.com/text?tag=CrashLog&x=16760797880000

Regards,
Jun

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] ext4: fix kernel BUG in 'ext4_write_inline_data_end()'
  2022-12-07  6:44 ` Jun Nie
@ 2022-12-07  7:53   ` yebin (H)
  2022-12-07  8:11     ` Jun Nie
  0 siblings, 1 reply; 4+ messages in thread
From: yebin (H) @ 2022-12-07  7:53 UTC (permalink / raw)
  To: Jun Nie, Ye Bin
  Cc: tytso, adilger.kernel, linux-ext4, linux-kernel, jack,
	syzbot+4faa160fa96bfba639f8



On 2022/12/7 14:44, Jun Nie wrote:
> Hi Bin,
>
> Thanks for the patch! The bug is reproduced with this patch. I can
> help trigger another
> test when you have new patch.
> https://syzkaller.appspot.com/text?tag=CrashLog&x=16760797880000

The cause of this issue is different from that of the previous issue.
I analyze that the issue 
"https://syzkaller.appspot.com/text?tag=CrashLog&x=16760797880000 "
is caused by the concurrency of  inline data conversion and buffer 
write. To be honest, I haven't
thought of any good solution.

>
> Regards,
> Jun
> .


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] ext4: fix kernel BUG in 'ext4_write_inline_data_end()'
  2022-12-07  7:53   ` yebin (H)
@ 2022-12-07  8:11     ` Jun Nie
  0 siblings, 0 replies; 4+ messages in thread
From: Jun Nie @ 2022-12-07  8:11 UTC (permalink / raw)
  To: yebin (H)
  Cc: Ye Bin, tytso, adilger.kernel, linux-ext4, linux-kernel, jack,
	syzbot+4faa160fa96bfba639f8

yebin (H) <yebin10@huawei.com> 于2022年12月7日周三 15:54写道:
>
>
>
> On 2022/12/7 14:44, Jun Nie wrote:
> > Hi Bin,
> >
> > Thanks for the patch! The bug is reproduced with this patch. I can
> > help trigger another
> > test when you have new patch.
> > https://syzkaller.appspot.com/text?tag=CrashLog&x=16760797880000
>
> The cause of this issue is different from that of the previous issue.
> I analyze that the issue
> "https://syzkaller.appspot.com/text?tag=CrashLog&x=16760797880000 "
> is caused by the concurrency of  inline data conversion and buffer
> write. To be honest, I haven't
> thought of any good solution.
>
Thanks for explanation. So the patch to fix the previous bug is still
in upstream plan, right?
> >
> > Regards,
> > Jun
> > .
>

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2022-12-07  8:13 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-12-06 14:41 [PATCH v2] ext4: fix kernel BUG in 'ext4_write_inline_data_end()' Ye Bin
2022-12-07  6:44 ` Jun Nie
2022-12-07  7:53   ` yebin (H)
2022-12-07  8:11     ` Jun Nie

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.