[BUG] Warning in ext4_check_map_extents_env

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Pedro Demarchi Gomes <pedrodemargomes@gmail.com>
To: Theodore Ts'o <tytso@mit.edu>,
	 Andreas Dilger <adilger.kernel@dilger.ca>
Cc: linux-ext4@vger.kernel.org
Subject: [BUG] Warning in ext4_check_map_extents_env
Date: Mon, 9 Mar 2026 10:41:13 -0300	[thread overview]
Message-ID: <aa7Ms0MzyPKggFGo@fedora> (raw)

Hi,

The warning below occurs when running selftests/mm/merge on a kernel built
with CONFIG_EXT4_DEBUG=y.

syzkaller login: [   29.277674] ------------[ cut here ]------------
[   29.279636] WARNING: fs/ext4/inode.c:436 at ext4_check_map_extents_env+0x389/0x440, CPU#1: merge/365
[   29.282459] Modules linked in:
[   29.283497] CPU: 1 UID: 0 PID: 365 Comm: merge Not tainted 7.0.0-rc3 #59 PREEMPT(full)
[   29.285999] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   29.288850] RIP: 0010:ext4_check_map_extents_env+0x389/0x440
[   29.290653] Code: ff 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 87 00 00 00 48 8b 45 18 48 85 c0 0f 85 2e fd ff ff 90 <0f> 0b 90 e9 25 fd ff ff e8 8a 2e ca ff e9 e4 fc ff ff 48 89 df e8
[   29.296623] RSP: 0018:ffff88811876f2a8 EFLAGS: 00010246
[   29.298288] RAX: 0000000000000000 RBX: ffff888106c66798 RCX: ffffffff81e8ad60
[   29.300529] RDX: 1ffff11020d8ccf3 RSI: 0000000000000008 RDI: ffff888106c66798
[   29.302748] RBP: ffff888106c66780 R08: 0000000000000000 R09: ffffed1020d8ccf3
[   29.305009] R10: ffff888106c6679f R11: 0000000000000001 R12: 00000000001e0c26
[   29.307226] R13: ffff88811876f494 R14: ffff88811876f498 R15: ffff88811876f488
[   29.309477] FS:  00007fbe82723780(0000) GS:ffff8883c38aa000(0000) knlGS:0000000000000000
[   29.312085] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   29.313749] CR2: 00007fbe82790915 CR3: 000000011880e000 CR4: 00000000000006f0
[   29.315643] Call Trace:
[   29.316170]  <TASK>
[   29.316539]  ext4_map_blocks+0x602/0xb40
[   29.317204]  ? __pfx_ext4_map_blocks+0x10/0x10
[   29.317971]  ? __pfx_stack_trace_save+0x10/0x10
[   29.318719]  ? __filemap_add_folio+0x66f/0xb30
[   29.319500]  ext4_mpage_readpages.constprop.0.isra.0+0x918/0xe20
[   29.320501]  ? __pfx_ext4_mpage_readpages.constprop.0.isra.0+0x10/0x10
[   29.321602]  ? filemap_add_folio+0x11e/0x2c0
[   29.322325]  ? __pfx_ext4_read_folio+0x10/0x10
[   29.323107]  ext4_read_folio+0xd9/0x230
[   29.323762]  ? __pfx_ext4_read_folio+0x10/0x10
[   29.324552]  ? __pfx_ext4_read_folio+0x10/0x10
[   29.325321]  filemap_read_folio+0x43/0x150
[   29.326041]  do_read_cache_folio+0x1b1/0x320
[   29.326759]  read_cache_page+0x46/0x120
[   29.327426]  install_breakpoint+0x27d/0x810
[   29.328123]  uprobe_mmap+0x439/0xeb0
[   29.328715]  ? __pfx_uprobe_mmap+0x10/0x10
[   29.329391]  __mmap_region+0x8af/0x2290
[   29.330074]  ? __pfx___mmap_region+0x10/0x10
[   29.330793]  ? unwind_get_return_address+0x59/0xa0
[   29.331630]  ? event_sched_in+0x33f/0xaf0
[   29.332308]  ? perf_event_groups_next+0x9a/0x200
[   29.333667]  ? mm_get_unmapped_area_vmflags+0x6c/0xe0
[   29.335295]  ? mmap_region+0xd3/0x2b0
[   29.336171]  do_mmap+0x98a/0xec0
[   29.336713]  ? ipe_mmap_file+0xcf/0xe0
[   29.337340]  ? __pfx_do_mmap+0x10/0x10
[   29.337977]  ? __pfx_down_write_killable+0x10/0x10
[   29.338757]  ? __pfx_mutex_unlock+0x10/0x10
[   29.339477]  vm_mmap_pgoff+0x1b2/0x310
[   29.340114]  ? __pfx_vm_mmap_pgoff+0x10/0x10
[   29.340819]  ? __pfx___do_sys_perf_event_open+0x10/0x10
[   29.341688]  ? fget+0x189/0x230
[   29.342223]  ksys_mmap_pgoff+0x2b1/0x5b0
[   29.342868]  ? __pfx_ksys_mmap_pgoff+0x10/0x10
[   29.343618]  do_syscall_64+0xe2/0x560
[   29.344246]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   29.345105] RIP: 0033:0x7fbe82832de2
[   29.345707] Code: 00 00 00 0f 1f 44 00 00 41 f7 c1 ff 0f 00 00 75 27 55 89 cd 53 48 89 fb 48 85 ff 74 3b 41 89 ea 48 89 df b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 76 5b 5d c3 0f 1f 00 48 8b 05 f9 8f 0d 00 64
[   29.348851] RSP: 002b:00007ffd535f3b38 EFLAGS: 00000206 ORIG_RAX: 0000000000000009
[   29.350309] RAX: ffffffffffffffda RBX: 00007fbe826f9000 RCX: 00007fbe82832de2
[   29.351526] RDX: 0000000000000004 RSI: 000000000000a000 RDI: 00007fbe826f9000
[   29.352865] RBP: 0000000000000012 R08: 000000000000000b R09: 0000000000000000
[   29.354136] R10: 0000000000000012 R11: 0000000000000206 R12: 00007ffd535f4120
[   29.355357] R13: 0000000000000000 R14: 000000000000000b R15: 0000000000001000
[   29.356684]  </TASK>
[   29.357119] ---[ end trace 0000000000000000 ]---

The warning is triggered by TEST_F(merge, handle_uprobe_upon_merged_vma) in
selftests/mm/merge.c. It occurs during the first mmap() following the
__NR_perf_event_open syscall, as shown in the excerpt below:

TEST_F(merge, handle_uprobe_upon_merged_vma)
{
	const size_t attr_sz = sizeof(struct perf_event_attr);
	unsigned int page_size = self->page_size;
	const char *probe_file = "./foo";
	char *carveout = self->carveout;
	struct perf_event_attr attr;
	unsigned long type;
	void *ptr1, *ptr2;
	int fd;

	fd = open(probe_file, O_RDWR|O_CREAT, 0600);
	ASSERT_GE(fd, 0);

	ASSERT_EQ(ftruncate(fd, page_size), 0);
	if (read_sysfs("/sys/bus/event_source/devices/uprobe/type", &type) != 0) {
		SKIP(goto out, "Failed to read uprobe sysfs file, skipping");
	}

	memset(&attr, 0, attr_sz);
	attr.size = attr_sz;
	attr.type = type;
	attr.config1 = (__u64)(long)probe_file;
	attr.config2 = 0x0;

	ASSERT_GE(syscall(__NR_perf_event_open, &attr, 0, -1, -1, 0), 0);

	ptr1 = mmap(&carveout[page_size], 10 * page_size, PROT_EXEC,
		    MAP_PRIVATE | MAP_FIXED, fd, 0); < WARNING!!!
	ASSERT_NE(ptr1, MAP_FAILED);

	getchar();

	ptr2 = mremap(ptr1, page_size, 2 * page_size,
		      MREMAP_MAYMOVE | MREMAP_FIXED, ptr1 + 5 * page_size);
	ASSERT_NE(ptr2, MAP_FAILED);

	ASSERT_NE(mremap(ptr2, page_size, page_size,
			 MREMAP_MAYMOVE | MREMAP_FIXED, ptr1), MAP_FAILED);

out:
	close(fd);
	remove(probe_file);
}

The issue originates from the following call chain:
	prepare_uprobe
	  -> copy_insn
	       -> __copy_insn
		    -> read_mapping_page() or shmem_read_mapping_page()

Both read_mapping_page() and shmem_read_mapping_page() are invoked
without holding i_rwsem or invalidate_lock. When CONFIG_EXT4_DEBUG
is enabled, this triggers the warning in ext4_check_map_extents_env().

next             reply	other threads:[~2026-03-09 13:41 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-09 13:41 Pedro Demarchi Gomes [this message]
2026-03-10 12:23 ` [BUG] Warning in ext4_check_map_extents_env Zhang Yi
  -- strict thread matches above, loose matches on Subject: below --
2026-03-09  4:26 Pedro Demarchi Gomes

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aa7Ms0MzyPKggFGo@fedora \
    --to=pedrodemargomes@gmail.com \
    --cc=adilger.kernel@dilger.ca \
    --cc=linux-ext4@vger.kernel.org \
    --cc=tytso@mit.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.