* Re: [RFC PATCH] iomap: add fast read path for small direct I/O
From: Dave Chinner @ 2026-04-21 22:36 UTC (permalink / raw)
To: Fengnan
Cc: Ojaswin Mujoo, Fengnan Chang, brauner, djwong, linux-xfs,
linux-fsdevel, linux-ext4, lidiangang
In-Reply-To: <87674d63-c8cb-4135-8d76-84f52e90ac2e@bytedance.com>
On Tue, Apr 21, 2026 at 11:19:31AM +0800, Fengnan wrote:
> 在 2026/4/21 07:59, Dave Chinner 写道:
> > I'm clearly missing something here. I'm trying to work out why the
> > profiles show what they do, but there's differences between them
> > that do make obvious sense to me.
> >
> > It would also be useful to have XFS profiles, because it has a
> > larger CPU cache footprint than ext4. If what the profiles are
> > showing is a result of CPU cache residency artifacts, then we'll see
> > different profile (and, potentially, performance) artifacts with
> > XFS...
> The XFS flame graph is also attached now.
> IOPS: 1.92M->2.3M.
The callchains in both XFS flame graphs are completely bogus:
<io_uring entry>
....
io_read
__io_read
xfs_inode_free_eofblocks
xfs_prep_free_cowblocks
iomap_dio_rw
iomap_dio_simple_read
xfs_mountfs
....
Can you regenerate the profiles, please, and this time check that
they make sense before posting them?
-Dave.
--
Dave Chinner
dgc@kernel.org
^ permalink raw reply
* Re: [PATCH v8 04/22] fsverity: generate and store zero-block hash
From: Eric Biggers @ 2026-04-21 21:47 UTC (permalink / raw)
To: Andrey Albershteyn
Cc: linux-xfs, fsverity, linux-fsdevel, hch, linux-ext4,
linux-f2fs-devel, linux-btrfs, linux-unionfs, djwong
In-Reply-To: <20260420114714.1621982-5-aalbersh@kernel.org>
On Mon, Apr 20, 2026 at 01:46:51PM +0200, Andrey Albershteyn wrote:
> +void fsverity_fill_zerohash(struct folio *folio, size_t offset, size_t len,
> + struct fsverity_info *vi)
[...]
> +void fsverity_fill_zerohash(struct folio *folio, size_t poff, size_t plen,
> + struct fsverity_info *vi);
[...]
> +static inline void fsverity_fill_zerohash(struct folio *folio, size_t poff,
> + size_t plen, struct fsverity_info *vi)
The parameters should have the same name at each declaration site.
- Eric
^ permalink raw reply
* Re: [PATCH v8 03/22] ovl: use core fsverity ensure info interface
From: Eric Biggers @ 2026-04-21 21:44 UTC (permalink / raw)
To: Andrey Albershteyn
Cc: linux-xfs, fsverity, linux-fsdevel, hch, linux-ext4,
linux-f2fs-devel, linux-btrfs, linux-unionfs, djwong,
Amir Goldstein
In-Reply-To: <20260420114714.1621982-4-aalbersh@kernel.org>
On Mon, Apr 20, 2026 at 01:46:50PM +0200, Andrey Albershteyn wrote:
> int ovl_ensure_verity_loaded(const struct path *datapath)
> {
> struct inode *inode = d_inode(datapath->dentry);
> - struct file *filp;
>
> - if (!fsverity_active(inode) && IS_VERITY(inode)) {
> - /*
> - * If this inode was not yet opened, the verity info hasn't been
> - * loaded yet, so we need to do that here to force it into memory.
> - */
> - filp = kernel_file_open(datapath, O_RDONLY, current_cred());
> - if (IS_ERR(filp))
> - return PTR_ERR(filp);
> - fput(filp);
> - }
> + if (fsverity_active(inode))
> + return fsverity_ensure_verity_info(inode);
Not sure whether I should review this version or the version in git, but
both seem wrong. The 'if (!fsverity_active(inode) && IS_VERITY(inode))
{' condition should stay, but fsverity_ensure_verity_info() will need to
gain a !CONFIG_FS_VERITY stub to fix the build error.
- Eric
^ permalink raw reply
* Re: [PATCH v8 00/22] fs-verity support for XFS with post EOF merkle tree
From: Eric Biggers @ 2026-04-21 21:43 UTC (permalink / raw)
To: Andrey Albershteyn
Cc: linux-xfs, fsverity, linux-fsdevel, hch, linux-ext4,
linux-f2fs-devel, linux-btrfs, linux-unionfs, djwong, david
In-Reply-To: <20260420114714.1621982-1-aalbersh@kernel.org>
On Mon, Apr 20, 2026 at 01:46:47PM +0200, Andrey Albershteyn wrote:
> This series based on v7.0 with Christoph's read ioends patchset [1].
>
> kernel:
> https://git.kernel.org/pub/scm/linux/kernel/git/aalbersh/xfs-linux.git/log/?h=b4/fsverity
FYI: the git repository doesn't match what was actually sent out. For
example the patch "ovl: use core fsverity ensure info interface" is a
bit different. The version in git (incorrectly, I think) ignores the
error code, while the patch returns it.
- Eric
^ permalink raw reply
* Re: [BUG] ext4: BUG_ON in ext4_write_inline_data (fs/ext4/inline.c:240)
From: Jan Kara @ 2026-04-21 12:25 UTC (permalink / raw)
To: Zw Tang
Cc: tytso, Andreas Dilger, libaokun, jack, ojaswin, linux-ext4,
linux-kernel, yi.zhang
In-Reply-To: <CAPHJ_VJeBAL_fk+P79guYTABZgW1hkcAz8t=c_nVK1mbn3_FYw@mail.gmail.com>
Hello!
On Tue 21-04-26 19:32:43, Zw Tang wrote:
> I am reporting a kernel BUG in ext4 triggered by a syzkaller reproducer on
> Linux 7.0.0-08391-g1d51b370a0f8.
Sorry but we don't generally debug fuzzer issues not being reported by
syzbot. It provides much better tracking, deduplication and general
handling of issues which significantly speeds up debugging. If you have
some interesting modification of syzkaller, please contribute it upstream
so that everybody can benefit.
Honza
>
> The first fatal issue happens in the ext4 inline data write path:
> sendfile64 -> ext4_file_write_iter -> ext4_da_write_end ->
> ext4_write_inline_data_end -> ext4_write_inline_data.
>
> The crash is reported as:
>
> kernel BUG at fs/ext4/inline.c:240
>
> and RIP points to:
>
> ext4_write_inline_data+0x3d0/0x490
>
> This looks like an ext4 inline-data boundary/state inconsistency triggered
> while writing to an ext4 image crafted by syzkaller. The later
> KASAN: slab-use-after-free in rwsem_down_write_slowpath() appears to be a
> secondary effect after the primary ext4 BUG, likely during teardown/unlink
> after the filesystem failure.
>
> Reproducer:
> C reproducer: pastebin.com/raw/3LmK5Kxg
> console output: pastebin.com/raw/C0XjNMXp
> kernel config: pastebin.com/raw/aq1V3cLk
>
> Kernel:
> HEAD commit:
> git tree: <e.g. torvalds/linux>
> kernel version: 7.0.0-08391-g1d51b370a0f8 #1 PREEMPT(lazy) (QEMU)
>
> Relevant log:
>
> [ 1329.147750] kernel BUG at fs/ext4/inline.c:240!
> [ 1329.148692] Oops: invalid opcode: 0000 [#1] SMP KASAN
> [ 1329.149543] CPU: 0 UID: 0 PID: 334 Comm: repro1 Tainted: G W
> 7.0.0-08391-g1d51b370a0f8 #1 PREEMPT(lazy)
> [ 1329.153249] RIP: 0010+0x3d0/0x490
> [ 1329.167978] ext4_write_inline_data_end+0x293/0xc90
> [ 1329.170566] ext4_da_write_end+0x521/0xec0
> [ 1329.176842] ext4_buffered_write_iter+0x11a/0x430
> [ 1329.177610] ext4_file_write_iter+0x561/0x1840
> [ 1329.185052] iter_file_splice_write+0xa33/0x11c0
> [ 1329.190820] direct_splice_actor+0x18f/0x7a0
> [ 1329.198893] do_splice_direct+0x41/0x50
> [ 1329.200276] do_sendfile+0xa86/0xda0
> [ 1329.203110] __x64_sys_sendfile64+0x1cf/0x210
>
> There is also an ext4 metadata inconsistency message right after the BUG:
>
> [ 1329.221770] EXT4-fs error (device loop1):
> ext4_mb_generate_buddy:1314: group 0, block bitmap and bg descriptor
> inconsistent: 25 vs 150994969 free clusters
>
> and later a secondary report:
>
> [ 1329.274881] BUG: KASAN: slab-use-after-free in
> rwsem_down_write_slowpath+0x15e9/0x1640
>
> Based on the log, I believe the primary issue to investigate is the BUG in
> fs/ext4/inline.c, while the later rwsem report is probably fallout after
> the ext4 failure.
>
> Please let me know if more information is needed.
>
> Thanks.
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
^ permalink raw reply
* Re: [BUG] ext4: BUG_ON in ext4_write_inline_data (fs/ext4/inline.c:240)
From: Theodore Tso @ 2026-04-21 12:20 UTC (permalink / raw)
To: Zw Tang
Cc: Andreas Dilger, libaokun, jack, ojaswin, linux-ext4, linux-kernel,
yi.zhang, syzkaller-bugs
In-Reply-To: <CAPHJ_VJeBAL_fk+P79guYTABZgW1hkcAz8t=c_nVK1mbn3_FYw@mail.gmail.com>
On Tue, Apr 21, 2026 at 07:32:43PM +0800, Zw Tang wrote:
> This looks like an ext4 inline-data boundary/state inconsistency triggered
> while writing to an ext4 image crafted by syzkaller. The later
> KASAN: slab-use-after-free in rwsem_down_write_slowpath() appears to be a
> secondary effect after the primary ext4 BUG, likely during teardown/unlink
> after the filesystem failure.
Writing to a mounted image is not something that we consider a valid
threat model. If you can write to a mounted image, there are a
zillion different ways that you can creash the kernel, or you can
create a setuid shell, etc.
The upstream syzkaller bot makes sure that CONFIG_BLK_DEV_WRITE_MOUNTED
is not defined to avoid syzkaller noise.
Out of curiosity, why are you running your own syzkaller instance? To
the extent that you duplicate findings done by the upstream syzkaller,
or use bad configurations that waste the time of upstream maintainers,
you are simply accelerating the time when we consider all syzkaller
reports as a denial of service attack on upstream maintainers.
To the upstream syzkaller folkers, can you fix syzkaller so that
disabling CONFIG_BLK_DEV_WRITE_MOUNTED is hard-coded so that the many
people who insist on duplicating syzkaller instances without enabling
the syzkaller dashboard functionality don't make this configuration
mistake?
Thanks, regards,
- Ted
^ permalink raw reply
* [PATH 6.6 3/3] ext4: get rid of ppath in convert_initialized_extent()
From: Yang Erkun @ 2026-04-21 11:34 UTC (permalink / raw)
To: stable, linux-ext4
Cc: tytso, libaokun, adilger.kernel, ojaswin, ritesh.list, jack,
gregkh, sashal, yangerkun, yi.zhang, zhangxiaoxu5
In-Reply-To: <20260421113416.4040274-1-yangerkun@huawei.com>
From: Baokun Li <libaokun1@huawei.com>
[ Upstream commit 4191eefef978d734fa8249bede3f9b02a85aa3c0 ]
The use of path and ppath is now very confusing, so to make the code more
readable, pass path between functions uniformly, and get rid of ppath.
To get rid of the ppath in convert_initialized_extent(), the following is
done here:
* Free the extents path when an error is encountered.
No functional changes.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Link: https://patch.msgid.link/20240822023545.1994557-23-libaokun@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Yang Erkun <yangerkun@huawei.com>
---
fs/ext4/extents.c | 37 +++++++++++++++++++------------------
1 file changed, 19 insertions(+), 18 deletions(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 0406dac7fbf1..1c55f498ce4f 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -3830,13 +3830,12 @@ ext4_convert_unwritten_extents_endio(handle_t *handle, struct inode *inode,
return ERR_PTR(err);
}
-static int
+static struct ext4_ext_path *
convert_initialized_extent(handle_t *handle, struct inode *inode,
struct ext4_map_blocks *map,
- struct ext4_ext_path **ppath,
+ struct ext4_ext_path *path,
unsigned int *allocated)
{
- struct ext4_ext_path *path = *ppath;
struct ext4_extent *ex;
ext4_lblk_t ee_block;
unsigned int ee_len;
@@ -3861,29 +3860,25 @@ convert_initialized_extent(handle_t *handle, struct inode *inode,
if (ee_block != map->m_lblk || ee_len > map->m_len) {
path = ext4_split_convert_extents(handle, inode, map, path,
EXT4_GET_BLOCKS_CONVERT_UNWRITTEN, NULL);
- if (IS_ERR(path)) {
- *ppath = NULL;
- return PTR_ERR(path);
- }
+ if (IS_ERR(path))
+ return path;
path = ext4_find_extent(inode, map->m_lblk, path, 0);
- if (IS_ERR(path)) {
- *ppath = NULL;
- return PTR_ERR(path);
- }
- *ppath = path;
+ if (IS_ERR(path))
+ return path;
depth = ext_depth(inode);
ex = path[depth].p_ext;
if (!ex) {
EXT4_ERROR_INODE(inode, "unexpected hole at %lu",
(unsigned long) map->m_lblk);
- return -EFSCORRUPTED;
+ err = -EFSCORRUPTED;
+ goto errout;
}
}
err = ext4_ext_get_access(handle, inode, path + depth);
if (err)
- return err;
+ goto errout;
/* first mark the extent as unwritten */
ext4_ext_mark_unwritten(ex);
@@ -3895,7 +3890,7 @@ convert_initialized_extent(handle_t *handle, struct inode *inode,
/* Mark modified extent as dirty */
err = ext4_ext_dirty(handle, inode, path + path->p_depth);
if (err)
- return err;
+ goto errout;
ext4_ext_show_leaf(inode, path);
ext4_update_inode_fsync_trans(handle, inode, 1);
@@ -3904,7 +3899,11 @@ convert_initialized_extent(handle_t *handle, struct inode *inode,
if (*allocated > map->m_len)
*allocated = map->m_len;
map->m_len = *allocated;
- return 0;
+ return path;
+
+errout:
+ ext4_free_ext_path(path);
+ return ERR_PTR(err);
}
static struct ext4_ext_path *
@@ -4271,8 +4270,10 @@ int ext4_ext_map_blocks(handle_t *handle, struct inode *inode,
*/
if ((!ext4_ext_is_unwritten(ex)) &&
(flags & EXT4_GET_BLOCKS_CONVERT_UNWRITTEN)) {
- err = convert_initialized_extent(handle,
- inode, map, &path, &allocated);
+ path = convert_initialized_extent(handle,
+ inode, map, path, &allocated);
+ if (IS_ERR(path))
+ err = PTR_ERR(path);
goto out;
} else if (!ext4_ext_is_unwritten(ex)) {
map->m_flags |= EXT4_MAP_MAPPED;
--
2.39.2
^ permalink raw reply related
* [PATH 6.6 2/3] ext4: get rid of ppath in ext4_force_split_extent_at()
From: Yang Erkun @ 2026-04-21 11:34 UTC (permalink / raw)
To: stable, linux-ext4
Cc: tytso, libaokun, adilger.kernel, ojaswin, ritesh.list, jack,
gregkh, sashal, yangerkun, yi.zhang, zhangxiaoxu5
In-Reply-To: <20260421113416.4040274-1-yangerkun@huawei.com>
From: Baokun Li <libaokun1@huawei.com>
[ Upstream commit f07be1c367369636d7d338d7994473d6eae283c5 ]
The use of path and ppath is now very confusing, so to make the code more
readable, pass path between functions uniformly, and get rid of ppath.
To get rid of the ppath in ext4_force_split_extent_at(), the following is
done here:
* Free the extents path when an error is encountered.
No functional changes.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Link: https://patch.msgid.link/20240822023545.1994557-17-libaokun@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Yang Erkun <yangerkun@huawei.com>
---
fs/ext4/extents.c | 69 ++++++++++++++++++++++++++---------------------
1 file changed, 38 insertions(+), 31 deletions(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 300bf2289bc1..0406dac7fbf1 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -329,27 +329,20 @@ static inline int ext4_ext_space_root_idx(struct inode *inode, int check)
return size;
}
-static inline int
+static inline struct ext4_ext_path *
ext4_force_split_extent_at(handle_t *handle, struct inode *inode,
- struct ext4_ext_path **ppath, ext4_lblk_t lblk,
+ struct ext4_ext_path *path, ext4_lblk_t lblk,
int nofail)
{
- struct ext4_ext_path *path = *ppath;
int unwritten = ext4_ext_is_unwritten(path[path->p_depth].p_ext);
int flags = EXT4_EX_NOCACHE | EXT4_GET_BLOCKS_PRE_IO;
if (nofail)
flags |= EXT4_GET_BLOCKS_METADATA_NOFAIL | EXT4_EX_NOFAIL;
- path = ext4_split_extent_at(handle, inode, path, lblk, unwritten ?
+ return ext4_split_extent_at(handle, inode, path, lblk, unwritten ?
EXT4_EXT_MARK_UNWRIT1|EXT4_EXT_MARK_UNWRIT2 : 0,
flags);
- if (IS_ERR(path)) {
- *ppath = NULL;
- return PTR_ERR(path);
- }
- *ppath = path;
- return 0;
}
static int
@@ -2890,11 +2883,12 @@ int ext4_ext_remove_space(struct inode *inode, ext4_lblk_t start,
* fail removing space due to ENOSPC so try to use
* reserved block if that happens.
*/
- err = ext4_force_split_extent_at(handle, inode, &path,
- end + 1, 1);
- if (err < 0)
+ path = ext4_force_split_extent_at(handle, inode, path,
+ end + 1, 1);
+ if (IS_ERR(path)) {
+ err = PTR_ERR(path);
goto out;
-
+ }
} else if (sbi->s_cluster_ratio > 1 && end >= ex_end &&
partial.state == initial) {
/*
@@ -5772,17 +5766,21 @@ ext4_swap_extents(handle_t *handle, struct inode *inode1,
/* Prepare left boundary */
if (e1_blk < lblk1) {
split = 1;
- *erp = ext4_force_split_extent_at(handle, inode1,
- &path1, lblk1, 0);
- if (unlikely(*erp))
+ path1 = ext4_force_split_extent_at(handle, inode1,
+ path1, lblk1, 0);
+ if (IS_ERR(path1)) {
+ *erp = PTR_ERR(path1);
goto finish;
+ }
}
if (e2_blk < lblk2) {
split = 1;
- *erp = ext4_force_split_extent_at(handle, inode2,
- &path2, lblk2, 0);
- if (unlikely(*erp))
+ path2 = ext4_force_split_extent_at(handle, inode2,
+ path2, lblk2, 0);
+ if (IS_ERR(path2)) {
+ *erp = PTR_ERR(path2);
goto finish;
+ }
}
/* ext4_split_extent_at() may result in leaf extent split,
* path must to be revalidated. */
@@ -5798,17 +5796,21 @@ ext4_swap_extents(handle_t *handle, struct inode *inode1,
if (len != e1_len) {
split = 1;
- *erp = ext4_force_split_extent_at(handle, inode1,
- &path1, lblk1 + len, 0);
- if (unlikely(*erp))
+ path1 = ext4_force_split_extent_at(handle, inode1,
+ path1, lblk1 + len, 0);
+ if (IS_ERR(path1)) {
+ *erp = PTR_ERR(path1);
goto finish;
+ }
}
if (len != e2_len) {
split = 1;
- *erp = ext4_force_split_extent_at(handle, inode2,
- &path2, lblk2 + len, 0);
- if (*erp)
+ path2 = ext4_force_split_extent_at(handle, inode2,
+ path2, lblk2 + len, 0);
+ if (IS_ERR(path2)) {
+ *erp = PTR_ERR(path2);
goto finish;
+ }
}
/* ext4_split_extent_at() may result in leaf extent split,
* path must to be revalidated. */
@@ -5974,24 +5976,29 @@ int ext4_ext_replay_update_ex(struct inode *inode, ext4_lblk_t start,
ext4_ext_get_actual_len(ex) != len) {
/* We need to split this extent to match our extent first */
down_write(&EXT4_I(inode)->i_data_sem);
- ret = ext4_force_split_extent_at(NULL, inode, &path, start, 1);
+ path = ext4_force_split_extent_at(NULL, inode, path, start, 1);
up_write(&EXT4_I(inode)->i_data_sem);
- if (ret)
+ if (IS_ERR(path)) {
+ ret = PTR_ERR(path);
goto out;
+ }
path = ext4_find_extent(inode, start, path, 0);
if (IS_ERR(path))
return PTR_ERR(path);
+
ex = path[path->p_depth].p_ext;
WARN_ON(le32_to_cpu(ex->ee_block) != start);
if (ext4_ext_get_actual_len(ex) != len) {
down_write(&EXT4_I(inode)->i_data_sem);
- ret = ext4_force_split_extent_at(NULL, inode, &path,
- start + len, 1);
+ path = ext4_force_split_extent_at(NULL, inode, path,
+ start + len, 1);
up_write(&EXT4_I(inode)->i_data_sem);
- if (ret)
+ if (IS_ERR(path)) {
+ ret = PTR_ERR(path);
goto out;
+ }
path = ext4_find_extent(inode, start, path, 0);
if (IS_ERR(path))
--
2.39.2
^ permalink raw reply related
* [PATH 6.6 1/3] ext4: get rid of ppath in get_ext_path()
From: Yang Erkun @ 2026-04-21 11:34 UTC (permalink / raw)
To: stable, linux-ext4
Cc: tytso, libaokun, adilger.kernel, ojaswin, ritesh.list, jack,
gregkh, sashal, yangerkun, yi.zhang, zhangxiaoxu5
In-Reply-To: <20260421113416.4040274-1-yangerkun@huawei.com>
From: Baokun Li <libaokun1@huawei.com>
[ Upstream commit 6b854d552711aa33f59eda334e6d94a00d8825bb ]
The use of path and ppath is now very confusing, so to make the code more
readable, pass path between functions uniformly, and get rid of ppath.
After getting rid of ppath in get_ext_path(), its caller may pass an error
pointer to ext4_free_ext_path(), so it needs to teach ext4_free_ext_path()
and ext4_ext_drop_refs() to skip the error pointer. No functional changes.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Link: https://patch.msgid.link/20240822023545.1994557-13-libaokun@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[we need IS_ERR_OR_NULL to prevent oops]
Reported-by: Hulk Robot <hulkrobot@huawei.com>
Signed-off-by: Yang Erkun <yangerkun@huawei.com>
---
fs/ext4/extents.c | 5 +++--
fs/ext4/move_extent.c | 34 +++++++++++++++++-----------------
2 files changed, 20 insertions(+), 19 deletions(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 7626cf2b07f1..300bf2289bc1 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -114,7 +114,7 @@ static void ext4_ext_drop_refs(struct ext4_ext_path *path)
{
int depth, i;
- if (!path)
+ if (IS_ERR_OR_NULL(path))
return;
depth = path->p_depth;
for (i = 0; i <= depth; i++, path++) {
@@ -125,6 +125,8 @@ static void ext4_ext_drop_refs(struct ext4_ext_path *path)
void ext4_free_ext_path(struct ext4_ext_path *path)
{
+ if (IS_ERR_OR_NULL(path))
+ return;
ext4_ext_drop_refs(path);
kfree(path);
}
@@ -4227,7 +4229,6 @@ int ext4_ext_map_blocks(handle_t *handle, struct inode *inode,
path = ext4_find_extent(inode, map->m_lblk, NULL, 0);
if (IS_ERR(path)) {
err = PTR_ERR(path);
- path = NULL;
goto out;
}
diff --git a/fs/ext4/move_extent.c b/fs/ext4/move_extent.c
index d5636a2a718a..96a84de32169 100644
--- a/fs/ext4/move_extent.c
+++ b/fs/ext4/move_extent.c
@@ -17,27 +17,23 @@
* get_ext_path() - Find an extent path for designated logical block number.
* @inode: inode to be searched
* @lblock: logical block number to find an extent path
- * @ppath: pointer to an extent path pointer (for output)
+ * @path: pointer to an extent path
*
- * ext4_find_extent wrapper. Return 0 on success, or a negative error value
- * on failure.
+ * ext4_find_extent wrapper. Return an extent path pointer on success,
+ * or an error pointer on failure.
*/
-static inline int
+static inline struct ext4_ext_path *
get_ext_path(struct inode *inode, ext4_lblk_t lblock,
- struct ext4_ext_path **ppath)
+ struct ext4_ext_path *path)
{
- struct ext4_ext_path *path = *ppath;
-
- *ppath = NULL;
path = ext4_find_extent(inode, lblock, path, EXT4_EX_NOCACHE);
if (IS_ERR(path))
- return PTR_ERR(path);
+ return path;
if (path[ext_depth(inode)].p_ext == NULL) {
ext4_free_ext_path(path);
- return -ENODATA;
+ return ERR_PTR(-ENODATA);
}
- *ppath = path;
- return 0;
+ return path;
}
/**
@@ -95,9 +91,11 @@ mext_check_coverage(struct inode *inode, ext4_lblk_t from, ext4_lblk_t count,
int ret = 0;
ext4_lblk_t last = from + count;
while (from < last) {
- *err = get_ext_path(inode, from, &path);
- if (*err)
- goto out;
+ path = get_ext_path(inode, from, path);
+ if (IS_ERR(path)) {
+ *err = PTR_ERR(path);
+ return ret;
+ }
ext = path[ext_depth(inode)].p_ext;
if (unwritten != ext4_ext_is_unwritten(ext))
goto out;
@@ -634,9 +632,11 @@ ext4_move_extents(struct file *o_filp, struct file *d_filp, __u64 orig_blk,
int offset_in_page;
int unwritten, cur_len;
- ret = get_ext_path(orig_inode, o_start, &path);
- if (ret)
+ path = get_ext_path(orig_inode, o_start, path);
+ if (IS_ERR(path)) {
+ ret = PTR_ERR(path);
goto out;
+ }
ex = path[path->p_depth].p_ext;
cur_blk = le32_to_cpu(ex->ee_block);
cur_len = ext4_ext_get_actual_len(ex);
--
2.39.2
^ permalink raw reply related
* [PATH 6.6 0/3] fix potential ext4 null pointer
From: Yang Erkun @ 2026-04-21 11:34 UTC (permalink / raw)
To: stable, linux-ext4
Cc: tytso, libaokun, adilger.kernel, ojaswin, ritesh.list, jack,
gregkh, sashal, yangerkun, yi.zhang, zhangxiaoxu5
Our Hulk robot discovered that there were missing 6b854d552711
("ext4: get rid of ppath in get_ext_path()") when backporting the
linux-6.6.y mainline patch set[1], which could potentially trigger
some error branches in ext4 to cause a panic. I also verified this
point during testing using xfstests-bld[2]. Along with this, we
have also backported other related patches from the corresponding
patch set [1].
[1]. https://lore.kernel.org/all/20240822023545.1994557-1-libaokun@huaweicloud.com/
[2]. https://github.com/tytso/xfstests-bld
generic/051 81s ... [09:20:24][ 509.012535] run fstests generic/051 at 2026-04-21 09:20:24
[ 509.314026] EXT4-fs (vdb): mounted filesystem d225342d-c437-4a7d-893b-5d02903a5ea4 r/w with ordered data mode. Quota mode: none.
[ 509.397019] EXT4-fs (vdc): mounted filesystem 72b9e6ee-4b56-45ee-b71e-ca491d2fd7e9 r/w with ordered data mode. Quota mode: none.
[ 509.399614] EXT4-fs (vdc): shut down requested (1)
[ 509.400082] Aborting journal on device vdc-8.
[ 509.402378] EXT4-fs (vdc): unmounting filesystem 72b9e6ee-4b56-45ee-b71e-ca491d2fd7e9.
[ 509.443140] EXT4-fs (vdc): mounted filesystem 03f15f3c-5938-41ea-bbf8-321de40d01ff r/w with ordered data mode. Quota mode: none.
[ 539.831842] EXT4-fs (vdc): unmounting filesystem 03f15f3c-5938-41ea-bbf8-321de40d01ff.
[ 539.868710] EXT4-fs (vdc): mounted filesystem 03f15f3c-5938-41ea-bbf8-321de40d01ff r/w with ordered data mode. Quota mode: none.
[ 552.967466] BUG: unable to handle page fault for address: ffffffffffffffec
[ 552.968455] #PF: supervisor read access in kernel mode
[ 552.969157] #PF: error_code(0x0000) - not-present page
[ 552.969859] PGD 282c067 P4D 282d067 PUD 282f067 PMD 0
[ 552.970575] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 552.971179] CPU: 0 PID: 292843 Comm: fsstress Not tainted 6.6.135-xfstests #2
[ 552.972143] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.1-2.fc37 04/01/2014
[ 552.973284] RIP: 0010:ext4_ext_map_blocks+0x191/0xab0
[ 552.973986] Code: 4c 89 e6 48 89 ef 48 8d 54 24 60 e8 89 6c ff ff 85 c0 89 44 24 28 0f 84 59 02 00 00 48 8b 44 24 30 48 85 c0 0f 84 09 06 00 00 <44> 0f b7 78 08 45 31 f6 48 89 1c 24 49 89 c4 44 89 f3 49 89 c6 49
[ 552.976362] RSP: 0018:ffa0000006ab3c78 EFLAGS: 00010286
[ 552.976862] RAX: ffffffffffffffe4 RBX: ffa0000006ab3de0 RCX: 0000000000000000
[ 552.977525] RDX: ffffffff82244590 RSI: ffffffff825d3cfc RDI: ff1100002e5d5068
[ 552.978189] RBP: ff110000064f6628 R08: ffffffff825d3ddd R09: ff1100006b74a618
[ 552.978850] R10: 00000000d8f693c7 R11: ff11000077f49ff0 R12: ff110000062040c0
[ 552.979511] R13: 0000000000000043 R14: 0000000000025b80 R15: ff110000069f1000
[ 552.980159] FS: 00007f7685ec8740(0000) GS:ff1100007dc00000(0000) knlGS:0000000000000000
[ 552.980906] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 552.981445] CR2: ffffffffffffffec CR3: 0000000006a44005 CR4: 0000000000771ef0
[ 552.982091] PKRU: 55555554
[ 552.982351] Call Trace:
[ 552.982606] <TASK>
[ 552.982818] ext4_map_blocks+0x23e/0x6b0
[ 552.983191] ext4_alloc_file_blocks.isra.0+0x12b/0x370
[ 552.983671] ext4_fallocate+0x150/0x310
[ 552.984034] vfs_fallocate+0x13e/0x380
[ 552.984391] ioctl_preallocate+0xa4/0xd0
[ 552.984769] __x64_sys_ioctl+0x71/0xd0
[ 552.985126] do_syscall_64+0x38/0x80
[ 552.985479] entry_SYSCALL_64_after_hwframe+0x78/0xe2
[ 552.985956] RIP: 0033:0x7f7685fc8c5b
[ 552.986291] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 552.987925] RSP: 002b:00007fff16838290 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 552.988571] RAX: ffffffffffffffda RBX: 000000000000991b RCX: 00007f7685fc8c5b
[ 552.989186] RDX: 00007fff16838310 RSI: 000000004030582a RDI: 0000000000000003
[ 552.989812] RBP: 0000000000000003 R08: 0000000000000002 R09: 00007fff168382fc
[ 552.990428] R10: 0000000000001000 R11: 0000000000000246 R12: 0000000000000000
[ 552.991043] R13: 00000000001a6829 R14: 8f5c28f5c28f5c29 R15: 000055c9bd970650
[ 552.991655] </TASK>
[ 552.991857] CR2: ffffffffffffffec
[ 552.992154] ---[ end trace 0000000000000000 ]---
[ 552.992557] RIP: 0010:ext4_ext_map_blocks+0x191/0xab0
Baokun Li (3):
ext4: get rid of ppath in get_ext_path()
ext4: get rid of ppath in ext4_force_split_extent_at()
ext4: get rid of ppath in convert_initialized_extent()
fs/ext4/extents.c | 111 +++++++++++++++++++++++-------------------
fs/ext4/move_extent.c | 34 ++++++-------
2 files changed, 77 insertions(+), 68 deletions(-)
--
2.39.2
^ permalink raw reply
* [BUG] ext4: BUG_ON in ext4_write_inline_data (fs/ext4/inline.c:240)
From: Zw Tang @ 2026-04-21 11:32 UTC (permalink / raw)
To: tytso
Cc: Andreas Dilger, libaokun, jack, ojaswin, linux-ext4, linux-kernel,
yi.zhang
Hi,
I am reporting a kernel BUG in ext4 triggered by a syzkaller reproducer on
Linux 7.0.0-08391-g1d51b370a0f8.
The first fatal issue happens in the ext4 inline data write path:
sendfile64 -> ext4_file_write_iter -> ext4_da_write_end ->
ext4_write_inline_data_end -> ext4_write_inline_data.
The crash is reported as:
kernel BUG at fs/ext4/inline.c:240
and RIP points to:
ext4_write_inline_data+0x3d0/0x490
This looks like an ext4 inline-data boundary/state inconsistency triggered
while writing to an ext4 image crafted by syzkaller. The later
KASAN: slab-use-after-free in rwsem_down_write_slowpath() appears to be a
secondary effect after the primary ext4 BUG, likely during teardown/unlink
after the filesystem failure.
Reproducer:
C reproducer: pastebin.com/raw/3LmK5Kxg
console output: pastebin.com/raw/C0XjNMXp
kernel config: pastebin.com/raw/aq1V3cLk
Kernel:
HEAD commit:
git tree: <e.g. torvalds/linux>
kernel version: 7.0.0-08391-g1d51b370a0f8 #1 PREEMPT(lazy) (QEMU)
Relevant log:
[ 1329.147750] kernel BUG at fs/ext4/inline.c:240!
[ 1329.148692] Oops: invalid opcode: 0000 [#1] SMP KASAN
[ 1329.149543] CPU: 0 UID: 0 PID: 334 Comm: repro1 Tainted: G W
7.0.0-08391-g1d51b370a0f8 #1 PREEMPT(lazy)
[ 1329.153249] RIP: 0010+0x3d0/0x490
[ 1329.167978] ext4_write_inline_data_end+0x293/0xc90
[ 1329.170566] ext4_da_write_end+0x521/0xec0
[ 1329.176842] ext4_buffered_write_iter+0x11a/0x430
[ 1329.177610] ext4_file_write_iter+0x561/0x1840
[ 1329.185052] iter_file_splice_write+0xa33/0x11c0
[ 1329.190820] direct_splice_actor+0x18f/0x7a0
[ 1329.198893] do_splice_direct+0x41/0x50
[ 1329.200276] do_sendfile+0xa86/0xda0
[ 1329.203110] __x64_sys_sendfile64+0x1cf/0x210
There is also an ext4 metadata inconsistency message right after the BUG:
[ 1329.221770] EXT4-fs error (device loop1):
ext4_mb_generate_buddy:1314: group 0, block bitmap and bg descriptor
inconsistent: 25 vs 150994969 free clusters
and later a secondary report:
[ 1329.274881] BUG: KASAN: slab-use-after-free in
rwsem_down_write_slowpath+0x15e9/0x1640
Based on the log, I believe the primary issue to investigate is the BUG in
fs/ext4/inline.c, while the later rwsem report is probably fallout after
the ext4 failure.
Please let me know if more information is needed.
Thanks.
^ permalink raw reply
* Re: [patch 33/38] powerpc: Select ARCH_HAS_RANDOM_ENTROPY
From: Mukesh Kumar Chaurasiya @ 2026-04-21 11:22 UTC (permalink / raw)
To: Thomas Gleixner
Cc: LKML, Michael Ellerman, linuxppc-dev, Arnd Bergmann, x86,
Lu Baolu, iommu, Michael Grzeschik, netdev, linux-wireless,
Herbert Xu, linux-crypto, Vlastimil Babka, linux-mm,
David Woodhouse, Bernie Thompson, linux-fbdev, Theodore Tso,
linux-ext4, Andrew Morton, Uladzislau Rezki, Marco Elver,
Dmitry Vyukov, kasan-dev, Andrey Ryabinin, Thomas Sailer,
linux-hams, Jason A. Donenfeld, Richard Henderson, linux-alpha,
Russell King, linux-arm-kernel, Catalin Marinas, Huacai Chen,
loongarch, Geert Uytterhoeven, linux-m68k, Dinh Nguyen,
Jonas Bonn, linux-openrisc, Helge Deller, linux-parisc,
Paul Walmsley, linux-riscv, Heiko Carstens, linux-s390,
David S. Miller, sparclinux
In-Reply-To: <20260410120319.789114053@kernel.org>
On Fri, Apr 10, 2026 at 02:21:09PM +0200, Thomas Gleixner wrote:
> The only remaining usage of get_cycles() is to provide random_get_entropy().
>
> Switch powerpc over to the new scheme of selecting ARCH_HAS_RANDOM_ENTROPY
> and providing random_get_entropy() in asm/random.h.
>
> Remove asm/timex.h as it has no functionality anymore.
>
> Signed-off-by: Thomas Gleixner <tglx@kernel.org>
> Cc: Michael Ellerman <mpe@ellerman.id.au>
> Cc: linuxppc-dev@lists.ozlabs.org
> ---
> arch/powerpc/Kconfig | 1 +
> arch/powerpc/include/asm/random.h | 13 +++++++++++++
> arch/powerpc/include/asm/timex.h | 21 ---------------------
> 3 files changed, 14 insertions(+), 21 deletions(-)
>
> --- a/arch/powerpc/Kconfig
> +++ b/arch/powerpc/Kconfig
> @@ -150,6 +150,7 @@ config PPC
> select ARCH_HAS_PREEMPT_LAZY
> select ARCH_HAS_PTDUMP
> select ARCH_HAS_PTE_SPECIAL
> + select ARCH_HAS_RANDOM_ENTROPY
> select ARCH_HAS_SCALED_CPUTIME if VIRT_CPU_ACCOUNTING_NATIVE && PPC_BOOK3S_64
> select ARCH_HAS_SET_MEMORY
> select ARCH_HAS_STRICT_KERNEL_RWX if (PPC_BOOK3S || PPC_8xx) && !HIBERNATION
> --- /dev/null
> +++ b/arch/powerpc/include/asm/random.h
> @@ -0,0 +1,13 @@
> +/* SPDX-License-Identifier: GPL-2.0 */
> +#ifndef _ASM_POWERPC_RANDOM_H
> +#define _ASM_POWERPC_RANDOM_H
> +
> +#include <asm/cputable.h>
> +#include <asm/vdso/timebase.h>
> +
> +static inline unsigned long random_get_entropy(void)
> +{
> + return mftb();
> +}
> +
> +#endif /* _ASM_POWERPC_RANDOM_H */
> --- a/arch/powerpc/include/asm/timex.h
> +++ b/arch/powerpc/include/asm/timex.h
> @@ -1,21 +0,0 @@
> -/* SPDX-License-Identifier: GPL-2.0 */
> -#ifndef _ASM_POWERPC_TIMEX_H
> -#define _ASM_POWERPC_TIMEX_H
> -
> -#ifdef __KERNEL__
> -
> -/*
> - * PowerPC architecture timex specifications
> - */
> -
> -#include <asm/cputable.h>
> -#include <asm/vdso/timebase.h>
> -
> -ostatic inline cycles_t get_cycles(void)
> -{
R> - return mftb();
> -}
> -#define get_cycles get_cycles
> -
> -#endif /* __KERNEL__ */
> -#endif /* _ASM_POWERPC_TIMEX_H */
>
Build tested for this series with allmodconfig and allyesconfig on ppc64le
machine for ppc64le.
tree: git://git.kernel.org/pub/scm/linux/kernel/git/tglx/devel.git getcycles-v1
Boot tested for this series on powernv9 qemu, powernv10 qemu and pSeries
power11 hardware.
Tested-by: Mukesh Kumar Chaurasiya (IBM) <mkchauras@gmail.com>
Reviewed-by: Mukesh Kumar Chaurasiya (IBM) <mkchauras@gmail.com>
^ permalink raw reply
* Re: [PATCH] ext4: prevent out-of-bounds read in ext4_read_inline_data()
From: Jan Kara @ 2026-04-21 10:04 UTC (permalink / raw)
To: Junjie Cao
Cc: tytso, adilger.kernel, jack, libaokun, ojaswin, ritesh.list,
yi.zhang, linux-ext4, linux-kernel, stable,
syzbot+26c4a8cab92d0cda3e3b
In-Reply-To: <20260421093138.906266-1-junjie.cao@intel.com>
On Tue 21-04-26 17:31:38, Junjie Cao wrote:
> ext4_read_inline_data() reads e_value_offs from the inode buffer_head on
> each call, but the decision to enter the xattr value path depends on
> i_inline_size cached in EXT4_I(inode) at iget time. If the buffer
> contents change after the initial validation, e_value_offs can point
> beyond the inode body while i_inline_size still directs the code into
> the xattr value path, causing an out-of-bounds read in the memcpy.
>
> Add a bounds check before the memcpy, consistent with
> ext4_xattr_ibody_get(). Also guard folio_mark_uptodate() in
> ext4_read_inline_folio() since ext4_read_inline_data() can now return
> -EFSCORRUPTED.
>
> Fixes: 67cf5b09a46f ("ext4: add the basic function for inline data support")
> Cc: stable@vger.kernel.org
> Reported-by: syzbot+26c4a8cab92d0cda3e3b@syzkaller.appspotmail.com
> Tested-by: syzbot+26c4a8cab92d0cda3e3b@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=26c4a8cab92d0cda3e3b
> Signed-off-by: Junjie Cao <junjie.cao@intel.com>
If the buffer contents changes after the initial validation, there is some
problem somewhere and this isn't going to fix it (likely the fs is
corrupted and that isn't properly detected). Please fix the real problem,
not just paper over it.
Honza
> ---
> fs/ext4/inline.c | 11 ++++++++++-
> 1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
> index 408677fa8196..18c678df0a6e 100644
> --- a/fs/ext4/inline.c
> +++ b/fs/ext4/inline.c
> @@ -211,6 +211,14 @@ static int ext4_read_inline_data(struct inode *inode, void *buffer,
> len = min_t(unsigned int, len,
> (unsigned int)le32_to_cpu(entry->e_value_size));
>
> + if (unlikely((void *)IFIRST(header) + le16_to_cpu(entry->e_value_offs) +
> + len > (void *)ITAIL(inode, raw_inode))) {
> + EXT4_ERROR_INODE(inode,
> + "inline data value out of bounds (offs %u len %u)",
> + le16_to_cpu(entry->e_value_offs), len);
> + return -EFSCORRUPTED;
> + }
> +
> memcpy(buffer,
> (void *)IFIRST(header) + le16_to_cpu(entry->e_value_offs), len);
> cp_len += len;
> @@ -535,7 +543,8 @@ static int ext4_read_inline_folio(struct inode *inode, struct folio *folio)
> ret = ext4_read_inline_data(inode, kaddr, len, &iloc);
> kaddr = folio_zero_tail(folio, len, kaddr + len);
> kunmap_local(kaddr);
> - folio_mark_uptodate(folio);
> + if (ret >= 0)
> + folio_mark_uptodate(folio);
> brelse(iloc.bh);
>
> out:
> --
> 2.43.0
>
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
^ permalink raw reply
* [PATCH] ext4: prevent out-of-bounds read in ext4_read_inline_data()
From: Junjie Cao @ 2026-04-21 9:31 UTC (permalink / raw)
To: tytso
Cc: adilger.kernel, jack, libaokun, ojaswin, ritesh.list, yi.zhang,
linux-ext4, linux-kernel, stable, syzbot+26c4a8cab92d0cda3e3b,
junjie.cao
ext4_read_inline_data() reads e_value_offs from the inode buffer_head on
each call, but the decision to enter the xattr value path depends on
i_inline_size cached in EXT4_I(inode) at iget time. If the buffer
contents change after the initial validation, e_value_offs can point
beyond the inode body while i_inline_size still directs the code into
the xattr value path, causing an out-of-bounds read in the memcpy.
Add a bounds check before the memcpy, consistent with
ext4_xattr_ibody_get(). Also guard folio_mark_uptodate() in
ext4_read_inline_folio() since ext4_read_inline_data() can now return
-EFSCORRUPTED.
Fixes: 67cf5b09a46f ("ext4: add the basic function for inline data support")
Cc: stable@vger.kernel.org
Reported-by: syzbot+26c4a8cab92d0cda3e3b@syzkaller.appspotmail.com
Tested-by: syzbot+26c4a8cab92d0cda3e3b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=26c4a8cab92d0cda3e3b
Signed-off-by: Junjie Cao <junjie.cao@intel.com>
---
fs/ext4/inline.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index 408677fa8196..18c678df0a6e 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -211,6 +211,14 @@ static int ext4_read_inline_data(struct inode *inode, void *buffer,
len = min_t(unsigned int, len,
(unsigned int)le32_to_cpu(entry->e_value_size));
+ if (unlikely((void *)IFIRST(header) + le16_to_cpu(entry->e_value_offs) +
+ len > (void *)ITAIL(inode, raw_inode))) {
+ EXT4_ERROR_INODE(inode,
+ "inline data value out of bounds (offs %u len %u)",
+ le16_to_cpu(entry->e_value_offs), len);
+ return -EFSCORRUPTED;
+ }
+
memcpy(buffer,
(void *)IFIRST(header) + le16_to_cpu(entry->e_value_offs), len);
cp_len += len;
@@ -535,7 +543,8 @@ static int ext4_read_inline_folio(struct inode *inode, struct folio *folio)
ret = ext4_read_inline_data(inode, kaddr, len, &iloc);
kaddr = folio_zero_tail(folio, len, kaddr + len);
kunmap_local(kaddr);
- folio_mark_uptodate(folio);
+ if (ret >= 0)
+ folio_mark_uptodate(folio);
brelse(iloc.bh);
out:
--
2.43.0
^ permalink raw reply related
* Re: [PATCH v2 v2 2/2] ext4: allow clearing mballoc stats through mb_stats
From: liubaolin @ 2026-04-21 7:07 UTC (permalink / raw)
To: Ojaswin Mujoo
Cc: Ritesh Harjani (IBM), Andreas Dilger, tytso, wangguanyu, yi.zhang,
linux-ext4, linux-kernel, Baolin Liu
In-Reply-To: <aecVCWGL3bUFFiBd@li-dc0c254c-257c-11b2-a85c-98b6c1322444.ibm.com>
在 2026/4/21 14:12, Ojaswin Mujoo 写道:
> On Tue, Apr 21, 2026 at 01:22:31PM +0800, liubaolin wrote:
>> Dear all,
>> I noticed the discussion about where to document the ext4 proc parameter
>> mb_stats.
>> I ran:
>> git grep -n "/proc/fs/ext4" Documentation/
>> and found that ext4 proc parameters are currently documented in both
>> Documentation/admin-guide/ext4.rst and
>> Documentation/filesystems/proc.rst.
>>
>> To be consistent with the existing documentation, I am thinking about
>> documenting mb_stats in both places.
>> If there are no objections, I will send a v3 shortly.
>> Compared with v2,the v3 patch will add the mb_stats documentation to both
>> ext4.rst and proc.rst.
>
> Yes this makes sense to me. Feel free to retain the Reviewed-by since this is
> just a documentation change.
> OK, I will add all the reviewers who helped review my patch with Reviewed-by tags in the v3 version.
>
> Thanks,
> Ojaswin
>
>>
>> Regards,
>> Baolin
>>
>>
>>
>> 在 2026/4/21 11:40, Ritesh Harjani (IBM) 写道:
>>> Andreas Dilger <adilger@dilger.ca> writes:
>>>
>>>> On Apr 20, 2026, at 03:12, Ojaswin Mujoo <ojaswin@linux.ibm.com> wrote:
>>>>>
>>>>> On Sun, Apr 19, 2026 at 02:34:36PM +0800, Baolin Liu wrote:
>>>>>> From: Baolin Liu <liubaolin@kylinos.cn>
>>>>>>
>>>>>> Make /proc/fs/ext4/<dev>/mb_stats writable and clear the runtime
>>>>>> mballoc statistics when 0 is written.
>>>>>>
>>>>>> Signed-off-by: Baolin Liu <liubaolin@kylinos.cn>
>>>>>> ---
>>>>> Hi Baolin, thanks for the changes.
>>>>>
>>>>> Seems like userspace doesn't have any way to know that writing 0 will
>>>>> clear the that. Well, I guess if you are looking at this file you are
>>>>> anyways debugging kernel code so that should be fine
>>>>
>>>> That could be documented in Documentation/filesystems/ext4/allocators.rst,
>>>> or better would be to add a new file that covers mballoc in more detail.
>>>>
>>>
>>> I started looking for ext4's control knobs for sys-admins in kernel
>>> Documentation where we should ideally document this, and I see those
>>> are declared here..
>>>
>>> Documentation/admin-guide/ext4.rst
>>> Documentation/ABI/testing/sysfs-fs-ext4.rst
>>>
>>> Looking at this and the relevant code, I see all /proc/ entries in ext4
>>> are all readable and sysfs entries for ext4 are mostly the control knobs
>>> which are declared in above admin guide.
>>>
>>> But now this patch adds a control knob to /proc/fs/ext4/<dev>/mb_stats,
>>> to clear the stats :).
>>>
>>> I guess we could have simply documented a new control knob value (e.g.
>>> "2") for clearing the stats via /sys/fs/ext4/<dev>/mb_stats itself or
>>> maybe even having mb_stats_clear file in sysfs wasn't bad either... But
>>> either ways, clearing the stats via the same procfs mb_stats file is not
>>> totally bad and I don't have a strong preference.
>>>
>>>
>>> For documenting this, we can add mb_stats entry under /proc section in
>>> Documentation/admin-guide/ext4.rst and document this change. Something
>>> like -
>>>
>>> mb_stats
>>> reports runtime statistics from multiblock allocator (mballoc),
>>> including allocation request counts, groups scanned,
>>> per-criteria scan hits (cr_p2_aligned, cr_goal_fast,
>>> cr_best_avail, cr_goal_slow, cr_any_free), groups / extents
>>> scanned, goal hits, buddy bitmap generations, and preallocation
>>> usage etc.
>>> Writing 0 to this procfs file resets all counters to zero.
>>>
>>>
>>> -ritesh
>>
^ permalink raw reply
* Re: [patch 32/38] powerpc/spufs: Use mftb() directly
From: Mukesh Kumar Chaurasiya @ 2026-04-21 6:48 UTC (permalink / raw)
To: Thomas Gleixner
Cc: LKML, Michael Ellerman, linuxppc-dev, Arnd Bergmann, x86,
Lu Baolu, iommu, Michael Grzeschik, netdev, linux-wireless,
Herbert Xu, linux-crypto, Vlastimil Babka, linux-mm,
David Woodhouse, Bernie Thompson, linux-fbdev, Theodore Tso,
linux-ext4, Andrew Morton, Uladzislau Rezki, Marco Elver,
Dmitry Vyukov, kasan-dev, Andrey Ryabinin, Thomas Sailer,
linux-hams, Jason A. Donenfeld, Richard Henderson, linux-alpha,
Russell King, linux-arm-kernel, Catalin Marinas, Huacai Chen,
loongarch, Geert Uytterhoeven, linux-m68k, Dinh Nguyen,
Jonas Bonn, linux-openrisc, Helge Deller, linux-parisc,
Paul Walmsley, linux-riscv, Heiko Carstens, linux-s390,
David S. Miller, sparclinux
In-Reply-To: <20260410120319.723429844@kernel.org>
On Fri, Apr 10, 2026 at 02:21:04PM +0200, Thomas Gleixner wrote:
> There is no reason to indirect via get_cycles(), which is about to be
> removed.
>
> Use mftb() directly.
>
> Signed-off-by: Thomas Gleixner <tglx@kernel.org>
> Cc: Michael Ellerman <mpe@ellerman.id.au>
> Cc: linuxppc-dev@lists.ozlabs.org
> ---
> arch/powerpc/platforms/cell/spufs/switch.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> --- a/arch/powerpc/platforms/cell/spufs/switch.c
> +++ b/arch/powerpc/platforms/cell/spufs/switch.c
> @@ -34,6 +34,7 @@
> #include <asm/spu_priv1.h>
> #include <asm/spu_csa.h>
> #include <asm/mmu_context.h>
> +#include <asm/time.h>
>
> #include "spufs.h"
>
> @@ -279,7 +280,7 @@ static inline void save_timebase(struct
> * Read PPE Timebase High and Timebase low registers
> * and save in CSA. TBD.
> */
> - csa->suspend_time = get_cycles();
> + csa->suspend_time = mftb();
> }
>
> static inline void remove_other_spu_access(struct spu_state *csa,
> @@ -1261,7 +1262,7 @@ static inline void setup_decr(struct spu
> * in LSCSA.
> */
> if (csa->priv2.mfc_control_RW & MFC_CNTL_DECREMENTER_RUNNING) {
> - cycles_t resume_time = get_cycles();
> + cycles_t resume_time = mftb();
> cycles_t delta_time = resume_time - csa->suspend_time;
>
> csa->lscsa->decr_status.slot[0] = SPU_DECR_STATUS_RUNNING;
>
Reviewed-by: Mukesh Kumar Chaurasiya (IBM) <mkchauras@gmail.com>
^ permalink raw reply
* Re: [PATCH v2 v2 2/2] ext4: allow clearing mballoc stats through mb_stats
From: Ojaswin Mujoo @ 2026-04-21 6:12 UTC (permalink / raw)
To: liubaolin
Cc: Ritesh Harjani (IBM), Andreas Dilger, tytso, wangguanyu, yi.zhang,
linux-ext4, linux-kernel, Baolin Liu
In-Reply-To: <9a2d25d3-219f-481c-afb8-083c8b9417c1@163.com>
On Tue, Apr 21, 2026 at 01:22:31PM +0800, liubaolin wrote:
> Dear all,
> I noticed the discussion about where to document the ext4 proc parameter
> mb_stats.
> I ran:
> git grep -n "/proc/fs/ext4" Documentation/
> and found that ext4 proc parameters are currently documented in both
> Documentation/admin-guide/ext4.rst and
> Documentation/filesystems/proc.rst.
>
> To be consistent with the existing documentation, I am thinking about
> documenting mb_stats in both places.
> If there are no objections, I will send a v3 shortly.
> Compared with v2,the v3 patch will add the mb_stats documentation to both
> ext4.rst and proc.rst.
Yes this makes sense to me. Feel free to retain the Reviewed-by since this is
just a documentation change.
Thanks,
Ojaswin
>
> Regards,
> Baolin
>
>
>
> 在 2026/4/21 11:40, Ritesh Harjani (IBM) 写道:
> > Andreas Dilger <adilger@dilger.ca> writes:
> >
> > > On Apr 20, 2026, at 03:12, Ojaswin Mujoo <ojaswin@linux.ibm.com> wrote:
> > > >
> > > > On Sun, Apr 19, 2026 at 02:34:36PM +0800, Baolin Liu wrote:
> > > > > From: Baolin Liu <liubaolin@kylinos.cn>
> > > > >
> > > > > Make /proc/fs/ext4/<dev>/mb_stats writable and clear the runtime
> > > > > mballoc statistics when 0 is written.
> > > > >
> > > > > Signed-off-by: Baolin Liu <liubaolin@kylinos.cn>
> > > > > ---
> > > > Hi Baolin, thanks for the changes.
> > > >
> > > > Seems like userspace doesn't have any way to know that writing 0 will
> > > > clear the that. Well, I guess if you are looking at this file you are
> > > > anyways debugging kernel code so that should be fine
> > >
> > > That could be documented in Documentation/filesystems/ext4/allocators.rst,
> > > or better would be to add a new file that covers mballoc in more detail.
> > >
> >
> > I started looking for ext4's control knobs for sys-admins in kernel
> > Documentation where we should ideally document this, and I see those
> > are declared here..
> >
> > Documentation/admin-guide/ext4.rst
> > Documentation/ABI/testing/sysfs-fs-ext4.rst
> >
> > Looking at this and the relevant code, I see all /proc/ entries in ext4
> > are all readable and sysfs entries for ext4 are mostly the control knobs
> > which are declared in above admin guide.
> >
> > But now this patch adds a control knob to /proc/fs/ext4/<dev>/mb_stats,
> > to clear the stats :).
> >
> > I guess we could have simply documented a new control knob value (e.g.
> > "2") for clearing the stats via /sys/fs/ext4/<dev>/mb_stats itself or
> > maybe even having mb_stats_clear file in sysfs wasn't bad either... But
> > either ways, clearing the stats via the same procfs mb_stats file is not
> > totally bad and I don't have a strong preference.
> >
> >
> > For documenting this, we can add mb_stats entry under /proc section in
> > Documentation/admin-guide/ext4.rst and document this change. Something
> > like -
> >
> > mb_stats
> > reports runtime statistics from multiblock allocator (mballoc),
> > including allocation request counts, groups scanned,
> > per-criteria scan hits (cr_p2_aligned, cr_goal_fast,
> > cr_best_avail, cr_goal_slow, cr_any_free), groups / extents
> > scanned, goal hits, buddy bitmap generations, and preallocation
> > usage etc.
> > Writing 0 to this procfs file resets all counters to zero.
> >
> >
> > -ritesh
>
^ permalink raw reply
* Re: [PATCH v2 v2 2/2] ext4: allow clearing mballoc stats through mb_stats
From: liubaolin @ 2026-04-21 5:22 UTC (permalink / raw)
To: Ritesh Harjani (IBM), Andreas Dilger, Ojaswin Mujoo
Cc: tytso, wangguanyu, yi.zhang, linux-ext4, linux-kernel, Baolin Liu
In-Reply-To: <7bq1t1zg.ritesh.list@gmail.com>
Dear all,
I noticed the discussion about where to document the ext4 proc
parameter mb_stats.
I ran:
git grep -n "/proc/fs/ext4" Documentation/
and found that ext4 proc parameters are currently documented in both
Documentation/admin-guide/ext4.rst and
Documentation/filesystems/proc.rst.
To be consistent with the existing documentation, I am thinking
about documenting mb_stats in both places.
If there are no objections, I will send a v3 shortly.
Compared with v2,the v3 patch will add the mb_stats documentation to
both ext4.rst and proc.rst.
Regards,
Baolin
在 2026/4/21 11:40, Ritesh Harjani (IBM) 写道:
> Andreas Dilger <adilger@dilger.ca> writes:
>
>> On Apr 20, 2026, at 03:12, Ojaswin Mujoo <ojaswin@linux.ibm.com> wrote:
>>>
>>> On Sun, Apr 19, 2026 at 02:34:36PM +0800, Baolin Liu wrote:
>>>> From: Baolin Liu <liubaolin@kylinos.cn>
>>>>
>>>> Make /proc/fs/ext4/<dev>/mb_stats writable and clear the runtime
>>>> mballoc statistics when 0 is written.
>>>>
>>>> Signed-off-by: Baolin Liu <liubaolin@kylinos.cn>
>>>> ---
>>> Hi Baolin, thanks for the changes.
>>>
>>> Seems like userspace doesn't have any way to know that writing 0 will
>>> clear the that. Well, I guess if you are looking at this file you are
>>> anyways debugging kernel code so that should be fine
>>
>> That could be documented in Documentation/filesystems/ext4/allocators.rst,
>> or better would be to add a new file that covers mballoc in more detail.
>>
>
> I started looking for ext4's control knobs for sys-admins in kernel
> Documentation where we should ideally document this, and I see those
> are declared here..
>
> Documentation/admin-guide/ext4.rst
> Documentation/ABI/testing/sysfs-fs-ext4.rst
>
> Looking at this and the relevant code, I see all /proc/ entries in ext4
> are all readable and sysfs entries for ext4 are mostly the control knobs
> which are declared in above admin guide.
>
> But now this patch adds a control knob to /proc/fs/ext4/<dev>/mb_stats,
> to clear the stats :).
>
> I guess we could have simply documented a new control knob value (e.g.
> "2") for clearing the stats via /sys/fs/ext4/<dev>/mb_stats itself or
> maybe even having mb_stats_clear file in sysfs wasn't bad either... But
> either ways, clearing the stats via the same procfs mb_stats file is not
> totally bad and I don't have a strong preference.
>
>
> For documenting this, we can add mb_stats entry under /proc section in
> Documentation/admin-guide/ext4.rst and document this change. Something
> like -
>
> mb_stats
> reports runtime statistics from multiblock allocator (mballoc),
> including allocation request counts, groups scanned,
> per-criteria scan hits (cr_p2_aligned, cr_goal_fast,
> cr_best_avail, cr_goal_slow, cr_any_free), groups / extents
> scanned, goal hits, buddy bitmap generations, and preallocation
> usage etc.
> Writing 0 to this procfs file resets all counters to zero.
>
>
> -ritesh
^ permalink raw reply
* Re: [PATCH v2 v2 2/2] ext4: allow clearing mballoc stats through mb_stats
From: Ritesh Harjani @ 2026-04-21 3:40 UTC (permalink / raw)
To: Andreas Dilger, Ojaswin Mujoo
Cc: Baolin Liu, tytso, wangguanyu, yi.zhang, linux-ext4, linux-kernel,
Baolin Liu
In-Reply-To: <4A904858-8611-42BC-B1BD-9679F284F8EE@dilger.ca>
Andreas Dilger <adilger@dilger.ca> writes:
> On Apr 20, 2026, at 03:12, Ojaswin Mujoo <ojaswin@linux.ibm.com> wrote:
>>
>> On Sun, Apr 19, 2026 at 02:34:36PM +0800, Baolin Liu wrote:
>>> From: Baolin Liu <liubaolin@kylinos.cn>
>>>
>>> Make /proc/fs/ext4/<dev>/mb_stats writable and clear the runtime
>>> mballoc statistics when 0 is written.
>>>
>>> Signed-off-by: Baolin Liu <liubaolin@kylinos.cn>
>>> ---
>> Hi Baolin, thanks for the changes.
>>
>> Seems like userspace doesn't have any way to know that writing 0 will
>> clear the that. Well, I guess if you are looking at this file you are
>> anyways debugging kernel code so that should be fine
>
> That could be documented in Documentation/filesystems/ext4/allocators.rst,
> or better would be to add a new file that covers mballoc in more detail.
>
I started looking for ext4's control knobs for sys-admins in kernel
Documentation where we should ideally document this, and I see those
are declared here..
Documentation/admin-guide/ext4.rst
Documentation/ABI/testing/sysfs-fs-ext4.rst
Looking at this and the relevant code, I see all /proc/ entries in ext4
are all readable and sysfs entries for ext4 are mostly the control knobs
which are declared in above admin guide.
But now this patch adds a control knob to /proc/fs/ext4/<dev>/mb_stats,
to clear the stats :).
I guess we could have simply documented a new control knob value (e.g.
"2") for clearing the stats via /sys/fs/ext4/<dev>/mb_stats itself or
maybe even having mb_stats_clear file in sysfs wasn't bad either... But
either ways, clearing the stats via the same procfs mb_stats file is not
totally bad and I don't have a strong preference.
For documenting this, we can add mb_stats entry under /proc section in
Documentation/admin-guide/ext4.rst and document this change. Something
like -
mb_stats
reports runtime statistics from multiblock allocator (mballoc),
including allocation request counts, groups scanned,
per-criteria scan hits (cr_p2_aligned, cr_goal_fast,
cr_best_avail, cr_goal_slow, cr_any_free), groups / extents
scanned, goal hits, buddy bitmap generations, and preallocation
usage etc.
Writing 0 to this procfs file resets all counters to zero.
-ritesh
^ permalink raw reply
* Re: [RFC PATCH] iomap: add fast read path for small direct I/O
From: Fengnan @ 2026-04-21 3:19 UTC (permalink / raw)
To: Dave Chinner
Cc: Ojaswin Mujoo, Fengnan Chang, brauner, djwong, linux-xfs,
linux-fsdevel, linux-ext4, lidiangang
In-Reply-To: <aea96YRt2aHJsM96@dread>
[-- Attachment #1: Type: text/plain, Size: 6240 bytes --]
在 2026/4/21 07:59, Dave Chinner 写道:
> On Thu, Apr 16, 2026 at 11:22:08AM +0800, changfengnan wrote:
>> This is test 4k randread with QD 512 in io_uring poll mode.
>> If you use fio, almost like this, but ./t/io_uring can get higher IOPS.
>> fio \
>> --name=io_uring_test \
>> --ioengine=io_uring \
>> --filename=/mnt/testfile \
>> --direct=1 \
>> --rw=randread \
>> --bs=4096 \
>> --iodepth=512 \
>> --iodepth_batch_submit=32 \
>> --iodepth_batch_complete_min=32 \
>> --hipri=1 \
>> --fixedbufs=1 \
>> --registerfiles=1 \
>> --nonvectored=1 \
>> --sqthread_poll=1
> Ok, given the way fio works, the iodepth batching will result in in
> the code submitting repeated batches of 32 read Io submissions in a
> single 'syscall'.
>
> If you change the size of this batch, how does it change the
> performance of both vanilla and patched IO paths? i.e. does this
> optimisation provide a benefit over a range of IO submission
> patterns, or is it only evident when the CPU is running a IO-uring
> microbenchmark and userspace is doing no real work on the IO buffers
> being submitted?
Hi Dave:
If batch size is 16, IOPS 1.84M -> 2.11M.
If batch size is 8, IOPS 1.72M -> 1.98M.
If batch size is 1, IOPS 1.09M->1.17M.
This is a general optimization that isn't limited to specific tests; you
can see the
benefits even when using fio+libaio.
Use this command test, IOPS 480K->500K:
taskset -c 30 fio --name=test --ioengine=libaio
--filename=/mnt/mytest --direct=1
--rw=randread --bs=4096 --iodepth=512.
>
> Also, 'fixedbufs=1' leads me to beleive that this is using the same
> set of buffer memory for all IOs, and hence we've probably got a
> cache-hot data set here. Hence: is userspace reading the buffers at
> IO completion (i.e. emulating the application actually consuming the
> data that is being read from the disk), or are they remaining
> untouched by userspace and immediately reused for the next IO
> submission batch?
If use t/io_uring do test, the buffer is untouched by userspace. But I
think it doesn't matter.
I use fio with refill_buffers argument do some test, the result is same.
taskset -c 30 fio --name=test --ioengine=libaio
--filename=/mnt/mytest --direct=1
--rw=randread --bs=4096 --iodepth=512 --refill_buffers. IOPS 478K->498K.
taskset -c 30 fio --name=test --ioengine=io_uring
--filename=/mnt/mytest --direct=1
--rw=randread --bs=4096 --iodepth=512 --refill_buffers. IOPS 542K->568K.
Perhaps my test cases are a bit unusual, which has raised quite a few
questions.
In the upcoming patch, I’ll include more fio test results.
>
>>>> Profiling the ext4 workload reveals that a significant portion of CPU
>>>> time is spent on memory allocation and the iomap state machine
>>>> iteration:
>>>> 5.33% [kernel] [k] __iomap_dio_rw
>>>> 3.26% [kernel] [k] iomap_iter
>>>> 2.37% [kernel] [k] iomap_dio_bio_iter
>>>> 2.35% [kernel] [k] kfree
>>>> 1.33% [kernel] [k] iomap_dio_complete
>>>
>>> Hmm read is usually under a shared lock for inode as well as extent
>>> lookup so we should ideally not be blocking too much there. Can you
>>> share a bit more detailed perf report. I'd be interested to see where
>>> in iomap_iter() are you seeing the regression?
>> Are there enough images of the flame diagram? I’ve attached them.
>> ext4_poll_7.svg is without this patch, iomap_fast.svg is with this patch.
> I've had a look at them, and the biggest change in CPU usage is that
> bio_alloc_bioset() disappears from the graph. In the vanilla kernel,
> that accounts for 6.05% of the cpu samples.
>
> Let's put this in a table:
>
> function vanilla patched saved
> ---------- ------- ------- -----
> ext4_file_read_iter 54.75 46.85 -7.90
> iomap_dio_rw 49.21 40.69 -8.52
> ----
> bio_alloc_bioset 6.05 1.77 -4.28
> iomap_dio_bio_iter 25.44
> iomap_iter 15.02
> iomap_dio_fast_read_async 39.82
>
> (subtotals) 46.51 41.59 -4.99
> ----
> bio_alloc_bioset 6.05 1.77 -4.28
> bio_init 4.52 0.00 -4.52
>
> More than 50% of the difference in CPU usage between the two code
> paths is entirely from bio_init() overhead.
>
> That makes no sense to me. The fast path still requires bios to be
> allocated and have bio_init() called on them, and we are doing many
> more of those calls every second. Why is this overhead not showing
> up in the fast path profile -at all-?
I haven't figured that out either. I ran another flame graph on the
old kernel
version, and bio_alloc_bioset only accounted for 1.83%. I'm not sure if
there was
something wrong with the flame graph I generated back then.
I re-captured the ext4 heatmap using the newly modified patch, and it
looks more
reasonable now.
>
>>>> I attempted several incremental optimizations in the __iomap_dio_rw()
>>>> path to close the gap:
>>>> 1. Allocating the `bio` and `struct iomap_dio` together to avoid a
>>>> separate kmalloc. However, because `struct iomap_dio` is relatively
>>>> large and the main path is complex, this yielded almost no
>>>> performance improvement.
> Yet this is exactly what you do in the fast path. Why did it not
> provide any improvement for the existing code when it is an implied
> beneficial optimisation for the new fast path?
I think there might be two reasons: first, the __iomap_dio_rw path is
too complex, with
too many checks; second, the dio structure has to maintain reference
counts for every
I/O operation, and the operations on atomic variables are a bit heavy.
> I'm clearly missing something here. I'm trying to work out why the
> profiles show what they do, but there's differences between them
> that do make obvious sense to me.
>
> It would also be useful to have XFS profiles, because it has a
> larger CPU cache footprint than ext4. If what the profiles are
> showing is a result of CPU cache residency artifacts, then we'll see
> different profile (and, potentially, performance) artifacts with
> XFS...
The XFS flame graph is also attached now.
IOPS: 1.92M->2.3M.
>
> -Dave.
[-- Attachment #2: xfs_patch.svg --]
[-- Type: image/svg+xml, Size: 79092 bytes --]
[-- Attachment #3: xfs_base.svg --]
[-- Type: image/svg+xml, Size: 82837 bytes --]
[-- Attachment #4: ext4_base.svg --]
[-- Type: image/svg+xml, Size: 76895 bytes --]
[-- Attachment #5: ext4_patched.svg --]
[-- Type: image/svg+xml, Size: 72805 bytes --]
^ permalink raw reply
* Re: [RFC PATCH] iomap: add fast read path for small direct I/O
From: Dave Chinner @ 2026-04-20 23:59 UTC (permalink / raw)
To: changfengnan
Cc: Ojaswin Mujoo, Fengnan Chang, brauner, djwong, linux-xfs,
linux-fsdevel, linux-ext4, lidiangang
In-Reply-To: <d9210bcdf73fbe1ac8b6ec132865609a3ed68688.bd12b07f.c444.4fe0.8460.b6fed4af7332@bytedance.com>
On Thu, Apr 16, 2026 at 11:22:08AM +0800, changfengnan wrote:
> This is test 4k randread with QD 512 in io_uring poll mode.
> If you use fio, almost like this, but ./t/io_uring can get higher IOPS.
> fio \
> --name=io_uring_test \
> --ioengine=io_uring \
> --filename=/mnt/testfile \
> --direct=1 \
> --rw=randread \
> --bs=4096 \
> --iodepth=512 \
> --iodepth_batch_submit=32 \
> --iodepth_batch_complete_min=32 \
> --hipri=1 \
> --fixedbufs=1 \
> --registerfiles=1 \
> --nonvectored=1 \
> --sqthread_poll=1
Ok, given the way fio works, the iodepth batching will result in in
the code submitting repeated batches of 32 read Io submissions in a
single 'syscall'.
If you change the size of this batch, how does it change the
performance of both vanilla and patched IO paths? i.e. does this
optimisation provide a benefit over a range of IO submission
patterns, or is it only evident when the CPU is running a IO-uring
microbenchmark and userspace is doing no real work on the IO buffers
being submitted?
Also, 'fixedbufs=1' leads me to beleive that this is using the same
set of buffer memory for all IOs, and hence we've probably got a
cache-hot data set here. Hence: is userspace reading the buffers at
IO completion (i.e. emulating the application actually consuming the
data that is being read from the disk), or are they remaining
untouched by userspace and immediately reused for the next IO
submission batch?
> > > Profiling the ext4 workload reveals that a significant portion of CPU
> > > time is spent on memory allocation and the iomap state machine
> > > iteration:
> > > 5.33% [kernel] [k] __iomap_dio_rw
> > > 3.26% [kernel] [k] iomap_iter
> > > 2.37% [kernel] [k] iomap_dio_bio_iter
> > > 2.35% [kernel] [k] kfree
> > > 1.33% [kernel] [k] iomap_dio_complete
> >
> > Hmm read is usually under a shared lock for inode as well as extent
> > lookup so we should ideally not be blocking too much there. Can you
> > share a bit more detailed perf report. I'd be interested to see where
> > in iomap_iter() are you seeing the regression?
> Are there enough images of the flame diagram? I’ve attached them.
> ext4_poll_7.svg is without this patch, iomap_fast.svg is with this patch.
I've had a look at them, and the biggest change in CPU usage is that
bio_alloc_bioset() disappears from the graph. In the vanilla kernel,
that accounts for 6.05% of the cpu samples.
Let's put this in a table:
function vanilla patched saved
---------- ------- ------- -----
ext4_file_read_iter 54.75 46.85 -7.90
iomap_dio_rw 49.21 40.69 -8.52
----
bio_alloc_bioset 6.05 1.77 -4.28
iomap_dio_bio_iter 25.44
iomap_iter 15.02
iomap_dio_fast_read_async 39.82
(subtotals) 46.51 41.59 -4.99
----
bio_alloc_bioset 6.05 1.77 -4.28
bio_init 4.52 0.00 -4.52
More than 50% of the difference in CPU usage between the two code
paths is entirely from bio_init() overhead.
That makes no sense to me. The fast path still requires bios to be
allocated and have bio_init() called on them, and we are doing many
more of those calls every second. Why is this overhead not showing
up in the fast path profile -at all-?
> > > I attempted several incremental optimizations in the __iomap_dio_rw()
> > > path to close the gap:
> > > 1. Allocating the `bio` and `struct iomap_dio` together to avoid a
> > > separate kmalloc. However, because `struct iomap_dio` is relatively
> > > large and the main path is complex, this yielded almost no
> > > performance improvement.
Yet this is exactly what you do in the fast path. Why did it not
provide any improvement for the existing code when it is an implied
beneficial optimisation for the new fast path?
I'm clearly missing something here. I'm trying to work out why the
profiles show what they do, but there's differences between them
that do make obvious sense to me.
It would also be useful to have XFS profiles, because it has a
larger CPU cache footprint than ext4. If what the profiles are
showing is a result of CPU cache residency artifacts, then we'll see
different profile (and, potentially, performance) artifacts with
XFS...
-Dave.
--
Dave Chinner
dgc@kernel.org
^ permalink raw reply
* Re: [PATCH v2 v2 2/2] ext4: allow clearing mballoc stats through mb_stats
From: Andreas Dilger @ 2026-04-20 18:28 UTC (permalink / raw)
To: Ojaswin Mujoo
Cc: Baolin Liu, tytso, wangguanyu, yi.zhang, ritesh.list, linux-ext4,
linux-kernel, Baolin Liu
In-Reply-To: <aeXt_qg1SprB9Gu_@li-dc0c254c-257c-11b2-a85c-98b6c1322444.ibm.com>
On Apr 20, 2026, at 03:12, Ojaswin Mujoo <ojaswin@linux.ibm.com> wrote:
>
> On Sun, Apr 19, 2026 at 02:34:36PM +0800, Baolin Liu wrote:
>> From: Baolin Liu <liubaolin@kylinos.cn>
>>
>> Make /proc/fs/ext4/<dev>/mb_stats writable and clear the runtime
>> mballoc statistics when 0 is written.
>>
>> Signed-off-by: Baolin Liu <liubaolin@kylinos.cn>
>> ---
> Hi Baolin, thanks for the changes.
>
> Seems like userspace doesn't have any way to know that writing 0 will
> clear the that. Well, I guess if you are looking at this file you are
> anyways debugging kernel code so that should be fine
That could be documented in Documentation/filesystems/ext4/allocators.rst,
or better would be to add a new file that covers mballoc in more detail.
Cheers, Andreas
^ permalink raw reply
* [PATCH AUTOSEL 7.0-6.1] ext4: unmap invalidated folios from page tables in mpage_release_unused_pages()
From: Sasha Levin @ 2026-04-20 13:22 UTC (permalink / raw)
To: patches, stable
Cc: Deepanshu Kartikey, syzbot+b0a0670332b6b3230a0a, Matthew Wilcox,
Theodore Ts'o, Sasha Levin, linux-ext4, linux-kernel
In-Reply-To: <20260420132314.1023554-1-sashal@kernel.org>
From: Deepanshu Kartikey <kartikey406@gmail.com>
[ Upstream commit 9b25f381de6b8942645f43735cb0a4fb0ab3a6d1 ]
When delayed block allocation fails (e.g., due to filesystem corruption
detected in ext4_map_blocks()), the writeback error handler calls
mpage_release_unused_pages(invalidate=true) which invalidates affected
folios by clearing their uptodate flag via folio_clear_uptodate().
However, these folios may still be mapped in process page tables. If a
subsequent operation (such as ftruncate calling ext4_block_truncate_page)
triggers a write fault, the existing page table entry allows access to
the now-invalidated folio. This leads to ext4_page_mkwrite() being called
with a non-uptodate folio, which then gets marked dirty, triggering:
WARNING: CPU: 0 PID: 5 at mm/page-writeback.c:2960
__folio_mark_dirty+0x578/0x880
Call Trace:
fault_dirty_shared_page+0x16e/0x2d0
do_wp_page+0x38b/0xd20
handle_pte_fault+0x1da/0x450
The sequence leading to this warning is:
1. Process writes to mmap'd file, folio becomes uptodate and dirty
2. Writeback begins, but delayed allocation fails due to corruption
3. mpage_release_unused_pages(invalidate=true) is called:
- block_invalidate_folio() clears dirty flag
- folio_clear_uptodate() clears uptodate flag
- But folio remains mapped in page tables
4. Later, ftruncate triggers ext4_block_truncate_page()
5. This causes a write fault on the still-mapped folio
6. ext4_page_mkwrite() is called with folio that is !uptodate
7. block_page_mkwrite() marks buffers dirty
8. fault_dirty_shared_page() tries to mark folio dirty
9. block_dirty_folio() calls __folio_mark_dirty(warn=1)
10. WARNING triggers: WARN_ON_ONCE(warn && !uptodate && !dirty)
Fix this by unmapping folios from page tables before invalidating them
using unmap_mapping_pages(). This ensures that subsequent accesses
trigger new page faults rather than reusing invalidated folios through
stale page table entries.
Note that this results in data loss for any writes to the mmap'd region
that couldn't be written back, but this is expected behavior when
writeback fails due to filesystem corruption. The existing error message
already states "This should not happen!! Data will be lost".
Reported-by: syzbot+b0a0670332b6b3230a0a@syzkaller.appspotmail.com
Tested-by: syzbot+b0a0670332b6b3230a0a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b0a0670332b6b3230a0a
Suggested-by: Matthew Wilcox <willy@infradead.org>
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Link: https://patch.msgid.link/20251205055914.1393799-1-kartikey406@gmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
LLM Generated explanations, may be completely bogus:
Now I have sufficient information to complete the forensic analysis.
## PHASE 1: COMMIT MESSAGE FORENSICS
**Step 1.1 — Subject line parse**
- Record: Subsystem `ext4:`; action verb `unmap` (describes the fix
mechanism, but semantically a fix); one-line summary: invalidated
folios in the writeback error path must also be unmapped from user
page tables to avoid a `__folio_mark_dirty` WARN.
**Step 1.2 — Commit message tags**
- Record:
- `Reported-by: syzbot+b0a0670332b6b3230a0a@syzkaller.appspotmail.com`
- `Tested-by: syzbot+...@syzkaller.appspotmail.com` (auto-test bot
confirmed fix)
- `Closes:
https://syzkaller.appspot.com/bug?extid=b0a0670332b6b3230a0a`
- `Suggested-by: Matthew Wilcox <willy@infradead.org>` (MM maintainer)
- `Signed-off-by: Deepanshu Kartikey` + `Signed-off-by: Theodore Ts'o`
(ext4 maintainer)
- `Link:` to lore message id
- No Fixes:, no Cc: stable (expected – that's why this is up for
review)
**Step 1.3 — Commit body analysis**
- Record: Very detailed 10-step reproduction flow. The author identifies
the exact sequence: mmap write → dirty/uptodate folio → delayed-alloc
failure (e.g., corruption) →
`mpage_release_unused_pages(invalidate=true)` → folio invalidated but
still mapped → later write fault (e.g., from
`ext4_block_truncate_page()`) hits `ext4_page_mkwrite()` with
`!uptodate` folio → `WARN_ON_ONCE(warn && !uptodate && !dirty)` fires
in `__folio_mark_dirty()`. Author explicitly states this is not
theoretical — syzbot has a C reproducer. Also notes data-loss is
intentional/expected on writeback failure ("This should not happen!!
Data will be lost" message is pre-existing).
**Step 1.4 — Hidden bug fix?**
- Record: Not hidden — the subject names the mechanism, and the body
explicitly documents a WARN and a concrete syscall sequence. This is
clearly a fix.
## PHASE 2: DIFF ANALYSIS
**Step 2.1 — Inventory**
- Record: 1 file changed (`fs/ext4/inode.c`), +15/-1 lines, all in
`mpage_release_unused_pages()`. Single-file surgical fix, scope = very
small.
**Step 2.2 — Code flow change**
- Record: Before: when `invalidate=true` and `folio_mapped(folio)` was
true, we only `folio_clear_dirty_for_io(folio)` to clear the PTE-dirty
bits (from 2016 commit `4e800c0359d9a`), then
`block_invalidate_folio()` + `folio_clear_uptodate()`, and left the
mapping in place. After: we additionally call
`unmap_mapping_pages(folio->mapping, folio->index,
folio_nr_pages(folio), false)` to tear the folio out of every
process's page tables, so no stale PTE can resurface the now-
invalidated folio.
**Step 2.3 — Bug mechanism classification**
- Record: Memory-safety / correctness in error path. Stale PTE pointing
at an invalidated folio → `fault_dirty_shared_page()` reaches
`__folio_mark_dirty()` with `!uptodate && !dirty`, firing a KERNEL
WARN. It is a bug (WARN = kernel bug signal to syzbot) and also opens
the door to suspicious follow-on state (dirty bits on a folio the
filesystem has already written off).
**Step 2.4 — Fix quality**
- Record: Obvious and correct. `unmap_mapping_pages()` is the standard
MM helper for exactly this purpose (used by truncate_pagecache,
`filemap_fault` race handling, etc.). It runs only under
`invalidate=true` — i.e., only on the writeback-failure path — so the
runtime cost in the non-error case is zero. Very low regression risk:
the worst case is forcing future access to re-fault, which is benign.
## PHASE 3: GIT HISTORY INVESTIGATION
**Step 3.1 — Blame**
- Record: The surrounding construct (`if (folio_mapped())
folio_clear_dirty_for_io(...)`, then `block_invalidate_folio` +
`folio_clear_uptodate`) was added by commit `4e800c0359d9a` ("ext4:
bugfix for mmaped pages in mpage_release_unused_pages()"), released in
v4.9-rc1 (2016). So the incomplete handling has existed since v4.9 —
every current stable tree is affected.
**Step 3.2 — Fixes: tag**
- Record: No `Fixes:` tag is in the commit (expected — this is a
candidate under review). The bug is logically introduced by
`4e800c0359d9a` (v4.9), which is present in every active stable tree.
**Step 3.3 — File history**
- Record: Recent touches to `mpage_release_unused_pages()` include
`d8be7607de039` (ext4: Move mpage_page_done() calls after error
handling), `fb5a5be05fb45` (convert to filemap_get_folios),
`a297b2fcee461` (unlock unused_pages timely). None address this
specific stale-PTE issue. This patch is self-contained; not part of a
series.
**Step 3.4 — Author**
- Record: `Deepanshu Kartikey` is a regular syzbot-driven contributor
(many small fixes across ext4, gfs2, netfs, mac80211). Not the
maintainer, but the commit was reviewed and applied by ext4 maintainer
Theodore Ts'o.
**Step 3.5 — Dependencies**
- Record: Only depends on `unmap_mapping_pages()`, which exists since
v4.16 (mm commit `977fbdcd5986c`) — verified present in every stable
tree checked (5.10, 5.15, 6.1, 6.6, 6.12). No patch-series dependency.
## PHASE 4: MAILING LIST AND EXTERNAL RESEARCH
**Step 4.1 — Original submission**
- Record: `b4 dig -c 9b25f381...` resolved to the v3 thread at `https://
lore.kernel.org/all/20251205055914.1393799-1-kartikey406@gmail.com/`.
`b4 dig -a` shows this is v3 (earlier attempts v1/v2 tried to fix it
in `ext4_page_mkwrite()` — see syzbot Discussions table linking
`20251122015742.362444-1-...` and `20251121131305.332698-1-...`). The
v3 approach was suggested by Matthew Wilcox and preferred by Ted Ts'o.
Ted applied v3 directly with "Applied, thanks!" (mbox saved by b4
shows `commit: 9b25f381de6b...`).
**Step 4.2 — Reviewers**
- Record: To/Cc from `b4 dig -w` includes `tytso@mit.edu` (ext4
maintainer — applied), `adilger.kernel@dilger.ca` (ext4 co-
maintainer), `willy@infradead.org` (MM maintainer — suggested the
fix), `djwong@kernel.org`, `yi.zhang@huaweicloud.com`, `linux-
ext4@vger.kernel.org`, `linux-kernel@vger.kernel.org`. Appropriate
audience reviewed the change.
**Step 4.3 — Bug report**
- Record: Fetched
https://syzkaller.appspot.com/bug?extid=b0a0670332b6b3230a0a. Syzbot
has a C reproducer. First crash 254 days before fetch, last 5d ago.
Label `Fix commit: 9b25f381de6b` confirms this commit closed the
upstream bug. The sample crash shows `__folio_mark_dirty` WARN with
call trace `block_dirty_folio → fault_dirty_shared_page → do_wp_page →
handle_mm_fault → do_user_addr_fault` — exact match to the commit
message. Linux-6.6 has a sibling report labeled `origin:lts-only` and
linux-6.1 one labeled `missing-backport`, indicating stable trees
still need a fix.
**Step 4.4 — Related patches**
- Record: This is a single-patch series (v3); v1/v2 were alternative
approaches to the same bug, superseded. No dependent patches.
**Step 4.5 — Stable ML**
- Record: No explicit Cc: stable in the applied patch. Syzbot label
`missing-backport` on 6.1 is effectively a public request for stable
coverage of this bug.
## PHASE 5: CODE SEMANTIC ANALYSIS
**Step 5.1 — Functions in diff**
- Record: Only `mpage_release_unused_pages()` is modified.
**Step 5.2 — Callers**
- Record: Two call sites in `ext4_do_writepages()`:
`mpage_release_unused_pages(mpd, false)` (normal completion, no
invalidate) and `mpage_release_unused_pages(mpd, give_up_on_write)`
(error path). The fix only triggers on the second (writeback-failure)
path.
**Step 5.3 — Callees**
- Record: After fix adds `unmap_mapping_pages(folio->mapping,
folio->index, folio_nr_pages(folio), false)` — standard MM helper that
tears down PTEs for the given pgoff range (non-even-cows). Existing
callees: `folio_clear_dirty_for_io`, `block_invalidate_folio`,
`folio_clear_uptodate`, `folio_unlock`.
**Step 5.4 — Call chain / reachability**
- Record: `ext4_do_writepages` is called from the ordinary writeback
path (syscalls such as `fsync`, `sync`, `msync`, memory-pressure-
driven writeback). The `give_up_on_write=true` branch is taken when
`ext4_map_blocks()` returns an error — e.g., on corruption detected by
the extent tree. So an unprivileged user with a mmap of a corrupt ext4
image can trigger it, which is exactly what syzbot does.
**Step 5.5 — Similar patterns**
- Record: Related earlier fix in the same function — commit
`4e800c0359d9a` from 2016 — covered the PTE-dirty bit but not the PTE
itself. The new patch completes that earlier partial fix. The same
philosophy (unmap before invalidating) is used by
`truncate_inode_pages_range()` and `invalidate_inode_pages2_range()`
in mm/truncate.c, so this brings ext4 in line with the mm convention.
## PHASE 6: CROSS-REFERENCING AND STABLE TREE ANALYSIS
**Step 6.1 — Code exists in stable**
- Record: Verified the vulnerable pattern exists:
- `stable/linux-6.19.y`: `folio_mapped(folio) →
folio_clear_dirty_for_io` without unmap ✓
- `stable/linux-6.18.y`: same ✓
- `stable/linux-6.17.y`: same ✓
- `stable/linux-6.12.y`: same ✓
- `stable/linux-6.6.y`: same ✓
- `stable/linux-6.1.y`: same ✓
- `stable/linux-5.15.y`, `5.10.y`: same logic but pre-folio
(`page_mapped(page) → clear_page_dirty_for_io`) — needs port to page
API.
**Step 6.2 — Backport complications**
- Record: For 6.1..6.19 the hunk is effectively identical and should
apply cleanly or with trivial offsets. For 5.15/5.10, the patch must
be re-expressed using `unmap_mapping_pages(page->mapping, page->index,
compound_nr(page), false)` or `1` for non-compound.
`unmap_mapping_pages()` itself is available since v4.16, so available
in all these trees.
**Step 6.3 — Already fixed?**
- Record: `git log --grep="unmap invalidated folios"` in
`stable/linux-6.1/6.6/6.12/6.17/6.18/6.19` returned nothing. Not yet
backported.
## PHASE 7: SUBSYSTEM AND MAINTAINER CONTEXT
**Step 7.1 — Subsystem**
- Record: `fs/ext4/` — one of the most widely deployed filesystems.
Criticality: IMPORTANT (affects a large population of users,
especially enterprise and Android).
**Step 7.2 — Activity**
- Record: ext4/inode.c is very actively maintained; the specific
`mpage_release_unused_pages()` function has had targeted fixes before
(2016, 2024). Writeback error path is exercised any time delayed
allocation fails.
## PHASE 8: IMPACT AND RISK ASSESSMENT
**Step 8.1 — Affected users**
- Record: Any user of ext4 who has a mmapped file where delayed block
allocation fails (FS corruption, ENOSPC under certain delalloc
conditions, etc.). Unprivileged users can trigger it with a
crafted/corrupt image (syzbot proved this).
**Step 8.2 — Trigger conditions**
- Record: Mmap a file on ext4, dirty it, then force writeback to fail
(syzbot does this with a corrupt FS image). A concrete C reproducer
exists and still crashes unpatched 6.6.y as of ~5 days ago.
**Step 8.3 — Failure mode / severity**
- Record: Kernel WARN (`WARN_ON_ONCE(warn && !uptodate && !dirty)`),
plus the page stays accessible via stale PTEs after invalidation. On
systems with `panic_on_warn`, this is a kernel panic (DoS). Even
without panic_on_warn, the invariant violation signals a genuine
state-machine bug and can mislead subsequent writeback/truncate logic.
Severity: MEDIUM-HIGH (WARN / potential DoS / invariant violation; a
security-relevant WARN class that syzbot tracks specifically).
**Step 8.4 — Risk-benefit**
- Record: Benefit — closes a syzbot-tracked bug with public C
reproducer, stops WARN/panic on corrupt FS workloads, on a core
filesystem. Risk — fix is 15 lines, only executes in the writeback-
error path, uses a well-understood MM API, reviewed by MM + ext4
maintainers, and has syzbot `Tested-by`. Ratio strongly favors
backporting.
## PHASE 9: SYNTHESIS
**Step 9.1 — Evidence**
- For: syzbot-reported + reproducible, WARN on a core filesystem, tiny
surgical change, reviewed by the MM maintainer who suggested it and
applied by the ext4 maintainer, Tested-by syzbot, the buggy code
exists in every active stable tree, sibling syzbot reports on 6.1.y
and 6.6.y explicitly labeled `missing-backport` / `origin:lts-only`,
dependency `unmap_mapping_pages()` is present since v4.16.
- Against: No `Cc: stable` tag (not a decisive signal — this is
precisely why it's under review). For 5.10/5.15 a minor port from
folio to page API is needed.
- Unresolved: None that would flip the decision.
**Step 9.2 — Stable rules checklist**
1. Obviously correct and tested — YES (syzbot Tested-by; straightforward
mm API use).
2. Fixes a real bug — YES (WARN with C reproducer).
3. Important issue — YES (kernel WARN/potential panic, invariant
violation in core filesystem).
4. Small and contained — YES (+15/-1 in one function, error path only).
5. No new features — YES.
6. Can apply to stable — YES for 6.1+ cleanly; minor hand-port for
5.15/5.10.
**Step 9.3 — Exception category**
- Not a device-ID/quirk/DT case; this is a straightforward bug fix that
qualifies on its own merits.
**Step 9.4 — Decision**
- Backport.
## Verification
- [Phase 1] Parsed tags from the commit body: `Reported-by:
syzbot+b0a0670332b6b3230a0a@...`, `Tested-by: syzbot+...`, `Suggested-
by: Matthew Wilcox`, `Signed-off-by: Theodore Ts'o`, `Closes:
syzkaller URL`. No Fixes: or Cc: stable (expected for candidates).
- [Phase 2] Ran `git show 9b25f381de6b...` — confirmed diff is +15/-1 in
`fs/ext4/inode.c`, only inside `mpage_release_unused_pages()`'s `if
(invalidate)` block, adds `unmap_mapping_pages(folio->mapping,
folio->index, folio_nr_pages(folio), false)`.
- [Phase 3] `git log --oneline --grep="mpage_release_unused_pages"` —
found 8 historical touches including the 2016 partial fix
`4e800c0359d9a` ("ext4: bugfix for mmaped pages..."). `git describe
--contains 4e800c0359d9a` → v4.9-rc1 — confirms the vulnerable
construct has been in stable trees since v4.9.
- [Phase 3] Confirmed no Fixes: tag in commit; logical predecessor is
`4e800c0359d9a`.
- [Phase 3] `git log --author="Deepanshu Kartikey"` — author is a
syzbot-focused contributor with many accepted small fixes across
subsystems.
- [Phase 4] `b4 dig -c 9b25f381de6b...` returned the v3 submission URL `
https://lore.kernel.org/all/20251205055914.1393799-1-
kartikey406@gmail.com/`.
- [Phase 4] `b4 dig -c ... -a` showed this is v3; earlier v1/v2 took a
different (rejected) approach in `ext4_page_mkwrite()`.
- [Phase 4] `b4 dig -c ... -w` confirmed willy, tytso, adilger, djwong,
yi.zhang, linux-ext4 were CC'd and reviewed.
- [Phase 4] `b4 dig -c ... -m` and read the mbox — Ted Ts'o applied v3
with "Applied, thanks!", commit `9b25f381de6b`.
- [Phase 4] Fetched syzkaller URL — confirmed public C reproducer, `Fix
commit: 9b25f381de6b`, still first-crashed 254 days ago and last seen
5 days ago on unpatched trees. Sibling bugs `a92b613efd5e` (linux-6.1,
label `missing-backport`) and `d429f1fb4bc9` (linux-6.6, label
`origin:lts-only`) indicate stable trees still need the fix.
- [Phase 5] Manually traced: only two call sites in
`ext4_do_writepages()`, the patched branch only hits the
`give_up_on_write` error path. Confirmed `unmap_mapping_pages` is used
elsewhere in mm/ with same pattern (truncate/invalidate).
- [Phase 6] Read `fs/ext4/inode.c` in stable/linux-6.1.y, 6.6.y, 6.12.y,
6.17.y, 6.18.y, 6.19.y — all contain the unchanged vulnerable `if
(folio_mapped(folio)) folio_clear_dirty_for_io(folio);
block_invalidate_folio(...); folio_clear_uptodate(...);` pattern. Read
5.10.y/5.15.y — contain the pre-folio `page_mapped(page) /
clear_page_dirty_for_io / block_invalidatepage / ClearPageUptodate`
pattern (needs small port).
- [Phase 6] `git log stable/linux-6.{1,6,12,17,18,19}.y --grep="unmap
invalidated folios"` — none contain this fix yet.
- [Phase 6] Confirmed `unmap_mapping_pages` is defined in `mm/memory.c`
of every stable tree checked; `git describe --contains 977fbdcd5986c`
= v4.16-rc1.
- [Phase 7] `fs/ext4/` is a core, widely-used filesystem;
`mpage_release_unused_pages()` touched by multiple targeted fixes over
the years.
- [Phase 8] Failure mode verified from the sample syzbot crash:
`block_dirty_folio → fault_dirty_shared_page → do_wp_page →
handle_mm_fault → exc_page_fault`, exactly matching the commit
message's description.
- UNVERIFIED: I did not attempt an actual patch apply against
5.10.y/5.15.y — expect a minor manual port (folio→page API), not a
semantic change.
The fix is small, surgical, obviously correct, syzbot-reported with a
reproducer, reviewed by ext4+MM maintainers, touches only the writeback-
error path, and the vulnerable code pattern is present in every active
stable tree. It satisfies all stable-kernel rules with very low
regression risk.
**YES**
fs/ext4/inode.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 1123d995494b5..025ea8f0c41bd 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -1757,8 +1757,22 @@ static void mpage_release_unused_pages(struct mpage_da_data *mpd,
BUG_ON(!folio_test_locked(folio));
BUG_ON(folio_test_writeback(folio));
if (invalidate) {
- if (folio_mapped(folio))
+ if (folio_mapped(folio)) {
folio_clear_dirty_for_io(folio);
+ /*
+ * Unmap folio from page
+ * tables to prevent
+ * subsequent accesses through
+ * stale PTEs. This ensures
+ * future accesses trigger new
+ * page faults rather than
+ * reusing the invalidated
+ * folio.
+ */
+ unmap_mapping_pages(folio->mapping,
+ folio->index,
+ folio_nr_pages(folio), false);
+ }
block_invalidate_folio(folio, 0,
folio_size(folio));
folio_clear_uptodate(folio);
--
2.53.0
^ permalink raw reply related
* [PATCH AUTOSEL 7.0-5.10] ext2: replace BUG_ON with WARN_ON_ONCE in ext2_get_blocks
From: Sasha Levin @ 2026-04-20 13:18 UTC (permalink / raw)
To: patches, stable
Cc: Milos Nikic, Jan Kara, Sasha Levin, jack, linux-ext4,
linux-kernel
In-Reply-To: <20260420132314.1023554-1-sashal@kernel.org>
From: Milos Nikic <nikic.milos@gmail.com>
[ Upstream commit 0cf9c58bf654d0f27abe18005281dbf9890de401 ]
If ext2_get_blocks() is called with maxblocks == 0, it currently triggers
a BUG_ON(), causing a kernel panic.
While this condition implies a logic error in the caller, a filesystem
should not crash the system due to invalid arguments.
Replace the BUG_ON() with a WARN_ON_ONCE() to provide a stack trace for
debugging, and return -EINVAL to handle the error gracefully.
Signed-off-by: Milos Nikic <nikic.milos@gmail.com>
Link: https://patch.msgid.link/20260207010617.216675-1-nikic.milos@gmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
LLM Generated explanations, may be completely bogus:
Now I have all the information needed for my analysis. Let me compile
the complete assessment.
---
## PHASE 1: COMMIT MESSAGE FORENSICS
### Step 1.1: Subject Line
- **Subsystem:** ext2
- **Action verb:** "replace" (BUG_ON with WARN_ON_ONCE)
- **Summary:** Converts a crash-inducing assertion into a graceful error
return in ext2 block allocation
Record: [ext2] [replace] [Convert BUG_ON to WARN_ON_ONCE + return
-EINVAL for maxblocks==0 assertion]
### Step 1.2: Tags
- **Signed-off-by:** Milos Nikic (author) and Jan Kara (ext2 maintainer,
merged)
- **Link:** `https://patch.msgid.link/20260207010617.216675-1-
nikic.milos@gmail.com`
- No Fixes: tag (expected for AUTOSEL candidate)
- No Reported-by: tag
- No Cc: stable tag
Record: Signed-off by ext2 maintainer Jan Kara. No Fixes, no Reported-
by, no syzbot. No explicit stable nomination.
### Step 1.3: Commit Body
The commit explains that when `ext2_get_blocks()` is called with
`maxblocks == 0`, it triggers a `BUG_ON()` causing a kernel panic. The
author argues a filesystem should not crash the system due to invalid
arguments.
Record: [Bug: BUG_ON causes kernel panic on invalid argument] [Symptom:
kernel panic/crash] [Root cause: overly aggressive assertion for a
condition that should be handled gracefully]
### Step 1.4: Hidden Bug Fix Detection
This is a defensive hardening change. BUG_ON() is itself a bug when a
graceful recovery is possible. The kernel community has been
systematically converting such assertions.
Record: This is a fix for "BUG_ON is a bug" - the assertion behavior is
itself the problem.
## PHASE 2: DIFF ANALYSIS
### Step 2.1: Inventory
- **Files:** `fs/ext2/inode.c` only
- **Lines changed:** -1 / +2 (net +1 line)
- **Function modified:** `ext2_get_blocks()`
- **Scope:** Single-file, single-function, surgical fix
### Step 2.2: Code Flow Change
**Before:** `BUG_ON(maxblocks == 0)` — triggers kernel panic, system
crashes
**After:** `if (WARN_ON_ONCE(maxblocks == 0)) return -EINVAL;` — prints
stack trace once, returns error code gracefully
The change affects the entry validation of `ext2_get_blocks()`, before
any actual work is done.
### Step 2.3: Bug Mechanism
Category: **Logic/correctness fix** (defensive assertion improvement).
The BUG_ON() unconditionally panics the system for a condition that can
be handled by returning an error.
### Step 2.4: Fix Quality
- Obviously correct: YES. This is a standard, well-understood pattern.
- Minimal: YES. 2 lines.
- Regression risk: Extremely low. The only behavior change is: if
`maxblocks == 0`, instead of crashing, return -EINVAL. Both callers
(`ext2_get_block` and `ext2_iomap_begin`) check return values
properly.
## PHASE 3: GIT HISTORY INVESTIGATION
### Step 3.1: Blame
The `BUG_ON(maxblocks == 0)` was introduced by commit `7ba3ec5749ddb6`
(Jan Kara, 2013-11-05, "ext2: Fix fs corruption in ext2_get_xip_mem()").
This commit first appeared in v3.13-rc1, meaning the buggy BUG_ON has
been present in **every stable tree** since v3.13 (~11 years).
### Step 3.2: Original Commit Context
The original commit `7ba3ec5749ddb6` fixed a real bug in
`ext2_get_xip_mem()` where 0 blocks were being requested. The BUG_ON was
added as a defensive assertion to catch similar bugs. The actual XIP bug
was also fixed in the same commit. The BUG_ON was always a "shouldn't
happen" assertion.
### Step 3.3: File History
`fs/ext2/inode.c` has had moderate churn (~44 changes since v5.15, ~65
since v5.4), but the specific BUG_ON line has been untouched since 2013.
No related fixes in this area.
### Step 3.4: Author
Milos Nikic is not the subsystem maintainer, but the patch was accepted
and signed-off by Jan Kara, who is the ext2 maintainer and who
originally added the BUG_ON.
### Step 3.5: Dependencies
None. This is a standalone 2-line change with no dependencies.
## PHASE 4: MAILING LIST RESEARCH
From the mbox thread:
1. **v1 submitted:** Feb 6, 2026
2. **Author ping:** Feb 26, 2026 — "Just a friendly ping on this patch"
3. **Jan Kara reply:** Feb 27, 2026 — "Thanks merged now."
No NAKs, no objections, no explicit stable nomination. Minimal
discussion — the maintainer accepted it without requesting changes. No
one mentioned stable.
Record: Single-version patch, accepted without changes by ext2
maintainer.
## PHASE 5: CODE SEMANTIC ANALYSIS
### Step 5.1: Functions Modified
Only `ext2_get_blocks()` is modified (static function in
`fs/ext2/inode.c`).
### Step 5.2: Callers
`ext2_get_blocks()` is called from:
1. `ext2_get_block()` (line 791) — where `max_blocks = bh_result->b_size
>> inode->i_blkbits`
2. `ext2_iomap_begin()` (line 835) — where `max_blocks = (length + (1 <<
blkbits) - 1) >> blkbits`
`ext2_get_block()` is called from numerous VFS paths:
`mpage_read_folio`, `mpage_readahead`, `block_write_begin`,
`generic_block_bmap`, `mpage_writepages`, `block_truncate_page`, and
`__block_write_begin`.
### Step 5.3-5.4: Reachability
The code is reachable from common filesystem operations (read, write,
truncate, bmap). In `ext2_get_block()`, `max_blocks` could theoretically
be 0 if `bh_result->b_size` is less than `(1 << i_blkbits)`. In
`ext2_iomap_begin()`, `max_blocks` would be 0 only if `length == 0`.
Both should be prevented by callers, but are not explicitly validated in
the callee.
### Step 5.5: Similar Patterns
There are other BUG_ON instances in ext2 (`balloc.c`, `dir.c`, `acl.c`).
The kernel has been systematically converting such assertions across
filesystems (e.g., `ext4: convert some BUG_ON's in mballoc`, `nilfs2:
convert BUG_ON in nilfs_finish_roll_forward`, `quota: Remove BUG_ON from
dqget()`).
## PHASE 6: STABLE TREE ANALYSIS
### Step 6.1: Code Existence in Stable
The BUG_ON line exists in ALL active stable trees (introduced in v3.13).
The line `BUG_ON(maxblocks == 0)` at the same location is unchanged
since 2013.
### Step 6.2: Backport Complications
The patch should apply cleanly to all stable trees — the surrounding
code is identical across all branches (verified via blame: the context
lines are from 2005/2007).
### Step 6.3: No related fixes already in stable for this issue.
## PHASE 7: SUBSYSTEM CONTEXT
### Step 7.1: Subsystem Criticality
- **Subsystem:** ext2 filesystem
- **Criticality:** IMPORTANT — ext2 is still used in embedded systems,
older systems, and as a simple/reliable FS choice
- A panic in filesystem code can cause data loss and is especially
disruptive
### Step 7.2: Activity
ext2 is a mature, low-activity subsystem. The code being fixed has been
stable for 11 years.
## PHASE 8: IMPACT AND RISK ASSESSMENT
### Step 8.1: Affected Users
All ext2 users across all kernel versions since v3.13. Ext2 is still
used in embedded, IoT, and some server configurations.
### Step 8.2: Trigger Conditions
Currently, no known caller passes maxblocks == 0. However:
- A corrupted filesystem image could potentially lead to invalid
parameters
- A future kernel bug (like the XIP bug that motivated the BUG_ON) could
trigger it
- The condition is a "shouldn't happen" scenario, but if it does, the
system panics
### Step 8.3: Failure Mode Severity
- **Without fix:** Kernel panic (BUG_ON) → CRITICAL (system crash,
potential data loss)
- **With fix:** WARN_ON_ONCE + -EINVAL → LOW (warning message, graceful
error handling)
### Step 8.4: Risk-Benefit Ratio
- **Benefit:** Prevents kernel panic if condition ever triggers.
Converts crash to graceful error.
- **Risk:** Essentially zero. 2 lines, obviously correct, well-
understood pattern. The -EINVAL return is properly handled by both
callers.
- **Ratio:** Extremely favorable.
## PHASE 9: FINAL SYNTHESIS
### Step 9.1: Evidence Compilation
**FOR backporting:**
- Prevents kernel panic (BUG_ON → WARN_ON_ONCE)
- 2-line change, minimal regression risk
- Obviously correct pattern
- Accepted by ext2 maintainer Jan Kara (who wrote the original BUG_ON)
- Code exists in ALL stable trees since v3.13
- Will apply cleanly to all stable trees
- Filesystem code should never crash the system on input validation
- No dependencies, completely standalone
**AGAINST backporting:**
- No known trigger in current code — the condition is theoretical
- No syzbot report, no user reports of the BUG_ON firing
- Could be considered defensive hardening rather than fixing a real bug
- No explicit stable nomination by anyone
### Step 9.2: Stable Rules Checklist
1. Obviously correct and tested? **YES** — trivial, well-understood
pattern, merged by maintainer
2. Fixes a real bug? **YES** — BUG_ON causing unnecessary kernel panic
IS a bug in filesystem code
3. Important issue? **YES if triggered** — kernel panic is CRITICAL
severity
4. Small and contained? **YES** — 2 lines in 1 file
5. No new features or APIs? **YES** — purely defensive improvement
6. Can apply to stable? **YES** — code is unchanged since v3.13
### Step 9.3: Exception Categories
Not strictly an exception category, but "BUG_ON to WARN_ON_ONCE
conversion in filesystem code" is a well-accepted pattern that has been
backported before.
### Step 9.4: Decision
The change is a tiny (2-line), obviously correct fix that prevents a
kernel panic in a filesystem. While the trigger condition is currently
theoretical, the risk of the backport is essentially zero, and the
benefit if triggered (preventing a crash vs. graceful error) is
significant. The ext2 maintainer accepted it. The BUG_ON has existed in
all stable trees for 11+ years.
## Verification
- [Phase 1] Parsed tags: Signed-off-by Milos Nikic and Jan Kara. Link to
lore. No Fixes/Reported-by/Cc:stable.
- [Phase 2] Diff analysis: 1 line removed (`BUG_ON`), 2 lines added (`if
(WARN_ON_ONCE(...)) return -EINVAL`), in `ext2_get_blocks()`.
- [Phase 3] git blame: `BUG_ON(maxblocks == 0)` introduced by commit
`7ba3ec5749ddb6` (Jan Kara, 2013-11-05), first in v3.13-rc1. Present
in ALL stable trees.
- [Phase 3] git show `7ba3ec5749ddb6`: Original commit was "ext2: Fix fs
corruption in ext2_get_xip_mem()" — BUG_ON added as defensive
assertion alongside actual XIP fix.
- [Phase 3] git log -20 on file: No related fixes or prerequisites for
this change.
- [Phase 3] Author check: Milos Nikic also authored `bac3190a8e79b`
(jbd2 hardening). Jan Kara is ext2 maintainer.
- [Phase 4] b4 mbox retrieved thread: 3 messages — original patch,
author ping, Jan Kara "Thanks merged now." No review comments, no
NAKs, no stable nomination.
- [Phase 5] Callers: `ext2_get_block()` (VFS callback, many callers) and
`ext2_iomap_begin()` (iomap path). Both handle negative return values
properly.
- [Phase 5] Trigger analysis: `max_blocks` computed from `b_size >>
i_blkbits` or ceiling division of `length`. Currently prevented by
callers but not validated in callee.
- [Phase 6] BUG_ON line unchanged since 2013, applies cleanly to all
stable trees.
- [Phase 6] ext2/inode.c: 44 changes since v5.15 but none near the
BUG_ON line.
- [Phase 8] Risk: essentially zero (2 lines, pattern is standard).
Benefit: prevents panic if triggered.
- UNVERIFIED: Could not access lore.kernel.org web UI due to Anubis bot
protection, but successfully retrieved full thread via b4 mbox.
**YES**
fs/ext2/inode.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/ext2/inode.c b/fs/ext2/inode.c
index dbfe9098a1245..18bf1a91dbc24 100644
--- a/fs/ext2/inode.c
+++ b/fs/ext2/inode.c
@@ -638,7 +638,8 @@ static int ext2_get_blocks(struct inode *inode,
int count = 0;
ext2_fsblk_t first_block = 0;
- BUG_ON(maxblocks == 0);
+ if (WARN_ON_ONCE(maxblocks == 0))
+ return -EINVAL;
depth = ext2_block_to_path(inode,iblock,offsets,&blocks_to_boundary);
--
2.53.0
^ permalink raw reply related
* [PATCH AUTOSEL 7.0-6.6] ext2: avoid drop_nlink() during unlink of zero-nlink inode in ext2_unlink()
From: Sasha Levin @ 2026-04-20 13:17 UTC (permalink / raw)
To: patches, stable
Cc: Ziyi Guo, Jan Kara, Sasha Levin, jack, linux-ext4, linux-kernel
In-Reply-To: <20260420132314.1023554-1-sashal@kernel.org>
From: Ziyi Guo <n7l8m4@u.northwestern.edu>
[ Upstream commit 19134a133184fcc49c41cf42797cb2e7fef76065 ]
ext2_unlink() calls inode_dec_link_count() unconditionally, which
invokes drop_nlink(). If the inode was loaded from a corrupted disk
image with i_links_count == 0, drop_nlink()
triggers WARN_ON(inode->i_nlink == 0)
Follow the ext4 pattern from __ext4_unlink(): check i_nlink before
decrementing. If already zero, skip the decrement.
Signed-off-by: Ziyi Guo <n7l8m4@u.northwestern.edu>
Link: https://patch.msgid.link/20260211022052.973114-1-n7l8m4@u.northwestern.edu
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
LLM Generated explanations, may be completely bogus:
Now I have all the information needed for a complete analysis. Let me
compile the full assessment.
---
## PHASE 1: COMMIT MESSAGE FORENSICS
### Step 1.1: Subject Line
- **Subsystem:** ext2 (filesystem)
- **Action verb:** "avoid" - indicates preventing an incorrect behavior
- **Summary:** Prevent `drop_nlink()` WARN_ON when unlinking an inode
that already has zero link count
### Step 1.2: Tags
- **Link:** `https://patch.msgid.link/20260211022052.973114-1-
n7l8m4@u.northwestern.edu` - original patch submission
- **Signed-off-by:** Ziyi Guo (author), Jan Kara (ext2/ext4 maintainer)
- No Fixes: tag (expected for this review pipeline)
- No Reported-by: tag, but the commit describes a specific WARN_ON
trigger from corrupted disk images
- No Cc: stable (expected)
### Step 1.3: Commit Body
- **Bug:** `ext2_unlink()` unconditionally calls
`inode_dec_link_count()`, which calls `drop_nlink()`. If the inode was
loaded from a corrupted disk with `i_links_count == 0`, `drop_nlink()`
triggers `WARN_ON(inode->i_nlink == 0)`.
- **Failure mode:** Kernel WARN_ON triggered, and then `i_nlink`
underflows to `(unsigned int)-1`.
- **Fix approach:** Follow the ext4 pattern from `__ext4_unlink()`:
check `i_nlink` before decrementing.
### Step 1.4: Hidden Bug Fix?
This is an explicit bug fix, not disguised. It directly addresses a
WARN_ON trigger and an nlink underflow from corrupted disk images.
---
## PHASE 2: DIFF ANALYSIS
### Step 2.1: Inventory
- **File:** `fs/ext2/namei.c` — 1 line removed, 3 lines added (net +2
lines)
- **Function modified:** `ext2_unlink()`
- **Scope:** Single-file, single-function, surgical fix
### Step 2.2: Code Flow Change
**Before:** `inode_dec_link_count(inode)` is called unconditionally
after a successful directory entry deletion.
**After:** `inode_dec_link_count(inode)` is only called if
`inode->i_nlink > 0`.
### Step 2.3: Bug Mechanism
Category: **Logic/correctness fix + defensive coding against
corruption**
The call chain is:
1. `ext2_unlink()` → `inode_dec_link_count()` (fs.h inline)
2. `inode_dec_link_count()` → `drop_nlink()` (fs/inode.c)
3. `drop_nlink()` has `WARN_ON(inode->i_nlink == 0)` followed by
`inode->__i_nlink--`
Verified from `fs/inode.c` lines 416-422:
```c
void drop_nlink(struct inode *inode)
{
WARN_ON(inode->i_nlink == 0);
inode->__i_nlink--;
...
}
```
With a corrupted disk where `i_links_count == 0`, this triggers the WARN
and underflows the nlink counter.
### Step 2.4: Fix Quality
- **Obviously correct:** Yes — if nlink is already 0, don't decrement
further.
- **Minimal/surgical:** Yes — 2 lines of logic added.
- **Regression risk:** Extremely low — only affects corrupted inodes
with zero nlink. Normal inodes always have nlink >= 1 during unlink.
- **Precedent:** The ext4 filesystem has had the identical check since
2019 (commit c7df4a1ecb857, by Theodore Ts'o, Cc: stable@kernel.org).
---
## PHASE 3: GIT HISTORY INVESTIGATION
### Step 3.1: Blame
The unconditional `inode_dec_link_count(inode)` at the unlink path
traces to `a513b035eadf80` (2006, Alexey Dobriyan - introduced the
`inode_dec_link_count` wrapper) but the underlying unlink logic is from
`1da177e4c3f41` (2005, Linus Torvalds, Linux 2.6.12-rc2). **This buggy
code has been present since the very first kernel in git.**
### Step 3.2: Fixes Tag
No Fixes: tag present. This is expected for the review pipeline. The bug
has existed since the origin of the codebase.
### Step 3.3: File History
Recent changes to `fs/ext2/namei.c` are all refactoring (folio
conversion, ctime accessors, idmap). None are related to nlink handling.
The fix is standalone with no prerequisites.
### Step 3.4: Author
Ziyi Guo is not a regular ext2 contributor. However, the commit was
signed by **Jan Kara** (`jack@suse.cz`), who is the ext2/ext4
maintainer. This gives the fix high credibility.
### Step 3.5: Dependencies
The fix has **zero dependencies**. It only adds an `if` guard around an
existing function call. No new functions, no new data structures.
---
## PHASE 4: MAILING LIST AND EXTERNAL RESEARCH
### Step 4.1-4.2: Patch Discussion
Lore was not accessible (Anubis protection). b4 dig could not match
because the HEAD SHA was incorrectly used. However, the Link: tag
confirms the patch was submitted and applied through Jan Kara's tree.
### Step 4.3: Bug Context
- The ext4 equivalent fix (c7df4a1ecb857) references bugzilla.kernel.org
bug 205433 — a real user-reported bug from corrupted disk images.
- The minix equivalent fixes (`009a2ba40303c`, `d3e0e8661ceb4`) were
**syzbot-reported**, confirming this class of bug is found by fuzzers
against ext2-like filesystems.
### Step 4.4: Related Patches
Multiple filesystems have received the exact same fix:
- **ext4:** c7df4a1ecb857 (2019, Cc: stable, by Theodore Ts'o)
- **minix rename:** 009a2ba40303c (syzbot-reported, Reviewed-by: Jan
Kara)
- **minix rmdir:** d3e0e8661ceb4 (syzbot-reported, Reviewed-by: Jan
Kara)
- **fat:** 8cafcb881364a (parent link count underflow in rmdir)
- **f2fs:** 42cb74a92adaf (prevent kernel warning from corrupted image)
This is a well-understood class of bug. Ext2 was the last remaining
major filesystem without the guard.
### Step 4.5: Stable History
The ext4 equivalent was explicitly tagged `Cc: stable@kernel.org` by
Theodore Ts'o, establishing a precedent that this class of fix belongs
in stable.
---
## PHASE 5: CODE SEMANTIC ANALYSIS
### Step 5.1-5.2: Functions
- **Modified function:** `ext2_unlink()` — called from:
- VFS unlink path (`.unlink = ext2_unlink` in
`ext2_dir_inode_operations`)
- `ext2_rmdir()` (line 308)
- `ext2_rename()` is not a direct caller
- VFS unlink is triggered by the `unlink()` syscall — this is a
**common, userspace-reachable path**.
### Step 5.3-5.4: Call Chain
`unlink()` syscall → `do_unlinkat()` → `vfs_unlink()` → `ext2_unlink()`
→ `inode_dec_link_count()` → `drop_nlink()` → **WARN_ON**
The buggy path is directly reachable from userspace with any corrupted
ext2 filesystem image.
### Step 5.5: Similar Patterns
`ext2_rmdir()` also has an unprotected `inode_dec_link_count(inode)` at
line 311 (after calling `ext2_unlink`). This is a separate path that
could benefit from a similar guard, but the current fix addresses the
most direct and common case.
---
## PHASE 6: STABLE TREE ANALYSIS
### Step 6.1: Code Exists in Stable
Verified: the exact same code exists in the 6.19.12 stable tree —
`inode_dec_link_count(inode)` at the same location in `ext2_unlink()`.
The buggy code has been present since Linux 2.6.12 and is in **every
active stable tree**.
### Step 6.2: Backport Complications
The code in the 7.0 tree and the 6.19.12 stable tree is **identical**
around `ext2_unlink()`. The patch will apply cleanly. Older stable trees
(pre-6.6) that use page-based rather than folio-based code will have the
same surrounding logic — the fix only touches the `inode_dec_link_count`
line, which hasn't changed.
### Step 6.3: Related Fixes in Stable
No equivalent ext2 fix is already in stable. The ext4 fix
(c7df4a1ecb857) went to stable in 2019.
---
## PHASE 7: SUBSYSTEM CONTEXT
### Step 7.1: Subsystem Criticality
- **Subsystem:** ext2 filesystem (fs/ext2/)
- **Criticality:** IMPORTANT — ext2 is widely used in embedded systems,
USB drives, small partitions, and as a simple filesystem for testing.
Any machine that mounts an ext2 filesystem is affected.
### Step 7.2: Activity
ext2 is a mature, stable subsystem with infrequent changes. Bug has been
present for 20+ years, making the fix more important for stable (more
deployed systems affected).
---
## PHASE 8: IMPACT AND RISK ASSESSMENT
### Step 8.1: Affected Population
All users who mount ext2 filesystems — this includes:
- Embedded systems, USB drives, legacy partitions
- Any system handling potentially corrupted or malicious ext2 images
### Step 8.2: Trigger Conditions
- **Trigger:** Mount a corrupted ext2 filesystem with an inode that has
`i_links_count == 0`, then unlink that file.
- **Likelihood:** Uncommon in normal usage, but straightforward with
corrupted/malicious disk images.
- **Unprivileged user:** Yes — can be triggered by any user with write
access to the mounted filesystem (or via auto-mounted USB devices).
- **Security relevance:** Mounting crafted filesystem images is a known
attack vector.
### Step 8.3: Failure Mode Severity
- **WARN_ON trigger:** Produces a kernel warning with full stack trace
(log spam, potential for denial-of-service if warnings cause system
slowdown or panic-on-warn)
- **nlink underflow:** `i_nlink` wraps to `(unsigned int)-1`, which
corrupts the inode state in memory
- **Severity:** MEDIUM-HIGH (WARN_ON + data corruption in inode state)
- On systems with `panic_on_warn`, this becomes a **kernel panic**
(CRITICAL).
### Step 8.4: Risk-Benefit Ratio
- **Benefit:** Prevents WARN_ON, nlink underflow, and potential panic on
corrupted ext2 images. Established pattern across 5+ filesystems.
- **Risk:** Near-zero. The fix is a 2-line `if` guard that only
activates on corrupted inodes. Normal operations are completely
unaffected.
- **Ratio:** Very favorable for backporting.
---
## PHASE 9: FINAL SYNTHESIS
### Step 9.1: Evidence Summary
**FOR backporting:**
- Fixes a real bug: WARN_ON + nlink underflow on corrupted disk images
- Extremely small and surgical: 2 lines of code
- Obviously correct: simple `if (inode->i_nlink)` guard
- Follows established pattern from ext4 (which was CC'd stable by Ted
Ts'o)
- Same class of fix applied to minix (syzbot-reported), fat, f2fs
- Signed by ext2 maintainer Jan Kara
- Buggy code exists in ALL stable trees (since 2005)
- Patch applies cleanly to stable trees
- No dependencies on other commits
- Zero regression risk for normal operations
- On `panic_on_warn` systems, this prevents a kernel panic
**AGAINST backporting:**
- No explicit Fixes: tag (expected, not a negative signal)
- Only the unlink path is fixed; ext2_rmdir has a similar unprotected
path (but this fix is still standalone and valuable)
- Trigger requires corrupted disk image (not common in normal usage)
### Step 9.2: Stable Rules Checklist
1. **Obviously correct and tested?** YES — trivial guard, same pattern
as ext4 (in stable since 2019)
2. **Fixes a real bug?** YES — WARN_ON and nlink underflow from
corrupted images
3. **Important issue?** YES — kernel warning, potential data corruption,
panic-on-warn
4. **Small and contained?** YES — 2 lines, single function, single file
5. **No new features/APIs?** YES — purely defensive check
6. **Applies to stable?** YES — verified identical code in 6.19.12
### Step 9.3: Exception Categories
Not needed — this meets standard stable criteria as a bug fix.
### Step 9.4: Decision
Clear YES. This is a textbook stable backport: a tiny, obviously correct
fix that prevents a kernel warning and nlink corruption on mounted
corrupted ext2 filesystems, following an established pattern across
multiple filesystems, signed by the subsystem maintainer.
---
## Verification
- [Phase 1] Parsed tags: Link to patch.msgid.link, Signed-off-by Jan
Kara (ext2 maintainer)
- [Phase 2] Diff analysis: 2 lines added — `if (inode->i_nlink)` guard
around `inode_dec_link_count(inode)` in `ext2_unlink()`
- [Phase 2] Confirmed `drop_nlink()` in `fs/inode.c:416-422` has
`WARN_ON(inode->i_nlink == 0)` followed by `inode->__i_nlink--`
- [Phase 2] Confirmed `inode_dec_link_count()` in
`include/linux/fs.h:2251-2255` calls `drop_nlink()` then
`mark_inode_dirty()`
- [Phase 3] git blame: buggy `inode_dec_link_count` introduced in
a513b035eadf80 (2006), underlying logic from 1da177e4c3f41 (2005,
original kernel)
- [Phase 3] No prerequisites found; fix is standalone
- [Phase 3] git log: no related ext2 unlink fixes in recent history
- [Phase 4] b4 dig: could not match due to commit not being in this
tree; lore.kernel.org blocked by Anubis
- [Phase 4] ext4 equivalent fix c7df4a1ecb857 (Theodore Ts'o, 2019)
verified — has `Cc: stable@kernel.org` and `Reviewed-by: Andreas
Dilger`
- [Phase 4] minix equivalents 009a2ba40303c and d3e0e8661ceb4 verified —
syzbot-reported, Reviewed-by Jan Kara
- [Phase 5] Callers: ext2_unlink is VFS `.unlink` handler, reachable
from `unlink()` syscall — common path
- [Phase 5] Also called from ext2_rmdir (which has its own unprotected
inode_dec_link_count)
- [Phase 6] Verified: 6.19.12 stable tree has identical unfixed code at
same location in ext2_unlink()
- [Phase 6] Patch applies cleanly — surrounding context is identical
- [Phase 7] ext2 is a mature, widely-deployed filesystem — IMPORTANT
criticality
- [Phase 8] Failure mode: WARN_ON + nlink underflow; CRITICAL on
panic_on_warn systems
- [Phase 8] Risk: near-zero (2-line if guard, only activates on
corrupted inodes)
**YES**
fs/ext2/namei.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/ext2/namei.c b/fs/ext2/namei.c
index bde617a66cecd..728c487308baf 100644
--- a/fs/ext2/namei.c
+++ b/fs/ext2/namei.c
@@ -293,7 +293,10 @@ static int ext2_unlink(struct inode *dir, struct dentry *dentry)
goto out;
inode_set_ctime_to_ts(inode, inode_get_ctime(dir));
- inode_dec_link_count(inode);
+
+ if (inode->i_nlink)
+ inode_dec_link_count(inode);
+
err = 0;
out:
return err;
--
2.53.0
^ permalink raw reply related
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox