From: Christian Brauner <brauner@kernel.org>
To: Jan Kara <jack@suse.com>, Jaegeuk Kim <jaegeuk@kernel.org>,
Chao Yu <chao@kernel.org>,
linux-f2fs-devel@lists.sourceforge.net
Cc: Christian Brauner <brauner@kernel.org>,
syzbot <syzbot+20d7e439f76bbbd863a7@syzkaller.appspotmail.com>,
Oleg Nesterov <oleg@redhat.com>,
Mateusz Guzik <mjguzik@gmail.com>,
paulmck@kernel.org, Hillf Danton <hdanton@sina.com>,
rcu@vger.kernel.org, frank.li@vivo.com, jack@suse.cz,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk
Subject: Re: [syzbot] [f2fs?] WARNING in rcu_sync_dtor
Date: Mon, 29 Jul 2024 11:10:09 +0200 [thread overview]
Message-ID: <20240729-himbeeren-funknetz-96e62f9c7aee@brauner> (raw)
In-Reply-To: <0000000000004ff2dc061e281637@google.com>
On Fri, Jul 26, 2024 at 08:23:02AM GMT, syzbot wrote:
> syzbot has bisected this issue to:
>
> commit b62e71be2110d8b52bf5faf3c3ed7ca1a0c113a5
> Author: Chao Yu <chao@kernel.org>
> Date: Sun Apr 23 15:49:15 2023 +0000
>
> f2fs: support errors=remount-ro|continue|panic mountoption
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=119745f1980000
> start commit: 1722389b0d86 Merge tag 'net-6.11-rc1' of git://git.kernel...
> git tree: upstream
> final oops: https://syzkaller.appspot.com/x/report.txt?x=139745f1980000
> console output: https://syzkaller.appspot.com/x/log.txt?x=159745f1980000
> kernel config: https://syzkaller.appspot.com/x/.config?x=b698a1b2fcd7ef5f
> dashboard link: https://syzkaller.appspot.com/bug?extid=20d7e439f76bbbd863a7
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1237a1f1980000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=115edac9980000
>
> Reported-by: syzbot+20d7e439f76bbbd863a7@syzkaller.appspotmail.com
> Fixes: b62e71be2110 ("f2fs: support errors=remount-ro|continue|panic mountoption")
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Thanks to Paul and Oleg for point me in the right direction and
explaining that rcu sync warning.
That patch here is remounting a superblock read-only directly by raising
SB_RDONLY without the involvement of the VFS at all. That's pretty
broken and is likely to cause trouble if done wrong. The rough order of
operations to transition rw->ro usualy include checking that the
filsystem is unfrozen, and marking all mounts read-only, then calling
into the filesystem so it can do whatever it wants to do.
In any case, all of this requires holding sb->s_umount. Not holding
sb->s_umount will end up confusing freeze_super() (Thanks to Oleg for
noticing!). When freeze_super() is called on a non-ro filesystem it will
acquire
percpu_down_write(SB_FREEZE_WRITE+SB_FREEZE_PAGEFAULT+SB_FREEZE_FS) and
thaw_super() needs to call
sb_freeze_unlock(SB_FREEZE_FS+SB_FREEZE_PAGEFAULT+SB_FREEZE_WRITE) but
because you just raise SB_RDONLY you end up causing thaw_super() to skip
that step causing the bug in rcu_sync_dtor() to be noticed.
Btw, ext4 has similar logic where it raises SB_RDONLY without checking
whether the filesystem is frozen.
So I guess, this is technically ok as long as that emergency SB_RDONLY raising
in sb->s_flags is not done while the fs is already frozen. I think ext4 can
probably never do that. Jan?
My guess is that something in f2fs can end up raising SB_RDONLY after
the filesystem is frozen and so it causes this bug. I suspect this is coming
from the gc_thread() which might issue a f2fs_stop_checkpoint() while the fs is
already about to be frozen but before the gc thread is stopped as part of the
freeze.
next prev parent reply other threads:[~2024-07-29 9:11 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-26 7:54 [syzbot] [f2fs?] WARNING in rcu_sync_dtor syzbot
2024-07-26 15:23 ` syzbot
2024-07-29 9:10 ` Christian Brauner [this message]
2024-07-29 13:27 ` Jan Kara
2024-07-29 13:58 ` Theodore Ts'o
2024-07-30 12:38 ` Jan Kara
2024-08-01 22:28 ` Dave Chinner
2024-09-11 1:48 ` Chao Yu
2024-09-11 2:12 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240729-himbeeren-funknetz-96e62f9c7aee@brauner \
--to=brauner@kernel.org \
--cc=chao@kernel.org \
--cc=frank.li@vivo.com \
--cc=hdanton@sina.com \
--cc=jack@suse.com \
--cc=jack@suse.cz \
--cc=jaegeuk@kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mjguzik@gmail.com \
--cc=oleg@redhat.com \
--cc=paulmck@kernel.org \
--cc=rcu@vger.kernel.org \
--cc=syzbot+20d7e439f76bbbd863a7@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).