[Bug report] crypto: zstd: kernel dump during UBIFS write back

[Bug report] crypto: zstd: kernel dump during UBIFS write back

[Han Xu]

Hi Suman,

The patch f5ad93ffb5411 "crypto: zstd - convert to acomp"
leads to the following kernel dump during UBIFS write back.

To reproduce:
Build arm64 kernel with defconfig, plus CONFIG_MTD_NAND_NANDSIM, CONFIG_MTD_UBI and CONFIG_UBIFS_FS enabled.

Run the following bash script to trigger the kernel dump:
mkdir -p tmp
flash_erase /dev/mtd0 0 0
ubiattach /dev/ubi_ctrl -m 0
ubimkvol /dev/ubi0 -N test -m
mount -t ubifs ubi0:test tmp
dd if=/dev/urandom of=testfile bs=128 count=1
cp testfile tmp
sync 

Log:
Erasing 131072 Kibyte @ 0 -- 100 % complete
[   60.179066] ubi0: attaching mtd0
[   60.232494] ubi0: scanning is finished
[   60.236291] ubi0: empty MTD device detected
[   60.282193] ubi0: attached mtd0 (name "NAND simulator partition 0", size 128 MiB)
[   60.289761] ubi0: PEB size: 16384 bytes (16 KiB), LEB size: 15872 bytes
[   60.296462] ubi0: min./max. I/O unit sizes: 512/512, sub-page size 256
[   60.303076] ubi0: VID header offset: 256 (aligned 256), data offset: 512
[   60.309832] ubi0: good PEBs: 8192, bad PEBs: 0, corrupted PEBs: 0
[   60.315987] ubi0: user volume: 0, internal volumes: 1, max. volumes count: 92
[   60.323160] ubi0: max/mean erase counter: 0/0, WL threshold: 4096, image sequence number: 3176911815
[   60.332327] ubi0: available PEBs: 8028, total reserved PEBs: 164, PEBs reserved for bad PEB handling: 160
[   60.341953] ubi0: background thread "ubi_bgt0d" started, PID 466
UBI device number 0, total 8192 LEBs (130023424 bytes, 124.0 MiB), available 8028 LEBs (127420416 bytes, 121.5 MiB), LEB size 15872 bytes (15.5 KiB)
Set volume size to 127420416
Volume ID 0, size 8028 LEBs (127420416 bytes, 121.5 MiB), LEB size 15872 bytes (15.5 KiB), dynamic, name "test", alignment 1
[   60.407476] UBIFS (ubi0:0): default file-system created
[   60.412898] UBIFS (ubi0:0): Mounting in unauthenticated mode
[   60.420849] UBIFS (ubi0:0): UBIFS: mounted UBI device 0, volume 0, name "test"
[   60.428137] UBIFS (ubi0:0): background thread "ubifs_bgt0_0" started, PID 470
[   60.435337] UBIFS (ubi0:0): LEB size: 15872 bytes (15 KiB), min./max. I/O unit sizes: 512 bytes/512 bytes
[   60.444981] UBIFS (ubi0:0): FS size: 126722048 bytes (120 MiB, 7984 LEBs), max 8028 LEBs, journal size 6364672 bytes (6 MiB, 401 LEBs)
[   60.457141] UBIFS (ubi0:0): reserved for root: 4952683 bytes (4836 KiB)
[   60.463806] UBIFS (ubi0:0): media format: w5/r0 (latest is w5/r0), UUID 2B0FCD95-73DD-4B63-B790-33F6C7212991, big LPT model
1+0 records in
1+0 records out
128 bytes copied, 0.0035255 s, 36.3 kB/s
[   61.243714] Unable to handle kernel paging request at virtual address ffff000840000000
[   61.251726] Mem abort info:
[   61.254564]   ESR = 0x0000000096000005
[   61.258346]   EC = 0x25: DABT (current EL), IL = 32 bits
[   61.263684]   SET = 0, FnV = 0
[   61.266760]   EA = 0, S1PTW = 0
[   61.269919]   FSC = 0x05: level 1 translation fault
[   61.274821] Data abort info:
[   61.277721]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[   61.283229]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[   61.288307]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[   61.293647] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000082084000
[   61.300380] [ffff000840000000] pgd=0000000000000000, p4d=18000008bffff403, pud=0000000000000000
[   61.309121] Internal error: Oops: 0000000096000005 [#1]  SMP
[   61.314791] Modules linked in:
[   61.317861] CPU: 0 UID: 0 PID: 115 Comm: kworker/u16:4 Not tainted 6.16.0-rc1-00055-gf5ad93ffb541 #171 PREEMPT
[   61.327960] Hardware name: Freescale i.MX8QXP MEK (DT)
[   61.333105] Workqueue: writeback wb_workfn (flush-ubifs_0_0)
[   61.338794] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[   61.345769] pc : crc32_le_arm64_4way+0x60/0xc0
[   61.350225] lr : crc32_le_arch+0xa8/0xe4
[   61.354151] sp : ffff800083dbb720
[   61.357472] x29: ffff800083dbb720 x28: 00000000ffffffea x27: 0000000000000000
[   61.364628] x26: fffffdffe0590940 x25: 0000000000000000 x24: 0000000000000001
[   61.371786] x23: ffff800083dbb890 x22: ffff000815eac310 x21: 0000000000000000
[   61.378945] x20: ffff0008134aa000 x19: 00000000ffffffff x18: 000000000000000a
[   61.386103] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
[   61.393262] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
[   61.400420] x11: 0000000000000000 x10: 0000000000000000 x9 : ffff00083ffffff8
[   61.407579] x8 : ffff00083ffffc08 x7 : ffff00083ffff808 x6 : 0000000000000000
[   61.414739] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
[   61.421896] x2 : 03ffffffff4d2a7f x1 : ffff00083ffff408 x0 : 00000000b4fb8473
[   61.429057] Call trace:
[   61.431508]  crc32_le_arm64_4way+0x60/0xc0 (P)
[   61.435964]  ubifs_prepare_node+0x30/0x44
[   61.439986]  ubifs_jnl_write_data+0x174/0x280
[   61.444355]  do_writepage+0x94/0x320
[   61.447943]  ubifs_writepage+0xf4/0x194
[   61.451792]  write_cache_pages+0x64/0xd4
[   61.455727]  ubifs_writepages+0x1c/0x28
[   61.459576]  do_writepages+0xa8/0x17c
[   61.463250]  __writeback_single_inode+0x38/0x19c
[   61.467881]  writeback_sb_inodes+0x23c/0x408
[   61.472164]  __writeback_inodes_wb+0x50/0x108
[   61.476534]  wb_writeback.isra.0+0x164/0x1f0
[   61.480817]  wb_workfn+0x220/0x324
[   61.484231]  process_one_work+0x150/0x294
[   61.488253]  worker_thread+0x2dc/0x3dc
[   61.492015]  kthread+0x130/0x204
[   61.495255]  ret_from_fork+0x10/0x20
[   61.498849] Code: 9ad14cc6 a8c12c2a a8c134ec a8c13d0e (a8c14530)
[   61.504953] ---[ end trace 0000000000000000 ]---
[   61.509627] ------------[ cut here ]------------
[   61.514259] WARNING: CPU: 0 PID: 115 at kernel/exit.c:902 do_exit+0x6f4/0x8e8
[   61.521422] Modules linked in:
[   61.524495] CPU: 0 UID: 0 PID: 115 Comm: kworker/u16:4 Tainted: G      D             6.16.0-rc1-00055-gf5ad93ffb541 #171 PREEMPT
[   61.536167] Tainted: [D]=DIE
[   61.539048] Hardware name: Freescale i.MX8QXP MEK (DT)
[   61.544195] Workqueue: writeback wb_workfn (flush-ubifs_0_0)
[   61.549883] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[   61.556858] pc : do_exit+0x6f4/0x8e8
[   61.560444] lr : make_task_dead+0x84/0x180
[   61.564553] sp : ffff800083dbb350
[   61.567874] x29: ffff800083dbb350 x28: fffffffffffffcff x27: ffff800081de5000
[   61.575030] x26: ffff800081bd8f90 x25: 0000000000000000 x24: 0000000000000000
[   61.582191] x23: ffff800081bde168 x22: 000000000000000b x21: ffff00081238c600
[   61.589347] x20: 000000000000000b x19: ffff00081238c600 x18: 00000000ffffffff
[   61.596506] x17: 3734386266346230 x16: 3030303030303020 x15: ffff800103dbb047
[   61.603664] x14: ffff00081238c680 x13: ffff8000829d6c98 x12: 00000000000005fd
[   61.610823] x11: 00000000000001ff x10: ffff00081238c680 x9 : 0000000000000023
[   61.617981] x8 : 0000000000000000 x7 : ffff00081238c680 x6 : 00000000000091c5
[   61.625140] x5 : 000000000000002c x4 : 000000000000b5c5 x3 : 0000000000000000
[   61.632298] x2 : ffff00081238c600 x1 : 0000000000002710 x0 : ffff800083dbbca8
[   61.639459] Call trace:
[   61.641910]  do_exit+0x6f4/0x8e8 (P)
[   61.645497]  make_task_dead+0x84/0x180
[   61.649259]  arm64_force_sig_fault+0x0/0x70
[   61.653452]  die_kernel_fault+0x234/0x4e0
[   61.657476]  __do_kernel_fault+0x11c/0x188
[   61.661586]  do_translation_fault+0x60/0xcc
[   61.665782]  do_mem_abort+0x44/0x94
[   61.669281]  el1_abort+0x40/0x64
[   61.672524]  el1h_64_sync_handler+0xa4/0x120
[   61.676807]  el1h_64_sync+0x6c/0x70
[   61.680308]  crc32_le_arm64_4way+0x60/0xc0 (P)
[   61.684762]  ubifs_prepare_node+0x30/0x44
[   61.688785]  ubifs_jnl_write_data+0x174/0x280
[   61.693157]  do_writepage+0x94/0x320
[   61.696744]  ubifs_writepage+0xf4/0x194
[   61.700593]  write_cache_pages+0x64/0xd4
[   61.704528]  ubifs_writepages+0x1c/0x28
[   61.708377]  do_writepages+0xa8/0x17c
[   61.712052]  __writeback_single_inode+0x38/0x19c
[   61.716682]  writeback_sb_inodes+0x23c/0x408
[   61.720965]  __writeback_inodes_wb+0x50/0x108
[   61.725335]  wb_writeback.isra.0+0x164/0x1f0
[   61.729618]  wb_workfn+0x220/0x324
[   61.733032]  process_one_work+0x150/0x294
[   61.737055]  worker_thread+0x2dc/0x3dc
[   61.740816]  kthread+0x130/0x204
[   61.744056]  ret_from_fork+0x10/0x20
[   61.747645] ---[ end trace 0000000000000000 ]---
______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/

[PATCH] crypto: zstd - Fix compression bug caused by truncation

[Herbert Xu]

On Mon, Sep 29, 2025 at 11:51:36PM +0000, Han Xu wrote:
> Hi Suman,
> 
> The patch f5ad93ffb5411 "crypto: zstd - convert to acomp"
> leads to the following kernel dump during UBIFS write back.

Thanks for the detailed report and instructions!

Please let me know if you still get the crash with this patch:

---8<---
Use size_t for the return value of zstd_compress_cctx as otherwise
negative errors will be truncated to a positive value.

Reported-by: Han Xu <han.xu@nxp.com>
Fixes: f5ad93ffb541 ("crypto: zstd - convert to acomp")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/crypto/zstd.c b/crypto/zstd.c
index c2a19cb0879d..ac318d333b68 100644
--- a/crypto/zstd.c
+++ b/crypto/zstd.c
@@ -83,7 +83,7 @@ static void zstd_exit(struct crypto_acomp *acomp_tfm)
 static int zstd_compress_one(struct acomp_req *req, struct zstd_ctx *ctx,
 			     const void *src, void *dst, unsigned int *dlen)
 {
-	unsigned int out_len;
+	size_t out_len;
 
 	ctx->cctx = zstd_init_cctx(ctx->wksp, ctx->wksp_size);
 	if (!ctx->cctx)
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/

Re: [PATCH] crypto: zstd - Fix compression bug caused by truncation

[Suman Kumar Chakraborty]

On Tue, Sep 30, 2025 at 04:08:34PM +0800, Herbert Xu wrote:
> On Mon, Sep 29, 2025 at 11:51:36PM +0000, Han Xu wrote:
> > Hi Suman,
> > 
> > The patch f5ad93ffb5411 "crypto: zstd - convert to acomp"
> > leads to the following kernel dump during UBIFS write back.
> 
> Thanks for the detailed report and instructions!
> 
> Please let me know if you still get the crash with this patch:

Thank you Herbert. It fixes the issue.

> 
> ---8<---
> Use size_t for the return value of zstd_compress_cctx as otherwise
> negative errors will be truncated to a positive value.
> 
> Reported-by: Han Xu <han.xu@nxp.com>
> Fixes: f5ad93ffb541 ("crypto: zstd - convert to acomp")
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
> 
> diff --git a/crypto/zstd.c b/crypto/zstd.c
> index c2a19cb0879d..ac318d333b68 100644
> --- a/crypto/zstd.c
> +++ b/crypto/zstd.c
> @@ -83,7 +83,7 @@ static void zstd_exit(struct crypto_acomp *acomp_tfm)
>  static int zstd_compress_one(struct acomp_req *req, struct zstd_ctx *ctx,
>  			     const void *src, void *dst, unsigned int *dlen)
>  {
> -	unsigned int out_len;
> +	size_t out_len;
>  
>  	ctx->cctx = zstd_init_cctx(ctx->wksp, ctx->wksp_size);
>  	if (!ctx->cctx)
> -- 
> Email: Herbert Xu <herbert@gondor.apana.org.au>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/

Re: [PATCH] crypto: zstd - Fix compression bug caused by truncation

[David Sterba]

On Tue, Sep 30, 2025 at 04:08:34PM +0800, Herbert Xu wrote:
> On Mon, Sep 29, 2025 at 11:51:36PM +0000, Han Xu wrote:
> > Hi Suman,
> > 
> > The patch f5ad93ffb5411 "crypto: zstd - convert to acomp"
> > leads to the following kernel dump during UBIFS write back.
> 
> Thanks for the detailed report and instructions!
> 
> Please let me know if you still get the crash with this patch:
> 
> ---8<---
> Use size_t for the return value of zstd_compress_cctx as otherwise
> negative errors will be truncated to a positive value.
> 
> Reported-by: Han Xu <han.xu@nxp.com>
> Fixes: f5ad93ffb541 ("crypto: zstd - convert to acomp")
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Reviewed-by: David Sterba <dsterba@suse.com>

> 
> diff --git a/crypto/zstd.c b/crypto/zstd.c
> index c2a19cb0879d..ac318d333b68 100644
> --- a/crypto/zstd.c
> +++ b/crypto/zstd.c
> @@ -83,7 +83,7 @@ static void zstd_exit(struct crypto_acomp *acomp_tfm)
>  static int zstd_compress_one(struct acomp_req *req, struct zstd_ctx *ctx,
>  			     const void *src, void *dst, unsigned int *dlen)
>  {
> -	unsigned int out_len;
> +	size_t out_len;
>  
>  	ctx->cctx = zstd_init_cctx(ctx->wksp, ctx->wksp_size);
>  	if (!ctx->cctx)
> -- 
> Email: Herbert Xu <herbert@gondor.apana.org.au>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/

Re: [PATCH] crypto: zstd - Fix compression bug caused by truncation

[Han Xu]

On 25/09/30 03:32PM, David Sterba wrote:
> 
> On Tue, Sep 30, 2025 at 04:08:34PM +0800, Herbert Xu wrote:
> > On Mon, Sep 29, 2025 at 11:51:36PM +0000, Han Xu wrote:
> > > Hi Suman,
> > >
> > > The patch f5ad93ffb5411 "crypto: zstd - convert to acomp"
> > > leads to the following kernel dump during UBIFS write back.
> >
> > Thanks for the detailed report and instructions!
> >
> > Please let me know if you still get the crash with this patch:
> >
> > ---8<---
> > Use size_t for the return value of zstd_compress_cctx as otherwise
> > negative errors will be truncated to a positive value.
> >
> > Reported-by: Han Xu <han.xu@nxp.com>
> > Fixes: f5ad93ffb541 ("crypto: zstd - convert to acomp")
> > Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
> 
> Reviewed-by: David Sterba <dsterba@suse.com>

It works well now. Thanks for the quick fix.

Tested-by: Han Xu <han.xu@nxp.com>

> 
> >
> > diff --git a/crypto/zstd.c b/crypto/zstd.c
> > index c2a19cb0879d..ac318d333b68 100644
> > --- a/crypto/zstd.c
> > +++ b/crypto/zstd.c
> > @@ -83,7 +83,7 @@ static void zstd_exit(struct crypto_acomp *acomp_tfm)
> >  static int zstd_compress_one(struct acomp_req *req, struct zstd_ctx *ctx,
> >                            const void *src, void *dst, unsigned int *dlen)
> >  {
> > -     unsigned int out_len;
> > +     size_t out_len;
> >
> >       ctx->cctx = zstd_init_cctx(ctx->wksp, ctx->wksp_size);
> >       if (!ctx->cctx)
> > --

______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/