[syzbot] [nilfs?] INFO: task hung in nilfs_transaction_begin (2)

[syzbot] [nilfs?] INFO: task hung in nilfs_transaction_begin (2)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    897d54018cc9 Merge tag 'fbdev-for-7.1-rc1-2' of git://git...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=158d02ce580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4caf64b1ee83dac0
dashboard link: https://syzkaller.appspot.com/bug?extid=62f0f99d2f2bb8e3bbd7
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15c1d2d2580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=104609ba580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7ee63649b268/disk-897d5401.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/dea757dcebb8/vmlinux-897d5401.xz
kernel image: https://storage.googleapis.com/syzbot-assets/340e219de0d5/bzImage-897d5401.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/f712fa2cd562/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+62f0f99d2f2bb8e3bbd7@syzkaller.appspotmail.com

INFO: task syz.0.17:5918 blocked for more than 143 seconds.
      Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.17        state:D stack:25832 pid:5918  tgid:5911  ppid:5833   task_flags:0x400040 flags:0x00080002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5387 [inline]
 __schedule+0x17b4/0x5680 kernel/sched/core.c:7188
 __schedule_loop kernel/sched/core.c:7267 [inline]
 schedule+0x164/0x360 kernel/sched/core.c:7282
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7339
 rwsem_down_read_slowpath+0x6d9/0x940 kernel/locking/rwsem.c:1114
 __down_read_common kernel/locking/rwsem.c:1291 [inline]
 __down_read kernel/locking/rwsem.c:1304 [inline]
 down_read+0x99/0x2e0 kernel/locking/rwsem.c:1570
 nilfs_transaction_begin+0x364/0x710 fs/nilfs2/segment.c:221
 nilfs_setattr+0x124/0x2c0 fs/nilfs2/inode.c:921
 notify_change+0xc1a/0xf40 fs/attr.c:556
 chmod_common+0x273/0x4a0 fs/open.c:637
 do_fchmodat+0x12d/0x230 fs/open.c:682
 __do_sys_fchmodat fs/open.c:701 [inline]
 __se_sys_fchmodat fs/open.c:698 [inline]
 __x64_sys_fchmodat+0x7d/0x90 fs/open.c:698
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc71999cdd9
RSP: 002b:00007fc71a8fe028 EFLAGS: 00000246
 ORIG_RAX: 000000000000010c
RAX: ffffffffffffffda RBX: 00007fc719c16090 RCX: 00007fc71999cdd9
RDX: 000000000000017f RSI: 0000200000000300 RDI: ffffffffffffff9c
RBP: 00007fc719a32d69 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fc719c16128 R14: 00007fc719c16090 R15: 00007fffbf6a8c68
 </TASK>

Showing all locks held in the system:
1 lock held by khungtaskd/31:
 #0: ffffffff8e95cd60 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:300 [inline]
 #0: ffffffff8e95cd60 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline]
 #0: ffffffff8e95cd60 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6775
2 locks held by getty/5375:
 #0: ffff888035c970a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
 #1: ffffc9000321e2e8 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x45c/0x13a0 drivers/tty/n_tty.c:2211
2 locks held by syz.0.17/5912:
4 locks held by syz.0.17/5918:
 #0: ffff888079e74410 (sb_writers#12){.+.+}-{0:0}, at: mnt_want_write+0x41/0x90 fs/namespace.c:493
 #1: ffff88805f4f0ec0 (&type->i_mutex_dir_key#8){++++}-{4:4}, at: inode_lock_killable include/linux/fs.h:1034 [inline]
 #1: ffff88805f4f0ec0 (&type->i_mutex_dir_key#8){++++}-{4:4}, at: chmod_common+0x191/0x4a0 fs/open.c:629
 #2: ffff888079e74600 (sb_internal#2){.+.+}-{0:0}, at: nilfs_setattr+0x124/0x2c0 fs/nilfs2/inode.c:921
 #3: ffff888078880288 (&nilfs->ns_segctor_sem){++++}-{4:4}, at: nilfs_transaction_begin+0x364/0x710 fs/nilfs2/segment.c:221
3 locks held by syz.1.18/6027:
4 locks held by syz.1.18/6029:
 #0: ffff888076484410 (sb_writers#12){.+.+}-{0:0}, at: mnt_want_write+0x41/0x90 fs/namespace.c:493
 #1: ffff88805f41ddf8 (&type->i_mutex_dir_key#8){++++}-{4:4}, at: inode_lock_killable include/linux/fs.h:1034 [inline]
 #1: ffff88805f41ddf8 (&type->i_mutex_dir_key#8){++++}-{4:4}, at: chmod_common+0x191/0x4a0 fs/open.c:629
 #2: ffff888076484600 (sb_internal#2){.+.+}-{0:0}, at: nilfs_setattr+0x124/0x2c0 fs/nilfs2/inode.c:921
 #3: ffff8880316d2288 (&nilfs->ns_segctor_sem){++++}-{4:4}, at: nilfs_transaction_begin+0x364/0x710 fs/nilfs2/segment.c:221
2 locks held by syz.2.19/6067:
4 locks held by syz.2.19/6069:
 #0: 
ffff888032d1a410
 (
sb_writers#12){.+.+}-{0:0}, at: mnt_want_write+0x41/0x90 fs/namespace.c:493
 #1: ffff88805f4f3968 (&type->i_mutex_dir_key#8){++++}-{4:4}, at: inode_lock_killable include/linux/fs.h:1034 [inline]
 #1: ffff88805f4f3968 (&type->i_mutex_dir_key#8){++++}-{4:4}, at: chmod_common+0x191/0x4a0 fs/open.c:629
 #2: ffff888032d1a600 (sb_internal#2
){.+.+}-{0:0}
, at: nilfs_setattr+0x124/0x2c0 fs/nilfs2/inode.c:921
 #3: 
ffff888079970288
 (
&nilfs->ns_segctor_sem
){++++}-{4:4}
, at: nilfs_transaction_begin+0x364/0x710 fs/nilfs2/segment.c:221
2 locks held by syz.3.20/6113:
4 locks held by syz.3.20/6115:
 #0: 
ffff88802539c410
 (
sb_writers
#12
){.+.+}-{0:0}
, at: mnt_want_write+0x41/0x90 fs/namespace.c:493
 #1: 
ffff88806f1d0290
 (
&type->i_mutex_dir_key
#8
){++++}-{4:4}
, at: inode_lock_killable include/linux/fs.h:1034 [inline]
, at: chmod_common+0x191/0x4a0 fs/open.c:629
 #2: 
ffff88802539c600
 (sb_internal#2){.+.+}-{0:0}, at: nilfs_setattr+0x124/0x2c0 fs/nilfs2/inode.c:921
 #3: 
ffff88802512c288
 (
&nilfs->ns_segctor_sem
){++++}-{4:4}, at: nilfs_transaction_begin+0x364/0x710 fs/nilfs2/segment.c:221
7 locks held by syz.4.21/6161:
4 locks held by syz.4.21/6163:
 #0: ffff888067cac410
 (sb_writers
#12){.+.+}-{0:0}, at: mnt_want_write+0x41/0x90 fs/namespace.c:493
 #1: ffff88806f1d5df8
 (&type->i_mutex_dir_key
#8
){++++}-{4:4}
, at: inode_lock_killable include/linux/fs.h:1034 [inline]
, at: chmod_common+0x191/0x4a0 fs/open.c:629
 #2: 
ffff888067cac600
 (
sb_internal
#2){.+.+}-{0:0}, at: nilfs_setattr+0x124/0x2c0 fs/nilfs2/inode.c:921
 #3: 
ffff888076c65288
 (
&nilfs->ns_segctor_sem
){++++}-{4:4}
, at: nilfs_transaction_begin+0x364/0x710 fs/nilfs2/segment.c:221
2 locks held by syz.5.22/6208:
4 locks held by syz.5.22/6210:
 #0: 
ffff88807c43a410
 (
sb_writers
#12
){.+.+}-{0:0}, at: mnt_want_write+0x41/0x90 fs/namespace.c:493
 #1: ffff88806f01a720 (&type->i_mutex_dir_key#8
){++++}-{4:4}
, at: inode_lock_killable include/linux/fs.h:1034 [inline]
, at: chmod_common+0x191/0x4a0 fs/open.c:629
 #2: 
ffff88807c43a600
 (
sb_internal
#2
){.+.+}-{0:0}
, at: nilfs_setattr+0x124/0x2c0 fs/nilfs2/inode.c:921
 #3: ffff88802990c288 (
&nilfs->ns_segctor_sem
){++++}-{4:4}
, at: nilfs_transaction_begin+0x364/0x710 fs/nilfs2/segment.c:221
3 locks held by syz.6.23/6263:
4 locks held by syz.6.23/6265:
 #0: 
ffff88802ba72410
 (
sb_writers
#12
){.+.+}-{0:0}
, at: mnt_want_write+0x41/0x90 fs/namespace.c:493
 #1: 
ffff88806f01a108 (&type->i_mutex_dir_key#8){++++}-{4:4}, at: inode_lock_killable include/linux/fs.h:1034 [inline]
ffff88806f01a108 (&type->i_mutex_dir_key#8){++++}-{4:4}, at: chmod_common+0x191/0x4a0 fs/open.c:629
 #2: ffff88802ba72600 (sb_internal#2){.+.+}-{0:0}, at: nilfs_setattr+0x124/0x2c0 fs/nilfs2/inode.c:921
 #3: ffff88802877f288 (&nilfs->ns_segctor_sem){++++}-{4:4}, at: nilfs_transaction_begin+0x364/0x710 fs/nilfs2/segment.c:221
1 lock held by modprobe/6273:

=============================================

NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 31 Comm: khungtaskd Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 nmi_cpu_backtrace+0x274/0x2d0 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x17a/0x300 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
 __sys_info lib/sys_info.c:157 [inline]
 sys_info+0x135/0x170 lib/sys_info.c:165
 check_hung_uninterruptible_tasks kernel/hung_task.c:353 [inline]
 watchdog+0xfd3/0x1030 kernel/hung_task.c:561
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 6113 Comm: syz.3.20 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
RIP: 0010:srso_alias_safe_ret+0x0/0x7 arch/x86/lib/retpoline.S:210
Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc <48> 8d 64 24 08 c3 cc e8 f4 ff ff ff 0f 0b cc cc cc cc cc cc cc cc
RSP: 0018:ffffc900000075d8 EFLAGS: 00000292
RAX: 0000000091643301 RBX: ffffc900000076a0 RCX: 0000000000000102
RDX: 0000000000000007 RSI: ffffffff8e216b62 RDI: ffff88802e838000
RBP: ffffc90000007670 R08: ffffc90000007d98 R09: ffffc90000007638
R10: dffffc0000000000 R11: fffff52000000ec9 R12: ffff88802e838000
R13: 00000000000000f0 R14: ffffffff81b0d880 R15: ffffc900000075e8
FS:  00007faaf1ac36c0(0000) GS:ffff888125295000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7ac9347e20 CR3: 0000000077017000 CR4: 0000000000350ef0
Call Trace:
 <IRQ>
 srso_alias_return_thunk+0x5/0xfbef5 arch/x86/lib/retpoline.S:220
 arch_stack_walk+0x11b/0x150 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0xa9/0x100 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 unpoison_slab_object mm/kasan/common.c:340 [inline]
 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4569 [inline]
 slab_alloc_node mm/slub.c:4898 [inline]
 kmem_cache_alloc_node_noprof+0x384/0x690 mm/slub.c:4950
 __alloc_skb+0x1d0/0x7d0 net/core/skbuff.c:702
 skb_copy+0x188/0x800 net/core/skbuff.c:2182
 mac80211_hwsim_tx_frame_no_nl+0xe82/0x1650 drivers/net/wireless/virtual/mac80211_hwsim.c:1991
 mac80211_hwsim_tx_frame+0x1b5/0x200 drivers/net/wireless/virtual/mac80211_hwsim.c:2400
 mac80211_hwsim_beacon_tx+0x3e8/0x870 drivers/net/wireless/virtual/mac80211_hwsim.c:2501
 __iterate_interfaces+0x2ab/0x590 net/mac80211/util.c:772
 ieee80211_iterate_active_interfaces_atomic+0xdb/0x180 net/mac80211/util.c:808
 mac80211_hwsim_beacon+0xbb/0x180 drivers/net/wireless/virtual/mac80211_hwsim.c:2531
 __run_hrtimer kernel/time/hrtimer.c:1930 [inline]
 __hrtimer_run_queues+0x3c0/0xa20 kernel/time/hrtimer.c:1994
 hrtimer_run_softirq+0x17a/0x240 kernel/time/hrtimer.c:2011
 handle_softirqs+0x22a/0x840 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1061 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1061
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:console_flush_one_record arch/x86/include/asm/irqflags.h:-1 [inline]
RIP: 0010:console_flush_all+0x801/0xb20 kernel/printk/printk.c:3343
Code: ff ff e8 42 e1 20 00 90 0f 0b 90 e9 85 fc ff ff e8 34 e1 20 00 e8 9f f2 02 0a 48 85 db 74 c0 e8 25 e1 20 00 fb 48 8b 5c 24 08 <48> 8b 44 24 20 42 80 3c 20 00 4c 8b 74 24 18 74 08 4c 89 f7 e8 f6
RSP: 0018:ffffc90003236c40 EFLAGS: 00000293
RAX: ffffffff81a4c28b RBX: ffffc90003236da0 RCX: ffff88802e838000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90003236d50 R08: ffffffff903096f7 R09: 1ffffffff20612de
R10: dffffc0000000000 R11: fffffbfff20612df R12: dffffc0000000000
R13: 0000000000000001 R14: 0000000000000000 R15: ffffffff8f2195a0
 __console_flush_and_unlock kernel/printk/printk.c:3373 [inline]
 console_unlock+0xd1/0x1c0 kernel/printk/printk.c:3413
 vprintk_emit+0x485/0x560 kernel/printk/printk.c:2479
 _printk+0xdd/0x130 kernel/printk/printk.c:2504
 __nilfs_msg+0x373/0x450 fs/nilfs2/super.c:78
 nilfs_sufile_updatev+0x21c/0x6d0 fs/nilfs2/sufile.c:186
 nilfs_sufile_freev fs/nilfs2/sufile.h:93 [inline]
 nilfs_free_segments fs/nilfs2/segment.c:1140 [inline]
 nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1261 [inline]
 nilfs_segctor_collect fs/nilfs2/segment.c:1547 [inline]
 nilfs_segctor_do_construct+0x1f55/0x76c0 fs/nilfs2/segment.c:2122
 nilfs_segctor_construct+0x17b/0x690 fs/nilfs2/segment.c:2462
 nilfs_clean_segments+0x3bd/0xa50 fs/nilfs2/segment.c:2536
 nilfs_ioctl_clean_segments fs/nilfs2/ioctl.c:922 [inline]
 nilfs_ioctl+0x261f/0x2780 fs/nilfs2/ioctl.c:1352
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7faaf0b9cdd9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007faaf1ac3028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007faaf0e15fa0 RCX: 00007faaf0b9cdd9
RDX: 0000200000000640 RSI: 0000000040786e88 RDI: 0000000000000004
RBP: 00007faaf0c32d69 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007faaf0e16038 R14: 00007faaf0e15fa0 R15: 00007ffe90caddb8
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Forwarded: [PATCH] nilfs2: reject CLEAN_SEGMENTS ioctl with nsegs exceeding ns_nsegments

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] nilfs2: reject CLEAN_SEGMENTS ioctl with nsegs exceeding ns_nsegments
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


Syzbot reported a hung task in nilfs_transaction_begin() where multiple
tasks performing chmod() on a nilfs2 mount blocked for over 143 seconds
waiting to acquire ns_segctor_sem for read:

  INFO: task syz.0.17:5918 blocked for more than 143 seconds.
        Not tainted syzkaller #0
  Call Trace:
   schedule+0x164/0x360
   rwsem_down_read_slowpath+0x6d9/0x940
   down_read+0x99/0x2e0
   nilfs_transaction_begin+0x364/0x710 fs/nilfs2/segment.c:221
   nilfs_setattr+0x124/0x2c0 fs/nilfs2/inode.c:921
   notify_change+0xc1a/0xf40
   chmod_common+0x273/0x4a0
   do_fchmodat+0x12d/0x230

The writer holding ns_segctor_sem was a concurrent NILFS_IOCTL_CLEAN_SEGMENTS
caller, stuck inside printk while emitting per-element warnings from
nilfs_sufile_updatev():

   __nilfs_msg+0x373/0x450 fs/nilfs2/super.c:78
   nilfs_sufile_updatev+0x21c/0x6d0 fs/nilfs2/sufile.c:186
   nilfs_sufile_freev fs/nilfs2/sufile.h:93 [inline]
   nilfs_free_segments fs/nilfs2/segment.c:1140 [inline]
   nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1261 [inline]
   nilfs_segctor_do_construct+0x1f55/0x76c0
   nilfs_clean_segments+0x3bd/0xa50
   nilfs_ioctl_clean_segments fs/nilfs2/ioctl.c:922 [inline]
   nilfs_ioctl+0x261f/0x2780

The root cause is that nilfs_ioctl_clean_segments() does not bound
argv[4].v_nmembs (nsegs) against the actual number of segments on the
filesystem.  Userspace can therefore pass an arbitrarily large array of
segment numbers, which is copied in via memdup_array_user() and then
walked under both the sufile mi_sem and ns_segctor_sem (held for write
by nilfs_clean_segments()).  Each invalid entry produces a nilfs_warn()
inside that critical section, and on a slow console the cumulative
printk latency keeps ns_segctor_sem held long enough to trip the
hung_task watchdog.  Any concurrent operation needing
ns_segctor_sem for read -- e.g. chmod() through nilfs_setattr() -- then
stalls for the duration.

While argv[0..3] are bounded by nsegs * ns_blocks_per_segment, nsegs
itself is the root of that dependency chain and has no upper bound.
There is no legitimate reason for a CLEAN_SEGMENTS request to reference
more segments than exist on the filesystem.

Reject such requests at the ioctl entry point so that the malformed
input is refused before any FS-wide lock is acquired.

Reported-by: syzbot+62f0f99d2f2bb8e3bbd7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=62f0f99d2f2bb8e3bbd7
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 fs/nilfs2/ioctl.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
index e0a606643e87..a1688e940f7a 100644
--- a/fs/nilfs2/ioctl.c
+++ b/fs/nilfs2/ioctl.c
@@ -863,6 +863,9 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp,
 	if (argv[4].v_size != argsz[4])
 		goto out;
 
+	nilfs = inode->i_sb->s_fs_info;
+	if (nsegs > nilfs->ns_nsegments)
+		goto out;
 	/*
 	 * argv[4] points to segment numbers this ioctl cleans.  We
 	 * use kmalloc() for its buffer because the memory used for the
@@ -874,7 +877,6 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp,
 		ret = PTR_ERR(kbufs[4]);
 		goto out;
 	}
-	nilfs = inode->i_sb->s_fs_info;
 
 	for (n = 0; n < 4; n++) {
 		ret = -EINVAL;
-- 
2.43.0

Forwarded: [PATCH] nilfs2: reject CLEAN_SEGMENTS ioctl with out-of-range segment numbers

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] nilfs2: reject CLEAN_SEGMENTS ioctl with out-of-range segment numbers
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


Syzbot reported a hung task in nilfs_transaction_begin() where multiple
tasks performing chmod() on a nilfs2 mount blocked for over 143 seconds
waiting to acquire ns_segctor_sem for read:

  INFO: task syz.0.17:5918 blocked for more than 143 seconds.
  Call Trace:
   schedule+0x164/0x360
   rwsem_down_read_slowpath+0x6d9/0x940
   down_read+0x99/0x2e0
   nilfs_transaction_begin+0x364/0x710 fs/nilfs2/segment.c:221
   nilfs_setattr+0x124/0x2c0 fs/nilfs2/inode.c:921
   notify_change+0xc1a/0xf40
   chmod_common+0x273/0x4a0
   do_fchmodat+0x12d/0x230

The writer holding ns_segctor_sem was a concurrent NILFS_IOCTL_CLEAN_SEGMENTS
caller, stuck inside printk while emitting per-element warnings from
nilfs_sufile_updatev():

   __nilfs_msg+0x373/0x450 fs/nilfs2/super.c:78
   nilfs_sufile_updatev+0x21c/0x6d0 fs/nilfs2/sufile.c:186
   nilfs_sufile_freev fs/nilfs2/sufile.h:93 [inline]
   nilfs_free_segments fs/nilfs2/segment.c:1140 [inline]
   nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1261 [inline]
   nilfs_segctor_do_construct+0x1f55/0x76c0
   nilfs_clean_segments+0x3bd/0xa50
   nilfs_ioctl_clean_segments fs/nilfs2/ioctl.c:922 [inline]
   nilfs_ioctl+0x261f/0x2780

The root cause is that nilfs_ioctl_clean_segments() does not validate
the user-supplied segment numbers in kbufs[4] before calling
nilfs_clean_segments(), which acquires ns_segctor_sem for write.  The
range check on each segnum is performed deep inside the call chain by
nilfs_sufile_updatev(), which emits a nilfs_warn() per invalid entry
while still under the segctor lock and the sufile mi_sem.  Under load
(repeated invocations across multiple mounts saturating the global
printk path), the cumulative printk latency keeps ns_segctor_sem held
long enough to trip the hung_task watchdog, blocking concurrent
operations such as chmod() that need ns_segctor_sem for read.

Fix by validating the contents of kbufs[4] in the ioctl entry path,
before any FS-wide lock is acquired.  Out-of-range segment numbers are
rejected with -EINVAL synchronously, with no work performed under
ns_segctor_sem.

Reported-by: syzbot+62f0f99d2f2bb8e3bbd7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=62f0f99d2f2bb8e3bbd7
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 fs/nilfs2/ioctl.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c
index e0a606643e87..38822dce1839 100644
--- a/fs/nilfs2/ioctl.c
+++ b/fs/nilfs2/ioctl.c
@@ -846,6 +846,7 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp,
 	struct the_nilfs *nilfs;
 	size_t len, nsegs;
 	int n, ret;
+	size_t i;
 
 	if (!capable(CAP_SYS_ADMIN))
 		return -EPERM;
@@ -876,6 +877,21 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp,
 	}
 	nilfs = inode->i_sb->s_fs_info;
 
+	/*
+	 * Validate segment numbers against the filesystem's segment count
+	 * before entering nilfs_clean_segments(), which acquires
+	 * ns_segctor_sem for write.  Catching invalid segnums here avoids
+	 * holding that lock while emitting per-element diagnostics under
+	 * the segment constructor.
+	 */
+	for (i = 0; i < nsegs; i++) {
+		if (((__u64 *)kbufs[4])[i] >= nilfs->ns_nsegments) {
+			ret = -EINVAL;
+			kfree(kbufs[4]);
+			goto out;
+		}
+	}
+
 	for (n = 0; n < 4; n++) {
 		ret = -EINVAL;
 		if (argv[n].v_size != argsz[n])
-- 
2.43.0

Re: [syzbot] [nilfs?] INFO: task hung in nilfs_transaction_begin (2)

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in nilfs_transaction_begin

INFO: task syz.0.17:6369 blocked for more than 143 seconds.
      Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.17        state:D
 stack:26072 pid:6369  tgid:6366  ppid:6267   task_flags:0x400040 flags:0x00080002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5387 [inline]
 __schedule+0x17b4/0x5680 kernel/sched/core.c:7188
 __schedule_loop kernel/sched/core.c:7267 [inline]
 schedule+0x164/0x360 kernel/sched/core.c:7282
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7339
 rwsem_down_read_slowpath+0x6d9/0x940 kernel/locking/rwsem.c:1114
 __down_read_common kernel/locking/rwsem.c:1291 [inline]
 __down_read kernel/locking/rwsem.c:1304 [inline]
 down_read+0x99/0x2e0 kernel/locking/rwsem.c:1570
 nilfs_transaction_begin+0x364/0x710 fs/nilfs2/segment.c:221
 nilfs_setattr+0x124/0x2c0 fs/nilfs2/inode.c:921
 notify_change+0xc1a/0xf40 fs/attr.c:556
 chmod_common+0x273/0x4a0 fs/open.c:637
 do_fchmodat+0x12d/0x230 fs/open.c:682
 __do_sys_fchmodat fs/open.c:701 [inline]
 __se_sys_fchmodat fs/open.c:698 [inline]
 __x64_sys_fchmodat+0x7d/0x90 fs/open.c:698
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5998f9cdd9
RSP: 002b:00007f5999d84028 EFLAGS: 00000246
 ORIG_RAX: 000000000000010c
RAX: ffffffffffffffda RBX: 00007f5999216090 RCX: 00007f5998f9cdd9
RDX: 000000000000017f RSI: 0000200000000300 RDI: ffffffffffffff9c
RBP: 00007f5999032d69 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f5999216128 R14: 00007f5999216090 R15: 00007ffdbc74df58
 </TASK>
INFO: task syz.1.18:6408 blocked for more than 146 seconds.
      Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.1.18        state:D
 stack:26072 pid:6408  tgid:6405  ppid:6371   task_flags:0x400040 flags:0x00080002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5387 [inline]
 __schedule+0x17b4/0x5680 kernel/sched/core.c:7188
 __schedule_loop kernel/sched/core.c:7267 [inline]
 schedule+0x164/0x360 kernel/sched/core.c:7282
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7339
 rwsem_down_read_slowpath+0x6d9/0x940 kernel/locking/rwsem.c:1114
 __down_read_common kernel/locking/rwsem.c:1291 [inline]
 __down_read kernel/locking/rwsem.c:1304 [inline]
 down_read+0x99/0x2e0 kernel/locking/rwsem.c:1570
 nilfs_transaction_begin+0x364/0x710 fs/nilfs2/segment.c:221
 nilfs_setattr+0x124/0x2c0 fs/nilfs2/inode.c:921
 notify_change+0xc1a/0xf40 fs/attr.c:556
 chmod_common+0x273/0x4a0 fs/open.c:637
 do_fchmodat+0x12d/0x230 fs/open.c:682
 __do_sys_fchmodat fs/open.c:701 [inline]
 __se_sys_fchmodat fs/open.c:698 [inline]
 __x64_sys_fchmodat+0x7d/0x90 fs/open.c:698
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbc13b9cdd9
RSP: 002b:00007fbc14a1b028 EFLAGS: 00000246 ORIG_RAX: 000000000000010c
RAX: ffffffffffffffda RBX: 00007fbc13e16090 RCX: 00007fbc13b9cdd9
RDX: 000000000000017f RSI: 0000200000000300 RDI: ffffffffffffff9c
RBP: 00007fbc13c32d69 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fbc13e16128 R14: 00007fbc13e16090 R15: 00007ffcbf037038
 </TASK>

Showing all locks held in the system:
5 locks held by kworker/u8:1/13:
 #0: 
ffff8880b863aea0
 (
&rq->__lock
){-.-.}-{2:2}
, at: raw_spin_rq_lock_nested+0x31/0x150 kernel/sched/core.c:652
 #1: 
ffff8880b8624588
 (
psi_seq
){-.-.}-{0:0}, at: psi_task_switch+0x53/0x880 kernel/sched/psi.c:933
 #2: ffff8880b8626118 (&base->lock){-.-.}-{2:2}, at: lock_timer_base kernel/time/timer.c:1004 [inline]
 #2: ffff8880b8626118 (&base->lock){-.-.}-{2:2}, at: __mod_timer+0x1ae/0xf30 kernel/time/timer.c:1085
 #3: 
ffffffff9a6630d8
 (
&obj_hash[i].lock){-.-.}-{2:2}, at: debug_object_activate+0x83/0x580 lib/debugobjects.c:835
 #4: ffffffff8e95cd60 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:300 [inline]
 #4: ffffffff8e95cd60 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline]
 #4: ffffffff8e95cd60 (rcu_read_lock){....}-{1:3}, at: class_rcu_constructor include/linux/rcupdate.h:1181 [inline]
 #4: ffffffff8e95cd60 (rcu_read_lock){....}-{1:3}, at: unwind_next_frame+0xa6/0x2550 arch/x86/kernel/unwind_orc.c:495
1 lock held by khungtaskd/32:
 #0: 
ffffffff8e95cd60
 (
rcu_read_lock
){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:300 [inline]
){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline]
){....}-{1:3}, at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6775
4 locks held by kworker/u8:3/49:
 #0: ffff88813fe7c140 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3277 [inline]
 #0: ffff88813fe7c140 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0xa35/0x1860 kernel/workqueue.c:3385
 #1: ffffc90000b97c40 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3278 [inline]
 #1: ffffc90000b97c40 ((linkwatch_work).work){+.+.}-{0:0}, at: process_scheduled_works+0xa70/0x1860 kernel/workqueue.c:3385
 #2: ffffffff8fdceac0 (rtnl_mutex){+.+.}-{4:4}
, at: linkwatch_event+0xe/0x60 net/core/link_watch.c:313
 #3: 
ffffffff8e963068
 (
rcu_state.exp_mutex
){+.+.}-{4:4}, at: exp_funnel_lock kernel/rcu/tree_exp.h:311 [inline]
){+.+.}-{4:4}, at: synchronize_rcu_expedited+0x2d0/0x770 kernel/rcu/tree_exp.h:961
2 locks held by getty/5374:
 #0: 
ffff8880369100a0
 (
&tty->ldisc_sem
){++++}-{0:0}
, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
 #1: 
ffffc9000322b2e8
 (
&ldata->atomic_read_lock
){+.+.}-{4:4}
, at: n_tty_read+0x45c/0x13a0 drivers/tty/n_tty.c:2211
2 locks held by syz.0.17/6367:
4 locks held by syz.0.17/6369:
 #0: 
ffff8880793ac410
 (
sb_writers
#12
){.+.+}-{0:0}
, at: mnt_want_write+0x41/0x90 fs/namespace.c:493
 #1: 
ffff88806a8f9af0
 (
&type->i_mutex_dir_key
#8
){++++}-{4:4}, at: inode_lock_killable include/linux/fs.h:1034 [inline]
){++++}-{4:4}, at: chmod_common+0x191/0x4a0 fs/open.c:629
 #2: ffff8880793ac600 (sb_internal#2){.+.+}-{0:0}, at: nilfs_setattr+0x124/0x2c0 fs/nilfs2/inode.c:921
 #3: ffff88807c577288 (&nilfs->ns_segctor_sem){++++}-{4:4}, at: nilfs_transaction_begin+0x364/0x710 fs/nilfs2/segment.c:221
3 locks held by syz.1.18/6406:
4 locks held by syz.1.18/6408:
 #0: ffff888033ae0410
 (
sb_writers
#12){.+.+}-{0:0}
, at: mnt_want_write+0x41/0x90 fs/namespace.c:493


Tested on:

commit:         3b3bea6d Merge tag 'cgroup-for-7.1-rc1-fixes' of git:/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=175d9348580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4caf64b1ee83dac0
dashboard link: https://syzkaller.appspot.com/bug?extid=62f0f99d2f2bb8e3bbd7
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=169f5ace580000

Re: [syzbot] [nilfs?] INFO: task hung in nilfs_transaction_begin (2)

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+62f0f99d2f2bb8e3bbd7@syzkaller.appspotmail.com
Tested-by: syzbot+62f0f99d2f2bb8e3bbd7@syzkaller.appspotmail.com

Tested on:

commit:         3b3bea6d Merge tag 'cgroup-for-7.1-rc1-fixes' of git:/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1140dace580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4caf64b1ee83dac0
dashboard link: https://syzkaller.appspot.com/bug?extid=62f0f99d2f2bb8e3bbd7
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17151326580000

Note: testing is done by a robot and is best-effort only.