* Re: [syzbot] [netfs?] kernel BUG in folio_unlock (3)
2025-02-20 16:00 [syzbot] [netfs?] kernel BUG in folio_unlock (3) syzbot
@ 2025-02-20 16:15 ` Matthew Wilcox
2025-02-20 22:05 ` Dominique Martinet
2025-02-21 23:35 ` Hillf Danton
From: Matthew Wilcox @ 2025-02-20 16:15 UTC (permalink / raw)
To: syzbot
Cc: Dominique Martinet, v9fs, dhowells, jlayton, linux-fsdevel,
linux-kernel, netfs, syzkaller-bugs
On Thu, Feb 20, 2025 at 08:00:24AM -0800, syzbot wrote:
> ------------[ cut here ]------------
> kernel BUG at mm/filemap.c:1499!
Tried to unlock a folio that wasn't locked.
The entire log is interesting:
https://syzkaller.appspot.com/x/log.txt?x=12af2fdf980000
It injects a failure which hits p9_tag_alloc() (so adding the 9p people
to the cc).
The page dump is:
page: refcount:1 mapcount:0 mapping:ffff888035b30890 index:0x0 pfn:0x37e9a
memcg:ffff88801c6be000
aops:v9fs_addr_operations ino:2721d72 dentry name(?):"file0"
flags: 0xfff20000000020(lru|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff20000000020 ffffea0000e1d1c8 ffff88801b0b31a0 ffff888035b30890
raw: 0000000000000000 0000000000000000 00000001ffffffff ffff88801c6be000
page dumped because: VM_BUG_ON_FOLIO(!folio_test_locked(folio))
> Call Trace:
> <TASK>
> netfs_perform_write+0xc04/0x2140 fs/netfs/buffered_write.c:400
> netfs_buffered_write_iter_locked fs/netfs/buffered_write.c:445 [inline]
> netfs_file_write_iter+0x494/0x550 fs/netfs/buffered_write.c:484
> v9fs_file_write_iter+0x9b/0x100 fs/9p/vfs_file.c:407
> new_sync_write fs/read_write.c:586 [inline]
> vfs_write+0x5ae/0x1150 fs/read_write.c:679
> ksys_write+0x12b/0x250 fs/read_write.c:731
* Re: [syzbot] [netfs?] kernel BUG in folio_unlock (3)
From: Dominique Martinet @ 2025-02-20 22:05 UTC (permalink / raw)
To: Matthew Wilcox
Cc: syzbot, v9fs, dhowells, jlayton, linux-fsdevel, linux-kernel,
netfs, syzkaller-bugs
Matthew Wilcox wrote on Thu, Feb 20, 2025 at 04:15:53PM +0000:
> On Thu, Feb 20, 2025 at 08:00:24AM -0800, syzbot wrote:
> > ------------[ cut here ]------------
> > kernel BUG at mm/filemap.c:1499!
>
> Tried to unlock a folio that wasn't locked.
>
> The entire log is interesting:
>
> https://syzkaller.appspot.com/x/log.txt?x=12af2fdf980000
>
> It injects a failure which hits p9_tag_alloc() (so adding the 9p people
> to the cc)
9p is calling iov_iter_revert() in p9_client_write() on failure, but at
this point of the failure copy_from_iter_full (which advanced the iter)
wasn't called yet because the format processing happens after
allocation...
This was changed by Al Viro in 2015 so it's a "fairly old" bug, but it's
a bug on 9p side alright - thanks for the cc
Now to figure out how to decide if we want to revert or not... I
honestly don't have any bright idea, but I don't know the iov API well
at all -- perhaps it's possible to copy without advancing and only
advance the iov if IO worked?
--
Dominique Martinet | Asmadeus
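The failure ordering Dominique describes above (a revert issued on a path where the iterator was never advanced), as an added example that is not part of this thread and not kernel code: a constructed user-space model of an advance/revert cursor, with the "revert only what this call advanced" pattern beside the buggy ordering. `struct cursor`, `copy_full`, `revert`, `client_write_buggy`, `client_write_fixed` and `run` are hypothetical names; the 16-byte buffer is constructed input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of an iov_iter-style cursor (not the kernel's iov_iter). */
struct cursor { const char *buf; size_t len; size_t pos; };

/* Models copy_from_iter_full(): copies n bytes and advances, or fails
 * without advancing when fewer than n bytes remain. */
static bool copy_full(struct cursor *it, char *dst, size_t n)
{
	if (it->len - it->pos < n) return false;
	memcpy(dst, it->buf + it->pos, n);
	it->pos += n;
	return true;
}

/* Models iov_iter_revert(): rewinds by n. Refuses (false) rather than
 * underflowing, so an over-revert is visible instead of silently wrong. */
static bool revert(struct cursor *it, size_t n)
{
	if (n > it->pos) return false;
	it->pos -= n;
	return true;
}

/* Ordering the thread describes: allocate first, copy second, revert the
 * full count on any failure. An allocation failure thus reverts an advance
 * that never happened: (size_t)-1 if revert() refuses, otherwise the cursor
 * silently rewinds over bytes an earlier call already consumed. */
static size_t client_write_buggy(struct cursor *it, size_t count, bool alloc_fails)
{
	char scratch[16];
	if (alloc_fails || !copy_full(it, scratch, count))
		return revert(it, count) ? it->pos : (size_t)-1;
	return it->pos;
}

/* One defensive pattern: revert only what this call actually advanced. */
static size_t client_write_fixed(struct cursor *it, size_t count, bool alloc_fails)
{
	char scratch[16];
	size_t start = it->pos;
	if (alloc_fails || !copy_full(it, scratch, count))
		revert(it, it->pos - start); /* zero if nothing was consumed */
	return it->pos;
}

/* Driver over a constructed 16-byte buffer; returns the final cursor pos. */
static size_t run(size_t start_pos, size_t count, bool alloc_fails, bool use_fix)
{
	struct cursor it = { "0123456789abcdef", 16, start_pos };
	return use_fix ? client_write_fixed(&it, count, alloc_fails)
		       : client_write_buggy(&it, count, alloc_fails);
}
```

The second buggy case is the dangerous one: with enough bytes already consumed, the over-revert does not fault but quietly points the cursor back at data that was already written.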
* Re: [syzbot] [netfs?] kernel BUG in folio_unlock (3)
From: Hillf Danton @ 2025-02-21 23:35 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
On Thu, 20 Feb 2025 08:00:24 -0800
> syzbot found the following issue on:
>
> HEAD commit: 6537cfb395f3 Merge tag 'sound-6.14-rc4' of git://git.kerne..
> git tree: upstream
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=141b4ba4580000
#syz test
--- x/fs/netfs/buffered_write.c
+++ y/fs/netfs/buffered_write.c
@@ -338,7 +338,7 @@ ssize_t netfs_perform_write(struct kiocb
folio_put(folio);
ret = filemap_write_and_wait_range(mapping, fpos, fpos + flen - 1);
if (ret < 0)
- goto error_folio_unlock;
+ break;
continue;
copied:
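Review bot: replacing `goto error_folio_unlock` with `break` leaves the loop with a negative `ret` but skips whatever cleanup the `error_folio_unlock` label performs; the hunk does not show the code after the loop, so confirm that the post-loop path returns the negative `ret` (or the bytes already written) rather than treating the early exit as success. The `folio_put(folio);` two lines above the change shows the folio has already been released at this point, so jumping to a label that unlocks it would act on a folio this function no longer holds, which is consistent with the report's `VM_BUG_ON_FOLIO(!folio_test_locked(folio))`; a one-line comment stating that the folio is already unlocked and put here would make the `break` self-explanatory.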
--
* Re: [syzbot] [netfs?] kernel BUG in folio_unlock (3)
From: David Howells @ 2025-02-26 8:41 UTC (permalink / raw)
To: syzbot
Cc: dhowells, Dominique Martinet, jlayton, linux-fsdevel,
linux-kernel, netfs, syzkaller-bugs
syzbot <syzbot+c0dc46208750f063d0e0@syzkaller.appspotmail.com> wrote:
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=141b4ba4580000
I'm not sure how this would even work.
memcpy((void*)0x4000000001c0, "syz\000", 4);
memcpy((void*)0x400000000480, "./file0\000", 8);
memcpy((void*)0x4000000004c0, "9p\000", 3);
memcpy((void*)0x400000000c00,
"\x56\xc7\x8e\x3c\x73\x3d\x76\x69\x72\x74\x69\x6f\x2c\x6e\x6f\x65\x78"
"\x74\x65\x6e\x64\x2c\x61\x63\x63\x81\x73\x73\x3d\x61\x6e\x79\x2c\x63"
"\x61\x63\x68\x65\x3d\x66\x73\x63\x61\x63\x68\x65\x2c\x76\x65\x72\x73"
"\x69\x6f\x6e\x3d\x39\x70\x32\x30\x30\x30\x2e\x75",
63);
syscall(__NR_mount, /*src=*/0x4000000001c0ul, /*dst=*/0x400000000480ul,
/*type=*/0x4000000004c0ul, /*flags=*/0ul, /*opts=*/0x400000000c00ul);
The options string is rubbish:
[pid 8084] mount("syz", "./file0", "9p", 0, "V\307\216<s=virtio,noextend,acc\201ss=any,cache=fscache,version=9p2000.u") = -1 EINVAL (Invalid argument)
David
* Re: [syzbot] [netfs?] kernel BUG in folio_unlock (3)
From: syzbot @ 2025-05-31 23:20 UTC (permalink / raw)
To: asmadeus, chao, dhowells, hch, hdanton, jaegeuk, jlayton,
linux-f2fs-devel, linux-fsdevel, linux-kernel, netfs,
syzkaller-bugs, v9fs, willy
syzbot has bisected this issue to:
commit 80f31d2a7e5f4efa7150c951268236c670bcb068
Author: Christoph Hellwig <hch@lst.de>
Date: Thu May 8 05:14:32 2025 +0000
f2fs: return bool from __write_node_folio
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1129d00c580000
start commit: 0f70f5b08a47 Merge tag 'pull-automount' of git://git.kerne..
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=1329d00c580000
console output: https://syzkaller.appspot.com/x/log.txt?x=1529d00c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=22765942f2e2ebcf
dashboard link: https://syzkaller.appspot.com/bug?extid=c0dc46208750f063d0e0
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15bfe970580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13bfe970580000
Reported-by: syzbot+c0dc46208750f063d0e0@syzkaller.appspotmail.com
Fixes: 80f31d2a7e5f ("f2fs: return bool from __write_node_folio")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
* Re: [syzbot] [netfs?] kernel BUG in folio_unlock (3)
From: Matthew Wilcox @ 2025-06-01 0:26 UTC (permalink / raw)
To: syzbot
Cc: asmadeus, chao, dhowells, hch, hdanton, jaegeuk, jlayton,
linux-f2fs-devel, linux-fsdevel, linux-kernel, netfs,
syzkaller-bugs, v9fs
On Sat, May 31, 2025 at 04:20:02PM -0700, syzbot wrote:
> syzbot has bisected this issue to:
>
> commit 80f31d2a7e5f4efa7150c951268236c670bcb068
> Author: Christoph Hellwig <hch@lst.de>
> Date: Thu May 8 05:14:32 2025 +0000
That's not possible; this commit is after the original report.
That said, there _is_ a double folio_unlock() in this patch, which
I'm about to send a fix for. It's just not fixing the original report.
* Re: [syzbot] [netfs?] kernel BUG in folio_unlock (3)
From: Aleksandr Nogikh @ 2025-06-11 14:08 UTC (permalink / raw)
To: Matthew Wilcox
Cc: syzbot, asmadeus, chao, dhowells, hch, hdanton, jaegeuk, jlayton,
linux-f2fs-devel, linux-fsdevel, linux-kernel, netfs,
syzkaller-bugs, v9fs
On Sun, Jun 1, 2025 at 2:26 AM Matthew Wilcox <willy@infradead.org> wrote:
>
> On Sat, May 31, 2025 at 04:20:02PM -0700, syzbot wrote:
> > syzbot has bisected this issue to:
> >
> > commit 80f31d2a7e5f4efa7150c951268236c670bcb068
> > Author: Christoph Hellwig <hch@lst.de>
> > Date: Thu May 8 05:14:32 2025 +0000
>
> That's not possible; this commit is after the original report.
>
> That said, there _is_ a double folio_unlock() in this patch, which
> I'm about to send a fix for. It's just not fixing the original report.
>
Thanks for bringing this up!
The underlying problem is that syzbot has merged several unrelated
kernel crashes into one bug report (`kernel BUG in folio_unlock` is
just a too generic title). The reported bisection result seems to be
correct, but it refers to only one of those incorrectly merged bugs.
I've just sent a fix for syzbot's crash report parsing code [1].
It won't affect this specific bug report, but once the new code is
deployed, syzbot will re-report the two underlying findings
separately.
[1] https://github.com/google/syzkaller/pull/6081
--
Aleksandr