From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot+4faa160fa96bfba639f8@syzkaller.appspotmail.com,
Jun Nie <jun.nie@linaro.org>, Ye Bin <yebin10@huawei.com>,
Theodore Tso <tytso@mit.edu>,
stable@kernel.org, Tudor Ambarus <tudor.ambarus@linaro.org>
Subject: [PATCH 4.14 64/66] ext4: fix kernel BUG in ext4_write_inline_data_end()
Date: Mon, 3 Apr 2023 16:09:12 +0200 [thread overview]
Message-ID: <20230403140354.015532633@linuxfoundation.org> (raw)
In-Reply-To: <20230403140351.636471867@linuxfoundation.org>
From: Ye Bin <yebin10@huawei.com>
commit 5c099c4fdc438014d5893629e70a8ba934433ee8 upstream.
Syzbot report follow issue:
------------[ cut here ]------------
kernel BUG at fs/ext4/inline.c:227!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 3629 Comm: syz-executor212 Not tainted 6.1.0-rc5-syzkaller-00018-g59d0d52c30d4 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:ext4_write_inline_data+0x344/0x3e0 fs/ext4/inline.c:227
RSP: 0018:ffffc90003b3f368 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff8880704e16c0 RCX: 0000000000000000
RDX: ffff888021763a80 RSI: ffffffff821e31a4 RDI: 0000000000000006
RBP: 000000000006818e R08: 0000000000000006 R09: 0000000000068199
R10: 0000000000000079 R11: 0000000000000000 R12: 000000000000000b
R13: 0000000000068199 R14: ffffc90003b3f408 R15: ffff8880704e1c82
FS: 000055555723e3c0(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fffe8ac9080 CR3: 0000000079f81000 CR4: 0000000000350ee0
Call Trace:
<TASK>
ext4_write_inline_data_end+0x2a3/0x12f0 fs/ext4/inline.c:768
ext4_write_end+0x242/0xdd0 fs/ext4/inode.c:1313
ext4_da_write_end+0x3ed/0xa30 fs/ext4/inode.c:3063
generic_perform_write+0x316/0x570 mm/filemap.c:3764
ext4_buffered_write_iter+0x15b/0x460 fs/ext4/file.c:285
ext4_file_write_iter+0x8bc/0x16e0 fs/ext4/file.c:700
call_write_iter include/linux/fs.h:2191 [inline]
do_iter_readv_writev+0x20b/0x3b0 fs/read_write.c:735
do_iter_write+0x182/0x700 fs/read_write.c:861
vfs_iter_write+0x74/0xa0 fs/read_write.c:902
iter_file_splice_write+0x745/0xc90 fs/splice.c:686
do_splice_from fs/splice.c:764 [inline]
direct_splice_actor+0x114/0x180 fs/splice.c:931
splice_direct_to_actor+0x335/0x8a0 fs/splice.c:886
do_splice_direct+0x1ab/0x280 fs/splice.c:974
do_sendfile+0xb19/0x1270 fs/read_write.c:1255
__do_sys_sendfile64 fs/read_write.c:1323 [inline]
__se_sys_sendfile64 fs/read_write.c:1309 [inline]
__x64_sys_sendfile64+0x1d0/0x210 fs/read_write.c:1309
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
---[ end trace 0000000000000000 ]---
Above issue may happens as follows:
ext4_da_write_begin
ext4_da_write_inline_data_begin
ext4_da_convert_inline_data_to_extent
ext4_clear_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA);
ext4_da_write_end
ext4_run_li_request
ext4_mb_prefetch
ext4_read_block_bitmap_nowait
ext4_validate_block_bitmap
ext4_mark_group_bitmap_corrupted(sb, block_group, EXT4_GROUP_INFO_BBITMAP_CORRUPT)
percpu_counter_sub(&sbi->s_freeclusters_counter,grp->bb_free);
-> sbi->s_freeclusters_counter become zero
ext4_da_write_begin
if (ext4_nonda_switch(inode->i_sb)) -> As freeclusters_counter is zero will return true
*fsdata = (void *)FALL_BACK_TO_NONDELALLOC;
ext4_write_begin
ext4_da_write_end
if (write_mode == FALL_BACK_TO_NONDELALLOC)
ext4_write_end
if (inline_data)
ext4_write_inline_data_end
ext4_write_inline_data
BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);
-> As inode is already convert to extent, so 'pos + len' > inline_size
-> then trigger BUG.
To solve this issue, instead of checking ext4_has_inline_data() which
is only cleared after data has been written back, check the
EXT4_STATE_MAY_INLINE_DATA flag in ext4_write_end().
Fixes: f19d5870cbf7 ("ext4: add normal write support for inline data")
Reported-by: syzbot+4faa160fa96bfba639f8@syzkaller.appspotmail.com
Reported-by: Jun Nie <jun.nie@linaro.org>
Signed-off-by: Ye Bin <yebin10@huawei.com>
Link: https://lore.kernel.org/r/20221206144134.1919987-1-yebin@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
[ta: Fix conflict in if expression and use the local variable inline_data
as it is initialized with ext4_has_inline_data(inode) anyway.]
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inode.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -1425,7 +1425,8 @@ static int ext4_write_end(struct file *f
int inline_data = ext4_has_inline_data(inode);
trace_ext4_write_end(inode, pos, len, copied);
- if (inline_data) {
+ if (inline_data &&
+ ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA)) {
ret = ext4_write_inline_data_end(inode, pos, len,
copied, page);
if (ret < 0) {
next prev parent reply other threads:[~2023-04-03 14:14 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-03 14:08 [PATCH 4.14 00/66] 4.14.312-rc1 review Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 01/66] power: supply: da9150: Fix use after free bug in da9150_charger_remove due to race condition Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 02/66] iavf: fix inverted Rx hash condition leading to disabled hash Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 03/66] intel/igbvf: free irq on the error path in igbvf_request_msix() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 04/66] igbvf: Regard vf reset nack as success Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 05/66] i2c: imx-lpi2c: check only for enabled interrupt flags Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 06/66] scsi: scsi_dh_alua: Fix memleak for qdata in alua_activate() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 07/66] net: usb: smsc95xx: Limit packet length to skb->len Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 08/66] qed/qed_sriov: guard against NULL derefs from qed_iov_get_vf_info Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 09/66] xirc2ps_cs: Fix use after free bug in xirc2ps_detach Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 10/66] net: qcom/emac: Fix use after free bug in emac_remove due to race condition Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 11/66] net/ps3_gelic_net: Fix RX sk_buff length Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 12/66] net/ps3_gelic_net: Use dma_mapping_error Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 13/66] bpf: Adjust insufficient default bpf_jit_limit Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 14/66] net/mlx5: Read the TC mapping of all priorities on ETS query Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 15/66] atm: idt77252: fix kmemleak when rmmod idt77252 Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 16/66] hvc/xen: prevent concurrent accesses to the shared ring Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 17/66] net: mdio: thunder: Add missing fwnode_handle_put() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 18/66] Bluetooth: btqcomsmd: Fix command timeout after setting BD address Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 19/66] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 20/66] hwmon (it87): Fix voltage scaling for chips with 10.9mV ADCs Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 21/66] uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS583Gen 2 Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 22/66] thunderbolt: Use const qualifier for `ring_interrupt_index` Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 23/66] riscv: Bump COMMAND_LINE_SIZE value to 1024 Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 24/66] ca8210: fix mac_len negative array access Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 25/66] m68k: Only force 030 bus error if PC not in exception table Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 26/66] scsi: target: iscsi: Fix an error message in iscsi_check_key() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 27/66] scsi: ufs: core: Add soft dependency on governor_simpleondemand Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 28/66] net: usb: cdc_mbim: avoid altsetting toggling for Telit FE990 Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 29/66] net: usb: qmi_wwan: add Telit 0x1080 composition Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 30/66] sh: sanitize the flags on sigreturn Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 31/66] scsi: core: Add BLIST_SKIP_VPD_PAGES for SKhynix H28U74301AMR Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 32/66] usb: gadget: u_audio: dont let userspace block driver unbind Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 33/66] igb: revert rtnl_lock() that causes deadlock Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 34/66] usb: chipdea: core: fix return -EINVAL if request role is the same with current role Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 35/66] usb: chipidea: core: fix possible concurrent when switch role Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 36/66] nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 37/66] i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 38/66] dm stats: check for and propagate alloc_percpu failure Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 39/66] dm crypt: add cond_resched() to dmcrypt_write() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 40/66] sched/fair: sanitize vruntime of entity being placed Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 41/66] sched/fair: Sanitize vruntime of entity being migrated Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 42/66] ocfs2: fix data corruption after failed write Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 43/66] md: avoid signed overflow in slot_store() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 44/66] ALSA: asihpi: check pao in control_message() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 45/66] ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set() Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 46/66] fbdev: tgafb: Fix potential divide by zero Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 47/66] sched_getaffinity: dont assume cpumask_size() is fully initialized Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 48/66] fbdev: nvidia: Fix potential divide by zero Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 49/66] fbdev: intelfb: " Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 50/66] fbdev: lxfb: " Greg Kroah-Hartman
2023-04-03 14:08 ` [PATCH 4.14 51/66] fbdev: au1200fb: " Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.14 52/66] scsi: megaraid_sas: Fix crash after a double completion Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.14 53/66] can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.14 54/66] i40e: fix registers dump after run ethtool adapter self test Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.14 55/66] Input: focaltech - use explicitly signed char type Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.14 56/66] cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.14 57/66] xen/netback: dont do grant copy across page boundary Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.14 58/66] pinctrl: at91-pio4: fix domain name assignment Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.14 59/66] ALSA: hda/conexant: Partial revert of a quirk for Lenovo Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.14 60/66] ALSA: usb-audio: Fix regression on detection of Roland VS-100 Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.14 61/66] drm/etnaviv: fix reference leak when mmaping imported buffer Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.14 62/66] s390/uaccess: add missing earlyclobber annotations to __clear_user() Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.14 63/66] usb: host: ohci-pxa27x: Fix and & vs | typo Greg Kroah-Hartman
2023-04-03 14:09 ` Greg Kroah-Hartman [this message]
2023-04-03 14:09 ` [PATCH 4.14 65/66] net: sched: cbq: dont intepret cls results when asked to drop Greg Kroah-Hartman
2023-04-03 14:09 ` [PATCH 4.14 66/66] ca8210: Fix unsigned mac_len comparison with zero in ca8210_skb_tx() Greg Kroah-Hartman
2023-04-04 5:11 ` [PATCH 4.14 00/66] 4.14.312-rc1 review Naresh Kamboju
2023-04-04 10:48 ` Chris Paterson
2023-04-04 21:20 ` Guenter Roeck
2023-04-05 6:06 ` Harshit Mogalapalli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230403140354.015532633@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jun.nie@linaro.org \
--cc=patches@lists.linux.dev \
--cc=stable@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+4faa160fa96bfba639f8@syzkaller.appspotmail.com \
--cc=tudor.ambarus@linaro.org \
--cc=tytso@mit.edu \
--cc=yebin10@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox