From: "Theodore Ts'o" <tytso@mit.edu>
To: Muhammad Usama Anjum <usama.anjum@collabora.com>
Cc: syzbot <syzbot+a8068dd81edde0186829@syzkaller.appspotmail.com>,
syzkaller-lts-bugs@googlegroups.com, linux-ext4@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-stable <stable@vger.kernel.org>,
regressions@lists.linux.dev, Baokun Li <libaokun1@huawei.com>,
Andreas Dilger <adilger.kernel@dilger.ca>,
Jan Kara <jack@suse.cz>
Subject: Re: [v6.1] kernel BUG in ext4_writepages
Date: Mon, 14 Aug 2023 18:05:36 -0400
Message-ID: <20230814220536.GE2247938@mit.edu>
In-Reply-To: <0fc2546b-da7c-aac4-b402-3ef4970a1789@collabora.com>

On Mon, Aug 14, 2023 at 10:35:57AM +0500, Muhammad Usama Anjum wrote:
> > The last refactoring was done by 4e7ea81db53465 on this code in 2013. The
> > code segment in question is present from even before that. It means that
> > this bug is present for several years. 4.14 is the most old kernel being
> > maintained today. So it affects all current LTS and mainline kernels. I'll
> > report 4e7ea81db53465 with regzbot for proper tracking. Thus probably the
> > bug report will get associated with all LTS kernels as well.
> >
> > #regzbot title: Race condition between buffer write and page_mkwrite
>
> #regzbot title: ext4: Race condition between buffer write and page_mkwrite

If it's a long-standing bug, then it's really not something I consider
a regression. That being said, you're assuming that the refactoring
is what has introduced the bug; that's not necessarily the case.
*Especially* if it requires a maliciously fuzzed file system, since
you have to be root to mount a file system. That's the other thing;
the different reports at the console have different reproducers, and
at least one of them has a very badly corrupted file system --- and
since you need to have root to mount a maliciously fuzzed file
system, these are treated with a much lower priority as far as I'm
concerned.

(If you think it should be higher priority, and your company is
willing to fund such work, patches are gratefully appreciated. :-)

I tried to reproduce this using one of the reproducers on a modern
kernel, and it doesn't reproduce there. That being said, it's not
entirely clear what the reproducer is doing, since (a) passing -1 to the
in_fd and out_fd to sendfile *should* just cause sendfile to return
an EBADF error, and (b) when I ran it, it just segfaulted on an mmap()
before it executed anything interesting.

Please let me know (a) if you can replicate this on the latest
upstream kernel, and (b) if the reproducer doesn't require a
maliciously fuzzed kernel, or where the reproducer is scribbling on
the file system image while it is mounted.

Cheers,

- Ted