diff mbox series

[v5,03/10] ext4: warn if delalloc counters are not zero on inactive

Message ID 20240517124005.347221-4-yi.zhang@huaweicloud.com (mailing list archive)
State New
Headers show
Series ext4: support adding multi-delalloc blocks | expand

Commit Message

Zhang Yi May 17, 2024, 12:39 p.m. UTC
From: Zhang Yi <yi.zhang@huawei.com>

The per-inode i_reserved_data_blocks count the reserved delalloc blocks
in a regular file, it should be zero when destroying the file. The
per-fs s_dirtyclusters_counter count all reserved delalloc blocks in a
filesystem, it also should be zero when umounting the filesystem. Now we
have only an error message if the i_reserved_data_blocks is not zero,
which is unable to be simply captured, so add WARN_ON_ONCE to make it
more visable.

Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
---
 fs/ext4/super.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Comments

Jan Kara May 20, 2024, 9:35 a.m. UTC | #1
On Fri 17-05-24 20:39:58, Zhang Yi wrote:
> From: Zhang Yi <yi.zhang@huawei.com>
> 
> The per-inode i_reserved_data_blocks count the reserved delalloc blocks
> in a regular file, it should be zero when destroying the file. The
> per-fs s_dirtyclusters_counter count all reserved delalloc blocks in a
> filesystem, it also should be zero when umounting the filesystem. Now we
> have only an error message if the i_reserved_data_blocks is not zero,
> which is unable to be simply captured, so add WARN_ON_ONCE to make it
> more visable.
> 
> Signed-off-by: Zhang Yi <yi.zhang@huawei.com>

Looks good. Feel free to add:

Reviewed-by: Jan Kara <jack@suse.cz>

								Honza

> ---
>  fs/ext4/super.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/ext4/super.c b/fs/ext4/super.c
> index 044135796f2b..b68064c877e3 100644
> --- a/fs/ext4/super.c
> +++ b/fs/ext4/super.c
> @@ -1343,6 +1343,9 @@ static void ext4_put_super(struct super_block *sb)
>  
>  	ext4_group_desc_free(sbi);
>  	ext4_flex_groups_free(sbi);
> +
> +	WARN_ON_ONCE(!(sbi->s_mount_state & EXT4_ERROR_FS) &&
> +		     percpu_counter_sum(&sbi->s_dirtyclusters_counter));
>  	ext4_percpu_param_destroy(sbi);
>  #ifdef CONFIG_QUOTA
>  	for (int i = 0; i < EXT4_MAXQUOTAS; i++)
> @@ -1473,7 +1476,8 @@ static void ext4_destroy_inode(struct inode *inode)
>  		dump_stack();
>  	}
>  
> -	if (EXT4_I(inode)->i_reserved_data_blocks)
> +	if (!(EXT4_SB(inode->i_sb)->s_mount_state & EXT4_ERROR_FS) &&
> +	    WARN_ON_ONCE(EXT4_I(inode)->i_reserved_data_blocks))
>  		ext4_msg(inode->i_sb, KERN_ERR,
>  			 "Inode %lu (%p): i_reserved_data_blocks (%u) not cleared!",
>  			 inode->i_ino, EXT4_I(inode),
> -- 
> 2.39.2
>
Lai, Yi Sept. 24, 2024, 3:25 a.m. UTC | #2
Hi Zhang Yi,

Greetings!

I used Syzkaller and found that there is WARNING in ext4_destroy_inode.

After bisection and the first bad commit is:
"
b37c907073e8 ext4: warn if delalloc counters are not zero on inactive
"

I understand that the commit is to add WARN_ON_ONCE to make error message more visible. I hope the reproduction program will be insightful for you.

All detailed into can be found at:
https://github.com/laifryiee/syzkaller_logs/tree/main/240923_043748_ext4_destroy_inode
Syzkaller repro code:
https://github.com/laifryiee/syzkaller_logs/blob/main/240923_043748_ext4_destroy_inode/repro.c
Syzkaller repro syscall steps:
https://github.com/laifryiee/syzkaller_logs/blob/main/240923_043748_ext4_destroy_inode/repro.prog
Syzkaller report:
https://github.com/laifryiee/syzkaller_logs/blob/main/240923_043748_ext4_destroy_inode/repro.report
Kconfig(make olddefconfig):
https://github.com/laifryiee/syzkaller_logs/blob/main/240923_043748_ext4_destroy_inode/kconfig_origin
Bisect info:
https://github.com/laifryiee/syzkaller_logs/blob/main/240923_043748_ext4_destroy_inode/bisect_info.log
bzImage:
https://github.com/laifryiee/syzkaller_logs/raw/main/240923_043748_ext4_destroy_inode/bzImage_98f7e32f20d28ec452afb208f9cffc08448a2652
Issue dmesg:
https://github.com/laifryiee/syzkaller_logs/blob/main/240923_043748_ext4_destroy_inode/98f7e32f20d28ec452afb208f9cffc08448a2652_dmesg.log

"
[   25.223775] ------------[ cut here ]------------
[   25.224177] WARNING: CPU: 0 PID: 740 at fs/ext4/super.c:1464 ext4_destroy_inode+0x1de/0x280
[   25.224724] Modules linked in:
[   25.224920] CPU: 0 UID: 0 PID: 740 Comm: repro Not tainted 6.11.0-98f7e32f20d2 #1
[   25.225393] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[   25.226103] RIP: 0010:ext4_destroy_inode+0x1de/0x280
[   25.226429] Code: 31 ff 44 89 e6 e8 62 ad 45 ff 45 85 e4 75 16 e8 d8 a9 45 ff 48 8d 65 e0 5b 41 5c 41 5d 41 5e 5d c3 cc cc cc cc e8 c2 a9 45 ff <0f> 0b 48 8d 7b 40 4c 8d 83 50 fd ff ff 48 b8 00 00 00 00 00 fc ff
[   25.227570] RSP: 0018:ff11000023707c08 EFLAGS: 00010293
[   25.227915] RAX: 0000000000000000 RBX: ff11000022f22a50 RCX: ffffffff822028de
[   25.228357] RDX: ff110000139a8000 RSI: ffffffff822028fe RDI: 0000000000000005
[   25.228840] RBP: ff11000023707c30 R08: 0000000000000001 R09: ffe21c00024e24eb
[   25.229284] R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000001
[   25.229712] R13: ff11000012712000 R14: ff11000022f22ad0 R15: ff1100006c1aa440
[   25.230168] FS:  00007f1d418a7800(0000) GS:ff1100006c400000(0000) knlGS:0000000000000000
[   25.230666] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   25.230818] EXT4-fs (sda): Inode 151593 (000000004419e1b8): i_reserved_data_blocks (1) not cleared!
[   25.231037] CR2: 00007f1d416b1ac0 CR3: 00000000140e4004 CR4: 0000000000771ef0
[   25.232104] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   25.232546] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
[   25.233006] PKRU: 55555554
[   25.233184] Call Trace:
[   25.233348]  <TASK>
[   25.233489]  ? show_regs+0xa8/0xc0
[   25.233724]  ? __warn+0xee/0x380
[   25.233953]  ? report_bug+0x25e/0x4b0
[   25.234201]  ? ext4_destroy_inode+0x1de/0x280
[   25.234485]  ? report_bug+0x2cb/0x4b0
[   25.234729]  ? ext4_destroy_inode+0x1de/0x280
[   25.235020]  ? handle_bug+0xa2/0x130
[   25.235266]  ? exc_invalid_op+0x3c/0x80
[   25.235513]  ? asm_exc_invalid_op+0x1f/0x30
[   25.235786]  ? ext4_destroy_inode+0x1be/0x280
[   25.236072]  ? ext4_destroy_inode+0x1de/0x280
[   25.236356]  ? ext4_destroy_inode+0x1de/0x280
[   25.236637]  ? ext4_destroy_inode+0x1de/0x280
[   25.236949]  ? __pfx_ext4_destroy_inode+0x10/0x10
[   25.237257]  destroy_inode+0xd6/0x1d0
[   25.237507]  evict+0x5a7/0x930
[   25.237708]  ? lock_release+0x441/0x870
[   25.237975]  ? do_raw_spin_lock+0x141/0x280
[   25.238246]  ? __pfx_evict+0x10/0x10
[   25.238486]  ? __pfx_lock_release+0x10/0x10
[   25.238757]  ? lock_release+0x441/0x870
[   25.239015]  ? lock_release+0x441/0x870
[   25.239266]  ? do_raw_spin_unlock+0x15c/0x210
[   25.239552]  iput.part.0+0x543/0x740
[   25.239788]  ? __pfx_ext4_drop_inode+0x10/0x10
[   25.240081]  iput+0x68/0x90
[   25.240265]  do_unlinkat+0x5dc/0x730
[   25.240503]  ? __pfx_do_unlinkat+0x10/0x10
[   25.240791]  ? __sanitizer_cov_trace_const_cmp8+0x1c/0x30
[   25.241149]  ? strncpy_from_user+0x1ef/0x2e0
[   25.241436]  ? __sanitizer_cov_trace_const_cmp4+0x1a/0x20
[   25.241774]  ? getname_flags.part.0+0x1d5/0x570
[   25.242459]  __x64_sys_unlink+0xd1/0x120
[   25.242749]  x64_sys_call+0x2014/0x20d0
[   25.243031]  do_syscall_64+0x6d/0x140
[   25.243304]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   25.243630] RIP: 0033:0x7f1d4163eb7b
[   25.243878] Code: f0 ff ff 73 01 c3 48 8b 0d a2 b2 1b 00 f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 75 b2 1b 00 f7 d8 64 89 01 48
[   25.245038] RSP: 002b:00007fffffa2ca48 EFLAGS: 00000206 ORIG_RAX: 0000000000000057
[   25.245508] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1d4163eb7b
[   25.245966] RDX: 00007fffffa2ca60 RSI: 00007fffffa2caf0 RDI: 00007fffffa2caf0
[   25.246412] RBP: 00007fffffa2db30 R08: 0000000000000000 R09: 00007fffffa2c8e0
[   25.246872] R10: 00007f1d4160b208 R11: 0000000000000206 R12: 00007fffffa2dca8
[   25.247310] R13: 0000000000402e4b R14: 0000000000404e08 R15: 00007f1d418f2000
[   25.247759]  </TASK>
[   25.247912] irq event stamp: 5719
[   25.248127] hardirqs last  enabled at (5727): [<ffffffff81458eb4>] console_unlock+0x224/0x240
[   25.248690] hardirqs last disabled at (5736): [<ffffffff81458e99>] console_unlock+0x209/0x240
[   25.249236] softirqs last  enabled at (5252): [<ffffffff81289d19>] __irq_exit_rcu+0xa9/0x120
[   25.249768] softirqs last disabled at (5247): [<ffffffff81289d19>] __irq_exit_rcu+0xa9/0x120
[   25.250311] ---[ end trace 0000000000000000 ]---
[   25.250602] EXT4-fs (sda): Inode 151586 (00000000f9d6a315): i_reserved_data_blocks (1) not cleared!
[   25.326263] EXT4-fs (sda): Inode 151578 (00000000d86ad2f9): i_reserved_data_blocks (1) not cleared!
[   25.680884] EXT4-fs (sda): Inode 151596 (00000000da9177c9): i_reserved_data_blocks (1) not cleared!
[   25.717550] EXT4-fs (sda): Inode 151573 (0000000088687caa): i_reserved_data_blocks (1) not cleared!
[   25.726089] EXT4-fs (sda): Inode 151585 (000000005d7aed9a): i_reserved_data_blocks (1) not cleared!
[   25.838592] EXT4-fs (sda): Inode 151573 (000000004af622df): i_reserved_data_blocks (1) not cleared!
[   25.955073] EXT4-fs (sda): Inode 151598 (00000000a6e598ec): i_reserved_data_blocks (1) not cleared!
[   26.525552] EXT4-fs (sda): Inode 151593 (0000000026aef1cd): i_reserved_data_blocks (1) not cleared!
[   26.554067] EXT4-fs (sda): Inode 151591 (0000000051e990da): i_reserved_data_blocks (1) not cleared!
[   30.291490] EXT4-fs: 14 callbacks suppressed
[   30.291510] EXT4-fs (sda): Inode 151591 (0000000050be254a): i_reserved_data_blocks (1) not cleared!
[   30.301238] EXT4-fs (sda): Inode 151587 (000000004ba9ad70): i_reserved_data_blocks (1) not cleared!
[   30.414377] EXT4-fs (sda): Inode 151583 (00000000f6751ad3): i_reserved_data_blocks (1) not cleared!
[   30.417213] EXT4-fs (sda): Inode 151591 (0000000090a0dce3): i_reserved_data_blocks (1) not cleared!
[   30.537920] EXT4-fs (sda): Inode 151587 (00000000de72acf9): i_reserved_data_blocks (1) not cleared!
[   30.645791] EXT4-fs (sda): Inode 151580 (00000000a40a052f): i_reserved_data_blocks (1) not cleared!
[   30.665732] EXT4-fs (sda): Inode 151587 (00000000d9452edd): i_reserved_data_blocks (1) not cleared!
[   30.670204] EXT4-fs (sda): Inode 151597 (00000000f861d75f): i_reserved_data_blocks (1) not cleared!
[   31.964931] EXT4-fs (sda): Inode 151589 (000000009baa4064): i_reserved_data_blocks (1) not cleared!
[   32.101343] EXT4-fs (sda): Inode 151598 (000000003fca6cd5): i_reserved_data_blocks (1) not cleared!
"

I hope you find it useful.

Regards,
Yi Lai

---

If you don't need the following environment to reproduce the problem or if you
already have one reproduced environment, please ignore the following information.

How to reproduce:
git clone https://gitlab.com/xupengfe/repro_vm_env.git
cd repro_vm_env
tar -xvf repro_vm_env.tar.gz
cd repro_vm_env; ./start3.sh  // it needs qemu-system-x86_64 and I used v7.1.0
  // start3.sh will load bzImage_2241ab53cbb5cdb08a6b2d4688feb13971058f65 v6.2-rc5 kernel
  // You could change the bzImage_xxx as you want
  // Maybe you need to remove line "-drive if=pflash,format=raw,readonly=on,file=./OVMF_CODE.fd \" for different qemu version
You could use below command to log in, there is no password for root.
ssh -p 10023 root@localhost

After login vm(virtual machine) successfully, you could transfer reproduced
binary to the vm by below way, and reproduce the problem in vm:
gcc -pthread -o repro repro.c
scp -P 10023 repro root@localhost:/root/

Get the bzImage for target kernel:
Please use target kconfig and copy it to kernel_src/.config
make olddefconfig
make -jx bzImage           //x should equal or less than cpu num your pc has

Fill the bzImage file into above start3.sh to load the target kernel in vm.

Tips:
If you already have qemu-system-x86_64, please ignore below info.
If you want to install qemu v7.1.0 version:
git clone https://github.com/qemu/qemu.git
cd qemu
git checkout -f v7.1.0
mkdir build
cd build
yum install -y ninja-build.x86_64
yum -y install libslirp-devel.x86_64
../configure --target-list=x86_64-softmmu --enable-kvm --enable-vnc --enable-gtk --enable-sdl --enable-usb-redir --enable-slirp
make
make install 

On Fri, May 17, 2024 at 08:39:58PM +0800, Zhang Yi wrote:
> From: Zhang Yi <yi.zhang@huawei.com>
> 
> The per-inode i_reserved_data_blocks count the reserved delalloc blocks
> in a regular file, it should be zero when destroying the file. The
> per-fs s_dirtyclusters_counter count all reserved delalloc blocks in a
> filesystem, it also should be zero when umounting the filesystem. Now we
> have only an error message if the i_reserved_data_blocks is not zero,
> which is unable to be simply captured, so add WARN_ON_ONCE to make it
> more visable.
> 
> Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
> ---
>  fs/ext4/super.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/ext4/super.c b/fs/ext4/super.c
> index 044135796f2b..b68064c877e3 100644
> --- a/fs/ext4/super.c
> +++ b/fs/ext4/super.c
> @@ -1343,6 +1343,9 @@ static void ext4_put_super(struct super_block *sb)
>  
>  	ext4_group_desc_free(sbi);
>  	ext4_flex_groups_free(sbi);
> +
> +	WARN_ON_ONCE(!(sbi->s_mount_state & EXT4_ERROR_FS) &&
> +		     percpu_counter_sum(&sbi->s_dirtyclusters_counter));
>  	ext4_percpu_param_destroy(sbi);
>  #ifdef CONFIG_QUOTA
>  	for (int i = 0; i < EXT4_MAXQUOTAS; i++)
> @@ -1473,7 +1476,8 @@ static void ext4_destroy_inode(struct inode *inode)
>  		dump_stack();
>  	}
>  
> -	if (EXT4_I(inode)->i_reserved_data_blocks)
> +	if (!(EXT4_SB(inode->i_sb)->s_mount_state & EXT4_ERROR_FS) &&
> +	    WARN_ON_ONCE(EXT4_I(inode)->i_reserved_data_blocks))
>  		ext4_msg(inode->i_sb, KERN_ERR,
>  			 "Inode %lu (%p): i_reserved_data_blocks (%u) not cleared!",
>  			 inode->i_ino, EXT4_I(inode),
> -- 
> 2.39.2
>
Zhang Yi Sept. 24, 2024, 8:38 a.m. UTC | #3
On 2024/9/24 11:25, Lai, Yi wrote:
> Hi Zhang Yi,
> 
> Greetings!
> 
> I used Syzkaller and found that there is WARNING in ext4_destroy_inode.
> 
> After bisection and the first bad commit is:
> "
> b37c907073e8 ext4: warn if delalloc counters are not zero on inactive
> "
> 
> I understand that the commit is to add WARN_ON_ONCE to make error message more visible. I hope the reproduction program will be insightful for you.
> 

Thanks for the report! It seems that this patch worked, it start exposing
problems about inconsistent delalloc counter, which were previously hidden.
However, the counter updating logic has changed after this series:

https://lore.kernel.org/linux-ext4/20240813123452.2824659-1-yi.zhang@huaweicloud.com/

Could you reproduce this issue with this series or in the latest upstream
kernel?

Thanks,
Yi.

> All detailed into can be found at:
> https://github.com/laifryiee/syzkaller_logs/tree/main/240923_043748_ext4_destroy_inode
> Syzkaller repro code:
> https://github.com/laifryiee/syzkaller_logs/blob/main/240923_043748_ext4_destroy_inode/repro.c
> Syzkaller repro syscall steps:
> https://github.com/laifryiee/syzkaller_logs/blob/main/240923_043748_ext4_destroy_inode/repro.prog
> Syzkaller report:
> https://github.com/laifryiee/syzkaller_logs/blob/main/240923_043748_ext4_destroy_inode/repro.report
> Kconfig(make olddefconfig):
> https://github.com/laifryiee/syzkaller_logs/blob/main/240923_043748_ext4_destroy_inode/kconfig_origin
> Bisect info:
> https://github.com/laifryiee/syzkaller_logs/blob/main/240923_043748_ext4_destroy_inode/bisect_info.log
> bzImage:
> https://github.com/laifryiee/syzkaller_logs/raw/main/240923_043748_ext4_destroy_inode/bzImage_98f7e32f20d28ec452afb208f9cffc08448a2652
> Issue dmesg:
> https://github.com/laifryiee/syzkaller_logs/blob/main/240923_043748_ext4_destroy_inode/98f7e32f20d28ec452afb208f9cffc08448a2652_dmesg.log
> 
> "
> [   25.223775] ------------[ cut here ]------------
> [   25.224177] WARNING: CPU: 0 PID: 740 at fs/ext4/super.c:1464 ext4_destroy_inode+0x1de/0x280
> [   25.224724] Modules linked in:
> [   25.224920] CPU: 0 UID: 0 PID: 740 Comm: repro Not tainted 6.11.0-98f7e32f20d2 #1
> [   25.225393] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
> [   25.226103] RIP: 0010:ext4_destroy_inode+0x1de/0x280
> [   25.226429] Code: 31 ff 44 89 e6 e8 62 ad 45 ff 45 85 e4 75 16 e8 d8 a9 45 ff 48 8d 65 e0 5b 41 5c 41 5d 41 5e 5d c3 cc cc cc cc e8 c2 a9 45 ff <0f> 0b 48 8d 7b 40 4c 8d 83 50 fd ff ff 48 b8 00 00 00 00 00 fc ff
> [   25.227570] RSP: 0018:ff11000023707c08 EFLAGS: 00010293
> [   25.227915] RAX: 0000000000000000 RBX: ff11000022f22a50 RCX: ffffffff822028de
> [   25.228357] RDX: ff110000139a8000 RSI: ffffffff822028fe RDI: 0000000000000005
> [   25.228840] RBP: ff11000023707c30 R08: 0000000000000001 R09: ffe21c00024e24eb
> [   25.229284] R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000001
> [   25.229712] R13: ff11000012712000 R14: ff11000022f22ad0 R15: ff1100006c1aa440
> [   25.230168] FS:  00007f1d418a7800(0000) GS:ff1100006c400000(0000) knlGS:0000000000000000
> [   25.230666] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   25.230818] EXT4-fs (sda): Inode 151593 (000000004419e1b8): i_reserved_data_blocks (1) not cleared!
> [   25.231037] CR2: 00007f1d416b1ac0 CR3: 00000000140e4004 CR4: 0000000000771ef0
> [   25.232104] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [   25.232546] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
> [   25.233006] PKRU: 55555554
> [   25.233184] Call Trace:
> [   25.233348]  <TASK>
> [   25.233489]  ? show_regs+0xa8/0xc0
> [   25.233724]  ? __warn+0xee/0x380
> [   25.233953]  ? report_bug+0x25e/0x4b0
> [   25.234201]  ? ext4_destroy_inode+0x1de/0x280
> [   25.234485]  ? report_bug+0x2cb/0x4b0
> [   25.234729]  ? ext4_destroy_inode+0x1de/0x280
> [   25.235020]  ? handle_bug+0xa2/0x130
> [   25.235266]  ? exc_invalid_op+0x3c/0x80
> [   25.235513]  ? asm_exc_invalid_op+0x1f/0x30
> [   25.235786]  ? ext4_destroy_inode+0x1be/0x280
> [   25.236072]  ? ext4_destroy_inode+0x1de/0x280
> [   25.236356]  ? ext4_destroy_inode+0x1de/0x280
> [   25.236637]  ? ext4_destroy_inode+0x1de/0x280
> [   25.236949]  ? __pfx_ext4_destroy_inode+0x10/0x10
> [   25.237257]  destroy_inode+0xd6/0x1d0
> [   25.237507]  evict+0x5a7/0x930
> [   25.237708]  ? lock_release+0x441/0x870
> [   25.237975]  ? do_raw_spin_lock+0x141/0x280
> [   25.238246]  ? __pfx_evict+0x10/0x10
> [   25.238486]  ? __pfx_lock_release+0x10/0x10
> [   25.238757]  ? lock_release+0x441/0x870
> [   25.239015]  ? lock_release+0x441/0x870
> [   25.239266]  ? do_raw_spin_unlock+0x15c/0x210
> [   25.239552]  iput.part.0+0x543/0x740
> [   25.239788]  ? __pfx_ext4_drop_inode+0x10/0x10
> [   25.240081]  iput+0x68/0x90
> [   25.240265]  do_unlinkat+0x5dc/0x730
> [   25.240503]  ? __pfx_do_unlinkat+0x10/0x10
> [   25.240791]  ? __sanitizer_cov_trace_const_cmp8+0x1c/0x30
> [   25.241149]  ? strncpy_from_user+0x1ef/0x2e0
> [   25.241436]  ? __sanitizer_cov_trace_const_cmp4+0x1a/0x20
> [   25.241774]  ? getname_flags.part.0+0x1d5/0x570
> [   25.242459]  __x64_sys_unlink+0xd1/0x120
> [   25.242749]  x64_sys_call+0x2014/0x20d0
> [   25.243031]  do_syscall_64+0x6d/0x140
> [   25.243304]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
> [   25.243630] RIP: 0033:0x7f1d4163eb7b
> [   25.243878] Code: f0 ff ff 73 01 c3 48 8b 0d a2 b2 1b 00 f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 75 b2 1b 00 f7 d8 64 89 01 48
> [   25.245038] RSP: 002b:00007fffffa2ca48 EFLAGS: 00000206 ORIG_RAX: 0000000000000057
> [   25.245508] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1d4163eb7b
> [   25.245966] RDX: 00007fffffa2ca60 RSI: 00007fffffa2caf0 RDI: 00007fffffa2caf0
> [   25.246412] RBP: 00007fffffa2db30 R08: 0000000000000000 R09: 00007fffffa2c8e0
> [   25.246872] R10: 00007f1d4160b208 R11: 0000000000000206 R12: 00007fffffa2dca8
> [   25.247310] R13: 0000000000402e4b R14: 0000000000404e08 R15: 00007f1d418f2000
> [   25.247759]  </TASK>
> [   25.247912] irq event stamp: 5719
> [   25.248127] hardirqs last  enabled at (5727): [<ffffffff81458eb4>] console_unlock+0x224/0x240
> [   25.248690] hardirqs last disabled at (5736): [<ffffffff81458e99>] console_unlock+0x209/0x240
> [   25.249236] softirqs last  enabled at (5252): [<ffffffff81289d19>] __irq_exit_rcu+0xa9/0x120
> [   25.249768] softirqs last disabled at (5247): [<ffffffff81289d19>] __irq_exit_rcu+0xa9/0x120
> [   25.250311] ---[ end trace 0000000000000000 ]---
> [   25.250602] EXT4-fs (sda): Inode 151586 (00000000f9d6a315): i_reserved_data_blocks (1) not cleared!
> [   25.326263] EXT4-fs (sda): Inode 151578 (00000000d86ad2f9): i_reserved_data_blocks (1) not cleared!
> [   25.680884] EXT4-fs (sda): Inode 151596 (00000000da9177c9): i_reserved_data_blocks (1) not cleared!
> [   25.717550] EXT4-fs (sda): Inode 151573 (0000000088687caa): i_reserved_data_blocks (1) not cleared!
> [   25.726089] EXT4-fs (sda): Inode 151585 (000000005d7aed9a): i_reserved_data_blocks (1) not cleared!
> [   25.838592] EXT4-fs (sda): Inode 151573 (000000004af622df): i_reserved_data_blocks (1) not cleared!
> [   25.955073] EXT4-fs (sda): Inode 151598 (00000000a6e598ec): i_reserved_data_blocks (1) not cleared!
> [   26.525552] EXT4-fs (sda): Inode 151593 (0000000026aef1cd): i_reserved_data_blocks (1) not cleared!
> [   26.554067] EXT4-fs (sda): Inode 151591 (0000000051e990da): i_reserved_data_blocks (1) not cleared!
> [   30.291490] EXT4-fs: 14 callbacks suppressed
> [   30.291510] EXT4-fs (sda): Inode 151591 (0000000050be254a): i_reserved_data_blocks (1) not cleared!
> [   30.301238] EXT4-fs (sda): Inode 151587 (000000004ba9ad70): i_reserved_data_blocks (1) not cleared!
> [   30.414377] EXT4-fs (sda): Inode 151583 (00000000f6751ad3): i_reserved_data_blocks (1) not cleared!
> [   30.417213] EXT4-fs (sda): Inode 151591 (0000000090a0dce3): i_reserved_data_blocks (1) not cleared!
> [   30.537920] EXT4-fs (sda): Inode 151587 (00000000de72acf9): i_reserved_data_blocks (1) not cleared!
> [   30.645791] EXT4-fs (sda): Inode 151580 (00000000a40a052f): i_reserved_data_blocks (1) not cleared!
> [   30.665732] EXT4-fs (sda): Inode 151587 (00000000d9452edd): i_reserved_data_blocks (1) not cleared!
> [   30.670204] EXT4-fs (sda): Inode 151597 (00000000f861d75f): i_reserved_data_blocks (1) not cleared!
> [   31.964931] EXT4-fs (sda): Inode 151589 (000000009baa4064): i_reserved_data_blocks (1) not cleared!
> [   32.101343] EXT4-fs (sda): Inode 151598 (000000003fca6cd5): i_reserved_data_blocks (1) not cleared!
> "
> 
> I hope you find it useful.
> 
> Regards,
> Yi Lai
> 
> ---
> 
> If you don't need the following environment to reproduce the problem or if you
> already have one reproduced environment, please ignore the following information.
> 
> How to reproduce:
> git clone https://gitlab.com/xupengfe/repro_vm_env.git
> cd repro_vm_env
> tar -xvf repro_vm_env.tar.gz
> cd repro_vm_env; ./start3.sh  // it needs qemu-system-x86_64 and I used v7.1.0
>   // start3.sh will load bzImage_2241ab53cbb5cdb08a6b2d4688feb13971058f65 v6.2-rc5 kernel
>   // You could change the bzImage_xxx as you want
>   // Maybe you need to remove line "-drive if=pflash,format=raw,readonly=on,file=./OVMF_CODE.fd \" for different qemu version
> You could use below command to log in, there is no password for root.
> ssh -p 10023 root@localhost
> 
> After login vm(virtual machine) successfully, you could transfer reproduced
> binary to the vm by below way, and reproduce the problem in vm:
> gcc -pthread -o repro repro.c
> scp -P 10023 repro root@localhost:/root/
> 
> Get the bzImage for target kernel:
> Please use target kconfig and copy it to kernel_src/.config
> make olddefconfig
> make -jx bzImage           //x should equal or less than cpu num your pc has
> 
> Fill the bzImage file into above start3.sh to load the target kernel in vm.
> 
> Tips:
> If you already have qemu-system-x86_64, please ignore below info.
> If you want to install qemu v7.1.0 version:
> git clone https://github.com/qemu/qemu.git
> cd qemu
> git checkout -f v7.1.0
> mkdir build
> cd build
> yum install -y ninja-build.x86_64
> yum -y install libslirp-devel.x86_64
> ../configure --target-list=x86_64-softmmu --enable-kvm --enable-vnc --enable-gtk --enable-sdl --enable-usb-redir --enable-slirp
> make
> make install 
> 
> On Fri, May 17, 2024 at 08:39:58PM +0800, Zhang Yi wrote:
>> From: Zhang Yi <yi.zhang@huawei.com>
>>
>> The per-inode i_reserved_data_blocks count the reserved delalloc blocks
>> in a regular file, it should be zero when destroying the file. The
>> per-fs s_dirtyclusters_counter count all reserved delalloc blocks in a
>> filesystem, it also should be zero when umounting the filesystem. Now we
>> have only an error message if the i_reserved_data_blocks is not zero,
>> which is unable to be simply captured, so add WARN_ON_ONCE to make it
>> more visable.
>>
>> Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
>> ---
>>  fs/ext4/super.c | 6 +++++-
>>  1 file changed, 5 insertions(+), 1 deletion(-)
>>
>> diff --git a/fs/ext4/super.c b/fs/ext4/super.c
>> index 044135796f2b..b68064c877e3 100644
>> --- a/fs/ext4/super.c
>> +++ b/fs/ext4/super.c
>> @@ -1343,6 +1343,9 @@ static void ext4_put_super(struct super_block *sb)
>>  
>>  	ext4_group_desc_free(sbi);
>>  	ext4_flex_groups_free(sbi);
>> +
>> +	WARN_ON_ONCE(!(sbi->s_mount_state & EXT4_ERROR_FS) &&
>> +		     percpu_counter_sum(&sbi->s_dirtyclusters_counter));
>>  	ext4_percpu_param_destroy(sbi);
>>  #ifdef CONFIG_QUOTA
>>  	for (int i = 0; i < EXT4_MAXQUOTAS; i++)
>> @@ -1473,7 +1476,8 @@ static void ext4_destroy_inode(struct inode *inode)
>>  		dump_stack();
>>  	}
>>  
>> -	if (EXT4_I(inode)->i_reserved_data_blocks)
>> +	if (!(EXT4_SB(inode->i_sb)->s_mount_state & EXT4_ERROR_FS) &&
>> +	    WARN_ON_ONCE(EXT4_I(inode)->i_reserved_data_blocks))
>>  		ext4_msg(inode->i_sb, KERN_ERR,
>>  			 "Inode %lu (%p): i_reserved_data_blocks (%u) not cleared!",
>>  			 inode->i_ino, EXT4_I(inode),
>> -- 
>> 2.39.2
>>
>
Lai, Yi Sept. 25, 2024, 9:52 a.m. UTC | #4
Hi,

I have applied your mentioned patch series on top of linux tag v6.11.
Using the same repro binary, issue cannot be reproduced.

Regards,
Yi Lai

On Tue, Sep 24, 2024 at 04:38:22PM +0800, Zhang Yi wrote:
> On 2024/9/24 11:25, Lai, Yi wrote:
> > Hi Zhang Yi,
> > 
> > Greetings!
> > 
> > I used Syzkaller and found that there is WARNING in ext4_destroy_inode.
> > 
> > After bisection and the first bad commit is:
> > "
> > b37c907073e8 ext4: warn if delalloc counters are not zero on inactive
> > "
> > 
> > I understand that the commit is to add WARN_ON_ONCE to make error message more visible. I hope the reproduction program will be insightful for you.
> > 
> 
> Thanks for the report! It seems that this patch worked, it start exposing
> problems about inconsistent delalloc counter, which were previously hidden.
> However, the counter updating logic has changed after this series:
> 
> https://lore.kernel.org/linux-ext4/20240813123452.2824659-1-yi.zhang@huaweicloud.com/
> 
> Could you reproduce this issue with this series or in the latest upstream
> kernel?
> 
> Thanks,
> Yi.
> 
> > All detailed into can be found at:
> > https://github.com/laifryiee/syzkaller_logs/tree/main/240923_043748_ext4_destroy_inode
> > Syzkaller repro code:
> > https://github.com/laifryiee/syzkaller_logs/blob/main/240923_043748_ext4_destroy_inode/repro.c
> > Syzkaller repro syscall steps:
> > https://github.com/laifryiee/syzkaller_logs/blob/main/240923_043748_ext4_destroy_inode/repro.prog
> > Syzkaller report:
> > https://github.com/laifryiee/syzkaller_logs/blob/main/240923_043748_ext4_destroy_inode/repro.report
> > Kconfig(make olddefconfig):
> > https://github.com/laifryiee/syzkaller_logs/blob/main/240923_043748_ext4_destroy_inode/kconfig_origin
> > Bisect info:
> > https://github.com/laifryiee/syzkaller_logs/blob/main/240923_043748_ext4_destroy_inode/bisect_info.log
> > bzImage:
> > https://github.com/laifryiee/syzkaller_logs/raw/main/240923_043748_ext4_destroy_inode/bzImage_98f7e32f20d28ec452afb208f9cffc08448a2652
> > Issue dmesg:
> > https://github.com/laifryiee/syzkaller_logs/blob/main/240923_043748_ext4_destroy_inode/98f7e32f20d28ec452afb208f9cffc08448a2652_dmesg.log
> > 
> > "
> > [   25.223775] ------------[ cut here ]------------
> > [   25.224177] WARNING: CPU: 0 PID: 740 at fs/ext4/super.c:1464 ext4_destroy_inode+0x1de/0x280
> > [   25.224724] Modules linked in:
> > [   25.224920] CPU: 0 UID: 0 PID: 740 Comm: repro Not tainted 6.11.0-98f7e32f20d2 #1
> > [   25.225393] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
> > [   25.226103] RIP: 0010:ext4_destroy_inode+0x1de/0x280
> > [   25.226429] Code: 31 ff 44 89 e6 e8 62 ad 45 ff 45 85 e4 75 16 e8 d8 a9 45 ff 48 8d 65 e0 5b 41 5c 41 5d 41 5e 5d c3 cc cc cc cc e8 c2 a9 45 ff <0f> 0b 48 8d 7b 40 4c 8d 83 50 fd ff ff 48 b8 00 00 00 00 00 fc ff
> > [   25.227570] RSP: 0018:ff11000023707c08 EFLAGS: 00010293
> > [   25.227915] RAX: 0000000000000000 RBX: ff11000022f22a50 RCX: ffffffff822028de
> > [   25.228357] RDX: ff110000139a8000 RSI: ffffffff822028fe RDI: 0000000000000005
> > [   25.228840] RBP: ff11000023707c30 R08: 0000000000000001 R09: ffe21c00024e24eb
> > [   25.229284] R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000001
> > [   25.229712] R13: ff11000012712000 R14: ff11000022f22ad0 R15: ff1100006c1aa440
> > [   25.230168] FS:  00007f1d418a7800(0000) GS:ff1100006c400000(0000) knlGS:0000000000000000
> > [   25.230666] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [   25.230818] EXT4-fs (sda): Inode 151593 (000000004419e1b8): i_reserved_data_blocks (1) not cleared!
> > [   25.231037] CR2: 00007f1d416b1ac0 CR3: 00000000140e4004 CR4: 0000000000771ef0
> > [   25.232104] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > [   25.232546] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
> > [   25.233006] PKRU: 55555554
> > [   25.233184] Call Trace:
> > [   25.233348]  <TASK>
> > [   25.233489]  ? show_regs+0xa8/0xc0
> > [   25.233724]  ? __warn+0xee/0x380
> > [   25.233953]  ? report_bug+0x25e/0x4b0
> > [   25.234201]  ? ext4_destroy_inode+0x1de/0x280
> > [   25.234485]  ? report_bug+0x2cb/0x4b0
> > [   25.234729]  ? ext4_destroy_inode+0x1de/0x280
> > [   25.235020]  ? handle_bug+0xa2/0x130
> > [   25.235266]  ? exc_invalid_op+0x3c/0x80
> > [   25.235513]  ? asm_exc_invalid_op+0x1f/0x30
> > [   25.235786]  ? ext4_destroy_inode+0x1be/0x280
> > [   25.236072]  ? ext4_destroy_inode+0x1de/0x280
> > [   25.236356]  ? ext4_destroy_inode+0x1de/0x280
> > [   25.236637]  ? ext4_destroy_inode+0x1de/0x280
> > [   25.236949]  ? __pfx_ext4_destroy_inode+0x10/0x10
> > [   25.237257]  destroy_inode+0xd6/0x1d0
> > [   25.237507]  evict+0x5a7/0x930
> > [   25.237708]  ? lock_release+0x441/0x870
> > [   25.237975]  ? do_raw_spin_lock+0x141/0x280
> > [   25.238246]  ? __pfx_evict+0x10/0x10
> > [   25.238486]  ? __pfx_lock_release+0x10/0x10
> > [   25.238757]  ? lock_release+0x441/0x870
> > [   25.239015]  ? lock_release+0x441/0x870
> > [   25.239266]  ? do_raw_spin_unlock+0x15c/0x210
> > [   25.239552]  iput.part.0+0x543/0x740
> > [   25.239788]  ? __pfx_ext4_drop_inode+0x10/0x10
> > [   25.240081]  iput+0x68/0x90
> > [   25.240265]  do_unlinkat+0x5dc/0x730
> > [   25.240503]  ? __pfx_do_unlinkat+0x10/0x10
> > [   25.240791]  ? __sanitizer_cov_trace_const_cmp8+0x1c/0x30
> > [   25.241149]  ? strncpy_from_user+0x1ef/0x2e0
> > [   25.241436]  ? __sanitizer_cov_trace_const_cmp4+0x1a/0x20
> > [   25.241774]  ? getname_flags.part.0+0x1d5/0x570
> > [   25.242459]  __x64_sys_unlink+0xd1/0x120
> > [   25.242749]  x64_sys_call+0x2014/0x20d0
> > [   25.243031]  do_syscall_64+0x6d/0x140
> > [   25.243304]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
> > [   25.243630] RIP: 0033:0x7f1d4163eb7b
> > [   25.243878] Code: f0 ff ff 73 01 c3 48 8b 0d a2 b2 1b 00 f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 75 b2 1b 00 f7 d8 64 89 01 48
> > [   25.245038] RSP: 002b:00007fffffa2ca48 EFLAGS: 00000206 ORIG_RAX: 0000000000000057
> > [   25.245508] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1d4163eb7b
> > [   25.245966] RDX: 00007fffffa2ca60 RSI: 00007fffffa2caf0 RDI: 00007fffffa2caf0
> > [   25.246412] RBP: 00007fffffa2db30 R08: 0000000000000000 R09: 00007fffffa2c8e0
> > [   25.246872] R10: 00007f1d4160b208 R11: 0000000000000206 R12: 00007fffffa2dca8
> > [   25.247310] R13: 0000000000402e4b R14: 0000000000404e08 R15: 00007f1d418f2000
> > [   25.247759]  </TASK>
> > [   25.247912] irq event stamp: 5719
> > [   25.248127] hardirqs last  enabled at (5727): [<ffffffff81458eb4>] console_unlock+0x224/0x240
> > [   25.248690] hardirqs last disabled at (5736): [<ffffffff81458e99>] console_unlock+0x209/0x240
> > [   25.249236] softirqs last  enabled at (5252): [<ffffffff81289d19>] __irq_exit_rcu+0xa9/0x120
> > [   25.249768] softirqs last disabled at (5247): [<ffffffff81289d19>] __irq_exit_rcu+0xa9/0x120
> > [   25.250311] ---[ end trace 0000000000000000 ]---
> > [   25.250602] EXT4-fs (sda): Inode 151586 (00000000f9d6a315): i_reserved_data_blocks (1) not cleared!
> > [   25.326263] EXT4-fs (sda): Inode 151578 (00000000d86ad2f9): i_reserved_data_blocks (1) not cleared!
> > [   25.680884] EXT4-fs (sda): Inode 151596 (00000000da9177c9): i_reserved_data_blocks (1) not cleared!
> > [   25.717550] EXT4-fs (sda): Inode 151573 (0000000088687caa): i_reserved_data_blocks (1) not cleared!
> > [   25.726089] EXT4-fs (sda): Inode 151585 (000000005d7aed9a): i_reserved_data_blocks (1) not cleared!
> > [   25.838592] EXT4-fs (sda): Inode 151573 (000000004af622df): i_reserved_data_blocks (1) not cleared!
> > [   25.955073] EXT4-fs (sda): Inode 151598 (00000000a6e598ec): i_reserved_data_blocks (1) not cleared!
> > [   26.525552] EXT4-fs (sda): Inode 151593 (0000000026aef1cd): i_reserved_data_blocks (1) not cleared!
> > [   26.554067] EXT4-fs (sda): Inode 151591 (0000000051e990da): i_reserved_data_blocks (1) not cleared!
> > [   30.291490] EXT4-fs: 14 callbacks suppressed
> > [   30.291510] EXT4-fs (sda): Inode 151591 (0000000050be254a): i_reserved_data_blocks (1) not cleared!
> > [   30.301238] EXT4-fs (sda): Inode 151587 (000000004ba9ad70): i_reserved_data_blocks (1) not cleared!
> > [   30.414377] EXT4-fs (sda): Inode 151583 (00000000f6751ad3): i_reserved_data_blocks (1) not cleared!
> > [   30.417213] EXT4-fs (sda): Inode 151591 (0000000090a0dce3): i_reserved_data_blocks (1) not cleared!
> > [   30.537920] EXT4-fs (sda): Inode 151587 (00000000de72acf9): i_reserved_data_blocks (1) not cleared!
> > [   30.645791] EXT4-fs (sda): Inode 151580 (00000000a40a052f): i_reserved_data_blocks (1) not cleared!
> > [   30.665732] EXT4-fs (sda): Inode 151587 (00000000d9452edd): i_reserved_data_blocks (1) not cleared!
> > [   30.670204] EXT4-fs (sda): Inode 151597 (00000000f861d75f): i_reserved_data_blocks (1) not cleared!
> > [   31.964931] EXT4-fs (sda): Inode 151589 (000000009baa4064): i_reserved_data_blocks (1) not cleared!
> > [   32.101343] EXT4-fs (sda): Inode 151598 (000000003fca6cd5): i_reserved_data_blocks (1) not cleared!
> > "
> > 
> > I hope you find it useful.
> > 
> > Regards,
> > Yi Lai
> > 
> > ---
> > 
> > If you don't need the following environment to reproduce the problem or if you
> > already have one reproduced environment, please ignore the following information.
> > 
> > How to reproduce:
> > git clone https://gitlab.com/xupengfe/repro_vm_env.git
> > cd repro_vm_env
> > tar -xvf repro_vm_env.tar.gz
> > cd repro_vm_env; ./start3.sh  // it needs qemu-system-x86_64 and I used v7.1.0
> >   // start3.sh will load bzImage_2241ab53cbb5cdb08a6b2d4688feb13971058f65 v6.2-rc5 kernel
> >   // You could change the bzImage_xxx as you want
> >   // Maybe you need to remove line "-drive if=pflash,format=raw,readonly=on,file=./OVMF_CODE.fd \" for different qemu version
> > You could use below command to log in, there is no password for root.
> > ssh -p 10023 root@localhost
> > 
> > After login vm(virtual machine) successfully, you could transfer reproduced
> > binary to the vm by below way, and reproduce the problem in vm:
> > gcc -pthread -o repro repro.c
> > scp -P 10023 repro root@localhost:/root/
> > 
> > Get the bzImage for target kernel:
> > Please use target kconfig and copy it to kernel_src/.config
> > make olddefconfig
> > make -jx bzImage           //x should equal or less than cpu num your pc has
> > 
> > Fill the bzImage file into above start3.sh to load the target kernel in vm.
> > 
> > Tips:
> > If you already have qemu-system-x86_64, please ignore below info.
> > If you want to install qemu v7.1.0 version:
> > git clone https://github.com/qemu/qemu.git
> > cd qemu
> > git checkout -f v7.1.0
> > mkdir build
> > cd build
> > yum install -y ninja-build.x86_64
> > yum -y install libslirp-devel.x86_64
> > ../configure --target-list=x86_64-softmmu --enable-kvm --enable-vnc --enable-gtk --enable-sdl --enable-usb-redir --enable-slirp
> > make
> > make install 
> > 
> > On Fri, May 17, 2024 at 08:39:58PM +0800, Zhang Yi wrote:
> >> From: Zhang Yi <yi.zhang@huawei.com>
> >>
> >> The per-inode i_reserved_data_blocks count the reserved delalloc blocks
> >> in a regular file, it should be zero when destroying the file. The
> >> per-fs s_dirtyclusters_counter count all reserved delalloc blocks in a
> >> filesystem, it also should be zero when umounting the filesystem. Now we
> >> have only an error message if the i_reserved_data_blocks is not zero,
> >> which is unable to be simply captured, so add WARN_ON_ONCE to make it
> >> more visable.
> >>
> >> Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
> >> ---
> >>  fs/ext4/super.c | 6 +++++-
> >>  1 file changed, 5 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/fs/ext4/super.c b/fs/ext4/super.c
> >> index 044135796f2b..b68064c877e3 100644
> >> --- a/fs/ext4/super.c
> >> +++ b/fs/ext4/super.c
> >> @@ -1343,6 +1343,9 @@ static void ext4_put_super(struct super_block *sb)
> >>  
> >>  	ext4_group_desc_free(sbi);
> >>  	ext4_flex_groups_free(sbi);
> >> +
> >> +	WARN_ON_ONCE(!(sbi->s_mount_state & EXT4_ERROR_FS) &&
> >> +		     percpu_counter_sum(&sbi->s_dirtyclusters_counter));
> >>  	ext4_percpu_param_destroy(sbi);
> >>  #ifdef CONFIG_QUOTA
> >>  	for (int i = 0; i < EXT4_MAXQUOTAS; i++)
> >> @@ -1473,7 +1476,8 @@ static void ext4_destroy_inode(struct inode *inode)
> >>  		dump_stack();
> >>  	}
> >>  
> >> -	if (EXT4_I(inode)->i_reserved_data_blocks)
> >> +	if (!(EXT4_SB(inode->i_sb)->s_mount_state & EXT4_ERROR_FS) &&
> >> +	    WARN_ON_ONCE(EXT4_I(inode)->i_reserved_data_blocks))
> >>  		ext4_msg(inode->i_sb, KERN_ERR,
> >>  			 "Inode %lu (%p): i_reserved_data_blocks (%u) not cleared!",
> >>  			 inode->i_ino, EXT4_I(inode),
> >> -- 
> >> 2.39.2
> >>
> > 
>
Zhang Yi Sept. 25, 2024, 11:34 a.m. UTC | #5
On 2024/9/25 17:52, Lai, Yi wrote:
> Hi,
> 
> I have applied your mentioned patch series on top of linux tag v6.11.
> Using the same repro binary, issue cannot be reproduced.
> 

Ah, that's great, this series seems had fixed some corner problems
as well, thanks a lot for testing this.

Thanks,
Yi.

> Regards,
> Yi Lai
> 
> On Tue, Sep 24, 2024 at 04:38:22PM +0800, Zhang Yi wrote:
>> On 2024/9/24 11:25, Lai, Yi wrote:
>>> Hi Zhang Yi,
>>>
>>> Greetings!
>>>
>>> I used Syzkaller and found that there is WARNING in ext4_destroy_inode.
>>>
>>> After bisection and the first bad commit is:
>>> "
>>> b37c907073e8 ext4: warn if delalloc counters are not zero on inactive
>>> "
>>>
>>> I understand that the commit is to add WARN_ON_ONCE to make error message more visible. I hope the reproduction program will be insightful for you.
>>>
>>
>> Thanks for the report! It seems that this patch worked, it start exposing
>> problems about inconsistent delalloc counter, which were previously hidden.
>> However, the counter updating logic has changed after this series:
>>
>> https://lore.kernel.org/linux-ext4/20240813123452.2824659-1-yi.zhang@huaweicloud.com/
>>
>> Could you reproduce this issue with this series or in the latest upstream
>> kernel?
>>
>> Thanks,
>> Yi.
>>
>>> All detailed into can be found at:
>>> https://github.com/laifryiee/syzkaller_logs/tree/main/240923_043748_ext4_destroy_inode
>>> Syzkaller repro code:
>>> https://github.com/laifryiee/syzkaller_logs/blob/main/240923_043748_ext4_destroy_inode/repro.c
>>> Syzkaller repro syscall steps:
>>> https://github.com/laifryiee/syzkaller_logs/blob/main/240923_043748_ext4_destroy_inode/repro.prog
>>> Syzkaller report:
>>> https://github.com/laifryiee/syzkaller_logs/blob/main/240923_043748_ext4_destroy_inode/repro.report
>>> Kconfig(make olddefconfig):
>>> https://github.com/laifryiee/syzkaller_logs/blob/main/240923_043748_ext4_destroy_inode/kconfig_origin
>>> Bisect info:
>>> https://github.com/laifryiee/syzkaller_logs/blob/main/240923_043748_ext4_destroy_inode/bisect_info.log
>>> bzImage:
>>> https://github.com/laifryiee/syzkaller_logs/raw/main/240923_043748_ext4_destroy_inode/bzImage_98f7e32f20d28ec452afb208f9cffc08448a2652
>>> Issue dmesg:
>>> https://github.com/laifryiee/syzkaller_logs/blob/main/240923_043748_ext4_destroy_inode/98f7e32f20d28ec452afb208f9cffc08448a2652_dmesg.log
>>>
>>> "
>>> [   25.223775] ------------[ cut here ]------------
>>> [   25.224177] WARNING: CPU: 0 PID: 740 at fs/ext4/super.c:1464 ext4_destroy_inode+0x1de/0x280
>>> [   25.224724] Modules linked in:
>>> [   25.224920] CPU: 0 UID: 0 PID: 740 Comm: repro Not tainted 6.11.0-98f7e32f20d2 #1
>>> [   25.225393] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
>>> [   25.226103] RIP: 0010:ext4_destroy_inode+0x1de/0x280
>>> [   25.226429] Code: 31 ff 44 89 e6 e8 62 ad 45 ff 45 85 e4 75 16 e8 d8 a9 45 ff 48 8d 65 e0 5b 41 5c 41 5d 41 5e 5d c3 cc cc cc cc e8 c2 a9 45 ff <0f> 0b 48 8d 7b 40 4c 8d 83 50 fd ff ff 48 b8 00 00 00 00 00 fc ff
>>> [   25.227570] RSP: 0018:ff11000023707c08 EFLAGS: 00010293
>>> [   25.227915] RAX: 0000000000000000 RBX: ff11000022f22a50 RCX: ffffffff822028de
>>> [   25.228357] RDX: ff110000139a8000 RSI: ffffffff822028fe RDI: 0000000000000005
>>> [   25.228840] RBP: ff11000023707c30 R08: 0000000000000001 R09: ffe21c00024e24eb
>>> [   25.229284] R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000001
>>> [   25.229712] R13: ff11000012712000 R14: ff11000022f22ad0 R15: ff1100006c1aa440
>>> [   25.230168] FS:  00007f1d418a7800(0000) GS:ff1100006c400000(0000) knlGS:0000000000000000
>>> [   25.230666] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>> [   25.230818] EXT4-fs (sda): Inode 151593 (000000004419e1b8): i_reserved_data_blocks (1) not cleared!
>>> [   25.231037] CR2: 00007f1d416b1ac0 CR3: 00000000140e4004 CR4: 0000000000771ef0
>>> [   25.232104] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>>> [   25.232546] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
>>> [   25.233006] PKRU: 55555554
>>> [   25.233184] Call Trace:
>>> [   25.233348]  <TASK>
>>> [   25.233489]  ? show_regs+0xa8/0xc0
>>> [   25.233724]  ? __warn+0xee/0x380
>>> [   25.233953]  ? report_bug+0x25e/0x4b0
>>> [   25.234201]  ? ext4_destroy_inode+0x1de/0x280
>>> [   25.234485]  ? report_bug+0x2cb/0x4b0
>>> [   25.234729]  ? ext4_destroy_inode+0x1de/0x280
>>> [   25.235020]  ? handle_bug+0xa2/0x130
>>> [   25.235266]  ? exc_invalid_op+0x3c/0x80
>>> [   25.235513]  ? asm_exc_invalid_op+0x1f/0x30
>>> [   25.235786]  ? ext4_destroy_inode+0x1be/0x280
>>> [   25.236072]  ? ext4_destroy_inode+0x1de/0x280
>>> [   25.236356]  ? ext4_destroy_inode+0x1de/0x280
>>> [   25.236637]  ? ext4_destroy_inode+0x1de/0x280
>>> [   25.236949]  ? __pfx_ext4_destroy_inode+0x10/0x10
>>> [   25.237257]  destroy_inode+0xd6/0x1d0
>>> [   25.237507]  evict+0x5a7/0x930
>>> [   25.237708]  ? lock_release+0x441/0x870
>>> [   25.237975]  ? do_raw_spin_lock+0x141/0x280
>>> [   25.238246]  ? __pfx_evict+0x10/0x10
>>> [   25.238486]  ? __pfx_lock_release+0x10/0x10
>>> [   25.238757]  ? lock_release+0x441/0x870
>>> [   25.239015]  ? lock_release+0x441/0x870
>>> [   25.239266]  ? do_raw_spin_unlock+0x15c/0x210
>>> [   25.239552]  iput.part.0+0x543/0x740
>>> [   25.239788]  ? __pfx_ext4_drop_inode+0x10/0x10
>>> [   25.240081]  iput+0x68/0x90
>>> [   25.240265]  do_unlinkat+0x5dc/0x730
>>> [   25.240503]  ? __pfx_do_unlinkat+0x10/0x10
>>> [   25.240791]  ? __sanitizer_cov_trace_const_cmp8+0x1c/0x30
>>> [   25.241149]  ? strncpy_from_user+0x1ef/0x2e0
>>> [   25.241436]  ? __sanitizer_cov_trace_const_cmp4+0x1a/0x20
>>> [   25.241774]  ? getname_flags.part.0+0x1d5/0x570
>>> [   25.242459]  __x64_sys_unlink+0xd1/0x120
>>> [   25.242749]  x64_sys_call+0x2014/0x20d0
>>> [   25.243031]  do_syscall_64+0x6d/0x140
>>> [   25.243304]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
>>> [   25.243630] RIP: 0033:0x7f1d4163eb7b
>>> [   25.243878] Code: f0 ff ff 73 01 c3 48 8b 0d a2 b2 1b 00 f7 d8 64 89 01 48 83 c8 ff c3 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 75 b2 1b 00 f7 d8 64 89 01 48
>>> [   25.245038] RSP: 002b:00007fffffa2ca48 EFLAGS: 00000206 ORIG_RAX: 0000000000000057
>>> [   25.245508] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1d4163eb7b
>>> [   25.245966] RDX: 00007fffffa2ca60 RSI: 00007fffffa2caf0 RDI: 00007fffffa2caf0
>>> [   25.246412] RBP: 00007fffffa2db30 R08: 0000000000000000 R09: 00007fffffa2c8e0
>>> [   25.246872] R10: 00007f1d4160b208 R11: 0000000000000206 R12: 00007fffffa2dca8
>>> [   25.247310] R13: 0000000000402e4b R14: 0000000000404e08 R15: 00007f1d418f2000
>>> [   25.247759]  </TASK>
>>> [   25.247912] irq event stamp: 5719
>>> [   25.248127] hardirqs last  enabled at (5727): [<ffffffff81458eb4>] console_unlock+0x224/0x240
>>> [   25.248690] hardirqs last disabled at (5736): [<ffffffff81458e99>] console_unlock+0x209/0x240
>>> [   25.249236] softirqs last  enabled at (5252): [<ffffffff81289d19>] __irq_exit_rcu+0xa9/0x120
>>> [   25.249768] softirqs last disabled at (5247): [<ffffffff81289d19>] __irq_exit_rcu+0xa9/0x120
>>> [   25.250311] ---[ end trace 0000000000000000 ]---
>>> [   25.250602] EXT4-fs (sda): Inode 151586 (00000000f9d6a315): i_reserved_data_blocks (1) not cleared!
>>> [   25.326263] EXT4-fs (sda): Inode 151578 (00000000d86ad2f9): i_reserved_data_blocks (1) not cleared!
>>> [   25.680884] EXT4-fs (sda): Inode 151596 (00000000da9177c9): i_reserved_data_blocks (1) not cleared!
>>> [   25.717550] EXT4-fs (sda): Inode 151573 (0000000088687caa): i_reserved_data_blocks (1) not cleared!
>>> [   25.726089] EXT4-fs (sda): Inode 151585 (000000005d7aed9a): i_reserved_data_blocks (1) not cleared!
>>> [   25.838592] EXT4-fs (sda): Inode 151573 (000000004af622df): i_reserved_data_blocks (1) not cleared!
>>> [   25.955073] EXT4-fs (sda): Inode 151598 (00000000a6e598ec): i_reserved_data_blocks (1) not cleared!
>>> [   26.525552] EXT4-fs (sda): Inode 151593 (0000000026aef1cd): i_reserved_data_blocks (1) not cleared!
>>> [   26.554067] EXT4-fs (sda): Inode 151591 (0000000051e990da): i_reserved_data_blocks (1) not cleared!
>>> [   30.291490] EXT4-fs: 14 callbacks suppressed
>>> [   30.291510] EXT4-fs (sda): Inode 151591 (0000000050be254a): i_reserved_data_blocks (1) not cleared!
>>> [   30.301238] EXT4-fs (sda): Inode 151587 (000000004ba9ad70): i_reserved_data_blocks (1) not cleared!
>>> [   30.414377] EXT4-fs (sda): Inode 151583 (00000000f6751ad3): i_reserved_data_blocks (1) not cleared!
>>> [   30.417213] EXT4-fs (sda): Inode 151591 (0000000090a0dce3): i_reserved_data_blocks (1) not cleared!
>>> [   30.537920] EXT4-fs (sda): Inode 151587 (00000000de72acf9): i_reserved_data_blocks (1) not cleared!
>>> [   30.645791] EXT4-fs (sda): Inode 151580 (00000000a40a052f): i_reserved_data_blocks (1) not cleared!
>>> [   30.665732] EXT4-fs (sda): Inode 151587 (00000000d9452edd): i_reserved_data_blocks (1) not cleared!
>>> [   30.670204] EXT4-fs (sda): Inode 151597 (00000000f861d75f): i_reserved_data_blocks (1) not cleared!
>>> [   31.964931] EXT4-fs (sda): Inode 151589 (000000009baa4064): i_reserved_data_blocks (1) not cleared!
>>> [   32.101343] EXT4-fs (sda): Inode 151598 (000000003fca6cd5): i_reserved_data_blocks (1) not cleared!
>>> "
>>>
>>> I hope you find it useful.
>>>
>>> Regards,
>>> Yi Lai
>>>
>>> ---
>>>
>>> If you don't need the following environment to reproduce the problem or if you
>>> already have one reproduced environment, please ignore the following information.
>>>
>>> How to reproduce:
>>> git clone https://gitlab.com/xupengfe/repro_vm_env.git
>>> cd repro_vm_env
>>> tar -xvf repro_vm_env.tar.gz
>>> cd repro_vm_env; ./start3.sh  // it needs qemu-system-x86_64 and I used v7.1.0
>>>   // start3.sh will load bzImage_2241ab53cbb5cdb08a6b2d4688feb13971058f65 v6.2-rc5 kernel
>>>   // You could change the bzImage_xxx as you want
>>>   // Maybe you need to remove line "-drive if=pflash,format=raw,readonly=on,file=./OVMF_CODE.fd \" for different qemu version
>>> You could use below command to log in, there is no password for root.
>>> ssh -p 10023 root@localhost
>>>
>>> After login vm(virtual machine) successfully, you could transfer reproduced
>>> binary to the vm by below way, and reproduce the problem in vm:
>>> gcc -pthread -o repro repro.c
>>> scp -P 10023 repro root@localhost:/root/
>>>
>>> Get the bzImage for target kernel:
>>> Please use target kconfig and copy it to kernel_src/.config
>>> make olddefconfig
>>> make -jx bzImage           //x should equal or less than cpu num your pc has
>>>
>>> Fill the bzImage file into above start3.sh to load the target kernel in vm.
>>>
>>> Tips:
>>> If you already have qemu-system-x86_64, please ignore below info.
>>> If you want to install qemu v7.1.0 version:
>>> git clone https://github.com/qemu/qemu.git
>>> cd qemu
>>> git checkout -f v7.1.0
>>> mkdir build
>>> cd build
>>> yum install -y ninja-build.x86_64
>>> yum -y install libslirp-devel.x86_64
>>> ../configure --target-list=x86_64-softmmu --enable-kvm --enable-vnc --enable-gtk --enable-sdl --enable-usb-redir --enable-slirp
>>> make
>>> make install 
>>>
>>> On Fri, May 17, 2024 at 08:39:58PM +0800, Zhang Yi wrote:
>>>> From: Zhang Yi <yi.zhang@huawei.com>
>>>>
>>>> The per-inode i_reserved_data_blocks count the reserved delalloc blocks
>>>> in a regular file, it should be zero when destroying the file. The
>>>> per-fs s_dirtyclusters_counter count all reserved delalloc blocks in a
>>>> filesystem, it also should be zero when umounting the filesystem. Now we
>>>> have only an error message if the i_reserved_data_blocks is not zero,
>>>> which is unable to be simply captured, so add WARN_ON_ONCE to make it
>>>> more visable.
>>>>
>>>> Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
>>>> ---
>>>>  fs/ext4/super.c | 6 +++++-
>>>>  1 file changed, 5 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/fs/ext4/super.c b/fs/ext4/super.c
>>>> index 044135796f2b..b68064c877e3 100644
>>>> --- a/fs/ext4/super.c
>>>> +++ b/fs/ext4/super.c
>>>> @@ -1343,6 +1343,9 @@ static void ext4_put_super(struct super_block *sb)
>>>>  
>>>>  	ext4_group_desc_free(sbi);
>>>>  	ext4_flex_groups_free(sbi);
>>>> +
>>>> +	WARN_ON_ONCE(!(sbi->s_mount_state & EXT4_ERROR_FS) &&
>>>> +		     percpu_counter_sum(&sbi->s_dirtyclusters_counter));
>>>>  	ext4_percpu_param_destroy(sbi);
>>>>  #ifdef CONFIG_QUOTA
>>>>  	for (int i = 0; i < EXT4_MAXQUOTAS; i++)
>>>> @@ -1473,7 +1476,8 @@ static void ext4_destroy_inode(struct inode *inode)
>>>>  		dump_stack();
>>>>  	}
>>>>  
>>>> -	if (EXT4_I(inode)->i_reserved_data_blocks)
>>>> +	if (!(EXT4_SB(inode->i_sb)->s_mount_state & EXT4_ERROR_FS) &&
>>>> +	    WARN_ON_ONCE(EXT4_I(inode)->i_reserved_data_blocks))
>>>>  		ext4_msg(inode->i_sb, KERN_ERR,
>>>>  			 "Inode %lu (%p): i_reserved_data_blocks (%u) not cleared!",
>>>>  			 inode->i_ino, EXT4_I(inode),
>>>> -- 
>>>> 2.39.2
>>>>
>>>
>>
diff mbox series

Patch

diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 044135796f2b..b68064c877e3 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -1343,6 +1343,9 @@  static void ext4_put_super(struct super_block *sb)
 
 	ext4_group_desc_free(sbi);
 	ext4_flex_groups_free(sbi);
+
+	WARN_ON_ONCE(!(sbi->s_mount_state & EXT4_ERROR_FS) &&
+		     percpu_counter_sum(&sbi->s_dirtyclusters_counter));
 	ext4_percpu_param_destroy(sbi);
 #ifdef CONFIG_QUOTA
 	for (int i = 0; i < EXT4_MAXQUOTAS; i++)
@@ -1473,7 +1476,8 @@  static void ext4_destroy_inode(struct inode *inode)
 		dump_stack();
 	}
 
-	if (EXT4_I(inode)->i_reserved_data_blocks)
+	if (!(EXT4_SB(inode->i_sb)->s_mount_state & EXT4_ERROR_FS) &&
+	    WARN_ON_ONCE(EXT4_I(inode)->i_reserved_data_blocks))
 		ext4_msg(inode->i_sb, KERN_ERR,
 			 "Inode %lu (%p): i_reserved_data_blocks (%u) not cleared!",
 			 inode->i_ino, EXT4_I(inode),