214765 – ubifs: UBIFS error (ubi0:0 pid 124): ubifs_assert_failed [ubifs]: UBIFS assert failed: c->bi.dd_growth >= 0, in fs/ubifs/budget.c:554

Bug 214765 - ubifs: UBIFS error (ubi0:0 pid 124): ubifs_assert_failed [ubifs]: UBIFS assert failed: c->bi.dd_growth >= 0, in fs/ubifs/budget.c:554

Summary: ubifs: UBIFS error (ubi0:0 pid 124): ubifs_assert_failed [ubifs]: UBIFS asser...

Status:	NEW

Alias:	None

Product:	File System
Classification:	Unclassified
Component:	Other (show other bugs)
Hardware:	All Linux

Importance:	P1 normal
Assignee:	fs_other

URL:
Keywords:

Depends on:
Blocks:

Reported:	2021-10-20 02:34 UTC by Zhihao Cheng
Modified:	2021-10-20 06:50 UTC (History)
CC List:	0 users

See Also:
Kernel Version:	5.15-rc5
Subsystem:
Regression:	No
Bisected commit-id:

Attachments
delay.patch (1.04 KB, patch) 2021-10-20 06:49 UTC, Zhihao Cheng	Details \| Diff
test.sh (504 bytes, application/x-shellscript) 2021-10-20 06:49 UTC, Zhihao Cheng	Details
a.c (1.02 KB, text/plain) 2021-10-20 06:50 UTC, Zhihao Cheng	Details
Add an attachment (proposed patch, testcase, etc.)

Description Zhihao Cheng 2021-10-20 02:34:01 UTC

[   23.247289] UBIFS error (ubi0:0 pid 124): ubifs_assert_failed [ubifs]: UBIFS assert failed: c->bi.dd_growth >= 0, in fs/ubifs/budget.c:554
[   23.253718] UBIFS warning (ubi0:0 pid 124): ubifs_ro_mode [ubifs]: switched to read-only mode, error -22
[   23.256672] CPU: 3 PID: 124 Comm: kworker/u8:2 Not tainted 5.15.0-rc5-00259-g1c6a7ce3cb2d-dirty #136
[   23.258300] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
[   23.260054] Workqueue: writeback wb_workfn (flush-ubifs_0_0)
[   23.260816] Call Trace:
[   23.261156]  ? dump_stack_lvl+0x73/0x9f
[   23.261674]  ? dump_stack+0x13/0x1b
[   23.262152]  ? ubifs_ro_mode+0x54/0x60 [ubifs]
[   23.262766]  ? ubifs_assert_failed+0x4b/0x80 [ubifs]
[   23.263454]  ? ubifs_release_budget+0x468/0x5a0 [ubifs]
[   23.264175]  ? ubifs_release_dirty_inode_budget+0x53/0x80 [ubifs]
[   23.265006]  ? ubifs_write_inode+0x121/0x1f0 [ubifs]
[   23.265786]  ? __writeback_single_inode+0x43c/0x570
[   23.266477]  ? writeback_sb_inodes+0x259/0x740
[   23.267099]  ? __writeback_inodes_wb+0x88/0x120
[   23.267732]  ? wb_writeback+0x3cf/0x4d0
[   23.268272]  ? wb_workfn+0x283/0x7b0
[   23.268782]  ? check_preempt_curr+0x8d/0xb0
[   23.269384]  ? ttwu_do_activate+0xb2/0x200
[   23.269948]  ? process_one_work+0x291/0x650
[   23.270534]  ? worker_thread+0x2b7/0x700
[   23.271183]  ? rescuer_thread+0x580/0x580
[   23.271778]  ? kthread+0x18c/0x1e0
[   23.272286]  ? set_kthread_struct+0x70/0x70
[   23.272918]  ? ret_from_fork+0x1f/0x30

Comment 1 Zhihao Cheng 2021-10-20 02:34:42 UTC

generic/476 can easily trigger this problem.

Comment 2 Zhihao Cheng 2021-10-20 06:30:27 UTC

'ui->dirty' is not protected by ui_mutex in function do_tmpfile() which may race with ubifs_write_inode(wb_workfn) to access/update 'ui->dirty', finally dirty space is released twice.

           open(O_TMPFILE)                wb_workfn
do_tmpfile
  ubifs_budget_space(ino_req = { .dirtied_ino = 1})
  d_tmpfile // mark inode(tmpfile) dirty
  ubifs_jnl_update // without holding tmpfile's ui_mutex
    mark_inode_clean(ui)
      if (ui->dirty)
        ubifs_release_dirty_inode_budget(ui)  // release 
                                       ubifs_write_inode
                                         ubifs_release_dirty_inode_budget(ui)
      ui->dirty = 0

Comment 3 Zhihao Cheng 2021-10-20 06:33:34 UTC

Reproducer:
1. Apply delay.patch and compile kernel (UBIFS/UBI/NANDSIM = m)
2. ./test.sh
3. Compile and run a.c

You may get:
[14569.338625] release dirty budget 65
[14570.338640] wb release 65
[14570.348279] UBIFS error (ubi0:0 pid 2578): ubifs_assert_failed [ubifs]: UBIFS assert failed: c->bi.dd_growth >= 0, in fs/ubifs/budget.c:554
[14570.351928] UBIFS warning (ubi0:0 pid 2578): ubifs_ro_mode [ubifs]: switched to read-only mode, error -22
[14570.353452] CPU: 2 PID: 2578 Comm: kworker/u8:2 Not tainted 5.15.0-rc5-00259-g1c6a7ce3cb2d-dirty #136
[14570.355243] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
[14570.357187] Workqueue: writeback wb_workfn (flush-ubifs_0_0)
[14570.358024] Call Trace:
[14570.358388]  ? dump_stack_lvl+0x73/0x9f
[14570.358963]  ? dump_stack+0x13/0x1b
[14570.359477]  ? ubifs_ro_mode+0x54/0x60 [ubifs]
[14570.360132]  ? ubifs_assert_failed+0x4b/0x80 [ubifs]
[14570.360865]  ? ubifs_release_budget+0x468/0x5a0 [ubifs]
[14570.361632]  ? ubifs_release_dirty_inode_budget+0x53/0x80 [ubifs]
[14570.362522]  ? ubifs_write_inode+0x121/0x1f0 [ubifs]
[14570.363247]  ? __writeback_single_inode+0x43c/0x570
[14570.363953]  ? writeback_sb_inodes+0x259/0x740
[14570.364601]  ? __writeback_inodes_wb+0x88/0x120
[14570.365266]  ? wb_writeback+0x3cf/0x4d0
[14570.365843]  ? wb_workfn+0x283/0x7b0
[14570.366362]  ? send_call_function_single_ipi+0x9b/0x130
[14570.367148]  ? __smp_call_single_queue+0x48/0x60
[14570.367849]  ? ttwu_queue_wakelist+0xfa/0x1c0
[14570.368490]  ? process_one_work+0x291/0x650
[14570.369114]  ? worker_thread+0x2b7/0x700
[14570.369702]  ? rescuer_thread+0x580/0x580
[14570.370296]  ? kthread+0x18c/0x1e0
[14570.370792]  ? set_kthread_struct+0x70/0x70
[14570.371402]  ? ret_from_fork+0x1f/0x30
[14574.819182] wb finish?

Comment 4 Zhihao Cheng 2021-10-20 06:49:40 UTC

Created attachment 299253 [details]
delay.patch

Comment 5 Zhihao Cheng 2021-10-20 06:49:56 UTC

Created attachment 299255 [details]
test.sh

Comment 6 Zhihao Cheng 2021-10-20 06:50:06 UTC

Created attachment 299257 [details]
a.c

Note You need to log in before you can comment on or make changes to this bug.