Bug 215902 - kernel BUG at fs/inode.c:611!
Summary: kernel BUG at fs/inode.c:611!
Status: NEW
Alias: None
Product: File System
Classification: Unclassified
Component: Other
Hardware: All Linux
Importance: P1 normal
Assignee: fs_other
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-04-27 13:18 UTC by bughunter
Modified: 2023-03-08 07:45 UTC (History)

See Also:
Kernel Version: 5.17
Subsystem:
Regression: No
Bisected commit-id:


Attachments
case.c to reproduce the bug (6.81 KB, text/x-csrc)
2022-04-27 13:18 UTC, bughunter

Description bughunter 2022-04-27 13:18:29 UTC
Created attachment 300826 [details]
case.c to reproduce the bug

I have encountered a bug in the file system in kernel v5.17.

I have uploaded the system call sequence as case.c, and a fuzzed image can be found in google net disk (https://drive.google.com/file/d/1PKx2vYljtEEn88AdYHZElKfahOjtzfh2/view?usp=sharing).

The kernel should be built with CONFIG_KASAN=y and CONFIG_KASAN_INLINE=y. You can reproduce the bug by running the following commands:

gcc -o case case.c
losetup /dev/loop0 case.img
mount -o "background_gc=on,disable_roll_forward,nodiscard,noacl,flush_merge,nobarrier,fastboot,extent_cache,checkpoint=disable,usrquota,test_dummy_encryption" /dev/loop0 /root/mnt
./case

The kernel message is shown below:

6,828,84762553,-;loop0: detected capacity change from 0 to 131072
6,829,84800241,-;F2FS-fs (loop0): Mismatch start address, segment0(512) cp_blkaddr(4060086784)
3,830,84800254,-;F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
4,831,84800328,-;F2FS-fs (loop0): Test dummy encryption mount option ignored
5,832,84804081,-;F2FS-fs (loop0): Disable nat_bits due to incorrect cp_ver (17468725613732348634, 17765647070955881174)
4,833,84831908,-;F2FS-fs (loop0): Start checkpoint disabled!
6,834,85341039,-;F2FS-fs (loop0): Try to recover 2th superblock, ret: 0
5,835,85341048,-;F2FS-fs (loop0): Mounted with checkpoint version = 7548c2db
4,836,85400108,-;------------[ cut here ]------------
2,837,85400113,-;kernel BUG at fs/inode.c:611!
4,838,85400126,-;invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
4,839,85400132,-;CPU: 3 PID: 1067 Comm: case Not tainted 5.17.0 #2
4,840,85400138,-;Hardware name: Dell Inc. OptiPlex 9020/03CPWF, BIOS A14 09/14/2015
4,841,85400142,-;RIP: 0010:clear_inode+0xdf/0x120
4,842,85400150,-;Code: fc ff df 48 89 ea 48 c1 ea 03 80 3c 02 00 75 42 48 8b 83 18 01 00 00 48 39 c5 75 16 48 c7 83 98 00 00 00 60 00 00 00 5b 5d c3 <0f> 0b 0f 0b 0f 0b 0f 0b 0f 0b e8 22 61 f8 ff e9 43 ff ff ff e8 18
4,843,85400158,-;RSP: 0018:ffff8881147d7c48 EFLAGS: 00010002
4,844,85400164,-;RAX: dffffc0000000000 RBX: ffff88814bbd1360 RCX: ffffffff9f4d4923
4,845,85400168,-;RDX: 1ffff1102977a2a9 RSI: 0000000000000004 RDI: ffff88814bbd1548
4,846,85400172,-;RBP: ffff88814bbd14d0 R08: 0000000000000001 R09: ffffed10228faf7f
4,847,85400176,-;R10: 0000000000000003 R11: ffffed10228faf7e R12: ffff88814bbd13f8
4,848,85400179,-;R13: ffff88814bbd1388 R14: ffffffff9fbc2fc0 R15: ffff888107473508
4,849,85400184,-;FS:  00007f32d4133540(0000) GS:ffff8881d56c0000(0000) knlGS:0000000000000000
4,850,85400189,-;CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
4,851,85400192,-;CR2: 00007ffd60dc7f5c CR3: 000000012b5fc002 CR4: 00000000001706e0
4,852,85400196,-;Call Trace:
4,853,85400199,-; <TASK>
4,854,85400202,-; evict+0x282/0x4e0
4,855,85400206,-; __dentry_kill+0x2b2/0x4d0
4,856,85400211,-; dput+0x2dd/0x720
4,857,85400215,-; do_renameat2+0x596/0x970
4,858,85400220,-; ? __x64_sys_link+0x90/0x90
4,859,85400224,-; ? _raw_spin_lock_irqsave+0x88/0xe0
4,860,85400230,-; ? kmem_cache_alloc+0xc4/0x220
4,861,85400234,-; ? _raw_spin_unlock_irqrestore+0x3d/0x70
4,862,85400239,-; ? kasan_unpoison+0x23/0x50
4,863,85400244,-; ? getname_flags+0xf8/0x4e0
4,864,85400250,-; __x64_sys_rename+0x78/0x90
4,865,85400254,-; do_syscall_64+0x3b/0x90
4,866,85400259,-; entry_SYSCALL_64_after_hwframe+0x44/0xae
4,867,85400264,-;RIP: 0033:0x7f32d405876d
4,868,85400267,-;Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f3 36 0d 00 f7 d8 64 89 01 48
4,869,85400274,-;RSP: 002b:00007ffd60dc7f48 EFLAGS: 00000286 ORIG_RAX: 0000000000000052
4,870,85400280,-;RAX: ffffffffffffffda RBX: 0000557225962190 RCX: 00007f32d405876d
4,871,85400284,-;RDX: ffffffffffffff80 RSI: 00007ffd60dc807a RDI: 00007ffd60dc802c
4,872,85400288,-;RBP: 00007ffd611c8340 R08: 00007ffd611c8438 R09: 00007ffd611c8438
4,873,85400292,-;R10: 00007ffd611c8438 R11: 0000000000000286 R12: 00005572259610a0
4,874,85400295,-;R13: 00007ffd611c8430 R14: 0000000000000000 R15: 0000000000000000
4,875,85400300,-; </TASK>
4,876,85400302,-;Modules linked in: x86_pkg_temp_thermal efivarfs
4,877,85400310,-;---[ end trace 0000000000000000 ]---
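The description's kernel messages are in the raw /dev/kmsg record format ("prio,seq,usec,flags;message"), while comment 1 below pastes the bracketed dmesg form, so pulling the triage fields out of a report like this one by hand is error-prone. The following is an added example, not code from the bug report or the kernel tree: it parses both formats, decodes the syslog level from the raw prefix, and for each "kernel BUG at" report collects the location, the faulting symbol (RIP on x86-64, NIP on powerpc), the task/PID and taint state, and the reliable call-trace frames (dropping x86's "? sym" stale slots and powerpc's "(unreliable)" entries). The regexes, the `Record`/`Oops` types and the trimmed sample log are the example's own constructions.

```python
"""Triage 'kernel BUG at' reports in kmsg-style logs (added example, not from the bug report)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Raw /dev/kmsg record: "<prio>,<seq>,<usec since boot>,<flags>;<message>"; prio = facility<<3 | level
RAW_KMSG_RE = re.compile(r"^(\d+),(\d+),(\d+),([^;]*);(.*)$")
DMESG_RE = re.compile(r"^\[\s*(\d+\.\d+)\]\s?(.*)$")   # dmesg/console style: "[ 2579.723727] msg"
LEVEL_NAMES = {0: "emerg", 1: "alert", 2: "crit", 3: "err", 4: "warning", 5: "notice", 6: "info", 7: "debug"}
BUG_RE = re.compile(r"kernel BUG at (\S+)!")
CPU_RE = re.compile(r"CPU: \d+ PID: (\d+) Comm: (\S+) .*?(Not tainted|Tainted:)")
RIP_RE = re.compile(r"^RIP: \d{4}:(\S+)")            # x86-64 faulting address
NIP_RE = re.compile(r"^NIP \[[0-9a-f]+\] (\S+)")     # powerpc faulting address
FRAME_X86_RE = re.compile(r"^(\?\s+)?([A-Za-z_][\w.]*\+0x[0-9a-f]+/0x[0-9a-f]+)")
FRAME_PPC_RE = re.compile(r"^\[[0-9a-f]+\] \[[0-9a-f]+\] (\S+\+0x[0-9a-f]+/0x[0-9a-f]+)")

@dataclass
class Record:
    ts_sec: float
    level: Optional[int]  # syslog level; None for dmesg-style lines, which carry no priority
    msg: str

@dataclass
class Oops:
    location: str                          # e.g. "fs/inode.c:611"
    task: Optional[str] = None
    pid: Optional[int] = None
    tainted: Optional[bool] = None
    faulting_symbol: Optional[str] = None  # e.g. "clear_inode+0xdf/0x120"
    frames: List[str] = field(default_factory=list)

def parse_line(line: str) -> Optional[Record]:
    """Decode one line in either format; None for anything else."""
    line = line.rstrip("\n")
    if m := RAW_KMSG_RE.match(line):
        return Record(int(m.group(3)) / 1e6, int(m.group(1)) & 7, m.group(5))
    if m := DMESG_RE.match(line):
        return Record(float(m.group(1)), None, m.group(2).rstrip())
    return None

def extract_oopses(lines) -> List[Oops]:
    """Collect one Oops per 'kernel BUG at' report, keeping only reliable frames."""
    oopses, cur, in_trace = [], None, False
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec.msg.strip()
        if m := BUG_RE.search(msg):
            cur = Oops(location=m.group(1))
            oopses.append(cur)
            in_trace = False
        elif cur is None or msg.startswith("---[ end trace"):
            cur = None                      # outside a report, or the report just finished
        elif m := CPU_RE.search(msg):
            cur.pid, cur.task = int(m.group(1)), m.group(2)
            cur.tainted = m.group(3) != "Not tainted"
        elif (m := RIP_RE.match(msg) or NIP_RE.match(msg)) and cur.faulting_symbol is None:
            cur.faulting_symbol = m.group(1)   # first RIP/NIP is the kernel fault site
        elif msg.startswith("Call Trace:"):
            in_trace = True
        elif in_trace and msg.startswith(("</TASK>", "--- interrupt")):
            in_trace = False                # kernel frames end; userspace state follows
        elif in_trace and "(unreliable)" not in msg:
            if m := FRAME_PPC_RE.match(msg):
                cur.frames.append(m.group(1))
            elif (m := FRAME_X86_RE.match(msg)) and not m.group(1):
                cur.frames.append(m.group(2))   # "? sym" entries are stale stack slots
    return oopses

def summarize(o: Oops) -> str:
    """One-line summary for a ticket or alert."""
    taint = "tainted" if o.tainted else "not tainted"
    return (f"BUG at {o.location} in {o.faulting_symbol} (task {o.task}[{o.pid}], {taint}); "
            "frames: " + " <- ".join(o.frames[:4]))

# Constructed sample: trimmed x86-64 kmsg lines from the description plus powerpc dmesg lines from comment 1.
SAMPLE = """\
2,837,85400113,-;kernel BUG at fs/inode.c:611!
4,839,85400132,-;CPU: 3 PID: 1067 Comm: case Not tainted 5.17.0 #2
4,841,85400142,-;RIP: 0010:clear_inode+0xdf/0x120
4,852,85400196,-;Call Trace:
4,853,85400199,-; <TASK>
4,854,85400202,-; evict+0x282/0x4e0
4,855,85400206,-; __dentry_kill+0x2b2/0x4d0
4,858,85400220,-; ? __x64_sys_link+0x90/0x90
4,864,85400250,-; __x64_sys_rename+0x78/0x90
4,875,85400300,-; </TASK>
4,877,85400310,-;---[ end trace 0000000000000000 ]---
[ 2579.723727] kernel BUG at fs/inode.c:611!
[ 2579.723785] CPU: 2 PID: 393323 Comm: umount Kdump: loaded Not tainted 5.18.0-rc7+ #1
[ 2579.723878] NIP [c000000000628d48] clear_inode+0x38/0xb0
[ 2579.723892] Call Trace:
[ 2579.723894] [c00000006e8f39e0] [c000000000628d40] clear_inode+0x30/0xb0 (unreliable)
[ 2579.723903] [c00000006e8f3a20] [c00800000352b678] cifs_evict_inode+0x50/0xb0 [cifs]
[ 2579.724061] --- interrupt: 3000 at 0x7fff896adaf4
[ 2579.724186] ---[ end trace 0000000000000000 ]---
"""
```

Running `for o in extract_oopses(SAMPLE.splitlines()): print(summarize(o))` yields one line per report; on a real box the same function can be fed `dmesg` output or the lines read from /dev/kmsg. Dropping the stale and unreliable frames matters because those are exactly the entries that make two unrelated crashes look alike when deduplicating reports by stack.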
Comment 1 Zorro Lang 2022-05-22 09:15:14 UTC
I hit this panic too, on linux 5.18.0-rc7+, by running fstests on CIFS:

[ 2060.317812] run fstests generic/072 at 2022-05-21 03:46:16 
[ 2099.043374] restraintd[2206]: *** Current Time: Sat May 21 03:46:56 2022  Localwatchdog at: Mon May 23 03:13:55 2022 
[ 2159.048237] restraintd[2206]: *** Current Time: Sat May 21 03:47:56 2022  Localwatchdog at: Mon May 23 03:13:55 2022 
[ 2219.064124] restraintd[2206]: *** Current Time: Sat May 21 03:48:56 2022  Localwatchdog at: Mon May 23 03:13:55 2022 
[ 2279.051516] restraintd[2206]: *** Current Time: Sat May 21 03:49:56 2022  Localwatchdog at: Mon May 23 03:13:55 2022 
[-- MARK -- Sat May 21 07:50:00 2022] 
[ 2339.067535] restraintd[2206]: *** Current Time: Sat May 21 03:50:56 2022  Localwatchdog at: Mon May 23 03:13:55 2022 
[ 2399.060978] restraintd[2206]: *** Current Time: Sat May 21 03:51:56 2022  Localwatchdog at: Mon May 23 03:13:55 2022 
[ 2459.048587] restraintd[2206]: *** Current Time: Sat May 21 03:52:56 2022  Localwatchdog at: Mon May 23 03:13:55 2022 
[ 2479.117705] systemd-journald[496]: Data hash table of /run/log/journal/c03da93f15244bf788a7fc5b4a07f385/system.journal has a fill level at 75.0 (51968 of 69290 items, 33554432 file size, 645 bytes per hash table item), suggesting rotation. 
[ 2479.117757] systemd-journald[496]: /run/log/journal/c03da93f15244bf788a7fc5b4a07f385/system.journal: Journal header limits reached or header out-of-date, rotating. 
[ 2519.059168] restraintd[2206]: *** Current Time: Sat May 21 03:53:56 2022  Localwatchdog at: Mon May 23 03:13:55 2022 
[ 2578.778169] CIFS: Attempting to mount \\ibm-p9z-15-lp11.lab.eng.bos.redhat.com\TEST_dev 
[ 2579.222226] CIFS: Attempting to mount \\ibm-p9z-15-lp11.lab.eng.bos.redhat.com\SCRATCH_dev 
[ 2579.262520] CIFS: Attempting to mount \\ibm-p9z-15-lp11.lab.eng.bos.redhat.com\SCRATCH_dev 
[ 2579.327088] run fstests generic/073 at 2022-05-21 03:54:55 
[ 2579.029460] restraintd[2206]: *** Current Time: Sat May 21 03:54:56 2022  Localwatchdog at: Mon May 23 03:13:55 2022 
[ 2579.723371] ------------[ cut here ]------------ 
[ 2579.723727] kernel BUG at fs/inode.c:611! 
[ 2579.723734] Oops: Exception in kernel mode, sig: 5 [#1] 
[ 2579.723739] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries 
[ 2579.723744] Modules linked in: loop dm_mod cifs rdma_cm iw_cm ib_cm ib_core dns_resolver fscache netfs bonding tls rfkill sunrpc pseries_rng drm fuse drm_panel_orientation_quirks xfs libcrc32c sd_mod t10_pi crc64_rocksoft_generic crc64_rocksoft crc64 sg ibmvscsi ibmveth scsi_transport_srp vmx_crypto 
[ 2579.723785] CPU: 2 PID: 393323 Comm: umount Kdump: loaded Not tainted 5.18.0-rc7+ #1 
[ 2579.723791] NIP:  c000000000628d48 LR: c000000000628d40 CTR: c000000000628d10 
[ 2579.723796] REGS: c00000006e8f3740 TRAP: 0700   Not tainted  (5.18.0-rc7+) 
[ 2579.723802] MSR:  800000000282b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>  CR: 44002204  XER: 00000000 
[ 2579.723817] CFAR: c0000000010c1788 IRQMASK: 1  
[ 2579.723817] GPR00: c000000000628d40 c00000006e8f39e0 c000000002d06900 0000000000000001  
[ 2579.723817] GPR04: c00000005a4af760 0000000000000002 c000000003012b88 00000003fac90000  
[ 2579.723817] GPR08: c000000002e20748 0000000000000001 00000003fac90000 0000000000002000  
[ 2579.723817] GPR12: 00000003fac90000 c00000000ffce400 ffffffffffffffff 000000000ee6b280  
[ 2579.723817] GPR16: 00007fffde2f9f70 0000000108456508 00007fffde2f9f70 0000000000000000  
[ 2579.723817] GPR20: 0000000000000001 0000000000000000 c00000000142f3f8 c0000000c0b9da80  
[ 2579.723817] GPR24: c0000000c0b9d000 c000000063a1b000 c00000006e8f3af8 c0000000c0b9dac8  
[ 2579.723817] GPR28: c00000000142f3f8 c0080000035f0088 c00000005a4af6e0 c00000005a4af500  
[ 2579.723878] NIP [c000000000628d48] clear_inode+0x38/0xb0 
[ 2579.723886] LR [c000000000628d40] clear_inode+0x30/0xb0 
[ 2579.723892] Call Trace: 
[ 2579.723894] [c00000006e8f39e0] [c000000000628d40] clear_inode+0x30/0xb0 (unreliable) 
[ 2579.723903] [c00000006e8f3a20] [c00800000352b678] cifs_evict_inode+0x50/0xb0 [cifs] 
[ 2579.723944] [c00000006e8f3a50] [c00000000062b438] evict+0xf8/0x230 
[ 2579.723950] [c00000006e8f3a90] [c00000000062b600] dispose_list+0x90/0xe0 
[ 2579.723956] [c00000006e8f3ad0] [c00000000062b7e4] evict_inodes+0x194/0x220 
[ 2579.723962] [c00000006e8f3b60] [c0000000005f8850] generic_shutdown_super+0x70/0x1a0 
[ 2579.723970] [c00000006e8f3be0] [c0000000005f8c28] kill_anon_super+0x28/0x50 
[ 2579.723977] [c00000006e8f3c10] [c00800000352bc48] cifs_kill_sb+0xf0/0x120 [cifs] 
[ 2579.724010] [c00000006e8f3c60] [c0000000005fa0c4] deactivate_locked_super+0x74/0x130 
[ 2579.724018] [c00000006e8f3ca0] [c0000000006382fc] cleanup_mnt+0x14c/0x220 
[ 2579.724024] [c00000006e8f3cf0] [c00000000018ec04] task_work_run+0xb4/0x120 
[ 2579.724032] [c00000006e8f3d40] [c000000000022684] do_notify_resume+0x134/0x140 
[ 2579.724040] [c00000006e8f3d70] [c0000000000309a0] interrupt_exit_user_prepare_main+0x230/0x290 
[ 2579.724047] [c00000006e8f3de0] [c000000000030e84] syscall_exit_prepare+0xe4/0x1e0 
[ 2579.724053] [c00000006e8f3e10] [c00000000000be74] system_call_vectored_common+0xf4/0x278 
[ 2579.724061] --- interrupt: 3000 at 0x7fff896adaf4 
[ 2579.724066] NIP:  00007fff896adaf4 LR: 0000000000000000 CTR: 0000000000000000 
[ 2579.724071] REGS: c00000006e8f3e80 TRAP: 3000   Not tainted  (5.18.0-rc7+) 
[ 2579.724075] MSR:  800000000280f033 <SF,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE>  CR: 48002402  XER: 00000000 
[ 2579.724091] IRQMASK: 0  
[ 2579.724091] GPR00: 0000000000000034 00007fffde2f9c90 00007fff897a7200 0000000000000000  
[ 2579.724091] GPR04: 0000000000000000 00007fffde2f9ca8 0000000000000000 0000000000000001  
[ 2579.724091] GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000  
[ 2579.724091] GPR12: 0000000000000000 00007fff898dc0c0 ffffffffffffffff 000000000ee6b280  
[ 2579.724091] GPR16: 00007fffde2f9f70 0000000108456508 00007fffde2f9f70 0000000000000000  
[ 2579.724091] GPR20: 0000000000000001 0000000000000000 0000000000000000 0000000000000000  
[ 2579.724091] GPR24: 00007fffde2fb610 0000000108456468 0000000108456ae8 000001001c780630  
[ 2579.724091] GPR28: 000001001c780510 0000000000000000 000001001c785390 000001001c780400  
[ 2579.724148] NIP [00007fff896adaf4] 0x7fff896adaf4 
[ 2579.724153] LR [0000000000000000] 0x0 
[ 2579.724156] --- interrupt: 3000 
[ 2579.724159] Instruction dump: 
[ 2579.724163] 7c0802a6 60000000 7c0802a6 fbe1fff8 7c7f1b78 38630248 f8010010 f821ffc1  
[ 2579.724174] f8610028 48a9899d 60000000 e93f0408 <0b090000> e8610028 48a98ee9 60000000  
[ 2579.724186] ---[ end trace 0000000000000000 ]--- 
[ 2579.725293]  
[ 2579.725296] note: umount[393323] exited with preempt_count 1 
[ 2579.747025] CIFS: Attempting to mount \\ibm-p9z-15-lp11.lab.eng.bos.redhat.com\TEST_dev 
[-- MARK -- Sat May 21 07:55:00 2022]
Comment 3 Zorro Lang 2022-05-22 12:47:21 UTC
(In reply to Chao Yu from comment #2)
> FYI, the root cause of f2fs bug:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs.git/commit/?h=dev&id=677a82b44ebf263d4f9a0cfbd576a6ade797a07b

Hmm... is this an f2fs-specific bug? I thought this was a VFS issue... OK, if this bug has been fixed, I'll report a new one to track the CIFS issue which I hit.

Thanks,
Zorro
Comment 4 Chao Yu 2022-05-24 13:28:09 UTC
(In reply to Zorro Lang from comment #3)
> Hmm... is this an f2fs-specific bug? I thought this was a VFS issue... OK,

Yes, it is.

> if this bug has been fixed, I'll report a new one to track the CIFS issue which
> I hit.

Looks fine.
Comment 5 Monthero Ronald 2023-03-08 07:45:52 UTC
And is the panic readily reproducible without the 'test_dummy_encryption' mount option too?
