Date: Thu, 04 Dec 2025 20:54:27 -0800
X-Mailing-List: linux-kernel@vger.kernel.org
In-Reply-To: <691f44bb.a70a0220.2ea503.0032.GAE@google.com>
Message-ID: <69326583.a70a0220.d98e3.01e4.GAE@google.com>
Subject: Forwarded: [PATCH v3] ext4: unmap invalidated folios from page tables in mpage_release_unused_pages()
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH v3] ext4: unmap invalidated folios from page tables in mpage_release_unused_pages()
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

When delayed block allocation fails (e.g., due to filesystem corruption
detected in ext4_map_blocks()), the writeback error handler calls
mpage_release_unused_pages(invalidate=true) which invalidates affected
folios by clearing their uptodate flag via folio_clear_uptodate().

However, these folios may still be mapped in process page tables. If a
subsequent operation (such as ftruncate calling ext4_block_truncate_page)
triggers a write fault, the existing page table entry allows access to
the now-invalidated folio. This leads to ext4_page_mkwrite() being called
with a non-uptodate folio, which then gets marked dirty, triggering:

WARNING: CPU: 0 PID: 5 at mm/page-writeback.c:2960 __folio_mark_dirty+0x578/0x880
Call Trace:
 fault_dirty_shared_page+0x16e/0x2d0
 do_wp_page+0x38b/0xd20
 handle_pte_fault+0x1da/0x450

The sequence leading to this warning is:
1. Process writes to mmap'd file, folio becomes uptodate and dirty
2. Writeback begins, but delayed allocation fails due to corruption
3. mpage_release_unused_pages(invalidate=true) is called:
   - block_invalidate_folio() clears dirty flag
   - folio_clear_uptodate() clears uptodate flag
   - But folio remains mapped in page tables
4. Later, ftruncate triggers ext4_block_truncate_page()
5. This causes a write fault on the still-mapped folio
6. ext4_page_mkwrite() is called with folio that is !uptodate
7. block_page_mkwrite() marks buffers dirty
8. fault_dirty_shared_page() tries to mark folio dirty
9. block_dirty_folio() calls __folio_mark_dirty(warn=1)
10. WARNING triggers: WARN_ON_ONCE(warn && !uptodate && !dirty)

Fix this by unmapping folios from page tables before invalidating them
using unmap_mapping_pages(). This ensures that subsequent accesses trigger
new page faults rather than reusing invalidated folios through stale page
table entries.

Note that this results in data loss for any writes to the mmap'd region
that couldn't be written back, but this is expected behavior when
writeback fails due to filesystem corruption. The existing error message
already states "This should not happen!! Data will be lost".

Reported-by: syzbot+b0a0670332b6b3230a0a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b0a0670332b6b3230a0a
Signed-off-by: Deepanshu Kartikey
---
 fs/ext4/inode.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index e99306a8f47c..16f73c0c33c4 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -1749,8 +1749,17 @@ static void mpage_release_unused_pages(struct mpage_= da_data *mpd, BUG_ON(!folio_test_locked(folio)); BUG_ON(folio_test_writeback(folio)); if (invalidate) { - if (folio_mapped(folio)) + if (folio_mapped(folio)) { folio_clear_dirty_for_io(folio); + /* + * Unmap folio from page tables to prevent subsequent + * accesses through stale PTEs. This ensures future + * accesses trigger new page faults rather than reusing + * the invalidated folio. + */ + unmap_mapping_pages(folio->mapping, folio->index, + folio_nr_pages(folio), false); + } block_invalidate_folio(folio, 0, folio_size(folio)); folio_clear_uptodate(folio); --=20 2.43.0
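Review bot: The correctness of the new unmap_mapping_pages() call depends on the folio staying locked (the BUG_ON(!folio_test_locked(folio)) at the top of the hunk) until block_invalidate_folio() and folio_clear_uptodate() have run, since that is what keeps a racing fault from re-mapping the folio in the window between unmap and invalidation; the added comment describes the intent ("prevent subsequent accesses through stale PTEs") but not that ordering requirement, so please state it, e.g. "Folio is locked, so a racing fault cannot re-map it before it is invalidated below." It would also help to justify the even_cows=false argument in the comment or commit log: only shared file mappings of this page cache folio need to be torn down, and private COW copies are separate anonymous pages that this invalidation does not affect. Finally, the folio_mapped() test now guards both folio_clear_dirty_for_io() and the unmap, which is fine, but a one-line note that the unmap is skipped when nothing maps the folio would make the new brace block read as intentional rather than incidental.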