For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: Re: [syzbot] [f2fs?] kernel BUG in clear_inode
Author: kth5965@gmail.com
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Corrected patch: this resend excludes the local-only inode.c hunk and tests only the upstream-applicable inline.c fix.
diff --git a/fs/f2fs/inline.c b/fs/f2fs/inline.c
index 0a1052d5ee62..92fcadf6d2cc 100644
--- a/fs/f2fs/inline.c
+++ b/fs/f2fs/inline.c
@@ -53,8 +53,8 @@ bool f2fs_sanity_check_inline_data(struct inode *inode, struct folio *ifolio)
if (!f2fs_has_inline_data(inode))
return false;
- if (inode_has_blocks(inode, ifolio))
- return false;
+ if (!f2fs_exist_data(inode) && inode_has_blocks(inode, ifolio))
+ return true;
if (!support_inline_data(inode))
return true;
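Review bot: Inodes that have inline data, FI_DATA_EXIST and allocated blocks no longer take the early `return false`; they now fall through to `support_inline_data()` and the checks below it, which the old code skipped for any inode with blocks. Because this function vets inode state that comes from the on-disk image, that widening should be stated in the commit message and tested against existing images. If the old exit is meant to stay, it can be kept explicitly with `if (inode_has_blocks(inode, ifolio)) return !f2fs_exist_data(inode);`. It is also worth confirming that FI_DATA_EXIST is already populated in memory when this check runs, otherwise `f2fs_exist_data()` answers from a stale flag. The function body continues outside the hunk.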
@@ -142,6 +142,17 @@ int f2fs_read_inline_data(struct inode *inode, struct folio *folio)
return 0;
}
+static void f2fs_clear_inline_inode(struct dnode_of_data *dn)
+{
+ f2fs_folio_wait_writeback(dn->inode_folio, NODE, true, true);
+ clear_inode_flag(dn->inode, FI_DATA_EXIST);
+ clear_inode_flag(dn->inode, FI_INLINE_DATA);
+ set_raw_inline(dn->inode, F2FS_INODE(dn->inode_folio));
+ folio_mark_dirty(dn->inode_folio);
+ folio_clear_f2fs_inline(dn->inode_folio);
+ stat_dec_inline_inode(dn->inode);
+}
+
int f2fs_convert_inline_folio(struct dnode_of_data *dn, struct folio *folio)
{
struct f2fs_io_info fio = {
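Review bot: `stat_dec_inline_inode(dn->inode)` is the last call in the new helper, after `clear_inode_flag(dn->inode, FI_INLINE_DATA)`, whereas the lines this patch removes from f2fs_convert_inline_folio() ran it before the flag was cleared. If the stat macro is gated on `f2fs_has_inline_data()`, as that old ordering suggests, the inline-inode counter is never decremented on either call path; move `stat_dec_inline_inode(dn->inode);` ahead of the two `clear_inode_flag()` calls. The helper also deserves a short comment saying that `dn->inode_folio` must be non-NULL and held by the caller, and that `set_raw_inline()` has to follow the flag clears so the raw inode is written with the cleared bits. The hunk ends inside f2fs_convert_inline_folio(), whose body continues outside it.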
@@ -157,8 +168,10 @@ int f2fs_convert_inline_folio(struct dnode_of_data *dn, struct folio *folio)
struct node_info ni;
int dirty, err;
- if (!f2fs_exist_data(dn->inode))
- goto clear_out;
+ if (!f2fs_exist_data(dn->inode)) {
+ f2fs_clear_inline_inode(dn);
+ goto out;
+ }
err = f2fs_reserve_block(dn, 0);
if (err)
@@ -206,10 +219,8 @@ int f2fs_convert_inline_folio(struct dnode_of_data *dn, struct folio *folio)
/* clear inline data and flag after data writeback */
f2fs_truncate_inline_inode(dn->inode, dn->inode_folio, 0);
- folio_clear_f2fs_inline(dn->inode_folio);
-clear_out:
- stat_dec_inline_inode(dn->inode);
- clear_inode_flag(dn->inode, FI_INLINE_DATA);
+ f2fs_clear_inline_inode(dn);
+out:
f2fs_put_dnode(dn);
return 0;
}
@@ -232,9 +243,7 @@ int f2fs_convert_inline_inode(struct inode *inode)
if (err)
return err;
- folio = f2fs_grab_cache_folio(inode->i_mapping, 0, false);
- if (IS_ERR(folio))
- return PTR_ERR(folio);
+ set_new_dnode(&dn, inode, NULL, NULL, 0);
f2fs_lock_op(sbi, &lc);
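Review bot: Removing the unconditional `f2fs_grab_cache_folio()` here leaves `folio` unassigned on every path that does not enter the new `f2fs_has_inline_data() && f2fs_exist_data()` branch in the next hunk, including any `goto out` taken before that branch. Both `f2fs_convert_inline_folio(&dn, folio)` and the new `if (folio)` at `out:` then read it. The declaration is outside the hunk; unless it already initialises the pointer, it needs to become `struct folio *ifolio, *folio = NULL;`. An indeterminate pointer passed to `f2fs_folio_put()` in a path reachable from a crafted image would be a memory-safety bug rather than a cosmetic one.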
@@ -246,14 +255,23 @@ int f2fs_convert_inline_inode(struct inode *inode)
set_new_dnode(&dn, inode, ifolio, ifolio, 0);
+ if (f2fs_has_inline_data(inode) && f2fs_exist_data(inode)) {
+ folio = f2fs_grab_cache_folio(inode->i_mapping, 0, false);
+ if (IS_ERR(folio)) {
+ err = PTR_ERR(folio);
+ folio = NULL;
+ goto out;
+ }
+ }
+
if (f2fs_has_inline_data(inode))
err = f2fs_convert_inline_folio(&dn, folio);
- f2fs_put_dnode(&dn);
out:
+ f2fs_put_dnode(&dn);
f2fs_unlock_op(sbi, &lc);
-
- f2fs_folio_put(folio, true);
+ if (folio)
+ f2fs_folio_put(folio, true);
if (!err)
f2fs_balance_fs(sbi, dn.node_changed);
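Review bot: `f2fs_grab_cache_folio(inode->i_mapping, 0, false)` now runs after `f2fs_lock_op()` and after the inode folio has been obtained, while the removed code took the data folio first. If other f2fs paths lock a data folio before taking the operation lock or the inode folio (worth checking the write-begin path), this reversed order can deadlock against them, and it also moves a page-cache allocation under the operation lock. Either keep the grab ahead of `f2fs_lock_op()` and skip the conversion when no data exists, or add a comment at the new call explaining why the new ordering is safe. The function continues past the end of the hunk.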