From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot+7eedce5eb281acd832f0@syzkaller.appspotmail.com,
Edward Adam Davis <eadavis@qq.com>,
Ryusuke Konishi <konishi.ryusuke@gmail.com>,
Viacheslav Dubeyko <slava@dubeyko.com>
Subject: [PATCH 5.10 04/24] nilfs2: Fix potential block overflow that cause system hang
Date: Tue, 17 Feb 2026 21:31:17 +0100 [thread overview]
Message-ID: <20260217200000.879901190@linuxfoundation.org> (raw)
In-Reply-To: <20260217200000.708219618@linuxfoundation.org>
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
commit ed527ef0c264e4bed6c7b2a158ddf516b17f5f66 upstream.
When a user executes the FITRIM command, an underflow can occur when
calculating nblocks if end_block is too small. Since nblocks is of
type sector_t, which is u64, a negative nblocks value will become a
very large positive integer. This ultimately leads to the block layer
function __blkdev_issue_discard() taking an excessively long time to
process the bio chain, and the ns_segctor_sem lock remains held for a
long period. This prevents other tasks from acquiring the ns_segctor_sem
lock, resulting in the hang reported by syzbot in [1].
If the ending block is too small, typically if it is smaller than 4KiB
range, depending on the usage of the segment 0, it may be possible to
attempt a discard request beyond the device size causing the hang.
Exiting successfully and assign the discarded size (0 in this case)
to range->len.
Although the start and len values in the user input range are too small,
a conservative strategy is adopted here to safely ignore them, which is
equivalent to a no-op; it will not perform any trimming and will not
throw an error.
[1]
task:segctord state:D stack:28968 pid:6093 tgid:6093 ppid:2 task_flags:0x200040 flags:0x00080000
Call Trace:
rwbase_write_lock+0x3dd/0x750 kernel/locking/rwbase_rt.c:272
nilfs_transaction_lock+0x253/0x4c0 fs/nilfs2/segment.c:357
nilfs_segctor_thread_construct fs/nilfs2/segment.c:2569 [inline]
nilfs_segctor_thread+0x6ec/0xe00 fs/nilfs2/segment.c:2684
[ryusuke: corrected part of the commit message about the consequences]
Fixes: 82e11e857be3 ("nilfs2: add nilfs_sufile_trim_fs to trim clean segs")
Reported-by: syzbot+7eedce5eb281acd832f0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7eedce5eb281acd832f0
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nilfs2/sufile.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/fs/nilfs2/sufile.c
+++ b/fs/nilfs2/sufile.c
@@ -1091,6 +1091,9 @@ int nilfs_sufile_trim_fs(struct inode *s
else
end_block = start_block + len - 1;
+ if (end_block < nilfs->ns_first_data_block)
+ goto out;
+
segnum = nilfs_get_segnum_of_block(nilfs, start_block);
segnum_end = nilfs_get_segnum_of_block(nilfs, end_block);
@@ -1188,6 +1191,7 @@ int nilfs_sufile_trim_fs(struct inode *s
out_sem:
up_read(&NILFS_MDT(sufile)->mi_sem);
+out:
range->len = ndiscarded << nilfs->ns_blocksize_bits;
return ret;
}
next prev parent reply other threads:[~2026-02-17 20:42 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-17 20:31 [PATCH 5.10 00/24] 5.10.251-rc1 review Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 01/24] crypto: octeontx - Fix length check to avoid truncation in ucode_load_store Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 02/24] crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 03/24] crypto: virtio - Add spinlock protection with virtqueue notification Greg Kroah-Hartman
2026-02-17 20:31 ` Greg Kroah-Hartman [this message]
2026-02-17 20:31 ` [PATCH 5.10 05/24] scsi: qla2xxx: Delay module unload while fabric scan in progress Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 06/24] scsi: qla2xxx: Query FW again before proceeding with login Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 07/24] gpio: omap: do not register driver in probe() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 08/24] ALSA: hda/realtek: Fix headset mic for TongFang X6AR55xU Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 09/24] gpio: sprd: Change sprd_gpio lock to raw_spin_lock Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 10/24] romfs: check sb_set_blocksize() return value Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 11/24] =?UTF-8?q?drm/tegra:=20hdmi:=20sor:=20Fix=20error:=20variable=20?= =?UTF-8?q?=E2=80=98j=E2=80=99=20set=20but=20not=20used?= Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 12/24] platform/x86: classmate-laptop: Add missing NULL pointer checks Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 13/24] gpiolib: acpi: Fix gpio count with string references Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 14/24] fs: dlm: fix invalid derefence of sb_lvbptr Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 15/24] selftests: mptcp: pm: ensure unknown flags are ignored Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 16/24] crypto: virtio - Remove duplicated virtqueue_kick in virtio_crypto_skcipher_crypt_req Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 17/24] scsi: qla2xxx: Validate sp before freeing associated memory Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 18/24] scsi: qla2xxx: Free sp in error path to fix system crash Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 19/24] scsi: qla2xxx: Fix bsg_done() causing double free Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 20/24] fbdev: rivafb: fix divide error in nv3_arb() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 21/24] fbdev: smscufx: properly copy ioctl memory to kernelspace Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 22/24] f2fs: fix out-of-bounds access in sysfs attribute read/write Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 23/24] f2fs: fix to avoid UAF in f2fs_write_end_io() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.10 24/24] USB: serial: option: add Telit FN920C04 RNDIS compositions Greg Kroah-Hartman
2026-02-17 22:11 ` [PATCH 5.10 00/24] 5.10.251-rc1 review Florian Fainelli
2026-02-18 3:42 ` Woody Suwalski
2026-02-18 8:22 ` Jon Hunter
2026-02-18 9:08 ` Brett A C Sheffield
2026-02-18 9:12 ` Pavel Machek
2026-02-18 12:01 ` Mark Brown
2026-02-19 0:44 ` Barry K. Nathan
2026-02-19 2:11 ` Dominique Martinet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260217200000.879901190@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=eadavis@qq.com \
--cc=konishi.ryusuke@gmail.com \
--cc=patches@lists.linux.dev \
--cc=slava@dubeyko.com \
--cc=stable@vger.kernel.org \
--cc=syzbot+7eedce5eb281acd832f0@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.