From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, stable@kernel.org,
Sheng Yong <shengyong1@xiaomi.com>,
Jinbao Liu <liujinbao1@xiaomi.com>,
Yongpeng Yang <yangyongpeng@xiaomi.com>,
Chao Yu <chao@kernel.org>, Jaegeuk Kim <jaegeuk@kernel.org>
Subject: [PATCH 6.18 34/43] f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes
Date: Tue, 17 Feb 2026 21:32:14 +0100 [thread overview]
Message-ID: <20260217200007.779045524@linuxfoundation.org> (raw)
In-Reply-To: <20260217200006.470920131@linuxfoundation.org>
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yongpeng Yang <yangyongpeng@xiaomi.com>
commit 7633a7387eb4d0259d6bea945e1d3469cd135bbc upstream.
During SPO tests, when mounting F2FS, an -EINVAL error was returned from
f2fs_recover_inode_page. The issue occurred under the following scenario
Thread A Thread B
f2fs_ioc_commit_atomic_write
- f2fs_do_sync_file // atomic = true
- f2fs_fsync_node_pages
: last_folio = inode folio
: schedule before folio_lock(last_folio) f2fs_write_checkpoint
- block_operations// writeback last_folio
- schedule before f2fs_flush_nat_entries
: set_fsync_mark(last_folio, 1)
: set_dentry_mark(last_folio, 1)
: folio_mark_dirty(last_folio)
- __write_node_folio(last_folio)
: f2fs_down_read(&sbi->node_write)//block
- f2fs_flush_nat_entries
: {struct nat_entry}->flag |= BIT(IS_CHECKPOINTED)
- unblock_operations
: f2fs_up_write(&sbi->node_write)
f2fs_write_checkpoint//return
: f2fs_do_write_node_page()
f2fs_ioc_commit_atomic_write//return
SPO
Thread A calls f2fs_need_dentry_mark(sbi, ino), and the last_folio has
already been written once. However, the {struct nat_entry}->flag did not
have the IS_CHECKPOINTED set, causing set_dentry_mark(last_folio, 1) and
write last_folio again after Thread B finishes f2fs_write_checkpoint.
After SPO and reboot, it was detected that {struct node_info}->blk_addr
was not NULL_ADDR because Thread B successfully write the checkpoint.
This issue only occurs in atomic write scenarios. For regular file
fsync operations, the folio must be dirty. If
block_operations->f2fs_sync_node_pages successfully submit the folio
write, this path will not be executed. Otherwise, the
f2fs_write_checkpoint will need to wait for the folio write submission
to complete, as sbi->nr_pages[F2FS_DIRTY_NODES] > 0. Therefore, the
situation where f2fs_need_dentry_mark checks that the {struct
nat_entry}->flag /wo the IS_CHECKPOINTED flag, but the folio write has
already been submitted, will not occur.
Therefore, for atomic file fsync, sbi->node_write should be acquired
through __write_node_folio to ensure that the IS_CHECKPOINTED flag
correctly indicates that the checkpoint write has been completed.
Fixes: 608514deba38 ("f2fs: set fsync mark only for the last dnode")
Cc: stable@kernel.org
Signed-off-by: Sheng Yong <shengyong1@xiaomi.com>
Signed-off-by: Jinbao Liu <liujinbao1@xiaomi.com>
Signed-off-by: Yongpeng Yang <yangyongpeng@xiaomi.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/node.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
--- a/fs/f2fs/node.c
+++ b/fs/f2fs/node.c
@@ -1774,8 +1774,13 @@ static bool __write_node_folio(struct fo
goto redirty_out;
}
- if (atomic && !test_opt(sbi, NOBARRIER))
- fio.op_flags |= REQ_PREFLUSH | REQ_FUA;
+ if (atomic) {
+ if (!test_opt(sbi, NOBARRIER))
+ fio.op_flags |= REQ_PREFLUSH | REQ_FUA;
+ if (IS_INODE(folio))
+ set_dentry_mark(folio,
+ f2fs_need_dentry_mark(sbi, ino_of_node(folio)));
+ }
/* should add to global list before clearing PAGECACHE status */
if (f2fs_in_warm_node_list(sbi, folio)) {
@@ -1916,8 +1921,9 @@ continue_unlock:
if (is_inode_flag_set(inode,
FI_DIRTY_INODE))
f2fs_update_inode(inode, folio);
- set_dentry_mark(folio,
- f2fs_need_dentry_mark(sbi, ino));
+ if (!atomic)
+ set_dentry_mark(folio,
+ f2fs_need_dentry_mark(sbi, ino));
}
/* may be written by other thread */
if (!folio_test_dirty(folio))
next prev parent reply other threads:[~2026-02-17 20:52 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-17 20:31 [PATCH 6.18 00/43] 6.18.13-rc1 review Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.18 01/43] scsi: qla2xxx: Fix bsg_done() causing double free Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.18 02/43] rust: device: fix broken intra-doc links Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.18 03/43] rust: dma: " Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.18 04/43] rust: driver: fix broken intra-doc links to example driver types Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.18 05/43] ASoC: amd: yc: Add ASUS ExpertBook PM1503CDA to quirks list Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.18 06/43] gpio: sprd: Change sprd_gpio lock to raw_spin_lock Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.18 07/43] ALSA: hda/realtek: Add quirk for Inspur S14-G1 Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.18 08/43] ASoC: cs35l45: Corrects ASP_TX5 DAPM widget channel Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.18 09/43] ALSA: hda/realtek - fixed speaker no sound Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.18 10/43] romfs: check sb_set_blocksize() return value Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.18 11/43] =?UTF-8?q?drm/tegra:=20hdmi:=20sor:=20Fix=20error:=20variable=20?= =?UTF-8?q?=E2=80=98j=E2=80=99=20set=20but=20not=20used?= Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.18 12/43] platform/x86: classmate-laptop: Add missing NULL pointer checks Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.18 13/43] ASoC: Intel: sof_es8336: Add DMI quirk for Huawei BOD-WXX9 Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.18 14/43] ASoC: amd: yc: Add quirk for HP 200 G2a 16 Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.18 15/43] ALSA: hda/realtek: Enable headset mic for Acer Nitro 5 Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.18 16/43] platform/x86/amd/pmc: Add quirk for MECHREVO Wujie 15X Pro Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.18 17/43] ASoC: sof_sdw: Add a quirk for Lenovo laptop using sidecar amps with cs42l43 Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.18 18/43] platform/x86: panasonic-laptop: Fix sysfs group leak in error path Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 6.18 19/43] ASoC: cs42l43: Correct handling of 3-pole jack load detection Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.18 20/43] tracing/dma: Cap dma_map_sg tracepoint arrays to prevent buffer overflow Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.18 21/43] drm/amd/display: extend delta clamping logic to CM3 LUT helper Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.18 22/43] drm/amd/display: remove assert around dpp_base replacement Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.18 23/43] ASoC: fsl_xcvr: fix missing lock in fsl_xcvr_mode_put() Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.18 24/43] io_uring/fdinfo: be a bit nicer when looping a lot of SQEs/CQEs Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.18 25/43] gpiolib: acpi: Fix gpio count with string references Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.18 26/43] arm64: dts: mediatek: mt8183: Add missing endpoint IDs to display graph Greg Kroah-Hartman
2026-03-04 7:03 ` Evans Jahja
2026-02-17 20:32 ` [PATCH 6.18 27/43] mm/hugetlb: fix excessive IPI broadcasts when unsharing PMD tables using mmu_gather Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.18 28/43] LoongArch: Rework KASAN initialization for PTW-enabled systems Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.18 29/43] cpuset: Fix missing adaptation for cpuset_is_populated Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.18 30/43] fbdev: rivafb: fix divide error in nv3_arb() Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.18 31/43] fbdev: smscufx: properly copy ioctl memory to kernelspace Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.18 32/43] f2fs: fix to add gc count stat in f2fs_gc_range Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.18 33/43] f2fs: fix to check sysfs filename w/ gc_pin_file_thresh correctly Greg Kroah-Hartman
2026-02-17 20:32 ` Greg Kroah-Hartman [this message]
2026-02-17 20:32 ` [PATCH 6.18 35/43] f2fs: fix out-of-bounds access in sysfs attribute read/write Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.18 36/43] f2fs: fix to avoid UAF in f2fs_write_end_io() Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.18 37/43] f2fs: support non-4KB block size without packed_ssa feature Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.18 38/43] f2fs: fix to avoid mapping wrong physical block for swapfile Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.18 39/43] f2fs: optimize f2fs_overwrite_io() for f2fs_iomap_begin Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.18 40/43] iommu/arm-smmu-qcom: do not register driver in probe() Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.18 41/43] USB: serial: option: add Telit FN920C04 RNDIS compositions Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.18 42/43] f2fs: fix to do sanity check on node footer in __write_node_folio() Greg Kroah-Hartman
2026-02-17 20:32 ` [PATCH 6.18 43/43] f2fs: fix to do sanity check on node footer in {read,write}_end_io Greg Kroah-Hartman
2026-02-17 23:04 ` [PATCH 6.18 00/43] 6.18.13-rc1 review Florian Fainelli
2026-02-18 3:45 ` Peter Schneider
2026-02-18 8:23 ` Jon Hunter
2026-02-18 9:09 ` Brett A C Sheffield
2026-02-18 12:17 ` Luna Jernberg
2026-02-18 16:48 ` Jeffrin Thalakkottoor
2026-02-18 23:42 ` Mark Brown
2026-02-19 1:00 ` Justin Forbes
2026-02-19 6:27 ` Ron Economos
2026-02-19 12:46 ` Miguel Ojeda
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260217200007.779045524@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=chao@kernel.org \
--cc=jaegeuk@kernel.org \
--cc=liujinbao1@xiaomi.com \
--cc=patches@lists.linux.dev \
--cc=shengyong1@xiaomi.com \
--cc=stable@kernel.org \
--cc=stable@vger.kernel.org \
--cc=yangyongpeng@xiaomi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.