* [PATCH 6.6.y] erofs: fix "BUG: Bad page state in z_erofs_do_read_page"
@ 2026-03-27 4:15 Gao Xiang
2026-03-31 13:12 ` Patch "erofs: fix "BUG: Bad page state in z_erofs_do_read_page"" has been added to the 6.6-stable tree gregkh
0 siblings, 1 reply; 2+ messages in thread
From: Gao Xiang @ 2026-03-27 4:15 UTC (permalink / raw)
To: stable, Greg Kroah-Hartman
Cc: linux-erofs, Gao Xiang, syzbot+b6353e35ae2bab997538
It's actually a stable-only issue from backporting 9e2f9d34dd12
("erofs: handle overlapped pclusters out of crafted images properly").
We missed updating `oldpage` after `pcl->compressed_bvecs[nr].page`
is updated, so that the following cmpxchg() will fail; the original
upstream commit doesn't behave like this due to new features and
refactoring.
This backport issue only impacts some specific crafted images and
normal filesystems won't be impacted at all.
Fixes: 1bf7e414cac3 ("erofs: handle overlapped pclusters out of crafted images properly") # 6.6.y
Closes: https://syzkaller.appspot.com/bug?extid=b6353e35ae2bab997538
Reported-and-tested-by: syzbot+b6353e35ae2bab997538@syzkaller.appspotmail.com [1]
[1] https://lore.kernel.org/r/69c3b299.a70a0220.234938.004b.GAE@google.com
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
---
fs/erofs/zdata.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c
index c1f802ecc47b..97764612fc76 100644
--- a/fs/erofs/zdata.c
+++ b/fs/erofs/zdata.c
@@ -1500,6 +1500,7 @@ static struct page *pickup_page_for_submission(struct z_erofs_pcluster *pcl,
lock_page(page);
if (likely(page->mapping == mc)) {
WRITE_ONCE(pcl->compressed_bvecs[nr].page, page);
+ oldpage = page;
/*
* The cached folio is still in managed cache but without
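Review bot: the added `oldpage = page;` directly after the WRITE_ONCE() into `pcl->compressed_bvecs[nr].page` carries no comment saying why the local has to follow the slot. The commit message explains that a following cmpxchg() fails when `oldpage` is stale and that upstream has no such line because of refactoring, so the assignment exists only in 6.6.y. A one-line comment here, for example "keep oldpage in sync with the slot for the cmpxchg() below", would keep a later backport or cleanup in this branch from dropping it as a redundant store.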
--
2.43.5
* Patch "erofs: fix "BUG: Bad page state in z_erofs_do_read_page"" has been added to the 6.6-stable tree
2026-03-27 4:15 [PATCH 6.6.y] erofs: fix "BUG: Bad page state in z_erofs_do_read_page" Gao Xiang
@ 2026-03-31 13:12 ` gregkh
0 siblings, 0 replies; 2+ messages in thread
From: gregkh @ 2026-03-31 13:12 UTC (permalink / raw)
To: 69c3b299.a70a0220.234938.004b.GAE, gregkh, hsiangkao, linux-erofs,
syzbot+b6353e35ae2bab997538
Cc: stable-commits
This is a note to let you know that I've just added the patch titled
erofs: fix "BUG: Bad page state in z_erofs_do_read_page"
to the 6.6-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
erofs-fix-bug-bad-page-state-in-z_erofs_do_read_page.patch
and it can be found in the queue-6.6 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
From hsiangkao@linux.alibaba.com Fri Mar 27 05:15:33 2026
From: Gao Xiang <hsiangkao@linux.alibaba.com>
Date: Fri, 27 Mar 2026 12:15:24 +0800
Subject: erofs: fix "BUG: Bad page state in z_erofs_do_read_page"
To: stable@vger.kernel.org, Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-erofs@lists.ozlabs.org, Gao Xiang <hsiangkao@linux.alibaba.com>, syzbot+b6353e35ae2bab997538@syzkaller.appspotmail.com
Message-ID: <20260327041524.1087336-1-hsiangkao@linux.alibaba.com>
From: Gao Xiang <hsiangkao@linux.alibaba.com>
It's actually a stable-only issue from backporting 9e2f9d34dd12
("erofs: handle overlapped pclusters out of crafted images properly").
We missed updating `oldpage` after `pcl->compressed_bvecs[nr].page`
is updated, so that the following cmpxchg() will fail; the original
upstream commit doesn't behave like this due to new features and
refactoring.
This backport issue only impacts some specific crafted images and
normal filesystems won't be impacted at all.
Fixes: 1bf7e414cac3 ("erofs: handle overlapped pclusters out of crafted images properly") # 6.6.y
Closes: https://syzkaller.appspot.com/bug?extid=b6353e35ae2bab997538
Reported-and-tested-by: syzbot+b6353e35ae2bab997538@syzkaller.appspotmail.com [1]
[1] https://lore.kernel.org/r/69c3b299.a70a0220.234938.004b.GAE@google.com
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/erofs/zdata.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/erofs/zdata.c
+++ b/fs/erofs/zdata.c
@@ -1503,6 +1503,7 @@ repeat:
lock_page(page);
if (likely(page->mapping == mc)) {
WRITE_ONCE(pcl->compressed_bvecs[nr].page, page);
+ oldpage = page;
/*
* The cached folio is still in managed cache but without
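Review bot: the hunk header in the queued copy is `@@ -1503,6 +1503,7 @@ repeat:`, while the submitted patch reads `@@ -1500,6 +1500,7 @@` with pickup_page_for_submission() as context, so it was applied at a three-line offset and with a different section label. The three leading context lines (lock_page(), the `page->mapping == mc` test, the WRITE_ONCE()) match the submission, so the insertion point looks right, but it is worth confirming in the queue-6.6 tree that `oldpage = page;` sits in that same branch of pickup_page_for_submission() before the release is cut.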
Patches currently in stable-queue which might be from hsiangkao@linux.alibaba.com are
queue-6.6/erofs-add-gfp_noio-in-the-bio-completion-if-needed.patch
queue-6.6/erofs-fix-bug-bad-page-state-in-z_erofs_do_read_page.patch