From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot+15669ec8c35ddf6c3d43@syzkaller.appspotmail.com,
Chao Yu <chao@kernel.org>, Jaegeuk Kim <jaegeuk@kernel.org>,
Rajani Kantha <681739313@139.com>
Subject: [PATCH 6.12 28/40] f2fs: fix to avoid panic once fallocation fails for pinfile
Date: Fri, 31 Oct 2025 15:01:21 +0100 [thread overview]
Message-ID: <20251031140044.700899778@linuxfoundation.org> (raw)
In-Reply-To: <20251031140043.939381518@linuxfoundation.org>
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 48ea8b200414ac69ea96f4c231f5c7ef1fbeffef ]
syzbot reports a f2fs bug as below:
------------[ cut here ]------------
kernel BUG at fs/f2fs/segment.c:2746!
CPU: 0 UID: 0 PID: 5323 Comm: syz.0.0 Not tainted 6.13.0-rc2-syzkaller-00018-g7cb1b4663150 #0
RIP: 0010:get_new_segment fs/f2fs/segment.c:2746 [inline]
RIP: 0010:new_curseg+0x1f52/0x1f70 fs/f2fs/segment.c:2876
Call Trace:
<TASK>
__allocate_new_segment+0x1ce/0x940 fs/f2fs/segment.c:3210
f2fs_allocate_new_section fs/f2fs/segment.c:3224 [inline]
f2fs_allocate_pinning_section+0xfa/0x4e0 fs/f2fs/segment.c:3238
f2fs_expand_inode_data+0x696/0xca0 fs/f2fs/file.c:1830
f2fs_fallocate+0x537/0xa10 fs/f2fs/file.c:1940
vfs_fallocate+0x569/0x6e0 fs/open.c:327
do_vfs_ioctl+0x258c/0x2e40 fs/ioctl.c:885
__do_sys_ioctl fs/ioctl.c:904 [inline]
__se_sys_ioctl+0x80/0x170 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Concurrent pinfile allocation may run out of free section, result in
panic in get_new_segment(), let's expand pin_sem lock coverage to
include f2fs_gc(), so that we can make sure to reclaim enough free
space for following allocation.
In addition, do below changes to enhance error path handling:
- call f2fs_bug_on() only in non-pinfile allocation path in
get_new_segment().
- call reset_curseg_fields() to reset all fields of curseg in
new_curseg()
Fixes: f5a53edcf01e ("f2fs: support aligned pinned file")
Reported-by: syzbot+15669ec8c35ddf6c3d43@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-f2fs-devel/675cd64e.050a0220.37aaf.00bb.GAE@google.com
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Rajani Kantha <681739313@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/file.c | 8 +++++---
fs/f2fs/segment.c | 20 ++++++++++----------
2 files changed, 15 insertions(+), 13 deletions(-)
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -1836,18 +1836,20 @@ static int f2fs_expand_inode_data(struct
map.m_len = sec_blks;
next_alloc:
+ f2fs_down_write(&sbi->pin_sem);
+
if (has_not_enough_free_secs(sbi, 0, f2fs_sb_has_blkzoned(sbi) ?
ZONED_PIN_SEC_REQUIRED_COUNT :
GET_SEC_FROM_SEG(sbi, overprovision_segments(sbi)))) {
f2fs_down_write(&sbi->gc_lock);
stat_inc_gc_call_count(sbi, FOREGROUND);
err = f2fs_gc(sbi, &gc_control);
- if (err && err != -ENODATA)
+ if (err && err != -ENODATA) {
+ f2fs_up_write(&sbi->pin_sem);
goto out_err;
+ }
}
- f2fs_down_write(&sbi->pin_sem);
-
err = f2fs_allocate_pinning_section(sbi);
if (err) {
f2fs_up_write(&sbi->pin_sem);
--- a/fs/f2fs/segment.c
+++ b/fs/f2fs/segment.c
@@ -2749,7 +2749,7 @@ find_other_zone:
MAIN_SECS(sbi));
if (secno >= MAIN_SECS(sbi)) {
ret = -ENOSPC;
- f2fs_bug_on(sbi, 1);
+ f2fs_bug_on(sbi, !pinning);
goto out_unlock;
}
}
@@ -2795,7 +2795,7 @@ got_it:
out_unlock:
spin_unlock(&free_i->segmap_lock);
- if (ret == -ENOSPC)
+ if (ret == -ENOSPC && !pinning)
f2fs_stop_checkpoint(sbi, false, STOP_CP_REASON_NO_SEGMENT);
return ret;
}
@@ -2868,6 +2868,13 @@ static unsigned int __get_next_segno(str
return curseg->segno;
}
+static void reset_curseg_fields(struct curseg_info *curseg)
+{
+ curseg->inited = false;
+ curseg->segno = NULL_SEGNO;
+ curseg->next_segno = 0;
+}
+
/*
* Allocate a current working segment.
* This function always allocates a free segment in LFS manner.
@@ -2886,7 +2893,7 @@ static int new_curseg(struct f2fs_sb_inf
ret = get_new_segment(sbi, &segno, new_sec, pinning);
if (ret) {
if (ret == -ENOSPC)
- curseg->segno = NULL_SEGNO;
+ reset_curseg_fields(curseg);
return ret;
}
@@ -3640,13 +3647,6 @@ static void f2fs_randomize_chunk(struct
get_random_u32_inclusive(1, sbi->max_fragment_hole);
}
-static void reset_curseg_fields(struct curseg_info *curseg)
-{
- curseg->inited = false;
- curseg->segno = NULL_SEGNO;
- curseg->next_segno = 0;
-}
-
int f2fs_allocate_data_block(struct f2fs_sb_info *sbi, struct page *page,
block_t old_blkaddr, block_t *new_blkaddr,
struct f2fs_summary *sum, int type,
next prev parent reply other threads:[~2025-10-31 14:04 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-31 14:00 [PATCH 6.12 00/40] 6.12.57-rc1 review Greg Kroah-Hartman
2025-10-31 14:00 ` [PATCH 6.12 01/40] net/sched: sch_qfq: Fix null-deref in agg_dequeue Greg Kroah-Hartman
2025-10-31 14:00 ` [PATCH 6.12 02/40] audit: record fanotify event regardless of presence of rules Greg Kroah-Hartman
2025-10-31 14:00 ` [PATCH 6.12 03/40] perf/x86/intel: Add ICL_FIXED_0_ADAPTIVE bit into INTEL_FIXED_BITS_MASK Greg Kroah-Hartman
2025-10-31 14:00 ` [PATCH 6.12 04/40] perf: Use current->flags & PF_KTHREAD|PF_USER_WORKER instead of current->mm == NULL Greg Kroah-Hartman
2025-10-31 14:00 ` [PATCH 6.12 05/40] perf: Have get_perf_callchain() return NULL if crosstask and user are set Greg Kroah-Hartman
2025-10-31 14:00 ` [PATCH 6.12 06/40] perf: Skip user unwind if the task is a kernel thread Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 07/40] seccomp: passthrough uprobe systemcall without filtering Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 08/40] x86/bugs: Report correct retbleed mitigation status Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 09/40] x86/bugs: Fix reporting of LFENCE retpoline Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 10/40] EDAC/mc_sysfs: Increase legacy channel support to 16 Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 11/40] cpuset: Use new excpus for nocpu error check when enabling root partition Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 12/40] btrfs: abort transaction on specific error places when walking log tree Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 13/40] btrfs: abort transaction in the process_one_buffer() log tree walk callback Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 14/40] btrfs: zoned: return error from btrfs_zone_finish_endio() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 15/40] btrfs: zoned: refine extent allocator hint selection Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 16/40] btrfs: scrub: replace max_t()/min_t() with clamp() in scrub_throttle_dev_io() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 17/40] btrfs: always drop log root tree reference in btrfs_replay_log() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 18/40] btrfs: use level argument in log tree walk callback replay_one_buffer() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 19/40] btrfs: abort transaction if we fail to update inode in log replay dir fixup Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 20/40] btrfs: tree-checker: add inode extref checks Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 21/40] btrfs: use smp_mb__after_atomic() when forcing COW in create_pending_snapshot() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 22/40] sched_ext: Make qmap dump operation non-destructive Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 23/40] arch: Add the macro COMPILE_OFFSETS to all the asm-offsets.c Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 24/40] docs: kdoc: handle the obsolescensce of docutils.ErrorString() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 25/40] selftests: mptcp: disable add_addr retrans in endpoint_tests Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 26/40] selftests: mptcp: join: mark delete re-add signal as skipped if not supported Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 27/40] mptcp: pm: in-kernel: C-flag: handle late ADD_ADDR Greg Kroah-Hartman
2025-10-31 14:01 ` Greg Kroah-Hartman [this message]
2025-10-31 14:01 ` [PATCH 6.12 29/40] wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 30/40] bonding: return detailed error when loading native XDP fails Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 31/40] bonding: check xdp prog when set bond mode Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 32/40] bits: add comments and newlines to #if, #else and #endif directives Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 33/40] bits: introduce fixed-type GENMASK_U*() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 34/40] gpio: regmap: Allow to allocate regmap-irq device Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 35/40] gpio: regmap: add the .fixed_direction_output configuration parameter Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 36/40] gpio: idio-16: Define fixed direction of the GPIO lines Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 37/40] iommu/vt-d: Avoid use of NULL after WARN_ON_ONCE Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 38/40] wifi: ath12k: fix read pointer after free in ath12k_mac_assign_vif_to_vdev() Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 39/40] udmabuf: fix a buf size overflow issue during udmabuf creation Greg Kroah-Hartman
2025-10-31 14:01 ` [PATCH 6.12 40/40] sfc: fix NULL dereferences in ef100_process_design_param() Greg Kroah-Hartman
2025-10-31 15:57 ` [PATCH 6.12 00/40] 6.12.57-rc1 review Peter Schneider
2025-11-01 5:10 ` Dileep malepu
2025-10-31 19:11 ` Brett Mastbergen
2025-10-31 19:34 ` Jon Hunter
2025-10-31 20:39 ` Pavel Machek
2025-10-31 22:35 ` Shuah Khan
2025-11-01 9:51 ` Naresh Kamboju
2025-11-01 11:44 ` Ron Economos
2025-11-01 19:31 ` Brett A C Sheffield
2025-11-01 21:09 ` Miguel Ojeda
2025-11-03 16:50 ` Florian Fainelli
2025-11-13 3:02 ` Guenter Roeck
2025-11-13 20:32 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251031140044.700899778@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=681739313@139.com \
--cc=chao@kernel.org \
--cc=jaegeuk@kernel.org \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=syzbot+15669ec8c35ddf6c3d43@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).