Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Date: Thu, 14 May 2026 18:55:29 -0700
In-Reply-To: <6a062e5c.170a0220.196691.0007.GAE@google.com>
Message-ID: <6a067d11.170a0220.9c1d9.07f3.GAE@google.com>
Subject: Forwarded: [PATCH] f2fs: don't BUG on node footer mismatch in f2fs_write_end_io
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Content-Type: text/plain; charset="UTF-8"

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] f2fs: don't BUG on node footer mismatch in f2fs_write_end_io
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

Syzbot reports a recurrence of the kernel BUG in f2fs_write_end_io:

  kernel BUG at fs/f2fs/data.c:388!
  Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
  CPU: 0 UID: 0 PID: 15 Comm: ksoftirqd/0 PREEMPT_{RT,(full)}
  RIP: 0010:f2fs_write_end_io+0x16df/0x1740
  Call Trace:
   blk_update_request+0x57e/0xe60
   blk_mq_end_request+0x3e/0x70
   blk_done_softirq+0x10a/0x160
   handle_softirqs+0x1de/0x6d0
   run_ksoftirqd+0x52/0x180

Commit 50ac3ecd8e05 ("f2fs: fix to do sanity check on node footer in
{read,write}_end_io") added f2fs_sanity_check_node_footer() to both
end_io paths to catch corrupted node footers reachable from fuzzed
on-disk images. In f2fs_write_end_io(), however, the existing

  f2fs_bug_on(sbi, folio->index != nid_of_node(folio));

was left in place immediately after the new helper call. The helper
detects the mismatch, sets SBI_NEED_FSCK and emits a ratelimited
warning, but its return value is discarded and the following
f2fs_bug_on() panics on the exact same condition.

Tracing the reproducer confirms the failure path. A node folio with
index=11 is looked up via __get_node_folio(), the synchronous sanity
check at page_hit fails with -EFSCORRUPTED and out_err clears uptodate
but leaves the dirty bit set from the folio's earlier lifecycle. A
subsequent read_node_folio() fails with the same error (footer_nid=0,
ino=0), and folio_end_read(folio, false) does not clear dirty either.
The writeback iterator then finds the still-dirty folio via the
PAGECACHE_TAG_DIRTY tag and submits it.
f2fs_write_end_io() observes folio->index=11 with nid_of_node(folio)=0
and panics from softirq context via blk_done_softirq, even though
f2fs_sanity_check_node_footer() has already correctly identified the
corruption and would have signalled it via its return value.

A filesystem inconsistency reachable from a mounted image must not
panic the kernel. Mirror the handling already used in
f2fs_finish_read_bio(): capture the helper's return value and mark the
bio with BLK_STS_IOERR on mismatch instead of issuing BUG_ON.
SBI_NEED_FSCK is set by the helper, so fsck.f2fs will repair the
inconsistency on the next mount.

Reported-by: syzbot+4af46ee83100e99bce09@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4af46ee83100e99bce09
Fixes: 50ac3ecd8e05 ("f2fs: fix to do sanity check on node footer in {read,write}_end_io")
Signed-off-by: Deepanshu Kartikey
---
 fs/f2fs/data.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
index 8d4f1e75dee3..c149b0ccf22d 100644
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -382,11 +382,11 @@ static void f2fs_write_end_io(struct bio *bio)
STOP_CP_REASON_WRITE_FAIL); } - if (is_node_folio(folio)) { - f2fs_sanity_check_node_footer(sbi, folio, - folio->index, NODE_TYPE_REGULAR, true); - f2fs_bug_on(sbi, folio->index != nid_of_node(folio)); - } + if (is_node_folio(folio) && + f2fs_sanity_check_node_footer(sbi, folio, + folio->index, NODE_TYPE_REGULAR, true)) + bio->bi_status = BLK_STS_IOERR; + if (f2fs_in_warm_node_list(folio)) f2fs_del_fsync_node_entry(sbi, folio);
-- 
2.43.0
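Review bot: Assigning bio->bi_status = BLK_STS_IOERR at this point in the hunk comes after the write-failure handling that ends with the STOP_CP_REASON_WRITE_FAIL context lines above has already run, so the corrupted folio itself never takes that failure path, while anything handled later in the same completion now sees a failed bio; please confirm this is the intended effect and that the write side actually consumes bi_status after this point the way f2fs_finish_read_bio() does on the read side, otherwise the mismatch is recorded only through SBI_NEED_FSCK and the helper's warning. The description also identifies the actual trigger, a node folio that failed the synchronous footer check and was left dirty but not uptodate, so a companion change that clears the dirty bit on that error path (or otherwise keeps a known-corrupt node folio out of writeback) would stop the corrupt page from being submitted at all, leaving this hunk as the defensive backstop rather than the only fix.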