From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot+7eedce5eb281acd832f0@syzkaller.appspotmail.com,
Edward Adam Davis <eadavis@qq.com>,
Ryusuke Konishi <konishi.ryusuke@gmail.com>,
Viacheslav Dubeyko <slava@dubeyko.com>
Subject: [PATCH 6.12 11/24] nilfs2: Fix potential block overflow that cause system hang
Date: Fri, 13 Feb 2026 14:48:30 +0100 [thread overview]
Message-ID: <20260213134705.141008653@linuxfoundation.org> (raw)
In-Reply-To: <20260213134704.728003077@linuxfoundation.org>
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
commit ed527ef0c264e4bed6c7b2a158ddf516b17f5f66 upstream.
When a user executes the FITRIM command, an underflow can occur when
calculating nblocks if end_block is too small. Since nblocks is of
type sector_t, which is u64, a negative nblocks value will become a
very large positive integer. This ultimately leads to the block layer
function __blkdev_issue_discard() taking an excessively long time to
process the bio chain, and the ns_segctor_sem lock remains held for a
long period. This prevents other tasks from acquiring the ns_segctor_sem
lock, resulting in the hang reported by syzbot in [1].
If the ending block is too small, typically if it is smaller than 4KiB
range, depending on the usage of the segment 0, it may be possible to
attempt a discard request beyond the device size causing the hang.
Exiting successfully and assign the discarded size (0 in this case)
to range->len.
Although the start and len values in the user input range are too small,
a conservative strategy is adopted here to safely ignore them, which is
equivalent to a no-op; it will not perform any trimming and will not
throw an error.
[1]
task:segctord state:D stack:28968 pid:6093 tgid:6093 ppid:2 task_flags:0x200040 flags:0x00080000
Call Trace:
rwbase_write_lock+0x3dd/0x750 kernel/locking/rwbase_rt.c:272
nilfs_transaction_lock+0x253/0x4c0 fs/nilfs2/segment.c:357
nilfs_segctor_thread_construct fs/nilfs2/segment.c:2569 [inline]
nilfs_segctor_thread+0x6ec/0xe00 fs/nilfs2/segment.c:2684
[ryusuke: corrected part of the commit message about the consequences]
Fixes: 82e11e857be3 ("nilfs2: add nilfs_sufile_trim_fs to trim clean segs")
Reported-by: syzbot+7eedce5eb281acd832f0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7eedce5eb281acd832f0
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nilfs2/sufile.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/fs/nilfs2/sufile.c
+++ b/fs/nilfs2/sufile.c
@@ -1106,6 +1106,9 @@ int nilfs_sufile_trim_fs(struct inode *s
else
end_block = start_block + len - 1;
+ if (end_block < nilfs->ns_first_data_block)
+ goto out;
+
segnum = nilfs_get_segnum_of_block(nilfs, start_block);
segnum_end = nilfs_get_segnum_of_block(nilfs, end_block);
@@ -1203,6 +1206,7 @@ int nilfs_sufile_trim_fs(struct inode *s
out_sem:
up_read(&NILFS_MDT(sufile)->mi_sem);
+out:
range->len = ndiscarded << nilfs->ns_blocksize_bits;
return ret;
}
next prev parent reply other threads:[~2026-02-13 13:55 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-13 13:48 [PATCH 6.12 00/24] 6.12.72-rc1 review Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.12 01/24] smb: client: split cached_fid bitfields to avoid shared-byte RMW races Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.12 02/24] ksmbd: fix infinite loop caused by next_smb2_rcv_hdr_off reset in error paths Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.12 03/24] smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection() Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.12 04/24] driver core: enforce device_lock for driver_match_device() Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.12 05/24] Bluetooth: btusb: Add USB ID 7392:e611 for Edimax EW-7611UXB Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.12 06/24] crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.12 07/24] crypto: octeontx - Fix length check to avoid truncation in ucode_load_store Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.12 08/24] crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.12 09/24] crypto: virtio - Add spinlock protection with virtqueue notification Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.12 10/24] crypto: virtio - Remove duplicated virtqueue_kick in virtio_crypto_skcipher_crypt_req Greg Kroah-Hartman
2026-02-13 13:48 ` Greg Kroah-Hartman [this message]
2026-02-13 13:48 ` [PATCH 6.12 12/24] wifi: rtw88: Fix alignment fault in rtw_core_enable_beacon() Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.12 13/24] scsi: qla2xxx: Validate sp before freeing associated memory Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.12 14/24] scsi: qla2xxx: Allow recovery for tape devices Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.12 15/24] scsi: qla2xxx: Delay module unload while fabric scan in progress Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.12 16/24] scsi: qla2xxx: Free sp in error path to fix system crash Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.12 17/24] scsi: qla2xxx: Query FW again before proceeding with login Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.12 18/24] bus: mhi: host: pci_generic: Add Telit FE990B40 modem support Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.12 19/24] mptcp: fix race in mptcp_pm_nl_flush_addrs_doit() Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.12 20/24] erofs: fix UAF issue for file-backed mounts w/ directio option Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.12 21/24] xfs: fix UAF in xchk_btree_check_block_owner Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.12 22/24] PCI: endpoint: Avoid creating sub-groups asynchronously Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.12 23/24] wifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add Greg Kroah-Hartman
2026-02-13 13:48 ` [PATCH 6.12 24/24] gpio: omap: do not register driver in probe() Greg Kroah-Hartman
2026-02-13 19:09 ` [PATCH 6.12 00/24] 6.12.72-rc1 review Florian Fainelli
2026-02-13 19:20 ` Jon Hunter
2026-02-13 23:54 ` Peter Schneider
2026-02-14 0:58 ` Brett Mastbergen
2026-02-14 10:42 ` Ron Economos
2026-02-14 16:01 ` Brett A C Sheffield
2026-02-14 23:58 ` Barry K. Nathan
2026-02-15 0:06 ` Miguel Ojeda
2026-02-16 14:27 ` Mark Brown
2026-02-16 15:35 ` Greg Kroah-Hartman
2026-02-16 15:47 ` Danilo Krummrich
2026-02-16 16:01 ` Danilo Krummrich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260213134705.141008653@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=eadavis@qq.com \
--cc=konishi.ryusuke@gmail.com \
--cc=patches@lists.linux.dev \
--cc=slava@dubeyko.com \
--cc=stable@vger.kernel.org \
--cc=syzbot+7eedce5eb281acd832f0@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox