From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot+7eedce5eb281acd832f0@syzkaller.appspotmail.com,
Edward Adam Davis <eadavis@qq.com>,
Ryusuke Konishi <konishi.ryusuke@gmail.com>,
Viacheslav Dubeyko <slava@dubeyko.com>
Subject: [PATCH 5.15 04/39] nilfs2: Fix potential block overflow that cause system hang
Date: Tue, 17 Feb 2026 21:31:13 +0100 [thread overview]
Message-ID: <20260217200003.100149224@linuxfoundation.org> (raw)
In-Reply-To: <20260217200002.929083107@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
commit ed527ef0c264e4bed6c7b2a158ddf516b17f5f66 upstream.
When a user executes the FITRIM command, an underflow can occur when
calculating nblocks if end_block is too small. Since nblocks is of
type sector_t, which is u64, a negative nblocks value will become a
very large positive integer. This ultimately leads to the block layer
function __blkdev_issue_discard() taking an excessively long time to
process the bio chain, and the ns_segctor_sem lock remains held for a
long period. This prevents other tasks from acquiring the ns_segctor_sem
lock, resulting in the hang reported by syzbot in [1].
If the ending block is too small, typically if it is smaller than 4KiB
range, depending on the usage of the segment 0, it may be possible to
attempt a discard request beyond the device size causing the hang.
Exiting successfully and assign the discarded size (0 in this case)
to range->len.
Although the start and len values in the user input range are too small,
a conservative strategy is adopted here to safely ignore them, which is
equivalent to a no-op; it will not perform any trimming and will not
throw an error.
[1]
task:segctord state:D stack:28968 pid:6093 tgid:6093 ppid:2 task_flags:0x200040 flags:0x00080000
Call Trace:
rwbase_write_lock+0x3dd/0x750 kernel/locking/rwbase_rt.c:272
nilfs_transaction_lock+0x253/0x4c0 fs/nilfs2/segment.c:357
nilfs_segctor_thread_construct fs/nilfs2/segment.c:2569 [inline]
nilfs_segctor_thread+0x6ec/0xe00 fs/nilfs2/segment.c:2684
[ryusuke: corrected part of the commit message about the consequences]
Fixes: 82e11e857be3 ("nilfs2: add nilfs_sufile_trim_fs to trim clean segs")
Reported-by: syzbot+7eedce5eb281acd832f0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7eedce5eb281acd832f0
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nilfs2/sufile.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/fs/nilfs2/sufile.c
+++ b/fs/nilfs2/sufile.c
@@ -1091,6 +1091,9 @@ int nilfs_sufile_trim_fs(struct inode *s
else
end_block = start_block + len - 1;
+ if (end_block < nilfs->ns_first_data_block)
+ goto out;
+
segnum = nilfs_get_segnum_of_block(nilfs, start_block);
segnum_end = nilfs_get_segnum_of_block(nilfs, end_block);
@@ -1188,6 +1191,7 @@ int nilfs_sufile_trim_fs(struct inode *s
out_sem:
up_read(&NILFS_MDT(sufile)->mi_sem);
+out:
range->len = ndiscarded << nilfs->ns_blocksize_bits;
return ret;
}
next prev parent reply other threads:[~2026-02-17 20:44 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-17 20:31 [PATCH 5.15 00/39] 5.15.201-rc1 review Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 01/39] crypto: octeontx - Fix length check to avoid truncation in ucode_load_store Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 02/39] crypto: omap - Allocate OMAP_CRYPTO_FORCE_COPY scatterlists correctly Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 03/39] crypto: virtio - Add spinlock protection with virtqueue notification Greg Kroah-Hartman
2026-02-17 20:31 ` Greg Kroah-Hartman [this message]
2026-02-17 20:31 ` [PATCH 5.15 05/39] scsi: qla2xxx: Validate sp before freeing associated memory Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 06/39] scsi: qla2xxx: Delay module unload while fabric scan in progress Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 07/39] scsi: qla2xxx: Query FW again before proceeding with login Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 08/39] gpio: omap: do not register driver in probe() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 09/39] ALSA: hda/realtek: Fix headset mic for TongFang X6AR55xU Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 10/39] gpio: sprd: Change sprd_gpio lock to raw_spin_lock Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 11/39] romfs: check sb_set_blocksize() return value Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 12/39] =?UTF-8?q?drm/tegra:=20hdmi:=20sor:=20Fix=20error:=20variable=20?= =?UTF-8?q?=E2=80=98j=E2=80=99=20set=20but=20not=20used?= Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 13/39] platform/x86: classmate-laptop: Add missing NULL pointer checks Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 14/39] platform/x86: panasonic-laptop: Fix sysfs group leak in error path Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 15/39] ASoC: fsl_xcvr: fix missing lock in fsl_xcvr_mode_put() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 16/39] gpiolib: acpi: Fix gpio count with string references Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 17/39] Revert "wireguard: device: enable threaded NAPI" Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 18/39] btrfs: fix racy bitfield write in btrfs_clear_space_info_full() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 19/39] smb: client: set correct id, uid and cruid for multiuser automounts Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 20/39] net: dsa: free routing table on probe failure Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 21/39] selftests: mptcp: pm: ensure unknown flags are ignored Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 22/39] mptcp: fix race in mptcp_pm_nl_flush_addrs_doit() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 23/39] crypto: virtio - Remove duplicated virtqueue_kick in virtio_crypto_skcipher_crypt_req Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 24/39] smb: server: fix leak of active_num_conn in ksmbd_tcp_new_connection() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 25/39] bus: fsl-mc: Replace snprintf and sprintf with sysfs_emit in sysfs show functions Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 26/39] bus: fsl-mc: fix use-after-free in driver_override_show() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 27/39] scsi: qla2xxx: Fix bsg_done() causing double free Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 28/39] scsi: qla2xxx: Use named initializers for port_[d]state_str Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 29/39] scsi: qla2xxx: Remove dead code (GNN ID) Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 30/39] scsi: qla2xxx: Reduce fabric scan duplicate code Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 31/39] scsi: qla2xxx: Free sp in error path to fix system crash Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 32/39] PCI: endpoint: Automatically create a function specific attributes group Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 33/39] PCI: endpoint: Remove unused field in struct pci_epf_group Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 34/39] PCI: endpoint: Avoid creating sub-groups asynchronously Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 35/39] fbdev: rivafb: fix divide error in nv3_arb() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 36/39] fbdev: smscufx: properly copy ioctl memory to kernelspace Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 37/39] f2fs: fix to avoid UAF in f2fs_write_end_io() Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 38/39] f2fs: fix out-of-bounds access in sysfs attribute read/write Greg Kroah-Hartman
2026-02-17 20:31 ` [PATCH 5.15 39/39] USB: serial: option: add Telit FN920C04 RNDIS compositions Greg Kroah-Hartman
2026-02-17 22:22 ` [PATCH 5.15 00/39] 5.15.201-rc1 review Florian Fainelli
2026-02-18 8:22 ` Jon Hunter
2026-02-18 9:09 ` Brett A C Sheffield
2026-02-18 11:59 ` Mark Brown
2026-02-18 16:27 ` Vijayendra Suman
2026-02-19 6:51 ` Ron Economos
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260217200003.100149224@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=eadavis@qq.com \
--cc=konishi.ryusuke@gmail.com \
--cc=patches@lists.linux.dev \
--cc=slava@dubeyko.com \
--cc=stable@vger.kernel.org \
--cc=syzbot+7eedce5eb281acd832f0@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox