This is a note to let you know that I've just added the patch titled erofs: fix refcount on the metabuf used for inode lookup to the 6.6-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: erofs-fix-refcount-on-the-metabuf-used-for-inode-lookup.patch and it can be found in the queue-6.6 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 56ee7db31187dc36d501622cb5f1415e88e01c2a Mon Sep 17 00:00:00 2001 From: Sandeep Dhavale <dhavale@xxxxxxxxxx> Date: Wed, 21 Feb 2024 13:03:47 -0800 Subject: erofs: fix refcount on the metabuf used for inode lookup From: Sandeep Dhavale <dhavale@xxxxxxxxxx> commit 56ee7db31187dc36d501622cb5f1415e88e01c2a upstream. In erofs_find_target_block() when erofs_dirnamecmp() returns 0, we do not assign the target metabuf. This causes the caller erofs_namei()'s erofs_put_metabuf() at the end to be not effective leaving the refcount on the page. As the page from metabuf (buf->page) is never put, such page cannot be migrated or reclaimed. Fix it now by putting the metabuf from previous loop and assigning the current metabuf to target before returning so caller erofs_namei() can do the final put as it was intended. Fixes: 500edd095648 ("erofs: use meta buffers for inode lookup") Cc: <stable@xxxxxxxxxxxxxxx> # 5.18+ Signed-off-by: Sandeep Dhavale <dhavale@xxxxxxxxxx> Reviewed-by: Gao Xiang <hsiangkao@xxxxxxxxxxxxxxxxx> Reviewed-by: Jingbo Xu <jefflexu@xxxxxxxxxxxxxxxxx> Reviewed-by: Chao Yu <chao@xxxxxxxxxx> Link: https://lore.kernel.org/r/20240221210348.3667795-1-dhavale@xxxxxxxxxx Signed-off-by: Gao Xiang <hsiangkao@xxxxxxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/erofs/namei.c | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) --- a/fs/erofs/namei.c +++ b/fs/erofs/namei.c @@ -130,24 +130,24 @@ static void *erofs_find_target_block(str /* string comparison without already matched prefix */ diff = erofs_dirnamecmp(name, &dname, &matched); - if (!diff) { - *_ndirents = 0; - goto out; - } else if (diff > 0) { - head = mid + 1; - startprfx = matched; - - if (!IS_ERR(candidate)) - erofs_put_metabuf(target); - *target = buf; - candidate = de; - *_ndirents = ndirents; - } else { + if (diff < 0) { erofs_put_metabuf(&buf); - back = mid - 1; endprfx = matched; + continue; + } + + if (!IS_ERR(candidate)) + erofs_put_metabuf(target); + *target = buf; + if (!diff) { + *_ndirents = 0; + return de; } + head = mid + 1; + startprfx = matched; + candidate = de; + *_ndirents = ndirents; continue; } out: /* free if the candidate is valid */ Patches currently in stable-queue which might be from dhavale@xxxxxxxxxx are queue-6.6/erofs-fix-refcount-on-the-metabuf-used-for-inode-lookup.patch queue-6.6/fs-aio-restrict-kiocb_set_cancel_fn-to-i-o-submitted-via-libaio.patch