On Mon, Jul 29, 2024 at 9:45 PM <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>
> This is a note to let you know that I've just added the patch titled
>
>     nilfs2: handle inconsistent state in nilfs_btnode_create_block()
>
> to the 6.6-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
>
> The filename of the patch is:
>      nilfs2-handle-inconsistent-state-in-nilfs_btnode_create_block.patch
> and it can be found in the queue-6.6 subdirectory.
>
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@xxxxxxxxxxxxxxx> know about it.
>

Hi Greg, could you please drop this patch for 6.6-stable?

It unintentionally mixes folio and page references in the same function.

The patch for 6.10-stable is fine.

Since the backport to 4.19-stable ~ 6.1-stable failed, I'll post a patch
that takes page/folio conversion into account anyway. So I'd like to
address this for 6.6-stable as well.

Thanks,
Ryusuke Konishi

>
> From 4811f7af6090e8f5a398fbdd766f903ef6c0d787 Mon Sep 17 00:00:00 2001
> From: Ryusuke Konishi <konishi.ryusuke@xxxxxxxxx>
> Date: Thu, 25 Jul 2024 14:20:07 +0900
> Subject: nilfs2: handle inconsistent state in nilfs_btnode_create_block()
>
> From: Ryusuke Konishi <konishi.ryusuke@xxxxxxxxx>
>
> commit 4811f7af6090e8f5a398fbdd766f903ef6c0d787 upstream.
>
> Syzbot reported that a buffer state inconsistency was detected in
> nilfs_btnode_create_block(), triggering a kernel bug.
>
> It is not appropriate to treat this inconsistency as a bug; it can occur
> if the argument block address (the buffer index of the newly created
> block) is a virtual block number and has been reallocated due to
> corruption of the bitmap used to manage its allocation state.
>
> So, modify nilfs_btnode_create_block() and its callers to treat it as a
> possible filesystem error, rather than triggering a kernel bug.
>
> Link: https://lkml.kernel.org/r/20240725052007.4562-1-konishi.ryusuke@xxxxxxxxx
> Fixes: a60be987d45d ("nilfs2: B-tree node cache")
> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@xxxxxxxxx>
> Reported-by: syzbot+89cc4f2324ed37988b60@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=89cc4f2324ed37988b60
> Cc: <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> ---
>  fs/nilfs2/btnode.c |   25 ++++++++++++++++++++-----
>  fs/nilfs2/btree.c  |    4 ++--
>  2 files changed, 22 insertions(+), 7 deletions(-)
>
> --- a/fs/nilfs2/btnode.c
> +++ b/fs/nilfs2/btnode.c
> @@ -51,12 +51,21 @@ nilfs_btnode_create_block(struct address > > bh = nilfs_grab_buffer(inode, btnc, blocknr, BIT(BH_NILFS_Node)); > if (unlikely(!bh)) > - return NULL; > + return ERR_PTR(-ENOMEM); > > if (unlikely(buffer_mapped(bh) || buffer_uptodate(bh) || > buffer_dirty(bh))) { > - brelse(bh); > - BUG(); > + /* > + * The block buffer at the specified new address was already > + * in use. This can happen if it is a virtual block number > + * and has been reallocated due to corruption of the bitmap > + * used to manage its allocation state (if not, the buffer > + * clearing of an abandoned b-tree node is missing somewhere). > + */ > + nilfs_error(inode->i_sb, > + "state inconsistency probably due to duplicate use of b-tree node block address %llu (ino=%lu)", > + (unsigned long long)blocknr, inode->i_ino); > + goto failed; > } > memset(bh->b_data, 0, i_blocksize(inode)); > bh->b_bdev = inode->i_sb->s_bdev; > @@ -67,6 +76,12 @@ nilfs_btnode_create_block(struct address > unlock_page(bh->b_page); > put_page(bh->b_page); > return bh; > + > +failed: > + folio_unlock(bh->b_folio); > + folio_put(bh->b_folio); > + brelse(bh); > + return ERR_PTR(-EIO); > } > > int nilfs_btnode_submit_block(struct address_space *btnc, __u64 blocknr, > @@ -217,8 +232,8 @@ retry: > } > > nbh = nilfs_btnode_create_block(btnc, newkey); > - if (!nbh) > - return -ENOMEM; > + if (IS_ERR(nbh)) > + return PTR_ERR(nbh); > > BUG_ON(nbh == obh); > ctxt->newbh = nbh; > --- a/fs/nilfs2/btree.c > +++ b/fs/nilfs2/btree.c 
> @@ -63,8 +63,8 @@ static int nilfs_btree_get_new_block(con > struct buffer_head *bh; > > bh = nilfs_btnode_create_block(btnc, ptr); > - if (!bh) > - return -ENOMEM; > + if (IS_ERR(bh)) > + return PTR_ERR(bh); > > set_buffer_nilfs_volatile(bh); > *bhp = bh; > > > Patches currently in stable-queue which might be from konishi.ryusuke@xxxxxxxxx are > > queue-6.6/nilfs2-handle-inconsistent-state-in-nilfs_btnode_create_block.patch > queue-6.6/nilfs2-avoid-undefined-behavior-in-nilfs_cnt32_ge-ma.patch
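Review bot: in the first btnode.c hunk (@@ -51,12 +51,21 @@) the new `failed:` label releases the page with `folio_unlock(bh->b_folio); folio_put(bh->b_folio);` while the success path a few lines above it still uses `unlock_page(bh->b_page); put_page(bh->b_page);`, so the 6.6 backport mixes the folio and page APIs inside one function, which is the mismatch the reply above objects to. For the 6.6 queue the cleanup should use the same page calls as the rest of the function (`unlock_page(bh->b_page); put_page(bh->b_page); brelse(bh);`), leaving the folio form to the 6.10 backport where the surrounding code already uses it. The order of the cleanup itself (unlock and drop the page taken by nilfs_grab_buffer(), then brelse() the buffer) matches what the success path does and needs no change.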
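Review bot: the btree.c hunk (@@ -63,8 +63,8 @@) is the right conversion, but note that after this patch nilfs_btnode_create_block() never returns NULL, so any remaining `if (!bh)` caller would treat an ERR_PTR as a valid buffer head and dereference it; the diffstat lists only btnode.c and btree.c, and both call sites shown are converted to `IS_ERR(bh)` / `PTR_ERR(bh)`, so the backport should be checked against the 6.6 tree to confirm those are the only two callers before it is applied.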
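As an added illustration that is not nilfs2 code and not part of the patch or this thread, the following user-space C model reproduces the situation the commit message describes: a block address handed out as "new" by a corrupted allocation bitmap is already live in the node cache, and the create routine reports a filesystem error and returns an error pointer instead of calling BUG(). All names here (grab_buffer, create_block, get_new_block, alloc_vblock, the toy cache and 8-bit bitmap) are hypothetical stand-ins; the ERR_PTR/IS_ERR/PTR_ERR helpers only mimic the kernel convention the patch switches to. The scenario input is constructed in the code.

```c
/* Added user-space model, not nilfs2 code; all names are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the kernel's error-pointer convention used by the patch. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

enum { BH_MAPPED = 1u << 0, BH_UPTODATE = 1u << 1, BH_DIRTY = 1u << 2 };
#define NBLOCKS 8
#define BLOCKSIZE 16

struct buffer_head { uint64_t blocknr; unsigned int state; char data[BLOCKSIZE]; };

/* Per-inode node cache: one slot per block address; fs_errors stands in for
 * nilfs_error() marking the filesystem inconsistent. */
struct btnode_cache { struct buffer_head *bh[NBLOCKS]; int fs_errors; };

/* Find-or-create, like nilfs_grab_buffer(): a cached address comes back
 * with its existing state, which is what exposes the duplicate use. */
static struct buffer_head *grab_buffer(struct btnode_cache *c, uint64_t blocknr)
{
	if (blocknr >= NBLOCKS)
		return NULL;
	if (!c->bh[blocknr]) {
		c->bh[blocknr] = calloc(1, sizeof(*c->bh[blocknr]));
		if (!c->bh[blocknr])
			return NULL;
		c->bh[blocknr]->blocknr = blocknr;
	}
	return c->bh[blocknr];
}

/* After the patch: a "new" address that is already mapped/uptodate/dirty is
 * a filesystem error (-EIO), not a kernel BUG(). */
static struct buffer_head *create_block(struct btnode_cache *c, uint64_t blocknr)
{
	struct buffer_head *bh = grab_buffer(c, blocknr);

	if (!bh)
		return ERR_PTR(-ENOMEM);
	if (bh->state & (BH_MAPPED | BH_UPTODATE | BH_DIRTY)) {
		c->fs_errors++;	/* on-disk allocation metadata is corrupt */
		fprintf(stderr, "fs error: duplicate use of b-tree node block address %llu\n",
			(unsigned long long)blocknr);
		return ERR_PTR(-EIO);
	}
	memset(bh->data, 0, BLOCKSIZE);
	bh->state |= BH_MAPPED | BH_UPTODATE;
	return bh;
}

/* Caller pattern from the patch: propagate whatever error came back instead
 * of assuming a NULL return can only mean -ENOMEM. */
static int get_new_block(struct btnode_cache *c, uint64_t ptr, struct buffer_head **bhp)
{
	struct buffer_head *bh = create_block(c, ptr);

	if (IS_ERR(bh))
		return (int)PTR_ERR(bh);
	bh->state |= BH_DIRTY;
	*bhp = bh;
	return 0;
}

/* Toy virtual-block allocator: first clear bit of an 8-bit bitmap. */
static int alloc_vblock(uint8_t *bitmap, uint64_t *out)
{
	for (uint64_t i = 0; i < NBLOCKS; i++) {
		if (!(*bitmap & (1u << i))) {
			*bitmap |= (uint8_t)(1u << i);
			*out = i;
			return 0;
		}
	}
	return -ENOSPC;
}

static void free_cache(struct btnode_cache *c)
{
	for (int i = 0; i < NBLOCKS; i++)
		free(c->bh[i]);
}

/* Constructed scenario: create a node block, then clear its bitmap bit while
 * the block is live (the corruption), so the next allocation returns the same
 * address. Returns the second create's result and reports fs errors seen. */
static int duplicate_block_scenario(int *fs_errors)
{
	struct btnode_cache cache = { {0}, 0 };
	struct buffer_head *bh;
	uint8_t bitmap = 0;
	uint64_t first, second;
	int err;

	if (alloc_vblock(&bitmap, &first) || get_new_block(&cache, first, &bh))
		return -1;
	bitmap &= (uint8_t)~(1u << first);
	if (alloc_vblock(&bitmap, &second) || second != first)
		return -1;
	err = get_new_block(&cache, second, &bh);	/* -EIO, not a crash */
	*fs_errors = cache.fs_errors;
	free_cache(&cache);
	return err;
}

/* Healthy case: distinct addresses, both creates succeed, no fs error. */
static int healthy_scenario(void)
{
	struct btnode_cache cache = { {0}, 0 };
	struct buffer_head *bh;
	uint8_t bitmap = 0;
	uint64_t a, b;
	int err;

	if (alloc_vblock(&bitmap, &a) || alloc_vblock(&bitmap, &b) || a == b)
		return -1;
	err = get_new_block(&cache, a, &bh);
	if (!err)
		err = get_new_block(&cache, b, &bh);
	if (!err)
		err = cache.fs_errors;
	free_cache(&cache);
	return err;
}

int main(void)
{
	int errs = 0, err = duplicate_block_scenario(&errs);

	printf("duplicate address: err=%d (%s), fs errors=%d; healthy: %d\n",
	       err, err == -EIO ? "EIO" : "other", errs, healthy_scenario());
	return 0;
}
```

The pre-patch behaviour corresponds to replacing the `return ERR_PTR(-EIO)` branch with an abort: a single corrupted bitmap bit on disk would then take down the whole kernel, whereas the patched form confines it to an EIO on the operation that hit it and a filesystem marked as in error.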