Message-ID: <6933c069.a70a0220.243dc6.0035.GAE@google.com>
Date: Fri, 05 Dec 2025 21:34:33 -0800
From: syzbot <syzbot+4235e4d7b6fd75704528@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Forwarded: [PATCH] f2fs: fix hung task in block_operations during checkpoint

For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com.

***

Subject: [PATCH] f2fs: fix hung task in block_operations during checkpoint
Author: kartikey406@...il.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

        f2fs_sync_inode_meta() can return 0 (success) even when
        f2fs_update_inode_page() fails and triggers f2fs_stop_checkpoint().
        This happens because the error flag check only occurs at the start
        of each loop iteration, not after f2fs_update_inode_page() returns.

        When I/O errors occur:
        1. f2fs_update_inode_page() retries 8 times then calls
           f2fs_stop_checkpoint(), which sets CP_ERROR_FLAG
        2. f2fs_sync_inode_meta() returns 0 without checking the error flag
        3. block_operations() sees success and loops back to retry_flush_quotas
        4. Dirty inodes remain on list (sync failed), loop repeats forever
        5. Checkpoint never completes, waiters block indefinitely

        This causes hung tasks when operations like unlink wait for checkpoint
        completion while holding locks that other tasks need.

        Fix by checking f2fs_cp_error() after processing each inode in
        f2fs_sync_inode_meta() to detect errors from f2fs_update_inode_page().

        Reported-by: syzbot+4235e4d7b6fd75704528@...kaller.appspotmail.com
        Closes: https://syzkaller.appspot.com/bug?extid=4235e4d7b6fd75704528
        Signed-off-by: Deepanshu Kartikey <kartikey406@...il.com>
---
 fs/f2fs/checkpoint.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c
index bbe07e3a6c75..992637269a84 100644
--- a/fs/f2fs/checkpoint.c
+++ b/fs/f2fs/checkpoint.c
@@ -1140,6 +1140,10 @@ static int f2fs_sync_inode_meta(struct f2fs_sb_info *sbi)
 			return -EIO;
 
 		spin_lock(&sbi->inode_lock[DIRTY_META]);
+		if (unlikely(f2fs_cp_error(sbi))) {
+			spin_unlock(&sbi->inode_lock[DIRTY_META]);
+			return -EIO;
+		}
 		if (list_empty(head)) {
 			spin_unlock(&sbi->inode_lock[DIRTY_META]);
 			return 0;
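Review bot: the f2fs_cp_error() check added directly after spin_lock(&sbi->inode_lock[DIRTY_META]) looks redundant. The context line just above it is already a `return -EIO;`, which the changelog describes as the error flag check at the start of each loop iteration, and nothing visible between that check and the new one calls f2fs_update_inode_page(). The changelog also only describes a check after each inode is processed, not this one. Either drop this check, or explain in the commit message why the flag must be re-tested under inode_lock.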
@@ -1155,6 +1159,8 @@ static int f2fs_sync_inode_meta(struct f2fs_sb_info *sbi)
 			if (is_inode_flag_set(inode, FI_DIRTY_INODE))
 				f2fs_update_inode_page(inode);
 			iput(inode);
+			if (unlikely(f2fs_cp_error(sbi)))
+				return EIO;
 		}
 	}
 	return 0;
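Review bot: the return added after iput(inode) is `return EIO;`, a positive value, while the other error returns visible in this function, including the one added in the previous hunk, are `return -EIO;`. Kernel error codes are returned as negative errno values, so this should be `return -EIO;` to match the rest of the function and to be seen as a failure by a caller that checks for a negative result.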
-- 
2.43.0

