From: Alexey Panov
To: stable@vger.kernel.org, Greg Kroah-Hartman
Cc: Alexey Panov, Gao Xiang, Chao Yu, Yue Hu, Jeffle Xu, linux-erofs@lists.ozlabs.org, linux-kernel@vger.kernel.org, syzbot+c8c8238b394be4a1087d@syzkaller.appspotmail.com, lvc-project@linuxtesting.org, Gao Xiang, Max Kellermann, syzbot+4fc98ed414ae63d1ada2@syzkaller.appspotmail.com, syzbot+de04e06b28cfecf2281c@syzkaller.appspotmail.com
Subject: [PATCH v2 6.1 1/2] erofs: handle overlapped pclusters out of crafted images properly
Date: Tue, 4 Mar 2025 14:05:57 +0300
Message-Id: <20250304110558.8315-2-apanov@astralinux.ru>
In-Reply-To: <20250304110558.8315-1-apanov@astralinux.ru>
References: <20250304110558.8315-1-apanov@astralinux.ru>
From: Gao Xiang

commit 9e2f9d34dd12e6e5b244ec488bcebd0c2d566c50 upstream.

syzbot reported a task hang issue due to a deadlock case where it is
waiting for the folio lock of a cached folio that will be used for cache
I/Os.

After looking into the crafted fuzzed image, I found it's formed with
several overlapped big pclusters as below:

 Ext: logical offset | length : physical offset | length
   0:            0..  16384 |  16384 :     151552..    167936 |  16384
   1:        16384..  32768 |  16384 :     155648..    172032 |  16384
   2:        32768..  49152 |  16384 :  537223168.. 537239552 |  16384
 ...

Here, extent 0/1 are physically overlapped although it's entirely
_impossible_ for normal filesystem images generated by mkfs.

First, managed folios containing compressed data will be marked as
up-to-date and then unlocked immediately (unlike in-place folios) when
compressed I/Os are complete. If physical blocks are not submitted in
the incremental order, there should be separate BIOs to avoid dependency
issues. However, the current code mis-arranges z_erofs_fill_bio_vec()
and BIO submission which causes unexpected BIO waits.

Second, managed folios will be connected to their own pclusters for
efficient inter-queries. However, this is somewhat hard to implement
easily if overlapped big pclusters exist. Again, these only appear in
fuzzed images so let's simply fall back to temporary short-lived pages
for correctness.

Additionally, it justifies that referenced managed folios cannot be
truncated for now and reverts part of commit 2080ca1ed3e4 ("erofs: tidy
up `struct z_erofs_bvec`") for simplicity although it shouldn't be any
difference.

Reported-by: syzbot+4fc98ed414ae63d1ada2@syzkaller.appspotmail.com
Reported-by: syzbot+de04e06b28cfecf2281c@syzkaller.appspotmail.com
Reported-by: syzbot+c8c8238b394be4a1087d@syzkaller.appspotmail.com
Tested-by: syzbot+4fc98ed414ae63d1ada2@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/r/0000000000002fda01061e334873@google.com
Fixes: 8e6c8fa9f2e9 ("erofs: enable big pcluster feature")
Signed-off-by: Gao Xiang
Link: https://lore.kernel.org/r/20240910070847.3356592-1-hsiangkao@linux.alibaba.com
[Alexey: This patch follows linux 6.6.y conflict resolution changes of struct folio -> struct page]
Signed-off-by: Alexey Panov
---
Backport fix for CVE-2024-47736
---
v2: Corrected patch comment about a minor fix. I mistakenly assessed the
significance of the changes relative to the backport from 6.6.y.

 fs/erofs/zdata.c | 59 +++++++++++++++++++++++++-----------------------
 1 file changed, 31 insertions(+), 28 deletions(-)

diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c index 94e9e0bf3bbd..ac01c0ede7f7 100644 --- a/fs/erofs/zdata.c +++ b/fs/erofs/zdata.c @@ -1346,14 +1346,13 @@ static struct page *pickup_page_for_submission(stru= ct z_erofs_pcluster *pcl, goto out; =20 lock_page(page); - - /* only true if page reclaim goes wrong, should never happen */ - DBG_BUGON(justfound && PagePrivate(page)); - - /* the page is still in manage cache */ - if (page->mapping =3D=3D mc) { + if (likely(page->mapping =3D=3D mc)) { WRITE_ONCE(pcl->compressed_bvecs[nr].page, page); =20 + /* + * The cached folio is still in managed cache but without + * a valid `->private` pcluster hint. Let's reconnect them. + */ if (!PagePrivate(page)) { /* * impossible to be !PagePrivate(page) for 
@@ -1367,22 +1366,24 @@ static struct page *pickup_page_for_submission(stru= ct z_erofs_pcluster *pcl, SetPagePrivate(page); } =20 - /* no need to submit io if it is already up-to-date */ - if (PageUptodate(page)) { - unlock_page(page); - page =3D NULL; + if (likely(page->private =3D=3D (unsigned long)pcl)) { + /* don't submit cache I/Os again if already uptodate */ + if (PageUptodate(page)) { + unlock_page(page); + page =3D NULL; + + } + goto out; } - goto out; + /* + * Already linked with another pcluster, which only appears in + * crafted images by fuzzers for now. But handle this anyway. + */ + tocache =3D false; /* use temporary short-lived pages */ + } else { + DBG_BUGON(1); /* referenced managed folios can't be truncated */ + tocache =3D true; } - - /* - * the managed page has been truncated, it's unsafe to - * reuse this one, let's allocate a new cache-managed page. - */ - DBG_BUGON(page->mapping); - DBG_BUGON(!justfound); - - tocache =3D true; unlock_page(page); put_page(page); out_allocpage: @@ -1536,16 +1537,11 @@ static void z_erofs_submit_queue(struct z_erofs_dec= ompress_frontend *f, end =3D cur + pcl->pclusterpages; =20 do { - struct page *page; - - page =3D pickup_page_for_submission(pcl, i++, pagepool, - mc); - if (!page) - continue; + struct page *page =3D NULL; =20 if (bio && (cur !=3D last_index + 1 || last_bdev !=3D mdev.m_bdev)) { -submit_bio_retry: +drain_io: submit_bio(bio); if (memstall) { psi_memstall_leave(&pflags); @@ -1554,6 +1550,13 @@ static void z_erofs_submit_queue(struct z_erofs_deco= mpress_frontend *f, bio =3D NULL; } =20 + if (!page) { + page =3D pickup_page_for_submission(pcl, i++, + pagepool, mc); + if (!page) + continue; + } + if (unlikely(PageWorkingset(page)) && !memstall) { psi_memstall_enter(&pflags); memstall =3D 1; 
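Review bot: In the `@@ -1367` hunk the new `else` branch reads `DBG_BUGON(1); /* referenced managed folios can't be truncated */` and then still sets `tocache = true`, so on a build without CONFIG_EROFS_FS_DEBUG (where DBG_BUGON is a no-op) a page whose `->mapping` is no longer `mc` silently takes the same re-allocate-a-managed-page fallback that the deleted comment ("the managed page has been truncated, it's unsafe to reuse this one") used to document; either keep a one-line comment saying the fallback is intentionally retained for production builds, or explain why the branch is now unreachable. Two smaller points in the same region: the `likely(page->private == (unsigned long)pcl)` block gains a stray empty line between `page = NULL;` and its closing brace, and the new comment above `if (!PagePrivate(page))` talks about "the cached folio" although, per the `[Alexey: ...]` note, this 6.1 backport operates on `struct page`, so "cached page" would match the code. Also worth confirming that `justfound` is still referenced somewhere in pickup_page_for_submission() now that both `DBG_BUGON(justfound && PagePrivate(page))` and `DBG_BUGON(!justfound)` are gone, so the backport does not introduce an unused-variable warning.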
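Review bot: In the `@@ -1536` / `@@ -1554` hunks the backward `goto drain_io` from the `bio_add_page()` failure path now re-enters the `if (bio && ...)` block with `page` already picked up, and the new `if (!page)` guard is the only thing that makes the retry re-add the same page instead of calling `pickup_page_for_submission()` a second time; that contract is not stated anywhere, so a short comment at the `drain_io:` label (e.g. `/* page may already be set: retry it with a fresh bio */`) would help the next backporter. Note also that the drain now runs before a page is picked, so `submit_bio()` and `psi_memstall_leave()` can execute on an iteration that then `continue`s with a NULL page; please double-check that `memstall` is cleared in the context between the two hunks, because the post-loop epilogue (visible in the 2/2 hunk) only calls `psi_memstall_leave()` when `bio` is non-NULL, and the drain sets `bio = NULL`.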
@@ -1574,7 +1577,7 @@ static void z_erofs_submit_queue(struct z_erofs_decom= press_frontend *f, } =20 if (bio_add_page(bio, page, PAGE_SIZE, 0) < PAGE_SIZE) - goto submit_bio_retry; + goto drain_io; =20 last_index =3D cur; bypass =3D false; --=20 2.39.5
From: Alexey Panov
To: stable@vger.kernel.org, Greg Kroah-Hartman
Cc: Alexey Panov, Gao Xiang, Chao Yu, Yue Hu, Jeffle Xu, linux-erofs@lists.ozlabs.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org, Gao Xiang, Max Kellermann
Subject: [PATCH v2 6.1 2/2] erofs: fix PSI memstall accounting
Date: Tue, 4 Mar 2025 14:05:58 +0300
Message-Id: <20250304110558.8315-3-apanov@astralinux.ru>
In-Reply-To: <20250304110558.8315-1-apanov@astralinux.ru>
References: <20250304110558.8315-1-apanov@astralinux.ru>
From: Gao Xiang

commit 1a2180f6859c73c674809f9f82e36c94084682ba upstream.

Max Kellermann recently reported psi_group_cpu.tasks[NR_MEMSTALL] is
incorrect in the 6.11.9 kernel.

The root cause appears to be that, since the problematic commit, bio
can be NULL, causing psi_memstall_leave() to be skipped in
z_erofs_submit_queue().

Reported-by: Max Kellermann
Closes: https://lore.kernel.org/r/CAKPOu+8tvSowiJADW2RuKyofL_CSkm_SuyZA7ME5vMLWmL6pqw@mail.gmail.com
Fixes: 9e2f9d34dd12 ("erofs: handle overlapped pclusters out of crafted images properly")
Reviewed-by: Chao Yu
Signed-off-by: Gao Xiang
Link: https://lore.kernel.org/r/20241127085236.3538334-1-hsiangkao@linux.alibaba.com
Signed-off-by: Alexey Panov
---
 fs/erofs/zdata.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c index ac01c0ede7f7..d175b5d0a2f5 100644 --- a/fs/erofs/zdata.c +++ b/fs/erofs/zdata.c @@ -1589,11 +1589,10 @@ static void z_erofs_submit_queue(struct z_erofs_dec= ompress_frontend *f, move_to_bypass_jobqueue(pcl, qtail, owned_head); } while (owned_head !=3D Z_EROFS_PCLUSTER_TAIL); =20 - if (bio) { + if (bio) submit_bio(bio); - if (memstall) - psi_memstall_leave(&pflags); - } + if (memstall) + psi_memstall_leave(&pflags); =20 /* * although background is preferred, no one is pending for submission. --=20 2.39.5
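Review bot: With `psi_memstall_leave()` no longer nested under `if (bio)`, the epilogue now relies entirely on `memstall` being accurate: every `psi_memstall_enter()` must be matched by exactly one leave, and the in-loop `drain_io` path added in 1/2 already calls `psi_memstall_leave()` under `if (memstall)`, so if that path does not also reset `memstall` to 0 this hunk would leave twice for the same enter. That reset is not among the visible context lines of either patch; please confirm it is present in the 6.1 tree or widen the context so it shows. A one-line comment above `if (memstall)` recording the commit message's rationale (bio can be NULL here while a memstall is still open, which previously skipped the leave) would also make clear why the two statements are now deliberately independent.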
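The extent layout quoted in the 1/2 commit message (extents 0 and 1 sharing physical blocks, which mkfs never produces) is the kind of invariant violation a fuzzed image introduces and a sanity checker can flag before the kernel ever submits I/O for it. The following is an added userspace example, not code from this patch series or from fs/erofs: it takes a table of extents, sorts them by physical offset, and reports any extent whose physical range starts inside an earlier extent's range. The `crafted` values are copied from the commit message's table; `sane` and `nested` are constructed inputs, and `struct extent` and the function names are assumptions for this illustration rather than EROFS identifiers.

```c
/*
 * Added example, not part of this patch series or of fs/erofs: a
 * userspace check for physically overlapping extents in an extent table
 * such as the one printed in the 1/2 commit message.  "crafted" is copied
 * from that table; "sane" and "nested" are constructed inputs.  The struct
 * and function names are assumptions for this illustration only.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define NO_INDEX ((size_t)-1)

struct extent {
	uint64_t lofs, llen;	/* logical offset and length (bytes) */
	uint64_t pofs, plen;	/* physical offset and length (bytes) */
};

/* Extents 0..2 exactly as printed in the commit message. */
const struct extent crafted[] = {
	{ 0,     16384, 151552,    16384 },
	{ 16384, 16384, 155648,    16384 },
	{ 32768, 16384, 537223168, 16384 },
};

/* Constructed: same logical layout, physically disjoint (what mkfs emits). */
const struct extent sane[] = {
	{ 0,     16384, 151552, 16384 },
	{ 16384, 16384, 167936, 16384 },
	{ 32768, 16384, 184320, 16384 },
};

/* Constructed: one large extent physically covering two later, disjoint ones. */
const struct extent nested[] = {
	{ 0,    4096, 0,  100 },
	{ 4096, 4096, 10, 5 },
	{ 8192, 4096, 20, 5 },
};

struct indexed {
	struct extent e;
	size_t idx;		/* position in the caller's table */
};

static int cmp_pofs(const void *a, const void *b)
{
	const struct indexed *x = a, *y = b;

	return (x->e.pofs > y->e.pofs) - (x->e.pofs < y->e.pofs);
}

/*
 * Count extents whose physical range starts inside an earlier extent's
 * physical range.  Sorting by start and tracking the running maximum end
 * catches overlaps with non-adjacent extents too (see "nested").  On the
 * first overlap, *lo / *hi (if non-NULL) receive the original indices of
 * the two extents involved.  Zero-length extents are ignored.
 */
size_t find_physical_overlaps(const struct extent *ext, size_t n,
			      size_t *lo, size_t *hi)
{
	struct indexed *v;
	uint64_t max_end = 0;
	size_t max_idx = NO_INDEX, overlaps = 0, i;

	if (n == 0)
		return 0;
	v = malloc(n * sizeof(*v));
	if (!v)
		abort();
	for (i = 0; i < n; i++) {
		v[i].e = ext[i];
		v[i].idx = i;
	}
	qsort(v, n, sizeof(*v), cmp_pofs);

	for (i = 0; i < n; i++) {
		const struct extent *e = &v[i].e;

		if (!e->plen)
			continue;
		if (max_idx != NO_INDEX && e->pofs < max_end) {
			if (overlaps == 0) {
				if (lo) *lo = max_idx;
				if (hi) *hi = v[i].idx;
			}
			overlaps++;
		}
		if (max_idx == NO_INDEX || e->pofs + e->plen > max_end) {
			max_end = e->pofs + e->plen;
			max_idx = v[i].idx;
		}
	}
	free(v);
	return overlaps;
}

/* Original indices of the first overlapping pair, or NO_INDEX if clean. */
size_t first_overlap_lo(const struct extent *ext, size_t n)
{
	size_t lo = NO_INDEX, hi = NO_INDEX;
	find_physical_overlaps(ext, n, &lo, &hi);
	return lo;
}

size_t first_overlap_hi(const struct extent *ext, size_t n)
{
	size_t lo = NO_INDEX, hi = NO_INDEX;
	find_physical_overlaps(ext, n, &lo, &hi);
	return hi;
}

int main(void)
{
	size_t lo, hi;
	size_t count = find_physical_overlaps(crafted, ARRAY_SIZE(crafted),
					      &lo, &hi);

	if (count)
		printf("crafted: %zu overlap(s); first pair: extent %zu vs %zu\n",
		       count, lo, hi);
	printf("sane: %zu overlap(s)\n",
	       find_physical_overlaps(sane, ARRAY_SIZE(sane), NULL, NULL));
	return count ? 1 : 0;
}
```

For the `crafted` table the check reports one overlap between extents 0 and 1, matching the commit message; the `sane` table is clean. The running-maximum end is what makes the check correct for the `nested` case, where a single large extent covers two later extents that do not touch each other.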