From: Deepanshu Kartikey
To: agruenba@redhat.com, willy@infradead.org
Cc: adas@redhat.com, gfs2@lists.linux.dev, linux-kernel@vger.kernel.org, Deepanshu Kartikey, syzbot+9013411dc43f3582823a@syzkaller.appspotmail.com
Subject: [PATCH v2] gfs2: reject journal extents with gaps
Date: Thu, 26 Mar 2026 05:21:55 +0530
Message-ID: <20260325235155.9503-1-kartikey406@gmail.com>

A malicious or corrupted GFS2 filesystem image can have a journal extent list with gaps between extents. gfs2_find_jhead() advances blocks_read sequentially through all page indices, but only grabs pages for blocks it actually visits via filemap_grab_folio(). Pages falling in the gaps between extents are never grabbed.

When the cleanup loop at out: calls gfs2_jhead_process_page() for these pages, filemap_get_folio() returns ERR_PTR(-ENOENT), which is passed directly to folio_wait_locked() without checking for errors, hanging the kernel task in uninterruptible sleep (state D) forever and triggering the hung task watchdog.

Fix this by rejecting journal extents with gaps at mapping time in gfs2_add_jextent(). If the new extent does not start exactly where the previous one ended, return -EINVAL to reject the corrupted journal early, before any I/O is submitted.

Fixes: f4686c26ecc3 ("gfs2: read journal in large chunks")
Reported-by: syzbot+9013411dc43f3582823a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9013411dc43f3582823a
Link: https://lore.kernel.org/all/20260324033959.1456418-1-kartikey406@gmail.com/T/ [v1]
Suggested-by: Andreas Gruenbacher
Signed-off-by: Deepanshu Kartikey
---
Changes in v2:
- Instead of checking ERR_PTR in gfs2_jhead_process_page(), reject the gap at extent mapping time in gfs2_add_jextent() as suggested by Andreas Gruenbacher.
---
 fs/gfs2/bmap.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/gfs2/bmap.c b/fs/gfs2/bmap.c index 1cd8ec0bce83..d3ba37291e4c 100644 --- a/fs/gfs2/bmap.c +++ b/fs/gfs2/bmap.c @@ -2219,6 +2219,8 @@ static int gfs2_add_jextent(struct gfs2_jdesc *jd, u6= 4 lblock, u64 dblock, u64 b =20 if (!list_empty(&jd->extent_list)) { jext =3D list_last_entry(&jd->extent_list, struct gfs2_journal_extent, l= ist); + if (jext->lblock + jext->blocks !=3D lblock) + return -EINVAL; if ((jext->dblock + jext->blocks) =3D=3D dblock) { jext->blocks +=3D blocks; return 0; --=20 2.43.0
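Review bot: the new `if (jext->lblock + jext->blocks != lblock)` check only rejects a gap between two consecutive extents; nothing in this hunk verifies that the first extent added to an empty extent_list starts at journal block 0, so a leading gap (first extent with lblock > 0) would still be accepted unless the caller already guarantees it. If gfs2_map_journal_extents() does not check that, an equivalent `lblock != 0` test on the list_empty() path would close it. Two smaller points: the bare `return -EINVAL` leaves no trace in the log that the journal extent table was rejected as corrupt, so a diagnostic before returning would help anyone debugging a mount that fails on such an image; and since `!=` also fires when lblock is less than jext->lblock + jext->blocks, the check rejects overlapping extents as well as gaps, which is worth a sentence in the commit message.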
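The commit message describes two things: why an unmapped page index in the journal leads to a hang, and the contiguity rule the fix enforces in gfs2_add_jextent(). The following is an added userspace model, not code from the patch or from the kernel, that reproduces both on constructed extent tables: a contiguous table maps and merges cleanly and covers every journal block, a table with a gap leaves blocks that the reader would never grab (the page indices the cleanup loop would then wait on forever), and the same gapped table is rejected with -EINVAL when the v2 rule is applied. The `struct jextent`, `struct jdesc`, `add_jextent()` and `count_uncovered()` names and the array-based list are assumptions of this model; only the field names lblock/dblock/blocks and the merge-or-reject logic follow the hunk.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of a GFS2 journal extent: 'blocks' consecutive journal (logical)
 * blocks starting at 'lblock', stored on disk starting at 'dblock'.
 * Hypothetical userspace types; the kernel uses a list, not an array. */
struct jextent {
	uint64_t lblock;
	uint64_t dblock;
	uint64_t blocks;
};

#define MAX_EXTENTS 16
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

struct jdesc {
	struct jextent ext[MAX_EXTENTS];
	size_t n;
};

/* Modeled after gfs2_add_jextent().  With reject_gaps set, a new extent
 * must start exactly where the previous one ended in journal-block space
 * (the v2 check); otherwise -EINVAL is returned before any I/O would be
 * issued.  Physically adjacent extents are merged, as in the kernel. */
static int add_jextent(struct jdesc *jd, uint64_t lblock, uint64_t dblock,
		       uint64_t blocks, bool reject_gaps)
{
	if (jd->n > 0) {
		struct jextent *last = &jd->ext[jd->n - 1];

		if (reject_gaps && last->lblock + last->blocks != lblock)
			return -EINVAL;
		if (last->dblock + last->blocks == dblock) {
			last->blocks += blocks;
			return 0;
		}
	}
	if (jd->n == MAX_EXTENTS)
		return -ENOMEM;
	jd->ext[jd->n].lblock = lblock;
	jd->ext[jd->n].dblock = dblock;
	jd->ext[jd->n].blocks = blocks;
	jd->n++;
	return 0;
}

/* Count journal blocks in [0, nblocks) that no extent covers.  These are
 * the page indices a sequential reader never grabs; in the unpatched
 * code the cleanup loop later looks each one up, gets ERR_PTR(-ENOENT),
 * and waits on it forever. */
static uint64_t count_uncovered(const struct jdesc *jd, uint64_t nblocks)
{
	uint64_t uncovered = 0;

	for (uint64_t b = 0; b < nblocks; b++) {
		bool hit = false;

		for (size_t i = 0; i < jd->n && !hit; i++)
			hit = b >= jd->ext[i].lblock &&
			      b < jd->ext[i].lblock + jd->ext[i].blocks;
		if (!hit)
			uncovered++;
	}
	return uncovered;
}

/* Map a whole extent table into jd; returns the first error or 0. */
static int map_extents(struct jdesc *jd, const struct jextent *tab,
		       size_t n, bool reject_gaps)
{
	jd->n = 0;
	for (size_t i = 0; i < n; i++) {
		int rc = add_jextent(jd, tab[i].lblock, tab[i].dblock,
				     tab[i].blocks, reject_gaps);
		if (rc)
			return rc;
	}
	return 0;
}

/* Constructed sample tables (not taken from any real image).
 * good_tab: blocks 0..15 are physically adjacent and merge; 16..19 do not. */
static const struct jextent good_tab[] = {
	{ 0, 1000, 8 }, { 8, 1008, 8 }, { 16, 5000, 4 },
};
/* gapped_tab: journal blocks 8..11 are never mapped. */
static const struct jextent gapped_tab[] = {
	{ 0, 1000, 8 }, { 12, 2000, 8 },
};

/* Result helpers: return code of mapping a table, and how many of the
 * first nblocks journal blocks stay unmapped after the attempt. */
static int map_rc(const struct jextent *tab, size_t n, bool reject_gaps)
{
	struct jdesc jd;

	return map_extents(&jd, tab, n, reject_gaps);
}

static uint64_t uncovered_after(const struct jextent *tab, size_t n,
				bool reject_gaps, uint64_t nblocks)
{
	struct jdesc jd;

	map_extents(&jd, tab, n, reject_gaps);
	return count_uncovered(&jd, nblocks);
}

int main(void)
{
	printf("contiguous table: rc=%d, uncovered=%llu\n",
	       map_rc(good_tab, ARRAY_SIZE(good_tab), true),
	       (unsigned long long)uncovered_after(good_tab, ARRAY_SIZE(good_tab), true, 20));
	printf("gapped table, unpatched: rc=%d, uncovered=%llu (these indices would hang)\n",
	       map_rc(gapped_tab, ARRAY_SIZE(gapped_tab), false),
	       (unsigned long long)uncovered_after(gapped_tab, ARRAY_SIZE(gapped_tab), false, 20));
	printf("gapped table, patched: rc=%d\n",
	       map_rc(gapped_tab, ARRAY_SIZE(gapped_tab), true));
	return 0;
}
```

The `reject_gaps` flag exists only so the unpatched and patched behaviour can be compared side by side; in the kernel the check is unconditional. Note that the model inherits the hunk's property that a leading gap (a first extent with lblock greater than 0) is not rejected, which is why `count_uncovered()` is a useful second check when validating an extent table.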