fs/nilfs2/segment.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+)
From: Deepanshu Kartikey <kartikey406@gmail.com>
Syzbot reported a hung task in nilfs_transaction_begin() where multiple
tasks performing chmod() on a nilfs2 mount blocked for over 143 seconds
waiting to acquire ns_segctor_sem for read:
INFO: task syz.0.17:5918 blocked for more than 143 seconds.
Call Trace:
schedule+0x164/0x360
rwsem_down_read_slowpath+0x6d9/0x940
down_read+0x99/0x2e0
nilfs_transaction_begin+0x364/0x710 fs/nilfs2/segment.c:221
nilfs_setattr+0x124/0x2c0 fs/nilfs2/inode.c:921
notify_change+0xc1a/0xf40
chmod_common+0x273/0x4a0
do_fchmodat+0x12d/0x230
The writer holding ns_segctor_sem was a concurrent
NILFS_IOCTL_CLEAN_SEGMENTS caller, stuck inside printk while emitting
per-element warnings from nilfs_sufile_updatev():
__nilfs_msg+0x373/0x450 fs/nilfs2/super.c:78
nilfs_sufile_updatev+0x21c/0x6d0 fs/nilfs2/sufile.c:186
nilfs_sufile_freev fs/nilfs2/sufile.h:93 [inline]
nilfs_free_segments fs/nilfs2/segment.c:1140 [inline]
nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1261 [inline]
nilfs_segctor_do_construct+0x1f55/0x76c0
nilfs_clean_segments+0x3bd/0xa50
nilfs_ioctl_clean_segments fs/nilfs2/ioctl.c:922 [inline]
nilfs_ioctl+0x261f/0x2780
The root cause is that user-supplied segment numbers are not validated
before nilfs_clean_segments() begins doing work; the range check on
each segnum is performed deep inside the call chain by
nilfs_sufile_updatev(), which emits a nilfs_warn() per invalid entry
while still holding the segctor lock and the sufile mi_sem. Under load
(repeated invocations across multiple mounts saturating the global
printk path), the cumulative printk latency keeps ns_segctor_sem held
long enough to trip the hung_task watchdog, blocking concurrent
operations such as chmod() that need ns_segctor_sem for read.
Fix by validating the contents of kbufs[4] in nilfs_clean_segments()
immediately after acquiring ns_segctor_sem via nilfs_transaction_lock().
Holding ns_segctor_sem serializes the check against
nilfs_ioctl_resize(), which can modify ns_nsegments, so the validation
uses a consistent value. Out-of-range segment numbers are rejected
with -EINVAL before any segment-cleaning work begins, so the bad
entries never reach the per-element diagnostic path inside
nilfs_sufile_updatev().
Reported-by: syzbot+62f0f99d2f2bb8e3bbd7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=62f0f99d2f2bb8e3bbd7
Tested-by: syzbot+62f0f99d2f2bb8e3bbd7@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Fixes: 071cb4b81987 ("nilfs2: eliminate removal list of segments")
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
---
Hi Viacheslav,
Please queue this patch.
This is a fix by Deepanshu that addresses the problem recently
detected by syzbot, a hang-up that can occur when GC ioctl parameters
are invalid (this time, when a segment number to be freed is
out-of-range).
Thanks,
Ryusuke Konishi
fs/nilfs2/segment.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c
index 1491a4d4b1e1..9332f5ac6083 100644
--- a/fs/nilfs2/segment.c
+++ b/fs/nilfs2/segment.c
@@ -2512,12 +2512,33 @@ int nilfs_clean_segments(struct super_block *sb, struct nilfs_argv *argv,
struct nilfs_sc_info *sci = nilfs->ns_writer;
struct nilfs_transaction_info ti;
int err;
+ size_t i, nfreesegs = argv[4].v_nmembs;
+ __u64 *segnumv = kbufs[4];
if (unlikely(!sci))
return -EROFS;
nilfs_transaction_lock(sb, &ti, 1);
+ /*
+ * Validate segment numbers under ns_segctor_sem (held for write
+ * by nilfs_transaction_lock above) so the check is serialized
+ * against nilfs_ioctl_resize(), which can modify ns_nsegments.
+ * Rejecting bad input here, before any segment-cleaning work
+ * begins, avoids the per-element diagnostic path inside
+ * nilfs_sufile_updatev() that would otherwise run under this
+ * same lock and stall concurrent readers.
+ */
+ for (i = 0; i < nfreesegs; i++) {
+ if (segnumv[i] >= nilfs->ns_nsegments) {
+ nilfs_err(sb,
+ "Segment number %llu to be freed is out of range",
+ (unsigned long long)segnumv[i]);
+ err = -EINVAL;
+ goto bail_unlock;
+ }
+ }
+
err = nilfs_mdt_save_to_shadow_map(nilfs->ns_dat);
if (unlikely(err))
goto out_unlock;
@@ -2558,6 +2579,7 @@ int nilfs_clean_segments(struct super_block *sb, struct nilfs_argv *argv,
sci->sc_freesegs = NULL;
sci->sc_nfreesegs = 0;
nilfs_mdt_clear_shadow_map(nilfs->ns_dat);
+ bail_unlock:
nilfs_transaction_unlock(sb);
return err;
}
--
2.43.0On Sun, 2026-05-03 at 13:33 +0900, Ryusuke Konishi wrote:
> From: Deepanshu Kartikey <kartikey406@gmail.com>
>
> Syzbot reported a hung task in nilfs_transaction_begin() where multiple
> tasks performing chmod() on a nilfs2 mount blocked for over 143 seconds
> waiting to acquire ns_segctor_sem for read:
>
> INFO: task syz.0.17:5918 blocked for more than 143 seconds.
> Call Trace:
> schedule+0x164/0x360
> rwsem_down_read_slowpath+0x6d9/0x940
> down_read+0x99/0x2e0
> nilfs_transaction_begin+0x364/0x710 fs/nilfs2/segment.c:221
> nilfs_setattr+0x124/0x2c0 fs/nilfs2/inode.c:921
> notify_change+0xc1a/0xf40
> chmod_common+0x273/0x4a0
> do_fchmodat+0x12d/0x230
>
> The writer holding ns_segctor_sem was a concurrent
> NILFS_IOCTL_CLEAN_SEGMENTS caller, stuck inside printk while emitting
> per-element warnings from nilfs_sufile_updatev():
>
> __nilfs_msg+0x373/0x450 fs/nilfs2/super.c:78
> nilfs_sufile_updatev+0x21c/0x6d0 fs/nilfs2/sufile.c:186
> nilfs_sufile_freev fs/nilfs2/sufile.h:93 [inline]
> nilfs_free_segments fs/nilfs2/segment.c:1140 [inline]
> nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1261 [inline]
> nilfs_segctor_do_construct+0x1f55/0x76c0
> nilfs_clean_segments+0x3bd/0xa50
> nilfs_ioctl_clean_segments fs/nilfs2/ioctl.c:922 [inline]
> nilfs_ioctl+0x261f/0x2780
>
> The root cause is that user-supplied segment numbers are not validated
> before nilfs_clean_segments() begins doing work; the range check on
> each segnum is performed deep inside the call chain by
> nilfs_sufile_updatev(), which emits a nilfs_warn() per invalid entry
> while still holding the segctor lock and the sufile mi_sem. Under load
> (repeated invocations across multiple mounts saturating the global
> printk path), the cumulative printk latency keeps ns_segctor_sem held
> long enough to trip the hung_task watchdog, blocking concurrent
> operations such as chmod() that need ns_segctor_sem for read.
>
> Fix by validating the contents of kbufs[4] in nilfs_clean_segments()
> immediately after acquiring ns_segctor_sem via nilfs_transaction_lock().
> Holding ns_segctor_sem serializes the check against
> nilfs_ioctl_resize(), which can modify ns_nsegments, so the validation
> uses a consistent value. Out-of-range segment numbers are rejected
> with -EINVAL before any segment-cleaning work begins, so the bad
> entries never reach the per-element diagnostic path inside
> nilfs_sufile_updatev().
>
> Reported-by: syzbot+62f0f99d2f2bb8e3bbd7@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=62f0f99d2f2bb8e3bbd7
> Tested-by: syzbot+62f0f99d2f2bb8e3bbd7@syzkaller.appspotmail.com
> Cc: stable@vger.kernel.org
> Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
> Fixes: 071cb4b81987 ("nilfs2: eliminate removal list of segments")
> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
> ---
> Hi Viacheslav,
>
> Please queue this patch.
>
> This is a fix by Deepanshu that addresses the problem recently
> detected by syzbot, a hang-up that can occur when GC ioctl parameters
> are invalid (this time, when a segment number to be freed is
> out-of-range).
>
> Thanks,
> Ryusuke Konishi
>
> fs/nilfs2/segment.c | 22 ++++++++++++++++++++++
> 1 file changed, 22 insertions(+)
>
> diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c
> index 1491a4d4b1e1..9332f5ac6083 100644
> --- a/fs/nilfs2/segment.c
> +++ b/fs/nilfs2/segment.c
> @@ -2512,12 +2512,33 @@ int nilfs_clean_segments(struct super_block *sb, struct nilfs_argv *argv,
> struct nilfs_sc_info *sci = nilfs->ns_writer;
> struct nilfs_transaction_info ti;
> int err;
> + size_t i, nfreesegs = argv[4].v_nmembs;
> + __u64 *segnumv = kbufs[4];
>
> if (unlikely(!sci))
> return -EROFS;
>
> nilfs_transaction_lock(sb, &ti, 1);
>
> + /*
> + * Validate segment numbers under ns_segctor_sem (held for write
> + * by nilfs_transaction_lock above) so the check is serialized
> + * against nilfs_ioctl_resize(), which can modify ns_nsegments.
> + * Rejecting bad input here, before any segment-cleaning work
> + * begins, avoids the per-element diagnostic path inside
> + * nilfs_sufile_updatev() that would otherwise run under this
> + * same lock and stall concurrent readers.
> + */
> + for (i = 0; i < nfreesegs; i++) {
> + if (segnumv[i] >= nilfs->ns_nsegments) {
> + nilfs_err(sb,
> + "Segment number %llu to be freed is out of range",
> + (unsigned long long)segnumv[i]);
> + err = -EINVAL;
> + goto bail_unlock;
> + }
> + }
> +
> err = nilfs_mdt_save_to_shadow_map(nilfs->ns_dat);
> if (unlikely(err))
> goto out_unlock;
> @@ -2558,6 +2579,7 @@ int nilfs_clean_segments(struct super_block *sb, struct nilfs_argv *argv,
> sci->sc_freesegs = NULL;
> sci->sc_nfreesegs = 0;
> nilfs_mdt_clear_shadow_map(nilfs->ns_dat);
> + bail_unlock:
> nilfs_transaction_unlock(sb);
> return err;
> }
Applied.
Thanks,
Slava.
© 2016 - 2026 Red Hat, Inc.