From: Arseniy Krasnov <avkrasnov@salutedevices.com>
Date: Fri, 10 Apr 2026 11:13:46 +0300
To: Gao Xiang, Chao Yu, Yue Hu, Jeffle Xu, Sandeep Dhavale, Hongbo Li, Sheng Yong
Subject: erofs pointer corruption and kernel crash
Message-ID: <4a2f3801-fac1-42fe-ae75-da315822e088@salutedevices.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

We found unexpected behaviour of erofs:

There is a function in erofs, 'erofs_onlinefolio_end()'. It takes a pointer to 'struct folio' as its first argument, and there is a loop inside this function which updates the 'private' field of the provided folio:

    do {
        orig = atomic_read((atomic_t *)&folio->private);
        DBG_BUGON(orig <= 0);
        v = dirty << EROFS_ONLINEFOLIO_DIRTY;
        v |= (orig - 1) | (!!err << EROFS_ONLINEFOLIO_EIO);
    } while (atomic_cmpxchg((atomic_t *)&folio->private, orig, v) != orig);

Now, we see that in some rare case this function processes a folio where 'private' is a pointer, and thus this loop will update some bits in this pointer. Then later the kernel dereferences such a pointer and crashes.

To catch this, the following small debug patch was used (i.e. we check whether the 'private' field is a pointer):

diff --git a/fs/erofs/data.c b/fs/erofs/data.c index 33cb0a7330d2..b1d8deffec4d 100644 --- a/fs/erofs/data.c +++ b/fs/erofs/data.c @@ -238,6 +238,11 @@ void erofs_onlinefolio_end(struct folio *folio, int er= r, bool dirty) { int orig, v; =20 + if (((uintptr_t)folio->private) & 0xffff000000000000) { + pr_emerg("\n[foliodbg] %s:%d EROFS FOLIO %px PRIVATE BEFORE %px\n"= , __func__, __LINE__, folio, folio->private); + dump_stack(); + } + do { orig =3D atomic_read((atomic_t *)&folio->private); DBG_BUGON(orig <=3D 0); 
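Review bot: the condition `((uintptr_t)folio->private) & 0xffff000000000000` hard-codes the arm64 kernel VA prefix that the trace below shows (ffff0000...), so this check is layout-specific and stays silent on other architectures or VA configurations; it is also evaluated outside the cmpxchg loop, so the 'PRIVATE BEFORE' value it prints is not necessarily the 'orig' the loop then reads. Both are acceptable for a local debug patch, as is printing raw addresses with %px, but none of it should go into anything submitted; a WARN_ON_ONCE-style guard would at least keep the dmesg flood down if the condition fires repeatedly.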
@@ -245,6 +250,9 @@ void erofs_onlinefolio_end(struct folio *folio, int err= , bool dirty) v |=3D (orig - 1) | (!!err << EROFS_ONLINEFOLIO_EIO); } while (atomic_cmpxchg((atomic_t *)&folio->private, orig, v) !=3D ori= g); =20 + if (((uintptr_t)folio->private) & 0xffff000000000000) + pr_emerg("\n[foliodbg] %s:%d EROFS FOLIO %px PRIVATE SET %px\n", _= _func__, __LINE__, folio, folio->private); + if (v & (BIT(EROFS_ONLINEFOLIO_DIRTY) - 1)) return; folio->private =3D 0;

And it gives this result:

[][ T639] [foliodbg] erofs_onlinefolio_end:242 EROFS FOLIO fffffdffc0030440 PRIVATE BEFORE ffff000002b32468
[][ T639] CPU: 0 UID: 0 PID: 639 Comm: kworker/0:6H Tainted: G O 6.15.11-sdkernel #1 PREEMPT
[][ T639] Tainted: [O]=OOT_MODULE
[][ T639] Workqueue: kverityd verity_work
[][ T639] Call trace:
[][ T639]  show_stack+0x18/0x30 (C)
[][ T639]  dump_stack_lvl+0x60/0x80
[][ T639]  dump_stack+0x18/0x24
[][ T639]  erofs_onlinefolio_end+0x124/0x130
[][ T639]  z_erofs_decompress_queue+0x4b0/0x8c0
[][ T639]  z_erofs_decompress_kickoff+0x88/0x150
[][ T639]  z_erofs_endio+0x144/0x250
[][ T639]  bio_endio+0x138/0x150
[][ T639]  __dm_io_complete+0x1e0/0x2b0
[][ T639]  clone_endio+0xd0/0x270
[][ T639]  bio_endio+0x138/0x150
[][ T639]  verity_finish_io+0x64/0xf0
[][ T639]  verity_work+0x30/0x40
[][ T639]  process_one_work+0x180/0x2e0
[][ T639]  worker_thread+0x2c4/0x3f0
[][ T639]  kthread+0x12c/0x210
[][ T639]  ret_from_fork+0x10/0x20
[][ T639]
[][ T639] [foliodbg] erofs_onlinefolio_end:254 EROFS FOLIO fffffdffc0030440 PRIVATE SET ffff000022b32467
[][ T39] Unable to handle kernel paging request at virtual address ffff000022b32467
[][ T39] Mem abort info:
[][ T39]   ESR = 0x0000000096000006
[][ T39]   EC = 0x25: DABT (current EL), IL = 32 bits
[][ T39]   SET = 0, FnV = 0
[][ T39]   EA = 0, S1PTW = 0
[][ T39]   FSC = 0x06: level 2 translation fault
[][ T39] Data abort info:
[][ T39]   ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000
[][ T39]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[][ T39]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[][ T39] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000001e36000
[][ T39] [ffff000022b32467] pgd=1800000007fff403, p4d=1800000007fff403, pud=1800000007ffe403, pmd=0000000000000000
[][ T39] Internal error: Oops: 0000000096000006 [#1] SMP
[][ T39] Modules linked in: vlsicomm(O)
[][ T39] CPU: 1 UID: 0 PID: 39 Comm: kswapd0 Tainted: G O 6.15.11-sdkernel #1 PREEMPT
[][ T39] Tainted: [O]=OOT_MODULE
[][ T39] pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[][ T39] pc : drop_buffers.constprop.0+0x34/0x120
[][ T39] lr : try_to_free_buffers+0xd0/0x100
[][ T39] sp : ffff80008105b780
[][ T39] x29: ffff80008105b780 x28: 0000000000000000 x27: fffffdffc0030448
[][ T39] x26: ffff80008105b8a0 x25: ffff80008105b868 x24: 0000000000000001
[][ T39] x23: fffffdffc0030440 x22: ffff80008105b7b0 x21: fffffdffc0030440
[][ T39] x20: ffff000022b32467 x19: ffff000022b32467 x18: 0000000000000000
[][ T39] x17: 0000000000000000 x16: 0000000000000000 x15: 00000000d69f4cc0
[][ T39] x14: ffff0000000c5dc0 x13: 0000000000000000 x12: ffff800080d59b58
[][ T39] x11: 00000000000000c0 x10: 0000000000000000 x9 : 0000000000000000
[][ T39] x8 : ffff80008105b7d0 x7 : 0000000000000000 x6 : 000000000000003f
[][ T39] x5 : 0000000000000000 x4 : fffffdffc0030440 x3 : 1ff0000000004001
[][ T39] x2 : 1ff0000000004001 x1 : ffff80008105b7b0 x0 : fffffdffc0030440
[][ T39] Call trace:
[][ T39]  drop_buffers.constprop.0+0x34/0x120 (P)
[][ T39]  try_to_free_buffers+0xd0/0x100
[][ T39]  filemap_release_folio+0x94/0xc0
[][ T39]  shrink_folio_list+0x8c8/0xc40
[][ T39]  shrink_lruvec+0x740/0xb80
[][ T39]  shrink_node+0x2b8/0x9a0
[][ T39]  balance_pgdat+0x3b8/0x760
[][ T39]  kswapd+0x220/0x3b0
[][ T39]  kthread+0x12c/0x210
[][ T39]  ret_from_fork+0x10/0x20
[][ T39] Code: 14000004 f9400673 eb13029f 54000180 (f9400262)
[][ T39] ---[ end trace 0000000000000000 ]---
[][ T39] Kernel panic - not syncing: Oops: Fatal exception
[][ T39] SMP: stopping secondary CPUs
[][ T39] Kernel Offset: disabled
[][ T39] CPU features: 0x0000,00000000,01000000,0200420b
[][ T39] Memory Limit: none
[][ T39] Rebooting in 5 seconds..

So 'erofs_onlinefolio_end()' takes some folio whose 'private' field contains some pointer (0xffff000002b32468), "corrupts" this pointer (the result will be 0xffff000022b32467; at least we see that 0x20000000 was ORed into the original pointer, and this is (1 << EROFS_ONLINEFOLIO_DIRTY)), and then the kernel crashes.

We guess it is not a valid case when such a folio is passed as an argument to 'erofs_onlinefolio_end()'.

We have the following erofs configuration in buildroot:

    BR2_TARGET_ROOTFS_EROFS=y
    BR2_TARGET_ROOTFS_EROFS_CUSTOM_COMPRESSION=y
    BR2_TARGET_ROOTFS_EROFS_COMPRESSION_ALGORITHMS="zstd,22 --max-extent-bytes 65536 -E48bit"
    BR2_TARGET_ROOTFS_EROFS_FRAGMENTS=y
    BR2_TARGET_ROOTFS_EROFS_PCLUSTERSIZE=65536

Maybe you know how to fix it, or have some ideas? Because we are new to erofs and need to discover and learn its source code.

Thanks
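The counter update quoted at the top of the report, modelled on a plain 64-bit little-endian host to show exactly how a pointer left in 'private' becomes the address in the oops: the kernel casts the pointer-sized word to atomic_t, so only its low 32 bits take part in the arithmetic and the upper half of the pointer survives. This is an added example, not erofs code; 'struct folio_sim', 'onlinefolio_end_sim()' and 'looks_like_kernel_pointer()' are stand-ins, EROFS_ONLINEFOLIO_DIRTY = 29 follows from the 0x20000000 in the report, and EROFS_ONLINEFOLIO_EIO = 30 is an assumption.

```c
/* Added example, not erofs code: the cmpxchg loop from erofs_onlinefolio_end()
 * modelled on a 64-bit little-endian host.  The kernel casts the pointer-sized
 * 'private' word to atomic_t, so only its low 32 bits take part in the update. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define EROFS_ONLINEFOLIO_DIRTY 29  /* 1 << 29 == 0x20000000, as seen in the report */
#define EROFS_ONLINEFOLIO_EIO   30  /* assumed; the report does not state it */
#define BIT(n) (1u << (n))
struct folio_sim {            /* stand-in for the 'private' part of struct folio */
    union {
        uintptr_t private;    /* full word: a pointer, or the online counter */
        uint32_t  ctr;        /* low 32 bits: what (atomic_t *)&private reads on LE */
    };
};

/* Same arithmetic as the loop in the report; returns the new 32-bit value v. */
static uint32_t onlinefolio_end_sim(struct folio_sim *f, int err, bool dirty)
{
    uint32_t orig, v;
    do {
        orig = __atomic_load_n(&f->ctr, __ATOMIC_SEQ_CST);
        /* DBG_BUGON(orig <= 0) in the kernel: a pointer's low half just looks like a big count */
        v = (uint32_t)dirty << EROFS_ONLINEFOLIO_DIRTY;
        v |= (orig - 1) | ((uint32_t)!!err << EROFS_ONLINEFOLIO_EIO);
    } while (!__atomic_compare_exchange_n(&f->ctr, &orig, v, false,
                                          __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST));
    if (v & (BIT(EROFS_ONLINEFOLIO_DIRTY) - 1))
        return v;             /* other sub-requests still pending: word kept */
    f->private = 0;           /* last completion: release the counter word */
    return v;
}
/* The heuristic from the debug patch: arm64 kernel VAs carry 0xffff... on top. */
static bool looks_like_kernel_pointer(uintptr_t priv)
{
    return (priv & 0xffff000000000000ULL) != 0;
}
int main(void)
{
    struct folio_sim f = { .private = 0xffff000002b32468ULL }; /* PRIVATE BEFORE from the report */
    struct folio_sim g = { .private = 2 };                      /* genuine counter: 2 sub-requests */
    onlinefolio_end_sim(&f, 0, true);                           /* dirty completion, no error */
    printf("pointer case: %#lx (looks like kernel ptr: %d)\n",
           (unsigned long)f.private, looks_like_kernel_pointer(f.private));
    onlinefolio_end_sim(&g, 0, false);
    onlinefolio_end_sim(&g, -5, false);                         /* last one completes with -5 */
    printf("counter case: private = %#lx after both completions\n", (unsigned long)g.private);
    return 0;
}
```

The pointer case reproduces the 'PRIVATE SET' value from the trace, while the genuine counter case shows the intended decrement-to-zero path with the EIO bit carried in v.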