Date: Fri, 05 Dec 2025 20:47:11 -0800
In-Reply-To: <69332cf9.a70a0220.243dc6.0011.GAE@google.com>
Message-ID: <6933b54f.a70a0220.38f243.0011.GAE@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: Forwarded: [PATCH] f2fs: fix hung task in block_operations during checkpoint
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] f2fs: fix hung task in block_operations during checkpoint
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

f2fs_sync_inode_meta() can return 0 (success) even when
f2fs_update_inode_page() fails and triggers f2fs_stop_checkpoint(). This
happens because the error flag check only occurs at the start of each
loop iteration, not after f2fs_update_inode_page() returns.

When I/O errors occur:
1. f2fs_update_inode_page() retries 8 times then calls
   f2fs_stop_checkpoint(), which sets CP_ERROR_FLAG
2. f2fs_sync_inode_meta() returns 0 without checking the error flag
3. block_operations() sees success and loops back to retry_flush_quotas
4. Dirty inodes remain on list (sync failed), loop repeats forever
5. Checkpoint never completes, waiters block indefinitely

This causes hung tasks when operations like unlink wait for checkpoint
completion while holding locks that other tasks need.

Fix by checking f2fs_cp_error() after processing each inode in
f2fs_sync_inode_meta() to detect errors from f2fs_update_inode_page().

Reported-by: syzbot+4235e4d7b6fd75704528@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4235e4d7b6fd75704528
Signed-off-by: Deepanshu Kartikey
--- fs/f2fs/checkpoint.c | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c index bbe07e3a6c75..05b1495b6fb6 100644 --- a/fs/f2fs/checkpoint.c +++ b/fs/f2fs/checkpoint.c 
@@ -1134,12 +1134,19 @@ static int f2fs_sync_inode_meta(struct f2fs_sb_info= *sbi) struct inode *inode; struct f2fs_inode_info *fi; s64 total =3D get_pages(sbi, F2FS_DIRTY_IMETA); + printk(KERN_ERR "f2fs_sync_inode_meta: total=3D%lld\n", total); =20 while (total--) { + printk(KERN_ERR "f2fs_sync_inode_meta: loop iteration, total=3D%lld\n", = total); + if (unlikely(f2fs_cp_error(sbi))) return -EIO; - + printk(KERN_ERR "f2fs_sync_inode_meta: before spin_lock\n"); + =09 spin_lock(&sbi->inode_lock[DIRTY_META]); + printk(KERN_ERR "f2fs_sync_inode_meta: after spin_lock\n"); + printk(KERN_ERR "f2fs_sync_inode_meta: after spin_lock, cp_error=3D%d\n"= , f2fs_cp_error(sbi)); + if (list_empty(head)) { spin_unlock(&sbi->inode_lock[DIRTY_META]); return 0; @@ -1152,9 +1159,13 @@ static int f2fs_sync_inode_meta(struct f2fs_sb_info = *sbi) sync_inode_metadata(inode, 0); =20 /* it's on eviction */ - if (is_inode_flag_set(inode, FI_DIRTY_INODE)) + if (is_inode_flag_set(inode, FI_DIRTY_INODE)) { + printk(KERN_ERR "I AM DONE \n"); f2fs_update_inode_page(inode); + } iput(inode); + if (unlikely(f2fs_cp_error(sbi))) + return -EIO; } } return 0; @@ -1275,14 +1286,25 @@ static int block_operations(struct f2fs_sb_info *sb= i) atomic_inc(&sbi->wb_sync_req[NODE]); err =3D f2fs_sync_node_pages(sbi, &wbc, false, FS_CP_NODE_IO); atomic_dec(&sbi->wb_sync_req[NODE]); + printk(KERN_ERR "block_operations: f2fs_sync_node_pages returned %d, cp_= error=3D%d\n",=20 + err, f2fs_cp_error(sbi)); if (err) { f2fs_up_write(&sbi->node_change); f2fs_unlock_all(sbi); return err; } + /* Check if I/O error set CP_ERROR_FLAG */ + if (unlikely(f2fs_cp_error(sbi))) { + printk(KERN_ERR "NOT ALLOWED \n"); + f2fs_up_write(&sbi->node_change); + f2fs_unlock_all(sbi); + return -EIO; + } cond_resched(); goto retry_flush_nodes; } + printk(KERN_ERR "block_operations: no more dirty nodes\n"); + =20 /* * sbi->node_change is used only for AIO write_begin path which produces --=20 2.43.0
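
Review bot: In the first hunk of f2fs_sync_inode_meta() (@@ -1134), the added printk(KERN_ERR ...) calls are debugging output and should be removed before this is applied. Two of them sit between spin_lock(&sbi->inode_lock[DIRTY_META]) and the list_empty(head) check, so they run with the spinlock held, and the one at the top of the loop logs at error level on every pass of while (total--). The hunk also adds a whitespace-only line and deletes a blank line, neither of which the fix needs; with the printk lines dropped this hunk should carry no changes at all.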
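
Review bot: The f2fs_cp_error() check added after iput(inode) in the second hunk (@@ -1152) only changes the result for the final pass of the loop, because the existing check at the top of while (total--) already returns -EIO at the start of every later iteration; the commit message should state that this is the case being closed. Note also that the new check sits inside the block that ends with iput(inode), so it is skipped on passes where that block is not entered, and the list_empty(head) path above still returns 0 regardless of the flag. The printk(KERN_ERR "I AM DONE \n") line should be dropped, and with it the braces added around f2fs_update_inode_page(inode), so the hunk reduces to the two added lines of the check.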
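
Review bot: The f2fs_cp_error() check added to block_operations() after the if (err) block (@@ -1275) is not covered by the commit message, which describes only the change to f2fs_sync_inode_meta(), and it repeats the f2fs_up_write(&sbi->node_change) and f2fs_unlock_all(sbi) unwind of the branch directly above it. Either explain in the commit message why this path needs its own check or drop it; if it stays, fold it into the existing branch, for example by setting err to -EIO when the flag is set before testing err, so the unwind exists once. The three printk(KERN_ERR ...) lines in this hunk, including "NOT ALLOWED", and the trailing whitespace on the added lines should be removed.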