6.18-stable patches

author Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Tue, 17 Feb 2026 18:42:42 +0000 (19:42 +0100)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Tue, 17 Feb 2026 18:42:42 +0000 (19:42 +0100)
author Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 17 Feb 2026 18:42:42 +0000 (19:42 +0100)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 17 Feb 2026 18:42:42 +0000 (19:42 +0100)
diff --git a/queue-6.18/f2fs-fix-to-do-sanity-check-on-node-footer-in-__write_node_folio.patch b/queue-6.18/f2fs-fix-to-do-sanity-check-on-node-footer-in-__write_node_folio.patch

new file mode 100644 (file)

index 0000000..1441151
--- /dev/null
+++ b/queue-6.18/f2fs-fix-to-do-sanity-check-on-node-footer-in-__write_node_folio.patch
@@ -0,0 +1,39 @@
+From stable+bounces-216868-greg=kroah.com@vger.kernel.org Tue Feb 17 18:42:45 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Feb 2026 12:42:37 -0500
+Subject: f2fs: fix to do sanity check on node footer in __write_node_folio()
+To: stable@vger.kernel.org
+Cc: Chao Yu <chao@kernel.org>, Jaegeuk Kim <jaegeuk@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260217174238.3796376-1-sashal@kernel.org>
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 0a736109c9d29de0c26567e42cb99b27861aa8ba ]
+
+Add node footer sanity check during node folio's writeback, if sanity
+check fails, let's shutdown filesystem to avoid looping to redirty
+and writeback in .writepages.
+
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/node.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -1751,7 +1751,11 @@ static bool __write_node_folio(struct fo
+ 
+       /* get old block addr of this node page */
+       nid = nid_of_node(folio);
+-      f2fs_bug_on(sbi, folio->index != nid);
++
++      if (sanity_check_node_footer(sbi, folio, nid, NODE_TYPE_REGULAR)) {
++              f2fs_handle_critical_error(sbi, STOP_CP_REASON_CORRUPTED_NID);
++              goto redirty_out;
++      }
+ 
+       if (f2fs_get_node_info(sbi, nid, &ni, !do_balance))
+               goto redirty_out;
diff --git a/queue-6.18/f2fs-fix-to-do-sanity-check-on-node-footer-in-read-write-_end_io.patch b/queue-6.18/f2fs-fix-to-do-sanity-check-on-node-footer-in-read-write-_end_io.patch

new file mode 100644 (file)

index 0000000..e852b06
--- /dev/null
+++ b/queue-6.18/f2fs-fix-to-do-sanity-check-on-node-footer-in-read-write-_end_io.patch
@@ -0,0 +1,178 @@
+From stable+bounces-216869-greg=kroah.com@vger.kernel.org Tue Feb 17 18:42:45 2026
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Feb 2026 12:42:38 -0500
+Subject: f2fs: fix to do sanity check on node footer in {read,write}_end_io
+To: stable@vger.kernel.org
+Cc: Chao Yu <chao@kernel.org>, stable@kernel.org, syzbot+803dd716c4310d16ff3a@syzkaller.appspotmail.com, Jaegeuk Kim <jaegeuk@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20260217174238.3796376-2-sashal@kernel.org>
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 50ac3ecd8e05b6bcc350c71a4307d40c030ec7e4 ]
+
+-----------[ cut here ]------------
+kernel BUG at fs/f2fs/data.c:358!
+Call Trace:
+ <IRQ>
+ blk_update_request+0x5eb/0xe70 block/blk-mq.c:987
+ blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1149
+ blk_complete_reqs block/blk-mq.c:1224 [inline]
+ blk_done_softirq+0x107/0x160 block/blk-mq.c:1229
+ handle_softirqs+0x283/0x870 kernel/softirq.c:579
+ __do_softirq kernel/softirq.c:613 [inline]
+ invoke_softirq kernel/softirq.c:453 [inline]
+ __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
+ irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
+ instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
+ sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
+ </IRQ>
+
+In f2fs_write_end_io(), it detects there is inconsistency in between
+node page index (nid) and footer.nid of node page.
+
+If footer of node page is corrupted in fuzzed image, then we load corrupted
+node page w/ async method, e.g. f2fs_ra_node_pages() or f2fs_ra_node_page(),
+in where we won't do sanity check on node footer, once node page becomes
+dirty, we will encounter this bug after node page writeback.
+
+Cc: stable@kernel.org
+Reported-by: syzbot+803dd716c4310d16ff3a@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=803dd716c4310d16ff3a
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+[ Context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/data.c |   13 +++++++++++--
+ fs/f2fs/f2fs.h |   12 ++++++++++++
+ fs/f2fs/node.c |   20 +++++++++++---------
+ fs/f2fs/node.h |    8 --------
+ 4 files changed, 34 insertions(+), 19 deletions(-)
+
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -151,6 +151,12 @@ static void f2fs_finish_read_bio(struct
+               }
+ 
+               dec_page_count(F2FS_F_SB(folio), __read_io_type(folio));
++
++              if (F2FS_F_SB(folio)->node_inode && is_node_folio(folio) &&
++                      f2fs_sanity_check_node_footer(F2FS_F_SB(folio),
++                              folio, folio->index, NODE_TYPE_REGULAR, true))
++                      bio->bi_status = BLK_STS_IOERR;
++
+               folio_end_read(folio, bio->bi_status == BLK_STS_OK);
+       }
+ 
+@@ -352,8 +358,11 @@ static void f2fs_write_end_io(struct bio
+                                               STOP_CP_REASON_WRITE_FAIL);
+               }
+ 
+-              f2fs_bug_on(sbi, is_node_folio(folio) &&
+-                              folio->index != nid_of_node(folio));
++              if (is_node_folio(folio)) {
++                      f2fs_sanity_check_node_footer(sbi, folio,
++                              folio->index, NODE_TYPE_REGULAR, true);
++                      f2fs_bug_on(sbi, folio->index != nid_of_node(folio));
++              }
+ 
+               dec_page_count(sbi, type);
+ 
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -1516,6 +1516,15 @@ enum f2fs_lookup_mode {
+       LOOKUP_AUTO,
+ };
+ 
++/* For node type in __get_node_folio() */
++enum node_type {
++      NODE_TYPE_REGULAR,
++      NODE_TYPE_INODE,
++      NODE_TYPE_XATTR,
++      NODE_TYPE_NON_INODE,
++};
++
++
+ static inline int f2fs_test_bit(unsigned int nr, char *addr);
+ static inline void f2fs_set_bit(unsigned int nr, char *addr);
+ static inline void f2fs_clear_bit(unsigned int nr, char *addr);
+@@ -3874,6 +3883,9 @@ struct folio *f2fs_new_node_folio(struct
+ void f2fs_ra_node_page(struct f2fs_sb_info *sbi, nid_t nid);
+ struct folio *f2fs_get_node_folio(struct f2fs_sb_info *sbi, pgoff_t nid,
+                                               enum node_type node_type);
++int f2fs_sanity_check_node_footer(struct f2fs_sb_info *sbi,
++                                      struct folio *folio, pgoff_t nid,
++                                      enum node_type ntype, bool in_irq);
+ struct folio *f2fs_get_inode_folio(struct f2fs_sb_info *sbi, pgoff_t ino);
+ struct folio *f2fs_get_xnode_folio(struct f2fs_sb_info *sbi, pgoff_t xnid);
+ int f2fs_move_node_folio(struct folio *node_folio, int gc_type);
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -1500,9 +1500,9 @@ void f2fs_ra_node_page(struct f2fs_sb_in
+       f2fs_folio_put(afolio, err ? true : false);
+ }
+ 
+-static int sanity_check_node_footer(struct f2fs_sb_info *sbi,
++int f2fs_sanity_check_node_footer(struct f2fs_sb_info *sbi,
+                                       struct folio *folio, pgoff_t nid,
+-                                      enum node_type ntype)
++                                      enum node_type ntype, bool in_irq)
+ {
+       if (unlikely(nid != nid_of_node(folio)))
+               goto out_err;
+@@ -1527,12 +1527,13 @@ static int sanity_check_node_footer(stru
+               goto out_err;
+       return 0;
+ out_err:
+-      f2fs_warn(sbi, "inconsistent node block, node_type:%d, nid:%lu, "
+-                "node_footer[nid:%u,ino:%u,ofs:%u,cpver:%llu,blkaddr:%u]",
+-                ntype, nid, nid_of_node(folio), ino_of_node(folio),
+-                ofs_of_node(folio), cpver_of_node(folio),
+-                next_blkaddr_of_node(folio));
+       set_sbi_flag(sbi, SBI_NEED_FSCK);
++      f2fs_warn_ratelimited(sbi, "inconsistent node block, node_type:%d, nid:%lu, "
++              "node_footer[nid:%u,ino:%u,ofs:%u,cpver:%llu,blkaddr:%u]",
++              ntype, nid, nid_of_node(folio), ino_of_node(folio),
++              ofs_of_node(folio), cpver_of_node(folio),
++              next_blkaddr_of_node(folio));
++
+       f2fs_handle_error(sbi, ERROR_INCONSISTENT_FOOTER);
+       return -EFSCORRUPTED;
+ }
+@@ -1578,7 +1579,7 @@ repeat:
+               goto out_err;
+       }
+ page_hit:
+-      err = sanity_check_node_footer(sbi, folio, nid, ntype);
++      err = f2fs_sanity_check_node_footer(sbi, folio, nid, ntype, false);
+       if (!err)
+               return folio;
+ out_err:
+@@ -1752,7 +1753,8 @@ static bool __write_node_folio(struct fo
+       /* get old block addr of this node page */
+       nid = nid_of_node(folio);
+ 
+-      if (sanity_check_node_footer(sbi, folio, nid, NODE_TYPE_REGULAR)) {
++      if (f2fs_sanity_check_node_footer(sbi, folio, nid,
++                                      NODE_TYPE_REGULAR, false)) {
+               f2fs_handle_critical_error(sbi, STOP_CP_REASON_CORRUPTED_NID);
+               goto redirty_out;
+       }
+--- a/fs/f2fs/node.h
++++ b/fs/f2fs/node.h
+@@ -52,14 +52,6 @@ enum {
+       IS_PREALLOC,            /* nat entry is preallocated */
+ };
+ 
+-/* For node type in __get_node_folio() */
+-enum node_type {
+-      NODE_TYPE_REGULAR,
+-      NODE_TYPE_INODE,
+-      NODE_TYPE_XATTR,
+-      NODE_TYPE_NON_INODE,
+-};
+-
+ /*
+  * For node information
+  */
diff --git a/queue-6.18/series b/queue-6.18/series

index c775a83cfe1f1449efc81230b00f75e5421d3af3..ee18671074333e394fd074155d104c75122d3dc5 100644 (file)
--- a/queue-6.18/series
+++ b/queue-6.18/series
@@ -39,3 +39,5 @@ f2fs-fix-to-avoid-mapping-wrong-physical-block-for-swapfile.patch
  f2fs-optimize-f2fs_overwrite_io-for-f2fs_iomap_begin.patch
  iommu-arm-smmu-qcom-do-not-register-driver-in-probe.patch
  usb-serial-option-add-telit-fn920c04-rndis-compositions.patch
+f2fs-fix-to-do-sanity-check-on-node-footer-in-__write_node_folio.patch
+f2fs-fix-to-do-sanity-check-on-node-footer-in-read-write-_end_io.patch
author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Tue, 17 Feb 2026 18:42:42 +0000 (19:42 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Tue, 17 Feb 2026 18:42:42 +0000 (19:42 +0100)
queue-6.18/f2fs-fix-to-do-sanity-check-on-node-footer-in-__write_node_folio.patch	[new file with mode: 0644]	patch \| blob
queue-6.18/f2fs-fix-to-do-sanity-check-on-node-footer-in-read-write-_end_io.patch	[new file with mode: 0644]	patch \| blob
queue-6.18/series		patch \| blob \| blame \| history