kernel/linux.git/fs/erofs, branch v6.1.168

erofs: Fix the slab-out-of-bounds in drop_buffers()

2026-04-11T12:16:37+00:00

commit ce529cc25b184e93397b94a8a322128fc0095cbb upstream. This was accidentally fixed in commit ce529cc25b18, but it's not possible to accept all the changes, due to the lack of large folios support for Linux 6.1 kernels, so this is only the actual bug fix that's needed. [Background] Syzbot reported that a KASAN slab-out-of-bounds bug was discovered in the drop_buffers() function [1]. The root cause is that erofs_raw_access_aops does not define .release_folio and .invalidate_folio. When using iomap-based operations, folio->private may contain iomap-specific data rather than buffer_heads. Without special handlers, the kernel may fall back to generic functions (such as drop_buffers), which incorrectly treat folio->private as a list of buffer_head structures, leading to incorrect memory interpretation and out-of-bounds access. Fix this by explicitly setting .release_folio and .invalidate_folio to the values of iomap_release_folio and iomap_invalidate_folio, respectively. [1] https://syzkaller.appspot.com/x/report.txt?x=12e5a142580000 Fixes: 7479c505b4ab ("fs: Convert iomap_readpage to iomap_read_folio") Reported-by: syzbot+5b886a2e03529dbcef81@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?id=c6aeabd0c4ad2466f63a274faf2a123103f8fbf7 Signed-off-by: Denis Arefev Reviewed-by: Gao Xiang Signed-off-by: Greg Kroah-Hartman

erofs: fix PSI memstall accounting

2026-04-11T12:16:37+00:00

commit 1a2180f6859c73c674809f9f82e36c94084682ba upstream. Max Kellermann recently reported psi_group_cpu.tasks[NR_MEMSTALL] is incorrect in the 6.11.9 kernel. The root cause appears to be that, since the problematic commit, bio can be NULL, causing psi_memstall_leave() to be skipped in z_erofs_submit_queue(). Reported-by: Max Kellermann Closes: https://lore.kernel.org/r/CAKPOu+8tvSowiJADW2RuKyofL_CSkm_SuyZA7ME5vMLWmL6pqw@mail.gmail.com Fixes: 9e2f9d34dd12 ("erofs: handle overlapped pclusters out of crafted images properly") Reviewed-by: Chao Yu Link: https://lore.kernel.org/r/20241127085236.3538334-1-hsiangkao@linux.alibaba.com Signed-off-by: Alexey Panov Link: https://lore.kernel.org/r/20250304110558.8315-3-apanov@astralinux.ru Link: https://lore.kernel.org/r/20250304110558.8315-1-apanov@astralinux.ru [ Gao Xiang: re-address the previous Alexey's backport. ] CVE: CVE-2024-47736 Signed-off-by: Gao Xiang Signed-off-by: Greg Kroah-Hartman

erofs: handle overlapped pclusters out of crafted images properly

2026-04-11T12:16:37+00:00

commit 9e2f9d34dd12e6e5b244ec488bcebd0c2d566c50 upstream. syzbot reported a task hang issue due to a deadlock case where it is waiting for the folio lock of a cached folio that will be used for cache I/Os. After looking into the crafted fuzzed image, I found it's formed with several overlapped big pclusters as below: Ext: logical offset | length : physical offset | length 0: 0.. 16384 | 16384 : 151552.. 167936 | 16384 1: 16384.. 32768 | 16384 : 155648.. 172032 | 16384 2: 32768.. 49152 | 16384 : 537223168.. 537239552 | 16384 ... Here, extent 0/1 are physically overlapped although it's entirely _impossible_ for normal filesystem images generated by mkfs. First, managed folios containing compressed data will be marked as up-to-date and then unlocked immediately (unlike in-place folios) when compressed I/Os are complete. If physical blocks are not submitted in the incremental order, there should be separate BIOs to avoid dependency issues. However, the current code mis-arranges z_erofs_fill_bio_vec() and BIO submission which causes unexpected BIO waits. Second, managed folios will be connected to their own pclusters for efficient inter-queries. However, this is somewhat hard to implement easily if overlapped big pclusters exist. Again, these only appear in fuzzed images so let's simply fall back to temporary short-lived pages for correctness. Additionally, it justifies that referenced managed folios cannot be truncated for now and reverts part of commit 2080ca1ed3e4 ("erofs: tidy up `struct z_erofs_bvec`") for simplicity although it shouldn't be any difference. [Alexey: This patch follows linux 6.6.y conflict resolution changes of struct folio -> struct page] Reported-by: syzbot+4fc98ed414ae63d1ada2@syzkaller.appspotmail.com Reported-by: syzbot+de04e06b28cfecf2281c@syzkaller.appspotmail.com Reported-by: syzbot+c8c8238b394be4a1087d@syzkaller.appspotmail.com Tested-by: syzbot+4fc98ed414ae63d1ada2@syzkaller.appspotmail.com Closes: https://lore.kernel.org/r/0000000000002fda01061e334873@google.com Fixes: 8e6c8fa9f2e9 ("erofs: enable big pcluster feature") Link: https://lore.kernel.org/r/20240910070847.3356592-1-hsiangkao@linux.alibaba.com Signed-off-by: Alexey Panov Link: https://lore.kernel.org/r/20250304110558.8315-2-apanov@astralinux.ru Link: https://lore.kernel.org/r/20250304110558.8315-1-apanov@astralinux.ru [ Gao Xiang: re-address the previous Alexey's backport. ] CVE: CVE-2024-47736 Signed-off-by: Gao Xiang Signed-off-by: Greg Kroah-Hartman

erofs: add GFP_NOIO in the bio completion if needed

2026-04-11T12:16:14+00:00

commit c23df30915f83e7257c8625b690a1cece94142a0 upstream. The bio completion path in the process context (e.g. dm-verity) will directly call into decompression rather than trigger another workqueue context for minimal scheduling latencies, which can then call vm_map_ram() with GFP_KERNEL. Due to insufficient memory, vm_map_ram() may generate memory swapping I/O, which can cause submit_bio_wait to deadlock in some scenarios. Trimmed down the call stack, as follows: f2fs_submit_read_io submit_bio //bio_list is initialized. mmc_blk_mq_recovery z_erofs_endio vm_map_ram __pte_alloc_kernel __alloc_pages_direct_reclaim shrink_folio_list __swap_writepage submit_bio_wait //bio_list is non-NULL, hang!!! Use memalloc_noio_{save,restore}() to wrap up this path. Reviewed-by: Gao Xiang Signed-off-by: Jiucheng Xu Reviewed-by: Chao Yu Signed-off-by: Gao Xiang Signed-off-by: Greg Kroah-Hartman

erofs: address D-cache aliasing

2025-08-15T10:04:51+00:00

commit 27917e8194f91dffd8b4825350c63cb68e98ce58 upstream. Flush the D-cache before unlocking folios for compressed inodes, as they are dirtied during decompression. Avoid calling flush_dcache_folio() on every CPU write, since it's more like playing whack-a-mole without real benefit. It has no impact on x86 and arm64/risc-v: on x86, flush_dcache_folio() is a no-op, and on arm64/risc-v, PG_dcache_clean (PG_arch_1) is clear for new page cache folios. However, certain ARM boards are affected, as reported. Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support") Closes: https://lore.kernel.org/r/c1e51e16-6cc6-49d0-a63e-4e9ff6c4dd53@pengutronix.de Closes: https://lore.kernel.org/r/38d43fae-1182-4155-9c5b-ffc7382d9917@siemens.com Tested-by: Jan Kiszka Tested-by: Stefan Kerkmann Link: https://lore.kernel.org/r/20250709034614.2780117-2-hsiangkao@linux.alibaba.com Signed-off-by: Gao Xiang Signed-off-by: Greg Kroah-Hartman

erofs: simplify z_erofs_transform_plain()

2025-08-15T10:04:51+00:00

commit c5539762f32e97c5e16215fa1336e32095b8b0fd upstream. Use memcpy_to_page() instead of open-coding them. In addition, add a missing flush_dcache_page() even though almost all modern architectures clear `PG_dcache_clean` flag for new file cache pages so that it doesn't change anything in practice. Signed-off-by: Gao Xiang Reviewed-by: Yue Hu Reviewed-by: Chao Yu Link: https://lore.kernel.org/r/20230627161240.331-2-hsiangkao@linux.alibaba.com Signed-off-by: Gao Xiang Signed-off-by: Greg Kroah-Hartman

erofs: drop z_erofs_page_mark_eio()

2025-08-15T10:04:51+00:00

commit 9a05c6a8bc26138d34e87b39e6a815603bc2a66c upstream. It can be folded into z_erofs_onlinepage_endio() to simplify the code. Reviewed-by: Yue Hu Reviewed-by: Chao Yu Signed-off-by: Gao Xiang Link: https://lore.kernel.org/r/20230817082813.81180-5-hsiangkao@linux.alibaba.com Signed-off-by: Greg Kroah-Hartman

erofs: sunset erofs_dbg()

2025-08-15T10:04:51+00:00

commit 10656f9ca60ed85f4cfc06bcbe1f240ee310fa8c upstream. Such debug messages are rarely used now. Let's get rid of these, and revert locally if they are needed for debugging. Signed-off-by: Gao Xiang Reviewed-by: Chao Yu Link: https://lore.kernel.org/r/20230414083027.12307-1-hsiangkao@linux.alibaba.com Signed-off-by: Greg Kroah-Hartman

erofs: get rid of debug_one_dentry()

2025-08-15T10:04:51+00:00

commit e324eaa9790614577c93e819651e0a83963dac79 upstream. Since erofsdump is available, no need to keep this debugging functionality at all. Also drop a useless comment since it's the VFS behavior. Link: https://lore.kernel.org/r/20230114125746.399253-1-xiang@kernel.org Reviewed-by: Yue Hu Reviewed-by: Jingbo Xu Reviewed-by: Chao Yu Signed-off-by: Gao Xiang Signed-off-by: Greg Kroah-Hartman

erofs: fix to add missing tracepoint in erofs_read_folio()

2025-07-17T16:32:12+00:00

[ Upstream commit 99f7619a77a0a2e3e2bcae676d0f301769167754 ] Commit 771c994ea51f ("erofs: convert all uncompressed cases to iomap") converts to use iomap interface, it removed trace_erofs_readpage() tracepoint in the meantime, let's add it back. Fixes: 771c994ea51f ("erofs: convert all uncompressed cases to iomap") Signed-off-by: Chao Yu Reviewed-by: Gao Xiang Link: https://lore.kernel.org/r/20250708111942.3120926-1-chao@kernel.org Signed-off-by: Gao Xiang Signed-off-by: Sasha Levin