<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/fs/f2fs, branch v7.2-rc1</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc1'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-06-22T19:55:27+00:00</updated>
<entry>
<title>f2fs: fix to round down start offset of fallocate for pin file</title>
<updated>2026-06-22T19:55:27+00:00</updated>
<author>
<name>Sunmin Jeong</name>
<email>s_min.jeong@samsung.com</email>
</author>
<published>2026-06-22T05:28:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=4275b59673eb60b02eec3997816c83f1f4b909c4'/>
<id>urn:sha1:4275b59673eb60b02eec3997816c83f1f4b909c4</id>
<content type='text'>
Currently, the length of fallocate for pin file is section-aligned to
keep allocated sections from being selected as victims of GC. However,
for the case that the start offset of fallocate is not aligned in
section, the allocated sections can't be fully utilized. It's because a
new section is allocated by f2fs_allocate_pinning_section() after using
blks_per_sec blocks regardless of the start offset. As a result, several
unexpected dirty segments may be created, including blocks assigned to
the pinned file.

To address this issue, let's round down the start offset of fallocate
to the length of section.

The reproducing scenario is as below:

chunk=$(((2&lt;&lt;20)+4096)) # 2MB + 4KB
touch test
f2fs_io pinfile set test
f2fs_io fallocate 0 0 $chunk test
f2fs_io fallocate 0 $chunk $chunk test
f2fs_io fallocate 0 $((chunk*2)) $chunk test
f2fs_io fiemap 0 $((chunk*3)) test

Fiemap: offset = 0 len = 12288
    logical addr.    physical addr.   length           flags
0   0000000000000000 000000068c600000 0000000000400000 00001088
1   0000000000400000 000000003d400000 0000000000001000 00001088
2   0000000000401000 00000003eb200000 0000000000200000 00001088
3   0000000000601000 00000005e4200000 0000000000001000 00001088
4   0000000000602000 0000000605400000 0000000000200000 00001089

Cc: stable@vger.kernel.org
Fixes: f5a53edcf01e ("f2fs: support aligned pinned file")
Reviewed-by: Yunji Kang &lt;yunji0.kang@samsung.com&gt;
Reviewed-by: Yeongjin Gil &lt;youngjin.gil@samsung.com&gt;
Reviewed-by: Sungjong Seo &lt;sj1557.seo@samsung.com&gt;
Signed-off-by: Sunmin Jeong &lt;s_min.jeong@samsung.com&gt;
Reviewed-by: Chao Yu &lt;chao@kernel.org&gt;
Signed-off-by: Jaegeuk Kim &lt;jaegeuk@kernel.org&gt;
</content>
</entry>
<entry>
<title>f2fs: fix listxattr handling of corrupted xattr entries</title>
<updated>2026-06-22T19:55:27+00:00</updated>
<author>
<name>Keshav Verma</name>
<email>iganschel@gmail.com</email>
</author>
<published>2026-06-22T15:14:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=5ef5bc304f23c3fe255d4936472378dcb74d0e94'/>
<id>urn:sha1:5ef5bc304f23c3fe255d4936472378dcb74d0e94</id>
<content type='text'>
Validate the xattr entry before reading its fields in f2fs_listxattr().
Return -EFSCORRUPTED when the entry is outside the valid xattr storage
area instead of returning a successful partial result.

Fixes: 688078e7f36c ("f2fs: fix to avoid memory leakage in f2fs_listxattr")
Cc: stable@kernel.org
Reviewed-by: Chao Yu &lt;chao@kernel.org&gt;
Signed-off-by: Keshav Verma &lt;iganschel@gmail.com&gt;
Signed-off-by: Jaegeuk Kim &lt;jaegeuk@kernel.org&gt;
</content>
</entry>
<entry>
<title>f2fs: skip direct I/O iostat context when disabled</title>
<updated>2026-06-22T19:52:38+00:00</updated>
<author>
<name>Wenjie Qi</name>
<email>qwjhust@gmail.com</email>
</author>
<published>2026-06-16T03:06:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=34636c6dcd6f75570c553a4188b5dbe0f758159a'/>
<id>urn:sha1:34636c6dcd6f75570c553a4188b5dbe0f758159a</id>
<content type='text'>
F2FS iostat is optional and is disabled by default.  Direct I/O still
allocates and binds a bio_iostat_ctx, updates the submit timestamp, and
replaces bi_end_io for every DIO bio even when sbi-&gt;iostat_enable is
false.

The byte accounting calls do not need an extra guard because
f2fs_update_iostat() already checks sbi-&gt;iostat_enable.  Only skip the
DIO bio context setup when iostat is disabled.  If iostat is enabled
through sysfs before submission, the existing context allocation and
latency accounting path is still used.

QEMU benchmark on a 1GiB F2FS virtio-blk image, with iostat_enable=0,
4KiB O_DIRECT I/O over a 64MiB file, 50000 iterations per run:

                         baseline     patched
  direct_read median    65264.50 ns  55470.95 ns
  direct_read recheck   65553.75 ns  55470.95 ns
  direct_write median   68054.62 ns  56309.44 ns
  direct_write recheck  66873.51 ns  56309.44 ns

Signed-off-by: Wenjie Qi &lt;qiwenjie@xiaomi.com&gt;
Reviewed-by: Chao Yu &lt;chao@kernel.org&gt;
Signed-off-by: Jaegeuk Kim &lt;jaegeuk@kernel.org&gt;
</content>
</entry>
<entry>
<title>f2fs: remove unneeded f2fs_is_compressed_page()</title>
<updated>2026-06-22T19:52:38+00:00</updated>
<author>
<name>Chao Yu</name>
<email>chao@kernel.org</email>
</author>
<published>2026-06-15T13:08:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=70210492be5ac8e4f42b383b75dfa11810afab86'/>
<id>urn:sha1:70210492be5ac8e4f42b383b75dfa11810afab86</id>
<content type='text'>
We have checked f2fs_is_compressed_page() before f2fs_compress_write_end_io(),
so we don't need to check the status again; remove it.

Signed-off-by: Chao Yu &lt;chao@kernel.org&gt;
Signed-off-by: Jaegeuk Kim &lt;jaegeuk@kernel.org&gt;
</content>
</entry>
<entry>
<title>f2fs: avoid unnecessary fscrypt_finalize_bounce_page()</title>
<updated>2026-06-22T19:52:38+00:00</updated>
<author>
<name>Chao Yu</name>
<email>chao@kernel.org</email>
</author>
<published>2026-06-15T13:08:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=8b938ae6f0766559dfc4ad5acac958b1eff8664d'/>
<id>urn:sha1:8b938ae6f0766559dfc4ad5acac958b1eff8664d</id>
<content type='text'>
fscrypt_finalize_bounce_page() should be called only if we use fs layer
crypto; let's avoid unnecessary fscrypt_finalize_bounce_page() in the error
path of f2fs_write_compressed_pages().

BTW, fscrypt_finalize_bounce_page() will check mapping of bounced page
before retrieving original page, so, previously it won't cause any issue
w/ fscrypt_finalize_bounce_page(), but still we'd better avoid coupling
w/ any logic inside fscrypt_finalize_bounce_page().

Signed-off-by: Chao Yu &lt;chao@kernel.org&gt;
Signed-off-by: Jaegeuk Kim &lt;jaegeuk@kernel.org&gt;
</content>
</entry>
<entry>
<title>f2fs: avoid unnecessary sanity check on ckpt_valid_blocks</title>
<updated>2026-06-22T19:52:38+00:00</updated>
<author>
<name>Chao Yu</name>
<email>chao@kernel.org</email>
</author>
<published>2026-06-15T13:08:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=cf716276b0dca934aad5fe3c46df04e1dc596734'/>
<id>urn:sha1:cf716276b0dca934aad5fe3c46df04e1dc596734</id>
<content type='text'>
The calculation of sec-&gt;ckpt_valid_blocks is the same in both
set_ckpt_valid_blocks() and sanity_check_valid_blocks(), so it
isn't necessary to call sanity_check_valid_blocks() right after
set_ckpt_valid_blocks().

Signed-off-by: Chao Yu &lt;chao@kernel.org&gt;
Signed-off-by: Jaegeuk Kim &lt;jaegeuk@kernel.org&gt;
</content>
</entry>
<entry>
<title>f2fs: misc cleanup in f2fs_record_stop_reason()</title>
<updated>2026-06-22T19:52:38+00:00</updated>
<author>
<name>Chao Yu</name>
<email>chao@kernel.org</email>
</author>
<published>2026-06-15T13:08:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=d27e4431023770249a341aeb94cb40f4ff12b21e'/>
<id>urn:sha1:d27e4431023770249a341aeb94cb40f4ff12b21e</id>
<content type='text'>
Signed-off-by: Chao Yu &lt;chao@kernel.org&gt;
Signed-off-by: Jaegeuk Kim &lt;jaegeuk@kernel.org&gt;
</content>
</entry>
<entry>
<title>f2fs: fix wrong description in printed log</title>
<updated>2026-06-22T19:52:38+00:00</updated>
<author>
<name>Chao Yu</name>
<email>chao@kernel.org</email>
</author>
<published>2026-06-15T13:08:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=98fd20b9cf472d7e0518517ea9e587a9a2b8b311'/>
<id>urn:sha1:98fd20b9cf472d7e0518517ea9e587a9a2b8b311</id>
<content type='text'>
This patch fixes the wrong description in the printed log:

"SSA and SIT" -&gt; "SIT and SSA"

Signed-off-by: Chao Yu &lt;chao@kernel.org&gt;
Signed-off-by: Jaegeuk Kim &lt;jaegeuk@kernel.org&gt;
</content>
</entry>
<entry>
<title>f2fs: bound i_inline_xattr_size for non-inline-xattr inodes</title>
<updated>2026-06-22T19:52:37+00:00</updated>
<author>
<name>Bryam Vargas</name>
<email>hexlabsecurity@proton.me</email>
</author>
<published>2026-06-12T04:00:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=378acf3cf19b6af6cba55e8dd1154c4e1504bae8'/>
<id>urn:sha1:378acf3cf19b6af6cba55e8dd1154c4e1504bae8</id>
<content type='text'>
When the flexible_inline_xattr feature is enabled, do_read_inode() loads
the on-disk i_inline_xattr_size unconditionally:

	if (f2fs_sb_has_flexible_inline_xattr(sbi))
		fi-&gt;i_inline_xattr_size = le16_to_cpu(ri-&gt;i_inline_xattr_size);

but sanity_check_inode() only range-checks it when the inode also has the
FI_INLINE_XATTR flag set.  An inode that carries an inline dentry or inline
data but not FI_INLINE_XATTR -- the normal layout for an inline
directory -- therefore keeps a fully attacker-controlled
i_inline_xattr_size from a crafted image.

get_inline_xattr_addrs() returns that value with no flag gating, so it
feeds the inode geometry:

	MAX_INLINE_DATA()  = 4 * (CUR_ADDRS_PER_INODE - i_inline_xattr_size - 1)
	NR_INLINE_DENTRY() = MAX_INLINE_DATA() * BITS_PER_BYTE / (...)
	addrs_per_page()   = CUR_ADDRS_PER_INODE - i_inline_xattr_size

A large i_inline_xattr_size drives MAX_INLINE_DATA() and NR_INLINE_DENTRY()
negative, so make_dentry_ptr_inline() sets d-&gt;max (int) to a negative
value.  The inline directory walk then compares an unsigned long bit_pos
against that negative d-&gt;max, which is promoted to a huge unsigned bound,
and reads far past the inline area:

	while (bit_pos &lt; d-&gt;max)		/* fs/f2fs/dir.c */
		... test_bit_le(bit_pos, d-&gt;bitmap) / d-&gt;dentry[bit_pos] ...

Mounting a crafted image and reading such a directory triggers an
out-of-bounds read in f2fs_fill_dentries(); the same underflow also
corrupts ADDRS_PER_INODE for regular files.

Validate i_inline_xattr_size against MAX_INLINE_XATTR_SIZE whenever the
flexible_inline_xattr feature is enabled -- i.e. whenever the value is
loaded from disk and consumed -- and keep the lower MIN_INLINE_XATTR_SIZE
bound gated on inodes that actually carry an inline xattr, so legitimate
inodes with i_inline_xattr_size == 0 are still accepted.

Cc: stable@vger.kernel.org
Fixes: 6afc662e68b5 ("f2fs: support flexible inline xattr size")
Signed-off-by: Bryam Vargas &lt;hexlabsecurity@proton.me&gt;
Reviewed-by: Chao Yu &lt;chao@kernel.org&gt;
Signed-off-by: Jaegeuk Kim &lt;jaegeuk@kernel.org&gt;
</content>
</entry>
<entry>
<title>f2fs: validate ACL entry sizes in f2fs_acl_from_disk()</title>
<updated>2026-06-22T19:52:37+00:00</updated>
<author>
<name>Zhang Cen</name>
<email>rollkingzzc@gmail.com</email>
</author>
<published>2026-06-15T07:19:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=c4810ada31e80cbe4011467c4f3b1e93f94134f3'/>
<id>urn:sha1:c4810ada31e80cbe4011467c4f3b1e93f94134f3</id>
<content type='text'>
f2fs_acl_count() only validates the aggregate ACL xattr length. A
malformed ACL can still place ACL_USER or ACL_GROUP in a slot that only
contains struct f2fs_acl_entry_short bytes, and f2fs_acl_from_disk()
then reads entry-&gt;e_id before verifying that a full entry fits.

Require a short entry before reading e_tag and e_perm, and require a
full entry before reading e_id for ACL_USER and ACL_GROUP. Return
-EFSCORRUPTED from these new truncated-entry checks, while keeping the
pre-existing -EINVAL paths unchanged.

Validation reproduced this kernel report:
KASAN slab-out-of-bounds in __f2fs_get_acl+0x6fb/0x7e0
RIP: 0033:0x7f4b835ea7aa
The buggy address belongs to the object at ffff888114589960 which belongs
to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes to the right of allocated 8-byte
region [ffff888114589960, ffff888114589968)
Read of size 4
Call trace:
  dump_stack_lvl+0x66/0xa0 (?:?)
  print_report+0xce/0x630 (?:?)
  __f2fs_get_acl+0x6fb/0x7e0 (fs/f2fs/acl.c:169)
  srso_alias_return_thunk+0x5/0xfbef5 (?:?)
  __virt_addr_valid+0x224/0x430 (?:?)
  kasan_report+0xe0/0x110 (?:?)
  __f2fs_get_acl+0x5/0x7e0 (fs/f2fs/acl.c:169)
  __get_acl+0x281/0x380 (?:?)
  vfs_get_acl+0x10b/0x190 (?:?)
  do_get_acl+0x2a/0x410 (?:?)
  do_get_acl+0x9/0x410 (?:?)
  do_getxattr+0xe8/0x260 (?:?)
  filename_getxattr+0xd1/0x140 (?:?)
  do_getname+0x2d/0x2d0 (?:?)
  path_getxattrat+0x16c/0x200 (?:?)
  lock_release+0xc8/0x290 (?:?)
  cgroup_update_frozen+0x9d/0x320 (?:?)
  lockdep_hardirqs_on_prepare+0xea/0x1a0 (?:?)
  trace_hardirqs_on+0x1a/0x170 (?:?)
  _raw_spin_unlock_irq+0x28/0x50 (?:?)
  do_syscall_64+0x115/0x6a0 (arch/x86/entry/syscall_64.c:87)
  entry_SYSCALL_64_after_hwframe+0x77/0x7f (?:?)

Cc: stable@kernel.org
Fixes: af48b85b8cd3 ("f2fs: add xattr and acl functionalities")
Assisted-by: Codex:gpt-5.5
Signed-off-by: Zhang Cen &lt;rollkingzzc@gmail.com&gt;
Reviewed-by: Chao Yu &lt;chao@kernel.org&gt;
Signed-off-by: Jaegeuk Kim &lt;jaegeuk@kernel.org&gt;
</content>
</entry>
</feed>
