| From: Lizhi Xu <lizhi.xu@windriver.com> |
| Subject: ocfs2: reset folio to NULL when get folio fails |
| Date: Mon, 16 Jun 2025 09:31:40 +0800 |
| |
| The reproducer uses FAULT_INJECTION to make memory allocation fail, which |
| causes __filemap_get_folio() to fail when initializing w_folios[i] in |
| ocfs2_grab_folios_for_write(). In that case it only returns an error code, |
| and the value of w_folios[i] is that error code, which causes |
| ocfs2_unlock_and_free_folios() to recycle the invalid w_folios[i] when |
| releasing folios. |
| |
| Link: https://lkml.kernel.org/r/20250616013140.3602219-1-lizhi.xu@windriver.com |
| Reported-by: syzbot+c2ea94ae47cd7e3881ec@syzkaller.appspotmail.com |
| Closes: https://syzkaller.appspot.com/bug?extid=c2ea94ae47cd7e3881ec |
| Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com> |
| Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com> |
| Cc: Mark Fasheh <mark@fasheh.com> |
| Cc: Joel Becker <jlbec@evilplan.org> |
| Cc: Junxiao Bi <junxiao.bi@oracle.com> |
| Cc: Changwei Ge <gechangwei@live.cn> |
| Cc: Jun Piao <piaojun@huawei.com> |
| Cc: <stable@vger.kernel.org> |
| Signed-off-by: Andrew Morton <akpm@linux-foundation.org> |
| --- |
| |
| fs/ocfs2/aops.c | 1 + |
| 1 file changed, 1 insertion(+) |
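
The defect the changelog describes, modelled in user space as an added example (this is not ocfs2 or kernel code): an array of folio pointers is filled by a fallible lookup, a fault-injected failure leaves an ERR_PTR in the slot, and a cleanup loop that only skips NULL entries then "releases" the error pointer. The ERR_PTR/PTR_ERR/IS_ERR helpers are reimplemented with the kernel's encoding, `get_folio` stands in for `__filemap_get_folio()`, `unlock_and_free_folios` for `ocfs2_unlock_and_free_folios()`, and the array size `NR_FOLIOS`, the `fail_at` knob and the `struct write_ctxt` layout are assumptions of the model. The buggy and fixed grab routines mirror the before and after of the hunk.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space stand-ins for the kernel's ERR_PTR helpers: an errno is
 * encoded as one of the top MAX_ERRNO addresses, which never alias a
 * real allocation. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)(uintptr_t)err; }
static inline long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static inline int IS_ERR(const void *p)
{
    return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO;
}

#define NR_FOLIOS 4               /* assumed array size for the model */

struct folio { int index; };      /* stand-in for struct folio */
struct write_ctxt {               /* stand-in for ocfs2_write_ctxt */
    struct folio *w_folios[NR_FOLIOS];
};

/* Fault injection knob: the lookup for this index fails with -ENOMEM,
 * mimicking what FAULT_INJECTION did to __filemap_get_folio(). */
static int fail_at = -1;

static struct folio *get_folio(int index)
{
    if (index == fail_at)
        return ERR_PTR(-ENOMEM);
    struct folio *f = malloc(sizeof *f);
    if (!f)
        return ERR_PTR(-ENOMEM);
    f->index = index;
    return f;
}

/* Cleanup modelled on ocfs2_unlock_and_free_folios(): NULL slots are
 * skipped, everything else is released. Returns how many slots held an
 * error pointer, i.e. how many times the kernel would have called
 * folio_unlock()/folio_put() on a bogus address. */
static int unlock_and_free_folios(struct write_ctxt *wc)
{
    int bad = 0;
    for (int i = 0; i < NR_FOLIOS; i++) {
        if (!wc->w_folios[i])
            continue;
        if (IS_ERR(wc->w_folios[i]))
            bad++;                /* would be a crash in the kernel */
        else
            free(wc->w_folios[i]);
        wc->w_folios[i] = NULL;
    }
    return bad;
}

/* Before the patch: the ERR_PTR is left behind in w_folios[i]. */
static int grab_folios_buggy(struct write_ctxt *wc)
{
    int ret = 0;
    for (int i = 0; i < NR_FOLIOS; i++) {
        wc->w_folios[i] = get_folio(i);
        if (IS_ERR(wc->w_folios[i])) {
            ret = PTR_ERR(wc->w_folios[i]);
            goto out;
        }
    }
out:
    return ret;
}

/* After the patch: the slot is reset to NULL so cleanup skips it. */
static int grab_folios_fixed(struct write_ctxt *wc)
{
    int ret = 0;
    for (int i = 0; i < NR_FOLIOS; i++) {
        wc->w_folios[i] = get_folio(i);
        if (IS_ERR(wc->w_folios[i])) {
            ret = PTR_ERR(wc->w_folios[i]);
            wc->w_folios[i] = NULL;
            goto out;
        }
    }
out:
    return ret;
}

/* Run one variant with the failure injected at slot fail_idx (-1 for no
 * failure) and return the number of bad slots the cleanup path saw. */
static int run_case(int (*grab)(struct write_ctxt *), int fail_idx)
{
    struct write_ctxt wc = { { NULL } };   /* zeroed, as kzalloc() would */
    fail_at = fail_idx;
    int ret = grab(&wc);
    if (ret)
        fprintf(stderr, "grab failed: %d\n", ret);
    return unlock_and_free_folios(&wc);
}

int main(void)
{
    printf("buggy: %d bad slot(s)\n", run_case(grab_folios_buggy, 2));
    printf("fixed: %d bad slot(s)\n", run_case(grab_folios_fixed, 2));
    return 0;
}
```

The cleanup's NULL check is the only thing protecting the remaining slots, so any error path that leaves a non-NULL, non-folio value in the array defeats it; the one-line reset is the whole fix.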
| |
| --- a/fs/ocfs2/aops.c~ocfs2-reset-folio-to-null-when-get-folio-fails |
| +++ a/fs/ocfs2/aops.c |
| @@ -1071,6 +1071,7 @@ static int ocfs2_grab_folios_for_write(s |
| if (IS_ERR(wc->w_folios[i])) { |
| ret = PTR_ERR(wc->w_folios[i]); |
| mlog_errno(ret); |
| + wc->w_folios[i] = NULL; |
| goto out; |
| } |
| } |
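Review bot: the reset makes slot i safe for the cleanup path, but the reader has to know that ocfs2_unlock_and_free_folios() skips NULL entries and would otherwise act on the ERR_PTR (the changelog says so, the code does not); a one-line comment above `wc->w_folios[i] = NULL;` such as `/* don't let the cleanup path see an ERR_PTR */` would make the intent visible at the site. The `goto out` also leaves slots after i untouched, so the argument additionally depends on w_folios being zeroed when the write context is allocated; a sentence in the changelog confirming that would complete the reasoning for the stable backport.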
| _ |