In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid panic once fallocation fails for pinfile
syzbot reports an f2fs bug as below:
------------[ cut here ]------------
kernel BUG at fs/f2fs/segment.c:2746!
CPU: 0 UID: 0 PID: 5323 Comm: syz.0.0 Not tainted 6.13.0-rc2-syzkaller-00018-g7cb1b4663150 #0
RIP: 0010:get_new_segment fs/f2fs/segment.c:2746 [inline]
RIP: 0010:new_curseg+0x1f52/0x1f70 fs/f2fs/segment.c:2876
Call Trace:
<TASK>
__allocate_new_segment+0x1ce/0x940 fs/f2fs/segment.c:3210
f2fs_allocate_new_section fs/f2fs/segment.c:3224 [inline]
f2fs_allocate_pinning_section+0xfa/0x4e0 fs/f2fs/segment.c:3238
f2fs_expand_inode_data+0x696/0xca0 fs/f2fs/file.c:1830
f2fs_fallocate+0x537/0xa10 fs/f2fs/file.c:1940
vfs_fallocate+0x569/0x6e0 fs/open.c:327
do_vfs_ioctl+0x258c/0x2e40 fs/ioctl.c:885
__do_sys_ioctl fs/ioctl.c:904 [inline]
__se_sys_ioctl+0x80/0x170 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Concurrent pinfile allocation may run out of free sections, resulting in a panic in get_new_segment(); let's expand pin_sem lock coverage to include f2fs_gc(), so that we can make sure to reclaim enough free space for the following allocation.
In addition, make the changes below to enhance error path handling:
- call f2fs_bug_on() only in the non-pinfile allocation path in get_new_segment().
- call reset_curseg_fields() to reset all fields of curseg in new_curseg().
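The race and the two fixes above, as an added deterministic model that is not f2fs code: free_sections, KERNEL_BUG, gc_reclaim() and the two scenario functions are constructed stand-ins for the kernel internals, and the "T1"/"T2" steps replay one interleaving of two concurrent pinfile allocators.

```c
#include <errno.h>
#include <stdio.h>

/* Added model of the pinfile allocation race, not kernel code. All names
 * here are constructed stand-ins for the f2fs internals they comment on. */
#define KERNEL_BUG (-1000)   /* marks where f2fs_bug_on() would panic */

static int free_sections;    /* free sections left in the modelled fs */

/* Models f2fs_gc() reclaiming one section of free space. */
static void gc_reclaim(void) { free_sections++; }

/* Models get_new_segment(). On exhaustion the old code always hit
 * f2fs_bug_on(); the fix keeps the BUG only for non-pinfile callers and
 * lets the pinfile path fail with -ENOSPC instead. */
static int get_new_segment(int pinning, int fixed)
{
    if (free_sections == 0)
        return (fixed && pinning) ? -ENOSPC : KERNEL_BUG;
    free_sections--;
    return 0;
}

/* Old ordering: pin_sem is dropped around GC, so a second pinner (T2) can
 * take the section T1 just reclaimed before T1 retries its allocation. */
static int pinfile_alloc_before_fix(void)
{
    free_sections = 0;          /* T1: first try under pin_sem fails, -EAGAIN */
    gc_reclaim();               /* T1: f2fs_gc() runs with pin_sem released */
    get_new_segment(1, 0);      /* T2: takes pin_sem, eats the reclaimed section */
    return get_new_segment(1, 0); /* T1: retakes pin_sem, nothing left: KERNEL_BUG */
}

/* Fixed ordering: GC and the retried allocation happen under one pin_sem
 * hold, so T2 cannot slip in between; a later caller that finds no space
 * gets -ENOSPC rather than a panic. */
static int pinfile_alloc_after_fix(int *t2_err)
{
    int err;
    free_sections = 0;
    gc_reclaim();                    /* T1: GC now inside the pin_sem hold... */
    err = get_new_segment(1, 1);     /* T1: ...so the reclaimed section is its own */
    *t2_err = get_new_segment(1, 1); /* T2 afterwards: -ENOSPC, no panic */
    return err;                      /* 0 */
}

int main(void)
{
    int t2, t1 = pinfile_alloc_after_fix(&t2);
    printf("before fix: %d, after fix: T1 %d, T2 %d\n",
           pinfile_alloc_before_fix(), t1, t2);
    return 0;
}
```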