Re: [PATCH] gfs2: fix hung task in gfs2_jhead_process_page

[Matthew Wilcox]

On Tue, Mar 24, 2026 at 09:09:59AM +0530, Deepanshu Kartikey wrote:
> filemap_get_folio() returns an ERR_PTR if the folio is not present
> in the page cache. gfs2_jhead_process_page() does not check the
> return value and passes it directly to folio_wait_locked(), causing
> the kernel task to get stuck in uninterruptible sleep (state D)
> forever, triggering the hung task watchdog.
> 
> This can be triggered by mounting a crafted or corrupted GFS2
> filesystem image.
> 
> Fix this by checking the return value of filemap_get_folio() and
> returning early if the folio is not found.
> 
> Fixes: 240159077d00 ("gfs2: Convert gfs2_jhead_process_page() to use a folio")

No.  That commit only changed the code, it didn't introduce the bug.
f4686c26ecc3 may have introduced it, but I wouldn't swear to it.

I have my doubts that this is the right fix.  If you look at the entire
function, it assumes that the folio was already created and added to
the page cache.  The error should surely be detected earlier, not by
this function.

> Reported-by: syzbot+9013411dc43f3582823a@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=9013411dc43f3582823a
> Signed-off-by: Deepanshu Kartikey <Kartikey406@xxxxxxxxx>
> ---
>  fs/gfs2/lops.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/fs/gfs2/lops.c b/fs/gfs2/lops.c
> index 797931eb5845..005584311eff 100644
> --- a/fs/gfs2/lops.c
> +++ b/fs/gfs2/lops.c
> @@ -467,6 +467,9 @@ static void gfs2_jhead_process_page(struct gfs2_jdesc *jd, unsigned long index,
>  
>  	folio = filemap_get_folio(jd->jd_inode->i_mapping, index);
>  
> +	if (IS_ERR(folio))
> +		return;
> +
>  	folio_wait_locked(folio);
>  	if (!folio_test_uptodate(folio))
>  		*done = true;
> -- 
> 2.43.0
>