fs: Handle multiply claimed blocks more gracefully with mmb

When a metadata block is referenced by multiple inodes and tracked by metadata bh infrastructure (which is forbidden and generally indicates filesystem corruption), it can happen that mmb_mark_buffer_dirty() is called for two different mmb structures in parallel. This can lead to a corruption of mmb linked list. Handle that situation gracefully (at least from mmb POV) by serializing on setting bh->b_mmb. Reported-by: Ruikai Peng <ruikai@pwno.io> Signed-off-by: Jan Kara <jack@suse.cz> Link: https://patch.msgid.link/20260423090311.10955-2-jack@suse.cz Signed-off-by: Christian Brauner <brauner@kernel.org>
author: Jan Kara <jack@suse.cz> 2026-04-23 11:03:12 +0200
committer: Christian Brauner <brauner@kernel.org> 2026-04-24 00:34:59 +0200
commit: 9a466382c5e1ab706e155914e5532c80c2f3f76c (patch)
tree: dd6e36ea99429ad506ca1a37b0fc317f71f56778
parent: 43eb354ecb471426e97b0ce6a0c922ec20f82027 (diff)
1 files changed, 8 insertions, 1 deletions
diff --git a/fs/buffer.c b/fs/buffer.c
index e6980dab1a7f..770a5d89277c 100644
--- a/fs/buffer.c
+++ b/fs/buffer.c
@@ -719,8 +719,15 @@ void mmb_mark_buffer_dirty(struct buffer_head *bh,
 	mark_buffer_dirty(bh);
 	if (!bh->b_mmb) {
 		spin_lock(&mmb->lock);
+		/*
+		 * For a corrupted filesystem with multiply claimed blocks this
+		 * can fail. Avoid corrupting the linked list in that case.
+		 */
+		if (cmpxchg(&bh->b_mmb, NULL, mmb) != NULL) {
+			spin_unlock(&mmb->lock);
+			return;
+		}
 		list_move_tail(&bh->b_assoc_buffers, &mmb->list);
-		bh->b_mmb = mmb;
 		spin_unlock(&mmb->lock);
 	}
 }
author	Jan Kara <jack@suse.cz>	2026-04-23 11:03:12 +0200
committer	Christian Brauner <brauner@kernel.org>	2026-04-24 00:34:59 +0200
commit	9a466382c5e1ab706e155914e5532c80c2f3f76c (patch)
tree	dd6e36ea99429ad506ca1a37b0fc317f71f56778
parent	43eb354ecb471426e97b0ce6a0c922ec20f82027 (diff)