From: syzbot <syzbot+9013411dc43f3582823a@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] gfs2: fix duplicate kmem_cache on repeated mount failure
Date: Tue, 24 Mar 2026 02:27:58 -0700
Message-ID: <69c2591e.050a0220.3bf4de.00ae.GAE@google.com>
In-Reply-To: <69c19ef0.050a0220.3bf4de.00a9.GAE@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] gfs2: fix duplicate kmem_cache on repeated mount failure
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
When gfs2_fill_super() fails after the bufdata cache has been
created, the error path destroys the cache via fail_bufdata but
does not set sd_bufdata to NULL. The VFS then calls gfs2_put_super()
as part of mount cleanup, which destroys the cache a second time,
corrupting the slab state.
On the next mount attempt, kmem_cache_create() finds a ghost entry
with the same name and triggers a WARN, causing a kernel panic.
Fix this by setting sd_bufdata to NULL after destroying it in the
error path. kmem_cache_destroy(NULL) is a no-op, so the subsequent
call in gfs2_put_super() becomes safe.
Reported-by: syzbot+9013411dc43f3582823a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9013411dc43f3582823a
Fixes: f9d6fc9557e6 ("gfs2: per-filesystem bufdata cache")
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
fs/gfs2/lops.c | 3 +++
fs/gfs2/ops_fstype.c | 1 +
2 files changed, 4 insertions(+)
diff --git a/fs/gfs2/lops.c b/fs/gfs2/lops.c
index 797931eb5845..005584311eff 100644
--- a/fs/gfs2/lops.c
+++ b/fs/gfs2/lops.c
@@ -467,6 +467,9 @@ static void gfs2_jhead_process_page(struct gfs2_jdesc *jd, unsigned long index,
folio = filemap_get_folio(jd->jd_inode->i_mapping, index);
+ if (IS_ERR(folio))
+ return;
+
folio_wait_locked(folio);
if (!folio_test_uptodate(folio))
*done = true;
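Review bot: this lops.c hunk is not described anywhere in the commit message, which covers only the sd_bufdata double-destroy in the gfs2_fill_super() error path; an early return from gfs2_jhead_process_page() when filemap_get_folio() hands back an error pointer is a separate change and should be split into its own patch with its own explanation. If it stays here, please say why a missing folio returns silently rather than setting `*done = true` the way the not-uptodate case two lines below does, since a caller that loops over journal pages waiting for `*done` may otherwise keep going.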
diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
index b44adb40635d..4cff08fa3b50 100644
--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -1315,6 +1315,7 @@ static int gfs2_fill_super(struct super_block *sb, struct fs_context *fc)
gfs2_sys_fs_del(sdp);
fail_bufdata:
kmem_cache_destroy(sdp->sd_bufdata);
+ sdp->sd_bufdata = NULL;
fail_delete_wq:
destroy_workqueue(sdp->sd_delete_wq);
fail_glock_wq:
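Review bot: the `sdp->sd_bufdata = NULL;` after kmem_cache_destroy() is the right minimal fix, since kmem_cache_destroy(NULL) is a no-op and the second destroy from gfs2_put_super() then becomes harmless, but the same error ladder releases other per-superblock resources (for example `destroy_workqueue(sdp->sd_delete_wq);` under `fail_delete_wq:`) that gfs2_put_super() may also tear down when the VFS cleans up a failed mount. It is worth checking whether those need the same NULL-out (or whether gfs2_put_super() should skip resources the fill_super error path already released) so this is not a one-off fix for the one resource syzbot happened to trip over.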
--
2.43.0