From: syzbot <syzbot+44664704c1494ad5f7a0@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: Re: [syzbot] kernel BUG in jffs2_del_ino_cache
Date: Sat, 18 Apr 2026 05:56:54 -0700
Message-ID: <69e37f96.050a0220.24bfd3.0007.GAE@google.com>
In-Reply-To: <0000000000008bbf19061531d31a@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: Re: [syzbot] kernel BUG in jffs2_del_ino_cache
Author: tristmd@gmail.com
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
>From 7108f321633c0bdfbbab9d305e2e01e7d83c8902 Mon Sep 17 00:00:00 2001
From: Tristan Madani <tristan@talencesecurity.com>
Date: Sat, 18 Apr 2026 12:55:36 +0000
Subject: [PATCH] jffs2: clean up residual xattr refs in jffs2_del_ino_cache

jffs2_del_ino_cache() uses BUG_ON(old->xref) to assert that all xattr
references have been cleaned up before deleting an inode cache entry.
However, a corrupted filesystem image can lead to inode cache deletion
with xattr references still attached, triggering a kernel panic.

Replace the BUG_ON with a graceful cleanup path that calls
jffs2_xattr_free_inode() to properly release all residual xattr
references before proceeding with the deletion.

Reported-by: syzbot+44664704c1494ad5f7a0@syzkaller.appspotmail.com
Fixes: aa98d7cf59b5 ("[JFFS2][XATTR] XATTR support on JFFS2 (version 5)")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
fs/jffs2/nodelist.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/jffs2/nodelist.c b/fs/jffs2/nodelist.c
index b86c78d178c60..498308f741a34 100644
--- a/fs/jffs2/nodelist.c
+++ b/fs/jffs2/nodelist.c
@@ -459,7 +459,10 @@ void jffs2_del_ino_cache(struct jffs2_sb_info *c, struct jffs2_inode_cache *old)
struct jffs2_inode_cache **prev;
#ifdef CONFIG_JFFS2_FS_XATTR
- BUG_ON(old->xref);
+ if (old->xref) {
+ pr_notice("ino #%u: cleaning up residual xattr refs\n", old->ino);
+ jffs2_xattr_free_inode(c, old);
+ }
#endif
dbg_inocache("del %p (ino #%u)\n", old, old->ino);
spin_lock(&c->inocache_lock);
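
Review bot: The new `if (old->xref)` branch calls jffs2_xattr_free_inode(c, old) ahead of spin_lock(&c->inocache_lock), but the changelog does not say which caller reaches jffs2_del_ino_cache() with xref still set, nor that the callee is safe in every context this function runs in. Please name the path the syzbot image takes and state the locking expectation, since releasing the refs here may hide a missing cleanup in that caller rather than fix it. Separately, the changelog attributes the condition to a corrupted filesystem image, so pr_warn (preferably rate-limited, as a bad image may hit this for many inodes) fits better than pr_notice.
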
--
2.47.3