From: ssrane_b23@ee.vjti.ac.in
To: shaggy@kernel.org
Cc: jfs-discussion@lists.sourceforge.net,
linux-kernel@vger.kernel.org, akpm@linux-foundation.org,
dsterba@suse.com, david@redhat.com, shivankg@amd.com,
skhan@linuxfoundation.org, linux-kernel-mentees@lists.linux.dev,
david.hunter.linux@gmail.com, khalid@kernel.org,
Shaurya Rane <ssrane_b23@ee.vjti.ac.in>,
syzbot+cfc7cab3bb6eaa7c4de2@syzkaller.appspotmail.com
Subject: [PATCH] jfs: Initialize synclist in metapage allocation
Date: Sat, 8 Nov 2025 01:36:45 +0530 [thread overview]
Message-ID: <20251107200645.149093-1-ssranevjti@gmail.com> (raw)
From: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
The synclist field in struct metapage was not being initialized during
allocation in alloc_metapage(), leading to list corruption when the
metapage is later added to a transaction's sync list.
When diUpdatePMap() calls list_add(&mp->synclist, &tblk->synclist), if
the synclist field contains stale data from a previous allocation (such
as LIST_POISON values from a freed list node), the list debugging code
detects the corruption and triggers a stack segment fault.
This issue is intermittent because it only manifests when recycled
memory happens to contain poison values in the synclist field. The bug
was discovered by syzbot, which creates specific filesystem patterns
that reliably trigger this uninitialized memory usage.
Initialize the synclist field with INIT_LIST_HEAD() in alloc_metapage()
to ensure it's in a valid state before being used in list operations.
This is consistent with how the wait queue is initialized in the same
function.
Reported-by: syzbot+cfc7cab3bb6eaa7c4de2@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=cfc7cab3bb6eaa7c4de2
Signed-off-by: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
---
Tested:
- Tested locally with syzbot reproducer, no errors observed
fs/jfs/jfs_metapage.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/jfs/jfs_metapage.c b/fs/jfs/jfs_metapage.c
index 871cf4fb3636..77c512a0a42b 100644
--- a/fs/jfs/jfs_metapage.c
+++ b/fs/jfs/jfs_metapage.c
@@ -269,6 +269,7 @@ static inline struct metapage *alloc_metapage(gfp_t gfp_mask)
mp->data = NULL;
mp->clsn = 0;
mp->log = NULL;
+ INIT_LIST_HEAD(&mp->synclist);
init_waitqueue_head(&mp->wait);
}
return mp;
--
2.34.1
next reply other threads:[~2025-11-07 20:07 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-07 20:06 ssrane_b23 [this message]
2025-11-08 10:19 ` [PATCH] jfs: Initialize synclist in metapage allocation Tetsuo Handa
-- strict thread matches above, loose matches on Subject: below --
2025-11-08 13:58 ssrane_b23
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251107200645.149093-1-ssranevjti@gmail.com \
--to=ssrane_b23@ee.vjti.ac.in \
--cc=akpm@linux-foundation.org \
--cc=david.hunter.linux@gmail.com \
--cc=david@redhat.com \
--cc=dsterba@suse.com \
--cc=jfs-discussion@lists.sourceforge.net \
--cc=khalid@kernel.org \
--cc=linux-kernel-mentees@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=shaggy@kernel.org \
--cc=shivankg@amd.com \
--cc=skhan@linuxfoundation.org \
--cc=syzbot+cfc7cab3bb6eaa7c4de2@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox