From: Tristan Madani
To: David Woodhouse, Richard Weinberger
Cc: linux-mtd@lists.infradead.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Tristan Madani, syzbot+44664704c1494ad5f7a0@syzkaller.appspotmail.com
Subject: [PATCH 2/3] jffs2: clean up xattr refs in jffs2_del_ino_cache instead of BUG_ON
Date: Fri, 1 May 2026 11:02:45 +0000
Message-ID: <20260501110246.50647-2-tristmd@gmail.com>
In-Reply-To: <20260501110246.50647-1-tristmd@gmail.com>
References: <20260501110246.50647-1-tristmd@gmail.com>

From: Tristan Madani

jffs2_del_ino_cache() triggers BUG_ON(old->xref) when an inode cache
entry still has xattr references. This can happen during unmount:
generic_shutdown_super() calls evict_inodes() before put_super(), but
jffs2_evict_inode -> jffs2_do_clear_inode -> jffs2_xattr_delete_inode
only clears xrefs when pino_nlink == 0. For inodes with nlink > 0 at
unmount time, xrefs survive past eviction, and the subsequent
jffs2_del_ino_cache() hits the BUG_ON.

Replace the BUG_ON with a call to jffs2_xattr_free_inode(), which walks
the xref list and frees each entry without writing delete markers to
flash. This is appropriate during unmount since the flash state will be
reconstructed by the next mount scan anyway.

jffs2_xattr_free_inode() already exists for this purpose and is used by
jffs2_clear_xattr_subsystem() in the put_super path, but that runs too
late -- after jffs2_del_ino_cache has already been called from
evict_inode.

Reported-by: syzbot+44664704c1494ad5f7a0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=44664704c1494ad5f7a0
Fixes: aa98d7cf59b5 ("[JFFS2][XATTR] XATTR support on JFFS2 (version 5)")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani
--- fs/jffs2/nodelist.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/jffs2/nodelist.c b/fs/jffs2/nodelist.c index b86c78d178c60..9af269b78b241 100644 --- a/fs/jffs2/nodelist.c +++ b/fs/jffs2/nodelist.c @@ -459,7 +459,8 @@ void jffs2_del_ino_cache(struct jffs2_sb_info *c, struct jffs2_inode_cache *old) struct jffs2_inode_cache **prev; #ifdef CONFIG_JFFS2_FS_XATTR - BUG_ON(old->xref); + if (old->xref) + jffs2_xattr_free_inode(c, old); #endif dbg_inocache("del %p (ino #%u)\n", old, old->ino); spin_lock(&c->inocache_lock); -- 2.47.3
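
Review bot: In the CONFIG_JFFS2_FS_XATTR block of jffs2_del_ino_cache(), the new "if (old->xref)" branch runs for every caller of this function, while the commit message justifies freeing xrefs without delete markers only for the unmount path. Please either state in the message that no non-unmount caller can reach this point with old->xref set, or add a short comment above the branch recording that assumption, so a later reader does not take the silent cleanup as safe in general. The call also sits before spin_lock(&c->inocache_lock); it would help to say what locking jffs2_xattr_free_inode() expects and that the callers of jffs2_del_ino_cache() satisfy it.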