Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
Date: Mon, 16 Mar 2026 21:25:05 -0700
In-Reply-To: <69b8c713.a00a0220.3b25d1.0029.GAE@google.com>
Message-ID: <69b8d7a1.a00a0220.3b25d1.002b.GAE@google.com>
Subject: Forwarded: [PATCH] nilfs2: fix wrong inode returned from nilfs_iget_for_shadow on cache hit
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Content-Type: text/plain; charset="UTF-8"

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] nilfs2: fix wrong inode returned from nilfs_iget_for_shadow on cache hit
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master

nilfs_iget_for_shadow() returns the original inode instead of the cached shadow inode when the shadow inode already exists (I_NEW not set). This causes nilfs_mdt_setup_shadow_map() to store the original inode as shadow->inode, so subsequent calls to nilfs_mdt_save_to_shadow_map() dereference the wrong inode's i_assoc_inode, which may be NULL, leading to a general protection fault.

This can be triggered by mounting a corrupted NILFS2 image that causes rollback recovery, followed immediately by NILFS_IOCTL_CLEAN_SEGMENTS. During rollback, nilfs_dat_read() is called twice, causing nilfs_iget_for_shadow() to hit the cached path and return the wrong inode.

Fix this by returning s_inode instead of inode on the cache hit path.

Reported-by: syzbot+4b4093b1f24ad789bf37@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4b4093b1f24ad789bf37
Signed-off-by: Deepanshu Kartikey
---
 fs/nilfs2/inode.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/nilfs2/inode.c b/fs/nilfs2/inode.c index 51bde45d5865..1f9bc63eb295 100644 --- a/fs/nilfs2/inode.c +++ b/fs/nilfs2/inode.c @@ -687,7 +687,7 @@ struct inode *nilfs_iget_for_shadow(struct inode *inode) if (unlikely(!s_inode)) return ERR_PTR(-ENOMEM); if (!(inode_state_read_once(s_inode) & I_NEW)) - return inode; + return s_inode; NILFS_I(s_inode)->i_flags = 0; memset(NILFS_I(s_inode)->i_bmap, 0, sizeof(struct nilfs_bmap)); -- 2.43.0
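Review bot: the one-line change in the hunk is correct as far as the visible lines show: on the cache-hit path `if (!(inode_state_read_once(s_inode) & I_NEW)) return inode;` the function hands the caller back its own argument instead of the shadow inode it just looked up, while the lines that follow (`NILFS_I(s_inode)->i_flags = 0;` and the memset of `i_bmap`) make clear that s_inode is the object this function is meant to produce, so `return s_inode;` restores the intended contract and matches the description of how the wrong inode ends up in shadow->inode. Two things are missing from the commit message: a Fixes: tag naming the commit that introduced the `return inode;` on the cache-hit path, and a Cc: stable@vger.kernel.org line, since the description says the NULL dereference is reachable by mounting a corrupted on-disk image followed by NILFS_IOCTL_CLEAN_SEGMENTS, which is exactly the class of fix stable kernels want. The `#syz test:` line at the top is the syzbot test request that this forwarded copy records, not part of the patch; it should not be carried into the final submission.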