* [syzbot] [jfs?] [fat?] general protection fault in txEnd
@ 2026-03-30 21:15 Rafael Alejandro Diaz Cruz
2026-03-30 21:45 ` [syzbot] [jfs] " syzbot
0 siblings, 1 reply; 8+ messages in thread
From: Rafael Alejandro Diaz Cruz @ 2026-03-30 21:15 UTC (permalink / raw)
To: linux-kernel, skhan, syzkaller-bugs
[-- Attachment #1: Type: text/plain, Size: 10 bytes --]
#syz test
[-- Attachment #2: 0001-jfs-prevent-null-log-deference-from-superblock-durin.patch --]
[-- Type: text/x-diff, Size: 972 bytes --]
From f5d32d2cad197e1cd5e335ec85490bda11aec429 Mon Sep 17 00:00:00 2001
From: rafad900 <19312533+rafad900@users.noreply.github.com>
Date: Mon, 30 Mar 2026 13:33:13 -0700
Subject: [PATCH] jfs: prevent null log deference from superblock during
read only mode Clearing the inode pointer is necessary to ensure no memory
leaks after txBegin fails to initialize the superblock during read only mode.
Signed-off-by: rafad900 <19312533+rafad900@users.noreply.github.com>
---
fs/jfs/namei.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/jfs/namei.c b/fs/jfs/namei.c
index 25b303276b82..6d5a1f8f72ab 100644
--- a/fs/jfs/namei.c
+++ b/fs/jfs/namei.c
@@ -99,6 +99,9 @@ static int jfs_create(struct mnt_idmap *idmap, struct inode *dip,
tid = txBegin(dip->i_sb, 0);
if (tid == 0) {
jfs_err("jfs_create: unable to create tblk due to read only filesystem");
+ free_ea_wmap(ip);
+ clear_nlink(ip);
+ discard_new_inode(ip);
return -EROFS;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 8+ messages in thread* [syzbot] [jfs?] [fat?] general protection fault in txEnd
@ 2026-03-30 23:32 Rafael Alejandro Diaz Cruz
2026-03-31 0:19 ` [syzbot] [jfs] " syzbot
0 siblings, 1 reply; 8+ messages in thread
From: Rafael Alejandro Diaz Cruz @ 2026-03-30 23:32 UTC (permalink / raw)
To: linux-kernel, skhan, syzkaller-bugs
[-- Attachment #1: Type: text/plain, Size: 10 bytes --]
#syz test
[-- Attachment #2: 0001-jfs-prevent-null-log-deference-from-superblock-durin.patch --]
[-- Type: text/x-diff, Size: 1151 bytes --]
From da93920ddc6ccfe238f98e6e060700566f4052c0 Mon Sep 17 00:00:00 2001
From: rafad900 <19312533+rafad900@users.noreply.github.com>
Date: Mon, 30 Mar 2026 13:33:13 -0700
Subject: [PATCH] jfs: prevent null log deference from superblock during
read only mode
Clearing the inode pointer is necessary to ensure no memory leaks
after txBegin fails to initialize the superblock during read only
mode.
Signed-off-by: rafad900 <19312533+rafad900@users.noreply.github.com>
---
fs/jfs/namei.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/fs/jfs/namei.c b/fs/jfs/namei.c
index 60c4a0e0fca5..3a5f45cdeae0 100644
--- a/fs/jfs/namei.c
+++ b/fs/jfs/namei.c
@@ -97,7 +97,13 @@ static int jfs_create(struct mnt_idmap *idmap, struct inode *dip,
}
tid = txBegin(dip->i_sb, 0);
-
+ if (tid == 0) {
+ jfs_err("jfs_create: unable to create tblk due to read only filesystem");
+ free_ea_wmap(ip);
+ clear_nlink(ip);
+ discard_new_inode(ip);
+ return -EROFS;
+ }
mutex_lock_nested(&JFS_IP(dip)->commit_mutex, COMMIT_MUTEX_PARENT);
mutex_lock_nested(&JFS_IP(ip)->commit_mutex, COMMIT_MUTEX_CHILD);
--
2.43.0
^ permalink raw reply related [flat|nested] 8+ messages in thread* [syzbot] [jfs?] [fat?] general protection fault in txEnd
@ 2026-03-28 2:20 Rafael Alejandro Diaz Cruz
2026-03-29 11:07 ` [syzbot] [jfs] " syzbot
0 siblings, 1 reply; 8+ messages in thread
From: Rafael Alejandro Diaz Cruz @ 2026-03-28 2:20 UTC (permalink / raw)
To: linux-kernel, skhan, syzkaller-bugs
[-- Attachment #1: Type: text/plain, Size: 10 bytes --]
#syz test
[-- Attachment #2: 0001-jfs-prevent-null-log-deference-from-superblock-durin.patch --]
[-- Type: text/x-diff, Size: 1310 bytes --]
From b530db0e1844ca2b8fecf527dd5d5457e329adf0 Mon Sep 17 00:00:00 2001
From: rafad900 <19312533+rafad900@users.noreply.github.com>
Date: Fri, 27 Mar 2026 18:58:45 -0700
Subject: [PATCH] jfs: prevent null log deference from superblock during read
only mode
Its not possible to use jfs_create() while the file system is in read
only mode. However, there is not a way for jfs_create() to handle this case
when txBegin fails. So jfs_create() continues to with the changes to the
filesystem and tries to txCommit() them, but when trying to write the changes
to the ->log of the superblock, we reach an error telling us that system
cannot write and enters panic.
Signed-off-by: rafad900 <19312533+rafad900@users.noreply.github.com>
---
fs/jfs/namei.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/jfs/namei.c b/fs/jfs/namei.c
index 60c4a0e0fca5..25b303276b82 100644
--- a/fs/jfs/namei.c
+++ b/fs/jfs/namei.c
@@ -97,6 +97,10 @@ static int jfs_create(struct mnt_idmap *idmap, struct inode *dip,
}
tid = txBegin(dip->i_sb, 0);
+ if (tid == 0) {
+ jfs_err("jfs_create: unable to create tblk due to read only filesystem");
+ return -EROFS;
+ }
mutex_lock_nested(&JFS_IP(dip)->commit_mutex, COMMIT_MUTEX_PARENT);
mutex_lock_nested(&JFS_IP(ip)->commit_mutex, COMMIT_MUTEX_CHILD);
--
2.43.0
^ permalink raw reply related [flat|nested] 8+ messages in thread* Re: [syzbot] [jfs] general protection fault in txEnd
2026-03-28 2:20 [syzbot] [jfs?] [fat?] " Rafael Alejandro Diaz Cruz
@ 2026-03-29 11:07 ` syzbot
0 siblings, 0 replies; 8+ messages in thread
From: syzbot @ 2026-03-29 11:07 UTC (permalink / raw)
To: linux-kernel, rafad900, skhan, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
VFS: Busy inodes after unmount (use-after-free)
VFS: Busy inodes after unmount of loop0 (jfs)
------------[ cut here ]------------
kernel BUG at fs/super.c:656!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 6453 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:generic_shutdown_super+0x2c4/0x2d0 fs/super.c:654
Code: 03 42 80 3c 28 00 74 08 4c 89 f7 e8 06 7b ed ff 49 8b 16 48 81 c3 68 06 00 00 48 c7 c7 60 c1 b9 8b 48 89 de e8 ed 52 e8 fe 90 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc900036c7d00 EFLAGS: 00010246
RAX: 000000000000002d RBX: ffff888030f16668 RCX: fd47a21cb303a300
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 1ffff110061e2cf0 R08: ffffc900036c7a87 R09: 1ffff920006d8f50
R10: dffffc0000000000 R11: fffff520006d8f51 R12: 0000000000000000
R13: dffffc0000000000 R14: ffffffff8e99a160 R15: ffff888030f16780
FS: 0000555583959500(0000) GS:ffff88812576d000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fffe3d12ff0 CR3: 000000007abd2000 CR4: 0000000000350ef0
Call Trace:
<TASK>
kill_block_super+0x44/0x90 fs/super.c:1725
deactivate_locked_super+0xbc/0x130 fs/super.c:476
cleanup_mnt+0x437/0x4d0 fs/namespace.c:1312
task_work_run+0x1d9/0x270 kernel/task_work.c:233
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
__exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4217b9c157
Code: a2 c7 05 3c 84 23 00 00 00 00 00 eb 96 e8 e1 12 00 00 90 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 e8 ff ff ff f7 d8 64 89 02 b8
RSP: 002b:00007fffe3d13178 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007f4217c2f33b RCX: 00007f4217b9c157
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007fffe3d13230
RBP: 00007fffe3d13230 R08: 00007fffe3d14230 R09: 00000000ffffffff
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fffe3d142c0
R13: 00007f4217c2f33b R14: 0000000000021b21 R15: 00007fffe3d14300
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:generic_shutdown_super+0x2c4/0x2d0 fs/super.c:654
Code: 03 42 80 3c 28 00 74 08 4c 89 f7 e8 06 7b ed ff 49 8b 16 48 81 c3 68 06 00 00 48 c7 c7 60 c1 b9 8b 48 89 de e8 ed 52 e8 fe 90 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc900036c7d00 EFLAGS: 00010246
RAX: 000000000000002d RBX: ffff888030f16668 RCX: fd47a21cb303a300
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 1ffff110061e2cf0 R08: ffffc900036c7a87 R09: 1ffff920006d8f50
R10: dffffc0000000000 R11: fffff520006d8f51 R12: 0000000000000000
R13: dffffc0000000000 R14: ffffffff8e99a160 R15: ffff888030f16780
FS: 0000555583959500(0000) GS:ffff88812586d000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000563cc45995e0 CR3: 000000007abd2000 CR4: 0000000000350ef0
Tested on:
commit: cbfffcca Merge tag 'trace-v7.0-rc5' of git://git.kerne..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=156eceda580000
kernel config: https://syzkaller.appspot.com/x/.config?x=df6930c3610cf79
dashboard link: https://syzkaller.appspot.com/bug?extid=1d096d31de6a0491b55e
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=1684f1f6580000
^ permalink raw reply [flat|nested] 8+ messages in thread
[parent not found: <CALp66yFze81g4MhLZfqxyqLpH0RRsHfyXcXPjWUY-G-EFWiB2g@mail.gmail.com>]
end of thread, other threads:[~2026-03-31 0:19 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-30 21:15 [syzbot] [jfs?] [fat?] general protection fault in txEnd Rafael Alejandro Diaz Cruz
2026-03-30 21:45 ` [syzbot] [jfs] " syzbot
-- strict thread matches above, loose matches on Subject: below --
2026-03-30 23:32 [syzbot] [jfs?] [fat?] " Rafael Alejandro Diaz Cruz
2026-03-31 0:19 ` [syzbot] [jfs] " syzbot
2026-03-28 2:20 [syzbot] [jfs?] [fat?] " Rafael Alejandro Diaz Cruz
2026-03-29 11:07 ` [syzbot] [jfs] " syzbot
[not found] <CALp66yFze81g4MhLZfqxyqLpH0RRsHfyXcXPjWUY-G-EFWiB2g@mail.gmail.com>
2026-03-28 1:33 ` syzbot
[not found] ` <CALp66yEShffuRpH4CxvanWanShtavxGtZfO0Sj8+QCaj6mO1FQ@mail.gmail.com>
2026-03-28 1:46 ` syzbot
2026-03-28 1:49 ` Rafael Alejandro Díaz Cruz
2026-03-28 1:51 ` syzbot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox