Date: Thu, 30 Apr 2026 16:58:14 -0700
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Message-ID: <69f3ec96.170a0220.5f1b.000e.GAE@google.com>
In-Reply-To: <000000000000c7345f06158f331a@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
Author: tristmd@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

From 9c3f65e66c3a938b75d165bec0686e05db473070 Mon Sep 17 00:00:00 2001
From: Tristan Madani
Date: Thu, 30 Apr 2026 23:57:44 +0000
Subject: [PATCH] jffs2: fix GC thread BUG_ON during reconfigure via fspick

jffs2_do_remount_fs() uses fc->sb_flags to decide whether to start the
garbage collection thread. However, when called via fspick(2) followed by
fsconfig(FSCONFIG_CMD_RECONFIGURE), fc->sb_flags does not reflect the
current mount state -- it only contains flags being explicitly changed (as
indicated by fc->sb_flags_mask).

When fspick() is called with flags=0 on a read-only mount, fc->sb_flags has
SB_RDONLY clear (since SB_RDONLY is not in sb_flags_mask). This causes
jffs2_start_garbage_collect_thread() to be called even though the
filesystem remains read-only. On the second reconfigure, BUG_ON(c->gc_task)
fires because the thread from the first call is still running.

Fix this by computing the effective read-only state using both fc->sb_flags
and fc->sb_flags_mask. Also unconditionally call
jffs2_stop_garbage_collect_thread() before potentially restarting it, which
is safe when gc_task is NULL and prevents the BUG_ON.

Reported-by: syzbot+61a9d95630970eece39d@syzkaller.appspotmail.com
Fixes: ec10a24f10c8f ("vfs: Convert jffs2 to use the new mount API")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani
---
 fs/jffs2/fs.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/fs/jffs2/fs.c b/fs/jffs2/fs.c
index 6ada8369a7622..33574312b7abe 100644
--- a/fs/jffs2/fs.c
+++ b/fs/jffs2/fs.c
@@ -396,28 +396,28 @@ void jffs2_dirty_inode(struct inode *inode, int flags) int jffs2_do_remount_fs(struct super_block *sb, struct fs_context *fc) { struct jffs2_sb_info *c = JFFS2_SB_INFO(sb); + bool new_ro; if (c->flags & JFFS2_SB_FLAG_RO && !sb_rdonly(sb)) return -EROFS; - /* We stop if it was running, then restart if it needs to. - This also catches the case where it was stopped and this - is just a remount to restart it. - Flush the writebuffer, if necessary, else we loose it */ + new_ro = (fc->sb_flags_mask & SB_RDONLY) ? + (fc->sb_flags & SB_RDONLY) : sb_rdonly(sb); + + jffs2_stop_garbage_collect_thread(c); + if (!sb_rdonly(sb)) { - jffs2_stop_garbage_collect_thread(c); mutex_lock(&c->alloc_sem); jffs2_flush_wbuf_pad(c); mutex_unlock(&c->alloc_sem); } - if (!(fc->sb_flags & SB_RDONLY)) + if (!new_ro) jffs2_start_garbage_collect_thread(c); fc->sb_flags |= SB_NOATIME; return 0; } - /* jffs2_new_inode: allocate a new inode and inocache, add it to the hash, fill in the raw_inode while you're at it. */ struct inode *jffs2_new_inode (struct inode *dir_i, umode_t mode, struct jffs2_raw_inode *ri) -- 2.47.3
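Review bot: the four-line comment removed at the top of the hunk ("We stop if it was running, then restart if it needs to ... Flush the writebuffer, if necessary, else we loose it") is deleted without a replacement, so the new sequence of unconditional jffs2_stop_garbage_collect_thread(c), the sb_rdonly(sb)-guarded jffs2_flush_wbuf_pad(c), and the `if (!new_ro)` restart is left unexplained, and the reason for the unconditional stop (a gc thread may still be running from an earlier reconfigure whose fc->sb_flags did not carry SB_RDONLY) lives only in the commit message. Suggest keeping a short comment above `new_ro = ...` that states why the effective read-only state is derived from fc->sb_flags_mask rather than fc->sb_flags alone, that the thread is stopped unconditionally because stopping is a no-op when gc_task is NULL, and that the writebuffer flush still has to happen while the superblock is writable. Minor style point on the same lines: `new_ro` is a bool assigned from the raw `fc->sb_flags & SB_RDONLY` bit; that converts correctly in C, but `!!(fc->sb_flags & SB_RDONLY)` makes the intent explicit and matches the `sb_rdonly(sb)` branch.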