public inbox for stable@vger.kernel.org
From: Tristan Madani <tristmd@gmail.com>
To: David Woodhouse <dwmw2@infradead.org>,
	Richard Weinberger <richard@nod.at>
Cc: linux-mtd@lists.infradead.org, linux-kernel@vger.kernel.org,
	stable@vger.kernel.org,
	Tristan Madani <tristan@talencesecurity.com>,
	syzbot+44664704c1494ad5f7a0@syzkaller.appspotmail.com
Subject: [PATCH 2/3] jffs2: clean up xattr refs in jffs2_del_ino_cache instead of BUG_ON
Date: Fri,  1 May 2026 11:02:45 +0000
Message-ID: <20260501110246.50647-2-tristmd@gmail.com>
In-Reply-To: <20260501110246.50647-1-tristmd@gmail.com>

From: Tristan Madani <tristan@talencesecurity.com>

jffs2_del_ino_cache() triggers BUG_ON(old->xref) when an inode cache
entry still has xattr references.  This can happen during unmount:
generic_shutdown_super() calls evict_inodes() before put_super(), but
jffs2_evict_inode -> jffs2_do_clear_inode -> jffs2_xattr_delete_inode
only clears xrefs when pino_nlink == 0.  For inodes with nlink > 0
at unmount time, xrefs survive past eviction, and the subsequent
jffs2_del_ino_cache() hits the BUG_ON.

Replace the BUG_ON with a call to jffs2_xattr_free_inode(), which
walks the xref list and frees each entry without writing delete markers
to flash.  This is appropriate during unmount since the flash state
will be reconstructed by the next mount scan anyway.

jffs2_xattr_free_inode() already exists for this purpose and is used
by jffs2_clear_xattr_subsystem() in the put_super path, but that
runs too late -- after jffs2_del_ino_cache has already been called
from evict_inode.

Reported-by: syzbot+44664704c1494ad5f7a0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=44664704c1494ad5f7a0
Fixes: aa98d7cf59b5 ("[JFFS2][XATTR] XATTR support on JFFS2 (version 5)")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
 fs/jffs2/nodelist.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/jffs2/nodelist.c b/fs/jffs2/nodelist.c
index b86c78d178c60..9af269b78b241 100644
--- a/fs/jffs2/nodelist.c
+++ b/fs/jffs2/nodelist.c
@@ -459,7 +459,8 @@ void jffs2_del_ino_cache(struct jffs2_sb_info *c, struct jffs2_inode_cache *old)
 	struct jffs2_inode_cache **prev;
 
 #ifdef CONFIG_JFFS2_FS_XATTR
-	BUG_ON(old->xref);
+	if (old->xref)
+		jffs2_xattr_free_inode(c, old);
 #endif
 	dbg_inocache("del %p (ino #%u)\n", old, old->ino);
 	spin_lock(&c->inocache_lock);
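Review bot: The new `if (old->xref)` branch runs for every caller of jffs2_del_ino_cache(), while the commit message justifies freeing xrefs without delete markers only for the unmount path. With the BUG_ON gone, an xref left behind on any other path is now discarded silently, so the invariant that previously crashed loudly has no diagnostic at all. Consider adding a comment above the branch that records the unmount rationale (evict_inodes() runs before put_super(), and xrefs survive for inodes with nlink > 0), and keeping a warning for the case where this is reached while the filesystem is not being torn down. It is also worth noting in that comment that the call sits before spin_lock(&c->inocache_lock), since that placement is what allows jffs2_xattr_free_inode() to take its own locks here.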
-- 
2.47.3


Thread overview: 3+ messages
2026-05-01 11:02 [PATCH 1/3] jffs2: always stop garbage collection thread on unmount Tristan Madani
2026-05-01 11:02 ` Tristan Madani [this message]
2026-05-01 11:02 ` [PATCH 3/3] jffs2: fix GC thread BUG_ON during reconfigure via fspick Tristan Madani
