From: Junjie Cao
To: jfs-discussion@lists.sourceforge.net, shaggy@kernel.org
Cc: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, junjie.cao@intel.com, syzbot+9c0c58ea2e4887ab502e@syzkaller.appspotmail.com
Subject: [PATCH] jfs: fix kernel BUG in jfs_evict_inode
Date: Tue, 2 Dec 2025 23:20:00 +0800
Message-ID: <20251202152000.176731-1-junjie.cao@intel.com>

syzbot reported a kernel BUG in jfs_evict_inode() triggered by the
following check:

    BUG_ON(!list_empty(&JFS_IP(inode)->anon_inode_list));

When an inode reaches jfs_evict_inode() with outstanding anonymous
transactions, the filesystem state is already inconsistent. However,
crashing the whole kernel in this situation is too heavy-handed and can
be triggered by a corrupted or fuzzed filesystem image.

The transaction manager uses anon_inode_list to track inodes that have
anonymous tlocks attached. Leaving an evicted inode on this list is
wrong as it leaves a dangling pointer behind and risks a use-after-free
when the list is walked later.

Instead of panicking, log the condition and remove the inode from
anon_inode_list under TXN_LOCK using a new helper,
jfs_free_anon_inode(). This keeps the internal list consistent while
avoiding a user-triggerable kernel BUG.

Reported-by: syzbot+9c0c58ea2e4887ab502e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9c0c58ea2e4887ab502e
Tested-by: syzbot+9c0c58ea2e4887ab502e@syzkaller.appspotmail.com
Signed-off-by: Junjie Cao
---
 fs/jfs/inode.c      |  2 +-
 fs/jfs/jfs_txnmgr.c | 14 ++++++++++++++
 fs/jfs/jfs_txnmgr.h |  1 +
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/fs/jfs/inode.c b/fs/jfs/inode.c
index 4709762713ef..88c046c3c3e3 100644
--- a/fs/jfs/inode.c
+++ b/fs/jfs/inode.c
@@ -172,7 +172,7 @@ void jfs_evict_inode(struct inode *inode) clear_inode(inode); dquot_drop(inode); =20 - BUG_ON(!list_empty(&ji->anon_inode_list)); + jfs_free_anon_inode(inode); =20 spin_lock_irq(&ji->ag_lock); if (ji->active_ag !=3D -1) { diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c index c16578af3a77..00e69f3ab22d 100644 --- a/fs/jfs/jfs_txnmgr.c +++ b/fs/jfs/jfs_txnmgr.c @@ -3018,3 +3018,17 @@ int jfs_txstats_proc_show(struct seq_file *m, void *= v) return 0; } #endif + +void jfs_free_anon_inode(struct inode *inode) +{ + struct jfs_inode_info *ji =3D JFS_IP(inode); + + TXN_LOCK(); + if (!list_empty(&ji->anon_inode_list)) { + jfs_err("inode %lu evicted with anonymous tlocks", + inode->i_ino); + list_del_init(&ji->anon_inode_list); + } + TXN_UNLOCK(); +} + diff --git a/fs/jfs/jfs_txnmgr.h b/fs/jfs/jfs_txnmgr.h index ba71eb5ced56..64d917ccc4b0 100644 --- a/fs/jfs/jfs_txnmgr.h +++ b/fs/jfs/jfs_txnmgr.h @@ -295,4 +295,5 @@ extern void txResume(struct super_block *); extern void txLazyUnlock(struct tblock *); extern int jfs_lazycommit(void *); extern int jfs_sync(void *); +extern void jfs_free_anon_inode(struct inode *); #endif /* _H_JFS_TXNMGR */ --=20 2.43.0
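Review bot: in the fs/jfs/inode.c hunk, replacing the BUG_ON() with jfs_free_anon_inode() logs and unlinks but leaves the filesystem running as if nothing happened, even though the commit message says the state is already inconsistent at this point; consider also calling jfs_error() (the existing JFS helper that honours the errors= mount option) so the mount is marked in error or remounted read-only per policy rather than silently continuing after the jfs_err() line. It is also worth saying in the commit message that the helper is now called unconditionally, so TXN_LOCK()/TXN_UNLOCK() is taken on every inode eviction and not only on the corrupt path; that is probably acceptable but it is a new cost in the common case and a reviewer will ask.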
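Review bot: the fs/jfs/jfs_txnmgr.c hunk adds a trailing blank line after the closing brace of the new function (the final lone `+` line), which checkpatch reports as a new blank line at EOF; drop it. The name jfs_free_anon_inode() is misleading because the function frees nothing, it only unlinks the inode from the anonymous list under TXN_LOCK, so either rename it (for example jfs_remove_anon_inode()) or add a short comment above it stating that it is called from eviction and that a non-empty list there indicates a corrupted image. The commit message explains that the inode is on this list because anonymous tlocks are attached to it, but the helper only drops the list entry and says nothing about those tlocks, so a sentence on why they cannot still reach the evicted inode afterwards would help the reader. Finally, including inode->i_sb->s_id in the jfs_err() message would let an operator tell which filesystem produced the warning.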
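Review bot: style only, for the fs/jfs/jfs_txnmgr.h hunk: the new prototype omits the parameter name, which matches the neighbouring declarations but draws a checkpatch warning that a function argument of type `struct inode *` should also have an identifier name; `extern void jfs_free_anon_inode(struct inode *inode);` is closer to current kernel style. Placing the declaration next to the other lock-related txnmgr prototypes rather than after jfs_sync() would also make it easier to find.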