From: Szymon Wilczek
To: Dave Kleikamp
Cc: jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org, syzbot+a63afa301d1258d09267@syzkaller.appspotmail.com, Szymon Wilczek
Subject: [PATCH] jfs: add missing tlckBTROOT to txLock calls on inline btree roots
Date: Thu, 25 Dec 2025 00:31:33 +0100
Message-ID: <20251224233133.41078-1-swilczek.lx@gmail.com>
X-Mailer: git-send-email 2.52.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

JFS uses "fake" metapages (pointers into the inode's btree root area) for btree roots that reside inline in the inode. These fake metapages are identified by the absence of the COMMIT_PAGE flag in xflag.

The txUnlock() and txRelease() functions check for the tlckBTROOT flag to avoid treating these fake metapages as real disk pages. When txLock() is called on an inline btree root without tlckBTROOT, txUnlock() later tries to access mp->nohomeok which doesn't exist in the fake metapage structure, causing:

  BUG at fs/jfs/jfs_txnmgr.c:932 assert(mp->nohomeok > 0)

This was triggered during directory operations where dtInsert(), dtDelete(), dtSplitUp(), dtDeleteUp(), xtInsert(), and xtSplitUp() could operate on inline roots without setting tlckBTROOT.

Fix by adding the tlckBTROOT flag conditionally using BT_IS_ROOT() check in all txLock() calls that may operate on inline btree roots. This matches the existing pattern used in dtInitRoot() and add_missing_indices().

Reported-by: syzbot+a63afa301d1258d09267@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a63afa301d1258d09267
Signed-off-by: Szymon Wilczek
---
 fs/jfs/jfs_dtree.c | 12 ++++++++----
 fs/jfs/jfs_xtree.c | 9 ++++++---
 2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c
index 0ab83bb7bbdf..c35f4b6f4544 100644
--- a/fs/jfs/jfs_dtree.c
+++ b/fs/jfs/jfs_dtree.c @@ -881,7 +881,8 @@ int dtInsert(tid_t tid, struct inode *ip, /* * acquire a transaction lock on the leaf page */ - tlck =3D txLock(tid, ip, mp, tlckDTREE | tlckENTRY); + tlck =3D txLock(tid, ip, mp, tlckDTREE | tlckENTRY | + (BT_IS_ROOT(mp) ? tlckBTROOT : 0)); dtlck =3D (struct dt_lock *) & tlck->lock; ASSERT(dtlck->index =3D=3D 0); lv =3D & dtlck->lv[0]; @@ -1258,7 +1259,8 @@ static int dtSplitUp(tid_t tid, /* * acquire a transaction lock on the parent page */ - tlck =3D txLock(tid, ip, smp, tlckDTREE | tlckENTRY); + tlck =3D txLock(tid, ip, smp, tlckDTREE | tlckENTRY | + (BT_IS_ROOT(smp) ? tlckBTROOT : 0)); dtlck =3D (struct dt_lock *) & tlck->lock; ASSERT(dtlck->index =3D=3D 0); lv =3D & dtlck->lv[0]; @@ -2161,7 +2163,8 @@ int dtDelete(tid_t tid, /* * acquire a transaction lock on the leaf page */ - tlck =3D txLock(tid, ip, mp, tlckDTREE | tlckENTRY); + tlck =3D txLock(tid, ip, mp, tlckDTREE | tlckENTRY | + (BT_IS_ROOT(mp) ? tlckBTROOT : 0)); dtlck =3D (struct dt_lock *) & tlck->lock; =20 /* @@ -2383,7 +2386,8 @@ static int dtDeleteUp(tid_t tid, struct inode *ip, * * action: router entry deletion */ - tlck =3D txLock(tid, ip, mp, tlckDTREE | tlckENTRY); + tlck =3D txLock(tid, ip, mp, tlckDTREE | tlckENTRY | + (BT_IS_ROOT(mp) ? tlckBTROOT : 0)); dtlck =3D (struct dt_lock *) & tlck->lock; =20 /* linelock header */ diff --git a/fs/jfs/jfs_xtree.c b/fs/jfs/jfs_xtree.c index 28c3cf960c6f..de7d4d5e67a8 100644 --- a/fs/jfs/jfs_xtree.c +++ b/fs/jfs/jfs_xtree.c @@ -642,7 +642,8 @@ int xtInsert(tid_t tid, /* transaction id */ =20 /* Don't log it if there are no links to the file */ if (!test_cflag(COMMIT_Nolink, ip)) { - tlck =3D txLock(tid, ip, mp, tlckXTREE | tlckGROW); + tlck =3D txLock(tid, ip, mp, tlckXTREE | tlckGROW | + (BT_IS_ROOT(mp) ? tlckBTROOT : 0)); xtlck =3D (struct xtlock *) & tlck->lock; xtlck->lwm.offset =3D (xtlck->lwm.offset) ? min(index, 
@@ -733,7 +734,8 @@ xtSplitUp(tid_t tid, =20 /* Don't log it if there are no links to the file */ if (!test_cflag(COMMIT_Nolink, ip)) { - tlck =3D txLock(tid, ip, smp, tlckXTREE | tlckGROW); + tlck =3D txLock(tid, ip, smp, tlckXTREE | tlckGROW | + tlckBTROOT); xtlck =3D (struct xtlock *) & tlck->lock; xtlck->lwm.offset =3D (xtlck->lwm.offset) ? min(skip, (int)xtlck->lwm.offset) : skip; @@ -903,7 +905,8 @@ xtSplitUp(tid_t tid, /* Don't log it if there are no links to the file */ if (!test_cflag(COMMIT_Nolink, ip)) { tlck =3D txLock(tid, ip, smp, - tlckXTREE | tlckGROW); + tlckXTREE | tlckGROW | + (BT_IS_ROOT(smp) ? tlckBTROOT : 0)); xtlck =3D (struct xtlock *) & tlck->lock; xtlck->lwm.offset =3D (xtlck->lwm.offset) ? min(skip, (int)xtlck->lwm.offset) : skip; --=20 2.52.0
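
Review bot: In the first xtSplitUp() hunk (@@ -733,7 +734,8 @@) tlckBTROOT is OR-ed in unconditionally for smp, while every other call site in this patch, including the second xtSplitUp() hunk at @@ -903,7 +905,8 @@, uses (BT_IS_ROOT(smp) ? tlckBTROOT : 0), and the commit message describes the flag as being added conditionally in all txLock() calls. If smp is always the inline root on that path, please say so in the commit message or in a short comment above the call; otherwise use the conditional form there as well, because the commit message states that txUnlock() and txRelease() rely on tlckBTROOT to tell fake metapages from real disk pages, so a wrongly set flag is as much a problem as a missing one.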
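
Review bot: The expression (BT_IS_ROOT(mp) ? tlckBTROOT : 0) is open-coded at all four txLock() calls in fs/jfs/jfs_dtree.c (dtInsert, dtSplitUp, dtDelete, dtDeleteUp) and again in fs/jfs/jfs_xtree.c, which leaves the same hole open for the next caller that forgets it. Consider a small helper or macro that returns the root flag for a given metapage and use it at each site. Alternatively, since the commit message says fake metapages are identifiable by the absence of COMMIT_PAGE in xflag, could txLock() derive tlckBTROOT itself, so that the assert in txUnlock() cannot be reached through a caller omission?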