fs/ocfs2/journal.h | 3 +++ 1 file changed, 3 insertions(+)
During unmount, ocfs2_journal_shutdown() frees the journal and sets
osb->journal to NULL. Later, when VFS evicts remaining cached inodes,
ocfs2_evict_inode() -> ocfs2_clear_inode() -> ocfs2_checkpoint_inode()
-> ocfs2_ci_fully_checkpointed() dereferences osb->journal, causing a
NULL pointer dereference.
Fix this by adding a NULL check for osb->journal in
ocfs2_checkpoint_inode(). If the journal is NULL, it has already been
fully flushed and destroyed during shutdown, so there is nothing to
checkpoint.
Reported-by: Farhad Alemi <farhad.alemi@berkeley.edu>
Fixes: da5e7c87827e ("ocfs2: cleanup journal init and shutdown")
Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Tested-by: Farhad Alemi <farhad.alemi@berkeley.edu>
---
fs/ocfs2/journal.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/ocfs2/journal.h b/fs/ocfs2/journal.h
index 6397170f302f..f8b3b2a3d630 100644
--- a/fs/ocfs2/journal.h
+++ b/fs/ocfs2/journal.h
@@ -196,6 +196,9 @@ static inline void ocfs2_checkpoint_inode(struct inode *inode)
if (ocfs2_mount_local(osb))
return;
+ if (!osb->journal)
+ return;
+
if (!ocfs2_ci_fully_checkpointed(INODE_CACHE(inode))) {
/* WARNING: This only kicks off a single
* checkpoint. If someone races you and adds more
--
2.39.3On Sun, May 31, 2026 at 09:16:45PM +0800, Joseph Qi wrote:
> During unmount, ocfs2_journal_shutdown() frees the journal and sets
> osb->journal to NULL. Later, when VFS evicts remaining cached inodes,
> ocfs2_evict_inode() -> ocfs2_clear_inode() -> ocfs2_checkpoint_inode()
> -> ocfs2_ci_fully_checkpointed() dereferences osb->journal, causing a
> NULL pointer dereference.
>
> Fix this by adding a NULL check for osb->journal in
> ocfs2_checkpoint_inode(). If the journal is NULL, it has already been
> fully flushed and destroyed during shutdown, so there is nothing to
> checkpoint.
>
> Reported-by: Farhad Alemi <farhad.alemi@berkeley.edu>
> Fixes: da5e7c87827e ("ocfs2: cleanup journal init and shutdown")
> Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
> Tested-by: Farhad Alemi <farhad.alemi@berkeley.edu>
LGTM.
Reviewed-by: Heming Zhao <heming.zhao@suse.com>
> ---
> fs/ocfs2/journal.h | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fs/ocfs2/journal.h b/fs/ocfs2/journal.h
> index 6397170f302f..f8b3b2a3d630 100644
> --- a/fs/ocfs2/journal.h
> +++ b/fs/ocfs2/journal.h
> @@ -196,6 +196,9 @@ static inline void ocfs2_checkpoint_inode(struct inode *inode)
> if (ocfs2_mount_local(osb))
> return;
>
> + if (!osb->journal)
> + return;
> +
> if (!ocfs2_ci_fully_checkpointed(INODE_CACHE(inode))) {
> /* WARNING: This only kicks off a single
> * checkpoint. If someone races you and adds more
> --
> 2.39.3
>
On Sun, May 31, 2026 at 09:16:45PM +0800, Joseph Qi wrote:
> During unmount, ocfs2_journal_shutdown() frees the journal and sets
> osb->journal to NULL. Later, when VFS evicts remaining cached inodes,
> ocfs2_evict_inode() -> ocfs2_clear_inode() -> ocfs2_checkpoint_inode()
> -> ocfs2_ci_fully_checkpointed() dereferences osb->journal, causing a
> NULL pointer dereference.
>
> Fix this by adding a NULL check for osb->journal in
> ocfs2_checkpoint_inode(). If the journal is NULL, it has already been
> fully flushed and destroyed during shutdown, so there is nothing to
> checkpoint.
>
> Reported-by: Farhad Alemi <farhad.alemi@berkeley.edu>
> Fixes: da5e7c87827e ("ocfs2: cleanup journal init and shutdown")
> Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
> Tested-by: Farhad Alemi <farhad.alemi@berkeley.edu>
> ---
> fs/ocfs2/journal.h | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fs/ocfs2/journal.h b/fs/ocfs2/journal.h
> index 6397170f302f..f8b3b2a3d630 100644
> --- a/fs/ocfs2/journal.h
> +++ b/fs/ocfs2/journal.h
> @@ -196,6 +196,9 @@ static inline void ocfs2_checkpoint_inode(struct inode *inode)
> if (ocfs2_mount_local(osb))
> return;
>
> + if (!osb->journal)
> + return;
> +
In my view, the code is correct for this bug.
However, the if condition is insufficient if ocfs2_journal_shutdown() sets
"journal = NULL" immediately after this line.
Thanks,
Heming
> if (!ocfs2_ci_fully_checkpointed(INODE_CACHE(inode))) {
> /* WARNING: This only kicks off a single
> * checkpoint. If someone races you and adds more
> --
> 2.39.3
>
On 6/1/26 11:32 AM, Heming Zhao wrote:
> On Sun, May 31, 2026 at 09:16:45PM +0800, Joseph Qi wrote:
>> During unmount, ocfs2_journal_shutdown() frees the journal and sets
>> osb->journal to NULL. Later, when VFS evicts remaining cached inodes,
>> ocfs2_evict_inode() -> ocfs2_clear_inode() -> ocfs2_checkpoint_inode()
>> -> ocfs2_ci_fully_checkpointed() dereferences osb->journal, causing a
>> NULL pointer dereference.
>>
>> Fix this by adding a NULL check for osb->journal in
>> ocfs2_checkpoint_inode(). If the journal is NULL, it has already been
>> fully flushed and destroyed during shutdown, so there is nothing to
>> checkpoint.
>>
>> Reported-by: Farhad Alemi <farhad.alemi@berkeley.edu>
>> Fixes: da5e7c87827e ("ocfs2: cleanup journal init and shutdown")
>> Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
>> Tested-by: Farhad Alemi <farhad.alemi@berkeley.edu>
>> ---
>> fs/ocfs2/journal.h | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/fs/ocfs2/journal.h b/fs/ocfs2/journal.h
>> index 6397170f302f..f8b3b2a3d630 100644
>> --- a/fs/ocfs2/journal.h
>> +++ b/fs/ocfs2/journal.h
>> @@ -196,6 +196,9 @@ static inline void ocfs2_checkpoint_inode(struct inode *inode)
>> if (ocfs2_mount_local(osb))
>> return;
>>
>> + if (!osb->journal)
>> + return;
>> +
>
> In my view, the code is correct for this bug.
> However, the if condition is insufficient if ocfs2_journal_shutdown() sets
> "journal = NULL" immediately after this line.
>
During unmount, journal shutdown happens before final inode eviction is
triggered by generic_shutdown_super() -> evict_inodes(). That means they
run sequentially in the unmount path (same thread context).
Thanks,
Joseph
On Mon, Jun 01, 2026 at 02:50:56PM +0800, Joseph Qi wrote:
>
>
> On 6/1/26 11:32 AM, Heming Zhao wrote:
> > On Sun, May 31, 2026 at 09:16:45PM +0800, Joseph Qi wrote:
> >> During unmount, ocfs2_journal_shutdown() frees the journal and sets
> >> osb->journal to NULL. Later, when VFS evicts remaining cached inodes,
> >> ocfs2_evict_inode() -> ocfs2_clear_inode() -> ocfs2_checkpoint_inode()
> >> -> ocfs2_ci_fully_checkpointed() dereferences osb->journal, causing a
> >> NULL pointer dereference.
> >>
> >> Fix this by adding a NULL check for osb->journal in
> >> ocfs2_checkpoint_inode(). If the journal is NULL, it has already been
> >> fully flushed and destroyed during shutdown, so there is nothing to
> >> checkpoint.
> >>
> >> Reported-by: Farhad Alemi <farhad.alemi@berkeley.edu>
> >> Fixes: da5e7c87827e ("ocfs2: cleanup journal init and shutdown")
> >> Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
> >> Tested-by: Farhad Alemi <farhad.alemi@berkeley.edu>
> >> ---
> >> fs/ocfs2/journal.h | 3 +++
> >> 1 file changed, 3 insertions(+)
> >>
> >> diff --git a/fs/ocfs2/journal.h b/fs/ocfs2/journal.h
> >> index 6397170f302f..f8b3b2a3d630 100644
> >> --- a/fs/ocfs2/journal.h
> >> +++ b/fs/ocfs2/journal.h
> >> @@ -196,6 +196,9 @@ static inline void ocfs2_checkpoint_inode(struct inode *inode)
> >> if (ocfs2_mount_local(osb))
> >> return;
> >>
> >> + if (!osb->journal)
> >> + return;
> >> +
> >
> > In my view, the code is correct for this bug.
> > However, the if condition is insufficient if ocfs2_journal_shutdown() sets
> > "journal = NULL" immediately after this line.
> >
> During unmount, journal shutdown happens before final inode eviction is
> triggered by generic_shutdown_super() -> evict_inodes(). That means they
> run sequentially in the unmount path (same thread context).
>
> Thanks,
> Joseph
>
Thanks for the explanation. I will provide my Reviewed-by tag.
Based on the call stack in Farhad's email attachment, it seems the test case
triggered the if (osb->slot_num != OCFS2_INVALID_SLOT) condition in
ocfs2_dismount_volume() to skip the released slot_inode.
Thanks,
Heming
© 2016 - 2026 Red Hat, Inc.