X-Mailing-List: linux-kernel@vger.kernel.org
Date: Mon, 16 Mar 2026 20:40:31 -0700
In-Reply-To: <69b8c713.a00a0220.3b25d1.0029.GAE@google.com>
Message-ID: <69b8cd2f.050a0220.12d28.0167.GAE@google.com>
Subject: Forwarded: [PATCH] nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master

When nilfs_dat_read() is called a second time during rollback recovery from a corrupted segment (checksum error), nilfs_iget_locked() returns a cached DAT inode that is not I_NEW, causing the function to skip nilfs_mdt_setup_shadow_map(). This leaves i_assoc_inode as NULL in the DAT inode, which later causes a general protection fault in nilfs_mdt_save_to_shadow_map() when NILFS_IOCTL_CLEAN_SEGMENTS is invoked immediately after mount.

Fix this by redirecting the non-I_NEW path to a new reinit_shadow label that calls nilfs_mdt_setup_shadow_map() if the shadow map has not been initialized yet, ensuring i_assoc_inode is always valid before the segment cleaner uses it.

Reported-by: syzbot+4b4093b1f24ad789bf37@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4b4093b1f24ad789bf37
Signed-off-by: Deepanshu Kartikey
---
 fs/nilfs2/dat.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/fs/nilfs2/dat.c b/fs/nilfs2/dat.c index 674380837ab9..c0b656e1c4ef 100644 --- a/fs/nilfs2/dat.c +++ b/fs/nilfs2/dat.c @@ -507,7 +507,7 @@ int nilfs_dat_read(struct super_block *sb, size_t entry= _size, if (unlikely(!dat)) return -ENOMEM; if (!(inode_state_read_once(dat) & I_NEW)) - goto out; + goto reinit_shadow; =20 err =3D nilfs_mdt_init(dat, NILFS_MDT_GFP, sizeof(*di)); if (err)
@@ -529,6 +529,14 @@ int nilfs_dat_read(struct super_block *sb, size_t entr= y_size, goto failed; =20 unlock_new_inode(dat); + goto out; +reinit_shadow: + di =3D NILFS_DAT_I(dat); + if (!di->mi.mi_shadow) { + err =3D nilfs_mdt_setup_shadow_map(dat, &di->shadow); + if (err) + goto failed; + } out: *inodep =3D dat; return 0; --=20 2.43.0
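Review bot: the `goto failed` inside the new `reinit_shadow` block (second hunk) sends a cached, non-I_NEW inode down the same error label the I_NEW path uses right after `nilfs_iget_locked()`; the cleanup behind `failed:` is not visible in this hunk, so please confirm it is correct for an inode that was never locked as new (it should just drop the cached reference, not run the new-inode failure cleanup), or give the reinit path its own exit such as `iput(dat); return err;`. The commit message should also say why the first nilfs_dat_read() call left a cached DAT inode without a shadow map, since `reinit_shadow` repairs that state rather than preventing it, and spell out how the `!di->mi.mi_shadow` guard relates to `i_assoc_inode`, the field the reported fault is actually on.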