From: Edward Adam Davis
To: eadavis@qq.com
Cc: jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org, shaggy@kernel.org, syzbot+355da3b3a74881008e8f@syzkaller.appspotmail.com, syzkaller-bugs@googlegroups.com
Subject: [PATCH V2] jfs: Prevent copying of nlink with value 0 from disk inode
Date: Tue, 24 Dec 2024 16:17:20 +0800

syzbot reported a deadlock in diFree. [1]

When calling "ioctl$LOOP_SET_STATUS64", the offset value passed in is 4,
which does not match the mounted loop device, causing the mapping of the
mounted loop device to be invalidated.

When creating the directory and creating the iag inode in diReadSpecial(),
the page of the fixed disk inode (AIT) is read in raw mode by
read_metapage(); the metapage data it returns is corrupted, which causes an
nlink value of 0 to be assigned to the iag inode when executing
copy_from_dinode(), which ultimately causes a deadlock when entering
diFree().

To avoid this, check the nlink value of the dinode before setting it on the
iag inode.
[1]
WARNING: possible recursive locking detected
6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0 Not tainted
--------------------------------------------
syz-executor301/5309 is trying to acquire lock:
ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889

but task is already holding lock:
ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&(imap->im_aglock[index]));
  lock(&(imap->im_aglock[index]));

 *** DEADLOCK ***

 May be due to missing lock nesting notation

5 locks held by syz-executor301/5309:
 #0: ffff8880422a4420 (sb_writers#9){.+.+}-{0:0}, at: mnt_want_write+0x3f/0x90 fs/namespace.c:515
 #1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: inode_lock_nested include/linux/fs.h:850 [inline]
 #1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: filename_create+0x260/0x540 fs/namei.c:4026
 #2: ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630
 #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2460 [inline]
 #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
 #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocAG+0x4b7/0x1e50 fs/jfs/jfs_imap.c:1669
 #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2477 [inline]
 #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
 #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocAG+0x869/0x1e50 fs/jfs/jfs_imap.c:1669

stack backtrace:
CPU: 0 UID: 0 PID: 5309 Comm: syz-executor301 Not tainted 6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_deadlock_bug+0x483/0x620 kernel/locking/lockdep.c:3037
 check_deadlock kernel/locking/lockdep.c:3089 [inline]
 validate_chain+0x15e2/0x5920 kernel/locking/lockdep.c:3891
 __lock_acquire+0x1384/0x2050 kernel/locking/lockdep.c:5202
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
 __mutex_lock_common kernel/locking/mutex.c:608 [inline]
 __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
 diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889
 jfs_evict_inode+0x32d/0x440 fs/jfs/inode.c:156
 evict+0x4e8/0x9b0 fs/inode.c:725
 diFreeSpecial fs/jfs/jfs_imap.c:552 [inline]
 duplicateIXtree+0x3c6/0x550 fs/jfs/jfs_imap.c:3022
 diNewIAG fs/jfs/jfs_imap.c:2597 [inline]
 diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
 diAllocAG+0x17dc/0x1e50 fs/jfs/jfs_imap.c:1669
 diAlloc+0x1d2/0x1630 fs/jfs/jfs_imap.c:1590
 ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56
 jfs_mkdir+0x1c5/0xba0 fs/jfs/namei.c:225
 vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257
 do_mkdirat+0x264/0x3a0 fs/namei.c:4280
 __do_sys_mkdirat fs/namei.c:4295 [inline]
 __se_sys_mkdirat fs/namei.c:4293 [inline]
 __x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4293
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>

Reported-by: syzbot+355da3b3a74881008e8f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=355da3b3a74881008e8f
Signed-off-by: Edward Adam Davis
---
V1 -> V2: if the nlink of disk inode is 0 return -EIO

 fs/jfs/jfs_imap.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
index a360b24ed320..b3146e335782 100644
--- a/fs/jfs/jfs_imap.c
+++ b/fs/jfs/jfs_imap.c
@@ -3035,6 +3035,7 @@ static int copy_from_dinode(struct dinode * dip, stru= ct inode *ip) { struct jfs_inode_info *jfs_ip =3D JFS_IP(ip); struct jfs_sb_info *sbi =3D JFS_SBI(ip->i_sb); + u32 di_nlink; =20 jfs_ip->fileset =3D le32_to_cpu(dip->di_fileset); jfs_ip->mode2 =3D le32_to_cpu(dip->di_mode); @@ -3053,7 +3054,12 @@ static int copy_from_dinode(struct dinode * dip, str= uct inode *ip) ip->i_mode |=3D 0001; } } - set_nlink(ip, le32_to_cpu(dip->di_nlink)); + + di_nlink =3D le32_to_cpu(dip->di_nlink); + if (!di_nlink) + return -EIO; + + set_nlink(ip, di_nlink); =20 jfs_ip->saved_uid =3D make_kuid(&init_user_ns, le32_to_cpu(dip->di_uid)); if (!uid_valid(sbi->uid)) --=20 2.47.0
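Review bot: in the second hunk the new `if (!di_nlink) return -EIO;` runs after jfs_ip->fileset, jfs_ip->mode2, ip->i_mode and the fields between them have already been copied from dip, so the caller is handed a half-populated inode whose link count was never set; please confirm that every caller of copy_from_dinode() treats a nonzero return as fatal and does not iput() or otherwise use that inode, or move the check to the top of the function before any field is written. Two smaller points: copy_from_dinode() takes any struct inode, while the subject and description only discuss the iag inode read through diReadSpecial(), so the commit message should state that any on-disk inode with di_nlink == 0 now fails to load with -EIO; and a bare -EIO is hard to diagnose from a user report, so consider a jfs_err() line naming ip->i_ino before returning.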
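The patch's rule, applied to a raw on-disk inode image outside the kernel, as an added example that is not code from this patch or from the JFS driver: decode the fixed-width base fields of a JFS struct dinode from a buffer exactly as read from the device and refuse the inode when di_nlink is 0, which is the state the corrupted metapage produced in the syzbot report. The field offsets are taken from my reading of struct dinode in fs/jfs/jfs_dinode.h and are an assumption to verify against the header in your tree; the di_number consistency check is an extra illustration of validating metadata read through a block device whose mapping can change underneath the mount, and is not part of the patch. The sample inode images are constructed inline.

```c
/*
 * Added example, not code from the JFS patch or the kernel: decode the
 * fixed-width base fields of an on-disk JFS inode (struct dinode) from a raw
 * buffer and refuse it when di_nlink is 0, the check the patch adds to
 * copy_from_dinode(). Field offsets come from my reading of struct dinode in
 * fs/jfs/jfs_dinode.h (assumption: check them against the header in your
 * tree). The di_number check is an extra illustration, not part of the patch.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DINODE_BASE_LEN 56u   /* bytes covered by the fields decoded below */
#define DI_FILESET_OFF   4u
#define DI_NUMBER_OFF    8u
#define DI_NLINK_OFF    40u
#define DI_UID_OFF      44u
#define DI_GID_OFF      48u
#define DI_MODE_OFF     52u

struct dinode_base {
	uint32_t fileset, number, nlink, uid, gid, mode;
};

/* JFS stores on-disk integers little-endian; decode without relying on host order. */
static uint32_t le32_at(const uint8_t *buf, size_t off)
{
	return (uint32_t)buf[off] | (uint32_t)buf[off + 1] << 8 |
	       (uint32_t)buf[off + 2] << 16 | (uint32_t)buf[off + 3] << 24;
}

static void put_le32(uint8_t *buf, size_t off, uint32_t v)
{
	buf[off] = v & 0xff;
	buf[off + 1] = (v >> 8) & 0xff;
	buf[off + 2] = (v >> 16) & 0xff;
	buf[off + 3] = (v >> 24) & 0xff;
}

/*
 * Returns 0 and fills *out, or -EIO when the on-disk data cannot be trusted:
 * the buffer is too short, di_nlink is 0 (the syzbot case: a metapage read
 * through a loop device whose mapping was changed underneath the mount), or
 * di_number is not the inode the caller expected to find at this slot.
 */
int jfs_decode_dinode(const uint8_t *buf, size_t len, uint32_t expect_ino,
		      struct dinode_base *out)
{
	if (len < DINODE_BASE_LEN)
		return -EIO;

	uint32_t nlink = le32_at(buf, DI_NLINK_OFF);
	if (nlink == 0)                 /* what the patch rejects before set_nlink() */
		return -EIO;

	uint32_t number = le32_at(buf, DI_NUMBER_OFF);
	if (number != expect_ino)       /* extra consistency check, not in the patch */
		return -EIO;

	out->fileset = le32_at(buf, DI_FILESET_OFF);
	out->number = number;
	out->nlink = nlink;
	out->uid = le32_at(buf, DI_UID_OFF);
	out->gid = le32_at(buf, DI_GID_OFF);
	out->mode = le32_at(buf, DI_MODE_OFF);
	return 0;
}

/* Constructed sample image: only the fields decoded above are populated. */
void make_sample_dinode(uint8_t *buf, size_t len, uint32_t ino, uint32_t nlink,
			uint32_t mode)
{
	memset(buf, 0, len);
	put_le32(buf, DI_FILESET_OFF, 16);    /* arbitrary fileset number */
	put_le32(buf, DI_NUMBER_OFF, ino);
	put_le32(buf, DI_NLINK_OFF, nlink);
	put_le32(buf, DI_UID_OFF, 1000);
	put_le32(buf, DI_GID_OFF, 1000);
	put_le32(buf, DI_MODE_OFF, mode);
}

/* Build a sample inode `ino` with the given nlink, then decode the first
 * `len` bytes of it as inode `expect_ino`; returns the decoder's result. */
int run_case(uint32_t ino, uint32_t nlink, uint32_t expect_ino, size_t len)
{
	uint8_t buf[64];
	struct dinode_base d;

	if (len > sizeof buf)
		len = sizeof buf;
	make_sample_dinode(buf, sizeof buf, ino, nlink, 0040755u); /* a directory */
	return jfs_decode_dinode(buf, len, expect_ino, &d);
}

int main(void)
{
	printf("healthy dir inode:   %d\n", run_case(2, 2, 2, 64)); /* 0 */
	printf("nlink 0 (corrupt):   %d\n", run_case(2, 0, 2, 64)); /* -EIO */
	printf("wrong inode number:  %d\n", run_case(3, 2, 2, 64)); /* -EIO */
	printf("truncated metapage:  %d\n", run_case(2, 2, 2, 16)); /* -EIO */
	return 0;
}
```

The decoder rejects the image before any field reaches the caller, which is the ordering the review note above asks about for copy_from_dinode(): nothing downstream (here the caller's struct dinode_base, in the kernel the VFS inode that iput() would later evict) ever sees a link count of zero that came from disk.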