1. Patchew
  2. linux
  3. View series

[PATCH] ocfs2: prevent release journal inode after journal shutdown

Edward Adam Davis posted 1 patch 1 month, 2 weeks ago
There is a newer version of this series
fs/ocfs2/inode.c | 3 +++
1 file changed, 3 insertions(+)
[PATCH] ocfs2: prevent release journal inode after journal shutdown
Posted by Edward Adam Davis 1 month, 2 weeks ago 
Before calling ocfs2_delete_osb(), ocfs2_journal_shutdown() has already
been executed in ocfs2_dismount_volume(), so osb->journal must be NULL.
Therefore, the following calltrace will inevitably fail when it reaches
jbd2_journal_release_jbd_inode().

ocfs2_dismount_volume()->
  ocfs2_delete_osb()->
    ocfs2_free_slot_info()->
      __ocfs2_free_slot_info()->
        evict()->
          ocfs2_evict_inode()->
            ocfs2_clear_inode()->
	      jbd2_journal_release_jbd_inode(osb->journal->j_journal,

Adding osb->journal checks will prevent UAF during the above execution path.

Reported-by: syzbot+47d8cb2f2cc1517e515a@syzkaller.appspotmail.com
Closest: https://syzkaller.appspot.com/bug?extid=47d8cb2f2cc1517e515a
Tested-by: syzbot+47d8cb2f2cc1517e515a@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 fs/ocfs2/inode.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c
index 14bf440ea4df..6c4f78f473fb 100644
--- a/fs/ocfs2/inode.c
+++ b/fs/ocfs2/inode.c
@@ -1281,6 +1281,9 @@ static void ocfs2_clear_inode(struct inode *inode)
 	 * the journal is flushed before journal shutdown. Thus it is safe to
 	 * have inodes get cleaned up after journal shutdown.
 	 */
+	if (!osb->journal)
+		return;
+
 	jbd2_journal_release_jbd_inode(osb->journal->j_journal,
 				       &oi->ip_jinode);
 }
-- 
2.43.0
[PATCH V2] ocfs2: prevent release journal inode after journal shutdown
Posted by Edward Adam Davis 1 month, 2 weeks ago 
Before calling ocfs2_delete_osb(), ocfs2_journal_shutdown() has already
been executed in ocfs2_dismount_volume(), so osb->journal must be NULL.
Therefore, the following calltrace will inevitably fail when it reaches
jbd2_journal_release_jbd_inode().

ocfs2_dismount_volume()->
  ocfs2_delete_osb()->
    ocfs2_free_slot_info()->
      __ocfs2_free_slot_info()->
        evict()->
          ocfs2_evict_inode()->
            ocfs2_clear_inode()->
	      jbd2_journal_release_jbd_inode(osb->journal->j_journal,

Adding osb->journal checks will prevent null-ptr-deref during the above
execution path.

Reported-by: syzbot+47d8cb2f2cc1517e515a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=47d8cb2f2cc1517e515a
Tested-by: syzbot+47d8cb2f2cc1517e515a@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
V1 -> V2: Corrected typos and comments.

 fs/ocfs2/inode.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c
index 14bf440ea4df..6c4f78f473fb 100644
--- a/fs/ocfs2/inode.c
+++ b/fs/ocfs2/inode.c
@@ -1281,6 +1281,9 @@ static void ocfs2_clear_inode(struct inode *inode)
 	 * the journal is flushed before journal shutdown. Thus it is safe to
 	 * have inodes get cleaned up after journal shutdown.
 	 */
+	if (!osb->journal)
+		return;
+
 	jbd2_journal_release_jbd_inode(osb->journal->j_journal,
 				       &oi->ip_jinode);
 }
-- 
2.43.0
Re: [PATCH V2] ocfs2: prevent release journal inode after journal shutdown
Posted by Joseph Qi 1 month, 2 weeks ago 

On 2025/8/19 21:41, Edward Adam Davis wrote:
> Before calling ocfs2_delete_osb(), ocfs2_journal_shutdown() has already
> been executed in ocfs2_dismount_volume(), so osb->journal must be NULL.
> Therefore, the following calltrace will inevitably fail when it reaches
> jbd2_journal_release_jbd_inode().
> 
> ocfs2_dismount_volume()->
>   ocfs2_delete_osb()->
>     ocfs2_free_slot_info()->
>       __ocfs2_free_slot_info()->
>         evict()->
>           ocfs2_evict_inode()->
>             ocfs2_clear_inode()->
> 	      jbd2_journal_release_jbd_inode(osb->journal->j_journal,
> 
> Adding osb->journal checks will prevent null-ptr-deref during the above
> execution path.
> 
> Reported-by: syzbot+47d8cb2f2cc1517e515a@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=47d8cb2f2cc1517e515a
> Tested-by: syzbot+47d8cb2f2cc1517e515a@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>

Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
> ---
> V1 -> V2: Corrected typos and comments.
> 
>  fs/ocfs2/inode.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c
> index 14bf440ea4df..6c4f78f473fb 100644
> --- a/fs/ocfs2/inode.c
> +++ b/fs/ocfs2/inode.c
> @@ -1281,6 +1281,9 @@ static void ocfs2_clear_inode(struct inode *inode)
>  	 * the journal is flushed before journal shutdown. Thus it is safe to
>  	 * have inodes get cleaned up after journal shutdown.
>  	 */
> +	if (!osb->journal)
> +		return;
> +
>  	jbd2_journal_release_jbd_inode(osb->journal->j_journal,
>  				       &oi->ip_jinode);
>  }
Re: [External] : [PATCH V2] ocfs2: prevent release journal inode after journal shutdown
Posted by Mark Tinguely 1 month, 2 weeks ago 
On 8/19/25 8:41 AM, Edward Adam Davis wrote:
> Before calling ocfs2_delete_osb(), ocfs2_journal_shutdown() has already
> been executed in ocfs2_dismount_volume(), so osb->journal must be NULL.
> Therefore, the following calltrace will inevitably fail when it reaches
> jbd2_journal_release_jbd_inode().
> 
> ocfs2_dismount_volume()->
>    ocfs2_delete_osb()->
>      ocfs2_free_slot_info()->
>        __ocfs2_free_slot_info()->
>          evict()->
>            ocfs2_evict_inode()->
>              ocfs2_clear_inode()->
> 	      jbd2_journal_release_jbd_inode(osb->journal->j_journal,
> 
> Adding osb->journal checks will prevent null-ptr-deref during the above
> execution path.
> 
> Reported-by: syzbot+47d8cb2f2cc1517e515a@syzkaller.appspotmail.com
> Closes: https://urldefense.com/v3/__https://syzkaller.appspot.com/bug?extid=47d8cb2f2cc1517e515a__;!!ACWV5N9M2RV99hQ!IR4Z9VG7eJItxQAEk4-F5EMvtDaSRSvdmdcMeFjajaLLqAc2Vk9HICGKkI-geAk8gYlrJzH-UEfJuaJ2kw$
> Tested-by: syzbot+47d8cb2f2cc1517e515a@syzkaller.appspotmail.com
> Signed-off-by: Edward Adam Davis <eadavis@qq.com>
> ---
> V1 -> V2: Corrected typos and comments.
> 
>   fs/ocfs2/inode.c | 3 +++
>   1 file changed, 3 insertions(+)
> 
> diff --git a/fs/ocfs2/inode.c b/fs/ocfs2/inode.c
> index 14bf440ea4df..6c4f78f473fb 100644
> --- a/fs/ocfs2/inode.c
> +++ b/fs/ocfs2/inode.c
> @@ -1281,6 +1281,9 @@ static void ocfs2_clear_inode(struct inode *inode)
>   	 * the journal is flushed before journal shutdown. Thus it is safe to
>   	 * have inodes get cleaned up after journal shutdown.
>   	 */
> +	if (!osb->journal)
> +		return;
> +
>   	jbd2_journal_release_jbd_inode(osb->journal->j_journal,
>   				       &oi->ip_jinode);
>   }


fixes commit da5e7c87827e8caa6a1eeec6d95dcf74ab592a01 
(v5.15-5-gda5e7c87827). Also for the stable branch?

Reviewed-by: Mark Tinguely <mark.tinguely@oracle.com>
Re: [External] : [PATCH V2] ocfs2: prevent release journal inode after journal shutdown
Posted by Edward Adam Davis 1 month, 2 weeks ago 
On Tue, 19 Aug 2025 09:17:40 -0500, Mark Tinguely wrote:
> fixes commit da5e7c87827e8caa6a1eeec6d95dcf74ab592a01
> (v5.15-5-gda5e7c87827). Also for the stable branch?
I think the patch is suitable for all stable branches containing
da5e7c87827e8caa6a1eeec6d95dcf74ab592a01.

BR,
Edward

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.