Forwarded: [PATCH] nilfs2: fix missing i_assoc_inode initialization in nilfs_iget_for_shadow
From: syzbot
Date: Tue Mar 17 2026 - 02:25:28 EST
For archival purposes, forwarding an incoming command email to
linux-kernel@xxxxxxxxxxxxxxx, syzkaller-bugs@xxxxxxxxxxxxxxxx.
***
Subject: [PATCH] nilfs2: fix missing i_assoc_inode initialization in nilfs_iget_for_shadow
Author: kartikey406@xxxxxxxxx
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
When nilfs_iget_for_shadow() finds a cached shadow inode (I_NEW not
set), it returns the original inode instead of the cached shadow inode.
This causes nilfs_mdt_setup_shadow_map() to store the wrong inode as
shadow->inode, so subsequent calls to nilfs_mdt_save_to_shadow_map()
dereference the wrong inode's i_assoc_inode which may be NULL, leading
to a general protection fault.
Fix this by returning s_inode instead of inode on the cache hit path.
Reported-by: syzbot+4b4093b1f24ad789bf37@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=4b4093b1f24ad789bf37
Signed-off-by: Deepanshu Kartikey <Kartikey406@xxxxxxxxx>
---
fs/nilfs2/inode.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/nilfs2/inode.c b/fs/nilfs2/inode.c
index 51bde45d5865..60cfcc209cf7 100644
--- a/fs/nilfs2/inode.c
+++ b/fs/nilfs2/inode.c
@@ -686,6 +686,10 @@ struct inode *nilfs_iget_for_shadow(struct inode *inode)
nilfs_iget_set, &args);
if (unlikely(!s_inode))
return ERR_PTR(-ENOMEM);
+ pr_err("NILFS DEBUG: s_inode=%px I_NEW=%d i_assoc=%px\n",
+ s_inode,
+ !!(inode_state_read_once(s_inode) & I_NEW),
+ NILFS_I(s_inode)->i_assoc_inode);
if (!(inode_state_read_once(s_inode) & I_NEW))
return inode;
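Review bot: The hunk does not implement the fix the commit message describes. The message says the cache-hit path should return s_inode, but the only change here is the added pr_err() trace, and the path below it still reads `return inode;`. If this is deliberately a diagnostic build for the `#syz test` run, the message should say so; otherwise the fix is to change that line to `return s_inode;` (and drop the debug output before the patch is sent for inclusion). Note also that `%px` prints raw, unhashed kernel pointers, which bypasses the pointer hashing that `%p` applies; that is acceptable for a throwaway syzbot test but must not land in the tree.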
--
2.43.0