[syzbot] [nilfs?] general protection fault in nilfs_mdt_save_to_shadow_map

1 view

Skip to first unread message

syzbot

unread,

Mar 16, 2026, 11:14:31 PM (3 hours ago) Mar 16

to konishi...@gmail.com, linux-...@vger.kernel.org, linux...@vger.kernel.org, sl...@dubeyko.com, syzkall...@googlegroups.com

Hello,

syzbot found the following issue on:

HEAD commit: b84a0ebe421c Add linux-next specific files for 20260313
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=115098ba580000
kernel config: https://syzkaller.appspot.com/x/.config?x=d079c776411aaf59
dashboard link: https://syzkaller.appspot.com/bug?extid=4b4093b1f24ad789bf37
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15e844da580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11775d52580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ed9cdd5f6ba1/disk-b84a0ebe.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/856b866a24e9/vmlinux-b84a0ebe.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b1d5ecff5545/bzImage-b84a0ebe.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/66467c518306/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4b4093...@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 4096
NILFS (loop0): invalid segment: Checksum error in segment payload
NILFS (loop0): trying rollback from an earlier position
NILFS (loop0): recovery complete
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
CPU: 0 UID: 0 PID: 6003 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:nilfs_mdt_save_to_shadow_map+0x141/0x1c0 fs/nilfs2/mdt.c:559
Code: 3f 4c 8d 63 d8 4c 89 e0 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89 e7 e8 2e 0b 83 fe 4d 8b 24 24 49 83 c4 30 4c 89 e0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 e7 e8 10 0b 83 fe 49 8b 34 24 4c 89 ff
RSP: 0018:ffffc90002767708 EFLAGS: 00010206
RAX: 0000000000000006 RBX: ffff8880605d4560 RCX: 0000000000000000
RDX: ffff88802cde8000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffff88802cde8000 R09: 0000000000000003
R10: 0000000000000406 R11: 0000000000000000 R12: 0000000000000030
R13: dffffc0000000000 R14: ffff8880764a6538 R15: ffff8880605d3b18
FS: 000055556403c500(0000) GS:ffff888125436000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b30263fff CR3: 0000000074cae000 CR4: 00000000003526f0
Call Trace:
<TASK>
nilfs_clean_segments+0x162/0xa50 fs/nilfs2/segment.c:2521
nilfs_ioctl_clean_segments fs/nilfs2/ioctl.c:916 [inline]
nilfs_ioctl+0x261f/0x2780 fs/nilfs2/ioctl.c:1346
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd2a5f9c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd6d77cd18 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fd2a6215fa0 RCX: 00007fd2a5f9c799
RDX: 0000200000000640 RSI: 0000000040786e88 RDI: 0000000000000004
RBP: 00007fd2a6032c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fd2a6215fac R14: 00007fd2a6215fa0 R15: 00007fd2a6215fa0
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:nilfs_mdt_save_to_shadow_map+0x141/0x1c0 fs/nilfs2/mdt.c:559
Code: 3f 4c 8d 63 d8 4c 89 e0 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89 e7 e8 2e 0b 83 fe 4d 8b 24 24 49 83 c4 30 4c 89 e0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 e7 e8 10 0b 83 fe 49 8b 34 24 4c 89 ff
RSP: 0018:ffffc90002767708 EFLAGS: 00010206
RAX: 0000000000000006 RBX: ffff8880605d4560 RCX: 0000000000000000
RDX: ffff88802cde8000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffff88802cde8000 R09: 0000000000000003
R10: 0000000000000406 R11: 0000000000000000 R12: 0000000000000030
R13: dffffc0000000000 R14: ffff8880764a6538 R15: ffff8880605d3b18
FS: 000055556403c500(0000) GS:ffff888125536000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1536619000 CR3: 0000000074cae000 CR4: 00000000003526f0
----------------
Code disassembly (best guess), 1 bytes skipped:
0: 4c 8d 63 d8 lea -0x28(%rbx),%r12
4: 4c 89 e0 mov %r12,%rax
7: 48 c1 e8 03 shr $0x3,%rax
b: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1)
10: 74 08 je 0x1a
12: 4c 89 e7 mov %r12,%rdi
15: e8 2e 0b 83 fe call 0xfe830b48
1a: 4d 8b 24 24 mov (%r12),%r12
1e: 49 83 c4 30 add $0x30,%r12
22: 4c 89 e0 mov %r12,%rax
25: 48 c1 e8 03 shr $0x3,%rax
* 29: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) <-- trapping instruction
2e: 74 08 je 0x38
30: 4c 89 e7 mov %r12,%rdi
33: e8 10 0b 83 fe call 0xfe830b48
38: 49 8b 34 24 mov (%r12),%rsi
3c: 4c 89 ff mov %r15,%rdi

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

unread,

Mar 16, 2026, 11:40:34 PM (2 hours ago) Mar 16

to linux-...@vger.kernel.org, syzkall...@googlegroups.com

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map
Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master

When nilfs_dat_read() is called a second time during rollback recovery
from a corrupted segment (checksum error), nilfs_iget_locked() returns
a cached DAT inode that is not I_NEW, causing the function to skip
nilfs_mdt_setup_shadow_map(). This leaves i_assoc_inode as NULL in the
DAT inode, which later causes a general protection fault in
nilfs_mdt_save_to_shadow_map() when NILFS_IOCTL_CLEAN_SEGMENTS is
invoked immediately after mount.

Fix this by redirecting the non-I_NEW path to a new reinit_shadow label
that calls nilfs_mdt_setup_shadow_map() if the shadow map has not been
initialized yet, ensuring i_assoc_inode is always valid before the
segment cleaner uses it.

Reported-by: syzbot+4b4093...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4b4093b1f24ad789bf37
Signed-off-by: Deepanshu Kartikey <Karti...@gmail.com>
---
fs/nilfs2/dat.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/fs/nilfs2/dat.c b/fs/nilfs2/dat.c
index 674380837ab9..c0b656e1c4ef 100644
--- a/fs/nilfs2/dat.c
+++ b/fs/nilfs2/dat.c
@@ -507,7 +507,7 @@ int nilfs_dat_read(struct super_block *sb, size_t entry_size,
if (unlikely(!dat))
return -ENOMEM;
if (!(inode_state_read_once(dat) & I_NEW))
- goto out;
+ goto reinit_shadow;

err = nilfs_mdt_init(dat, NILFS_MDT_GFP, sizeof(*di));
if (err)
@@ -529,6 +529,14 @@ int nilfs_dat_read(struct super_block *sb, size_t entry_size,
goto failed;

unlock_new_inode(dat);
+ goto out;
+reinit_shadow:
+ di = NILFS_DAT_I(dat);
+ if (!di->mi.mi_shadow) {
+ err = nilfs_mdt_setup_shadow_map(dat, &di->shadow);
+ if (err)
+ goto failed;
+ }
out:
*inodep = dat;
return 0;
--
2.43.0

syzbot

unread,

12:06 AM (2 hours ago) 12:06 AM

to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in nilfs_mdt_save_to_shadow_map

loop0: detected capacity change from 0 to 4096
NILFS (loop0): invalid segment: Checksum error in segment payload
NILFS (loop0): trying rollback from an earlier position
NILFS (loop0): recovery complete
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]

CPU: 1 UID: 0 PID: 6533 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:nilfs_mdt_save_to_shadow_map+0x141/0x1c0 fs/nilfs2/mdt.c:559

Code: 3f 4c 8d 63 d8 4c 89 e0 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89 e7 e8 de c8 82 fe 4d 8b 24 24 49 83 c4 30 4c 89 e0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 e7 e8 c0 c8 82 fe 49 8b 34 24 4c 89 ff
RSP: 0018:ffffc90003467708 EFLAGS: 00010206
RAX: 0000000000000006 RBX: ffff888058b3c560 RCX: 0000000000000000
RDX: ffff888031629e80 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffff888031629e80 R09: 0000000000000003

R10: 0000000000000406 R11: 0000000000000000 R12: 0000000000000030

R13: dffffc0000000000 R14: ffff88801cadd138 R15: ffff888058b3bb18
FS: 00007f88139416c0(0000) GS:ffff888125537000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 0000001b2e963fff CR3: 0000000023756000 CR4: 00000000003526f0

Call Trace:
<TASK>
nilfs_clean_segments+0x162/0xa50 fs/nilfs2/segment.c:2521
nilfs_ioctl_clean_segments fs/nilfs2/ioctl.c:916 [inline]
nilfs_ioctl+0x261f/0x2780 fs/nilfs2/ioctl.c:1346
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7f881299c799

Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48

RSP: 002b:00007f8813941028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f8812c15fa0 RCX: 00007f881299c799

RDX: 0000200000000640 RSI: 0000000040786e88 RDI: 0000000000000004

RBP: 00007f8812a32c99 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 00007f8812c16038 R14: 00007f8812c15fa0 R15: 00007fff51656638

</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:nilfs_mdt_save_to_shadow_map+0x141/0x1c0 fs/nilfs2/mdt.c:559

R10: 0000000000000406 R11: 0000000000000000 R12: 0000000000000030

R13: dffffc0000000000 R14: ffff88801cadd138 R15: ffff888058b3bb18
FS: 00007f88139416c0(0000) GS:ffff888125437000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 00007f88129e9e80 CR3: 0000000023756000 CR4: 00000000003526f0

----------------
Code disassembly (best guess), 1 bytes skipped:
0: 4c 8d 63 d8 lea -0x28(%rbx),%r12
4: 4c 89 e0 mov %r12,%rax
7: 48 c1 e8 03 shr $0x3,%rax
b: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1)
10: 74 08 je 0x1a
12: 4c 89 e7 mov %r12,%rdi

15: e8 de c8 82 fe call 0xfe82c8f8

1a: 4d 8b 24 24 mov (%r12),%r12
1e: 49 83 c4 30 add $0x30,%r12
22: 4c 89 e0 mov %r12,%rax
25: 48 c1 e8 03 shr $0x3,%rax
* 29: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1) <-- trapping instruction
2e: 74 08 je 0x38
30: 4c 89 e7 mov %r12,%rdi

33: e8 c0 c8 82 fe call 0xfe82c8f8

38: 49 8b 34 24 mov (%r12),%rsi
3c: 4c 89 ff mov %r15,%rdi

Tested on:

commit: 95c541dd Add linux-next specific files for 20260316
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=12f93d52580000
kernel config: https://syzkaller.appspot.com/x/.config?x=ed431987028345c6

dashboard link: https://syzkaller.appspot.com/bug?extid=4b4093b1f24ad789bf37
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8

patch: https://syzkaller.appspot.com/x/patch.diff?x=1650a8da580000

syzbot

unread,

12:25 AM (2 hours ago) 12:25 AM

to linux-...@vger.kernel.org, syzkall...@googlegroups.com

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] nilfs2: fix wrong inode returned from nilfs_iget_for_shadow on cache hit

Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master

nilfs_iget_for_shadow() returns the original inode instead of the
cached shadow inode when the shadow inode already exists (I_NEW not
set). This causes nilfs_mdt_setup_shadow_map() to store the original
inode as shadow->inode, so subsequent calls to
nilfs_mdt_save_to_shadow_map() dereference the wrong inode's
i_assoc_inode, which may be NULL, leading to a general protection
fault.

This can be triggered by mounting a corrupted NILFS2 image that causes
rollback recovery, followed immediately by NILFS_IOCTL_CLEAN_SEGMENTS.
During rollback, nilfs_dat_read() is called twice, causing
nilfs_iget_for_shadow() to hit the cached path and return the wrong
inode.

Fix this by returning s_inode instead of inode on the cache hit path.

Reported-by: syzbot+4b4093...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4b4093b1f24ad789bf37
Signed-off-by: Deepanshu Kartikey <Karti...@gmail.com>
---

fs/nilfs2/inode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/nilfs2/inode.c b/fs/nilfs2/inode.c
index 51bde45d5865..1f9bc63eb295 100644
--- a/fs/nilfs2/inode.c
+++ b/fs/nilfs2/inode.c
@@ -687,7 +687,7 @@ struct inode *nilfs_iget_for_shadow(struct inode *inode)
if (unlikely(!s_inode))
return ERR_PTR(-ENOMEM);
if (!(inode_state_read_once(s_inode) & I_NEW))
- return inode;
+ return s_inode;

NILFS_I(s_inode)->i_flags = 0;
memset(NILFS_I(s_inode)->i_bmap, 0, sizeof(struct nilfs_bmap));
--
2.43.0

syzbot

unread,

1:34 AM (25 minutes ago) 1:34 AM

to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in nilfs_mdt_save_to_shadow_map

loop0: detected capacity change from 0 to 4096
NILFS (loop0): invalid segment: Checksum error in segment payload
NILFS (loop0): trying rollback from an earlier position
NILFS (loop0): recovery complete
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]

CPU: 0 UID: 0 PID: 6523 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:nilfs_mdt_save_to_shadow_map+0x141/0x1c0 fs/nilfs2/mdt.c:559

Code: 3f 4c 8d 63 d8 4c 89 e0 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89 e7 e8 2e c9 82 fe 4d 8b 24 24 49 83 c4 30 4c 89 e0 48 c1 e8 03 <42> 80 3c 28 00 74 08 4c 89 e7 e8 10 c9 82 fe 49 8b 34 24 4c 89 ff
RSP: 0018:ffffc90003277708 EFLAGS: 00010206
RAX: 0000000000000006 RBX: ffff88807317c560 RCX: 0000000000000000
RDX: ffff888035688000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffff888035688000 R09: 0000000000000003

R10: 0000000000000406 R11: 0000000000000000 R12: 0000000000000030

R13: dffffc0000000000 R14: ffff8880207a1938 R15: ffff88807317bb18
FS: 00007f2a5c0606c0(0000) GS:ffff888125437000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 0000001b2f663fff CR3: 000000005f52c000 CR4: 00000000003526f0

RIP: 0033:0x7f2a5b19c799

Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48

RSP: 002b:00007f2a5c060028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f2a5b415fa0 RCX: 00007f2a5b19c799

RDX: 0000200000000640 RSI: 0000000040786e88 RDI: 0000000000000004

RBP: 00007f2a5b232c99 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 00007f2a5b416038 R14: 00007f2a5b415fa0 R15: 00007ffc84e2c978

</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:nilfs_mdt_save_to_shadow_map+0x141/0x1c0 fs/nilfs2/mdt.c:559

R10: 0000000000000406 R11: 0000000000000000 R12: 0000000000000030

R13: dffffc0000000000 R14: ffff8880207a1938 R15: ffff88807317bb18
FS: 00007f2a5c0606c0(0000) GS:ffff888125437000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 00007f2a5b1e9e80 CR3: 000000005f52c000 CR4: 00000000003526f0

15: e8 2e c9 82 fe call 0xfe82c948

33: e8 10 c9 82 fe call 0xfe82c948

38: 49 8b 34 24 mov (%r12),%rsi
3c: 4c 89 ff mov %r15,%rdi

Tested on:

commit: 95c541dd Add linux-next specific files for 20260316
git tree: linux-next

console output: https://syzkaller.appspot.com/x/log.txt?x=177f5602580000

kernel config: https://syzkaller.appspot.com/x/.config?x=ed431987028345c6
dashboard link: https://syzkaller.appspot.com/bug?extid=4b4093b1f24ad789bf37
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8