Commit 4a4e0328 authored Mar 31, 2026 by Deepanshu Kartikey Committed by Viacheslav Dubeyko Mar 30, 2026

nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map



The DAT inode's btree node cache (i_assoc_inode) is initialized lazily
during btree operations. However, nilfs_mdt_save_to_shadow_map()
assumes i_assoc_inode is already initialized when copying dirty pages
to the shadow map during GC.

If NILFS_IOCTL_CLEAN_SEGMENTS is called immediately after mount before
any btree operation has occurred on the DAT inode, i_assoc_inode is
NULL leading to a general protection fault.

Fix this by calling nilfs_attach_btree_node_cache() on the DAT inode
in nilfs_dat_read() at mount time, ensuring i_assoc_inode is always
initialized before any GC operation can use it.

Reported-by:  <syzbot+4b4093b1f24ad789bf37@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=4b4093b1f24ad789bf37


Tested-by:  <syzbot+4b4093b1f24ad789bf37@syzkaller.appspotmail.com>
Fixes: e897be17 ("nilfs2: fix lockdep warnings in page operations for btree nodes")
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>

parent 6de23f81

fs/nilfs2/dat.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -524,6 +524,9 @@ int nilfs_dat_read(struct super_block *sb, size_t entry_size,
		if (err)
		goto failed;

		err = nilfs_attach_btree_node_cache(dat);
		if (err)
		goto failed;
		err = nilfs_read_inode_common(dat, raw_inode);
		if (err)
		goto failed;