GET /api/1.1/patches/2220875/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2220875,
    "url": "http://patchwork.ozlabs.org/api/1.1/patches/2220875/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/linux-mtd/patch/20260408103127.22218-1-Dmitry.Chumachenko@cyberprotect.ru/",
    "project": {
        "id": 3,
        "url": "http://patchwork.ozlabs.org/api/1.1/projects/3/?format=api",
        "name": "Linux MTD development",
        "link_name": "linux-mtd",
        "list_id": "linux-mtd.lists.infradead.org",
        "list_email": "linux-mtd@lists.infradead.org",
        "web_url": null,
        "scm_url": null,
        "webscm_url": null
    },
    "msgid": "<20260408103127.22218-1-Dmitry.Chumachenko@cyberprotect.ru>",
    "date": "2026-04-08T10:31:27",
    "name": "[v2] jffs2: fix use-after-free in jffs2_garbage_collect_thread()",
    "commit_ref": null,
    "pull_url": null,
    "state": "new",
    "archived": false,
    "hash": "0e1d7f1a6271aeffc65608d6b4eb4d378ef6e82e",
    "submitter": {
        "id": 92943,
        "url": "http://patchwork.ozlabs.org/api/1.1/people/92943/?format=api",
        "name": "Dmitriy Chumachenko",
        "email": "Dmitry.Chumachenko@cyberprotect.ru"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/linux-mtd/patch/20260408103127.22218-1-Dmitry.Chumachenko@cyberprotect.ru/mbox/",
    "series": [
        {
            "id": 499116,
            "url": "http://patchwork.ozlabs.org/api/1.1/series/499116/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/linux-mtd/list/?series=499116",
            "date": "2026-04-08T10:31:27",
            "name": "[v2] jffs2: fix use-after-free in jffs2_garbage_collect_thread()",
            "version": 2,
            "mbox": "http://patchwork.ozlabs.org/series/499116/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/2220875/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/2220875/checks/",
    "tags": {},
    "headers": {
        "Return-Path": "\n <linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>",
        "X-Original-To": "incoming@patchwork.ozlabs.org",
        "Delivered-To": "patchwork-incoming@legolas.ozlabs.org",
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=lists.infradead.org header.i=@lists.infradead.org\n header.a=rsa-sha256 header.s=bombadil.20210309 header.b=vcdU044B;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n unprotected) header.d=cyberprotect.ru header.i=@cyberprotect.ru\n header.a=rsa-sha256 header.s=dkim-r header.b=lTkRcwFf;\n\tdkim=fail reason=\"signature verification failed\" header.d=cyberprotect.ru\n header.i=@cyberprotect.ru header.a=ed25519-sha256 header.s=dkim\n header.b=TthtbO/f;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=none (no SPF record) smtp.mailfrom=lists.infradead.org\n (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org;\n envelope-from=linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org;\n receiver=patchwork.ozlabs.org)"
        ],
        "Received": [
            "from bombadil.infradead.org (bombadil.infradead.org\n [IPv6:2607:7c80:54:3::133])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4frKBd261Vz1xv0\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 08 Apr 2026 20:32:20 +1000 (AEST)",
            "from localhost ([::1] helo=bombadil.infradead.org)\n\tby bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wAQCY-00000008gkm-3e8H;\n\tWed, 08 Apr 2026 10:32:02 +0000",
            "from mx2.cyberprotect.ru ([176.10.93.31])\n\tby bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wAQCV-00000008gjy-1yaQ\n\tfor linux-mtd@lists.infradead.org;\n\tWed, 08 Apr 2026 10:32:01 +0000"
        ],
        "DKIM-Signature": [
            "v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n\td=lists.infradead.org; s=bombadil.20210309; h=Sender:\n\tContent-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:\n\tList-Archive:List-Unsubscribe:List-Id:MIME-Version:Message-ID:Date:Subject:CC\n\t:To:From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:\n\tResent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:\n\tList-Owner; bh=wE0H7nEqjVse32PoRaCoHZ3YIzEW5R8opVW5skHeEyY=; b=vcdU044BT8keb5\n\tTm3n3Gl+FBATJyjVHtUlNRetJ216Ynet5h0nf5McgIwwaD0bSvinuzEnRHf5ERwLVnxO615DEDFnM\n\tKUzMAltnz0AO64GPvwx3L3C9qq+ymayOv1nr2fntVPFe1MQi4Yci4SvEuuK2inqj7S0ur+t4h52Qr\n\tkiMx0Bcg0jRzx2/2nz0SgXj9ss72L6QBZ+endKzJdXv0GBED7eN7/Y8vFt7REUi6PCGiNJyZ/ykI1\n\trMPUr2kDRfFcFFT27y5Wx00GFTn4RrPyyPwvCB5YK+eWb3zaMw28W02cW5TLUnHh8SsrKcADzc1x9\n\td06PYQAXSVjR+Oig73oA==;",
            "v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n\td=cyberprotect.ru; s=dkim-r; h=MIME-Version:Date:From:Sender:Reply-To;\n\tbh=68jUZvXWunVeoQkkWi7hSN7won0FQkNVFRmyntCsBik=; b=lTkRcwFf+sCVdHbpJtec8fE06e\n\toa9g4pnFmuucwBGGsRyLryAYssspJltQ+xrwHyf00GPx7uyx+PUOHDX8qyl6gmBI+WarmS7SK3xMp\n\tUAm14+pgbHbEEblBfyHTsQEmSoUq7POufCVWDEcUHoQbeZ0CIi6aILk5+f3ilrQKEWDJSxw2lnFsl\n\tVkK868zJi7rJ+O0RA3sehSkkBSF+tOImDXNjuIp4s1tR3q1S8EYdSdprXOQWlG5ifqQIKkVwBJiMX\n\tyTFtLb8YyAEmSgelTISFvsUMoINVLjaZoE6XXno0CMEZcyecivxfMte/29QC4gc3eUm7BZNsVkUf9\n\tcYu1p4qQ==;",
            "v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed;\n\td=cyberprotect.ru; s=dkim; h=MIME-Version:Date:From:Sender:Reply-To;\n\tbh=68jUZvXWunVeoQkkWi7hSN7won0FQkNVFRmyntCsBik=; b=TthtbO/fR9kjj40hq1L5bVe2rA\n\tbY2BuvhSTRPjlz8k+xhTj0TAfuCvxvP3xAfEXCmWVIjjDb8iyfJWMkERIYDw==;"
        ],
        "From": "Dmitriy Chumachenko <Dmitry.Chumachenko@cyberprotect.ru>",
        "To": "David Woodhouse <dwmw2@infradead.org>",
        "CC": "Richard Weinberger <richard@nod.at>, Thomas Gleixner <tglx@linutronix.de>,\n\t<linux-mtd@lists.infradead.org>, <linux-kernel@vger.kernel.org>,\n\t<lvc-project@linuxtesting.org>",
        "Subject": "[PATCH v2] jffs2: fix use-after-free in\n jffs2_garbage_collect_thread()",
        "Date": "Wed, 8 Apr 2026 13:31:27 +0300",
        "Message-ID": "<20260408103127.22218-1-Dmitry.Chumachenko@cyberprotect.ru>",
        "X-Mailer": "git-send-email 2.49.0",
        "MIME-Version": "1.0",
        "X-Originating-IP": "[10.80.0.30]",
        "X-ClientProxiedBy": "AIP-EXCH-2.aip.ooo (10.77.28.102) To AIP-EXCH-2.aip.ooo\n (10.77.28.102)",
        "X-CRM114-Version": "20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 ",
        "X-CRM114-CacheID": "sfid-20260408_033200_015929_AD120921 ",
        "X-CRM114-Status": "GOOD (  15.36  )",
        "X-Spam-Score": "-2.1 (--)",
        "X-Spam-Report": "Spam detection software,\n running on the system \"bombadil.infradead.org\",\n has NOT identified this incoming email as spam.  The original\n message has been attached to this so you can view it or label\n similar future email.  If you have any questions, see\n the administrator of that system for details.\n Content preview:  During fuzz testing,\n the following issue was discovered. BUG:\n    KASAN: use-after-free in __lock_acquire+0x3f22/0x53c0\n kernel/locking/lockdep.c:4825\n    Read of size 8 at addr ffff888053cfa098 by task jffs2_gcd_mtd0/11093\n Content analysis details:   (-2.1 points, 5.0 required)\n  pts rule name              description\n ---- ----------------------\n --------------------------------------------------\n  0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE: The\n                             query to Validity was blocked.  See\n                             https://knowledge.validity.com/hc/en-us/articles/20961730681243\n                              for more information.\n                           [176.10.93.31 listed in\n sa-trusted.bondedsender.org]\n  0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to\n                              Validity was blocked.  See\n                             https://knowledge.validity.com/hc/en-us/articles/20961730681243\n                              for more information.\n                             [176.10.93.31 listed in sa-accredit.habeas.com]\n  0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to\n                              Validity was blocked.  
See\n                             https://knowledge.validity.com/hc/en-us/articles/20961730681243\n                              for more information.\n                             [176.10.93.31 listed in bl.score.senderscore.com]\n -0.0 SPF_PASS               SPF: sender matches SPF record\n -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record\n -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from\n                             envelope-from domain\n  0.1 DKIM_SIGNED            Message has a DKIM or DK signature,\n not necessarily valid\n -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from\n author's\n                             domain\n -0.1 DKIM_VALID             Message has at least one valid DKIM or DK\n signature\n -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%\n                             [score: 0.0000]",
        "X-BeenThere": "linux-mtd@lists.infradead.org",
        "X-Mailman-Version": "2.1.34",
        "Precedence": "list",
        "List-Id": "Linux MTD discussion mailing list <linux-mtd.lists.infradead.org>",
        "List-Unsubscribe": "<http://lists.infradead.org/mailman/options/linux-mtd>,\n <mailto:linux-mtd-request@lists.infradead.org?subject=unsubscribe>",
        "List-Archive": "<http://lists.infradead.org/pipermail/linux-mtd/>",
        "List-Post": "<mailto:linux-mtd@lists.infradead.org>",
        "List-Help": "<mailto:linux-mtd-request@lists.infradead.org?subject=help>",
        "List-Subscribe": "<http://lists.infradead.org/mailman/listinfo/linux-mtd>,\n <mailto:linux-mtd-request@lists.infradead.org?subject=subscribe>",
        "Content-Type": "text/plain; charset=\"us-ascii\"",
        "Content-Transfer-Encoding": "7bit",
        "Sender": "\"linux-mtd\" <linux-mtd-bounces@lists.infradead.org>",
        "Errors-To": "linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org"
    },
    "content": "During fuzz testing, the following issue was discovered.\n\nBUG: KASAN: use-after-free in __lock_acquire+0x3f22/0x53c0 kernel/locking/lockdep.c:4825\nRead of size 8 at addr ffff888053cfa098 by task jffs2_gcd_mtd0/11093\n\nCPU: 1 PID: 11093 Comm: jffs2_gcd_mtd0 Not tainted 5.10.232-syzkaller #0\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x107/0x167 lib/dump_stack.c:118\n print_address_description.constprop.0+0x1c/0x220 mm/kasan/report.c:377\n __kasan_report mm/kasan/report.c:537 [inline]\n kasan_report.cold+0x1f/0x37 mm/kasan/report.c:554\n __lock_acquire+0x3f22/0x53c0 kernel/locking/lockdep.c:4825\n lock_acquire kernel/locking/lockdep.c:5566 [inline]\n lock_acquire+0x197/0x480 kernel/locking/lockdep.c:5531\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]\n _raw_spin_lock_irqsave+0x36/0x60 kernel/locking/spinlock.c:159\n complete+0x13/0x60 kernel/sched/completion.c:32\n complete_and_exit+0x20/0x40 kernel/exit.c:943\n jffs2_garbage_collect_thread+0x554/0x750 fs/jffs2/background.c:164\n kthread+0x3a9/0x490 kernel/kthread.c:328\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298\n\nAllocated by task 11091:\n kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48\n kasan_set_track mm/kasan/common.c:56 [inline]\n __kasan_kmalloc.constprop.0+0xc9/0xd0 mm/kasan/common.c:461\n kmalloc include/linux/slab.h:552 [inline]\n kzalloc include/linux/slab.h:664 [inline]\n jffs2_init_fs_context+0x41/0xd0 fs/jffs2/super.c:314\n alloc_fs_context+0x4f9/0x840 fs/fs_context.c:267\n do_new_mount fs/namespace.c:2896 [inline]\n path_mount+0xb99/0x2140 fs/namespace.c:3247\n do_mount fs/namespace.c:3260 [inline]\n __do_sys_mount fs/namespace.c:3468 [inline]\n __se_sys_mount fs/namespace.c:3445 [inline]\n __x64_sys_mount+0x283/0x300 fs/namespace.c:3445\n do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46\n 
entry_SYSCALL_64_after_hwframe+0x67/0xd1\n\nFreed by task 28546:\n kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48\n kasan_set_track+0x1c/0x30 mm/kasan/common.c:56\n kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355\n __kasan_slab_free+0x112/0x170 mm/kasan/common.c:422\n slab_free_hook mm/slub.c:1542 [inline]\n slab_free_freelist_hook+0xb8/0x1b0 mm/slub.c:1576\n slab_free mm/slub.c:3149 [inline]\n kfree+0xd9/0x360 mm/slub.c:4125\n deactivate_locked_super+0x96/0x170 fs/super.c:335\n deactivate_super+0xb2/0xd0 fs/super.c:366\n cleanup_mnt+0x3a3/0x530 fs/namespace.c:1118\n task_work_run+0xdf/0x1a0 kernel/task_work.c:185\n tracehook_notify_resume include/linux/tracehook.h:188 [inline]\n exit_to_user_mode_loop kernel/entry/common.c:172 [inline]\n exit_to_user_mode_prepare+0x1de/0x1f0 kernel/entry/common.c:199\n syscall_exit_to_user_mode+0x38/0x1e0 kernel/entry/common.c:274\n\nIn jffs2_garbage_collect_thread() gc_task is set to NULL and then\nkthread_complete_and_exit() calls complete() on gc_thread_exit. These\noperations are not atomic: stop path can see gc_task == NULL, skip\nwait_for_completion(), and the caller frees jffs2_sb_info while the GC\nthread still accesses gc_thread_exit in complete().\n\nMoreover, spin_unlock() itself accesses c after complete() has woken the\nstop path:\n\njffs2_kill_sb                    jffs2_garbage_collect_thread\n    jffs2_stop_garbage_collect_thread\n      spin_lock\n      send_sig(SIGKILL)\n      wait = 1\n      spin_unlock\n                                     goto die\n                                     spin_lock\n                                     c->gc_task = NULL\n                                     spin_unlock\n                                     kthread_complete_and_exit()\n                                       complete(&c->gc_thread_exit)\n      wait_for_completion()\n    kfree(c)\n\nFix by adding a gc_thread_started flag that is set when the GC thread is \nsuccessfully started. 
Use this flag instead of gc_task to decide whether \nto wait. The flag is never cleared by the GC thread, so \nwait_for_completion() is always called when start() succeeded, regardless \nof the current value of gc_task.\n                                   \nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.\n\nFixes: e2d48b1a98bb (\"[JFFS2] Fix cleanup in case of GC-Task not started\")\nSigned-off-by: Dmitriy Chumachenko <Dmitry.Chumachenko@cyberprotect.ru>\n---\nv1->v2: Use gc_thread_started flag as a reliable indicator instead\n    of gc_task. Drop complete() under erase_completion_lock \n    (thanks, Zhihao Cheng).\n\n fs/jffs2/background.c  | 7 ++++---\n fs/jffs2/jffs2_fs_sb.h | 1 +\n 2 files changed, 5 insertions(+), 3 deletions(-)",
    "diff": "diff --git a/fs/jffs2/background.c b/fs/jffs2/background.c\nindex bb0ee1a59e71..5e5ed9053326 100644\n--- a/fs/jffs2/background.c\n+++ b/fs/jffs2/background.c\n@@ -52,6 +52,7 @@ int jffs2_start_garbage_collect_thread(struct jffs2_sb_info *c)\n \t\t/* Wait for it... */\n \t\tjffs2_dbg(1, \"Garbage collect thread is pid %d\\n\", tsk->pid);\n \t\twait_for_completion(&c->gc_thread_start);\n+\t\tc->gc_thread_started = true;\n \t\tret = tsk->pid;\n \t}\n \n@@ -60,16 +61,16 @@ int jffs2_start_garbage_collect_thread(struct jffs2_sb_info *c)\n \n void jffs2_stop_garbage_collect_thread(struct jffs2_sb_info *c)\n {\n-\tint wait = 0;\n \tspin_lock(&c->erase_completion_lock);\n \tif (c->gc_task) {\n \t\tjffs2_dbg(1, \"Killing GC task %d\\n\", c->gc_task->pid);\n \t\tsend_sig(SIGKILL, c->gc_task, 1);\n-\t\twait = 1;\n \t}\n \tspin_unlock(&c->erase_completion_lock);\n-\tif (wait)\n+\tif (c->gc_thread_started) {\n \t\twait_for_completion(&c->gc_thread_exit);\n+\t\tc->gc_thread_started = false;\n+\t}\n }\n \n static int jffs2_garbage_collect_thread(void *_c)\ndiff --git a/fs/jffs2/jffs2_fs_sb.h b/fs/jffs2/jffs2_fs_sb.h\nindex 5a7091746f68..4c833e0ff03c 100644\n--- a/fs/jffs2/jffs2_fs_sb.h\n+++ b/fs/jffs2/jffs2_fs_sb.h\n@@ -55,6 +55,7 @@ struct jffs2_sb_info {\n \tunsigned int flags;\n \n \tstruct task_struct *gc_task;\t/* GC task struct */\n+\tbool gc_thread_started;         /* GC thread was successfully started */\n \tstruct completion gc_thread_start; /* GC thread start completion */\n \tstruct completion gc_thread_exit; /* GC thread exit completion port */\n \n",
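Review bot: In jffs2_stop_garbage_collect_thread() the new `if (c->gc_thread_started)` test carries the whole fix, but neither the code nor the one-line field comment in jffs2_fs_sb.h says why the wait is no longer keyed on `c->gc_task`. I would add a comment above the test, such as `/* The exiting GC thread clears gc_task before it completes gc_thread_exit, so only gc_thread_started says a thread was started and must be waited for. */`. The flag is written in jffs2_start_garbage_collect_thread() and read and cleared here outside erase_completion_lock, so the change appears to rely on start and stop being serialized by their callers (jffs2_kill_sb is the only one shown in the description). That assumption is not visible in these hunks and is worth stating in the same comment. Without it, a later caller that runs stop concurrently with start could skip the wait and reopen the window in which jffs2_sb_info is freed while the GC thread is still inside complete().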
    "prefixes": [
        "v2"
    ]
}