From: Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp
[ Upstream commit 7a5aa54fba2bd591b22b9b624e6baa9037276986 ]
The inode mode loaded from corrupted disk can be invalid. Do like what commit 0a9e74051313 ("isofs: Verify inode mode when loading from disk") does.
Reported-by: syzbot syzbot+895c23f6917da440ed0d@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=895c23f6917da440ed0d Signed-off-by: Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp Signed-off-by: Dave Kleikamp dave.kleikamp@oracle.com Signed-off-by: Sasha Levin sashal@kernel.org ---
LLM Generated explanations, may be completely bogus:
YES - The change bounds the special-file path in `jfs_iget()` to the four valid special inode classes (`S_ISCHR/S_ISBLK/S_ISFIFO/S_ISSOCK`) before calling `init_special_inode()` (`fs/jfs/inode.c:62-65`). That prevents invalid on-disk modes from silently flowing into `init_special_inode()`, which otherwise only emits a debug message and leaves `i_fop` unset (`fs/inode.c:2560-2583`), making later VFS operations trip over a `NULL` method table. Syzkaller already hit that crash scenario on corrupted metadata, so this is a real bug fix, not just hardening. - When the mode is outside every legal class, the new branch logs the anomaly and fails the iget (`fs/jfs/inode.c:67-70`). Returning `ERR_PTR(-EIO)` is the standard idiom already used a few lines above for other `diRead()` failures (`fs/jfs/inode.c:34-38`), so callers such as `jfs_read_super()` and `jfs_lookup()` already expect and handle it. That turns a kernel crash into an I/O error, matching the stable tree goal of “don’t panic on corrupted media.” - The patch is minimal and self-contained: it touches a single function, adds no new APIs, and mirrors the already-upstreamed isofs fix for the same syzbot report. Normal workloads (regular files, directories, symlinks, and well-formed special files) stay on their existing paths, so regression risk is negligible while the payoff is preventing a user-triggerable crash on damaged volumes—squarely within stable backport policy. Potential next step: queue it for all supported stable series that still carry the vulnerable code path.
fs/jfs/inode.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/fs/jfs/inode.c b/fs/jfs/inode.c index fcedeb514e14a..21f3d029da7dd 100644 --- a/fs/jfs/inode.c +++ b/fs/jfs/inode.c @@ -59,9 +59,15 @@ struct inode *jfs_iget(struct super_block *sb, unsigned long ino) */ inode->i_link[inode->i_size] = '\0'; } - } else { + } else if (S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode) || + S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) { inode->i_op = &jfs_file_inode_operations; init_special_inode(inode, inode->i_mode, inode->i_rdev); + } else { + printk(KERN_DEBUG "JFS: Invalid file type 0%04o for inode %lu.\n", + inode->i_mode, inode->i_ino); + iget_failed(inode); + return ERR_PTR(-EIO); } unlock_new_inode(inode); return inode;