This is a note to let you know that I've just added the patch titled

    jfs: fix GPF in diFree

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     jfs-fix-gpf-in-difree.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable
tree, please let <stable@xxxxxxxxxxxxxxx> know about it.

From 9d574f985fe33efd6911f4d752de6f485a1ea732 Mon Sep 17 00:00:00 2001
From: Pavel Skripkin <paskripkin@xxxxxxxxx>
Date: Sun, 6 Jun 2021 17:24:05 +0300
Subject: jfs: fix GPF in diFree

From: Pavel Skripkin <paskripkin@xxxxxxxxx>

commit 9d574f985fe33efd6911f4d752de6f485a1ea732 upstream.

Avoid passing inode with JFS_SBI(inode->i_sb)->ipimap == NULL to
diFree()[1]. GPF will appear:

	struct inode *ipimap = JFS_SBI(ip->i_sb)->ipimap;
	struct inomap *imap = JFS_IP(ipimap)->i_imap;

JFS_IP() will return invalid pointer when ipimap == NULL

Call Trace:
 diFree+0x13d/0x2dc0 fs/jfs/jfs_imap.c:853 [1]
 jfs_evict_inode+0x2c9/0x370 fs/jfs/inode.c:154
 evict+0x2ed/0x750 fs/inode.c:578
 iput_final fs/inode.c:1654 [inline]
 iput.part.0+0x3fe/0x820 fs/inode.c:1680
 iput+0x58/0x70 fs/inode.c:1670

Reported-and-tested-by: syzbot+0a89a7b56db04c21a656@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Pavel Skripkin <paskripkin@xxxxxxxxx>
Signed-off-by: Dave Kleikamp <dave.kleikamp@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 fs/jfs/inode.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/jfs/inode.c
+++ b/fs/jfs/inode.c
@@ -161,7 +161,8 @@ void jfs_evict_inode(struct inode *inode if (test_cflag(COMMIT_Freewmap, inode)) jfs_free_zero_link(inode); - diFree(inode); + if (JFS_SBI(inode->i_sb)->ipimap) + diFree(inode); /* * Free the inode from the quota allocation. Patches currently in stable-queue which might be from paskripkin@xxxxxxxxx are queue-4.14/net-sched-fix-warning-in-tcindex_alloc_perfect_hash.patch queue-4.14/reiserfs-add-check-for-invalid-1st-journal-block.patch queue-4.14/net-ethernet-aeroflex-fix-uaf-in-greth_of_remove.patch queue-4.14/net-ethernet-ezchip-fix-uaf-in-nps_enet_remove.patch queue-4.14/net-can-ems_usb-fix-use-after-free-in-ems_usb_disconnect.patch queue-4.14/jfs-fix-gpf-in-difree.patch queue-4.14/media-cpia2-fix-memory-leak-in-cpia2_usb_probe.patch queue-4.14/net-ethernet-ezchip-fix-error-handling.patch queue-4.14/media-dvb-usb-fix-wrong-definition.patch queue-4.14/media-zr364xx-fix-memory-leak-in-zr364xx_start_readpipe.patch
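Review bot: the new guard in jfs_evict_inode() avoids the NULL-derived JFS_IP(ipimap) dereference shown in the trace, but it does so by skipping diFree(inode) entirely when JFS_SBI(inode->i_sb)->ipimap is NULL, and the hunk carries no comment saying under what conditions ipimap can be NULL at eviction time or why skipping the inode-map release is safe then; add a one-line comment above the `if (JFS_SBI(inode->i_sb)->ipimap)` line stating that, and consider whether the NULL check belongs inside diFree() itself so that any other caller is protected too, rather than only this call site. The surrounding jfs_free_zero_link() and quota-release paths are unchanged by this hunk.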