Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone

Next message: Ekansh Gupta via B4 Relay: "[PATCH] arm64: dts: qcom: talos: Add memory-region for audio PD"
Previous message: syzbot: "Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone"
In reply to: syzbot: "Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone"
Next in thread: syzbot: "Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Edward Adam Davis

Date: Sat Apr 18 2026 - 01:44:23 EST

#syz test

diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index 5f31c12f4607..f795f19d24bb 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -1984,7 +1984,7 @@ static int lbmRead(struct jfs_log * log, int pn, struct lbuf ** bpp)
submit_bio(bio);
}

- wait_event(bp->l_ioevent, (bp->l_flag == lbmDONE));
+ wait_event(bp->l_ioevent, (bp->l_flag & lbmDONE));

return 0;
}
@@ -2192,11 +2192,6 @@ static void lbmIODone(struct bio *bio)
if (bp->l_flag & lbmREAD) {
bp->l_flag &= ~lbmREAD;

- LCACHE_UNLOCK(flags);
- /* wakeup I/O initiator */
- LCACHE_WAKEUP(&bp->l_ioevent);
- LCACHE_LOCK(flags); /* disable+lock */
-
goto out;
}

@@ -2219,10 +2214,8 @@ static void lbmIODone(struct bio *bio)
log = bp->l_log;
log->clsn = (bp->l_pn << L2LOGPSIZE) + bp->l_ceor;

- if (bp->l_flag & lbmDIRECT) {
- LCACHE_WAKEUP(&bp->l_ioevent);
+ if (bp->l_flag & lbmDIRECT)
goto out;
- }

tail = log->wqueue;

@@ -2273,10 +2266,7 @@ static void lbmIODone(struct bio *bio)
* leave buffer for i/o initiator to dispose
*/
if (bp->l_flag & lbmSYNC) {
- LCACHE_UNLOCK(flags);
- /* wakeup I/O initiator */
- LCACHE_WAKEUP(&bp->l_ioevent);
- LCACHE_LOCK(flags); /* disable+lock */
+ goto out;
}

/*
@@ -2302,6 +2292,8 @@ static void lbmIODone(struct bio *bio)

out:
bp->l_flag |= lbmDONE;
+ /* wakeup I/O initiator */
+ LCACHE_WAKEUP(&bp->l_ioevent);
LCACHE_UNLOCK(flags);
}