Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone
From: Edward Adam Davis
Date: Sat Apr 18 2026 - 01:55:16 EST
#syz test: upstream master
diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index ada00d5bc214..729baf49a048 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -1986,7 +1986,7 @@ static int lbmRead(struct jfs_log * log, int pn, struct lbuf ** bpp)
submit_bio(bio);
}
- wait_event(bp->l_ioevent, (bp->l_flag != lbmREAD));
+ wait_event(bp->l_ioevent, (bp->l_flag & lbmDONE));
return 0;
}
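Review bot: The new condition on L13 is still evaluated by wait_event() without LCACHE_LOCK, so a waiter that finds lbmDONE already set returns immediately, before lbmIODone has executed its LCACHE_WAKEUP(&bp->l_ioevent) (L68–L70 set the flag and wake under the same lock, but the waiter never takes it); if the caller then frees bp on an error unwind, that wakeup reads freed memory — the same use-after-free the patch targets, with a narrower window. Sleeping under the cache lock closes it: `LCACHE_LOCK(flags);` / `LCACHE_SLEEP_COND(bp->l_ioevent, (bp->l_flag & lbmDONE), flags);` / `LCACHE_UNLOCK(flags);` plus an `unsigned long flags;` local, so lbmRead cannot return until lbmIODone has dropped the lock and finished with bp. That assumes the LCACHE_SLEEP_COND helper this file uses for its other I/O waits is still present; neither it nor lbmRead's opening lines are in this hunk. lbmRead also still returns 0 even when the completion set lbmERROR, which predates this patch but could now be checked cheaply under the same lock.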
@@ -2180,7 +2180,6 @@ static void lbmIODone(struct bio *bio)
LCACHE_LOCK(flags); /* disable+lock */
- bp->l_flag |= lbmDONE;
if (bio->bi_status) {
bp->l_flag |= lbmERROR;
@@ -2196,12 +2195,7 @@ static void lbmIODone(struct bio *bio)
if (bp->l_flag & lbmREAD) {
bp->l_flag &= ~lbmREAD;
- LCACHE_UNLOCK(flags); /* unlock+enable */
-
- /* wakeup I/O initiator */
- LCACHE_WAKEUP(&bp->l_ioevent);
-
- return;
+ goto out;
}
/*
@@ -2224,9 +2218,7 @@ static void lbmIODone(struct bio *bio)
log->clsn = (bp->l_pn << L2LOGPSIZE) + bp->l_ceor;
if (bp->l_flag & lbmDIRECT) {
- LCACHE_WAKEUP(&bp->l_ioevent);
- LCACHE_UNLOCK(flags);
- return;
+ goto out;
}
tail = log->wqueue;
@@ -2278,10 +2270,7 @@ static void lbmIODone(struct bio *bio)
* leave buffer for i/o initiator to dispose
*/
if (bp->l_flag & lbmSYNC) {
- LCACHE_UNLOCK(flags); /* unlock+enable */
-
- /* wakeup I/O initiator */
- LCACHE_WAKEUP(&bp->l_ioevent);
+ goto out;
}
/*
@@ -2290,6 +2279,7 @@ static void lbmIODone(struct bio *bio)
else if (bp->l_flag & lbmGC) {
LCACHE_UNLOCK(flags);
lmPostGC(bp);
+ LCACHE_LOCK(flags); /* disable+lock */
}
/*
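Review bot: The relock added on L57 makes the lbmGC path fall through to the shared `out:` exit, which sets lbmDONE on bp and wakes bp->l_ioevent after lmPostGC() has already had the buffer with the lock dropped (L55–L56); before this patch the branch ended at lmPostGC() and never touched bp again. If lmPostGC() can re-submit the page or hand it back to the free list — not visible from this hunk — that trailing access is a new use-after-release in the very function syzbot reported. Keeping the old shape is a one-line change: follow `lmPostGC(bp);` with `return;` and drop the relock, so only the modes a caller actually sleeps on reach `out:`. lbmIODone continues outside this hunk.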
@@ -2302,9 +2292,12 @@ static void lbmIODone(struct bio *bio)
assert(bp->l_flag & lbmRELEASE);
assert(bp->l_flag & lbmFREE);
lbmfree(bp);
-
- LCACHE_UNLOCK(flags); /* unlock+enable */
}
+out:
+ bp->l_flag |= lbmDONE;
+ /* wakeup I/O initiator */
+ LCACHE_WAKEUP(&bp->l_ioevent);
+ LCACHE_UNLOCK(flags); /* unlock+enable */
}
int jfsIOWait(void *arg)
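Review bot: In the final else branch the fallthrough into `out:` (L67–L71) now sets lbmDONE on a buffer that lbmfree() on L63 has just released, and then wakes bp->l_ioevent on it, where the old code only unlocked (L65); this write mode asserts lbmRELEASE|lbmFREE, so presumably nobody is waiting on it, and the result is at best a stray wake and at worst a stale flag left on a released buffer that the allocator must remember to clear. An explicit `LCACHE_UNLOCK(flags); return;` after `lbmfree(bp);` keeps `out:` for the READ, DIRECT and SYNC modes that actually sleep on l_ioevent. Whether lbmfree() frees memory or only re-lists the buffer is not visible here; either way the access after it is unnecessary. lbmIODone starts before this hunk.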