Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone

Next message: Luka Gejak: "Re: [PATCH] staging: rtl8723bs: fix alignment issue in rtw_xmit.c"
Previous message: syzbot: "Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone"
In reply to: syzbot: "Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone"
Next in thread: syzbot: "Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Edward Adam Davis

Date: Sat Apr 18 2026 - 02:40:53 EST

#syz test: upstream master

diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index 306165e61438..cbe3878ff886 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -1984,7 +1984,7 @@ static int lbmRead(struct jfs_log * log, int pn, struct lbuf ** bpp)
submit_bio(bio);
}

- wait_event(bp->l_ioevent, (bp->l_flag != lbmREAD));
+ wait_event(bp->l_ioevent, (bp->l_flag & lbmDONE));

return 0;
}
@@ -2192,9 +2192,6 @@ static void lbmIODone(struct bio *bio)
if (bp->l_flag & lbmREAD) {
bp->l_flag &= ~lbmREAD;

- /* wakeup I/O initiator */
- LCACHE_WAKEUP(&bp->l_ioevent);
-
goto out;
}

@@ -2218,7 +2215,6 @@ static void lbmIODone(struct bio *bio)
log->clsn = (bp->l_pn << L2LOGPSIZE) + bp->l_ceor;

if (bp->l_flag & lbmDIRECT) {
- LCACHE_WAKEUP(&bp->l_ioevent);
goto out;
}

@@ -2271,8 +2267,7 @@ static void lbmIODone(struct bio *bio)
* leave buffer for i/o initiator to dispose
*/
if (bp->l_flag & lbmSYNC) {
- /* wakeup I/O initiator */
- LCACHE_WAKEUP(&bp->l_ioevent);
+ goto out;
}

/*
@@ -2298,6 +2293,8 @@ static void lbmIODone(struct bio *bio)

out:
bp->l_flag |= lbmDONE;
+ /* wakeup I/O initiator */
+ LCACHE_WAKEUP(&bp->l_ioevent);
LCACHE_UNLOCK(flags);
}