Re: [PATCH AUTOSEL 7.0-5.10] jfs: Set the lbmDone flag at the end of lbmIODone
From: Edward Adam Davis
Date: Mon Apr 20 2026 - 11:24:08 EST
On Mon, 20 Apr 2026 09:08:12 -0400, Sasha Levin wrote:
> From: Edward Adam Davis <eadavis@xxxxxx>
>
> [ Upstream commit b15e4310633f90072d66cc9b6692acbf6b4d7d00 ]
>
> In lbmRead(), the I/O event waited for by wait_event() finishes before
> it goes to sleep, and the lbmIODone() prematurely sets the flag to
> lbmDONE, thus ending the wait. This causes wait_event() to return before
> lbmREAD is cleared (because lbmDONE was set first), the premature return
> of wait_event() leads to the release of lbuf before lbmIODone() returns,
> thus triggering the use-after-free vulnerability reported in [1].
>
> Moving the operation of setting the lbmDONE flag to after clearing lbmREAD
> in lbmIODone() avoids the use-after-free vulnerability reported in [1].
>
> [1]
> BUG: KASAN: slab-use-after-free in rt_spin_lock+0x88/0x3e0 kernel/locking/spinlock_rt.c:56
> Call Trace:
> blk_update_request+0x57e/0xe60 block/blk-mq.c:1007
> blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1169
> blk_complete_reqs block/blk-mq.c:1244 [inline]
> blk_done_softirq+0x10a/0x160 block/blk-mq.c:1249
>
> Allocated by task 6101:
> lbmLogInit fs/jfs/jfs_logmgr.c:1821 [inline]
> lmLogInit+0x3d0/0x19e0 fs/jfs/jfs_logmgr.c:1269
> open_inline_log fs/jfs/jfs_logmgr.c:1175 [inline]
> lmLogOpen+0x4e1/0xfa0 fs/jfs/jfs_logmgr.c:1069
> jfs_mount_rw+0xe9/0x670 fs/jfs/jfs_mount.c:257
> jfs_fill_super+0x754/0xd80 fs/jfs/super.c:532
>
> Freed by task 6101:
> kfree+0x1bd/0x900 mm/slub.c:6876
> lbmLogShutdown fs/jfs/jfs_logmgr.c:1864 [inline]
> lmLogInit+0x1137/0x19e0 fs/jfs/jfs_logmgr.c:1415
> open_inline_log fs/jfs/jfs_logmgr.c:1175 [inline]
> lmLogOpen+0x4e1/0xfa0 fs/jfs/jfs_logmgr.c:1069
> jfs_mount_rw+0xe9/0x670 fs/jfs/jfs_mount.c:257
> jfs_fill_super+0x754/0xd80 fs/jfs/super.c:532
>
> Reported-by: syzbot+1d38eedcb25a3b5686a7@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=1d38eedcb25a3b5686a7
> Signed-off-by: Edward Adam Davis <eadavis@xxxxxx>
> Signed-off-by: Dave Kleikamp <dave.kleikamp@xxxxxxxxxx>
> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
> ---
>
> LLM Generated explanations, may be completely bogus:
>
> Now I have all the information needed to complete the full analysis. Let
> me compile the results.
I fixed this issue a couple of days ago. Please see:
https://lore.kernel.org/all/tencent_3AEEC18CAA27D286CE92DAC674C9B02EEC06@xxxxxx
Edward
BR
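The ordering argument in the quoted commit message, as an added illustrative model (not jfs code, and not the fix itself): each action in lbmIODone() is a step, wait_event() in lbmRead() is assumed to return as soon as the lbmDONE bit is visible and to free the buffer right after, and the checker counts the preemption points after which the completion path still touches that freed buffer. Wake-up and locking are abstracted away; the "release a lock outside bp" step is hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the lbmRead()/lbmIODone() hand-off. A step is one
 * action lbmIODone() performs. The waiter only checks "lbmDONE is set", so
 * once that bit is visible it may run, return from wait_event() and free bp;
 * any later step that still touches bp is a use-after-free window. */
struct step {
    const char *name;
    bool touches_bp;     /* reads or writes a field of the log buffer */
    bool publishes_done; /* makes lbmDONE visible to the waiter in lbmRead() */
};

/* Order described in the report: lbmDONE is published first, bp used after. */
static const struct step iodone_buggy[] = {
    { "bp->l_flag |= lbmDONE",      true,  true  },
    { "bp->l_flag &= ~lbmREAD",     true,  false },
    { "bp->l_flag bookkeeping",     true,  false },
};

/* Order the fix aims for: every access to bp precedes the lbmDONE write;
 * the only work left afterwards touches objects that outlive bp (assumed). */
static const struct step iodone_fixed[] = {
    { "bp->l_flag &= ~lbmREAD",     true,  false },
    { "bp->l_flag |= lbmDONE",      true,  true  },
    { "release a lock outside bp",  false, false },
};

/* Simulate the waiter preempting lbmIODone() after step i, for every i.
 * Returns the number of preemption points that leave a later step touching
 * bp after lbmDONE is already visible (each one is a use-after-free window). */
static int unsafe_windows(const struct step *s, size_t n)
{
    int unsafe = 0;
    bool done_visible = false;

    for (size_t i = 0; i < n; i++) {
        done_visible |= s[i].publishes_done;
        if (!done_visible)
            continue;            /* waiter cannot have returned yet */
        for (size_t j = i + 1; j < n; j++) {
            if (s[j].touches_bp) {
                printf("window: bp may be freed after \"%s\", yet \"%s\" "
                       "still touches it\n", s[i].name, s[j].name);
                unsafe++;
                break;
            }
        }
    }
    return unsafe;
}

int main(void)
{
    printf("buggy order: %d window(s)\n",
           unsafe_windows(iodone_buggy, sizeof iodone_buggy / sizeof *iodone_buggy));
    printf("fixed order: %d window(s)\n",
           unsafe_windows(iodone_fixed, sizeof iodone_fixed / sizeof *iodone_fixed));
    return 0;
}
```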