* [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone
@ 2025-09-29 13:20 syzbot
2026-04-15 6:59 ` syzbot
` (4 more replies)
0 siblings, 5 replies; 26+ messages in thread
From: syzbot @ 2025-09-29 13:20 UTC (permalink / raw)
To: jfs-discussion, linux-kernel, shaggy, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 0f3be52b8e37 Merge branch 'for-next/core' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=17509ce2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=714d45b6135c308e
dashboard link: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a2c3b345c3da/disk-0f3be52b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/54368457365a/vmlinux-0f3be52b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3544cf9b3f24/Image-0f3be52b.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ecf51a7ccb6b1394e90c@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-use-after-free in lbmIODone+0xf68/0x12e8 fs/jfs/jfs_logmgr.c:2184
Read of size 4 at addr ffff0000fa465408 by task ksoftirqd/1/23
CPU: 1 UID: 0 PID: 23 Comm: ksoftirqd/1 Not tainted syzkaller #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
__dump_stack+0x30/0x40 lib/dump_stack.c:94
dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
print_address_description+0xa8/0x238 mm/kasan/report.c:378
print_report+0x68/0x84 mm/kasan/report.c:482
kasan_report+0xb0/0x110 mm/kasan/report.c:595
__asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380
lbmIODone+0xf68/0x12e8 fs/jfs/jfs_logmgr.c:2184
bio_endio+0x858/0x894 block/bio.c:1651
blk_update_request+0x474/0xba8 block/blk-mq.c:989
blk_mq_end_request+0x54/0x88 block/blk-mq.c:1151
lo_complete_rq+0x124/0x274 drivers/block/loop.c:314
blk_complete_reqs block/blk-mq.c:1226 [inline]
blk_done_softirq+0x11c/0x168 block/blk-mq.c:1231
handle_softirqs+0x328/0xc88 kernel/softirq.c:579
run_ksoftirqd+0x70/0xc0 kernel/softirq.c:968
smpboot_thread_fn+0x4d8/0x9cc kernel/smpboot.c:160
kthread+0x5fc/0x75c kernel/kthread.c:463
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844
Allocated by task 6893:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x40/0x78 mm/kasan/common.c:68
kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:562
poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
__kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:405
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x2a4/0x3fc mm/slub.c:4407
kmalloc_noprof include/linux/slab.h:905 [inline]
lbmLogInit fs/jfs/jfs_logmgr.c:1822 [inline]
lmLogInit+0x690/0x1a9c fs/jfs/jfs_logmgr.c:1270
open_inline_log fs/jfs/jfs_logmgr.c:1175 [inline]
lmLogOpen+0x41c/0xd5c fs/jfs/jfs_logmgr.c:1069
jfs_mount_rw+0xe4/0x548 fs/jfs/jfs_mount.c:257
jfs_fill_super+0x5d4/0xb6c fs/jfs/super.c:532
get_tree_bdev_flags+0x360/0x414 fs/super.c:1692
get_tree_bdev+0x2c/0x3c fs/super.c:1715
jfs_get_tree+0x28/0x38 fs/jfs/super.c:635
vfs_get_tree+0x90/0x28c fs/super.c:1815
do_new_mount+0x278/0x7f4 fs/namespace.c:3808
path_mount+0x5b4/0xde0 fs/namespace.c:4123
do_mount fs/namespace.c:4136 [inline]
__do_sys_mount fs/namespace.c:4347 [inline]
__se_sys_mount fs/namespace.c:4324 [inline]
__arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4324
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x254 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x5c/0x254 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:763
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
Freed by task 6536:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x40/0x78 mm/kasan/common.c:68
kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:243 [inline]
__kasan_slab_free+0x74/0x98 mm/kasan/common.c:275
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2422 [inline]
slab_free mm/slub.c:4695 [inline]
kfree+0x17c/0x474 mm/slub.c:4894
lbmLogShutdown fs/jfs/jfs_logmgr.c:1865 [inline]
lmLogShutdown+0x36c/0x700 fs/jfs/jfs_logmgr.c:1684
lmLogClose+0x244/0x4c4 fs/jfs/jfs_logmgr.c:1460
jfs_umount+0x26c/0x350 fs/jfs/jfs_umount.c:114
jfs_put_super+0x90/0x188 fs/jfs/super.c:194
generic_shutdown_super+0x12c/0x2b8 fs/super.c:643
kill_block_super+0x44/0x90 fs/super.c:1766
deactivate_locked_super+0xc4/0x12c fs/super.c:474
deactivate_super+0xe0/0x100 fs/super.c:507
cleanup_mnt+0x31c/0x3ac fs/namespace.c:1375
__cleanup_mnt+0x20/0x30 fs/namespace.c:1382
task_work_run+0x1dc/0x260 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xfc/0x168 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
arm64_exit_to_user_mode arch/arm64/kernel/entry-common.c:103 [inline]
el0_svc+0x170/0x254 arch/arm64/kernel/entry-common.c:745
el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:763
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
The buggy address belongs to the object at ffff0000fa465400
which belongs to the cache kmalloc-192 of size 192
The buggy address is located 8 bytes inside of
freed 192-byte region [ffff0000fa465400, ffff0000fa4654c0)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13a465
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000000 ffff0000c00013c0 fffffdffc3070180 0000000000000004
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000fa465300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000fa465380: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
>ffff0000fa465400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff0000fa465480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff0000fa465500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 26+ messages in thread* Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone 2025-09-29 13:20 [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone syzbot @ 2026-04-15 6:59 ` syzbot 2026-04-15 9:06 ` syzbot ` (3 subsequent siblings) 4 siblings, 0 replies; 26+ messages in thread From: syzbot @ 2026-04-15 6:59 UTC (permalink / raw) To: jfs-discussion, linux-kernel, shaggy, syzkaller-bugs syzbot has found a reproducer for the following issue on: HEAD commit: e6efabc0afca Add linux-next specific files for 20260414 git tree: linux-next console output: https://syzkaller.appspot.com/x/log.txt?x=161a18ce580000 kernel config: https://syzkaller.appspot.com/x/.config?x=56c2b36de3316f1b dashboard link: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=107784ce580000 Downloadable assets: disk image: https://storage.googleapis.com/syzbot-assets/e7099cbf73e4/disk-e6efabc0.raw.xz vmlinux: https://storage.googleapis.com/syzbot-assets/439c402df1b9/vmlinux-e6efabc0.xz kernel image: https://storage.googleapis.com/syzbot-assets/fc0c0175fc76/bzImage-e6efabc0.xz mounted in repro: https://storage.googleapis.com/syzbot-assets/01761e564f3f/mount_0.gz fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=168401ba580000) IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+ecf51a7ccb6b1394e90c@syzkaller.appspotmail.com ================================================================== BUG: KASAN: slab-use-after-free in lbmIODone+0x1312/0x16c0 fs/jfs/jfs_logmgr.c:2192 Read of size 4 at addr ffff888032de1208 by task ksoftirqd/1/31 CPU: 1 UID: 0 PID: 31 Comm: ksoftirqd/1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026 Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description+0x55/0x1e0 mm/kasan/report.c:378 print_report+0x58/0x70 mm/kasan/report.c:482 kasan_report+0x117/0x150 mm/kasan/report.c:595 lbmIODone+0x1312/0x16c0 fs/jfs/jfs_logmgr.c:2192 blk_update_request+0x57e/0xe60 block/blk-mq.c:1016 blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1178 blk_complete_reqs block/blk-mq.c:1253 [inline] blk_done_softirq+0x10a/0x160 block/blk-mq.c:1258 handle_softirqs+0x1de/0x6d0 kernel/softirq.c:622 run_ksoftirqd+0x52/0x180 kernel/softirq.c:1076 smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160 kthread+0x388/0x470 kernel/kthread.c:436 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 6248: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 poison_kmalloc_redzone mm/kasan/common.c:398 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415 kasan_kmalloc include/linux/kasan.h:263 [inline] __kmalloc_cache_noprof+0x3a6/0x690 mm/slub.c:5415 kmalloc_noprof include/linux/slab.h:950 [inline] lbmLogInit fs/jfs/jfs_logmgr.c:1819 [inline] lmLogInit+0x3e5/0x1a00 fs/jfs/jfs_logmgr.c:1267 open_inline_log fs/jfs/jfs_logmgr.c:1173 [inline] lmLogOpen+0x4e1/0xfa0 fs/jfs/jfs_logmgr.c:1067 jfs_mount_rw+0xee/0x670 fs/jfs/jfs_mount.c:257 jfs_fill_super+0x754/0xd80 fs/jfs/super.c:532 get_tree_bdev_flags+0x431/0x4f0 fs/super.c:1694 vfs_get_tree+0x92/0x2a0 fs/super.c:1754 fc_mount fs/namespace.c:1193 [inline] do_new_mount_fc fs/namespace.c:3758 [inline] do_new_mount+0x341/0xd30 fs/namespace.c:3834 do_mount fs/namespace.c:4167 [inline] __do_sys_mount fs/namespace.c:4399 [inline] __se_sys_mount+0x31d/0x420 fs/namespace.c:4376 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 5959: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:253 [inline] __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285 kasan_slab_free include/linux/kasan.h:235 [inline] slab_free_hook mm/slub.c:2689 [inline] slab_free mm/slub.c:6246 [inline] kfree+0x1c5/0x6c0 mm/slub.c:6561 lbmLogShutdown fs/jfs/jfs_logmgr.c:1862 [inline] lmLogShutdown+0x456/0x850 fs/jfs/jfs_logmgr.c:1681 lmLogClose+0x28a/0x520 fs/jfs/jfs_logmgr.c:1457 jfs_umount+0x2fb/0x3d0 fs/jfs/jfs_umount.c:124 jfs_put_super+0x8c/0x190 fs/jfs/super.c:194 generic_shutdown_super+0x13d/0x2d0 fs/super.c:646 kill_block_super+0x44/0x90 fs/super.c:1725 deactivate_locked_super+0xbc/0x130 fs/super.c:476 cleanup_mnt+0x437/0x4d0 fs/namespace.c:1312 task_work_run+0x1d9/0x270 kernel/task_work.c:233 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] __exit_to_user_mode_loop kernel/entry/common.c:67 [inline] exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:98 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline] syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:328 [inline] do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888032de1200 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 8 bytes inside of freed 256-byte region [ffff888032de1200, ffff888032de1300) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x32de0 head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x80000000000040(head|node=0|zone=1) page_type: f5(slab) raw: 0080000000000040 ffff88801a02cb40 dead000000000100 dead000000000122 raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000 head: 0080000000000040 ffff88801a02cb40 dead000000000100 dead000000000122 head: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000 head: 0080000000000001 ffffffffffffff81 00000000ffffffff 00000000ffffffff head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000002 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5948, tgid 5948 (syz-executor), ts 136932809553, free_ts 131716582127 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x231/0x280 mm/page_alloc.c:1858 prep_new_page mm/page_alloc.c:1866 [inline] get_page_from_freelist+0x27d6/0x2850 mm/page_alloc.c:3946 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5226 alloc_slab_page mm/slub.c:3278 [inline] allocate_slab+0x77/0x660 mm/slub.c:3467 new_slab mm/slub.c:3525 [inline] refill_objects+0x33c/0x3d0 mm/slub.c:7251 refill_sheaf mm/slub.c:2816 [inline] __pcs_replace_empty_main+0x373/0x720 mm/slub.c:4651 alloc_from_pcs mm/slub.c:4749 [inline] slab_alloc_node mm/slub.c:4883 [inline] __do_kmalloc_node mm/slub.c:5294 [inline] __kmalloc_noprof+0x530/0x7b0 mm/slub.c:5307 kmalloc_noprof include/linux/slab.h:954 [inline] kzalloc_noprof include/linux/slab.h:1188 [inline] fib_create_info+0x1723/0x31f0 net/ipv4/fib_semantics.c:1400 fib_table_insert+0xc8/0x1b50 net/ipv4/fib_trie.c:1212 fib_magic+0x434/0x510 net/ipv4/fib_frontend.c:1134 fib_add_ifaddr+0x38d/0x5f0 net/ipv4/fib_frontend.c:1171 fib_netdev_event+0x382/0x490 net/ipv4/fib_frontend.c:1516 notifier_call_chain+0x1ad/0x3d0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2287 [inline] call_netdevice_notifiers net/core/dev.c:2301 [inline] __dev_notify_flags+0x1a9/0x310 net/core/dev.c:9849 netif_change_flags+0xe8/0x1a0 net/core/dev.c:9878 do_setlink+0xf82/0x4590 net/core/rtnetlink.c:3180 page last free pid 5958 tgid 5958 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1402 [inline] __free_frozen_pages+0xf9b/0x10f0 mm/page_alloc.c:2943 __slab_free+0x252/0x2a0 mm/slub.c:5608 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x99/0x100 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4569 [inline] slab_alloc_node mm/slub.c:4898 [inline] kmem_cache_alloc_node_noprof+0x22a/0x6e0 mm/slub.c:4950 __alloc_skb+0x1d0/0x7d0 net/core/skbuff.c:702 alloc_skb include/linux/skbuff.h:1383 [inline] nlmsg_new include/net/netlink.h:1055 [inline] netlink_ack+0x146/0xa50 net/netlink/af_netlink.c:2487 netlink_rcv_skb+0x2b6/0x4b0 net/netlink/af_netlink.c:2556 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x780/0x920 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:787 [inline] __sock_sendmsg net/socket.c:802 [inline] __sys_sendto+0x67f/0x710 net/socket.c:2265 __do_sys_sendto net/socket.c:2272 [inline] __se_sys_sendto net/socket.c:2268 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2268 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff888032de1100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888032de1180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888032de1200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888032de1280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888032de1300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== --- If you want syzbot to run the reproducer, reply with: #syz test: git://repo/address.git branch-or-commit-hash If you attach or paste a git patch, syzbot will apply it before testing. ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone 2025-09-29 13:20 [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone syzbot 2026-04-15 6:59 ` syzbot @ 2026-04-15 9:06 ` syzbot 2026-04-17 12:41 ` Edward Adam Davis ` (8 more replies) 2026-04-17 14:20 ` Forwarded: [PATCH] jfs: fix use-after-free in lbmIODone by waiting for in-flight I/O syzbot ` (2 subsequent siblings) 4 siblings, 9 replies; 26+ messages in thread From: syzbot @ 2026-04-15 9:06 UTC (permalink / raw) To: jfs-discussion, linux-kernel, shaggy, syzkaller-bugs syzbot has found a reproducer for the following issue on: HEAD commit: e6efabc0afca Add linux-next specific files for 20260414 git tree: linux-next console output: https://syzkaller.appspot.com/x/log.txt?x=17ee18ce580000 kernel config: https://syzkaller.appspot.com/x/.config?x=56c2b36de3316f1b dashboard link: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11dc01ba580000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=173bfb02580000 Downloadable assets: disk image: https://storage.googleapis.com/syzbot-assets/e7099cbf73e4/disk-e6efabc0.raw.xz vmlinux: https://storage.googleapis.com/syzbot-assets/439c402df1b9/vmlinux-e6efabc0.xz kernel image: https://storage.googleapis.com/syzbot-assets/fc0c0175fc76/bzImage-e6efabc0.xz mounted in repro: https://storage.googleapis.com/syzbot-assets/81df22d6836d/mount_0.gz fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=107dfcd2580000) IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+ecf51a7ccb6b1394e90c@syzkaller.appspotmail.com ================================================================== BUG: KASAN: slab-use-after-free in lbmIODone+0x1312/0x16c0 fs/jfs/jfs_logmgr.c:2192 Read of size 4 at addr ffff88802a45a608 by task ksoftirqd/1/31 CPU: 1 UID: 0 PID: 31 Comm: ksoftirqd/1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026 Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description+0x55/0x1e0 mm/kasan/report.c:378 print_report+0x58/0x70 mm/kasan/report.c:482 kasan_report+0x117/0x150 mm/kasan/report.c:595 lbmIODone+0x1312/0x16c0 fs/jfs/jfs_logmgr.c:2192 blk_update_request+0x57e/0xe60 block/blk-mq.c:1016 blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1178 blk_complete_reqs block/blk-mq.c:1253 [inline] blk_done_softirq+0x10a/0x160 block/blk-mq.c:1258 handle_softirqs+0x1de/0x6d0 kernel/softirq.c:622 run_ksoftirqd+0x52/0x180 kernel/softirq.c:1076 smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160 kthread+0x388/0x470 kernel/kthread.c:436 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 6106: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 poison_kmalloc_redzone mm/kasan/common.c:398 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415 kasan_kmalloc include/linux/kasan.h:263 [inline] __kmalloc_cache_noprof+0x3a6/0x690 mm/slub.c:5415 kmalloc_noprof include/linux/slab.h:950 [inline] lbmLogInit fs/jfs/jfs_logmgr.c:1819 [inline] lmLogInit+0x3e5/0x1a00 fs/jfs/jfs_logmgr.c:1267 open_inline_log fs/jfs/jfs_logmgr.c:1173 [inline] lmLogOpen+0x4e1/0xfa0 fs/jfs/jfs_logmgr.c:1067 jfs_mount_rw+0xee/0x670 fs/jfs/jfs_mount.c:257 jfs_fill_super+0x754/0xd80 fs/jfs/super.c:532 get_tree_bdev_flags+0x431/0x4f0 fs/super.c:1694 vfs_get_tree+0x92/0x2a0 fs/super.c:1754 fc_mount fs/namespace.c:1193 [inline] do_new_mount_fc fs/namespace.c:3758 [inline] do_new_mount+0x341/0xd30 fs/namespace.c:3834 do_mount fs/namespace.c:4167 [inline] __do_sys_mount fs/namespace.c:4399 [inline] __se_sys_mount+0x31d/0x420 fs/namespace.c:4376 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 5969: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:253 [inline] __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285 kasan_slab_free include/linux/kasan.h:235 [inline] slab_free_hook mm/slub.c:2689 [inline] slab_free mm/slub.c:6246 [inline] kfree+0x1c5/0x6c0 mm/slub.c:6561 lbmLogShutdown fs/jfs/jfs_logmgr.c:1862 [inline] lmLogShutdown+0x456/0x850 fs/jfs/jfs_logmgr.c:1681 lmLogClose+0x28a/0x520 fs/jfs/jfs_logmgr.c:1457 jfs_umount+0x2fb/0x3d0 fs/jfs/jfs_umount.c:124 jfs_put_super+0x8c/0x190 fs/jfs/super.c:194 generic_shutdown_super+0x13d/0x2d0 fs/super.c:646 kill_block_super+0x44/0x90 fs/super.c:1725 deactivate_locked_super+0xbc/0x130 fs/super.c:476 cleanup_mnt+0x437/0x4d0 fs/namespace.c:1312 task_work_run+0x1d9/0x270 kernel/task_work.c:233 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] __exit_to_user_mode_loop kernel/entry/common.c:67 [inline] exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:98 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline] syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:328 [inline] do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff88802a45a600 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 8 bytes inside of freed 256-byte region [ffff88802a45a600, ffff88802a45a700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2a45a head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x80000000000040(head|node=0|zone=1) page_type: f5(slab) raw: 0080000000000040 ffff88801a02cb40 dead000000000100 dead000000000122 raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000 head: 0080000000000040 ffff88801a02cb40 dead000000000100 dead000000000122 head: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000 head: 0080000000000001 ffffffffffffff81 00000000ffffffff 00000000ffffffff head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000002 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 155, tgid 155 (kworker/u8:6), ts 12504727555, free_ts 0 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x231/0x280 mm/page_alloc.c:1858 prep_new_page mm/page_alloc.c:1866 [inline] get_page_from_freelist+0x27d6/0x2850 mm/page_alloc.c:3946 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5226 alloc_slab_page mm/slub.c:3278 [inline] allocate_slab+0x77/0x660 mm/slub.c:3467 new_slab mm/slub.c:3525 [inline] refill_objects+0x33c/0x3d0 mm/slub.c:7251 refill_sheaf mm/slub.c:2816 [inline] __pcs_replace_empty_main+0x373/0x720 mm/slub.c:4651 alloc_from_pcs mm/slub.c:4749 [inline] slab_alloc_node mm/slub.c:4883 [inline] __kmalloc_cache_noprof+0x44e/0x690 mm/slub.c:5410 kmalloc_noprof include/linux/slab.h:950 [inline] scsi_probe_and_add_lun+0x2f8/0x48e0 drivers/scsi/scsi_scan.c:1225 __scsi_scan_target+0x1f0/0xe10 drivers/scsi/scsi_scan.c:1786 scsi_scan_channel drivers/scsi/scsi_scan.c:1874 [inline] scsi_scan_host_selected+0x3d3/0x780 drivers/scsi/scsi_scan.c:1903 do_scsi_scan_host drivers/scsi/scsi_scan.c:2036 [inline] do_scan_async+0x124/0x6f0 drivers/scsi/scsi_scan.c:2046 async_run_entry_fn+0xa8/0x440 kernel/async.c:129 process_one_work kernel/workqueue.c:3308 [inline] process_scheduled_works+0xb68/0x1910 kernel/workqueue.c:3399 worker_thread+0xa90/0x1040 kernel/workqueue.c:3485 kthread+0x388/0x470 kernel/kthread.c:436 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 page_owner free stack trace missing Memory state around the buggy address: ffff88802a45a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88802a45a580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88802a45a600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88802a45a680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88802a45a700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== --- If you want syzbot to run the reproducer, reply with: #syz test: git://repo/address.git branch-or-commit-hash If you attach or paste a git patch, syzbot will apply it before testing. ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone 2026-04-15 9:06 ` syzbot @ 2026-04-17 12:41 ` Edward Adam Davis 2026-04-17 12:59 ` syzbot 2026-04-18 3:56 ` Edward Adam Davis ` (7 subsequent siblings) 8 siblings, 1 reply; 26+ messages in thread From: Edward Adam Davis @ 2026-04-17 12:41 UTC (permalink / raw) To: syzbot+ecf51a7ccb6b1394e90c; +Cc: linux-kernel, syzkaller-bugs #syz test: upstream master diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c index 306165e61438..054cc01e4579 100644 --- a/fs/jfs/jfs_logmgr.c +++ b/fs/jfs/jfs_logmgr.c @@ -1984,7 +1984,7 @@ static int lbmRead(struct jfs_log * log, int pn, struct lbuf ** bpp) submit_bio(bio); } - wait_event(bp->l_ioevent, (bp->l_flag != lbmREAD)); + wait_event(bp->l_ioevent, (bp->l_flag == lbmDONE)); return 0; } ^ permalink raw reply related [flat|nested] 26+ messages in thread
* Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone 2026-04-17 12:41 ` Edward Adam Davis @ 2026-04-17 12:59 ` syzbot 0 siblings, 0 replies; 26+ messages in thread From: syzbot @ 2026-04-17 12:59 UTC (permalink / raw) To: eadavis, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: INFO: task hung in lbmRead INFO: task syz.0.17:6554 blocked for more than 143 seconds. Not tainted syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz.0.17 state:D stack:24224 pid:6554 tgid:6552 ppid:6447 task_flags:0x400140 flags:0x00080002 Call Trace: <TASK> context_switch kernel/sched/core.c:5387 [inline] __schedule+0x1681/0x54c0 kernel/sched/core.c:7188 __schedule_loop kernel/sched/core.c:7267 [inline] schedule+0x164/0x360 kernel/sched/core.c:7282 lbmRead+0x41d/0x620 fs/jfs/jfs_logmgr.c:1987 lmLogInit+0xc31/0x1a00 fs/jfs/jfs_logmgr.c:1332 open_inline_log fs/jfs/jfs_logmgr.c:1173 [inline] lmLogOpen+0x4e1/0xfa0 fs/jfs/jfs_logmgr.c:1067 jfs_mount_rw+0xee/0x670 fs/jfs/jfs_mount.c:257 jfs_fill_super+0x754/0xd80 fs/jfs/super.c:532 get_tree_bdev_flags+0x431/0x4f0 fs/super.c:1694 vfs_get_tree+0x92/0x2a0 fs/super.c:1754 fc_mount fs/namespace.c:1193 [inline] do_new_mount_fc fs/namespace.c:3758 [inline] do_new_mount+0x341/0xd30 fs/namespace.c:3834 do_mount fs/namespace.c:4167 [inline] __do_sys_mount fs/namespace.c:4383 [inline] __se_sys_mount+0x31d/0x420 fs/namespace.c:4360 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fa8f8bfda8a RSP: 002b:00007fa8f8255e58 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007fa8f8255ee0 RCX: 00007fa8f8bfda8a RDX: 0000200000000400 RSI: 00002000000000c0 RDI: 00007fa8f8255ea0 RBP: 0000200000000400 R08: 00007fa8f8255ee0 R09: 000000000001c802 R10: 000000000001c802 R11: 0000000000000246 R12: 00002000000000c0 R13: 00007fa8f8255ea0 R14: 0000000000005f9a R15: 0000200000002740 </TASK> Showing all locks held in the system: 1 lock held by khungtaskd/38: #0: ffffffff8dfc7f00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:300 [inline] #0: ffffffff8dfc7f00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline] #0: ffffffff8dfc7f00 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6775 3 locks held by kworker/u9:0/59: #0: ffff88802a705138 ((wq_completion)hci2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3277 [inline] #0: ffff88802a705138 ((wq_completion)hci2){+.+.}-{0:0}, at: process_scheduled_works+0xa35/0x1860 kernel/workqueue.c:3385 #1: ffffc9000125fc40 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3278 [inline] #1: ffffc9000125fc40 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0xa70/0x1860 kernel/workqueue.c:3385 #2: ffff888038d10f80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x1d3/0x400 net/bluetooth/hci_sync.c:331 9 locks held by kworker/u8:11/2867: 2 locks held by getty/5561: #0: ffff8880389230a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243 #1: ffffc90003cbe2e0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x462/0x13a0 drivers/tty/n_tty.c:2211 1 lock held by syz.0.17/6554: #0: ffff8880395e20d0 (&type->s_umount_key#55/1){+.+.}-{4:4}, at: alloc_super+0x28c/0xac0 fs/super.c:345 1 lock held by syz.1.19/6613: #0: ffff88804e5d00d0 (&type->s_umount_key#55/1){+.+.}-{4:4}, at: alloc_super+0x28c/0xac0 fs/super.c:345 1 lock held by syz.2.28/6658: #0: ffff88805bffc0d0 (&type->s_umount_key#55/1){+.+.}-{4:4}, at: alloc_super+0x28c/0xac0 fs/super.c:345 2 locks held by syz-executor/6660: #0: ffff8880587a60d0 (&type->s_umount_key#56){+.+.}-{4:4}, at: __super_lock fs/super.c:58 [inline] #0: ffff8880587a60d0 (&type->s_umount_key#56){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:73 [inline] #0: ffff8880587a60d0 (&type->s_umount_key#56){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:508 #1: ffffffff8e4545d8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1441 2 locks held by syz-executor/6692: #0: ffff888035d4e0d0 (&type->s_umount_key#56){+.+.}-{4:4}, at: __super_lock fs/super.c:58 [inline] #0: ffff888035d4e0d0 (&type->s_umount_key#56){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:73 [inline] #0: ffff888035d4e0d0 (&type->s_umount_key#56){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:508 #1: ffffffff8e4545d8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1441 2 locks held by syz-executor/6720: #0: ffff88805a2500d0 (&type->s_umount_key#56){+.+.}-{4:4}, at: __super_lock fs/super.c:58 [inline] #0: ffff88805a2500d0 (&type->s_umount_key#56){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:73 [inline] #0: ffff88805a2500d0 (&type->s_umount_key#56){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:508 #1: ffffffff8e4545d8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1441 2 locks held by syz-executor/6754: #0: ffff88803f6220d0 (&type->s_umount_key#56){+.+.}-{4:4}, at: __super_lock fs/super.c:58 [inline] #0: ffff88803f6220d0 (&type->s_umount_key#56){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:73 [inline] #0: ffff88803f6220d0 (&type->s_umount_key#56){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:508 #1: ffffffff8e4545d8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1441 1 lock held by syz.7.41/6809: #0: ffff8880365f80d0 (&type->s_umount_key#55/1){+.+.}-{4:4}, at: alloc_super+0x28c/0xac0 fs/super.c:345 1 lock held by syz.8.42/6838: #0: ffff8880399d60d0 (&type->s_umount_key#55/1){+.+.}-{4:4}, at: alloc_super+0x28c/0xac0 fs/super.c:345 ============================================= NMI backtrace for cpu 1 CPU: 1 UID: 0 PID: 38 Comm: khungtaskd Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026 Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 nmi_cpu_backtrace+0x274/0x2d0 lib/nmi_backtrace.c:113 nmi_trigger_cpumask_backtrace+0x17a/0x300 lib/nmi_backtrace.c:62 trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline] __sys_info lib/sys_info.c:157 [inline] sys_info+0x135/0x170 lib/sys_info.c:165 check_hung_uninterruptible_tasks kernel/hung_task.c:353 [inline] watchdog+0xfd3/0x1030 kernel/hung_task.c:561 kthread+0x388/0x470 kernel/kthread.c:436 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Sending NMI from CPU 1 to CPUs 0: NMI backtrace for cpu 0 CPU: 0 UID: 0 PID: 2867 Comm: kworker/u8:11 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026 Workqueue: events_unbound cfg80211_wiphy_work RIP: 0010:reacquire_held_locks+0xf6/0x190 kernel/locking/lockdep.c:5385 Code: e2 01 89 c1 c1 e9 10 83 e1 03 41 89 c0 41 c1 e8 12 41 83 e0 01 41 89 c1 41 c1 e9 13 41 83 e1 01 c1 e8 15 45 8b 16 6a 00 41 52 <50> 41 ff 76 e4 41 ff 76 f4 e8 8c 9f ff ff 48 83 c4 28 83 f8 01 0f RSP: 0018:ffffc9000e707820 EFLAGS: 00000046 RAX: 0000000000000000 RBX: ffffc9000e707884 RCX: 0000000000000002 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8dfc7f00 RBP: 00000000ffffffff R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: fffffbfff1f16d97 R12: 0000000000000004 R13: 0000000000000004 R14: ffff8880324968fc R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88812610f000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055555dbfc4e8 CR3: 000000000ddb6000 CR4: 00000000003526f0 Call Trace: <TASK> __lock_release kernel/locking/lockdep.c:5574 [inline] lock_release+0x199/0x3c0 kernel/locking/lockdep.c:5889 __local_bh_enable_ip+0x98/0x2b0 kernel/softirq.c:268 local_bh_enable include/linux/bottom_half.h:33 [inline] spin_unlock_bh include/linux/spinlock_rt.h:116 [inline] ieee80211_ibss_work+0x344/0x10d0 net/mac80211/ibss.c:1656 cfg80211_wiphy_work+0x2cf/0x460 net/wireless/core.c:513 process_one_work kernel/workqueue.c:3302 [inline] process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3385 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3466 kthread+0x388/0x470 kernel/kthread.c:436 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Tested on: commit: 43cfbdda Merge tag 'for-linus-iommufd' of git://git.ke.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=11621906580000 kernel config: https://syzkaller.appspot.com/x/.config?x=4660d1ff2985517b dashboard link: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=1732d8ce580000 ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone 2026-04-15 9:06 ` syzbot 2026-04-17 12:41 ` Edward Adam Davis @ 2026-04-18 3:56 ` Edward Adam Davis 2026-04-18 5:37 ` syzbot 2026-04-18 4:35 ` Edward Adam Davis ` (6 subsequent siblings) 8 siblings, 1 reply; 26+ messages in thread From: Edward Adam Davis @ 2026-04-18 3:56 UTC (permalink / raw) To: syzbot+ecf51a7ccb6b1394e90c; +Cc: linux-kernel, syzkaller-bugs #syz test: upstream master diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c index 5f31c12f4607..69b9d161b783 100644 --- a/fs/jfs/jfs_logmgr.c +++ b/fs/jfs/jfs_logmgr.c @@ -1984,7 +1984,7 @@ static int lbmRead(struct jfs_log * log, int pn, struct lbuf ** bpp) submit_bio(bio); } - wait_event(bp->l_ioevent, (bp->l_flag == lbmDONE)); + wait_event(bp->l_ioevent, (bp->l_flag & lbmDONE)); return 0; } ^ permalink raw reply related [flat|nested] 26+ messages in thread
* Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone 2026-04-18 3:56 ` Edward Adam Davis @ 2026-04-18 5:37 ` syzbot 0 siblings, 0 replies; 26+ messages in thread From: syzbot @ 2026-04-18 5:37 UTC (permalink / raw) To: eadavis, linux-kernel, syzkaller-bugs Hello, syzbot tried to test the proposed patch but the build/boot failed: failed to apply patch: checking file fs/jfs/jfs_logmgr.c Hunk #1 FAILED at 1984. 1 out of 1 hunk FAILED Tested on: commit: 8541d8f7 Merge tag 'mtd/for-7.1' of git://git.kernel.o.. git tree: upstream kernel config: https://syzkaller.appspot.com/x/.config?x=4660d1ff2985517b dashboard link: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c compiler: patch: https://syzkaller.appspot.com/x/patch.diff?x=16580836580000 ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone 2026-04-15 9:06 ` syzbot 2026-04-17 12:41 ` Edward Adam Davis 2026-04-18 3:56 ` Edward Adam Davis @ 2026-04-18 4:35 ` Edward Adam Davis 2026-04-18 5:43 ` syzbot 2026-04-18 5:42 ` Edward Adam Davis ` (5 subsequent siblings) 8 siblings, 1 reply; 26+ messages in thread From: Edward Adam Davis @ 2026-04-18 4:35 UTC (permalink / raw) To: syzbot+ecf51a7ccb6b1394e90c; +Cc: linux-kernel, syzkaller-bugs #syz test: upstream master diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c index 5f31c12f4607..f795f19d24bb 100644 --- a/fs/jfs/jfs_logmgr.c +++ b/fs/jfs/jfs_logmgr.c @@ -1984,7 +1984,7 @@ static int lbmRead(struct jfs_log * log, int pn, struct lbuf ** bpp) submit_bio(bio); } - wait_event(bp->l_ioevent, (bp->l_flag == lbmDONE)); + wait_event(bp->l_ioevent, (bp->l_flag & lbmDONE)); return 0; } @@ -2192,11 +2192,6 @@ static void lbmIODone(struct bio *bio) if (bp->l_flag & lbmREAD) { bp->l_flag &= ~lbmREAD; - LCACHE_UNLOCK(flags); - /* wakeup I/O initiator */ - LCACHE_WAKEUP(&bp->l_ioevent); - LCACHE_LOCK(flags); /* disable+lock */ - goto out; } @@ -2219,10 +2214,8 @@ static void lbmIODone(struct bio *bio) log = bp->l_log; log->clsn = (bp->l_pn << L2LOGPSIZE) + bp->l_ceor; - if (bp->l_flag & lbmDIRECT) { - LCACHE_WAKEUP(&bp->l_ioevent); + if (bp->l_flag & lbmDIRECT) goto out; - } tail = log->wqueue; @@ -2273,10 +2266,7 @@ static void lbmIODone(struct bio *bio) * leave buffer for i/o initiator to dispose */ if (bp->l_flag & lbmSYNC) { - LCACHE_UNLOCK(flags); - /* wakeup I/O initiator */ - LCACHE_WAKEUP(&bp->l_ioevent); - LCACHE_LOCK(flags); /* disable+lock */ + goto out; } /* @@ -2302,6 +2292,8 @@ static void lbmIODone(struct bio *bio) out: bp->l_flag |= lbmDONE; + /* wakeup I/O initiator */ + LCACHE_WAKEUP(&bp->l_ioevent); LCACHE_UNLOCK(flags); } ^ permalink raw reply related [flat|nested] 26+ messages in thread
* Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone 2026-04-18 4:35 ` Edward Adam Davis @ 2026-04-18 5:43 ` syzbot 0 siblings, 0 replies; 26+ messages in thread From: syzbot @ 2026-04-18 5:43 UTC (permalink / raw) To: eadavis, linux-kernel, syzkaller-bugs Hello, syzbot tried to test the proposed patch but the build/boot failed: failed to apply patch: checking file fs/jfs/jfs_logmgr.c Hunk #1 FAILED at 1984. Hunk #2 FAILED at 2192. Hunk #3 succeeded at 2217 (offset -2 lines). Hunk #4 FAILED at 2271. Hunk #5 succeeded at 2296 (offset -4 lines). 3 out of 5 hunks FAILED Tested on: commit: 8541d8f7 Merge tag 'mtd/for-7.1' of git://git.kernel.o.. git tree: upstream kernel config: https://syzkaller.appspot.com/x/.config?x=4660d1ff2985517b dashboard link: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c compiler: patch: https://syzkaller.appspot.com/x/patch.diff?x=16f80836580000 ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone 2026-04-15 9:06 ` syzbot ` (2 preceding siblings ...) 2026-04-18 4:35 ` Edward Adam Davis @ 2026-04-18 5:42 ` Edward Adam Davis 2026-04-18 5:50 ` syzbot 2026-04-18 5:49 ` Edward Adam Davis ` (4 subsequent siblings) 8 siblings, 1 reply; 26+ messages in thread From: Edward Adam Davis @ 2026-04-18 5:42 UTC (permalink / raw) To: syzbot+ecf51a7ccb6b1394e90c; +Cc: linux-kernel, syzkaller-bugs #syz test diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c index 5f31c12f4607..f795f19d24bb 100644 --- a/fs/jfs/jfs_logmgr.c +++ b/fs/jfs/jfs_logmgr.c @@ -1984,7 +1984,7 @@ static int lbmRead(struct jfs_log * log, int pn, struct lbuf ** bpp) submit_bio(bio); } - wait_event(bp->l_ioevent, (bp->l_flag == lbmDONE)); + wait_event(bp->l_ioevent, (bp->l_flag & lbmDONE)); return 0; } @@ -2192,11 +2192,6 @@ static void lbmIODone(struct bio *bio) if (bp->l_flag & lbmREAD) { bp->l_flag &= ~lbmREAD; - LCACHE_UNLOCK(flags); - /* wakeup I/O initiator */ - LCACHE_WAKEUP(&bp->l_ioevent); - LCACHE_LOCK(flags); /* disable+lock */ - goto out; } @@ -2219,10 +2214,8 @@ static void lbmIODone(struct bio *bio) log = bp->l_log; log->clsn = (bp->l_pn << L2LOGPSIZE) + bp->l_ceor; - if (bp->l_flag & lbmDIRECT) { - LCACHE_WAKEUP(&bp->l_ioevent); + if (bp->l_flag & lbmDIRECT) goto out; - } tail = log->wqueue; @@ -2273,10 +2266,7 @@ static void lbmIODone(struct bio *bio) * leave buffer for i/o initiator to dispose */ if (bp->l_flag & lbmSYNC) { - LCACHE_UNLOCK(flags); - /* wakeup I/O initiator */ - LCACHE_WAKEUP(&bp->l_ioevent); - LCACHE_LOCK(flags); /* disable+lock */ + goto out; } /* @@ -2302,6 +2292,8 @@ static void lbmIODone(struct bio *bio) out: bp->l_flag |= lbmDONE; + /* wakeup I/O initiator */ + LCACHE_WAKEUP(&bp->l_ioevent); LCACHE_UNLOCK(flags); } ^ permalink raw reply related [flat|nested] 26+ messages in thread
* Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone 2026-04-18 5:42 ` Edward Adam Davis @ 2026-04-18 5:50 ` syzbot 0 siblings, 0 replies; 26+ messages in thread From: syzbot @ 2026-04-18 5:50 UTC (permalink / raw) To: eadavis, linux-kernel, syzkaller-bugs Hello, syzbot tried to test the proposed patch but the build/boot failed: failed to apply patch: checking file fs/jfs/jfs_logmgr.c Hunk #1 FAILED at 1984. Hunk #2 FAILED at 2192. Hunk #3 succeeded at 2217 (offset -2 lines). Hunk #4 FAILED at 2271. Hunk #5 succeeded at 2296 (offset -4 lines). 3 out of 5 hunks FAILED Tested on: commit: 8541d8f7 Merge tag 'mtd/for-7.1' of git://git.kernel.o.. git tree: upstream kernel config: https://syzkaller.appspot.com/x/.config?x=4660d1ff2985517b dashboard link: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c compiler: patch: https://syzkaller.appspot.com/x/patch.diff?x=108f24ce580000 ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone 2026-04-15 9:06 ` syzbot ` (3 preceding siblings ...) 2026-04-18 5:42 ` Edward Adam Davis @ 2026-04-18 5:49 ` Edward Adam Davis 2026-04-18 5:56 ` syzbot 2026-04-18 5:55 ` Edward Adam Davis ` (3 subsequent siblings) 8 siblings, 1 reply; 26+ messages in thread From: Edward Adam Davis @ 2026-04-18 5:49 UTC (permalink / raw) To: syzbot+ecf51a7ccb6b1394e90c; +Cc: linux-kernel, syzkaller-bugs #syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c index 5f31c12f4607..f795f19d24bb 100644 --- a/fs/jfs/jfs_logmgr.c +++ b/fs/jfs/jfs_logmgr.c @@ -1984,7 +1984,7 @@ static int lbmRead(struct jfs_log * log, int pn, struct lbuf ** bpp) submit_bio(bio); } - wait_event(bp->l_ioevent, (bp->l_flag == lbmDONE)); + wait_event(bp->l_ioevent, (bp->l_flag & lbmDONE)); return 0; } @@ -2192,11 +2192,6 @@ static void lbmIODone(struct bio *bio) if (bp->l_flag & lbmREAD) { bp->l_flag &= ~lbmREAD; - LCACHE_UNLOCK(flags); - /* wakeup I/O initiator */ - LCACHE_WAKEUP(&bp->l_ioevent); - LCACHE_LOCK(flags); /* disable+lock */ - goto out; } @@ -2219,10 +2214,8 @@ static void lbmIODone(struct bio *bio) log = bp->l_log; log->clsn = (bp->l_pn << L2LOGPSIZE) + bp->l_ceor; - if (bp->l_flag & lbmDIRECT) { - LCACHE_WAKEUP(&bp->l_ioevent); + if (bp->l_flag & lbmDIRECT) goto out; - } tail = log->wqueue; @@ -2273,10 +2266,7 @@ static void lbmIODone(struct bio *bio) * leave buffer for i/o initiator to dispose */ if (bp->l_flag & lbmSYNC) { - LCACHE_UNLOCK(flags); - /* wakeup I/O initiator */ - LCACHE_WAKEUP(&bp->l_ioevent); - LCACHE_LOCK(flags); /* disable+lock */ + goto out; } /* @@ -2302,6 +2292,8 @@ static void lbmIODone(struct bio *bio) out: bp->l_flag |= lbmDONE; + /* wakeup I/O initiator */ + LCACHE_WAKEUP(&bp->l_ioevent); LCACHE_UNLOCK(flags); } ^ permalink raw reply related [flat|nested] 26+ messages in thread
* Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone 2026-04-18 5:49 ` Edward Adam Davis @ 2026-04-18 5:56 ` syzbot 0 siblings, 0 replies; 26+ messages in thread From: syzbot @ 2026-04-18 5:56 UTC (permalink / raw) To: eadavis, linux-kernel, syzkaller-bugs Hello, syzbot tried to test the proposed patch but the build/boot failed: failed to apply patch: checking file fs/jfs/jfs_logmgr.c Hunk #1 FAILED at 1984. Hunk #2 FAILED at 2192. Hunk #3 succeeded at 2217 (offset -2 lines). Hunk #4 FAILED at 2271. Hunk #5 succeeded at 2296 (offset -4 lines). 3 out of 5 hunks FAILED Tested on: commit: c7275b05 Add linux-next specific files for 20260417 git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master kernel config: https://syzkaller.appspot.com/x/.config?x=4660d1ff2985517b dashboard link: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c compiler: patch: https://syzkaller.appspot.com/x/patch.diff?x=174f24ce580000 ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone 2026-04-15 9:06 ` syzbot ` (4 preceding siblings ...) 2026-04-18 5:49 ` Edward Adam Davis @ 2026-04-18 5:55 ` Edward Adam Davis 2026-04-18 6:10 ` syzbot 2026-04-18 6:07 ` Edward Adam Davis ` (2 subsequent siblings) 8 siblings, 1 reply; 26+ messages in thread From: Edward Adam Davis @ 2026-04-18 5:55 UTC (permalink / raw) To: syzbot+ecf51a7ccb6b1394e90c; +Cc: linux-kernel, syzkaller-bugs #syz test: upstream master diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c index ada00d5bc214..729baf49a048 100644 --- a/fs/jfs/jfs_logmgr.c +++ b/fs/jfs/jfs_logmgr.c @@ -1986,7 +1986,7 @@ static int lbmRead(struct jfs_log * log, int pn, struct lbuf ** bpp) submit_bio(bio); } - wait_event(bp->l_ioevent, (bp->l_flag != lbmREAD)); + wait_event(bp->l_ioevent, (bp->l_flag & lbmDONE)); return 0; } @@ -2180,7 +2180,6 @@ static void lbmIODone(struct bio *bio) LCACHE_LOCK(flags); /* disable+lock */ - bp->l_flag |= lbmDONE; if (bio->bi_status) { bp->l_flag |= lbmERROR; @@ -2196,12 +2195,7 @@ static void lbmIODone(struct bio *bio) if (bp->l_flag & lbmREAD) { bp->l_flag &= ~lbmREAD; - LCACHE_UNLOCK(flags); /* unlock+enable */ - - /* wakeup I/O initiator */ - LCACHE_WAKEUP(&bp->l_ioevent); - - return; + goto out; } /* @@ -2224,9 +2218,7 @@ static void lbmIODone(struct bio *bio) log->clsn = (bp->l_pn << L2LOGPSIZE) + bp->l_ceor; if (bp->l_flag & lbmDIRECT) { - LCACHE_WAKEUP(&bp->l_ioevent); - LCACHE_UNLOCK(flags); - return; + goto out; } tail = log->wqueue; @@ -2278,10 +2270,7 @@ static void lbmIODone(struct bio *bio) * leave buffer for i/o initiator to dispose */ if (bp->l_flag & lbmSYNC) { - LCACHE_UNLOCK(flags); /* unlock+enable */ - - /* wakeup I/O initiator */ - LCACHE_WAKEUP(&bp->l_ioevent); + goto out; } /* @@ -2290,6 +2279,7 @@ static void lbmIODone(struct bio *bio) else if (bp->l_flag & lbmGC) { LCACHE_UNLOCK(flags); lmPostGC(bp); + LCACHE_LOCK(flags); /* disable+lock */ } /* @@ -2302,9 +2292,12 @@ static void lbmIODone(struct bio *bio) assert(bp->l_flag & lbmRELEASE); assert(bp->l_flag & lbmFREE); lbmfree(bp); - - LCACHE_UNLOCK(flags); /* unlock+enable */ } +out: + bp->l_flag |= lbmDONE; + /* wakeup I/O initiator */ + LCACHE_WAKEUP(&bp->l_ioevent); + LCACHE_UNLOCK(flags); /* unlock+enable */ } int jfsIOWait(void *arg) ^ permalink raw reply related [flat|nested] 26+ messages in thread
* Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone 2026-04-18 5:55 ` Edward Adam Davis @ 2026-04-18 6:10 ` syzbot 0 siblings, 0 replies; 26+ messages in thread From: syzbot @ 2026-04-18 6:10 UTC (permalink / raw) To: eadavis, linux-kernel, syzkaller-bugs Hello, syzbot tried to test the proposed patch but the build/boot failed: failed to apply patch: checking file fs/jfs/jfs_logmgr.c Hunk #1 succeeded at 1984 (offset -2 lines). Hunk #2 FAILED at 2180. Hunk #3 FAILED at 2196. Hunk #4 FAILED at 2224. Hunk #5 FAILED at 2278. Hunk #6 FAILED at 2290. Hunk #7 FAILED at 2302. 6 out of 7 hunks FAILED Tested on: commit: 8541d8f7 Merge tag 'mtd/for-7.1' of git://git.kernel.o.. git tree: upstream kernel config: https://syzkaller.appspot.com/x/.config?x=4660d1ff2985517b dashboard link: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c compiler: patch: https://syzkaller.appspot.com/x/patch.diff?x=142f24ce580000 ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone 2026-04-15 9:06 ` syzbot ` (5 preceding siblings ...) 2026-04-18 5:55 ` Edward Adam Davis @ 2026-04-18 6:07 ` Edward Adam Davis 2026-04-18 6:37 ` syzbot 2026-04-18 6:39 ` Edward Adam Davis 2026-04-18 9:05 ` [PATCH] jfs: Read returns only when the bio is done Edward Adam Davis 8 siblings, 1 reply; 26+ messages in thread From: Edward Adam Davis @ 2026-04-18 6:07 UTC (permalink / raw) To: syzbot+ecf51a7ccb6b1394e90c; +Cc: linux-kernel, syzkaller-bugs #syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c index 306165e61438..f795f19d24bb 100644 --- a/fs/jfs/jfs_logmgr.c +++ b/fs/jfs/jfs_logmgr.c @@ -1984,7 +1984,7 @@ static int lbmRead(struct jfs_log * log, int pn, struct lbuf ** bpp) submit_bio(bio); } - wait_event(bp->l_ioevent, (bp->l_flag != lbmREAD)); + wait_event(bp->l_ioevent, (bp->l_flag & lbmDONE)); return 0; } @@ -2192,9 +2192,6 @@ static void lbmIODone(struct bio *bio) if (bp->l_flag & lbmREAD) { bp->l_flag &= ~lbmREAD; - /* wakeup I/O initiator */ - LCACHE_WAKEUP(&bp->l_ioevent); - goto out; } @@ -2217,10 +2214,8 @@ static void lbmIODone(struct bio *bio) log = bp->l_log; log->clsn = (bp->l_pn << L2LOGPSIZE) + bp->l_ceor; - if (bp->l_flag & lbmDIRECT) { - LCACHE_WAKEUP(&bp->l_ioevent); + if (bp->l_flag & lbmDIRECT) goto out; - } tail = log->wqueue; @@ -2271,8 +2266,7 @@ static void lbmIODone(struct bio *bio) * leave buffer for i/o initiator to dispose */ if (bp->l_flag & lbmSYNC) { - /* wakeup I/O initiator */ - LCACHE_WAKEUP(&bp->l_ioevent); + goto out; } /* @@ -2298,6 +2292,8 @@ static void lbmIODone(struct bio *bio) out: bp->l_flag |= lbmDONE; + /* wakeup I/O initiator */ + LCACHE_WAKEUP(&bp->l_ioevent); LCACHE_UNLOCK(flags); } ^ permalink raw reply related [flat|nested] 26+ messages in thread
* Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone 2026-04-18 6:07 ` Edward Adam Davis @ 2026-04-18 6:37 ` syzbot 0 siblings, 0 replies; 26+ messages in thread From: syzbot @ 2026-04-18 6:37 UTC (permalink / raw) To: eadavis, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch and the reproducer did not trigger any issue: Reported-by: syzbot+ecf51a7ccb6b1394e90c@syzkaller.appspotmail.com Tested-by: syzbot+ecf51a7ccb6b1394e90c@syzkaller.appspotmail.com Tested on: commit: c7275b05 Add linux-next specific files for 20260417 git tree: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master console output: https://syzkaller.appspot.com/x/log.txt?x=145842d2580000 kernel config: https://syzkaller.appspot.com/x/.config?x=8d583ddcf2981d2a dashboard link: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=1604c1ba580000 Note: testing is done by a robot and is best-effort only. ^ permalink raw reply [flat|nested] 26+ messages in thread
* Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone 2026-04-15 9:06 ` syzbot ` (6 preceding siblings ...) 2026-04-18 6:07 ` Edward Adam Davis @ 2026-04-18 6:39 ` Edward Adam Davis 2026-04-18 8:53 ` syzbot 2026-04-18 9:05 ` [PATCH] jfs: Read returns only when the bio is done Edward Adam Davis 8 siblings, 1 reply; 26+ messages in thread From: Edward Adam Davis @ 2026-04-18 6:39 UTC (permalink / raw) To: syzbot+ecf51a7ccb6b1394e90c; +Cc: linux-kernel, syzkaller-bugs #syz test: upstream master diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c index 306165e61438..cbe3878ff886 100644 --- a/fs/jfs/jfs_logmgr.c +++ b/fs/jfs/jfs_logmgr.c @@ -1984,7 +1984,7 @@ static int lbmRead(struct jfs_log * log, int pn, struct lbuf ** bpp) submit_bio(bio); } - wait_event(bp->l_ioevent, (bp->l_flag != lbmREAD)); + wait_event(bp->l_ioevent, (bp->l_flag & lbmDONE)); return 0; } @@ -2192,9 +2192,6 @@ static void lbmIODone(struct bio *bio) if (bp->l_flag & lbmREAD) { bp->l_flag &= ~lbmREAD; - /* wakeup I/O initiator */ - LCACHE_WAKEUP(&bp->l_ioevent); - goto out; } @@ -2218,7 +2215,6 @@ static void lbmIODone(struct bio *bio) log->clsn = (bp->l_pn << L2LOGPSIZE) + bp->l_ceor; if (bp->l_flag & lbmDIRECT) { - LCACHE_WAKEUP(&bp->l_ioevent); goto out; } @@ -2271,8 +2267,7 @@ static void lbmIODone(struct bio *bio) * leave buffer for i/o initiator to dispose */ if (bp->l_flag & lbmSYNC) { - /* wakeup I/O initiator */ - LCACHE_WAKEUP(&bp->l_ioevent); + goto out; } /* @@ -2298,6 +2293,8 @@ static void lbmIODone(struct bio *bio) out: bp->l_flag |= lbmDONE; + /* wakeup I/O initiator */ + LCACHE_WAKEUP(&bp->l_ioevent); LCACHE_UNLOCK(flags); } ^ permalink raw reply related [flat|nested] 26+ messages in thread
* Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone 2026-04-18 6:39 ` Edward Adam Davis @ 2026-04-18 8:53 ` syzbot 0 siblings, 0 replies; 26+ messages in thread From: syzbot @ 2026-04-18 8:53 UTC (permalink / raw) To: eadavis, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch and the reproducer did not trigger any issue: Reported-by: syzbot+ecf51a7ccb6b1394e90c@syzkaller.appspotmail.com Tested-by: syzbot+ecf51a7ccb6b1394e90c@syzkaller.appspotmail.com Tested on: commit: 8541d8f7 Merge tag 'mtd/for-7.1' of git://git.kernel.o.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=12a8a4ce580000 kernel config: https://syzkaller.appspot.com/x/.config?x=ecb532db4f89a3a6 dashboard link: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=14936f16580000 Note: testing is done by a robot and is best-effort only. ^ permalink raw reply [flat|nested] 26+ messages in thread
* [PATCH] jfs: Read returns only when the bio is done 2026-04-15 9:06 ` syzbot ` (7 preceding siblings ...) 2026-04-18 6:39 ` Edward Adam Davis @ 2026-04-18 9:05 ` Edward Adam Davis 8 siblings, 0 replies; 26+ messages in thread From: Edward Adam Davis @ 2026-04-18 9:05 UTC (permalink / raw) To: syzbot+ecf51a7ccb6b1394e90c Cc: jfs-discussion, linux-kernel, shaggy, syzkaller-bugs Fixed the sequencing of setting the DONE flag and waking up the ioevent. The ioevent wakeup must occur after the DONE flag has been set, and while under the protection of the jfsLCacheLock. This ensures that when the thread associated with wait_event() resumes execution (e.g., in lbmRead/ Write/IOWait, etc.), it will strictly avoid accessing any content related to the bio, simultaneously, this guarantees the stable and proper shutdown of subsequent log I/O operations. Fixes: b15e4310633f ("jfs: Set the lbmDone flag at the end of lbmIODone") Reported-by: syzbot+ecf51a7ccb6b1394e90c@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c Tested-by: syzbot+ecf51a7ccb6b1394e90c@syzkaller.appspotmail.com Signed-off-by: Edward Adam Davis <eadavis@qq.com> --- fs/jfs/jfs_logmgr.c | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c index 306165e61438..f795f19d24bb 100644 --- a/fs/jfs/jfs_logmgr.c +++ b/fs/jfs/jfs_logmgr.c @@ -1984,7 +1984,7 @@ static int lbmRead(struct jfs_log * log, int pn, struct lbuf ** bpp) submit_bio(bio); } - wait_event(bp->l_ioevent, (bp->l_flag != lbmREAD)); + wait_event(bp->l_ioevent, (bp->l_flag & lbmDONE)); return 0; } @@ -2192,9 +2192,6 @@ static void lbmIODone(struct bio *bio) if (bp->l_flag & lbmREAD) { bp->l_flag &= ~lbmREAD; - /* wakeup I/O initiator */ - LCACHE_WAKEUP(&bp->l_ioevent); - goto out; } @@ -2217,10 +2214,8 @@ static void lbmIODone(struct bio *bio) log = bp->l_log; log->clsn = (bp->l_pn << L2LOGPSIZE) + bp->l_ceor; - if (bp->l_flag & lbmDIRECT) { - LCACHE_WAKEUP(&bp->l_ioevent); + if (bp->l_flag & lbmDIRECT) goto out; - } tail = log->wqueue; @@ -2271,8 +2266,7 @@ static void lbmIODone(struct bio *bio) * leave buffer for i/o initiator to dispose */ if (bp->l_flag & lbmSYNC) { - /* wakeup I/O initiator */ - LCACHE_WAKEUP(&bp->l_ioevent); + goto out; } /* @@ -2298,6 +2292,8 @@ static void lbmIODone(struct bio *bio) out: bp->l_flag |= lbmDONE; + /* wakeup I/O initiator */ + LCACHE_WAKEUP(&bp->l_ioevent); LCACHE_UNLOCK(flags); } -- 2.43.0 ^ permalink raw reply related [flat|nested] 26+ messages in thread
* Forwarded: [PATCH] jfs: fix use-after-free in lbmIODone by waiting for in-flight I/O 2025-09-29 13:20 [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone syzbot 2026-04-15 6:59 ` syzbot 2026-04-15 9:06 ` syzbot @ 2026-04-17 14:20 ` syzbot 2026-04-17 16:22 ` Forwarded: Re: [syzbot] KASAN: slab-use-after-free Read in lbmIODone syzbot 2026-04-17 19:26 ` Forwarded: Re: [syzbot] [jfs?] " syzbot 4 siblings, 0 replies; 26+ messages in thread From: syzbot @ 2026-04-17 14:20 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: [PATCH] jfs: fix use-after-free in lbmIODone by waiting for in-flight I/O Author: tristmd@gmail.com #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master From b8abd9772daa211b13c6db417c5c09495e688c61 Mon Sep 17 00:00:00 2001 From: Tristan Madani <tristan@talencesecurity.com> Date: Fri, 17 Apr 2026 14:19:45 +0000 Subject: [PATCH] jfs: fix use-after-free in lbmIODone by waiting for in-flight I/O lbmLogShutdown() frees all log buffer heads from the freelist, but does not wait for outstanding block I/O completions. When a log buffer write is submitted via lbmStartIO() and the filesystem is unmounted before the bio completes, lbmIODone() runs against a freed lbuf, causing a use-after-free read. Add an atomic I/O counter (io_count) to struct jfs_log. Increment it in lbmStartIO() before submit_bio(), decrement it in lbmIODone() after processing. In lbmLogShutdown(), wait for io_count to reach zero before freeing buffer heads, ensuring no in-flight I/O references freed memory. Reported-by: syzbot+ecf51a7ccb6b1394e90c@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Signed-off-by: Tristan Madani <tristan@talencesecurity.com> --- fs/jfs/jfs_logmgr.c | 15 ++++++++++++++- fs/jfs/jfs_logmgr.h | 3 +++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c index 306165e61..e309e1bbb 100644 --- a/fs/jfs/jfs_logmgr.c +++ b/fs/jfs/jfs_logmgr.c @@ -1805,6 +1805,9 @@ static int lbmLogInit(struct jfs_log * log) */ init_waitqueue_head(&log->free_wait); + atomic_set(&log->io_count, 0); + init_waitqueue_head(&log->io_wait); + log->lbuf_free = NULL; for (i = 0; i < LOGPAGES;) { @@ -1855,6 +1858,8 @@ static void lbmLogShutdown(struct jfs_log * log) jfs_info("lbmLogShutdown: log:0x%p", log); + wait_event(log->io_wait, atomic_read(&log->io_count) == 0); + lbuf = log->lbuf_free; while (lbuf) { struct lbuf *next = lbuf->l_freelist; @@ -2128,6 +2133,7 @@ static void lbmStartIO(struct lbuf * bp) bio->bi_iter.bi_size = 0; lbmIODone(bio); } else { + atomic_inc(&log->io_count); submit_bio(bio); INCREMENT(lmStat.submitted); } @@ -2170,12 +2176,16 @@ static void lbmIODone(struct bio *bio) struct lbuf *nextbp, *tail; struct jfs_log *log; unsigned long flags; + int is_write; /* * get back jfs buffer bound to the i/o buffer */ jfs_info("lbmIODone: bp:0x%p flag:0x%x", bp, bp->l_flag); + log = bp->l_log; + is_write = !(bp->l_flag & lbmREAD); + LCACHE_LOCK(flags); /* disable+lock */ if (bio->bi_status) { @@ -2214,7 +2224,6 @@ static void lbmIODone(struct bio *bio) INCREMENT(lmStat.pagedone); /* update committed lsn */ - log = bp->l_log; log->clsn = (bp->l_pn << L2LOGPSIZE) + bp->l_ceor; if (bp->l_flag & lbmDIRECT) { @@ -2299,6 +2308,10 @@ static void lbmIODone(struct bio *bio) out: bp->l_flag |= lbmDONE; LCACHE_UNLOCK(flags); + + if (is_write && !log->no_integrity) + if (atomic_dec_and_test(&log->io_count)) + wake_up(&log->io_wait); } int jfsIOWait(void *arg) diff --git a/fs/jfs/jfs_logmgr.h b/fs/jfs/jfs_logmgr.h index 09e0ef6ae..50388562b 100644 --- a/fs/jfs/jfs_logmgr.h +++ b/fs/jfs/jfs_logmgr.h @@ -400,6 +400,9 @@ struct jfs_log { uuid_t uuid; /* 16: 128-bit uuid of log device */ int no_integrity; /* 3: flag to disable journaling to disk */ + + atomic_t io_count; /* outstanding I/O count */ + wait_queue_head_t io_wait; /* wait for all I/O to complete */ }; /* -- 2.47.3 ^ permalink raw reply related [flat|nested] 26+ messages in thread
* Forwarded: Re: [syzbot] KASAN: slab-use-after-free Read in lbmIODone 2025-09-29 13:20 [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone syzbot ` (2 preceding siblings ...) 2026-04-17 14:20 ` Forwarded: [PATCH] jfs: fix use-after-free in lbmIODone by waiting for in-flight I/O syzbot @ 2026-04-17 16:22 ` syzbot 2026-04-17 19:26 ` Forwarded: Re: [syzbot] [jfs?] " syzbot 4 siblings, 0 replies; 26+ messages in thread From: syzbot @ 2026-04-17 16:22 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: Re: [syzbot] KASAN: slab-use-after-free Read in lbmIODone Author: tristmd@gmail.com #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master >From 9fd2228641cd56d9e735211ce0d2decfd03aaaa9 Mon Sep 17 00:00:00 2001 From: Tristan Madani <tristan@talencesecurity.com> Date: Fri, 17 Apr 2026 16:15:16 +0000 Subject: [PATCH] jfs: fix use-after-free in lbmIODone by waiting for in-flight I/O lbmLogShutdown() frees all log buffer heads without waiting for outstanding block I/O completions. When a write bio submitted via lbmStartIO() completes after the buffers are freed, lbmIODone() dereferences the freed struct lbuf via bio->bi_private. Add an atomic io_count and wait_queue_head_t to struct jfs_log. Increment before submit_bio(), decrement after processing in lbmIODone(), and wait in lbmLogShutdown() for io_count == 0 before freeing. Reported-by: syzbot+ecf51a7ccb6b1394e90c@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c Signed-off-by: Tristan Madani <tristan@talencesecurity.com> --- fs/jfs/jfs_logmgr.c | 15 ++++++++++++++- fs/jfs/jfs_logmgr.h | 3 +++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c index 306165e..e309e1b 100644 --- a/fs/jfs/jfs_logmgr.c +++ b/fs/jfs/jfs_logmgr.c @@ -1805,6 +1805,9 @@ static int lbmLogInit(struct jfs_log * log) */ init_waitqueue_head(&log->free_wait); + atomic_set(&log->io_count, 0); + init_waitqueue_head(&log->io_wait); + log->lbuf_free = NULL; for (i = 0; i < LOGPAGES;) { @@ -1855,6 +1858,8 @@ static void lbmLogShutdown(struct jfs_log * log) jfs_info("lbmLogShutdown: log:0x%p", log); + wait_event(log->io_wait, atomic_read(&log->io_count) == 0); + lbuf = log->lbuf_free; while (lbuf) { struct lbuf *next = lbuf->l_freelist; @@ -2128,6 +2133,7 @@ static void lbmStartIO(struct lbuf * bp) bio->bi_iter.bi_size = 0; lbmIODone(bio); } else { + atomic_inc(&log->io_count); submit_bio(bio); INCREMENT(lmStat.submitted); } @@ -2170,12 +2176,16 @@ static void lbmIODone(struct bio *bio) struct lbuf *nextbp, *tail; struct jfs_log *log; unsigned long flags; + int is_write; /* * get back jfs buffer bound to the i/o buffer */ jfs_info("lbmIODone: bp:0x%p flag:0x%x", bp, bp->l_flag); + log = bp->l_log; + is_write = !(bp->l_flag & lbmREAD); + LCACHE_LOCK(flags); /* disable+lock */ if (bio->bi_status) { @@ -2214,7 +2224,6 @@ static void lbmIODone(struct bio *bio) INCREMENT(lmStat.pagedone); /* update committed lsn */ - log = bp->l_log; log->clsn = (bp->l_pn << L2LOGPSIZE) + bp->l_ceor; if (bp->l_flag & lbmDIRECT) { @@ -2299,6 +2308,10 @@ static void lbmIODone(struct bio *bio) out: bp->l_flag |= lbmDONE; LCACHE_UNLOCK(flags); + + if (is_write && !log->no_integrity) + if (atomic_dec_and_test(&log->io_count)) + wake_up(&log->io_wait); } int jfsIOWait(void *arg) diff --git a/fs/jfs/jfs_logmgr.h b/fs/jfs/jfs_logmgr.h index 09e0ef6..6fa7d9f 100644 --- a/fs/jfs/jfs_logmgr.h +++ b/fs/jfs/jfs_logmgr.h @@ -400,6 +400,9 @@ struct jfs_log { uuid_t uuid; /* 16: 128-bit uuid of log device */ int no_integrity; /* 3: flag to disable journaling to disk */ + + atomic_t io_count; /* outstanding I/O count */ + wait_queue_head_t io_wait; /* wait for all I/O to complete */ }; /* -- 2.47.3 ^ permalink raw reply related [flat|nested] 26+ messages in thread
* Forwarded: Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone 2025-09-29 13:20 [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone syzbot ` (3 preceding siblings ...) 2026-04-17 16:22 ` Forwarded: Re: [syzbot] KASAN: slab-use-after-free Read in lbmIODone syzbot @ 2026-04-17 19:26 ` syzbot 4 siblings, 0 replies; 26+ messages in thread From: syzbot @ 2026-04-17 19:26 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com. *** Subject: Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone Author: tristmd@gmail.com #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c index XXXXXXX..XXXXXXX 100644 --- a/fs/jfs/jfs_logmgr.c +++ b/fs/jfs/jfs_logmgr.c @@ -1805,6 +1805,8 @@ static int lbmLogInit(struct jfs_log * log) */ init_waitqueue_head(&log->free_wait); + atomic_set(&log->io_count, 0); + log->lbuf_free = NULL; for (i = 0; i < LOGPAGES;) { @@ -1855,6 +1857,8 @@ static void lbmLogShutdown(struct jfs_log * log) jfs_info("lbmLogShutdown: log:0x%p", log); + wait_var_event(&log->io_count, atomic_read(&log->io_count) == 0); + lbuf = log->lbuf_free; while (lbuf) { struct lbuf *next = lbuf->l_freelist; @@ -2128,6 +2132,7 @@ static void lbmStartIO(struct lbuf * bp) bio->bi_iter.bi_size = 0; lbmIODone(bio); } else { + atomic_inc(&log->io_count); submit_bio(bio); INCREMENT(lmStat.submitted); } @@ -2170,12 +2175,16 @@ static void lbmIODone(struct bio *bio) struct lbuf *nextbp, *tail; struct jfs_log *log; unsigned long flags; + int is_write; /* * get back jfs buffer bound to the i/o buffer */ jfs_info("lbmIODone: bp:0x%p flag:0x%x", bp, bp->l_flag); + log = bp->l_log; + is_write = !(bp->l_flag & lbmREAD); + LCACHE_LOCK(flags); /* disable+lock */ if (bio->bi_status) { @@ -2214,7 +2223,6 @@ static void lbmIODone(struct bio *bio) INCREMENT(lmStat.pagedone); /* update committed lsn */ - log = bp->l_log; log->clsn = (bp->l_pn << L2LOGPSIZE) + bp->l_ceor; if (bp->l_flag & lbmDIRECT) { @@ -2299,6 +2307,10 @@ static void lbmIODone(struct bio *bio) out: bp->l_flag |= lbmDONE; LCACHE_UNLOCK(flags); + + if (is_write && !log->no_integrity) + if (atomic_dec_and_test(&log->io_count)) + wake_up_var(&log->io_count); } int jfsIOWait(void *arg) diff --git a/fs/jfs/jfs_logmgr.h b/fs/jfs/jfs_logmgr.h index XXXXXXX..XXXXXXX 100644 --- a/fs/jfs/jfs_logmgr.h +++ b/fs/jfs/jfs_logmgr.h @@ -400,6 +400,8 @@ struct jfs_log { uuid_t uuid; /* 16: 128-bit uuid of log device */ int no_integrity; /* 3: flag to disable journaling to disk */ + + atomic_t io_count; /* outstanding I/O count for shutdown drain */ }; /* ^ permalink raw reply [flat|nested] 26+ messages in thread
[parent not found: <20260417142003.3369860-1-tristmd@gmail.com>]
* Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone [not found] <20260417142003.3369860-1-tristmd@gmail.com> @ 2026-04-17 16:37 ` syzbot 0 siblings, 0 replies; 26+ messages in thread From: syzbot @ 2026-04-17 16:37 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs, tristmd Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: KASAN: slab-use-after-free Read in blk_update_request ================================================================== BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:132 [inline] BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0x40/0x60 kernel/locking/spinlock.c:166 Read of size 1 at addr ffff888029ea23a8 by task syz-execprog/6206 CPU: 1 UID: 0 PID: 6206 Comm: syz-execprog Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026 Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description+0x55/0x1e0 mm/kasan/report.c:378 print_report+0x58/0x70 mm/kasan/report.c:482 kasan_report+0x117/0x150 mm/kasan/report.c:595 __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:574 kasan_check_byte include/linux/kasan.h:402 [inline] lock_acquire+0x84/0x350 kernel/locking/lockdep.c:5842 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:132 [inline] _raw_spin_lock_irqsave+0x40/0x60 kernel/locking/spinlock.c:166 rtlock_slowlock kernel/locking/rtmutex.c:1910 [inline] rtlock_lock kernel/locking/spinlock_rt.c:43 [inline] __rt_spin_lock kernel/locking/spinlock_rt.c:49 [inline] rt_spin_lock+0x157/0x400 kernel/locking/spinlock_rt.c:57 spin_lock include/linux/spinlock_rt.h:45 [inline] __wake_up_common_lock+0x2f/0x1e0 kernel/sched/wait.c:124 blk_update_request+0x57e/0xe60 block/blk-mq.c:1016 blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1178 blk_complete_reqs block/blk-mq.c:1253 [inline] blk_done_softirq+0x10a/0x160 block/blk-mq.c:1258 handle_softirqs+0x1de/0x6d0 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] __local_bh_enable_ip+0x170/0x2b0 kernel/softirq.c:302 lock_sock include/net/sock.h:1713 [inline] tcp_recvmsg+0xdb/0x530 net/ipv4/tcp.c:2947 sock_recvmsg_nosec net/socket.c:1137 [inline] sock_recvmsg+0xfa/0x1b0 net/socket.c:1159 sock_read_iter+0x25a/0x330 net/socket.c:1229 new_sync_read fs/read_write.c:493 [inline] vfs_read+0x58b/0xa80 fs/read_write.c:574 ksys_read+0x156/0x270 fs/read_write.c:717 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x40d3ce Code: ff cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 49 89 f2 48 89 fa 48 89 ce 48 89 df 0f 05 <48> 3d 01 f0 ff ff 76 15 48 f7 d8 48 89 c1 48 c7 c0 ff ff ff ff 48 RSP: 002b:00002b0cf6eef3d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 000000000040d3ce RDX: 0000000001e71274 RSI: 00002b0cf7180000 RDI: 0000000000000006 RBP: 00002b0cf6eef418 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffed587ed60 R13: 0000000000000001 R14: 00002b0cf6d672c0 R15: 0000000000000001 </TASK> Allocated by task 6803: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 poison_kmalloc_redzone mm/kasan/common.c:398 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415 kasan_kmalloc include/linux/kasan.h:263 [inline] __kmalloc_cache_noprof+0x3a6/0x690 mm/slub.c:5415 kmalloc_noprof include/linux/slab.h:950 [inline] kzalloc_noprof include/linux/slab.h:1188 [inline] open_inline_log fs/jfs/jfs_logmgr.c:1157 [inline] lmLogOpen+0x2d1/0xfa0 fs/jfs/jfs_logmgr.c:1067 jfs_mount_rw+0xee/0x670 fs/jfs/jfs_mount.c:257 jfs_fill_super+0x754/0xd80 fs/jfs/super.c:532 get_tree_bdev_flags+0x431/0x4f0 fs/super.c:1694 vfs_get_tree+0x92/0x2a0 fs/super.c:1754 fc_mount fs/namespace.c:1193 [inline] do_new_mount_fc fs/namespace.c:3758 [inline] do_new_mount+0x341/0xd30 fs/namespace.c:3834 do_mount fs/namespace.c:4167 [inline] __do_sys_mount fs/namespace.c:4383 [inline] __se_sys_mount+0x31d/0x420 fs/namespace.c:4360 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 6544: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:253 [inline] __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285 kasan_slab_free include/linux/kasan.h:235 [inline] slab_free_hook mm/slub.c:2689 [inline] slab_free mm/slub.c:6246 [inline] kfree+0x1c5/0x6c0 mm/slub.c:6561 lmLogClose+0x297/0x520 fs/jfs/jfs_logmgr.c:-1 jfs_umount+0x2fb/0x3d0 fs/jfs/jfs_umount.c:124 jfs_put_super+0x8c/0x190 fs/jfs/super.c:194 generic_shutdown_super+0x13d/0x2d0 fs/super.c:646 kill_block_super+0x44/0x90 fs/super.c:1725 deactivate_locked_super+0xbc/0x130 fs/super.c:476 cleanup_mnt+0x437/0x4d0 fs/namespace.c:1312 task_work_run+0x1d9/0x270 kernel/task_work.c:233 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] __exit_to_user_mode_loop kernel/entry/common.c:67 [inline] exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:98 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline] syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:328 [inline] do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888029ea2000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 936 bytes inside of freed 2048-byte region [ffff888029ea2000, ffff888029ea2800) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888029ea1000 pfn:0x29ea0 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x80000000000240(workingset|head|node=0|zone=1) page_type: f5(slab) raw: 0080000000000240 ffff88801a01f000 ffffea0000e8dc10 ffffea0000cb5810 raw: ffff888029ea1000 0000000800080006 00000000f5000000 0000000000000000 head: 0080000000000240 ffff88801a01f000 ffffea0000e8dc10 ffffea0000cb5810 head: ffff888029ea1000 0000000800080006 00000000f5000000 0000000000000000 head: 0080000000000003 fffffffffffffe01 00000000ffffffff 00000000ffffffff head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd28c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3872, tgid 3872 (kworker/u8:15), ts 89329858437, free_ts 89297441219 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x231/0x280 mm/page_alloc.c:1860 prep_new_page mm/page_alloc.c:1868 [inline] get_page_from_freelist+0x27c8/0x2840 mm/page_alloc.c:3948 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5228 alloc_slab_page mm/slub.c:3278 [inline] allocate_slab+0x77/0x660 mm/slub.c:3467 new_slab mm/slub.c:3525 [inline] refill_objects+0x33c/0x3d0 mm/slub.c:7251 refill_sheaf mm/slub.c:2816 [inline] __pcs_replace_empty_main+0x373/0x720 mm/slub.c:4651 alloc_from_pcs mm/slub.c:4749 [inline] slab_alloc_node mm/slub.c:4883 [inline] __do_kmalloc_node mm/slub.c:5294 [inline] __kmalloc_node_track_caller_noprof+0x60b/0x7e0 mm/slub.c:5403 kmalloc_reserve net/core/skbuff.c:635 [inline] pskb_expand_head+0x230/0x1390 net/core/skbuff.c:2302 netlink_trim+0x1b3/0x2c0 net/netlink/af_netlink.c:1299 netlink_broadcast_filtered+0x80/0xea0 net/netlink/af_netlink.c:1512 nlmsg_multicast_filtered include/net/netlink.h:1165 [inline] nlmsg_multicast include/net/netlink.h:1184 [inline] nlmsg_notify+0xf0/0x1a0 net/netlink/af_netlink.c:2593 netif_state_change+0x297/0x3a0 net/core/dev.c:1605 __linkwatch_run_queue+0x575/0x850 net/core/link_watch.c:240 linkwatch_event+0x4c/0x60 net/core/link_watch.c:314 process_one_work kernel/workqueue.c:3302 [inline] process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3385 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3466 page last free pid 5861 tgid 5861 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1404 [inline] __free_frozen_pages+0xfa6/0x10f0 mm/page_alloc.c:2945 __slab_free+0x252/0x2a0 mm/slub.c:5608 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x99/0x100 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4569 [inline] slab_alloc_node mm/slub.c:4898 [inline] kmem_cache_alloc_lru_noprof+0x33c/0x680 mm/slub.c:4917 sock_alloc_inode+0x2c/0x190 net/socket.c:328 alloc_inode+0x6a/0x1b0 fs/inode.c:345 new_inode_pseudo include/linux/fs.h:3022 [inline] sock_alloc net/socket.c:697 [inline] __sock_create+0x12d/0x9d0 net/socket.c:1628 sock_create net/socket.c:1722 [inline] __sys_socket_create net/socket.c:1759 [inline] __sys_socket+0xd6/0x1b0 net/socket.c:1806 __do_sys_socket net/socket.c:1820 [inline] __se_sys_socket net/socket.c:1818 [inline] __x64_sys_socket+0x7a/0x90 net/socket.c:1818 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff888029ea2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888029ea2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888029ea2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888029ea2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888029ea2480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Tested on: commit: 43cfbdda Merge tag 'for-linus-iommufd' of git://git.ke.. git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master console output: https://syzkaller.appspot.com/x/log.txt?x=16d3f036580000 kernel config: https://syzkaller.appspot.com/x/.config?x=4660d1ff2985517b dashboard link: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=11c4a4ce580000 ^ permalink raw reply [flat|nested] 26+ messages in thread
[parent not found: <177644292572.3792638.6921571003846559600@talencesecurity.com>]
* Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone [not found] <177644292572.3792638.6921571003846559600@talencesecurity.com> @ 2026-04-17 18:36 ` syzbot 0 siblings, 0 replies; 26+ messages in thread From: syzbot @ 2026-04-17 18:36 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs, tristmd Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: KASAN: slab-use-after-free Read in rtlock_slowlock_locked ================================================================== BUG: KASAN: slab-use-after-free in __raw_spin_lock_irq include/linux/spinlock_api_smp.h:142 [inline] BUG: KASAN: slab-use-after-free in _raw_spin_lock_irq+0x3d/0x50 kernel/locking/spinlock.c:174 Read of size 1 at addr ffff8880391af3a8 by task ksoftirqd/1/30 CPU: 1 UID: 0 PID: 30 Comm: ksoftirqd/1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026 Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description+0x55/0x1e0 mm/kasan/report.c:378 print_report+0x58/0x70 mm/kasan/report.c:482 kasan_report+0x117/0x150 mm/kasan/report.c:595 __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:574 kasan_check_byte include/linux/kasan.h:402 [inline] lock_acquire+0x84/0x350 kernel/locking/lockdep.c:5842 __raw_spin_lock_irq include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock_irq+0x3d/0x50 kernel/locking/spinlock.c:174 rtlock_slowlock_locked+0x3640/0x3c80 kernel/locking/rtmutex.c:1887 rtlock_slowlock kernel/locking/rtmutex.c:1911 [inline] rtlock_lock kernel/locking/spinlock_rt.c:43 [inline] __rt_spin_lock kernel/locking/spinlock_rt.c:49 [inline] rt_spin_lock+0x165/0x400 kernel/locking/spinlock_rt.c:57 spin_lock include/linux/spinlock_rt.h:45 [inline] __wake_up_common_lock+0x2f/0x1e0 kernel/sched/wait.c:124 blk_update_request+0x57e/0xe60 block/blk-mq.c:1016 blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1178 blk_complete_reqs block/blk-mq.c:1253 [inline] blk_done_softirq+0x10a/0x160 block/blk-mq.c:1258 handle_softirqs+0x1de/0x6d0 kernel/softirq.c:622 run_ksoftirqd+0x52/0x180 kernel/softirq.c:1076 smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160 kthread+0x388/0x470 kernel/kthread.c:436 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 7581: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 poison_kmalloc_redzone mm/kasan/common.c:398 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415 kasan_kmalloc include/linux/kasan.h:263 [inline] __kmalloc_cache_noprof+0x3a6/0x690 mm/slub.c:5415 kmalloc_noprof include/linux/slab.h:950 [inline] kzalloc_noprof include/linux/slab.h:1188 [inline] open_inline_log fs/jfs/jfs_logmgr.c:1157 [inline] lmLogOpen+0x2d1/0xfa0 fs/jfs/jfs_logmgr.c:1067 jfs_mount_rw+0xee/0x670 fs/jfs/jfs_mount.c:257 jfs_fill_super+0x754/0xd80 fs/jfs/super.c:532 get_tree_bdev_flags+0x431/0x4f0 fs/super.c:1694 vfs_get_tree+0x92/0x2a0 fs/super.c:1754 fc_mount fs/namespace.c:1193 [inline] do_new_mount_fc fs/namespace.c:3758 [inline] do_new_mount+0x341/0xd30 fs/namespace.c:3834 do_mount fs/namespace.c:4167 [inline] __do_sys_mount fs/namespace.c:4383 [inline] __se_sys_mount+0x31d/0x420 fs/namespace.c:4360 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 6578: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:253 [inline] __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285 kasan_slab_free include/linux/kasan.h:235 [inline] slab_free_hook mm/slub.c:2689 [inline] slab_free mm/slub.c:6246 [inline] kfree+0x1c5/0x6c0 mm/slub.c:6561 lmLogClose+0x297/0x520 fs/jfs/jfs_logmgr.c:-1 jfs_umount+0x2fb/0x3d0 fs/jfs/jfs_umount.c:124 jfs_put_super+0x8c/0x190 fs/jfs/super.c:194 generic_shutdown_super+0x13d/0x2d0 fs/super.c:646 kill_block_super+0x44/0x90 fs/super.c:1725 deactivate_locked_super+0xbc/0x130 fs/super.c:476 cleanup_mnt+0x437/0x4d0 fs/namespace.c:1312 task_work_run+0x1d9/0x270 kernel/task_work.c:233 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] __exit_to_user_mode_loop kernel/entry/common.c:67 [inline] exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:98 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline] syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:328 [inline] do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff8880391af000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 936 bytes inside of freed 2048-byte region [ffff8880391af000, ffff8880391af800) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880391a8000 pfn:0x391a8 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x80000000000240(workingset|head|node=0|zone=1) page_type: f5(slab) raw: 0080000000000240 ffff88801a01f000 ffffea000081f610 ffffea0000ad4010 raw: ffff8880391a8000 0000000800080006 00000000f5000000 0000000000000000 head: 0080000000000240 ffff88801a01f000 ffffea000081f610 ffffea0000ad4010 head: ffff8880391a8000 0000000800080006 00000000f5000000 0000000000000000 head: 0080000000000003 fffffffffffffe01 00000000ffffffff 00000000ffffffff head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1246, tgid 1246 (kworker/0:3), ts 92650036638, free_ts 65245208477 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x231/0x280 mm/page_alloc.c:1860 prep_new_page mm/page_alloc.c:1868 [inline] get_page_from_freelist+0x27c8/0x2840 mm/page_alloc.c:3948 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5228 alloc_slab_page mm/slub.c:3278 [inline] allocate_slab+0x77/0x660 mm/slub.c:3467 new_slab mm/slub.c:3525 [inline] refill_objects+0x33c/0x3d0 mm/slub.c:7251 refill_sheaf mm/slub.c:2816 [inline] __pcs_replace_empty_main+0x373/0x720 mm/slub.c:4651 alloc_from_pcs mm/slub.c:4749 [inline] slab_alloc_node mm/slub.c:4883 [inline] __do_kmalloc_node mm/slub.c:5294 [inline] __kmalloc_node_track_caller_noprof+0x60b/0x7e0 mm/slub.c:5403 kmalloc_reserve net/core/skbuff.c:635 [inline] __alloc_skb+0x2c1/0x7d0 net/core/skbuff.c:713 alloc_skb include/linux/skbuff.h:1383 [inline] mld_newpack+0x14c/0xc90 net/ipv6/mcast.c:1775 add_grhead+0x5a/0x2a0 net/ipv6/mcast.c:1886 add_grec+0x1452/0x1740 net/ipv6/mcast.c:2025 mld_send_cr net/ipv6/mcast.c:2148 [inline] mld_ifc_work+0x6e6/0xe70 net/ipv6/mcast.c:2693 process_one_work kernel/workqueue.c:3302 [inline] process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3385 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3466 kthread+0x388/0x470 kernel/kthread.c:436 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 page last free pid 5740 tgid 5740 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] __free_pages_prepare mm/page_alloc.c:1404 [inline] __free_frozen_pages+0xfa6/0x10f0 mm/page_alloc.c:2945 __slab_free+0x252/0x2a0 mm/slub.c:5608 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x99/0x100 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4569 [inline] slab_alloc_node mm/slub.c:4898 [inline] kmem_cache_alloc_noprof+0x33b/0x680 mm/slub.c:4905 mt_alloc_one lib/maple_tree.c:139 [inline] mas_alloc_nodes+0x291/0x350 lib/maple_tree.c:1089 mas_preallocate+0x2d6/0x640 lib/maple_tree.c:4961 vma_iter_prealloc mm/vma.h:577 [inline] commit_merge+0x21a/0x660 mm/vma.c:754 vma_expand+0x87d/0xfa0 mm/vma.c:1219 relocate_vma_down+0x375/0x590 mm/vma_exec.c:59 setup_arg_pages+0x70a/0xbd0 fs/exec.c:690 load_elf_binary+0xc67/0x29b0 fs/binfmt_elf.c:1028 search_binary_handler fs/exec.c:1664 [inline] exec_binprm fs/exec.c:1696 [inline] bprm_execve+0x94a/0x1440 fs/exec.c:1748 do_execveat_common+0x50d/0x690 fs/exec.c:1846 __do_sys_execve fs/exec.c:1930 [inline] __se_sys_execve fs/exec.c:1924 [inline] __x64_sys_execve+0x97/0xc0 fs/exec.c:1924 Memory state around the buggy address: ffff8880391af280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880391af300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880391af380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880391af400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880391af480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Tested on: commit: d662a710 Merge tag 'dmaengine-7.1-rc1' of git://git.ke.. git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master console output: https://syzkaller.appspot.com/x/log.txt?x=146541ba580000 kernel config: https://syzkaller.appspot.com/x/.config?x=26671aec07bf6cc dashboard link: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=12e24702580000 ^ permalink raw reply [flat|nested] 26+ messages in thread
[parent not found: <177645401243.291533.1310891472323715606@gmail.com>]
* Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone [not found] <177645401243.291533.1310891472323715606@gmail.com> @ 2026-04-17 19:58 ` syzbot 0 siblings, 0 replies; 26+ messages in thread From: syzbot @ 2026-04-17 19:58 UTC (permalink / raw) To: linux-kernel, syzkaller-bugs, tristmd Hello, syzbot has tested the proposed patch and the reproducer did not trigger any issue: Reported-by: syzbot+ecf51a7ccb6b1394e90c@syzkaller.appspotmail.com Tested-by: syzbot+ecf51a7ccb6b1394e90c@syzkaller.appspotmail.com Tested on: commit: 59bd5ae0 Merge tag 'for-v7.1' of git://git.kernel.org/.. git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master console output: https://syzkaller.appspot.com/x/log.txt?x=17748fca580000 kernel config: https://syzkaller.appspot.com/x/.config?x=b44c9b54cc2c4033 dashboard link: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=17864702580000 Note: testing is done by a robot and is best-effort only. ^ permalink raw reply [flat|nested] 26+ messages in thread
end of thread, other threads:[~2026-04-18 9:06 UTC | newest]
Thread overview: 26+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-09-29 13:20 [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone syzbot
2026-04-15 6:59 ` syzbot
2026-04-15 9:06 ` syzbot
2026-04-17 12:41 ` Edward Adam Davis
2026-04-17 12:59 ` syzbot
2026-04-18 3:56 ` Edward Adam Davis
2026-04-18 5:37 ` syzbot
2026-04-18 4:35 ` Edward Adam Davis
2026-04-18 5:43 ` syzbot
2026-04-18 5:42 ` Edward Adam Davis
2026-04-18 5:50 ` syzbot
2026-04-18 5:49 ` Edward Adam Davis
2026-04-18 5:56 ` syzbot
2026-04-18 5:55 ` Edward Adam Davis
2026-04-18 6:10 ` syzbot
2026-04-18 6:07 ` Edward Adam Davis
2026-04-18 6:37 ` syzbot
2026-04-18 6:39 ` Edward Adam Davis
2026-04-18 8:53 ` syzbot
2026-04-18 9:05 ` [PATCH] jfs: Read returns only when the bio is done Edward Adam Davis
2026-04-17 14:20 ` Forwarded: [PATCH] jfs: fix use-after-free in lbmIODone by waiting for in-flight I/O syzbot
2026-04-17 16:22 ` Forwarded: Re: [syzbot] KASAN: slab-use-after-free Read in lbmIODone syzbot
2026-04-17 19:26 ` Forwarded: Re: [syzbot] [jfs?] " syzbot
[not found] <20260417142003.3369860-1-tristmd@gmail.com>
2026-04-17 16:37 ` syzbot
[not found] <177644292572.3792638.6921571003846559600@talencesecurity.com>
2026-04-17 18:36 ` syzbot
[not found] <177645401243.291533.1310891472323715606@gmail.com>
2026-04-17 19:58 ` syzbot
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox