[syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone

[syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    0f3be52b8e37 Merge branch 'for-next/core' into for-kernelci
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=17509ce2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=714d45b6135c308e
dashboard link: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a2c3b345c3da/disk-0f3be52b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/54368457365a/vmlinux-0f3be52b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3544cf9b3f24/Image-0f3be52b.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ecf51a7ccb6b1394e90c@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in lbmIODone+0xf68/0x12e8 fs/jfs/jfs_logmgr.c:2184
Read of size 4 at addr ffff0000fa465408 by task ksoftirqd/1/23

CPU: 1 UID: 0 PID: 23 Comm: ksoftirqd/1 Not tainted syzkaller #0 PREEMPT 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xa8/0x238 mm/kasan/report.c:378
 print_report+0x68/0x84 mm/kasan/report.c:482
 kasan_report+0xb0/0x110 mm/kasan/report.c:595
 __asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380
 lbmIODone+0xf68/0x12e8 fs/jfs/jfs_logmgr.c:2184
 bio_endio+0x858/0x894 block/bio.c:1651
 blk_update_request+0x474/0xba8 block/blk-mq.c:989
 blk_mq_end_request+0x54/0x88 block/blk-mq.c:1151
 lo_complete_rq+0x124/0x274 drivers/block/loop.c:314
 blk_complete_reqs block/blk-mq.c:1226 [inline]
 blk_done_softirq+0x11c/0x168 block/blk-mq.c:1231
 handle_softirqs+0x328/0xc88 kernel/softirq.c:579
 run_ksoftirqd+0x70/0xc0 kernel/softirq.c:968
 smpboot_thread_fn+0x4d8/0x9cc kernel/smpboot.c:160
 kthread+0x5fc/0x75c kernel/kthread.c:463
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844

Allocated by task 6893:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:562
 poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
 __kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:405
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __kmalloc_cache_noprof+0x2a4/0x3fc mm/slub.c:4407
 kmalloc_noprof include/linux/slab.h:905 [inline]
 lbmLogInit fs/jfs/jfs_logmgr.c:1822 [inline]
 lmLogInit+0x690/0x1a9c fs/jfs/jfs_logmgr.c:1270
 open_inline_log fs/jfs/jfs_logmgr.c:1175 [inline]
 lmLogOpen+0x41c/0xd5c fs/jfs/jfs_logmgr.c:1069
 jfs_mount_rw+0xe4/0x548 fs/jfs/jfs_mount.c:257
 jfs_fill_super+0x5d4/0xb6c fs/jfs/super.c:532
 get_tree_bdev_flags+0x360/0x414 fs/super.c:1692
 get_tree_bdev+0x2c/0x3c fs/super.c:1715
 jfs_get_tree+0x28/0x38 fs/jfs/super.c:635
 vfs_get_tree+0x90/0x28c fs/super.c:1815
 do_new_mount+0x278/0x7f4 fs/namespace.c:3808
 path_mount+0x5b4/0xde0 fs/namespace.c:4123
 do_mount fs/namespace.c:4136 [inline]
 __do_sys_mount fs/namespace.c:4347 [inline]
 __se_sys_mount fs/namespace.c:4324 [inline]
 __arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4324
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x254 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x5c/0x254 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:763
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596

Freed by task 6536:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:243 [inline]
 __kasan_slab_free+0x74/0x98 mm/kasan/common.c:275
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2422 [inline]
 slab_free mm/slub.c:4695 [inline]
 kfree+0x17c/0x474 mm/slub.c:4894
 lbmLogShutdown fs/jfs/jfs_logmgr.c:1865 [inline]
 lmLogShutdown+0x36c/0x700 fs/jfs/jfs_logmgr.c:1684
 lmLogClose+0x244/0x4c4 fs/jfs/jfs_logmgr.c:1460
 jfs_umount+0x26c/0x350 fs/jfs/jfs_umount.c:114
 jfs_put_super+0x90/0x188 fs/jfs/super.c:194
 generic_shutdown_super+0x12c/0x2b8 fs/super.c:643
 kill_block_super+0x44/0x90 fs/super.c:1766
 deactivate_locked_super+0xc4/0x12c fs/super.c:474
 deactivate_super+0xe0/0x100 fs/super.c:507
 cleanup_mnt+0x31c/0x3ac fs/namespace.c:1375
 __cleanup_mnt+0x20/0x30 fs/namespace.c:1382
 task_work_run+0x1dc/0x260 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop+0xfc/0x168 kernel/entry/common.c:43
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 arm64_exit_to_user_mode arch/arm64/kernel/entry-common.c:103 [inline]
 el0_svc+0x170/0x254 arch/arm64/kernel/entry-common.c:745
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:763
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596

The buggy address belongs to the object at ffff0000fa465400
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 8 bytes inside of
 freed 192-byte region [ffff0000fa465400, ffff0000fa4654c0)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13a465
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000000 ffff0000c00013c0 fffffdffc3070180 0000000000000004
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000fa465300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff0000fa465380: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
>ffff0000fa465400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff0000fa465480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff0000fa465500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit:    e6efabc0afca Add linux-next specific files for 20260414
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=161a18ce580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=56c2b36de3316f1b
dashboard link: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=107784ce580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e7099cbf73e4/disk-e6efabc0.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/439c402df1b9/vmlinux-e6efabc0.xz
kernel image: https://storage.googleapis.com/syzbot-assets/fc0c0175fc76/bzImage-e6efabc0.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/01761e564f3f/mount_0.gz
  fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=168401ba580000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ecf51a7ccb6b1394e90c@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in lbmIODone+0x1312/0x16c0 fs/jfs/jfs_logmgr.c:2192
Read of size 4 at addr ffff888032de1208 by task ksoftirqd/1/31

CPU: 1 UID: 0 PID: 31 Comm: ksoftirqd/1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description+0x55/0x1e0 mm/kasan/report.c:378
 print_report+0x58/0x70 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 lbmIODone+0x1312/0x16c0 fs/jfs/jfs_logmgr.c:2192
 blk_update_request+0x57e/0xe60 block/blk-mq.c:1016
 blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1178
 blk_complete_reqs block/blk-mq.c:1253 [inline]
 blk_done_softirq+0x10a/0x160 block/blk-mq.c:1258
 handle_softirqs+0x1de/0x6d0 kernel/softirq.c:622
 run_ksoftirqd+0x52/0x180 kernel/softirq.c:1076
 smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 6248:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __kmalloc_cache_noprof+0x3a6/0x690 mm/slub.c:5415
 kmalloc_noprof include/linux/slab.h:950 [inline]
 lbmLogInit fs/jfs/jfs_logmgr.c:1819 [inline]
 lmLogInit+0x3e5/0x1a00 fs/jfs/jfs_logmgr.c:1267
 open_inline_log fs/jfs/jfs_logmgr.c:1173 [inline]
 lmLogOpen+0x4e1/0xfa0 fs/jfs/jfs_logmgr.c:1067
 jfs_mount_rw+0xee/0x670 fs/jfs/jfs_mount.c:257
 jfs_fill_super+0x754/0xd80 fs/jfs/super.c:532
 get_tree_bdev_flags+0x431/0x4f0 fs/super.c:1694
 vfs_get_tree+0x92/0x2a0 fs/super.c:1754
 fc_mount fs/namespace.c:1193 [inline]
 do_new_mount_fc fs/namespace.c:3758 [inline]
 do_new_mount+0x341/0xd30 fs/namespace.c:3834
 do_mount fs/namespace.c:4167 [inline]
 __do_sys_mount fs/namespace.c:4399 [inline]
 __se_sys_mount+0x31d/0x420 fs/namespace.c:4376
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5959:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2689 [inline]
 slab_free mm/slub.c:6246 [inline]
 kfree+0x1c5/0x6c0 mm/slub.c:6561
 lbmLogShutdown fs/jfs/jfs_logmgr.c:1862 [inline]
 lmLogShutdown+0x456/0x850 fs/jfs/jfs_logmgr.c:1681
 lmLogClose+0x28a/0x520 fs/jfs/jfs_logmgr.c:1457
 jfs_umount+0x2fb/0x3d0 fs/jfs/jfs_umount.c:124
 jfs_put_super+0x8c/0x190 fs/jfs/super.c:194
 generic_shutdown_super+0x13d/0x2d0 fs/super.c:646
 kill_block_super+0x44/0x90 fs/super.c:1725
 deactivate_locked_super+0xbc/0x130 fs/super.c:476
 cleanup_mnt+0x437/0x4d0 fs/namespace.c:1312
 task_work_run+0x1d9/0x270 kernel/task_work.c:233
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 __exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
 exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:328 [inline]
 do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888032de1200
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 8 bytes inside of
 freed 256-byte region [ffff888032de1200, ffff888032de1300)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x32de0
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x80000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000040 ffff88801a02cb40 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
head: 0080000000000040 ffff88801a02cb40 dead000000000100 dead000000000122
head: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
head: 0080000000000001 ffffffffffffff81 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000002
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5948, tgid 5948 (syz-executor), ts 136932809553, free_ts 131716582127
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1858
 prep_new_page mm/page_alloc.c:1866 [inline]
 get_page_from_freelist+0x27d6/0x2850 mm/page_alloc.c:3946
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5226
 alloc_slab_page mm/slub.c:3278 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3467
 new_slab mm/slub.c:3525 [inline]
 refill_objects+0x33c/0x3d0 mm/slub.c:7251
 refill_sheaf mm/slub.c:2816 [inline]
 __pcs_replace_empty_main+0x373/0x720 mm/slub.c:4651
 alloc_from_pcs mm/slub.c:4749 [inline]
 slab_alloc_node mm/slub.c:4883 [inline]
 __do_kmalloc_node mm/slub.c:5294 [inline]
 __kmalloc_noprof+0x530/0x7b0 mm/slub.c:5307
 kmalloc_noprof include/linux/slab.h:954 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 fib_create_info+0x1723/0x31f0 net/ipv4/fib_semantics.c:1400
 fib_table_insert+0xc8/0x1b50 net/ipv4/fib_trie.c:1212
 fib_magic+0x434/0x510 net/ipv4/fib_frontend.c:1134
 fib_add_ifaddr+0x38d/0x5f0 net/ipv4/fib_frontend.c:1171
 fib_netdev_event+0x382/0x490 net/ipv4/fib_frontend.c:1516
 notifier_call_chain+0x1ad/0x3d0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2287 [inline]
 call_netdevice_notifiers net/core/dev.c:2301 [inline]
 __dev_notify_flags+0x1a9/0x310 net/core/dev.c:9849
 netif_change_flags+0xe8/0x1a0 net/core/dev.c:9878
 do_setlink+0xf82/0x4590 net/core/rtnetlink.c:3180
page last free pid 5958 tgid 5958 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1402 [inline]
 __free_frozen_pages+0xf9b/0x10f0 mm/page_alloc.c:2943
 __slab_free+0x252/0x2a0 mm/slub.c:5608
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x99/0x100 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4569 [inline]
 slab_alloc_node mm/slub.c:4898 [inline]
 kmem_cache_alloc_node_noprof+0x22a/0x6e0 mm/slub.c:4950
 __alloc_skb+0x1d0/0x7d0 net/core/skbuff.c:702
 alloc_skb include/linux/skbuff.h:1383 [inline]
 nlmsg_new include/net/netlink.h:1055 [inline]
 netlink_ack+0x146/0xa50 net/netlink/af_netlink.c:2487
 netlink_rcv_skb+0x2b6/0x4b0 net/netlink/af_netlink.c:2556
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x780/0x920 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:787 [inline]
 __sock_sendmsg net/socket.c:802 [inline]
 __sys_sendto+0x67f/0x710 net/socket.c:2265
 __do_sys_sendto net/socket.c:2272 [inline]
 __se_sys_sendto net/socket.c:2268 [inline]
 __x64_sys_sendto+0xde/0x100 net/socket.c:2268
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888032de1100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888032de1180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888032de1200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff888032de1280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888032de1300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit:    e6efabc0afca Add linux-next specific files for 20260414
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=17ee18ce580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=56c2b36de3316f1b
dashboard link: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11dc01ba580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=173bfb02580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e7099cbf73e4/disk-e6efabc0.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/439c402df1b9/vmlinux-e6efabc0.xz
kernel image: https://storage.googleapis.com/syzbot-assets/fc0c0175fc76/bzImage-e6efabc0.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/81df22d6836d/mount_0.gz
  fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=107dfcd2580000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ecf51a7ccb6b1394e90c@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in lbmIODone+0x1312/0x16c0 fs/jfs/jfs_logmgr.c:2192
Read of size 4 at addr ffff88802a45a608 by task ksoftirqd/1/31

CPU: 1 UID: 0 PID: 31 Comm: ksoftirqd/1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description+0x55/0x1e0 mm/kasan/report.c:378
 print_report+0x58/0x70 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 lbmIODone+0x1312/0x16c0 fs/jfs/jfs_logmgr.c:2192
 blk_update_request+0x57e/0xe60 block/blk-mq.c:1016
 blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1178
 blk_complete_reqs block/blk-mq.c:1253 [inline]
 blk_done_softirq+0x10a/0x160 block/blk-mq.c:1258
 handle_softirqs+0x1de/0x6d0 kernel/softirq.c:622
 run_ksoftirqd+0x52/0x180 kernel/softirq.c:1076
 smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 6106:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __kmalloc_cache_noprof+0x3a6/0x690 mm/slub.c:5415
 kmalloc_noprof include/linux/slab.h:950 [inline]
 lbmLogInit fs/jfs/jfs_logmgr.c:1819 [inline]
 lmLogInit+0x3e5/0x1a00 fs/jfs/jfs_logmgr.c:1267
 open_inline_log fs/jfs/jfs_logmgr.c:1173 [inline]
 lmLogOpen+0x4e1/0xfa0 fs/jfs/jfs_logmgr.c:1067
 jfs_mount_rw+0xee/0x670 fs/jfs/jfs_mount.c:257
 jfs_fill_super+0x754/0xd80 fs/jfs/super.c:532
 get_tree_bdev_flags+0x431/0x4f0 fs/super.c:1694
 vfs_get_tree+0x92/0x2a0 fs/super.c:1754
 fc_mount fs/namespace.c:1193 [inline]
 do_new_mount_fc fs/namespace.c:3758 [inline]
 do_new_mount+0x341/0xd30 fs/namespace.c:3834
 do_mount fs/namespace.c:4167 [inline]
 __do_sys_mount fs/namespace.c:4399 [inline]
 __se_sys_mount+0x31d/0x420 fs/namespace.c:4376
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5969:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2689 [inline]
 slab_free mm/slub.c:6246 [inline]
 kfree+0x1c5/0x6c0 mm/slub.c:6561
 lbmLogShutdown fs/jfs/jfs_logmgr.c:1862 [inline]
 lmLogShutdown+0x456/0x850 fs/jfs/jfs_logmgr.c:1681
 lmLogClose+0x28a/0x520 fs/jfs/jfs_logmgr.c:1457
 jfs_umount+0x2fb/0x3d0 fs/jfs/jfs_umount.c:124
 jfs_put_super+0x8c/0x190 fs/jfs/super.c:194
 generic_shutdown_super+0x13d/0x2d0 fs/super.c:646
 kill_block_super+0x44/0x90 fs/super.c:1725
 deactivate_locked_super+0xbc/0x130 fs/super.c:476
 cleanup_mnt+0x437/0x4d0 fs/namespace.c:1312
 task_work_run+0x1d9/0x270 kernel/task_work.c:233
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 __exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
 exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:328 [inline]
 do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88802a45a600
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 8 bytes inside of
 freed 256-byte region [ffff88802a45a600, ffff88802a45a700)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2a45a
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x80000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000040 ffff88801a02cb40 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
head: 0080000000000040 ffff88801a02cb40 dead000000000100 dead000000000122
head: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
head: 0080000000000001 ffffffffffffff81 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000002
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 155, tgid 155 (kworker/u8:6), ts 12504727555, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1858
 prep_new_page mm/page_alloc.c:1866 [inline]
 get_page_from_freelist+0x27d6/0x2850 mm/page_alloc.c:3946
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5226
 alloc_slab_page mm/slub.c:3278 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3467
 new_slab mm/slub.c:3525 [inline]
 refill_objects+0x33c/0x3d0 mm/slub.c:7251
 refill_sheaf mm/slub.c:2816 [inline]
 __pcs_replace_empty_main+0x373/0x720 mm/slub.c:4651
 alloc_from_pcs mm/slub.c:4749 [inline]
 slab_alloc_node mm/slub.c:4883 [inline]
 __kmalloc_cache_noprof+0x44e/0x690 mm/slub.c:5410
 kmalloc_noprof include/linux/slab.h:950 [inline]
 scsi_probe_and_add_lun+0x2f8/0x48e0 drivers/scsi/scsi_scan.c:1225
 __scsi_scan_target+0x1f0/0xe10 drivers/scsi/scsi_scan.c:1786
 scsi_scan_channel drivers/scsi/scsi_scan.c:1874 [inline]
 scsi_scan_host_selected+0x3d3/0x780 drivers/scsi/scsi_scan.c:1903
 do_scsi_scan_host drivers/scsi/scsi_scan.c:2036 [inline]
 do_scan_async+0x124/0x6f0 drivers/scsi/scsi_scan.c:2046
 async_run_entry_fn+0xa8/0x440 kernel/async.c:129
 process_one_work kernel/workqueue.c:3308 [inline]
 process_scheduled_works+0xb68/0x1910 kernel/workqueue.c:3399
 worker_thread+0xa90/0x1040 kernel/workqueue.c:3485
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88802a45a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88802a45a580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88802a45a600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff88802a45a680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802a45a700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone

[Edward Adam Davis]

#syz test: upstream master

diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index 306165e61438..054cc01e4579 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -1984,7 +1984,7 @@ static int lbmRead(struct jfs_log * log, int pn, struct lbuf ** bpp)
 		submit_bio(bio);
 	}
 
-	wait_event(bp->l_ioevent, (bp->l_flag != lbmREAD));
+	wait_event(bp->l_ioevent, (bp->l_flag == lbmDONE));
 
 	return 0;
 }

Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in lbmRead

INFO: task syz.0.17:6554 blocked for more than 143 seconds.
      Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.17        state:D stack:24224 pid:6554  tgid:6552  ppid:6447   task_flags:0x400140 flags:0x00080002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5387 [inline]
 __schedule+0x1681/0x54c0 kernel/sched/core.c:7188
 __schedule_loop kernel/sched/core.c:7267 [inline]
 schedule+0x164/0x360 kernel/sched/core.c:7282
 lbmRead+0x41d/0x620 fs/jfs/jfs_logmgr.c:1987
 lmLogInit+0xc31/0x1a00 fs/jfs/jfs_logmgr.c:1332
 open_inline_log fs/jfs/jfs_logmgr.c:1173 [inline]
 lmLogOpen+0x4e1/0xfa0 fs/jfs/jfs_logmgr.c:1067
 jfs_mount_rw+0xee/0x670 fs/jfs/jfs_mount.c:257
 jfs_fill_super+0x754/0xd80 fs/jfs/super.c:532
 get_tree_bdev_flags+0x431/0x4f0 fs/super.c:1694
 vfs_get_tree+0x92/0x2a0 fs/super.c:1754
 fc_mount fs/namespace.c:1193 [inline]
 do_new_mount_fc fs/namespace.c:3758 [inline]
 do_new_mount+0x341/0xd30 fs/namespace.c:3834
 do_mount fs/namespace.c:4167 [inline]
 __do_sys_mount fs/namespace.c:4383 [inline]
 __se_sys_mount+0x31d/0x420 fs/namespace.c:4360
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa8f8bfda8a
RSP: 002b:00007fa8f8255e58 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007fa8f8255ee0 RCX: 00007fa8f8bfda8a
RDX: 0000200000000400 RSI: 00002000000000c0 RDI: 00007fa8f8255ea0
RBP: 0000200000000400 R08: 00007fa8f8255ee0 R09: 000000000001c802
R10: 000000000001c802 R11: 0000000000000246 R12: 00002000000000c0
R13: 00007fa8f8255ea0 R14: 0000000000005f9a R15: 0000200000002740
 </TASK>

Showing all locks held in the system:
1 lock held by khungtaskd/38:
 #0: ffffffff8dfc7f00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:300 [inline]
 #0: ffffffff8dfc7f00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline]
 #0: ffffffff8dfc7f00 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6775
3 locks held by kworker/u9:0/59:
 #0: ffff88802a705138 ((wq_completion)hci2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3277 [inline]
 #0: ffff88802a705138 ((wq_completion)hci2){+.+.}-{0:0}, at: process_scheduled_works+0xa35/0x1860 kernel/workqueue.c:3385
 #1: ffffc9000125fc40 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3278 [inline]
 #1: ffffc9000125fc40 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0xa70/0x1860 kernel/workqueue.c:3385
 #2: ffff888038d10f80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x1d3/0x400 net/bluetooth/hci_sync.c:331
9 locks held by kworker/u8:11/2867:
2 locks held by getty/5561:
 #0: ffff8880389230a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
 #1: ffffc90003cbe2e0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x462/0x13a0 drivers/tty/n_tty.c:2211
1 lock held by syz.0.17/6554:
 #0: ffff8880395e20d0 (&type->s_umount_key#55/1){+.+.}-{4:4}, at: alloc_super+0x28c/0xac0 fs/super.c:345
1 lock held by syz.1.19/6613:
 #0: ffff88804e5d00d0 (&type->s_umount_key#55/1){+.+.}-{4:4}, at: alloc_super+0x28c/0xac0 fs/super.c:345
1 lock held by syz.2.28/6658:
 #0: ffff88805bffc0d0 (&type->s_umount_key#55/1){+.+.}-{4:4}, at: alloc_super+0x28c/0xac0 fs/super.c:345
2 locks held by syz-executor/6660:
 #0: ffff8880587a60d0 (&type->s_umount_key#56){+.+.}-{4:4}, at: __super_lock fs/super.c:58 [inline]
 #0: ffff8880587a60d0 (&type->s_umount_key#56){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:73 [inline]
 #0: ffff8880587a60d0 (&type->s_umount_key#56){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:508
 #1: ffffffff8e4545d8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1441
2 locks held by syz-executor/6692:
 #0: ffff888035d4e0d0 (&type->s_umount_key#56){+.+.}-{4:4}, at: __super_lock fs/super.c:58 [inline]
 #0: ffff888035d4e0d0 (&type->s_umount_key#56){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:73 [inline]
 #0: ffff888035d4e0d0 (&type->s_umount_key#56){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:508
 #1: ffffffff8e4545d8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1441
2 locks held by syz-executor/6720:
 #0: ffff88805a2500d0 (&type->s_umount_key#56){+.+.}-{4:4}, at: __super_lock fs/super.c:58 [inline]
 #0: ffff88805a2500d0 (&type->s_umount_key#56){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:73 [inline]
 #0: ffff88805a2500d0 (&type->s_umount_key#56){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:508
 #1: ffffffff8e4545d8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1441
2 locks held by syz-executor/6754:
 #0: ffff88803f6220d0 (&type->s_umount_key#56){+.+.}-{4:4}, at: __super_lock fs/super.c:58 [inline]
 #0: ffff88803f6220d0 (&type->s_umount_key#56){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:73 [inline]
 #0: ffff88803f6220d0 (&type->s_umount_key#56){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:508
 #1: ffffffff8e4545d8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1441
1 lock held by syz.7.41/6809:
 #0: ffff8880365f80d0 (&type->s_umount_key#55/1){+.+.}-{4:4}, at: alloc_super+0x28c/0xac0 fs/super.c:345
1 lock held by syz.8.42/6838:
 #0: ffff8880399d60d0 (&type->s_umount_key#55/1){+.+.}-{4:4}, at: alloc_super+0x28c/0xac0 fs/super.c:345

=============================================

NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 38 Comm: khungtaskd Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 nmi_cpu_backtrace+0x274/0x2d0 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x17a/0x300 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
 __sys_info lib/sys_info.c:157 [inline]
 sys_info+0x135/0x170 lib/sys_info.c:165
 check_hung_uninterruptible_tasks kernel/hung_task.c:353 [inline]
 watchdog+0xfd3/0x1030 kernel/hung_task.c:561
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 2867 Comm: kworker/u8:11 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Workqueue: events_unbound cfg80211_wiphy_work
RIP: 0010:reacquire_held_locks+0xf6/0x190 kernel/locking/lockdep.c:5385
Code: e2 01 89 c1 c1 e9 10 83 e1 03 41 89 c0 41 c1 e8 12 41 83 e0 01 41 89 c1 41 c1 e9 13 41 83 e1 01 c1 e8 15 45 8b 16 6a 00 41 52 <50> 41 ff 76 e4 41 ff 76 f4 e8 8c 9f ff ff 48 83 c4 28 83 f8 01 0f
RSP: 0018:ffffc9000e707820 EFLAGS: 00000046
RAX: 0000000000000000 RBX: ffffc9000e707884 RCX: 0000000000000002
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8dfc7f00
RBP: 00000000ffffffff R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: fffffbfff1f16d97 R12: 0000000000000004
R13: 0000000000000004 R14: ffff8880324968fc R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88812610f000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055555dbfc4e8 CR3: 000000000ddb6000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __lock_release kernel/locking/lockdep.c:5574 [inline]
 lock_release+0x199/0x3c0 kernel/locking/lockdep.c:5889
 __local_bh_enable_ip+0x98/0x2b0 kernel/softirq.c:268
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 spin_unlock_bh include/linux/spinlock_rt.h:116 [inline]
 ieee80211_ibss_work+0x344/0x10d0 net/mac80211/ibss.c:1656
 cfg80211_wiphy_work+0x2cf/0x460 net/wireless/core.c:513
 process_one_work kernel/workqueue.c:3302 [inline]
 process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3385
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3466
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>


Tested on:

commit:         43cfbdda Merge tag 'for-linus-iommufd' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11621906580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4660d1ff2985517b
dashboard link: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1732d8ce580000

Forwarded: [PATCH] jfs: fix use-after-free in lbmIODone by waiting for in-flight I/O

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] jfs: fix use-after-free in lbmIODone by waiting for in-flight I/O
Author: tristmd@gmail.com

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

From b8abd9772daa211b13c6db417c5c09495e688c61 Mon Sep 17 00:00:00 2001
From: Tristan Madani <tristan@talencesecurity.com>
Date: Fri, 17 Apr 2026 14:19:45 +0000
Subject: [PATCH] jfs: fix use-after-free in lbmIODone by waiting for in-flight
 I/O

lbmLogShutdown() frees all log buffer heads from the freelist, but does
not wait for outstanding block I/O completions. When a log buffer write
is submitted via lbmStartIO() and the filesystem is unmounted before the
bio completes, lbmIODone() runs against a freed lbuf, causing a
use-after-free read.

Add an atomic I/O counter (io_count) to struct jfs_log. Increment it
in lbmStartIO() before submit_bio(), decrement it in lbmIODone() after
processing. In lbmLogShutdown(), wait for io_count to reach zero before
freeing buffer heads, ensuring no in-flight I/O references freed memory.

Reported-by: syzbot+ecf51a7ccb6b1394e90c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
 fs/jfs/jfs_logmgr.c | 15 ++++++++++++++-
 fs/jfs/jfs_logmgr.h |  3 +++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index 306165e61..e309e1bbb 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -1805,6 +1805,9 @@ static int lbmLogInit(struct jfs_log * log)
 	 */
 	init_waitqueue_head(&log->free_wait);
 
+	atomic_set(&log->io_count, 0);
+	init_waitqueue_head(&log->io_wait);
+
 	log->lbuf_free = NULL;
 
 	for (i = 0; i < LOGPAGES;) {
@@ -1855,6 +1858,8 @@ static void lbmLogShutdown(struct jfs_log * log)
 
 	jfs_info("lbmLogShutdown: log:0x%p", log);
 
+	wait_event(log->io_wait, atomic_read(&log->io_count) == 0);
+
 	lbuf = log->lbuf_free;
 	while (lbuf) {
 		struct lbuf *next = lbuf->l_freelist;
@@ -2128,6 +2133,7 @@ static void lbmStartIO(struct lbuf * bp)
 		bio->bi_iter.bi_size = 0;
 		lbmIODone(bio);
 	} else {
+		atomic_inc(&log->io_count);
 		submit_bio(bio);
 		INCREMENT(lmStat.submitted);
 	}
@@ -2170,12 +2176,16 @@ static void lbmIODone(struct bio *bio)
 	struct lbuf *nextbp, *tail;
 	struct jfs_log *log;
 	unsigned long flags;
+	int is_write;
 
 	/*
 	 * get back jfs buffer bound to the i/o buffer
 	 */
 	jfs_info("lbmIODone: bp:0x%p flag:0x%x", bp, bp->l_flag);
 
+	log = bp->l_log;
+	is_write = !(bp->l_flag & lbmREAD);
+
 	LCACHE_LOCK(flags);		/* disable+lock */
 
 	if (bio->bi_status) {
@@ -2214,7 +2224,6 @@ static void lbmIODone(struct bio *bio)
 	INCREMENT(lmStat.pagedone);
 
 	/* update committed lsn */
-	log = bp->l_log;
 	log->clsn = (bp->l_pn << L2LOGPSIZE) + bp->l_ceor;
 
 	if (bp->l_flag & lbmDIRECT) {
@@ -2299,6 +2308,10 @@ static void lbmIODone(struct bio *bio)
 out:
 	bp->l_flag |= lbmDONE;
 	LCACHE_UNLOCK(flags);
+
+	if (is_write && !log->no_integrity)
+		if (atomic_dec_and_test(&log->io_count))
+			wake_up(&log->io_wait);
 }
 
 int jfsIOWait(void *arg)
diff --git a/fs/jfs/jfs_logmgr.h b/fs/jfs/jfs_logmgr.h
index 09e0ef6ae..50388562b 100644
--- a/fs/jfs/jfs_logmgr.h
+++ b/fs/jfs/jfs_logmgr.h
@@ -400,6 +400,9 @@ struct jfs_log {
 	uuid_t uuid;		/* 16: 128-bit uuid of log device */
 
 	int no_integrity;	/* 3: flag to disable journaling to disk */
+
+	atomic_t io_count;	/* outstanding I/O count */
+	wait_queue_head_t io_wait;	/* wait for all I/O to complete */
 };
 
 /*
-- 
2.47.3

Forwarded: Re: [syzbot] KASAN: slab-use-after-free Read in lbmIODone

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] KASAN: slab-use-after-free Read in lbmIODone
Author: tristmd@gmail.com

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
>From 9fd2228641cd56d9e735211ce0d2decfd03aaaa9 Mon Sep 17 00:00:00 2001
From: Tristan Madani <tristan@talencesecurity.com>
Date: Fri, 17 Apr 2026 16:15:16 +0000
Subject: [PATCH] jfs: fix use-after-free in lbmIODone by waiting for in-flight
 I/O
lbmLogShutdown() frees all log buffer heads without waiting for
outstanding block I/O completions. When a write bio submitted via
lbmStartIO() completes after the buffers are freed, lbmIODone()
dereferences the freed struct lbuf via bio->bi_private.
Add an atomic io_count and wait_queue_head_t to struct jfs_log.
Increment before submit_bio(), decrement after processing in
lbmIODone(), and wait in lbmLogShutdown() for io_count == 0
before freeing.
Reported-by: syzbot+ecf51a7ccb6b1394e90c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
 fs/jfs/jfs_logmgr.c | 15 ++++++++++++++-
 fs/jfs/jfs_logmgr.h |  3 +++
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index 306165e..e309e1b 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -1805,6 +1805,9 @@ static int lbmLogInit(struct jfs_log * log)
 	 */
 	init_waitqueue_head(&log->free_wait);
 
+	atomic_set(&log->io_count, 0);
+	init_waitqueue_head(&log->io_wait);
+
 	log->lbuf_free = NULL;
 
 	for (i = 0; i < LOGPAGES;) {
@@ -1855,6 +1858,8 @@ static void lbmLogShutdown(struct jfs_log * log)
 
 	jfs_info("lbmLogShutdown: log:0x%p", log);
 
+	wait_event(log->io_wait, atomic_read(&log->io_count) == 0);
+
 	lbuf = log->lbuf_free;
 	while (lbuf) {
 		struct lbuf *next = lbuf->l_freelist;
@@ -2128,6 +2133,7 @@ static void lbmStartIO(struct lbuf * bp)
 		bio->bi_iter.bi_size = 0;
 		lbmIODone(bio);
 	} else {
+		atomic_inc(&log->io_count);
 		submit_bio(bio);
 		INCREMENT(lmStat.submitted);
 	}
@@ -2170,12 +2176,16 @@ static void lbmIODone(struct bio *bio)
 	struct lbuf *nextbp, *tail;
 	struct jfs_log *log;
 	unsigned long flags;
+	int is_write;
 
 	/*
 	 * get back jfs buffer bound to the i/o buffer
 	 */
 	jfs_info("lbmIODone: bp:0x%p flag:0x%x", bp, bp->l_flag);
 
+	log = bp->l_log;
+	is_write = !(bp->l_flag & lbmREAD);
+
 	LCACHE_LOCK(flags);		/* disable+lock */
 
 	if (bio->bi_status) {
@@ -2214,7 +2224,6 @@ static void lbmIODone(struct bio *bio)
 	INCREMENT(lmStat.pagedone);
 
 	/* update committed lsn */
-	log = bp->l_log;
 	log->clsn = (bp->l_pn << L2LOGPSIZE) + bp->l_ceor;
 
 	if (bp->l_flag & lbmDIRECT) {
@@ -2299,6 +2308,10 @@ static void lbmIODone(struct bio *bio)
 out:
 	bp->l_flag |= lbmDONE;
 	LCACHE_UNLOCK(flags);
+
+	if (is_write && !log->no_integrity)
+		if (atomic_dec_and_test(&log->io_count))
+			wake_up(&log->io_wait);
 }
 
 int jfsIOWait(void *arg)
diff --git a/fs/jfs/jfs_logmgr.h b/fs/jfs/jfs_logmgr.h
index 09e0ef6..6fa7d9f 100644
--- a/fs/jfs/jfs_logmgr.h
+++ b/fs/jfs/jfs_logmgr.h
@@ -400,6 +400,9 @@ struct jfs_log {
 	uuid_t uuid;		/* 16: 128-bit uuid of log device */
 
 	int no_integrity;	/* 3: flag to disable journaling to disk */
+
+	atomic_t io_count;		/* outstanding I/O count */
+	wait_queue_head_t io_wait;	/* wait for all I/O to complete */
 };
 
 /*
-- 
2.47.3

Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in blk_update_request

==================================================================
BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:132 [inline]
BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0x40/0x60 kernel/locking/spinlock.c:166
Read of size 1 at addr ffff888029ea23a8 by task syz-execprog/6206

CPU: 1 UID: 0 PID: 6206 Comm: syz-execprog Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description+0x55/0x1e0 mm/kasan/report.c:378
 print_report+0x58/0x70 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:574
 kasan_check_byte include/linux/kasan.h:402 [inline]
 lock_acquire+0x84/0x350 kernel/locking/lockdep.c:5842
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:132 [inline]
 _raw_spin_lock_irqsave+0x40/0x60 kernel/locking/spinlock.c:166
 rtlock_slowlock kernel/locking/rtmutex.c:1910 [inline]
 rtlock_lock kernel/locking/spinlock_rt.c:43 [inline]
 __rt_spin_lock kernel/locking/spinlock_rt.c:49 [inline]
 rt_spin_lock+0x157/0x400 kernel/locking/spinlock_rt.c:57
 spin_lock include/linux/spinlock_rt.h:45 [inline]
 __wake_up_common_lock+0x2f/0x1e0 kernel/sched/wait.c:124
 blk_update_request+0x57e/0xe60 block/blk-mq.c:1016
 blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1178
 blk_complete_reqs block/blk-mq.c:1253 [inline]
 blk_done_softirq+0x10a/0x160 block/blk-mq.c:1258
 handle_softirqs+0x1de/0x6d0 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 __local_bh_enable_ip+0x170/0x2b0 kernel/softirq.c:302
 lock_sock include/net/sock.h:1713 [inline]
 tcp_recvmsg+0xdb/0x530 net/ipv4/tcp.c:2947
 sock_recvmsg_nosec net/socket.c:1137 [inline]
 sock_recvmsg+0xfa/0x1b0 net/socket.c:1159
 sock_read_iter+0x25a/0x330 net/socket.c:1229
 new_sync_read fs/read_write.c:493 [inline]
 vfs_read+0x58b/0xa80 fs/read_write.c:574
 ksys_read+0x156/0x270 fs/read_write.c:717
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x40d3ce
Code: ff cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 49 89 f2 48 89 fa 48 89 ce 48 89 df 0f 05 <48> 3d 01 f0 ff ff 76 15 48 f7 d8 48 89 c1 48 c7 c0 ff ff ff ff 48
RSP: 002b:00002b0cf6eef3d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 000000000040d3ce
RDX: 0000000001e71274 RSI: 00002b0cf7180000 RDI: 0000000000000006
RBP: 00002b0cf6eef418 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffed587ed60
R13: 0000000000000001 R14: 00002b0cf6d672c0 R15: 0000000000000001
 </TASK>

Allocated by task 6803:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __kmalloc_cache_noprof+0x3a6/0x690 mm/slub.c:5415
 kmalloc_noprof include/linux/slab.h:950 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 open_inline_log fs/jfs/jfs_logmgr.c:1157 [inline]
 lmLogOpen+0x2d1/0xfa0 fs/jfs/jfs_logmgr.c:1067
 jfs_mount_rw+0xee/0x670 fs/jfs/jfs_mount.c:257
 jfs_fill_super+0x754/0xd80 fs/jfs/super.c:532
 get_tree_bdev_flags+0x431/0x4f0 fs/super.c:1694
 vfs_get_tree+0x92/0x2a0 fs/super.c:1754
 fc_mount fs/namespace.c:1193 [inline]
 do_new_mount_fc fs/namespace.c:3758 [inline]
 do_new_mount+0x341/0xd30 fs/namespace.c:3834
 do_mount fs/namespace.c:4167 [inline]
 __do_sys_mount fs/namespace.c:4383 [inline]
 __se_sys_mount+0x31d/0x420 fs/namespace.c:4360
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 6544:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2689 [inline]
 slab_free mm/slub.c:6246 [inline]
 kfree+0x1c5/0x6c0 mm/slub.c:6561
 lmLogClose+0x297/0x520 fs/jfs/jfs_logmgr.c:-1
 jfs_umount+0x2fb/0x3d0 fs/jfs/jfs_umount.c:124
 jfs_put_super+0x8c/0x190 fs/jfs/super.c:194
 generic_shutdown_super+0x13d/0x2d0 fs/super.c:646
 kill_block_super+0x44/0x90 fs/super.c:1725
 deactivate_locked_super+0xbc/0x130 fs/super.c:476
 cleanup_mnt+0x437/0x4d0 fs/namespace.c:1312
 task_work_run+0x1d9/0x270 kernel/task_work.c:233
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 __exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
 exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:328 [inline]
 do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888029ea2000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 936 bytes inside of
 freed 2048-byte region [ffff888029ea2000, ffff888029ea2800)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888029ea1000 pfn:0x29ea0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x80000000000240(workingset|head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000240 ffff88801a01f000 ffffea0000e8dc10 ffffea0000cb5810
raw: ffff888029ea1000 0000000800080006 00000000f5000000 0000000000000000
head: 0080000000000240 ffff88801a01f000 ffffea0000e8dc10 ffffea0000cb5810
head: ffff888029ea1000 0000000800080006 00000000f5000000 0000000000000000
head: 0080000000000003 fffffffffffffe01 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd28c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3872, tgid 3872 (kworker/u8:15), ts 89329858437, free_ts 89297441219
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1860
 prep_new_page mm/page_alloc.c:1868 [inline]
 get_page_from_freelist+0x27c8/0x2840 mm/page_alloc.c:3948
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5228
 alloc_slab_page mm/slub.c:3278 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3467
 new_slab mm/slub.c:3525 [inline]
 refill_objects+0x33c/0x3d0 mm/slub.c:7251
 refill_sheaf mm/slub.c:2816 [inline]
 __pcs_replace_empty_main+0x373/0x720 mm/slub.c:4651
 alloc_from_pcs mm/slub.c:4749 [inline]
 slab_alloc_node mm/slub.c:4883 [inline]
 __do_kmalloc_node mm/slub.c:5294 [inline]
 __kmalloc_node_track_caller_noprof+0x60b/0x7e0 mm/slub.c:5403
 kmalloc_reserve net/core/skbuff.c:635 [inline]
 pskb_expand_head+0x230/0x1390 net/core/skbuff.c:2302
 netlink_trim+0x1b3/0x2c0 net/netlink/af_netlink.c:1299
 netlink_broadcast_filtered+0x80/0xea0 net/netlink/af_netlink.c:1512
 nlmsg_multicast_filtered include/net/netlink.h:1165 [inline]
 nlmsg_multicast include/net/netlink.h:1184 [inline]
 nlmsg_notify+0xf0/0x1a0 net/netlink/af_netlink.c:2593
 netif_state_change+0x297/0x3a0 net/core/dev.c:1605
 __linkwatch_run_queue+0x575/0x850 net/core/link_watch.c:240
 linkwatch_event+0x4c/0x60 net/core/link_watch.c:314
 process_one_work kernel/workqueue.c:3302 [inline]
 process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3385
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3466
page last free pid 5861 tgid 5861 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1404 [inline]
 __free_frozen_pages+0xfa6/0x10f0 mm/page_alloc.c:2945
 __slab_free+0x252/0x2a0 mm/slub.c:5608
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x99/0x100 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4569 [inline]
 slab_alloc_node mm/slub.c:4898 [inline]
 kmem_cache_alloc_lru_noprof+0x33c/0x680 mm/slub.c:4917
 sock_alloc_inode+0x2c/0x190 net/socket.c:328
 alloc_inode+0x6a/0x1b0 fs/inode.c:345
 new_inode_pseudo include/linux/fs.h:3022 [inline]
 sock_alloc net/socket.c:697 [inline]
 __sock_create+0x12d/0x9d0 net/socket.c:1628
 sock_create net/socket.c:1722 [inline]
 __sys_socket_create net/socket.c:1759 [inline]
 __sys_socket+0xd6/0x1b0 net/socket.c:1806
 __do_sys_socket net/socket.c:1820 [inline]
 __se_sys_socket net/socket.c:1818 [inline]
 __x64_sys_socket+0x7a/0x90 net/socket.c:1818
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888029ea2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888029ea2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888029ea2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff888029ea2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888029ea2480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit:         43cfbdda Merge tag 'for-linus-iommufd' of git://git.ke..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=16d3f036580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4660d1ff2985517b
dashboard link: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=11c4a4ce580000

Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in rtlock_slowlock_locked

==================================================================
BUG: KASAN: slab-use-after-free in __raw_spin_lock_irq include/linux/spinlock_api_smp.h:142 [inline]
BUG: KASAN: slab-use-after-free in _raw_spin_lock_irq+0x3d/0x50 kernel/locking/spinlock.c:174
Read of size 1 at addr ffff8880391af3a8 by task ksoftirqd/1/30

CPU: 1 UID: 0 PID: 30 Comm: ksoftirqd/1 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description+0x55/0x1e0 mm/kasan/report.c:378
 print_report+0x58/0x70 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:574
 kasan_check_byte include/linux/kasan.h:402 [inline]
 lock_acquire+0x84/0x350 kernel/locking/lockdep.c:5842
 __raw_spin_lock_irq include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock_irq+0x3d/0x50 kernel/locking/spinlock.c:174
 rtlock_slowlock_locked+0x3640/0x3c80 kernel/locking/rtmutex.c:1887
 rtlock_slowlock kernel/locking/rtmutex.c:1911 [inline]
 rtlock_lock kernel/locking/spinlock_rt.c:43 [inline]
 __rt_spin_lock kernel/locking/spinlock_rt.c:49 [inline]
 rt_spin_lock+0x165/0x400 kernel/locking/spinlock_rt.c:57
 spin_lock include/linux/spinlock_rt.h:45 [inline]
 __wake_up_common_lock+0x2f/0x1e0 kernel/sched/wait.c:124
 blk_update_request+0x57e/0xe60 block/blk-mq.c:1016
 blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1178
 blk_complete_reqs block/blk-mq.c:1253 [inline]
 blk_done_softirq+0x10a/0x160 block/blk-mq.c:1258
 handle_softirqs+0x1de/0x6d0 kernel/softirq.c:622
 run_ksoftirqd+0x52/0x180 kernel/softirq.c:1076
 smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 7581:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __kmalloc_cache_noprof+0x3a6/0x690 mm/slub.c:5415
 kmalloc_noprof include/linux/slab.h:950 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 open_inline_log fs/jfs/jfs_logmgr.c:1157 [inline]
 lmLogOpen+0x2d1/0xfa0 fs/jfs/jfs_logmgr.c:1067
 jfs_mount_rw+0xee/0x670 fs/jfs/jfs_mount.c:257
 jfs_fill_super+0x754/0xd80 fs/jfs/super.c:532
 get_tree_bdev_flags+0x431/0x4f0 fs/super.c:1694
 vfs_get_tree+0x92/0x2a0 fs/super.c:1754
 fc_mount fs/namespace.c:1193 [inline]
 do_new_mount_fc fs/namespace.c:3758 [inline]
 do_new_mount+0x341/0xd30 fs/namespace.c:3834
 do_mount fs/namespace.c:4167 [inline]
 __do_sys_mount fs/namespace.c:4383 [inline]
 __se_sys_mount+0x31d/0x420 fs/namespace.c:4360
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 6578:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2689 [inline]
 slab_free mm/slub.c:6246 [inline]
 kfree+0x1c5/0x6c0 mm/slub.c:6561
 lmLogClose+0x297/0x520 fs/jfs/jfs_logmgr.c:-1
 jfs_umount+0x2fb/0x3d0 fs/jfs/jfs_umount.c:124
 jfs_put_super+0x8c/0x190 fs/jfs/super.c:194
 generic_shutdown_super+0x13d/0x2d0 fs/super.c:646
 kill_block_super+0x44/0x90 fs/super.c:1725
 deactivate_locked_super+0xbc/0x130 fs/super.c:476
 cleanup_mnt+0x437/0x4d0 fs/namespace.c:1312
 task_work_run+0x1d9/0x270 kernel/task_work.c:233
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 __exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
 exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:328 [inline]
 do_syscall_64+0x33e/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff8880391af000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 936 bytes inside of
 freed 2048-byte region [ffff8880391af000, ffff8880391af800)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880391a8000 pfn:0x391a8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x80000000000240(workingset|head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000240 ffff88801a01f000 ffffea000081f610 ffffea0000ad4010
raw: ffff8880391a8000 0000000800080006 00000000f5000000 0000000000000000
head: 0080000000000240 ffff88801a01f000 ffffea000081f610 ffffea0000ad4010
head: ffff8880391a8000 0000000800080006 00000000f5000000 0000000000000000
head: 0080000000000003 fffffffffffffe01 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1246, tgid 1246 (kworker/0:3), ts 92650036638, free_ts 65245208477
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1860
 prep_new_page mm/page_alloc.c:1868 [inline]
 get_page_from_freelist+0x27c8/0x2840 mm/page_alloc.c:3948
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5228
 alloc_slab_page mm/slub.c:3278 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3467
 new_slab mm/slub.c:3525 [inline]
 refill_objects+0x33c/0x3d0 mm/slub.c:7251
 refill_sheaf mm/slub.c:2816 [inline]
 __pcs_replace_empty_main+0x373/0x720 mm/slub.c:4651
 alloc_from_pcs mm/slub.c:4749 [inline]
 slab_alloc_node mm/slub.c:4883 [inline]
 __do_kmalloc_node mm/slub.c:5294 [inline]
 __kmalloc_node_track_caller_noprof+0x60b/0x7e0 mm/slub.c:5403
 kmalloc_reserve net/core/skbuff.c:635 [inline]
 __alloc_skb+0x2c1/0x7d0 net/core/skbuff.c:713
 alloc_skb include/linux/skbuff.h:1383 [inline]
 mld_newpack+0x14c/0xc90 net/ipv6/mcast.c:1775
 add_grhead+0x5a/0x2a0 net/ipv6/mcast.c:1886
 add_grec+0x1452/0x1740 net/ipv6/mcast.c:2025
 mld_send_cr net/ipv6/mcast.c:2148 [inline]
 mld_ifc_work+0x6e6/0xe70 net/ipv6/mcast.c:2693
 process_one_work kernel/workqueue.c:3302 [inline]
 process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3385
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3466
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
page last free pid 5740 tgid 5740 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1404 [inline]
 __free_frozen_pages+0xfa6/0x10f0 mm/page_alloc.c:2945
 __slab_free+0x252/0x2a0 mm/slub.c:5608
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x99/0x100 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4569 [inline]
 slab_alloc_node mm/slub.c:4898 [inline]
 kmem_cache_alloc_noprof+0x33b/0x680 mm/slub.c:4905
 mt_alloc_one lib/maple_tree.c:139 [inline]
 mas_alloc_nodes+0x291/0x350 lib/maple_tree.c:1089
 mas_preallocate+0x2d6/0x640 lib/maple_tree.c:4961
 vma_iter_prealloc mm/vma.h:577 [inline]
 commit_merge+0x21a/0x660 mm/vma.c:754
 vma_expand+0x87d/0xfa0 mm/vma.c:1219
 relocate_vma_down+0x375/0x590 mm/vma_exec.c:59
 setup_arg_pages+0x70a/0xbd0 fs/exec.c:690
 load_elf_binary+0xc67/0x29b0 fs/binfmt_elf.c:1028
 search_binary_handler fs/exec.c:1664 [inline]
 exec_binprm fs/exec.c:1696 [inline]
 bprm_execve+0x94a/0x1440 fs/exec.c:1748
 do_execveat_common+0x50d/0x690 fs/exec.c:1846
 __do_sys_execve fs/exec.c:1930 [inline]
 __se_sys_execve fs/exec.c:1924 [inline]
 __x64_sys_execve+0x97/0xc0 fs/exec.c:1924

Memory state around the buggy address:
 ffff8880391af280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880391af300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880391af380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff8880391af400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880391af480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit:         d662a710 Merge tag 'dmaengine-7.1-rc1' of git://git.ke..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=146541ba580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=26671aec07bf6cc
dashboard link: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12e24702580000

Forwarded: Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone
Author: tristmd@gmail.com

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index XXXXXXX..XXXXXXX 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -1805,6 +1805,8 @@ static int lbmLogInit(struct jfs_log * log)
 	 */
 	init_waitqueue_head(&log->free_wait);
 
+	atomic_set(&log->io_count, 0);
+
 	log->lbuf_free = NULL;
 
 	for (i = 0; i < LOGPAGES;) {
@@ -1855,6 +1857,8 @@ static void lbmLogShutdown(struct jfs_log * log)
 
 	jfs_info("lbmLogShutdown: log:0x%p", log);
 
+	wait_var_event(&log->io_count, atomic_read(&log->io_count) == 0);
+
 	lbuf = log->lbuf_free;
 	while (lbuf) {
 		struct lbuf *next = lbuf->l_freelist;
@@ -2128,6 +2132,7 @@ static void lbmStartIO(struct lbuf * bp)
 		bio->bi_iter.bi_size = 0;
 		lbmIODone(bio);
 	} else {
+		atomic_inc(&log->io_count);
 		submit_bio(bio);
 		INCREMENT(lmStat.submitted);
 	}
@@ -2170,12 +2175,16 @@ static void lbmIODone(struct bio *bio)
 	struct lbuf *nextbp, *tail;
 	struct jfs_log *log;
 	unsigned long flags;
+	int is_write;
 
 	/*
 	 * get back jfs buffer bound to the i/o buffer
 	 */
 	jfs_info("lbmIODone: bp:0x%p flag:0x%x", bp, bp->l_flag);
 
+	log = bp->l_log;
+	is_write = !(bp->l_flag & lbmREAD);
+
 	LCACHE_LOCK(flags);		/* disable+lock */
 
 	if (bio->bi_status) {
@@ -2214,7 +2223,6 @@ static void lbmIODone(struct bio *bio)
 	INCREMENT(lmStat.pagedone);
 
 	/* update committed lsn */
-	log = bp->l_log;
 	log->clsn = (bp->l_pn << L2LOGPSIZE) + bp->l_ceor;
 
 	if (bp->l_flag & lbmDIRECT) {
@@ -2299,6 +2307,10 @@ static void lbmIODone(struct bio *bio)
 out:
 	bp->l_flag |= lbmDONE;
 	LCACHE_UNLOCK(flags);
+
+	if (is_write && !log->no_integrity)
+		if (atomic_dec_and_test(&log->io_count))
+			wake_up_var(&log->io_count);
 }
 
 int jfsIOWait(void *arg)
diff --git a/fs/jfs/jfs_logmgr.h b/fs/jfs/jfs_logmgr.h
index XXXXXXX..XXXXXXX 100644
--- a/fs/jfs/jfs_logmgr.h
+++ b/fs/jfs/jfs_logmgr.h
@@ -400,6 +400,8 @@ struct jfs_log {
 	uuid_t uuid;		/* 16: 128-bit uuid of log device */
 
 	int no_integrity;	/* 3: flag to disable journaling to disk */
+
+	atomic_t io_count;	/* outstanding I/O count for shutdown drain */
 };
 
 /*

Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+ecf51a7ccb6b1394e90c@syzkaller.appspotmail.com
Tested-by: syzbot+ecf51a7ccb6b1394e90c@syzkaller.appspotmail.com

Tested on:

commit:         59bd5ae0 Merge tag 'for-v7.1' of git://git.kernel.org/..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=17748fca580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=b44c9b54cc2c4033
dashboard link: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17864702580000

Note: testing is done by a robot and is best-effort only.

Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone

[Edward Adam Davis]

#syz test: upstream master

diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index 5f31c12f4607..69b9d161b783 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -1984,7 +1984,7 @@ static int lbmRead(struct jfs_log * log, int pn, struct lbuf ** bpp)
 		submit_bio(bio);
 	}
 
-	wait_event(bp->l_ioevent, (bp->l_flag == lbmDONE));
+	wait_event(bp->l_ioevent, (bp->l_flag & lbmDONE));
 
 	return 0;
 }

Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone

[Edward Adam Davis]

#syz test: upstream master

diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index 5f31c12f4607..f795f19d24bb 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -1984,7 +1984,7 @@ static int lbmRead(struct jfs_log * log, int pn, struct lbuf ** bpp)
 		submit_bio(bio);
 	}
 
-	wait_event(bp->l_ioevent, (bp->l_flag == lbmDONE));
+	wait_event(bp->l_ioevent, (bp->l_flag & lbmDONE));
 
 	return 0;
 }
@@ -2192,11 +2192,6 @@ static void lbmIODone(struct bio *bio)
 	if (bp->l_flag & lbmREAD) {
 		bp->l_flag &= ~lbmREAD;
 
-		LCACHE_UNLOCK(flags);
-		/* wakeup I/O initiator */
-		LCACHE_WAKEUP(&bp->l_ioevent);
-		LCACHE_LOCK(flags);		/* disable+lock */
-
 		goto out;
 	}
 
@@ -2219,10 +2214,8 @@ static void lbmIODone(struct bio *bio)
 	log = bp->l_log;
 	log->clsn = (bp->l_pn << L2LOGPSIZE) + bp->l_ceor;
 
-	if (bp->l_flag & lbmDIRECT) {
-		LCACHE_WAKEUP(&bp->l_ioevent);
+	if (bp->l_flag & lbmDIRECT)
 		goto out;
-	}
 
 	tail = log->wqueue;
 
@@ -2273,10 +2266,7 @@ static void lbmIODone(struct bio *bio)
 	 * leave buffer for i/o initiator to dispose
 	 */
 	if (bp->l_flag & lbmSYNC) {
-		LCACHE_UNLOCK(flags);
-		/* wakeup I/O initiator */
-		LCACHE_WAKEUP(&bp->l_ioevent);
-		LCACHE_LOCK(flags);		/* disable+lock */
+		goto out;
 	}
 
 	/*
@@ -2302,6 +2292,8 @@ static void lbmIODone(struct bio *bio)
 
 out:
 	bp->l_flag |= lbmDONE;
+	/* wakeup I/O initiator */
+	LCACHE_WAKEUP(&bp->l_ioevent);
 	LCACHE_UNLOCK(flags);
 }
 

Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file fs/jfs/jfs_logmgr.c
Hunk #1 FAILED at 1984.
1 out of 1 hunk FAILED



Tested on:

commit:         8541d8f7 Merge tag 'mtd/for-7.1' of git://git.kernel.o..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=4660d1ff2985517b
dashboard link: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c
compiler:       
patch:          https://syzkaller.appspot.com/x/patch.diff?x=16580836580000

Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone

[Edward Adam Davis]

#syz test

diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index 5f31c12f4607..f795f19d24bb 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -1984,7 +1984,7 @@ static int lbmRead(struct jfs_log * log, int pn, struct lbuf ** bpp)
 		submit_bio(bio);
 	}
 
-	wait_event(bp->l_ioevent, (bp->l_flag == lbmDONE));
+	wait_event(bp->l_ioevent, (bp->l_flag & lbmDONE));
 
 	return 0;
 }
@@ -2192,11 +2192,6 @@ static void lbmIODone(struct bio *bio)
 	if (bp->l_flag & lbmREAD) {
 		bp->l_flag &= ~lbmREAD;
 
-		LCACHE_UNLOCK(flags);
-		/* wakeup I/O initiator */
-		LCACHE_WAKEUP(&bp->l_ioevent);
-		LCACHE_LOCK(flags);		/* disable+lock */
-
 		goto out;
 	}
 
@@ -2219,10 +2214,8 @@ static void lbmIODone(struct bio *bio)
 	log = bp->l_log;
 	log->clsn = (bp->l_pn << L2LOGPSIZE) + bp->l_ceor;
 
-	if (bp->l_flag & lbmDIRECT) {
-		LCACHE_WAKEUP(&bp->l_ioevent);
+	if (bp->l_flag & lbmDIRECT)
 		goto out;
-	}
 
 	tail = log->wqueue;
 
@@ -2273,10 +2266,7 @@ static void lbmIODone(struct bio *bio)
 	 * leave buffer for i/o initiator to dispose
 	 */
 	if (bp->l_flag & lbmSYNC) {
-		LCACHE_UNLOCK(flags);
-		/* wakeup I/O initiator */
-		LCACHE_WAKEUP(&bp->l_ioevent);
-		LCACHE_LOCK(flags);		/* disable+lock */
+		goto out;
 	}
 
 	/*
@@ -2302,6 +2292,8 @@ static void lbmIODone(struct bio *bio)
 
 out:
 	bp->l_flag |= lbmDONE;
+	/* wakeup I/O initiator */
+	LCACHE_WAKEUP(&bp->l_ioevent);
 	LCACHE_UNLOCK(flags);
 }
 

Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file fs/jfs/jfs_logmgr.c
Hunk #1 FAILED at 1984.
Hunk #2 FAILED at 2192.
Hunk #3 succeeded at 2217 (offset -2 lines).
Hunk #4 FAILED at 2271.
Hunk #5 succeeded at 2296 (offset -4 lines).
3 out of 5 hunks FAILED



Tested on:

commit:         8541d8f7 Merge tag 'mtd/for-7.1' of git://git.kernel.o..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=4660d1ff2985517b
dashboard link: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c
compiler:       
patch:          https://syzkaller.appspot.com/x/patch.diff?x=16f80836580000

Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone

[Edward Adam Davis]

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master

diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index 5f31c12f4607..f795f19d24bb 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -1984,7 +1984,7 @@ static int lbmRead(struct jfs_log * log, int pn, struct lbuf ** bpp)
 		submit_bio(bio);
 	}
 
-	wait_event(bp->l_ioevent, (bp->l_flag == lbmDONE));
+	wait_event(bp->l_ioevent, (bp->l_flag & lbmDONE));
 
 	return 0;
 }
@@ -2192,11 +2192,6 @@ static void lbmIODone(struct bio *bio)
 	if (bp->l_flag & lbmREAD) {
 		bp->l_flag &= ~lbmREAD;
 
-		LCACHE_UNLOCK(flags);
-		/* wakeup I/O initiator */
-		LCACHE_WAKEUP(&bp->l_ioevent);
-		LCACHE_LOCK(flags);		/* disable+lock */
-
 		goto out;
 	}
 
@@ -2219,10 +2214,8 @@ static void lbmIODone(struct bio *bio)
 	log = bp->l_log;
 	log->clsn = (bp->l_pn << L2LOGPSIZE) + bp->l_ceor;
 
-	if (bp->l_flag & lbmDIRECT) {
-		LCACHE_WAKEUP(&bp->l_ioevent);
+	if (bp->l_flag & lbmDIRECT)
 		goto out;
-	}
 
 	tail = log->wqueue;
 
@@ -2273,10 +2266,7 @@ static void lbmIODone(struct bio *bio)
 	 * leave buffer for i/o initiator to dispose
 	 */
 	if (bp->l_flag & lbmSYNC) {
-		LCACHE_UNLOCK(flags);
-		/* wakeup I/O initiator */
-		LCACHE_WAKEUP(&bp->l_ioevent);
-		LCACHE_LOCK(flags);		/* disable+lock */
+		goto out;
 	}
 
 	/*
@@ -2302,6 +2292,8 @@ static void lbmIODone(struct bio *bio)
 
 out:
 	bp->l_flag |= lbmDONE;
+	/* wakeup I/O initiator */
+	LCACHE_WAKEUP(&bp->l_ioevent);
 	LCACHE_UNLOCK(flags);
 }
 

Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file fs/jfs/jfs_logmgr.c
Hunk #1 FAILED at 1984.
Hunk #2 FAILED at 2192.
Hunk #3 succeeded at 2217 (offset -2 lines).
Hunk #4 FAILED at 2271.
Hunk #5 succeeded at 2296 (offset -4 lines).
3 out of 5 hunks FAILED



Tested on:

commit:         8541d8f7 Merge tag 'mtd/for-7.1' of git://git.kernel.o..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=4660d1ff2985517b
dashboard link: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c
compiler:       
patch:          https://syzkaller.appspot.com/x/patch.diff?x=108f24ce580000

Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone

[Edward Adam Davis]

#syz test: upstream master

diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index ada00d5bc214..729baf49a048 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -1986,7 +1986,7 @@ static int lbmRead(struct jfs_log * log, int pn, struct lbuf ** bpp)
 		submit_bio(bio);
 	}
 
-	wait_event(bp->l_ioevent, (bp->l_flag != lbmREAD));
+	wait_event(bp->l_ioevent, (bp->l_flag & lbmDONE));
 
 	return 0;
 }
@@ -2180,7 +2180,6 @@ static void lbmIODone(struct bio *bio)
 
 	LCACHE_LOCK(flags);		/* disable+lock */
 
-	bp->l_flag |= lbmDONE;
 
 	if (bio->bi_status) {
 		bp->l_flag |= lbmERROR;
@@ -2196,12 +2195,7 @@ static void lbmIODone(struct bio *bio)
 	if (bp->l_flag & lbmREAD) {
 		bp->l_flag &= ~lbmREAD;
 
-		LCACHE_UNLOCK(flags);	/* unlock+enable */
-
-		/* wakeup I/O initiator */
-		LCACHE_WAKEUP(&bp->l_ioevent);
-
-		return;
+		goto out;
 	}
 
 	/*
@@ -2224,9 +2218,7 @@ static void lbmIODone(struct bio *bio)
 	log->clsn = (bp->l_pn << L2LOGPSIZE) + bp->l_ceor;
 
 	if (bp->l_flag & lbmDIRECT) {
-		LCACHE_WAKEUP(&bp->l_ioevent);
-		LCACHE_UNLOCK(flags);
-		return;
+		goto out;
 	}
 
 	tail = log->wqueue;
@@ -2278,10 +2270,7 @@ static void lbmIODone(struct bio *bio)
 	 * leave buffer for i/o initiator to dispose
 	 */
 	if (bp->l_flag & lbmSYNC) {
-		LCACHE_UNLOCK(flags);	/* unlock+enable */
-
-		/* wakeup I/O initiator */
-		LCACHE_WAKEUP(&bp->l_ioevent);
+		goto out;
 	}
 
 	/*
@@ -2290,6 +2279,7 @@ static void lbmIODone(struct bio *bio)
 	else if (bp->l_flag & lbmGC) {
 		LCACHE_UNLOCK(flags);
 		lmPostGC(bp);
+		LCACHE_LOCK(flags);		/* disable+lock */
 	}
 
 	/*
@@ -2302,9 +2292,12 @@ static void lbmIODone(struct bio *bio)
 		assert(bp->l_flag & lbmRELEASE);
 		assert(bp->l_flag & lbmFREE);
 		lbmfree(bp);
-
-		LCACHE_UNLOCK(flags);	/* unlock+enable */
 	}
+out:
+	bp->l_flag |= lbmDONE;
+	/* wakeup I/O initiator */
+	LCACHE_WAKEUP(&bp->l_ioevent);
+	LCACHE_UNLOCK(flags);	/* unlock+enable */
 }
 
 int jfsIOWait(void *arg)

Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file fs/jfs/jfs_logmgr.c
Hunk #1 FAILED at 1984.
Hunk #2 FAILED at 2192.
Hunk #3 succeeded at 2217 (offset -2 lines).
Hunk #4 FAILED at 2271.
Hunk #5 succeeded at 2296 (offset -4 lines).
3 out of 5 hunks FAILED



Tested on:

commit:         c7275b05 Add linux-next specific files for 20260417
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
kernel config:  https://syzkaller.appspot.com/x/.config?x=4660d1ff2985517b
dashboard link: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c
compiler:       
patch:          https://syzkaller.appspot.com/x/patch.diff?x=174f24ce580000

Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone

[Edward Adam Davis]

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master

diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index 306165e61438..f795f19d24bb 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -1984,7 +1984,7 @@ static int lbmRead(struct jfs_log * log, int pn, struct lbuf ** bpp)
 		submit_bio(bio);
 	}
 
-	wait_event(bp->l_ioevent, (bp->l_flag != lbmREAD));
+	wait_event(bp->l_ioevent, (bp->l_flag & lbmDONE));
 
 	return 0;
 }
@@ -2192,9 +2192,6 @@ static void lbmIODone(struct bio *bio)
 	if (bp->l_flag & lbmREAD) {
 		bp->l_flag &= ~lbmREAD;
 
-		/* wakeup I/O initiator */
-		LCACHE_WAKEUP(&bp->l_ioevent);
-
 		goto out;
 	}
 
@@ -2217,10 +2214,8 @@ static void lbmIODone(struct bio *bio)
 	log = bp->l_log;
 	log->clsn = (bp->l_pn << L2LOGPSIZE) + bp->l_ceor;
 
-	if (bp->l_flag & lbmDIRECT) {
-		LCACHE_WAKEUP(&bp->l_ioevent);
+	if (bp->l_flag & lbmDIRECT)
 		goto out;
-	}
 
 	tail = log->wqueue;
 
@@ -2271,8 +2266,7 @@ static void lbmIODone(struct bio *bio)
 	 * leave buffer for i/o initiator to dispose
 	 */
 	if (bp->l_flag & lbmSYNC) {
-		/* wakeup I/O initiator */
-		LCACHE_WAKEUP(&bp->l_ioevent);
+		goto out;
 	}
 
 	/*
@@ -2298,6 +2292,8 @@ static void lbmIODone(struct bio *bio)
 
 out:
 	bp->l_flag |= lbmDONE;
+	/* wakeup I/O initiator */
+	LCACHE_WAKEUP(&bp->l_ioevent);
 	LCACHE_UNLOCK(flags);
 }
 

Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file fs/jfs/jfs_logmgr.c
Hunk #1 succeeded at 1984 (offset -2 lines).
Hunk #2 FAILED at 2180.
Hunk #3 FAILED at 2196.
Hunk #4 FAILED at 2224.
Hunk #5 FAILED at 2278.
Hunk #6 FAILED at 2290.
Hunk #7 FAILED at 2302.
6 out of 7 hunks FAILED



Tested on:

commit:         8541d8f7 Merge tag 'mtd/for-7.1' of git://git.kernel.o..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=4660d1ff2985517b
dashboard link: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c
compiler:       
patch:          https://syzkaller.appspot.com/x/patch.diff?x=142f24ce580000

Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+ecf51a7ccb6b1394e90c@syzkaller.appspotmail.com
Tested-by: syzbot+ecf51a7ccb6b1394e90c@syzkaller.appspotmail.com

Tested on:

commit:         c7275b05 Add linux-next specific files for 20260417
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=145842d2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8d583ddcf2981d2a
dashboard link: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1604c1ba580000

Note: testing is done by a robot and is best-effort only.

Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone

[Edward Adam Davis]

#syz test: upstream master

diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index 306165e61438..cbe3878ff886 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -1984,7 +1984,7 @@ static int lbmRead(struct jfs_log * log, int pn, struct lbuf ** bpp)
 		submit_bio(bio);
 	}
 
-	wait_event(bp->l_ioevent, (bp->l_flag != lbmREAD));
+	wait_event(bp->l_ioevent, (bp->l_flag & lbmDONE));
 
 	return 0;
 }
@@ -2192,9 +2192,6 @@ static void lbmIODone(struct bio *bio)
 	if (bp->l_flag & lbmREAD) {
 		bp->l_flag &= ~lbmREAD;
 
-		/* wakeup I/O initiator */
-		LCACHE_WAKEUP(&bp->l_ioevent);
-
 		goto out;
 	}
 
@@ -2218,7 +2215,6 @@ static void lbmIODone(struct bio *bio)
 	log->clsn = (bp->l_pn << L2LOGPSIZE) + bp->l_ceor;
 
 	if (bp->l_flag & lbmDIRECT) {
-		LCACHE_WAKEUP(&bp->l_ioevent);
 		goto out;
 	}
 
@@ -2271,8 +2267,7 @@ static void lbmIODone(struct bio *bio)
 	 * leave buffer for i/o initiator to dispose
 	 */
 	if (bp->l_flag & lbmSYNC) {
-		/* wakeup I/O initiator */
-		LCACHE_WAKEUP(&bp->l_ioevent);
+		goto out;
 	}
 
 	/*
@@ -2298,6 +2293,8 @@ static void lbmIODone(struct bio *bio)
 
 out:
 	bp->l_flag |= lbmDONE;
+	/* wakeup I/O initiator */
+	LCACHE_WAKEUP(&bp->l_ioevent);
 	LCACHE_UNLOCK(flags);
 }
 

Re: [syzbot] [jfs?] KASAN: slab-use-after-free Read in lbmIODone

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+ecf51a7ccb6b1394e90c@syzkaller.appspotmail.com
Tested-by: syzbot+ecf51a7ccb6b1394e90c@syzkaller.appspotmail.com

Tested on:

commit:         8541d8f7 Merge tag 'mtd/for-7.1' of git://git.kernel.o..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12a8a4ce580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=ecb532db4f89a3a6
dashboard link: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=14936f16580000

Note: testing is done by a robot and is best-effort only.

[PATCH] jfs: Read returns only when the bio is done

[Edward Adam Davis]

Fixed the sequencing of setting the DONE flag and waking up the ioevent.
The ioevent wakeup must occur after the DONE flag has been set, and while
under the protection of the jfsLCacheLock. This ensures that when the
thread associated with wait_event() resumes execution (e.g., in lbmRead/
Write/IOWait, etc.), it will strictly avoid accessing any content related
to the bio, simultaneously, this guarantees the stable and proper shutdown
of subsequent log I/O operations.

Fixes: b15e4310633f ("jfs: Set the lbmDone flag at the end of lbmIODone")
Reported-by: syzbot+ecf51a7ccb6b1394e90c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ecf51a7ccb6b1394e90c
Tested-by: syzbot+ecf51a7ccb6b1394e90c@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 fs/jfs/jfs_logmgr.c | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index 306165e61438..f795f19d24bb 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -1984,7 +1984,7 @@ static int lbmRead(struct jfs_log * log, int pn, struct lbuf ** bpp)
 		submit_bio(bio);
 	}
 
-	wait_event(bp->l_ioevent, (bp->l_flag != lbmREAD));
+	wait_event(bp->l_ioevent, (bp->l_flag & lbmDONE));
 
 	return 0;
 }
@@ -2192,9 +2192,6 @@ static void lbmIODone(struct bio *bio)
 	if (bp->l_flag & lbmREAD) {
 		bp->l_flag &= ~lbmREAD;
 
-		/* wakeup I/O initiator */
-		LCACHE_WAKEUP(&bp->l_ioevent);
-
 		goto out;
 	}
 
@@ -2217,10 +2214,8 @@ static void lbmIODone(struct bio *bio)
 	log = bp->l_log;
 	log->clsn = (bp->l_pn << L2LOGPSIZE) + bp->l_ceor;
 
-	if (bp->l_flag & lbmDIRECT) {
-		LCACHE_WAKEUP(&bp->l_ioevent);
+	if (bp->l_flag & lbmDIRECT)
 		goto out;
-	}
 
 	tail = log->wqueue;
 
@@ -2271,8 +2266,7 @@ static void lbmIODone(struct bio *bio)
 	 * leave buffer for i/o initiator to dispose
 	 */
 	if (bp->l_flag & lbmSYNC) {
-		/* wakeup I/O initiator */
-		LCACHE_WAKEUP(&bp->l_ioevent);
+		goto out;
 	}
 
 	/*
@@ -2298,6 +2292,8 @@ static void lbmIODone(struct bio *bio)
 
 out:
 	bp->l_flag |= lbmDONE;
+	/* wakeup I/O initiator */
+	LCACHE_WAKEUP(&bp->l_ioevent);
 	LCACHE_UNLOCK(flags);
 }
 
-- 
2.43.0