Forwarded: Re: [PATCH v2 2/2] jfs: wait for in-flight log I/O before freeing lbufs in lbmLogShutdown

[syzbot <syzbot+885a4f3281b8d99c48d8@syzkaller.appspotmail.com>]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [PATCH v2 2/2] jfs: wait for in-flight log I/O before freeing lbufs in lbmLogShutdown
Author: tristmd@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

>From f8c2cc086d8f3f38d3a30402d093d7be05fb7397 Mon Sep 17 00:00:00 2001
From: Tristan Madani <tristan@talencesecurity.com>
Date: Wed, 6 May 2026 08:27:02 +0000
Subject: [PATCH] jfs: fix lbmLogShutdown race with redriven log buffers

lbmRedrive() adds a log buffer to the global log_redrive_list and wakes
jfsIOthread, but does not increment the log io_count.  This creates a
window where io_count reaches zero while redriven buffers are still
pending on the list.  If lbmLogShutdown() observes io_count == 0 in
this window, it proceeds to free all lbufs while jfsIOWait() later
dequeues and dereferences them, causing a use-after-free:

    lbmIODone(bp)
      lbmRedrive(nextbp)      <-- nextbp added to list, io_count not bumped
      atomic_dec(io_count)     <-- io_count drops to 0
    lbmLogShutdown()
      wait_event(io_count==0)  <-- satisfied, frees all lbufs
    jfsIOWait()
      bp = log_redrive_list    <-- UAF: bp already freed

Fix this by incrementing io_count in lbmRedrive() before adding the
buffer to the redrive list, and cancelling the reference in jfsIOWait()
after lbmStartIO() has taken its own.  This keeps io_count elevated for
the entire time a buffer sits on the redrive list.

Fixes: 69cbc1419b1a ("jfs: wait for in-flight log I/O before freeing lbufs in lbmLogShutdown")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
 fs/jfs/jfs_logmgr.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index 95e95f71ec0fa..fa3de31d9c682 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -1949,6 +1949,9 @@ static inline void lbmRedrive(struct lbuf *bp)
 {
 	unsigned long flags;
 
+	/* keep io_count elevated while bp is on the redrive list */
+	atomic_inc(&bp->l_log->io_count);
+
 	spin_lock_irqsave(&log_redrive_lock, flags);
 	bp->l_redrive_next = log_redrive_list;
 	log_redrive_list = bp;
@@ -2324,7 +2327,14 @@ int jfsIOWait(void *arg)
 			log_redrive_list = bp->l_redrive_next;
 			bp->l_redrive_next = NULL;
 			spin_unlock_irq(&log_redrive_lock);
-			lbmStartIO(bp);
+			{
+				struct jfs_log *log = bp->l_log;
+
+				lbmStartIO(bp);
+				/* cancel redrive ref; lbmStartIO took its own */
+				if (atomic_dec_and_test(&log->io_count))
+					wake_up(&log->io_done_wait);
+			}
 			spin_lock_irq(&log_redrive_lock);
 		}
 
-- 
2.47.3