From: Tristan Madani <tristan@talencesecurity.com>

lbmIODone() wakes up the I/O initiator in multiple paths before it has
finished accessing the lbuf structure. The initiator can then free the
lbuf while lbmIODone() is still running, leading to a use-after-free.

Fix by deferring all wakeups to the common exit path after the lbmDONE
flag is set. Change the wait condition to check for lbmDONE rather than
!lbmREAD, so the waiter only proceeds after lbmIODone() has completely
finished with the buffer.

Reported-by: syzbot+ecf51a7ccb6b1394e90c@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
 fs/jfs/jfs_logmgr.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index 306165e61438c..cbe3878ff8867 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -1984,7 +1984,7 @@ static int lbmRead(struct jfs_log * log, int pn, struct lbuf ** bpp)
 		submit_bio(bio);
 	}
 
-	wait_event(bp->l_ioevent, (bp->l_flag != lbmREAD));
+	wait_event(bp->l_ioevent, (bp->l_flag & lbmDONE));
 
 	return 0;
 }
@@ -2192,9 +2192,6 @@ static void lbmIODone(struct bio *bio)
 	if (bp->l_flag & lbmREAD) {
 		bp->l_flag &= ~lbmREAD;
 
-		/* wakeup I/O initiator */
-		LCACHE_WAKEUP(&bp->l_ioevent);
-
 		goto out;
 	}
 
@@ -2218,7 +2215,6 @@ static void lbmIODone(struct bio *bio)
 	log->clsn = (bp->l_pn << L2LOGPSIZE) + bp->l_ceor;
 
 	if (bp->l_flag & lbmDIRECT) {
-		LCACHE_WAKEUP(&bp->l_ioevent);
 		goto out;
 	}
 
@@ -2271,8 +2267,7 @@ static void lbmIODone(struct bio *bio)
 	 * leave buffer for i/o initiator to dispose
 	 */
 	if (bp->l_flag & lbmSYNC) {
-		/* wakeup I/O initiator */
-		LCACHE_WAKEUP(&bp->l_ioevent);
+		goto out;
 	}
 
 	/*
@@ -2298,6 +2293,8 @@ static void lbmIODone(struct bio *bio)
 
 out:
 	bp->l_flag |= lbmDONE;
+	/* wakeup I/O initiator */
+	LCACHE_WAKEUP(&bp->l_ioevent);
 	LCACHE_UNLOCK(flags);
 }
 
-- 
2.47.3