From: Tristan Madani
To: shaggy@kernel.org
Cc: jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org, syzbot+ecf51a7ccb6b1394e90c@syzkaller.appspotmail.com
Subject: [PATCH] jfs: fix use-after-free in lbmIODone
Date: Sat, 18 Apr 2026 13:07:35 +0000
Message-ID: <20260418130735.979106-1-tristmd@gmail.com>

From: Tristan Madani

lbmIODone() wakes up the I/O initiator in multiple paths before it has finished accessing the lbuf structure. The initiator can then free the lbuf while lbmIODone() is still running, leading to a use-after-free.

Fix by deferring all wakeups to the common exit path after the lbmDONE flag is set. Change the wait condition to check for lbmDONE rather than !lbmREAD, so the waiter only proceeds after lbmIODone() has completely finished with the buffer.

Reported-by: syzbot+ecf51a7ccb6b1394e90c@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Tristan Madani
---
fs/jfs/jfs_logmgr.c | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c index 306165e61438c..cbe3878ff8867 100644 --- a/fs/jfs/jfs_logmgr.c +++ b/fs/jfs/jfs_logmgr.c @@ -1984,7 +1984,7 @@ static int lbmRead(struct jfs_log * log, int pn, stru= ct lbuf ** bpp) submit_bio(bio); } =20 - wait_event(bp->l_ioevent, (bp->l_flag !=3D lbmREAD)); + wait_event(bp->l_ioevent, (bp->l_flag & lbmDONE)); =20 return 0; } 
@@ -2192,9 +2192,6 @@ static void lbmIODone(struct bio *bio) if (bp->l_flag & lbmREAD) { bp->l_flag &=3D ~lbmREAD; =20 - /* wakeup I/O initiator */ - LCACHE_WAKEUP(&bp->l_ioevent); - goto out; } =20 @@ -2218,7 +2215,6 @@ static void lbmIODone(struct bio *bio) log->clsn =3D (bp->l_pn << L2LOGPSIZE) + bp->l_ceor; =20 if (bp->l_flag & lbmDIRECT) { - LCACHE_WAKEUP(&bp->l_ioevent); goto out; } =20 @@ -2271,8 +2267,7 @@ static void lbmIODone(struct bio *bio) * leave buffer for i/o initiator to dispose */ if (bp->l_flag & lbmSYNC) { - /* wakeup I/O initiator */ - LCACHE_WAKEUP(&bp->l_ioevent); + goto out; } =20 /* @@ -2298,6 +2293,8 @@ static void lbmIODone(struct bio *bio) =20 out: bp->l_flag |=3D lbmDONE; + /* wakeup I/O initiator */ + LCACHE_WAKEUP(&bp->l_ioevent); LCACHE_UNLOCK(flags); } =20 --=20 2.47.3
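Review bot: in the lbmRead() hunk, the new wait condition `(bp->l_flag & lbmDONE)` is only safe if lbmDONE is clear when the wait begins; the hunk does not show where l_flag is initialised for the buffer returned by the allocator, so please confirm it is reset there, because a reused lbuf with a stale lbmDONE bit would make wait_event() return before the read completes. The changelog would also be clearer if it said why the old test `bp->l_flag != lbmREAD` was unsafe: it became true as soon as lbmIODone() cleared lbmREAD, before lbmDONE was set, so the waiter could proceed (and free bp) while the completion handler was still using it, wherever the wakeup call sat.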
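Review bot: the lbmREAD block now clears the flag and jumps straight to `out:`, which is fine, but lbmRead() now waits only for lbmDONE, so the I/O error path of lbmIODone() (not in this hunk) must also fall through to `out:` for a failed read to wake its initiator; please confirm that, or note it in the commit message.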
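Review bot: with the wakeup removed, the lbmDIRECT block is a single statement in braces; kernel style would collapse it to `if (bp->l_flag & lbmDIRECT) goto out;`.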
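Review bot: in the lbmSYNC hunk the `/* wakeup I/O initiator */` comment is replaced by a bare `goto out;` in braces, so a reader sees the sync case apparently drop its wakeup; collapse it to `if (bp->l_flag & lbmSYNC) goto out;` and extend the comment above ("leave buffer for i/o initiator to dispose") to say that the initiator is woken at `out:` once lbmDONE is set.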
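Review bot: the `out:` ordering `bp->l_flag |= lbmDONE; LCACHE_WAKEUP(&bp->l_ioevent); LCACHE_UNLOCK(flags);` only closes the race if nothing after the wakeup dereferences bp; `LCACHE_UNLOCK(flags)` takes just the saved flags, which suggests the lock is not embedded in the lbuf, but the commit message should state that explicitly, together with the fact that the lbmRead() waiter uses plain wait_event() without that lock, since the wakeup-after-lbmDONE ordering is then the only thing keeping the waiter from freeing bp under the handler.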