1. Patchew
  2. linux
  3. View series

[PATCH] jfs: fix use-after-free in jfs_lazycommit

l1za0.sec@gmail.com posted 1 patch 1 month ago 
fs/jfs/jfs_txnmgr.c | 29 +++++++++++++++++++++++++++++
fs/jfs/jfs_txnmgr.h |  1 +
fs/jfs/jfs_umount.c |  9 +++++++++
3 files changed, 39 insertions(+)
[PATCH] jfs: fix use-after-free in jfs_lazycommit
Posted by l1za0.sec@gmail.com 1 month ago 
From: Haocheng Yu <l1za0.sec@gmail.com>

A KASAN: slab-use-after-free Read in jfs_lazycommit is found
by a modified Syzkaller-based kernel fuzzing tool that we developed.

This issue is caused by a race condition between
fs/jfs/jfs_txnmgr.c:jfs_lazycommit() and
fs/jfs/super.c:jfs_put_super(). In jfs_lazycommit(), the commit
thread reads struct jfs_sb_info from tblk->sb and accesses
sbi->commit_state. At the same time, if another thread unmounts the
file system and frees the corresponding sbi, then jfs_lazycommit()
might access a freed sbi and trigger a use-after-free read.

To fix this vulnerability, call txQuiesce() and txDrain() in
jfs_umount() and jfs_umount_rw() before freeing JFS state.

Signed-off-by: Haocheng Yu <l1za0.sec@gmail.com>
---
 fs/jfs/jfs_txnmgr.c | 29 +++++++++++++++++++++++++++++
 fs/jfs/jfs_txnmgr.h |  1 +
 fs/jfs/jfs_umount.c |  9 +++++++++
 3 files changed, 39 insertions(+)

diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
index 083dbbb0c326..3aa7f5787688 100644
--- a/fs/jfs/jfs_txnmgr.c
+++ b/fs/jfs/jfs_txnmgr.c
@@ -2874,6 +2874,35 @@ void txResume(struct super_block *sb)
 	TXN_WAKEUP(&log->syncwait);
 }
 
+void txDrain(struct super_block *sb)
+{
+	struct jfs_sb_info *sbi = JFS_SBI(sb);
+	struct tblock *tblk;
+	unsigned long flags;
+	bool pending;
+
+	for (;;) {
+		pending = false;
+		LAZY_LOCK(flags);
+		if (sbi->commit_state & IN_LAZYCOMMIT) {
+			pending = true;
+		} else {
+			list_for_each_entry(tblk, &TxAnchor.unlock_queue, cqueue) {
+				if (tblk->sb == sb) {
+					pending = true;
+					break;
+				}
+			}
+		}
+		LAZY_UNLOCK(flags);
+
+		if (!pending)
+			return;
+
+		schedule_timeout_uninterruptible(1);
+	}
+}
+
 /*
  *	jfs_sync(void)
  *
diff --git a/fs/jfs/jfs_txnmgr.h b/fs/jfs/jfs_txnmgr.h
index ba71eb5ced56..55cda4aa3691 100644
--- a/fs/jfs/jfs_txnmgr.h
+++ b/fs/jfs/jfs_txnmgr.h
@@ -293,6 +293,7 @@ extern int lmLog(struct jfs_log *, struct tblock *, struct lrd *,
 extern void txQuiesce(struct super_block *);
 extern void txResume(struct super_block *);
 extern void txLazyUnlock(struct tblock *);
+extern void txDrain(struct super_block *sb);
 extern int jfs_lazycommit(void *);
 extern int jfs_sync(void *);
 #endif				/* _H_JFS_TXNMGR */
diff --git a/fs/jfs/jfs_umount.c b/fs/jfs/jfs_umount.c
index 18569f1eaabd..6d332c8b85be 100644
--- a/fs/jfs/jfs_umount.c
+++ b/fs/jfs/jfs_umount.c
@@ -23,6 +23,7 @@
 #include "jfs_logmgr.h"
 #include "jfs_metapage.h"
 #include "jfs_debug.h"
+#include "jfs_txnmgr.h"
 
 /*
  * NAME:	jfs_umount(vfsp, flags, crp)
@@ -52,11 +53,17 @@ int jfs_umount(struct super_block *sb)
 	 *
 	 * if mounted read-write and log based recovery was enabled
 	 */
+
 	if ((log = sbi->log))
+		txQuiesce(sb);
+
+	if (log)
 		/*
 		 * Wait for outstanding transactions to be written to log:
 		 */
 		jfs_flush_journal(log, 2);
+
+	txDrain(sb);
 
 	/*
 	 * Hold log lock so write_special_inodes (lmLogSync) cannot see
@@ -141,7 +148,9 @@ int jfs_umount_rw(struct super_block *sb)
 	 *
 	 * remove file system from log active file system list.
 	 */
+	txQuiesce(sb);
 	jfs_flush_journal(log, 2);
+	txDrain(sb);
 
 	/*
 	 * Make sure all metadata makes it to disk

base-commit: f1a5e78a55ebf2b05777fd5eb738038ddae609d6
-- 
2.51.0
Re: [PATCH] jfs: fix use-after-free in jfs_lazycommit
Posted by Li Zao 4 weeks ago 
Hello,

I'm just following up on this patch to see if you've had a chance to review it,
or if there is any additional information I should provide.

Thank you for your time and help.

Best regards,
Haocheng

On Sat, May 9, 2026 at 8:36 PM <l1za0.sec@gmail.com> wrote:
>
> From: Haocheng Yu <l1za0.sec@gmail.com>
>
> A KASAN: slab-use-after-free Read in jfs_lazycommit is found
> by a modified Syzkaller-based kernel fuzzing tool that we developed.
>
> This issue is caused by a race condition between
> fs/jfs/jfs_txnmgr.c:jfs_lazycommit() and
> fs/jfs/super.c:jfs_put_super(). In jfs_lazycommit(), the commit
> thread reads struct jfs_sb_info from tblk->sb and accesses
> sbi->commit_state. At the same time, if another thread unmounts the
> file system and frees the corresponding sbi, then jfs_lazycommit()
> might access a freed sbi and trigger a use-after-free read.
>
> To fix this vulnerability, call txQuiesce() and txDrain() in
> jfs_umount() and jfs_umount_rw() before freeing JFS state.
>
> Signed-off-by: Haocheng Yu <l1za0.sec@gmail.com>
> ---
>  fs/jfs/jfs_txnmgr.c | 29 +++++++++++++++++++++++++++++
>  fs/jfs/jfs_txnmgr.h |  1 +
>  fs/jfs/jfs_umount.c |  9 +++++++++
>  3 files changed, 39 insertions(+)
>
> diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
> index 083dbbb0c326..3aa7f5787688 100644
> --- a/fs/jfs/jfs_txnmgr.c
> +++ b/fs/jfs/jfs_txnmgr.c
> @@ -2874,6 +2874,35 @@ void txResume(struct super_block *sb)
>         TXN_WAKEUP(&log->syncwait);
>  }
>
> +void txDrain(struct super_block *sb)
> +{
> +       struct jfs_sb_info *sbi = JFS_SBI(sb);
> +       struct tblock *tblk;
> +       unsigned long flags;
> +       bool pending;
> +
> +       for (;;) {
> +               pending = false;
> +               LAZY_LOCK(flags);
> +               if (sbi->commit_state & IN_LAZYCOMMIT) {
> +                       pending = true;
> +               } else {
> +                       list_for_each_entry(tblk, &TxAnchor.unlock_queue, cqueue) {
> +                               if (tblk->sb == sb) {
> +                                       pending = true;
> +                                       break;
> +                               }
> +                       }
> +               }
> +               LAZY_UNLOCK(flags);
> +
> +               if (!pending)
> +                       return;
> +
> +               schedule_timeout_uninterruptible(1);
> +       }
> +}
> +
>  /*
>   *     jfs_sync(void)
>   *
> diff --git a/fs/jfs/jfs_txnmgr.h b/fs/jfs/jfs_txnmgr.h
> index ba71eb5ced56..55cda4aa3691 100644
> --- a/fs/jfs/jfs_txnmgr.h
> +++ b/fs/jfs/jfs_txnmgr.h
> @@ -293,6 +293,7 @@ extern int lmLog(struct jfs_log *, struct tblock *, struct lrd *,
>  extern void txQuiesce(struct super_block *);
>  extern void txResume(struct super_block *);
>  extern void txLazyUnlock(struct tblock *);
> +extern void txDrain(struct super_block *sb);
>  extern int jfs_lazycommit(void *);
>  extern int jfs_sync(void *);
>  #endif                         /* _H_JFS_TXNMGR */
> diff --git a/fs/jfs/jfs_umount.c b/fs/jfs/jfs_umount.c
> index 18569f1eaabd..6d332c8b85be 100644
> --- a/fs/jfs/jfs_umount.c
> +++ b/fs/jfs/jfs_umount.c
> @@ -23,6 +23,7 @@
>  #include "jfs_logmgr.h"
>  #include "jfs_metapage.h"
>  #include "jfs_debug.h"
> +#include "jfs_txnmgr.h"
>
>  /*
>   * NAME:       jfs_umount(vfsp, flags, crp)
> @@ -52,11 +53,17 @@ int jfs_umount(struct super_block *sb)
>          *
>          * if mounted read-write and log based recovery was enabled
>          */
> +
>         if ((log = sbi->log))
> +               txQuiesce(sb);
> +
> +       if (log)
>                 /*
>                  * Wait for outstanding transactions to be written to log:
>                  */
>                 jfs_flush_journal(log, 2);
> +
> +       txDrain(sb);
>
>         /*
>          * Hold log lock so write_special_inodes (lmLogSync) cannot see
> @@ -141,7 +148,9 @@ int jfs_umount_rw(struct super_block *sb)
>          *
>          * remove file system from log active file system list.
>          */
> +       txQuiesce(sb);
>         jfs_flush_journal(log, 2);
> +       txDrain(sb);
>
>         /*
>          * Make sure all metadata makes it to disk
>
> base-commit: f1a5e78a55ebf2b05777fd5eb738038ddae609d6
> --
> 2.51.0
>

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.