jfs_flush_journal(log, 2) waits for log->cqueue and log->synclist to
drain, but lazy commit transactions already moved to the global
TxAnchor.unlock_queue are not accounted for. The jfsCommit thread may
still be processing these through txEnd -> jfs_syncpt -> lmLogSync
after lmLogClose frees the log structure.

Fix by adding wait_event() in lmLogClose before kfree(log) to ensure
log->active has dropped to zero and log_SYNCBARRIER is clear. Add a
corresponding wakeup in txEnd when log->active reaches zero.

Reported-by: syzbot+ea7ed3bb2f444cb4dfeb@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ea7ed3bb2f444cb4dfeb
Signed-off-by: Jie Wang <jie.wang@intel.com>
---
 fs/jfs/jfs_logmgr.c | 6 ++++++
 fs/jfs/jfs_txnmgr.c | 3 +++
 2 files changed, 9 insertions(+)

diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index 306165e61438..9977c1359dbc 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -1454,6 +1454,9 @@ int lmLogClose(struct super_block *sb)
 		/*
 		 *	in-line log in host file system
 		 */
+		/* wait for lazy commit thread to finish txEnd() */
+		wait_event(log->syncwait, !log->active &&
+			   !test_bit(log_SYNCBARRIER, &log->flag));
 		rc = lmLogShutdown(log);
 		kfree(log);
 		goto out;
@@ -1478,6 +1481,9 @@ int lmLogClose(struct super_block *sb)
 	/*
 	 *	external log as separate logical volume
 	 */
+	/* wait for lazy commit thread to finish txEnd() */
+	wait_event(log->syncwait, !log->active &&
+		   !test_bit(log_SYNCBARRIER, &log->flag));
 	list_del(&log->journal_list);
 	bdev_file = log->bdev_file;
 	rc = lmLogShutdown(log);
diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
index 083dbbb0c326..75d5c2a10600 100644
--- a/fs/jfs/jfs_txnmgr.c
+++ b/fs/jfs/jfs_txnmgr.c
@@ -560,6 +560,9 @@ void txEnd(tid_t tid)
 
 			goto wakeup;
 		}
+
+		/* wakeup lmLogClose waiting for all txn completion */
+		TXN_WAKEUP(&log->syncwait);
 	}
 
 	TXN_UNLOCK();
-- 
2.34.1