From: Jie Wang To: shaggy@kernel.org Cc: jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, syzbot+ea7ed3bb2f444cb4dfeb@syzkaller.appspotmail.com, Jie Wang Subject: [PATCH] jfs: fix use-after-free in lmLogSync during unmount Date: Wed, 3 Jun 2026 17:16:20 +0000 Message-Id: <20260603171620.2532527-1-jie.wang@intel.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <6a1eb319.c1435f33.112120.0156.GAE@google.com> References: <6a1eb319.c1435f33.112120.0156.GAE@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" jfs_flush_journal(log, 2) waits for log->cqueue and log->synclist to drain, but lazy commit transactions already moved to the global TxAnchor.unlock_queue are not accounted for. The jfsCommit thread may still be processing these through txEnd -> jfs_syncpt -> lmLogSync after lmLogClose frees the log structure. Fix by adding wait_event() in lmLogClose before kfree(log) to ensure log->active has dropped to zero and log_SYNCBARRIER is clear. Add a corresponding wakeup in txEnd when log->active reaches zero. Reported-by: syzbot+ea7ed3bb2f444cb4dfeb@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3Dea7ed3bb2f444cb4dfeb Signed-off-by: Jie Wang --- fs/jfs/jfs_logmgr.c | 6 ++++++ fs/jfs/jfs_txnmgr.c | 3 +++ 2 files changed, 9 insertions(+) diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c index 306165e61438..9977c1359dbc 100644 --- a/fs/jfs/jfs_logmgr.c +++ b/fs/jfs/jfs_logmgr.c @@ -1454,6 +1454,9 @@ int lmLogClose(struct super_block *sb) /* * in-line log in host file system */ + /* wait for lazy commit thread to finish txEnd() */ + wait_event(log->syncwait, !log->active && + !test_bit(log_SYNCBARRIER, &log->flag)); rc =3D lmLogShutdown(log); kfree(log); goto out; 
@@ -1478,6 +1481,9 @@ int lmLogClose(struct super_block *sb) /* * external log as separate logical volume */ + /* wait for lazy commit thread to finish txEnd() */ + wait_event(log->syncwait, !log->active && + !test_bit(log_SYNCBARRIER, &log->flag)); list_del(&log->journal_list); bdev_file =3D log->bdev_file; rc =3D lmLogShutdown(log); diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c index 083dbbb0c326..75d5c2a10600 100644 --- a/fs/jfs/jfs_txnmgr.c +++ b/fs/jfs/jfs_txnmgr.c @@ -560,6 +560,9 @@ void txEnd(tid_t tid) =20 goto wakeup; } + + /* wakeup lmLogClose waiting for all txn completion */ + TXN_WAKEUP(&log->syncwait); } =20 TXN_UNLOCK(); --=20 2.34.1
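Review bot: the wait in the in-line log branch reads log->active and log->flag without TXN_LOCK, and neither the comment nor the commit message says why that is safe. wait_event() re-checks the condition after every wakeup, so the scheme holds only if every path that drops log->active to zero is followed by the new TXN_WAKEUP(&log->syncwait) in txEnd(); please state that invariant in the comment, and have the comment mention the second half of the condition too, since "wait for lazy commit thread to finish txEnd()" says nothing about waiting for log_SYNCBARRIER to clear.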
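Review bot: the external-log branch repeats the same three-line wait_event() block verbatim from the in-line branch. Since both branches need it immediately before lmLogShutdown(log), hoist the single wait above the branch or put it in a small static helper (for example a hypothetical lmLogWaitIdle(log)) so the condition cannot drift between the two copies. Also note that this wait is uninterruptible and unbounded; that is the right choice for unmount, but the commit message should say that a txEnd() that never issues the wakeup would now hang umount rather than free the log early.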
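Review bot: the new TXN_WAKEUP(&log->syncwait) in txEnd() sits after the `goto wakeup;` block, so on the barrier path it is never reached and the waiter in lmLogClose() depends entirely on the existing barrier handling clearing log_SYNCBARRIER and waking syncwait only after jfs_syncpt() has returned. The commit message describes the race as txEnd -> jfs_syncpt -> lmLogSync, so please spell out in the message (or a comment here) that log_SYNCBARRIER stays set until lmLogSync() is finished; otherwise the `!log->active && !test_bit(log_SYNCBARRIER, ...)` condition could become true while lmLogSync() is still touching the log. Minor: "wakeup lmLogClose waiting" should read "wake up lmLogClose, which waits" in the comment.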