Forwarded: Re: [syzbot] [jfs?] BUG: corrupted list in dbUpdatePMap

Posted by syzbot 1 month, 1 week ago
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [jfs?] BUG: corrupted list in dbUpdatePMap
Author: yun.zhou@windriver.com

#syz test

diff --git a/fs/jfs/jfs_metapage.c b/fs/jfs/jfs_metapage.c
index 871cf4fb3636..0d6c40e7e551 100644
--- a/fs/jfs/jfs_metapage.c
+++ b/fs/jfs/jfs_metapage.c
@@ -270,6 +270,7 @@ static inline struct metapage *alloc_metapage(gfp_t gfp_mask)
                  mp->clsn = 0;
                  mp->log = NULL;
                  init_waitqueue_head(&mp->wait);
+               INIT_LIST_HEAD(&mp->synclist);
          }
          return mp;
   }
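Review bot: The added `INIT_LIST_HEAD(&mp->synclist)` in alloc_metapage, and the matching one in the txInit loop in fs/jfs/jfs_txnmgr.c, carries no comment stating the invariant it sets up, which the `list_del_init()` changes later in this patch rely on. A one-line comment such as `/* synclist is an empty head whenever the metapage is off the logsync list */` would make that contract visible to later readers. Whether every other path that unlinks `synclist` also restores the empty-head state cannot be seen from these hunks, so confirm that before documenting it as an invariant. alloc_metapage's body starts outside the hunk.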
@@ -379,7 +380,7 @@ static void remove_from_logsync(struct metapage *mp)
                  mp->lsn = 0;
                  mp->clsn = 0;
                  log->count--;
-               list_del(&mp->synclist);
+               list_del_init(&mp->synclist);
          }
          LOGSYNC_UNLOCK(log, flags);
   }
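Review bot: Switching to `list_del_init(&mp->synclist)` here, and to `list_del_init(&tblk->synclist)` in the txUnlock hunk of fs/jfs/jfs_txnmgr.c, removes the tripwire rather than the stale use. `list_del()` leaves poisoned pointers that the list-debug checks catch, whereas a self-pointing head lets a later `list_add()`/`list_move()` against the removed entry succeed silently. The subject names dbUpdatePMap as the place where the corruption is reported, and this diff does not touch it, so the path that reaches an already-unlinked `synclist` appears to remain. Presumably an entry linked to such a detached head would be counted in `log->count` without being reachable from the log's sync list. Consider an explicit state check at the consumer, under the same LOGSYNC lock, for example `if (list_empty(&tblk->synclist))` treated as an error path, instead of relying on the re-initialised head. remove_from_logsync's body starts outside the hunk.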
diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
index 7840a03e5bcb..a5a5bc0a266d 100644
--- a/fs/jfs/jfs_txnmgr.c
+++ b/fs/jfs/jfs_txnmgr.c
@@ -275,6 +275,7 @@ int txInit(void)
          for (k = 0; k < nTxBlock; k++) {
                  init_waitqueue_head(&TxBlock[k].gcwait);
                  init_waitqueue_head(&TxBlock[k].waitor);
+               INIT_LIST_HEAD(&TxBlock[k].synclist);
          }

          for (k = 1; k < nTxBlock - 1; k++) {
@@ -974,7 +975,7 @@ static void txUnlock(struct tblock * tblk)
          if (tblk->lsn) {
                  LOGSYNC_LOCK(log, flags);
                  log->count--;
-               list_del(&tblk->synclist);
+               list_del_init(&tblk->synclist);
                  LOGSYNC_UNLOCK(log, flags);
          }
   }