From: Simon Glass <simon.glass@canonical.com> When running filesystem tests back-to-back, buffer_heads could be freed while journal_heads still reference them. This causes use-after-free crashes when the journal code later accesses the stale b_bh pointer. Add protection in free_buffer_head() to skip buffers with JBD attached, since the journal owns a reference and will clean them up properly. Also add protection in brelse() to prevent the ref count from dropping to zero while JBD is still attached. Update comments in ext4l_close_internal() to clarify why cache cleanup is critical even during skip_io mode. Fixes crashes when test_fs13 runs after test_fs11 in the same session. Co-developed-by: Claude <noreply@anthropic.com> Signed-off-by: Simon Glass <simon.glass@canonical.com> --- fs/ext4l/support.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/fs/ext4l/support.c b/fs/ext4l/support.c index aaaf89092eb..3be40b6fca2 100644 --- a/fs/ext4l/support.c +++ b/fs/ext4l/support.c @@ -466,6 +466,15 @@ void free_buffer_head(struct buffer_head *bh) if (!bh) return; + /* + * Never free a buffer_head that has a journal_head attached. + * This would cause use-after-free when the journal tries to access it. + * The journal owns a reference and the buffer will be cleaned up when + * the journal_head is properly released. + */ + if (buffer_jbd(bh)) + return; + /* * Shadow buffers (b_private != NULL) share their folio with the * original buffer. Don't free the shared folio. -- 2.43.0