[PATCH v3 0/4] xfs: fix AIL push use-after-free during shutdown

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Yuto Ohnuki <ytohnuki@amazon.com>
To: Carlos Maiolino <cem@kernel.org>, Dave Chinner <dchinner@redhat.com>
Cc: "Darrick J . Wong" <darrick.wong@oracle.com>,
	Brian Foster <bfoster@redhat.com>, <linux-xfs@vger.kernel.org>,
	<linux-kernel@vger.kernel.org>, Yuto Ohnuki <ytohnuki@amazon.com>
Subject: [PATCH v3 0/4] xfs: fix AIL push use-after-free during shutdown
Date: Sun, 8 Mar 2026 18:28:05 +0000	[thread overview]
Message-ID: <20260308182804.33127-6-ytohnuki@amazon.com> (raw)

When a filesystem is shut down, background inode reclaim and the xfsaild
can race to abort and free dirty inodes. Since commit 90c60e164012
("xfs: xfs_iflush() is no longer necessary"), xfs_inode_item_push() no
longer holds ILOCK_SHARED while flushing, removing the protection that
prevented the inode from being reclaimed during the flush.

This results in use-after-free when dereferencing log items after
iop_push() returns, or when reacquiring the AIL lock via lip->li_ailp.

This series fixes the issue by:
1. Reordering unmount to stop reclaim before pushing the AIL
2. Factoring the push loop into a helper for readability
3. Capturing log item fields before push callbacks for tracepoints
4. Saving the ailp pointer before dropping the AIL lock

Changes in v3:
- Split into 4 patches as suggested by Dave Chinner
- Moved UAF-unsafe point comments to after xfs_buf_relse()
- Passed ailp instead of dev to tracepoints
- Moved xfs_ail_push_class definition after xfs_log_item_class events
- Factored xfsaild_push() loop body into xfsaild_process_logitem()
- Added xfsaild_push_item() header comment describing post-return lifetime
- Link to v2: https://lore.kernel.org/all/20260305185836.56478-2-ytohnuki@amazon.com/

Changes in v2:
- Reordered xfs_unmount_flush_inodes() to stop reclaim before pushing
  AIL suggested by Dave Chinner
- Introduced xfs_ail_push_class trace event to avoid dereferencing
  freed log items in tracepoints
- Added comments documenting that log items must not be referenced
  after iop_push() returns
- Saved ailp pointer in local variables in push functions
- Link to v1: https://lore.kernel.org/all/20260304162405.58017-2-ytohnuki@amazon.com/

Yuto Ohnuki (4):
  xfs: stop reclaim before pushing AIL during unmount
  xfs: refactor xfsaild_push loop into helper
  xfs: avoid dereferencing log items after push callbacks
  xfs: save ailp before dropping the AIL lock in push callbacks

 fs/xfs/xfs_dquot_item.c |   9 ++-
 fs/xfs/xfs_inode_item.c |   9 ++-
 fs/xfs/xfs_mount.c      |   4 +-
 fs/xfs/xfs_trace.h      |  36 ++++++++++--
 fs/xfs/xfs_trans_ail.c  | 124 +++++++++++++++++++++++-----------------
 5 files changed, 120 insertions(+), 62 deletions(-)

-- 
2.50.1




Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg, R.C.S. Luxembourg B186284

Amazon Web Services EMEA SARL, Irish Branch, One Burlington Plaza, Burlington Road, Dublin 4, Ireland, branch registration number 908705

next             reply	other threads:[~2026-03-08 18:28 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-08 18:28 Yuto Ohnuki [this message]
2026-03-08 18:28 ` [PATCH v3 1/4] xfs: stop reclaim before pushing AIL during unmount Yuto Ohnuki
2026-03-09 16:02   ` Darrick J. Wong
2026-03-10 17:33     ` Yuto Ohnuki
2026-03-08 18:28 ` [PATCH v3 2/4] xfs: refactor xfsaild_push loop into helper Yuto Ohnuki
2026-03-09 16:14   ` Darrick J. Wong
2026-03-10 17:38     ` Yuto Ohnuki
2026-03-10  5:26   ` Dave Chinner
2026-03-10 17:46     ` Yuto Ohnuki
2026-03-08 18:28 ` [PATCH v3 3/4] xfs: avoid dereferencing log items after push callbacks Yuto Ohnuki
2026-03-09 16:27   ` Darrick J. Wong
2026-03-10  5:25     ` Dave Chinner
2026-03-10 17:51     ` Yuto Ohnuki
2026-03-10  5:27   ` Dave Chinner
2026-03-10 17:56     ` Yuto Ohnuki
2026-03-08 18:28 ` [PATCH v3 4/4] xfs: save ailp before dropping the AIL lock in " Yuto Ohnuki
2026-03-09 16:28   ` Darrick J. Wong
2026-03-10  5:27   ` Dave Chinner

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260308182804.33127-6-ytohnuki@amazon.com \
    --to=ytohnuki@amazon.com \
    --cc=bfoster@redhat.com \
    --cc=cem@kernel.org \
    --cc=darrick.wong@oracle.com \
    --cc=dchinner@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-xfs@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.