public inbox for gfs2@lists.linux.dev
From: Andreas Gruenbacher <agruenba@redhat.com>
To: gfs2@lists.linux.dev
Cc: Andreas Gruenbacher <agruenba@redhat.com>,
	syzbot+046b605f01802054bff0@syzkaller.appspotmail.com
Subject: [PATCH 13/13] gfs2: Fix slab-use-after-free in qd_put
Date: Fri, 23 Jan 2026 16:31:03 +0100
Message-ID: <20260123153105.797382-14-agruenba@redhat.com>
In-Reply-To: <20260123153105.797382-1-agruenba@redhat.com>

Commit a475c5dd16e5 ("gfs2: Free quota data objects synchronously")
started freeing quota data objects during filesystem shutdown instead of
putting them back onto the LRU list, but it failed to remove these
objects from the LRU list, causing LRU list corruption.  This caused
use-after-free when the shrinker (gfs2_qd_shrink_scan) tried to access
already-freed objects on the LRU list.

Fix this by removing qd objects from the LRU list before freeing them in
qd_put().

Initial fix from Deepanshu Kartikey <kartikey406@gmail.com>.

Fixes: a475c5dd16e5 ("gfs2: Free quota data objects synchronously")
Reported-by: syzbot+046b605f01802054bff0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=046b605f01802054bff0
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
---
 fs/gfs2/quota.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c
index 21dfe1e48da6..1c3455093ae8 100644
--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -334,6 +334,7 @@ static void qd_put(struct gfs2_quota_data *qd)
 		lockref_mark_dead(&qd->qd_lockref);
 		spin_unlock(&qd->qd_lockref.lock);
 
+		list_lru_del_obj(&gfs2_qd_lru, &qd->qd_lru);
 		gfs2_qd_dispose(qd);
 		return;
 	}
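Review bot: the new list_lru_del_obj() call is undocumented, and since this line is the whole fix, a short comment would save the next reader from re-deriving the reasoning from the commit message; something like `/* Unlink from gfs2_qd_lru before freeing, or the shrinker can walk into a freed object */` above the call. It would also be worth stating in that comment (or in the changelog) whether every qd that reaches this branch is expected to still be on the LRU, or whether the call is also there to cover objects that were never added, so that a future reader does not mistake the removal for a no-op in one of those cases.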
-- 
2.52.0

