[PATCH] fs/mbcache: cancel shrink work before destroying the cache

[PATCH] fs/mbcache: cancel shrink work before destroying the cache

[Hyungjung Joo]

From: HyungJung Joo <jhj140711@gmail.com>

mb_cache_destroy() calls shrinker_free() and then frees all cache
entries and the cache itself, but it does not cancel the pending
c_shrink_work work item first.

If mb_cache_entry_create() schedules c_shrink_work via schedule_work()
and the work item is still pending or running when mb_cache_destroy()
runs, mb_cache_shrink_worker() will access the cache after its memory
has been freed, causing a use-after-free.

This is only reachable by a privileged user (root or CAP_SYS_ADMIN)
who can trigger the last put of a mounted ext2/ext4/ocfs2 filesystem.

Cancel the work item with cancel_work_sync() before calling
shrinker_free(), ensuring the worker has finished and will not be
rescheduled before the cache is torn down.

Signed-off-by: Hyungjung Joo <jhj140711@gmail.com>
---
 fs/mbcache.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/mbcache.c b/fs/mbcache.c
index 480d02d6ebf0..2a6319b4072c 100644
--- a/fs/mbcache.c
+++ b/fs/mbcache.c
@@ -406,6 +406,7 @@ void mb_cache_destroy(struct mb_cache *cache)
 {
 	struct mb_cache_entry *entry, *next;
 
+	cancel_work_sync(&cache->c_shrink_work);
 	shrinker_free(cache->c_shrink);
 
 	/*
-- 
2.34.1

Re: [PATCH] fs/mbcache: cancel shrink work before destroying the cache

[Christian Brauner]

On Tue, 17 Mar 2026 14:45:56 +0900, Hyungjung Joo wrote:
> mb_cache_destroy() calls shrinker_free() and then frees all cache
> entries and the cache itself, but it does not cancel the pending
> c_shrink_work work item first.
> 
> If mb_cache_entry_create() schedules c_shrink_work via schedule_work()
> and the work item is still pending or running when mb_cache_destroy()
> runs, mb_cache_shrink_worker() will access the cache after its memory
> has been freed, causing a use-after-free.
> 
> [...]


Pretty sure this is AI generated and it misses a Fixes: tag but otherwise looks
correct.

---

Applied to the vfs-7.1.misc branch of the vfs/vfs.git tree.
Patches in the vfs-7.1.misc branch should appear in linux-next soon.

Please report any outstanding bugs that were missed during review in a
new review to the original patch series allowing us to drop it.

It's encouraged to provide Acked-bys and Reviewed-bys even though the
patch has now been applied. If possible patch trailers will be updated.

Note that commit hashes shown below are subject to change due to rebase,
trailer updates or similar. If in doubt, please check the listed branch.

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
branch: vfs-7.1.misc

[1/1] fs/mbcache: cancel shrink work before destroying the cache
      https://git.kernel.org/vfs/vfs/c/d227786ab111

Re: [PATCH] fs/mbcache: cancel shrink work before destroying the cache

[Hyungjung Joo]

2026년 3월 17일 (화) PM 11:38, Christian Brauner <brauner@kernel.org>님이 작성:

> Pretty sure this is AI generated and it misses a Fixes: tag but otherwise looks
> correct.

I'm sorry, forgot the fixes tag.
Below is the correct fixes: tag.
Fixes: c2f3140fe2ec
Cc: stable@vger.kernel.org

Thanks.

Re: [PATCH] fs/mbcache: cancel shrink work before destroying the cache

[Christian Brauner]

On Wed, Mar 18, 2026 at 12:43:19AM +0900, Hyungjung Joo wrote:
> 2026년 3월 17일 (화) PM 11:38, Christian Brauner <brauner@kernel.org>님이 작성:
> 
> > Pretty sure this is AI generated and it misses a Fixes: tag but otherwise looks
> > correct.
> 
> I'm sorry, forgot the fixes tag.
> Below is the correct fixes: tag.
> Fixes: c2f3140fe2ec
> Cc: stable@vger.kernel.org

I had already added that.

Re: [PATCH] fs/mbcache: cancel shrink work before destroying the cache

[Jan Kara]

On Tue 17-03-26 14:45:56, Hyungjung Joo wrote:
> From: HyungJung Joo <jhj140711@gmail.com>
> 
> mb_cache_destroy() calls shrinker_free() and then frees all cache
> entries and the cache itself, but it does not cancel the pending
> c_shrink_work work item first.
> 
> If mb_cache_entry_create() schedules c_shrink_work via schedule_work()
> and the work item is still pending or running when mb_cache_destroy()
> runs, mb_cache_shrink_worker() will access the cache after its memory
> has been freed, causing a use-after-free.
> 
> This is only reachable by a privileged user (root or CAP_SYS_ADMIN)
> who can trigger the last put of a mounted ext2/ext4/ocfs2 filesystem.
> 
> Cancel the work item with cancel_work_sync() before calling
> shrinker_free(), ensuring the worker has finished and will not be
> rescheduled before the cache is torn down.
> 
> Signed-off-by: Hyungjung Joo <jhj140711@gmail.com>

Thanks! The patch looks good to me. Feel free to add:

Reviewed-by: Jan Kara <jack@suse.cz>

								Honza


> ---
>  fs/mbcache.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/fs/mbcache.c b/fs/mbcache.c
> index 480d02d6ebf0..2a6319b4072c 100644
> --- a/fs/mbcache.c
> +++ b/fs/mbcache.c
> @@ -406,6 +406,7 @@ void mb_cache_destroy(struct mb_cache *cache)
>  {
>  	struct mb_cache_entry *entry, *next;
>  
> +	cancel_work_sync(&cache->c_shrink_work);
>  	shrinker_free(cache->c_shrink);
>  
>  	/*
> -- 
> 2.34.1
> 
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR