From: Dave Chinner <dgc@kernel.org>
To: Yuto Ohnuki <ytohnuki@amazon.com>
Cc: Carlos Maiolino <cem@kernel.org>,
Dave Chinner <dchinner@redhat.com>,
"Darrick J . Wong" <darrick.wong@oracle.com>,
Brian Foster <bfoster@redhat.com>,
linux-xfs@vger.kernel.org, linux-kernel@vger.kernel.org,
syzbot+652af2b3c5569c4ab63c@syzkaller.appspotmail.com,
stable@vger.kernel.org
Subject: Re: [PATCH v3 4/4] xfs: save ailp before dropping the AIL lock in push callbacks
Date: Tue, 10 Mar 2026 16:27:46 +1100 [thread overview]
Message-ID: <aa-r0lbQbh6YzKfg@dread> (raw)
In-Reply-To: <20260308182804.33127-10-ytohnuki@amazon.com>
On Sun, Mar 08, 2026 at 06:28:09PM +0000, Yuto Ohnuki wrote:
> In xfs_inode_item_push() and xfs_qm_dquot_logitem_push(), the AIL lock
> is dropped to perform buffer IO. Once the cluster buffer no longer
> protects the log item from reclaim, the log item may be freed by
> background reclaim or the dquot shrinker. The subsequent spin_lock()
> call dereferences lip->li_ailp, which is a use-after-free.
>
> Fix this by saving the ailp pointer in a local variable while the AIL
> lock is held and the log item is guaranteed to be valid.
>
> Reported-by: syzbot+652af2b3c5569c4ab63c@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=652af2b3c5569c4ab63c
> Fixes: 90c60e164012 ("xfs: xfs_iflush() is no longer necessary")
> Cc: <stable@vger.kernel.org> # v5.9
> Signed-off-by: Yuto Ohnuki <ytohnuki@amazon.com>
looks good to me.
Reviewed-by: Dave Chinner <dchinner@redhat.com>
--
Dave Chinner
dgc@kernel.org
prev parent reply other threads:[~2026-03-10 5:27 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-08 18:28 [PATCH v3 0/4] xfs: fix AIL push use-after-free during shutdown Yuto Ohnuki
2026-03-08 18:28 ` [PATCH v3 1/4] xfs: stop reclaim before pushing AIL during unmount Yuto Ohnuki
2026-03-09 16:02 ` Darrick J. Wong
2026-03-10 17:33 ` Yuto Ohnuki
2026-03-08 18:28 ` [PATCH v3 2/4] xfs: refactor xfsaild_push loop into helper Yuto Ohnuki
2026-03-09 16:14 ` Darrick J. Wong
2026-03-10 17:38 ` Yuto Ohnuki
2026-03-10 5:26 ` Dave Chinner
2026-03-10 17:46 ` Yuto Ohnuki
2026-03-08 18:28 ` [PATCH v3 3/4] xfs: avoid dereferencing log items after push callbacks Yuto Ohnuki
2026-03-09 16:27 ` Darrick J. Wong
2026-03-10 5:25 ` Dave Chinner
2026-03-10 17:51 ` Yuto Ohnuki
2026-03-10 5:27 ` Dave Chinner
2026-03-10 17:56 ` Yuto Ohnuki
2026-03-08 18:28 ` [PATCH v3 4/4] xfs: save ailp before dropping the AIL lock in " Yuto Ohnuki
2026-03-09 16:28 ` Darrick J. Wong
2026-03-10 5:27 ` Dave Chinner [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aa-r0lbQbh6YzKfg@dread \
--to=dgc@kernel.org \
--cc=bfoster@redhat.com \
--cc=cem@kernel.org \
--cc=darrick.wong@oracle.com \
--cc=dchinner@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-xfs@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+652af2b3c5569c4ab63c@syzkaller.appspotmail.com \
--cc=ytohnuki@amazon.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox