From: Sasha Levin
To: stable@vger.kernel.org
Cc: Yuto Ohnuki, syzbot+652af2b3c5569c4ab63c@syzkaller.appspotmail.com, "Darrick J. Wong", Dave Chinner, Carlos Maiolino, Sasha Levin
Subject: [PATCH 5.10.y] xfs: save ailp before dropping the AIL lock in push callbacks
Date: Thu, 2 Apr 2026 05:44:17 -0400
Message-ID: <20260402094417.718088-1-sashal@kernel.org>
In-Reply-To: <2026033014-speak-undiluted-7499@gregkh>
References: <2026033014-speak-undiluted-7499@gregkh>

From: Yuto Ohnuki

[ Upstream commit 394d70b86fae9fe865e7e6d9540b7696f73aa9b6 ]

In xfs_inode_item_push() and xfs_qm_dquot_logitem_push(), the AIL lock is dropped to perform buffer IO. Once the cluster buffer no longer protects the log item from reclaim, the log item may be freed by background reclaim or the dquot shrinker. The subsequent spin_lock() call dereferences lip->li_ailp, which is a use-after-free.

Fix this by saving the ailp pointer in a local variable while the AIL lock is held and the log item is guaranteed to be valid.

Reported-by: syzbot+652af2b3c5569c4ab63c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=652af2b3c5569c4ab63c
Fixes: 90c60e164012 ("xfs: xfs_iflush() is no longer necessary")
Cc: stable@vger.kernel.org # v5.9
Reviewed-by: Darrick J. Wong
Reviewed-by: Dave Chinner
Signed-off-by: Yuto Ohnuki
Signed-off-by: Carlos Maiolino
Signed-off-by: Sasha Levin
---
 fs/xfs/xfs_dquot_item.c | 9 +++++++--
 fs/xfs/xfs_inode_item.c | 9 +++++++--
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/fs/xfs/xfs_dquot_item.c b/fs/xfs/xfs_dquot_item.c
index 8ed47b739b6cc..f2cef1470373c 100644
--- a/fs/xfs/xfs_dquot_item.c
+++ b/fs/xfs/xfs_dquot_item.c
@@ -124,6 +124,7 @@ xfs_qm_dquot_logitem_push( { struct xfs_dquot *dqp = DQUOT_ITEM(lip)->qli_dquot; struct xfs_buf *bp = lip->li_buf; + struct xfs_ail *ailp = lip->li_ailp; uint rval = XFS_ITEM_SUCCESS; int error; @@ -152,7 +153,7 @@ xfs_qm_dquot_logitem_push( goto out_unlock; } - spin_unlock(&lip->li_ailp->ail_lock); + spin_unlock(&ailp->ail_lock); error = xfs_qm_dqflush(dqp, &bp); if (!error) { @@ -162,7 +163,11 @@ xfs_qm_dquot_logitem_push( } else if (error == -EAGAIN) rval = XFS_ITEM_LOCKED; - spin_lock(&lip->li_ailp->ail_lock); + /* + * The buffer no longer protects the log item from reclaim, so + * do not reference lip after this point. + */ + spin_lock(&ailp->ail_lock); out_unlock: xfs_dqunlock(dqp); return rval; diff --git a/fs/xfs/xfs_inode_item.c b/fs/xfs/xfs_inode_item.c index 3aba4559469f1..38b59e8070acc 100644 --- a/fs/xfs/xfs_inode_item.c +++ b/fs/xfs/xfs_inode_item.c @@ -514,6 +514,7 @@ xfs_inode_item_push( struct xfs_inode_log_item *iip = INODE_ITEM(lip); struct xfs_inode *ip = iip->ili_inode; struct xfs_buf *bp = lip->li_buf; + struct xfs_ail *ailp = lip->li_ailp; uint rval = XFS_ITEM_SUCCESS; int error; @@ -529,7 +530,7 @@ xfs_inode_item_push( if (!xfs_buf_trylock(bp)) return XFS_ITEM_LOCKED; - spin_unlock(&lip->li_ailp->ail_lock); + spin_unlock(&ailp->ail_lock); /* * We need to hold a reference for flushing the cluster buffer as it may @@ -553,7 +554,11 @@ xfs_inode_item_push( rval = XFS_ITEM_LOCKED; } - spin_lock(&lip->li_ailp->ail_lock); + /* + * The buffer no longer protects the log item from reclaim, so + * do not reference lip after this point. + */ + spin_lock(&ailp->ail_lock); return rval; } -- 2.53.0
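Review bot: the new `struct xfs_ail *ailp = lip->li_ailp;` in the `@@ -124,6 +124,7 @@ xfs_qm_dquot_logitem_push(` hunk carries the whole fix, but nothing at the declaration says why a local copy is taken; the rationale only shows up at the relock site two hunks later. A one-line comment at the declaration (for example `/* lip may be freed once the AIL lock is dropped; keep ailp for the relock */`) would make the intent visible where the variable is introduced, and the same applies to the matching declaration in the `@@ -514,6 +514,7 @@ xfs_inode_item_push(` hunk.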
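Review bot: in the `@@ -162,7 +163,11 @@ xfs_qm_dquot_logitem_push(` hunk the new comment says not to reference `lip` after the relock, yet the lines directly after it at `out_unlock:` still dereference `dqp` via `xfs_dqunlock(dqp)`, and `dqp` was obtained from that same log item (`DQUOT_ITEM(lip)->qli_dquot`). The visible `xfs_dqunlock(dqp)` implies the dquot lock is held across the flush, which is presumably what keeps `dqp` valid even when its log item may have gone; saying so in the comment would make the asymmetry between `lip` and `dqp` read as intentional rather than as an oversight.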
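Review bot: the comment in the `@@ -553,7 +554,11 @@ xfs_inode_item_push(` hunk is attached to the `spin_lock(&ailp->ail_lock)`, but `lip` stops being safe as soon as the flush between the unlock and this point returns, not at the relock itself. The lines visible between the `rval = XFS_ITEM_LOCKED;` handling and the relock touch only `rval`, so the code is correct today, yet "after this point" invites a future `lip` dereference between the flush and the relock. Consider wording it as "once the flush has released the buffer" or placing it immediately after the flush call; the identical comment in the `@@ -162,7 +163,11 @@ xfs_qm_dquot_logitem_push(` hunk has the same issue.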