From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 84869299929; Mon, 13 Apr 2026 17:02:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776099767; cv=none; b=Yzb1IMw22uGciV38BtOoLuIlmk9ZYx24nxAMVAXirQtemtxqJcWrhYlpg0u3sU4KrjizdMAmNRZA3iVTwks5iK39qIFrDNAWUyqe/Q4028GvyAbGT0J7hf4yuoRqV19AFiDiyrK86G0+pGeKaLtiTyDmTb3pTpZMjG0Kx64erVo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776099767; c=relaxed/simple; bh=Jq9clcAVBZ2G/qjFakzhdTdReFr/xN1uPfivJsig+n8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=F7TqlDiH1TZPHNKdBjVSTw1oIO6HU2r+iLoC6AYzDGzQAYd7eZK2+Y4buCy5HdaxBQ56wC02dYJ5g+He/fMG8K8iYfTj/aelde0vgnQ1skAyUYybMhh0b5t1upFOSrROFWFLWj8pEJLCWCtZauSGu/bzt+t5zHGuUzrnS78DMIc= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=E3MALOmk; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="E3MALOmk" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 07E84C2BCAF; Mon, 13 Apr 2026 17:02:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1776099767; bh=Jq9clcAVBZ2G/qjFakzhdTdReFr/xN1uPfivJsig+n8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=E3MALOmk3HMKM4T2jXbSGyFFS0I6Fs6N+K/YtEqQrUbY8HcYDwbYqWSzj1wYzhtLm 0HfQyGitravxsX1juwTeOJJnCTaBsxnM/HcVKBqJbJhjIvjbiIjz1x0ZFTKU05rIJw lYNZ0nBM7Q7JDzrnwDfokdP5LoBDzmnRjy3fBRVA= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, syzbot+652af2b3c5569c4ab63c@syzkaller.appspotmail.com, "Darrick J. Wong" , Dave Chinner , Yuto Ohnuki , Carlos Maiolino , Sasha Levin Subject: [PATCH 5.10 467/491] xfs: save ailp before dropping the AIL lock in push callbacks Date: Mon, 13 Apr 2026 18:01:52 +0200 Message-ID: <20260413155836.524464184@linuxfoundation.org> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260413155819.042779211@linuxfoundation.org> References: <20260413155819.042779211@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 5.10-stable review patch. If anyone has any objections, please let me know. ------------------ From: Yuto Ohnuki [ Upstream commit 394d70b86fae9fe865e7e6d9540b7696f73aa9b6 ] In xfs_inode_item_push() and xfs_qm_dquot_logitem_push(), the AIL lock is dropped to perform buffer IO. Once the cluster buffer no longer protects the log item from reclaim, the log item may be freed by background reclaim or the dquot shrinker. The subsequent spin_lock() call dereferences lip->li_ailp, which is a use-after-free. Fix this by saving the ailp pointer in a local variable while the AIL lock is held and the log item is guaranteed to be valid. Reported-by: syzbot+652af2b3c5569c4ab63c@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=652af2b3c5569c4ab63c Fixes: 90c60e164012 ("xfs: xfs_iflush() is no longer necessary") Cc: stable@vger.kernel.org # v5.9 Reviewed-by: Darrick J. Wong Reviewed-by: Dave Chinner Signed-off-by: Yuto Ohnuki Signed-off-by: Carlos Maiolino Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- fs/xfs/xfs_dquot_item.c | 9 +++++++-- fs/xfs/xfs_inode_item.c | 9 +++++++-- 2 files changed, 14 insertions(+), 4 deletions(-) --- a/fs/xfs/xfs_dquot_item.c +++ b/fs/xfs/xfs_dquot_item.c @@ -124,6 +124,7 @@ xfs_qm_dquot_logitem_push( { struct xfs_dquot *dqp = DQUOT_ITEM(lip)->qli_dquot; struct xfs_buf *bp = lip->li_buf; + struct xfs_ail *ailp = lip->li_ailp; uint rval = XFS_ITEM_SUCCESS; int error; @@ -152,7 +153,7 @@ xfs_qm_dquot_logitem_push( goto out_unlock; } - spin_unlock(&lip->li_ailp->ail_lock); + spin_unlock(&ailp->ail_lock); error = xfs_qm_dqflush(dqp, &bp); if (!error) { @@ -162,7 +163,11 @@ xfs_qm_dquot_logitem_push( } else if (error == -EAGAIN) rval = XFS_ITEM_LOCKED; - spin_lock(&lip->li_ailp->ail_lock); + /* + * The buffer no longer protects the log item from reclaim, so + * do not reference lip after this point. + */ + spin_lock(&ailp->ail_lock); out_unlock: xfs_dqunlock(dqp); return rval; --- a/fs/xfs/xfs_inode_item.c +++ b/fs/xfs/xfs_inode_item.c @@ -514,6 +514,7 @@ xfs_inode_item_push( struct xfs_inode_log_item *iip = INODE_ITEM(lip); struct xfs_inode *ip = iip->ili_inode; struct xfs_buf *bp = lip->li_buf; + struct xfs_ail *ailp = lip->li_ailp; uint rval = XFS_ITEM_SUCCESS; int error; @@ -529,7 +530,7 @@ xfs_inode_item_push( if (!xfs_buf_trylock(bp)) return XFS_ITEM_LOCKED; - spin_unlock(&lip->li_ailp->ail_lock); + spin_unlock(&ailp->ail_lock); /* * We need to hold a reference for flushing the cluster buffer as it may @@ -553,7 +554,11 @@ xfs_inode_item_push( rval = XFS_ITEM_LOCKED; } - spin_lock(&lip->li_ailp->ail_lock); + /* + * The buffer no longer protects the log item from reclaim, so + * do not reference lip after this point. + */ + spin_lock(&ailp->ail_lock); return rval; }