* [PATCH 5.15.y] xfs: fix super block buf log item UAF during force shutdown
From: Guo Xuenan @ 2024-10-10 4:58 UTC
To: stable, gregkh, sashal
Cc: leah.rumancik, djwong, linux-xfs, linux-kernel, skhan,
marcus.yu.56
commit 575689fc0ffa6c4bb4e72fd18e31a6525a6124e0 upstream.

xfs log io error will trigger xlog shut down, and end_io worker call
xlog_state_shutdown_callbacks to unpin and release the buf log item.
The race condition is that when there are some thread doing transaction
commit and happened not to be intercepted by xlog_is_shutdown, then,
these log item will be insert into CIL, when unpin and release these
buf log item, UAF will occur. BTW, add delay before `xlog_cil_commit`
can increase recurrence probability.

The following call graph actually encountered this bad situation.

fsstress                              io end worker kworker/0:1H-216
                                      xlog_ioend_work
                                        ->xlog_force_shutdown
                                          ->xlog_state_shutdown_callbacks
                                            ->xlog_cil_process_committed
                                              ->xlog_cil_committed
                                                ->xfs_trans_committed_bulk
->xfs_trans_apply_sb_deltas                       ->li_ops->iop_unpin(lip, 1);
  ->xfs_trans_getsb
    ->_xfs_trans_bjoin
      ->xfs_buf_item_init
        ->if (bip) { return 0;} //relog
->xlog_cil_commit
  ->xlog_cil_insert_items //insert into CIL
                                                    ->xfs_buf_ioend_fail(bp);
                                                      ->xfs_buf_ioend
                                                        ->xfs_buf_item_done
                                                          ->xfs_buf_item_relse
                                                            ->xfs_buf_item_free

when cil push worker gather percpu cil and insert super block buf log item
into ctx->log_items then uaf occurs.
==================================================================
BUG: KASAN: use-after-free in xlog_cil_push_work+0x1c8f/0x22f0
Write of size 8 at addr ffff88801800f3f0 by task kworker/u4:4/105
CPU: 0 PID: 105 Comm: kworker/u4:4 Tainted: G W
6.1.0-rc1-00001-g274115149b42 #136
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Workqueue: xfs-cil/sda xlog_cil_push_work
Call Trace:
<TASK>
dump_stack_lvl+0x4d/0x66
print_report+0x171/0x4a6
kasan_report+0xb3/0x130
xlog_cil_push_work+0x1c8f/0x22f0
process_one_work+0x6f9/0xf70
worker_thread+0x578/0xf30
kthread+0x28c/0x330
ret_from_fork+0x1f/0x30
</TASK>
Allocated by task 2145:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
__kasan_slab_alloc+0x54/0x60
kmem_cache_alloc+0x14a/0x510
xfs_buf_item_init+0x160/0x6d0
_xfs_trans_bjoin+0x7f/0x2e0
xfs_trans_getsb+0xb6/0x3f0
xfs_trans_apply_sb_deltas+0x1f/0x8c0
__xfs_trans_commit+0xa25/0xe10
xfs_symlink+0xe23/0x1660
xfs_vn_symlink+0x157/0x280
vfs_symlink+0x491/0x790
do_symlinkat+0x128/0x220
__x64_sys_symlink+0x7a/0x90
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 216:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
kasan_save_free_info+0x2a/0x40
__kasan_slab_free+0x105/0x1a0
kmem_cache_free+0xb6/0x460
xfs_buf_ioend+0x1e9/0x11f0
xfs_buf_item_unpin+0x3d6/0x840
xfs_trans_committed_bulk+0x4c2/0x7c0
xlog_cil_committed+0xab6/0xfb0
xlog_cil_process_committed+0x117/0x1e0
xlog_state_shutdown_callbacks+0x208/0x440
xlog_force_shutdown+0x1b3/0x3a0
xlog_ioend_work+0xef/0x1d0
process_one_work+0x6f9/0xf70
worker_thread+0x578/0xf30
kthread+0x28c/0x330
ret_from_fork+0x1f/0x30
The buggy address belongs to the object at ffff88801800f388
which belongs to the cache xfs_buf_item of size 272
The buggy address is located 104 bytes inside of
272-byte region [ffff88801800f388, ffff88801800f498)
The buggy address belongs to the physical page:
page:ffffea0000600380 refcount:1 mapcount:0 mapping:0000000000000000
index:0xffff88801800f208 pfn:0x1800e
head:ffffea0000600380 order:1 compound_mapcount:0 compound_pincount:0
flags: 0x1fffff80010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
raw: 001fffff80010200 ffffea0000699788 ffff88801319db50 ffff88800fb50640
raw: ffff88801800f208 000000000015000a 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88801800f280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88801800f300: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88801800f380: fc fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88801800f400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88801800f480: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Disabling lock debugging due to kernel taint
Signed-off-by: Guo Xuenan <guoxuenan@huawei.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Chang Yu <marcus.yu.56@gmail.com>
---
The fix 575689fc0ffa ("xfs: fix super block buf log item UAF
during force shutdown") was first introduced in v6.2-rc1. Syzkaller
reports that the UAF bug is still present in linux-5.15.y
(https://syzkaller.appspot.com/bug?extid=4d9a694803b65e21655b).
I think a backport should be beneficial here.
---
fs/xfs/xfs_buf_item.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/xfs/xfs_buf_item.c b/fs/xfs/xfs_buf_item.c
index b1ab100c09e1..ffe318eb897f 100644
--- a/fs/xfs/xfs_buf_item.c
+++ b/fs/xfs/xfs_buf_item.c
@@ -1017,6 +1017,8 @@ xfs_buf_item_relse(
trace_xfs_buf_item_relse(bp, _RET_IP_);
ASSERT(!test_bit(XFS_LI_IN_AIL, &bip->bli_item.li_flags));
+ if (atomic_read(&bip->bli_refcount))
+ return;
bp->b_log_item = NULL;
xfs_buf_rele(bp);
xfs_buf_item_free(bip);
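Review bot: The early return on a non-zero bli_refcount in xfs_buf_item_relse() carries no comment, so a reader of the function cannot tell why a release is silently skipped. A short comment above "if (atomic_read(&bip->bli_refcount))" would help, saying that a non-zero count means the item is still referenced elsewhere (the case in the commit message is a relogged super block buf log item that was inserted into the CIL during shutdown) and that the free is left to whoever drops the last reference. On that path bp->b_log_item stays set and xfs_buf_rele(bp) is not called, so the commit message should also say which later call releases the buffer.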
--
2.46.2
* [PATCH 5.15.y] xfs: fix super block buf log item UAF during force shutdown
From: Pranav Tyagi @ 2025-06-24 13:48 UTC
To: linux-xfs, stable
Cc: djwong, leah.rumancik, gregkh, linux-kernel, skhan,
linux-kernel-mentees, Guo Xuenan, Pranav Tyagi
From: Guo Xuenan <guoxuenan@huawei.com>
[ Upstream commit 575689fc0ffa6c4bb4e72fd18e31a6525a6124e0 ]

xfs log io error will trigger xlog shut down, and end_io worker call
xlog_state_shutdown_callbacks to unpin and release the buf log item.
The race condition is that when there are some thread doing transaction
commit and happened not to be intercepted by xlog_is_shutdown, then,
these log item will be insert into CIL, when unpin and release these
buf log item, UAF will occur. BTW, add delay before `xlog_cil_commit`
can increase recurrence probability.

The following call graph actually encountered this bad situation.

fsstress                              io end worker kworker/0:1H-216
                                      xlog_ioend_work
                                        ->xlog_force_shutdown
                                          ->xlog_state_shutdown_callbacks
                                            ->xlog_cil_process_committed
                                              ->xlog_cil_committed
                                                ->xfs_trans_committed_bulk
->xfs_trans_apply_sb_deltas                       ->li_ops->iop_unpin(lip, 1);
  ->xfs_trans_getsb
    ->_xfs_trans_bjoin
      ->xfs_buf_item_init
        ->if (bip) { return 0;} //relog
->xlog_cil_commit
  ->xlog_cil_insert_items //insert into CIL
                                                    ->xfs_buf_ioend_fail(bp);
                                                      ->xfs_buf_ioend
                                                        ->xfs_buf_item_done
                                                          ->xfs_buf_item_relse
                                                            ->xfs_buf_item_free

when cil push worker gather percpu cil and insert super block buf log item
into ctx->log_items then uaf occurs.
==================================================================
BUG: KASAN: use-after-free in xlog_cil_push_work+0x1c8f/0x22f0
Write of size 8 at addr ffff88801800f3f0 by task kworker/u4:4/105
CPU: 0 PID: 105 Comm: kworker/u4:4 Tainted: G W
6.1.0-rc1-00001-g274115149b42 #136
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Workqueue: xfs-cil/sda xlog_cil_push_work
Call Trace:
<TASK>
dump_stack_lvl+0x4d/0x66
print_report+0x171/0x4a6
kasan_report+0xb3/0x130
xlog_cil_push_work+0x1c8f/0x22f0
process_one_work+0x6f9/0xf70
worker_thread+0x578/0xf30
kthread+0x28c/0x330
ret_from_fork+0x1f/0x30
</TASK>
Allocated by task 2145:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
__kasan_slab_alloc+0x54/0x60
kmem_cache_alloc+0x14a/0x510
xfs_buf_item_init+0x160/0x6d0
_xfs_trans_bjoin+0x7f/0x2e0
xfs_trans_getsb+0xb6/0x3f0
xfs_trans_apply_sb_deltas+0x1f/0x8c0
__xfs_trans_commit+0xa25/0xe10
xfs_symlink+0xe23/0x1660
xfs_vn_symlink+0x157/0x280
vfs_symlink+0x491/0x790
do_symlinkat+0x128/0x220
__x64_sys_symlink+0x7a/0x90
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 216:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
kasan_save_free_info+0x2a/0x40
__kasan_slab_free+0x105/0x1a0
kmem_cache_free+0xb6/0x460
xfs_buf_ioend+0x1e9/0x11f0
xfs_buf_item_unpin+0x3d6/0x840
xfs_trans_committed_bulk+0x4c2/0x7c0
xlog_cil_committed+0xab6/0xfb0
xlog_cil_process_committed+0x117/0x1e0
xlog_state_shutdown_callbacks+0x208/0x440
xlog_force_shutdown+0x1b3/0x3a0
xlog_ioend_work+0xef/0x1d0
process_one_work+0x6f9/0xf70
worker_thread+0x578/0xf30
kthread+0x28c/0x330
ret_from_fork+0x1f/0x30
The buggy address belongs to the object at ffff88801800f388
which belongs to the cache xfs_buf_item of size 272
The buggy address is located 104 bytes inside of
272-byte region [ffff88801800f388, ffff88801800f498)
The buggy address belongs to the physical page:
page:ffffea0000600380 refcount:1 mapcount:0 mapping:0000000000000000
index:0xffff88801800f208 pfn:0x1800e
head:ffffea0000600380 order:1 compound_mapcount:0 compound_pincount:0
flags: 0x1fffff80010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
raw: 001fffff80010200 ffffea0000699788 ffff88801319db50 ffff88800fb50640
raw: ffff88801800f208 000000000015000a 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88801800f280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88801800f300: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88801800f380: fc fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88801800f400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88801800f480: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Disabling lock debugging due to kernel taint
[ Backport to 5.15: context cleanly applied with no semantic changes.
Build-tested. ]
Signed-off-by: Guo Xuenan <guoxuenan@huawei.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Pranav Tyagi <pranav.tyagi03@gmail.com>
---
fs/xfs/xfs_buf_item.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/xfs/xfs_buf_item.c b/fs/xfs/xfs_buf_item.c
index b1ab100c09e1..ffe318eb897f 100644
--- a/fs/xfs/xfs_buf_item.c
+++ b/fs/xfs/xfs_buf_item.c
@@ -1017,6 +1017,8 @@ xfs_buf_item_relse(
trace_xfs_buf_item_relse(bp, _RET_IP_);
ASSERT(!test_bit(XFS_LI_IN_AIL, &bip->bli_item.li_flags));
+ if (atomic_read(&bip->bli_refcount))
+ return;
bp->b_log_item = NULL;
xfs_buf_rele(bp);
xfs_buf_item_free(bip);
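Review bot: The added check in xfs_buf_item_relse() is a plain atomic_read() followed by an unconditional free, and nothing in the hunk shows what keeps bli_refcount from becoming non-zero between the read and xfs_buf_item_free(bip). The backport note should name the lock or state that serializes the two on 5.15.y, or say why none is needed. Since the note records only "Build-tested", a run of the shutdown race described in the commit message on a KASAN-enabled 5.15.y kernel would confirm that the xlog_cil_push_work report no longer fires.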
--
2.49.0
* Re: [PATCH 5.15.y] xfs: fix super block buf log item UAF during force shutdown
From: Sasha Levin @ 2025-06-25 14:09 UTC
To: stable; +Cc: Pranav Tyagi, Sasha Levin
[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected.
No action required from the submitter.
The upstream commit SHA1 provided is correct: 575689fc0ffa6c4bb4e72fd18e31a6525a6124e0
WARNING: Author mismatch between patch and upstream commit:
Backport author: Pranav Tyagi<pranav.tyagi03@gmail.com>
Commit author: Guo Xuenan<guoxuenan@huawei.com>
Status in newer kernel trees:
6.15.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)
6.6.y | Present (exact SHA1)
6.1.y | Present (different SHA1: 0d889ae85fcf)
Note: The patch differs from the upstream commit:
---
1: 575689fc0ffa6 ! 1: 9876b048d8f68 xfs: fix super block buf log item UAF during force shutdown
@@ Metadata
## Commit message ##
xfs: fix super block buf log item UAF during force shutdown
+ [ Upstream commit 575689fc0ffa6c4bb4e72fd18e31a6525a6124e0 ]
+
xfs log io error will trigger xlog shut down, and end_io worker call
xlog_state_shutdown_callbacks to unpin and release the buf log item.
The race condition is that when there are some thread doing transaction
@@ Commit message
==================================================================
Disabling lock debugging due to kernel taint
+ [ Backport to 5.15: context cleanly applied with no semantic changes.
+ Build-tested. ]
+
Signed-off-by: Guo Xuenan <guoxuenan@huawei.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
+ Signed-off-by: Pranav Tyagi <pranav.tyagi03@gmail.com>
## fs/xfs/xfs_buf_item.c ##
@@ fs/xfs/xfs_buf_item.c: xfs_buf_item_relse(
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.15.y | Success | Success |
* Re: [PATCH 5.15.y] xfs: fix super block buf log item UAF during force shutdown
From: Pranav Tyagi @ 2025-07-04 7:46 UTC
To: Sasha Levin; +Cc: stable
On Wed, Jun 25, 2025 at 7:39 PM Sasha Levin <sashal@kernel.org> wrote:
>
> [ Sasha's backport helper bot ]
>
> Hi,
>
> ✅ All tests passed successfully. No issues detected.
> No action required from the submitter.
>
> The upstream commit SHA1 provided is correct: 575689fc0ffa6c4bb4e72fd18e31a6525a6124e0
>
> WARNING: Author mismatch between patch and upstream commit:
> Backport author: Pranav Tyagi<pranav.tyagi03@gmail.com>
> Commit author: Guo Xuenan<guoxuenan@huawei.com>
>
> Status in newer kernel trees:
> 6.15.y | Present (exact SHA1)
> 6.12.y | Present (exact SHA1)
> 6.6.y | Present (exact SHA1)
> 6.1.y | Present (different SHA1: 0d889ae85fcf)
>
> Note: The patch differs from the upstream commit:
> ---
> 1: 575689fc0ffa6 ! 1: 9876b048d8f68 xfs: fix super block buf log item UAF during force shutdown
> @@ Metadata
> ## Commit message ##
> xfs: fix super block buf log item UAF during force shutdown
>
> + [ Upstream commit 575689fc0ffa6c4bb4e72fd18e31a6525a6124e0 ]
> +
> xfs log io error will trigger xlog shut down, and end_io worker call
> xlog_state_shutdown_callbacks to unpin and release the buf log item.
> The race condition is that when there are some thread doing transaction
> @@ Commit message
> ==================================================================
> Disabling lock debugging due to kernel taint
>
> + [ Backport to 5.15: context cleanly applied with no semantic changes.
> + Build-tested. ]
> +
> Signed-off-by: Guo Xuenan <guoxuenan@huawei.com>
> Reviewed-by: Darrick J. Wong <djwong@kernel.org>
> Signed-off-by: Darrick J. Wong <djwong@kernel.org>
> + Signed-off-by: Pranav Tyagi <pranav.tyagi03@gmail.com>
>
> ## fs/xfs/xfs_buf_item.c ##
> @@ fs/xfs/xfs_buf_item.c: xfs_buf_item_relse(
> ---
>
> Results of testing on various branches:
>
> | Branch | Patch Apply | Build Test |
> |---------------------------|-------------|------------|
> | stable/linux-5.15.y | Success | Success |
Hi,
Just following up on this 5.15.y backport.
Please let me know if anything else is needed from my side.
Regards
Pranav Tyagi
* Re: [PATCH 5.15.y] xfs: fix super block buf log item UAF during force shutdown
From: Greg KH @ 2025-07-04 8:28 UTC
To: Pranav Tyagi; +Cc: Sasha Levin, stable
On Fri, Jul 04, 2025 at 01:16:01PM +0530, Pranav Tyagi wrote:
> On Wed, Jun 25, 2025 at 7:39 PM Sasha Levin <sashal@kernel.org> wrote:
> >
> > [ Sasha's backport helper bot ]
> >
> > Hi,
> >
> > ✅ All tests passed successfully. No issues detected.
> > No action required from the submitter.
> >
> > The upstream commit SHA1 provided is correct: 575689fc0ffa6c4bb4e72fd18e31a6525a6124e0
> >
> > WARNING: Author mismatch between patch and upstream commit:
> > Backport author: Pranav Tyagi<pranav.tyagi03@gmail.com>
> > Commit author: Guo Xuenan<guoxuenan@huawei.com>
> >
> > Status in newer kernel trees:
> > 6.15.y | Present (exact SHA1)
> > 6.12.y | Present (exact SHA1)
> > 6.6.y | Present (exact SHA1)
> > 6.1.y | Present (different SHA1: 0d889ae85fcf)
> >
> > Note: The patch differs from the upstream commit:
> > ---
> > 1: 575689fc0ffa6 ! 1: 9876b048d8f68 xfs: fix super block buf log item UAF during force shutdown
> > @@ Metadata
> > ## Commit message ##
> > xfs: fix super block buf log item UAF during force shutdown
> >
> > + [ Upstream commit 575689fc0ffa6c4bb4e72fd18e31a6525a6124e0 ]
> > +
> > xfs log io error will trigger xlog shut down, and end_io worker call
> > xlog_state_shutdown_callbacks to unpin and release the buf log item.
> > The race condition is that when there are some thread doing transaction
> > @@ Commit message
> > ==================================================================
> > Disabling lock debugging due to kernel taint
> >
> > + [ Backport to 5.15: context cleanly applied with no semantic changes.
> > + Build-tested. ]
> > +
> > Signed-off-by: Guo Xuenan <guoxuenan@huawei.com>
> > Reviewed-by: Darrick J. Wong <djwong@kernel.org>
> > Signed-off-by: Darrick J. Wong <djwong@kernel.org>
> > + Signed-off-by: Pranav Tyagi <pranav.tyagi03@gmail.com>
> >
> > ## fs/xfs/xfs_buf_item.c ##
> > @@ fs/xfs/xfs_buf_item.c: xfs_buf_item_relse(
> > ---
> >
> > Results of testing on various branches:
> >
> > | Branch | Patch Apply | Build Test |
> > |---------------------------|-------------|------------|
> > | stable/linux-5.15.y | Success | Success |
>
> Hi,
>
> Just following up on this 5.15.y backport.
> Please let me know if anything else is needed from my side.
xfs patches need to go through the xfs maintainers for their approval.
"build tested" just doesn't cut it at all, you MUST actually test this
at runtime. Otherwise, why would you even want this patch applied if
you don't have xfs systems that you care about?
thanks,
greg k-h
* Re: [PATCH 5.15.y] xfs: fix super block buf log item UAF during force shutdown
From: Pranav Tyagi @ 2025-07-04 8:45 UTC
To: Greg KH; +Cc: Sasha Levin, stable
On Fri, Jul 4, 2025 at 1:58 PM Greg KH <gregkh@linuxfoundation.org> wrote:
>
> On Fri, Jul 04, 2025 at 01:16:01PM +0530, Pranav Tyagi wrote:
> > On Wed, Jun 25, 2025 at 7:39 PM Sasha Levin <sashal@kernel.org> wrote:
> > >
> > > [ Sasha's backport helper bot ]
> > >
> > > Hi,
> > >
> > > ✅ All tests passed successfully. No issues detected.
> > > No action required from the submitter.
> > >
> > > The upstream commit SHA1 provided is correct: 575689fc0ffa6c4bb4e72fd18e31a6525a6124e0
> > >
> > > WARNING: Author mismatch between patch and upstream commit:
> > > Backport author: Pranav Tyagi<pranav.tyagi03@gmail.com>
> > > Commit author: Guo Xuenan<guoxuenan@huawei.com>
> > >
> > > Status in newer kernel trees:
> > > 6.15.y | Present (exact SHA1)
> > > 6.12.y | Present (exact SHA1)
> > > 6.6.y | Present (exact SHA1)
> > > 6.1.y | Present (different SHA1: 0d889ae85fcf)
> > >
> > > Note: The patch differs from the upstream commit:
> > > ---
> > > 1: 575689fc0ffa6 ! 1: 9876b048d8f68 xfs: fix super block buf log item UAF during force shutdown
> > > @@ Metadata
> > > ## Commit message ##
> > > xfs: fix super block buf log item UAF during force shutdown
> > >
> > > + [ Upstream commit 575689fc0ffa6c4bb4e72fd18e31a6525a6124e0 ]
> > > +
> > > xfs log io error will trigger xlog shut down, and end_io worker call
> > > xlog_state_shutdown_callbacks to unpin and release the buf log item.
> > > The race condition is that when there are some thread doing transaction
> > > @@ Commit message
> > > ==================================================================
> > > Disabling lock debugging due to kernel taint
> > >
> > > + [ Backport to 5.15: context cleanly applied with no semantic changes.
> > > + Build-tested. ]
> > > +
> > > Signed-off-by: Guo Xuenan <guoxuenan@huawei.com>
> > > Reviewed-by: Darrick J. Wong <djwong@kernel.org>
> > > Signed-off-by: Darrick J. Wong <djwong@kernel.org>
> > > + Signed-off-by: Pranav Tyagi <pranav.tyagi03@gmail.com>
> > >
> > > ## fs/xfs/xfs_buf_item.c ##
> > > @@ fs/xfs/xfs_buf_item.c: xfs_buf_item_relse(
> > > ---
> > >
> > > Results of testing on various branches:
> > >
> > > | Branch | Patch Apply | Build Test |
> > > |---------------------------|-------------|------------|
> > > | stable/linux-5.15.y | Success | Success |
> >
> > Hi,
> >
> > Just following up on this 5.15.y backport.
> > Please let me know if anything else is needed from my side.
>
> xfs patches need to go through the xfs maintainers for their approval.
> "build tested" just doesn't cut it at all, you MUST actually test this
> at runtime. Otherwise, why would you even want this patch applied if
> you don't have xfs systems that you care about?
>
> thanks,
>
> greg k-h
Hi Greg,
Apologies for the oversight. I had assumed that a build test would
suffice for a backport since the patch is already merged upstream. I now
understand the importance of runtime testing, even for backports. I’ll
test it on the XFS setup and resend the patch.
Thanks for the clarification.
Regards
Pranav Tyagi
* Re: [PATCH 5.15.y] xfs: fix super block buf log item UAF during force shutdown
From: Greg KH @ 2025-07-04 8:52 UTC
To: Pranav Tyagi; +Cc: Sasha Levin, stable
On Fri, Jul 04, 2025 at 02:15:46PM +0530, Pranav Tyagi wrote:
> On Fri, Jul 4, 2025 at 1:58 PM Greg KH <gregkh@linuxfoundation.org> wrote:
> >
> > On Fri, Jul 04, 2025 at 01:16:01PM +0530, Pranav Tyagi wrote:
> > > On Wed, Jun 25, 2025 at 7:39 PM Sasha Levin <sashal@kernel.org> wrote:
> > > >
> > > > [ Sasha's backport helper bot ]
> > > >
> > > > Hi,
> > > >
> > > > ✅ All tests passed successfully. No issues detected.
> > > > No action required from the submitter.
> > > >
> > > > The upstream commit SHA1 provided is correct: 575689fc0ffa6c4bb4e72fd18e31a6525a6124e0
> > > >
> > > > WARNING: Author mismatch between patch and upstream commit:
> > > > Backport author: Pranav Tyagi<pranav.tyagi03@gmail.com>
> > > > Commit author: Guo Xuenan<guoxuenan@huawei.com>
> > > >
> > > > Status in newer kernel trees:
> > > > 6.15.y | Present (exact SHA1)
> > > > 6.12.y | Present (exact SHA1)
> > > > 6.6.y | Present (exact SHA1)
> > > > 6.1.y | Present (different SHA1: 0d889ae85fcf)
> > > >
> > > > Note: The patch differs from the upstream commit:
> > > > ---
> > > > 1: 575689fc0ffa6 ! 1: 9876b048d8f68 xfs: fix super block buf log item UAF during force shutdown
> > > > @@ Metadata
> > > > ## Commit message ##
> > > > xfs: fix super block buf log item UAF during force shutdown
> > > >
> > > > + [ Upstream commit 575689fc0ffa6c4bb4e72fd18e31a6525a6124e0 ]
> > > > +
> > > > xfs log io error will trigger xlog shut down, and end_io worker call
> > > > xlog_state_shutdown_callbacks to unpin and release the buf log item.
> > > > The race condition is that when there are some thread doing transaction
> > > > @@ Commit message
> > > > ==================================================================
> > > > Disabling lock debugging due to kernel taint
> > > >
> > > > + [ Backport to 5.15: context cleanly applied with no semantic changes.
> > > > + Build-tested. ]
> > > > +
> > > > Signed-off-by: Guo Xuenan <guoxuenan@huawei.com>
> > > > Reviewed-by: Darrick J. Wong <djwong@kernel.org>
> > > > Signed-off-by: Darrick J. Wong <djwong@kernel.org>
> > > > + Signed-off-by: Pranav Tyagi <pranav.tyagi03@gmail.com>
> > > >
> > > > ## fs/xfs/xfs_buf_item.c ##
> > > > @@ fs/xfs/xfs_buf_item.c: xfs_buf_item_relse(
> > > > ---
> > > >
> > > > Results of testing on various branches:
> > > >
> > > > | Branch | Patch Apply | Build Test |
> > > > |---------------------------|-------------|------------|
> > > > | stable/linux-5.15.y | Success | Success |
> > >
> > > Hi,
> > >
> > > Just following up on this 5.15.y backport.
> > > Please let me know if anything else is needed from my side.
> >
> > xfs patches need to go through the xfs maintainers for their approval.
> > "build tested" just doesn't cut it at all, you MUST actually test this
> > at runtime. Otherwise, why would you even want this patch applied if
> > you don't have xfs systems that you care about?
> >
> > thanks,
> >
> > greg k-h
>
> Hi Greg,
>
> Apologies for the oversight. I had assumed that a build test would
> suffice for a backport since the patch is already merged upstream. I now
> understand the importance of runtime testing, even for backports. I’ll
> test it on the XFS setup and resend the patch.
Why do you want/need this backported if it wasn't even tested? Why do
the backport at all?
confused,
greg k-h
* Re: [PATCH 5.15.y] xfs: fix super block buf log item UAF during force shutdown
From: Pranav Tyagi @ 2025-07-04 9:31 UTC
To: Greg KH; +Cc: Sasha Levin, stable
On Fri, Jul 4, 2025 at 2:22 PM Greg KH <gregkh@linuxfoundation.org> wrote:
>
> On Fri, Jul 04, 2025 at 02:15:46PM +0530, Pranav Tyagi wrote:
> > On Fri, Jul 4, 2025 at 1:58 PM Greg KH <gregkh@linuxfoundation.org> wrote:
> > >
> > > On Fri, Jul 04, 2025 at 01:16:01PM +0530, Pranav Tyagi wrote:
> > > > On Wed, Jun 25, 2025 at 7:39 PM Sasha Levin <sashal@kernel.org> wrote:
> > > > >
> > > > > [ Sasha's backport helper bot ]
> > > > >
> > > > > Hi,
> > > > >
> > > > > ✅ All tests passed successfully. No issues detected.
> > > > > No action required from the submitter.
> > > > >
> > > > > The upstream commit SHA1 provided is correct: 575689fc0ffa6c4bb4e72fd18e31a6525a6124e0
> > > > >
> > > > > WARNING: Author mismatch between patch and upstream commit:
> > > > > Backport author: Pranav Tyagi<pranav.tyagi03@gmail.com>
> > > > > Commit author: Guo Xuenan<guoxuenan@huawei.com>
> > > > >
> > > > > Status in newer kernel trees:
> > > > > 6.15.y | Present (exact SHA1)
> > > > > 6.12.y | Present (exact SHA1)
> > > > > 6.6.y | Present (exact SHA1)
> > > > > 6.1.y | Present (different SHA1: 0d889ae85fcf)
> > > > >
> > > > > Note: The patch differs from the upstream commit:
> > > > > ---
> > > > > 1: 575689fc0ffa6 ! 1: 9876b048d8f68 xfs: fix super block buf log item UAF during force shutdown
> > > > > @@ Metadata
> > > > > ## Commit message ##
> > > > > xfs: fix super block buf log item UAF during force shutdown
> > > > >
> > > > > + [ Upstream commit 575689fc0ffa6c4bb4e72fd18e31a6525a6124e0 ]
> > > > > +
> > > > > xfs log io error will trigger xlog shut down, and end_io worker call
> > > > > xlog_state_shutdown_callbacks to unpin and release the buf log item.
> > > > > The race condition is that when there are some thread doing transaction
> > > > > @@ Commit message
> > > > > ==================================================================
> > > > > Disabling lock debugging due to kernel taint
> > > > >
> > > > > + [ Backport to 5.15: context cleanly applied with no semantic changes.
> > > > > + Build-tested. ]
> > > > > +
> > > > > Signed-off-by: Guo Xuenan <guoxuenan@huawei.com>
> > > > > Reviewed-by: Darrick J. Wong <djwong@kernel.org>
> > > > > Signed-off-by: Darrick J. Wong <djwong@kernel.org>
> > > > > + Signed-off-by: Pranav Tyagi <pranav.tyagi03@gmail.com>
> > > > >
> > > > > ## fs/xfs/xfs_buf_item.c ##
> > > > > @@ fs/xfs/xfs_buf_item.c: xfs_buf_item_relse(
> > > > > ---
> > > > >
> > > > > Results of testing on various branches:
> > > > >
> > > > > | Branch | Patch Apply | Build Test |
> > > > > |---------------------------|-------------|------------|
> > > > > | stable/linux-5.15.y | Success | Success |
> > > >
> > > > Hi,
> > > >
> > > > Just following up on this 5.15.y backport.
> > > > Please let me know if anything else is needed from my side.
> > >
> > > xfs patches need to go through the xfs maintainers for their approval.
> > > "build tested" just doesn't cut it at all, you MUST actually test this
> > > at runtime. Otherwise, why would you even want this patch applied if
> > > you don't have xfs systems that you care about?
> > >
> > > thanks,
> > >
> > > greg k-h
> >
> > Hi Greg,
> >
> > Apologies for the oversight. I had assumed that a build test would
> > suffice for a backport since the patch is already merged upstream. I now
> > understand the importance of runtime testing, even for backports. I’ll
> > test it on the XFS setup and resend the patch.
>
> Why do you want/need this backported if it wasn't even tested? Why do
> the backport at all?
>
> confused,
>
> greg k-h
I understand your concern. I came across the upstream patch while
reviewing stable-eligible commits and noticed it hadn’t been backported.
I’ve also been going through the XFS code recently and this seemed like
a good opportunity to get involved. This was the first time I attempted
a backport and was not aware of the workflow.

I realize I should have tested it more thoroughly. Thanks for the
push. I’ll test it properly on XFS and resend it if at all required.
Regards
Pranav Tyagi