Re: [PATCH v3 3/4] xfs: avoid dereferencing log items after push callbacks

Next message: Dave Chinner: "Re: [PATCH v3 4/4] xfs: save ailp before dropping the AIL lock in push callbacks"
Previous message: Dave Chinner: "Re: [PATCH v3 2/4] xfs: refactor xfsaild_push loop into helper"
In reply to: Yuto Ohnuki: "Re: [PATCH v3 3/4] xfs: avoid dereferencing log items after push callbacks"
Next in thread: Yuto Ohnuki: "Re: [PATCH v3 3/4] xfs: avoid dereferencing log items after push callbacks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dave Chinner

Date: Tue Mar 10 2026 - 01:27:20 EST

On Sun, Mar 08, 2026 at 06:28:08PM +0000, Yuto Ohnuki wrote:
> After xfsaild_push_item() calls iop_push(), the log item may have been
> freed if the AIL lock was dropped during the push. The tracepoints in
> the switch statement dereference the log item after iop_push() returns,
> which can result in a use-after-free.
>
> Fix this by capturing the log item type, flags, and LSN before calling
> xfsaild_push_item(), and introducing a new xfs_ail_push_class trace
> event class that takes these pre-captured values and the ailp pointer
> instead of the log item pointer.
>
> Reported-by: syzbot+652af2b3c5569c4ab63c@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=652af2b3c5569c4ab63c
> Fixes: 90c60e164012 ("xfs: xfs_iflush() is no longer necessary")
> Cc: <stable@xxxxxxxxxxxxxxx> # v5.9
> Signed-off-by: Yuto Ohnuki <ytohnuki@xxxxxxxxxx>

Reviewed-by: Dave Chinner <dchinner@xxxxxxxxxx>
--
Dave Chinner
dgc@xxxxxxxxxx