Re: [PATCH v3 4/4] xfs: save ailp before dropping the AIL lock in push callbacks

Next message: Jiayuan Chen: "Re: [PATCH] tcp: use WRITE_ONCE() for tsoffset in tcp_v6_connect()"
Previous message: Dave Chinner: "Re: [PATCH v3 3/4] xfs: avoid dereferencing log items after push callbacks"
In reply to: Darrick J. Wong: "Re: [PATCH v3 4/4] xfs: save ailp before dropping the AIL lock in push callbacks"
Next in thread: Yuto Ohnuki: "[PATCH v3 1/4] xfs: stop reclaim before pushing AIL during unmount"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dave Chinner

Date: Tue Mar 10 2026 - 01:28:09 EST

On Sun, Mar 08, 2026 at 06:28:09PM +0000, Yuto Ohnuki wrote:
> In xfs_inode_item_push() and xfs_qm_dquot_logitem_push(), the AIL lock
> is dropped to perform buffer IO. Once the cluster buffer no longer
> protects the log item from reclaim, the log item may be freed by
> background reclaim or the dquot shrinker. The subsequent spin_lock()
> call dereferences lip->li_ailp, which is a use-after-free.
>
> Fix this by saving the ailp pointer in a local variable while the AIL
> lock is held and the log item is guaranteed to be valid.
>
> Reported-by: syzbot+652af2b3c5569c4ab63c@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=652af2b3c5569c4ab63c
> Fixes: 90c60e164012 ("xfs: xfs_iflush() is no longer necessary")
> Cc: <stable@xxxxxxxxxxxxxxx> # v5.9
> Signed-off-by: Yuto Ohnuki <ytohnuki@xxxxxxxxxx>

looks good to me.

Reviewed-by: Dave Chinner <dchinner@xxxxxxxxxx>
--
Dave Chinner
dgc@xxxxxxxxxx