Re: [PATCH v3 3/4] xfs: avoid dereferencing log items after push callbacks

From: Yuto Ohnuki

Date: Tue Mar 10 2026 - 14:00:39 EST


> > After xfsaild_push_item() calls iop_push(), the log item may have been
> > freed if the AIL lock was dropped during the push. The tracepoints in
> > the switch statement dereference the log item after iop_push() returns,
> > which can result in a use-after-free.
> >
> > Fix this by capturing the log item type, flags, and LSN before calling
> > xfsaild_push_item(), and introducing a new xfs_ail_push_class trace
> > event class that takes these pre-captured values and the ailp pointer
> > instead of the log item pointer.
> >
> > Reported-by: syzbot+652af2b3c5569c4ab63c@xxxxxxxxxxxxxxxxxxxxxxxxx
> > Closes: https://syzkaller.appspot.com/bug?extid=652af2b3c5569c4ab63c
> > Fixes: 90c60e164012 ("xfs: xfs_iflush() is no longer necessary")
> > Cc: <stable@xxxxxxxxxxxxxxx> # v5.9
> > Signed-off-by: Yuto Ohnuki <ytohnuki@xxxxxxxxxx>
>
> Reviewed-by: Dave Chinner <dchinner@xxxxxxxxxx>
> --
> Dave Chinner
> dgc@xxxxxxxxxx

Thanks for the review, Dave.

In v4, I reworked the patch ordering so that the bugfix patches come
before the refactoring.

Since the context has changed, I've dropped your Reviewed-by from
this patch in v4 just to be safe. I would appreciate another look
when you get a chance.

Yuto
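The pattern the quoted commit message describes, snapshotting the item fields before the call that may free the item so the tracepoint never reads through a dangling pointer, written out as an added, stand-alone C example. This is not code from the patch or from the XFS tree: `struct log_item`, `push_item()`, `push_then_trace_unsafe()`, `push_then_trace_safe()`, `run_safe_push()` and `run_unsafe_push_nofree()` are hypothetical stand-ins for the log item, `iop_push()` and the push/trace call sites, and the "item freed during push" condition is simulated with an explicit flag rather than by dropping a lock.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for an XFS log item.  The fields are the three values
 * the patch description says get captured (type, flags, LSN); the struct itself
 * is hypothetical, not the kernel's struct xfs_log_item. */
struct log_item {
    unsigned int type;
    unsigned int flags;
    uint64_t lsn;
};

/* What the tracepoint records.  Holding plain values rather than a pointer to
 * the item is the substance of the fix. */
struct push_trace {
    unsigned int type;
    unsigned int flags;
    uint64_t lsn;
};

#define LI_FLAG_PUSHED 0x1u

/* Hypothetical iop_push() stand-in.  Like the real callback it may end up
 * freeing the item (in the kernel that can happen when the AIL lock is dropped
 * during the push); here the caller decides with may_free. */
static void push_item(struct log_item *lip, int may_free)
{
    lip->flags |= LI_FLAG_PUSHED;
    if (may_free)
        free(lip);
}

/* BEFORE: the shape of the bug the patch fixes.  The trace arguments read
 * through lip after push_item() returns, so if the push freed the item this is
 * a use-after-free.  It is only ever invoked here with may_free == 0. */
static struct push_trace push_then_trace_unsafe(struct log_item *lip, int may_free)
{
    struct push_trace rec;
    push_item(lip, may_free);
    rec.type = lip->type;    /* dangling if lip was freed by the push */
    rec.flags = lip->flags;
    rec.lsn = lip->lsn;
    return rec;
}

/* AFTER: capture everything the tracepoint needs before the call that may free
 * the item.  Once push_item() returns, lip is never touched again. */
static struct push_trace push_then_trace_safe(struct log_item *lip, int may_free)
{
    struct push_trace rec = { lip->type, lip->flags, lip->lsn };
    push_item(lip, may_free);
    return rec;
}

/* Driver for the fixed path: allocate an item, push it (optionally letting the
 * push free it), and return what the tracepoint would have recorded. */
struct push_trace run_safe_push(unsigned int type, uint64_t lsn, int may_free)
{
    struct log_item *lip = calloc(1, sizeof(*lip));
    if (!lip) { struct push_trace z = {0, 0, 0}; return z; }
    lip->type = type;
    lip->lsn = lsn;
    struct push_trace rec = push_then_trace_safe(lip, may_free);
    if (!may_free)
        free(lip);
    return rec;
}

/* Driver for the buggy path, restricted to the non-freeing case so that the
 * program never actually performs the use-after-free. */
struct push_trace run_unsafe_push_nofree(unsigned int type, uint64_t lsn)
{
    struct log_item *lip = calloc(1, sizeof(*lip));
    if (!lip) { struct push_trace z = {0, 0, 0}; return z; }
    lip->type = type;
    lip->lsn = lsn;
    struct push_trace rec = push_then_trace_unsafe(lip, 0);
    free(lip);
    return rec;
}
```

One consequence of the fix is visible in the results: the safe path records the flags as they were before the push, so a bit the push itself sets (here `LI_FLAG_PUSHED`) does not appear in the trace, whereas the old after-the-call read would have shown it. That is the trade-off the commit message makes explicit by calling them "pre-captured values". Building the safe path with a tool such as KASAN or AddressSanitizer and running it with `may_free == 1` is a quick way to confirm no read follows the free.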


