[PATCH v2 1/2] xfs: fix inode ref leak in attr intent recovery

Next message: Tuo Li: "Re: [PATCH] fbdev:modedb: fix a possible UAF in fb_find_mode()"
Previous message: Yingjie Gao: "[PATCH v2 0/2] xfs: fix inode leak and clean up attr intent recovery"
In reply to: Yingjie Gao: "[PATCH v2 0/2] xfs: fix inode leak and clean up attr intent recovery"
Next in thread: Darrick J. Wong: "Re: [PATCH v2 1/2] xfs: fix inode ref leak in attr intent recovery"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Yingjie Gao

Date: Tue Jun 09 2026 - 22:23:31 EST

xfs_attri_recover_work() grabs the target inode, attaches it to the
reconstructed attr work item, and adds that work item to the defer
pending list.

If xfs_attr_recover_work() fails to allocate the recovery transaction,
it returns immediately without dropping the inode reference. The later
cancel path only frees the attr work item state, so the inode reference
leaks.

Send the failure through the existing cleanup path so the inode
reference is dropped before the function returns the error.

Fixes: e70fb328d527 ("xfs: recreate work items when recovering intent items")
Cc: <stable@xxxxxxxxxxxxxxx> # v6.8
Signed-off-by: Yingjie Gao <gaoyingjie@xxxxxxxxxxxxx>
---
fs/xfs/xfs_attr_item.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/xfs/xfs_attr_item.c b/fs/xfs/xfs_attr_item.c
index deab14f31b38..841838bc1d0f 100644
--- a/fs/xfs/xfs_attr_item.c
+++ b/fs/xfs/xfs_attr_item.c
@@ -774,7 +774,7 @@ xfs_attr_recover_work(
resv = xlog_recover_resv(&resv);
error = xfs_trans_alloc(mp, &resv, total, 0, XFS_TRANS_RESERVE, &tp);
if (error)
- return error;
+ goto out_rele;
args->trans = tp;

xfs_ilock(ip, XFS_ILOCK_EXCL);
@@ -791,6 +791,7 @@ xfs_attr_recover_work(
error = xfs_defer_ops_capture_and_commit(tp, capture_list);
out_unlock:
xfs_iunlock(ip, XFS_ILOCK_EXCL);
+out_rele:
xfs_irele(ip);
return error;
out_cancel:
--
2.20.1