From nobody Mon Apr 13 13:11:34 2026
Return-Path: <linux-kernel-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id C8F81C433FE
	for <linux-kernel@archiver.kernel.org>; Sun, 13 Nov 2022 15:25:00 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S235201AbiKMPY7 (ORCPT <rfc822;linux-kernel@archiver.kernel.org>);
        Sun, 13 Nov 2022 10:24:59 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41050 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233029AbiKMPYy (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 13 Nov 2022 10:24:54 -0500
Received: from mail-yb1-xb49.google.com (mail-yb1-xb49.google.com
 [IPv6:2607:f8b0:4864:20::b49])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 06D91958F
        for <linux-kernel@vger.kernel.org>;
 Sun, 13 Nov 2022 07:24:54 -0800 (PST)
Received: by mail-yb1-xb49.google.com with SMTP id
 j73-20020a25d24c000000b006dca101748bso8547844ybg.14
        for <linux-kernel@vger.kernel.org>;
 Sun, 13 Nov 2022 07:24:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20210112;
        h=cc:to:from:subject:message-id:mime-version:date:from:to:cc:subject
         :date:message-id:reply-to;
        bh=wESqFKb7C5s2QIMr5hhjMl9Ig7evvOrmD1dhNzXIW7o=;
        b=oHeNec/6hDQHpPziy+sFHVcQQepLBtNOeV+UpNDq9YuXKjTOI3Y6ngmG3Je5yl55kT
         FgJD2CLza9PiZ9r4XK2zVoFdb/ANe77FPSHUDW5+CkVC2QTH46KjkqH1DNYGAd3ZyXbM
         OwsWSiagrMQfBdwIP7GC7rz2WKxRpfzmviURhryTUq8VrKGB/vIZS6dwwUpSAzhYIDXv
         V5wfuOL2c7fOxxjadOie4ysNlI8wFITKa8iuyJjk9hjoDexlntBADRcwLZGGVCLZffcr
         uePdi5e3c3i8948Jcz2WWluMckOs+cdF45cXtiJ2nK+mjOUHe1lxOrb20yTXtvNy7OHe
         ddRA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=cc:to:from:subject:message-id:mime-version:date:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=wESqFKb7C5s2QIMr5hhjMl9Ig7evvOrmD1dhNzXIW7o=;
        b=OjoDtRFoYidAAB1+QRYbw53EgH5a7+1HC3J+NW3awskqyPHWcymIejVsu0Sx3qZiem
         TQ041tbhEnvJiTwcSJQyAFZhMj3MinV8Z4/vUozZjlPINNtd30scu1qHd7OuXJfMHmer
         XXIEjxwAQu5eTsR8i6oOYI5p4EhO8d0KUUZGbWa2XB45PrGZ0rSoAOr8jkBwzUfliLRA
         X1OrcqWT6/8DgLjcTejKCXyuaiKUqInaljSazVV0nUY1b/I8LksaHSChJNhazihIdT1o
         g+kmOHO6/vIogkqXdhiTVvjVLm8j91sKw185vttSoxCzCas4dR6wroCOyRfNro2S1Kn5
         bM+A==
X-Gm-Message-State: ACrzQf0RDFWXrvUBp77BiJJVid93HzpXJni5wOB+u5HTUNfIOsOkrQQ8
        rnPBS08pARJ+LLsG9+TXfpJ/MvVfQ8Jutr1n
X-Google-Smtp-Source: 
 AMsMyM6U7914bEE9NdmqS50DHAsU7/CmOSVNlQ3fW9yfV9JpHfzsUNM8rdhgoCPLeXLaOGx1Vy50NA5yKWmiOM/U
X-Received: from feldsherov-ws1.tlv.corp.google.com
 ([2620:0:1045:10:7dda:435d:701d:5257])
 (user=feldsherov job=sendgmr) by 2002:a0d:fcc6:0:b0:349:7d12:7255 with SMTP
 id m189-20020a0dfcc6000000b003497d127255mr64188333ywf.427.1668353092929; Sun,
 13 Nov 2022 07:24:52 -0800 (PST)
Date: Sun, 13 Nov 2022 17:24:39 +0200
Mime-Version: 1.0
X-Mailer: git-send-email 2.38.1.431.g37b22c650d-goog
Message-ID: <20221113152439.2821942-1-feldsherov@google.com>
Subject: [PATCH] fs: do not push freeing inode to b_dirty_time list
From: Svyatoslav Feldsherov <feldsherov@google.com>
To: Alexander Viro <viro@zeniv.linux.org.uk>,
        Lukas Czerner <lczerner@redhat.com>,
        "Theodore Ts'o" <tytso@mit.edu>, Jan Kara <jack@suse.cz>
Cc: syzbot+6ba92bd00d5093f7e371@syzkaller.appspotmail.com,
        oferz@google.com, linux-fsdevel@vger.kernel.org,
        linux-kernel@vger.kernel.org,
        Svyatoslav Feldsherov <feldsherov@google.com>
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

After commit cbfecb927f42 ("fs: record I_DIRTY_TIME even if inode
already has I_DIRTY_INODE") writeiback_single_inode can push inode with
I_DIRTY_TIME set to b_dirty_time list. In case of freeing inode with
I_DIRTY_TIME set this can happened after deletion of inode io_list at
evict. Stack trace is following.

evict
fat_evict_inode
fat_truncate_blocks
fat_flush_inodes
writeback_inode
sync_inode_metadata
writeback_single_inode

This will lead to use after free in flusher thread.

Fixes: cbfecb927f42 ("fs: record I_DIRTY_TIME even if inode already has I_D=
IRTY_INODE")
Reported-by: syzbot+6ba92bd00d5093f7e371@syzkaller.appspotmail.com
Signed-off-by: Svyatoslav Feldsherov <feldsherov@google.com>
---
 fs/fs-writeback.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
index 443f83382b9b..31c93cbdb3fe 100644
--- a/fs/fs-writeback.c
+++ b/fs/fs-writeback.c
@@ -1718,7 +1718,7 @@ static int writeback_single_inode(struct inode *inode,
 	 */
 	if (!(inode->i_state & I_DIRTY_ALL))
 		inode_cgwb_move_to_attached(inode, wb);
-	else if (!(inode->i_state & I_SYNC_QUEUED)) {
+	else if (!(inode->i_state & (I_SYNC_QUEUED | I_FREEING))) {
 		if ((inode->i_state & I_DIRTY))
 			redirty_tail_locked(inode, wb);
 		else if (inode->i_state & I_DIRTY_TIME) {
--=20
2.38.1.431.g37b22c650d-goog