From: Nazar Kalashnikov
To: stable@vger.kernel.org, Greg Kroah-Hartman
Cc: Nazar Kalashnikov, Alexander Viro, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org, Jiufei Xue, Jan Kara, Christian Brauner
Subject: [PATCH 5.10] fs: writeback: fix use-after-free in __mark_inode_dirty()
Date: Fri, 28 Nov 2025 17:41:19 +0300
Message-ID: <20251128144121.54603-1-sivartiwe@gmail.com>
X-Mailer: git-send-email 2.43.0
X-Mailing-List: linux-kernel@vger.kernel.org
From: Jiufei Xue

[ Upstream commit d02d2c98d25793902f65803ab853b592c7a96b29 ]

A use-after-free issue occurred when __mark_inode_dirty() got the
bdi_writeback that was in the process of switching.

CPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1
......
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __mark_inode_dirty+0x124/0x418
lr : __mark_inode_dirty+0x118/0x418
sp : ffffffc08c9dbbc0
........
Call trace:
 __mark_inode_dirty+0x124/0x418
 generic_update_time+0x4c/0x60
 file_modified+0xcc/0xd0
 ext4_buffered_write_iter+0x58/0x124
 ext4_file_write_iter+0x54/0x704
 vfs_write+0x1c0/0x308
 ksys_write+0x74/0x10c
 __arm64_sys_write+0x1c/0x28
 invoke_syscall+0x48/0x114
 el0_svc_common.constprop.0+0xc0/0xe0
 do_el0_svc+0x1c/0x28
 el0_svc+0x40/0xe4
 el0t_64_sync_handler+0x120/0x12c
 el0t_64_sync+0x194/0x198

Root cause is:

systemd-random-seed                        kworker
----------------------------------------------------------------------
___mark_inode_dirty                        inode_switch_wbs_work_fn
  spin_lock(&inode->i_lock);
  inode_attach_wb
  locked_inode_to_wb_and_lock_list
    get inode->i_wb
    spin_unlock(&inode->i_lock);
    spin_lock(&wb->list_lock)
    spin_lock(&inode->i_lock)
    inode_io_list_move_locked
    spin_unlock(&wb->list_lock)
    spin_unlock(&inode->i_lock)
                                           spin_lock(&old_wb->list_lock)
                                           inode_do_switch_wbs
                                             spin_lock(&inode->i_lock)
                                             inode->i_wb = new_wb
                                             spin_unlock(&inode->i_lock)
                                           spin_unlock(&old_wb->list_lock)
                                           wb_put_many(old_wb, nr_switched)
                                             cgwb_release
                                               old wb released
  wb_wakeup_delayed() accesses wb,
  then triggers the use-after-free issue

Fix this race condition by holding inode spinlock until wb_wakeup_delayed()
has finished.

Signed-off-by: Jiufei Xue
Link: https://lore.kernel.org/20250728100715.3863241-1-jiufei.xue@samsung.com
Reviewed-by: Jan Kara
Signed-off-by: Christian Brauner
Signed-off-by: Nazar Kalashnikov
---
Backport fix for CVE-2025-39866

 fs/fs-writeback.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c index 045a3bd520ca..ba70508b405d 100644 --- a/fs/fs-writeback.c +++ b/fs/fs-writeback.c @@ -2326,9 +2326,6 @@ void __mark_inode_dirty(struct inode *inode, int flag= s) wakeup_bdi =3D inode_io_list_move_locked(inode, wb, dirty_list); =20 - spin_unlock(&wb->list_lock); - trace_writeback_dirty_inode_enqueue(inode); - /* * If this is the first dirty inode for this bdi, * we have to wake-up the corresponding bdi thread @@ -2338,6 +2335,10 @@ void __mark_inode_dirty(struct inode *inode, int fla= gs) if (wakeup_bdi && (wb->bdi->capabilities & BDI_CAP_WRITEBACK)) wb_wakeup_delayed(wb); + + spin_unlock(&wb->list_lock); + trace_writeback_dirty_inode_enqueue(inode); + return; } } --=20 2.43.0
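Review bot: the justification for the second hunk (the one adding spin_unlock(&wb->list_lock) after wb_wakeup_delayed(wb)) does not match the commit message and the backport note should say why. The message says the race is closed "by holding inode spinlock until wb_wakeup_delayed() finished", but the removed lines contain no spin_unlock(&inode->i_lock), only spin_unlock(&wb->list_lock), and the race diagram shows locked_inode_to_wb_and_lock_list dropping inode->i_lock before the list move, so in this 5.10 context inode->i_lock is not what keeps wb alive. The hunk is still correct on its own terms: the diagram shows the kworker taking spin_lock(&old_wb->list_lock) before inode_do_switch_wbs and reaching wb_put_many(old_wb, nr_switched) and cgwb_release only after spin_unlock(&old_wb->list_lock), so keeping wb->list_lock held until after wb_wakeup_delayed() returns prevents the old wb from being released underneath it. Suggest extending the "Backport fix for CVE-2025-39866" line with that reasoning, e.g. "In 5.10 inode->i_lock is not held at this point; wb->list_lock alone serialises against inode_switch_wbs_work_fn, which takes old_wb->list_lock before switching and dropping its references." Minor: trace_writeback_dirty_inode_enqueue(inode) now fires with wb->list_lock held, which reverses the pre-patch order; harmless for a tracepoint, but worth a word in the same note.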