From: Deepanshu Kartikey
To: agruenba@redhat.com
Cc: gfs2@lists.linux.dev, linux-kernel@vger.kernel.org, Deepanshu Kartikey, syzbot+ea1cd4aa4d1e98458a55@syzkaller.appspotmail.com
Subject: [PATCH] gfs2: Fix use-after-free in iomap inline data write path
Date: Fri, 30 Jan 2026 14:51:34 +0530
Message-ID: <20260130092134.62407-1-kartikey406@gmail.com>
X-Mailer: git-send-email 2.43.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

The inline data buffer head (dibh) is being released prematurely in
gfs2_iomap_begin() via release_metapath(), while iomap->inline_data
still points to dibh->b_data. This causes a use-after-free when
iomap_write_end_inline() later attempts to write to the inline data area.

The bug sequence:

1. gfs2_iomap_begin() calls gfs2_meta_inode_buffer() to read inode metadata into dibh
2. Sets iomap->inline_data = dibh->b_data + sizeof(struct gfs2_dinode)
3. Calls release_metapath() which calls brelse(dibh), dropping refcount to 0
4. kswapd reclaims the page (~39ms later in the syzbot report)
5. iomap_write_end_inline() tries to memcpy() to iomap->inline_data
6. KASAN detects use-after-free write to freed memory

Fix by storing dibh in iomap->private and incrementing its refcount with
get_bh() in gfs2_iomap_begin(). The buffer is then properly released in
gfs2_iomap_end() after the inline write completes, ensuring the page
stays alive for the entire iomap operation.

Note: A C reproducer is not available for this issue. The fix is based
on analysis of the KASAN report and code review showing the buffer head
is freed before use.

Reported-by: syzbot+ea1cd4aa4d1e98458a55@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ea1cd4aa4d1e98458a55
Signed-off-by: Deepanshu Kartikey
---
 fs/gfs2/bmap.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/fs/gfs2/bmap.c b/fs/gfs2/bmap.c index 131091520de6..e70095809e4a 100644 --- a/fs/gfs2/bmap.c +++ b/fs/gfs2/bmap.c @@ -887,6 +887,8 @@ static int __gfs2_iomap_get(struct inode *inode, loff_t= pos, loff_t length, sizeof(struct gfs2_dinode); iomap->type =3D IOMAP_INLINE; iomap->inline_data =3D dibh->b_data + sizeof(struct gfs2_dinode); + iomap->private =3D dibh; + get_bh(dibh); goto out; } =20 @@ -1144,6 +1146,12 @@ static int gfs2_iomap_end(struct inode *inode, loff_= t pos, loff_t length, struct gfs2_inode *ip =3D GFS2_I(inode); struct gfs2_sbd *sdp =3D GFS2_SB(inode); =20 + /* Release buffer head for inline data */ + if (iomap->type =3D=3D IOMAP_INLINE && iomap->private) { + brelse(iomap->private); + iomap->private =3D NULL; + } + switch (flags & (IOMAP_WRITE | IOMAP_ZERO)) { case IOMAP_WRITE: if (flags & IOMAP_DIRECT) --=20 2.43.0
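Review bot: The get_bh() in the first hunk lands in __gfs2_iomap_get() (see the @@ context), not in gfs2_iomap_begin() as the commit message states, so the reference is now taken by any caller of __gfs2_iomap_get() on a stuffed inode, and any such caller that releases its metapath without later going through gfs2_iomap_end() leaks a buffer head reference. The same happens if gfs2_iomap_begin() fails after this point, because iomap_iter() does not call ->iomap_end when ->iomap_begin returns an error. Either take the reference only on the gfs2_iomap_begin() path and drop it on that function's error exits, or state in the commit message why every caller of __gfs2_iomap_get() is paired with gfs2_iomap_end(); in either case the message should name the function actually changed.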
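Review bot: In the gfs2_iomap_end() hunk, gating the brelse() on `iomap->type == IOMAP_INLINE` ties the release to state that can change between begin and end: if the begin side re-fills the iomap after the reference was stored in iomap->private (an inline mapping converted during the write, for instance), the type check fails, the brelse() is skipped and the reference leaks. The stored pointer itself records that a reference is held, so `if (iomap->private)` alone is the safer condition. Placing the release ahead of the switch is right, since it also covers the IOMAP_DIRECT and read-only early returns.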
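The lifetime rule behind the fix (a pointer into dibh->b_data is only valid while a buffer head reference is held, and that reference must be dropped exactly once in the end hook) as an added userspace model; this is not kernel code and not part of the patch. The names model_iomap_begin, model_iomap_end, model_write_end_inline, run_inline_write and g_bh are made up, and DINODE_HDR stands in for sizeof(struct gfs2_dinode).

```c
/* Added example, not kernel code: a userspace model of the buffer-head lifetime
 * the patch above fixes. model_*, run_inline_write and g_bh are hypothetical
 * names; DINODE_HDR stands in for sizeof(struct gfs2_dinode). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define DINODE_HDR 8
struct bh { int refcount; int reclaimed; char b_data[64]; };          /* buffer_head */
struct map { int is_inline; char *inline_data; struct bh *private; }; /* struct iomap */
struct metapath { struct bh *mp_bh0; };
static struct bh *g_bh;                         /* the single cached page in the model */
static struct bh *meta_inode_buffer(void) {     /* gfs2_meta_inode_buffer(): one ref */
    g_bh = calloc(1, sizeof *g_bh); g_bh->refcount = 1; return g_bh;
}
static void get_bh(struct bh *b) { b->refcount++; }
static void brelse(struct bh *b) { if (--b->refcount == 0) b->reclaimed = 1; } /* reclaimable */
static void release_metapath(struct metapath *mp) { brelse(mp->mp_bh0); mp->mp_bh0 = NULL; }
static void model_iomap_begin(struct map *m, int with_fix) {
    struct metapath mp = { meta_inode_buffer() };
    m->is_inline = 1;
    m->inline_data = mp.mp_bh0->b_data + DINODE_HDR;
    if (with_fix) { m->private = mp.mp_bh0; get_bh(mp.mp_bh0); } /* hold it for the write */
    release_metapath(&mp);                      /* without the fix the refcount hits 0 here */
}
static int model_write_end_inline(struct map *m, const char *src) {
    if (g_bh->reclaimed) return -1;             /* where KASAN would report the UAF write */
    memcpy(m->inline_data, src, strlen(src) + 1);
    return 0;
}
static void model_iomap_end(struct map *m) {    /* the patch's release in gfs2_iomap_end() */
    if (m->is_inline && m->private) { brelse(m->private); m->private = NULL; }
}
/* Returns 0 when the write landed and the reference count balanced, -1 on a
 * use-after-free, -2 when the reference taken in begin was never dropped. */
int run_inline_write(int with_fix, int call_end) {
    struct map m = { 0 };
    int rc = -1;
    model_iomap_begin(&m, with_fix);
    if (model_write_end_inline(&m, "hi") == 0) {
        if (call_end) model_iomap_end(&m);
        rc = (g_bh->reclaimed && strcmp(g_bh->b_data + DINODE_HDR, "hi") == 0) ? 0 : -2;
    }
    free(g_bh);
    return rc;
}
int main(void) {
    printf("unfixed: %d  fixed: %d  fixed but end never called: %d\n",
           run_inline_write(0, 1), run_inline_write(1, 1), run_inline_write(1, 0));
    return 0;
}
```

The third case is the hazard a reviewer checks for: a reference taken in begin on a path that never reaches end is a leak rather than a crash, so it does not show up in a KASAN report.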