From: Yuto Ohnuki
To: Carlos Maiolino, Dave Chinner
CC: "Darrick J. Wong", Brian Foster, Yuto Ohnuki
Subject: [PATCH v3 1/4] xfs: stop reclaim before pushing AIL during unmount
Date: Sun, 8 Mar 2026 18:28:06 +0000
Message-ID: <20260308182804.33127-7-ytohnuki@amazon.com>
In-Reply-To: <20260308182804.33127-6-ytohnuki@amazon.com>
References: <20260308182804.33127-6-ytohnuki@amazon.com>
X-Mailing-List: linux-kernel@vger.kernel.org

The unmount sequence in xfs_unmount_flush_inodes() pushes the AIL while
background reclaim and inodegc are still running. This creates a race
where reclaim can free inodes and their log items while the AIL push is
still referencing them.

Reorder xfs_unmount_flush_inodes() to cancel background reclaim and stop
inodegc before pushing the AIL, so that background reclaim and inodegc
are no longer running while the AIL is pushed.

Reported-by: syzbot+652af2b3c5569c4ab63c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=652af2b3c5569c4ab63c
Fixes: 90c60e164012 ("xfs: xfs_iflush() is no longer necessary")
Cc: # v5.9
Signed-off-by: Yuto Ohnuki
---
 fs/xfs/xfs_mount.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/xfs/xfs_mount.c b/fs/xfs/xfs_mount.c
index 9c295abd0a0a..786e1fc720e5 100644
--- a/fs/xfs/xfs_mount.c
+++ b/fs/xfs/xfs_mount.c
@@ -621,9 +621,9 @@ xfs_unmount_flush_inodes( =20 xfs_set_unmounting(mp); =20 - xfs_ail_push_all_sync(mp->m_ail); - xfs_inodegc_stop(mp); cancel_delayed_work_sync(&mp->m_reclaim_work); + xfs_inodegc_stop(mp); + xfs_ail_push_all_sync(mp->m_ail); xfs_reclaim_inodes(mp); xfs_health_unmount(mp); xfs_healthmon_unmount(mp);
-- 
2.50.1

Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg, R.C.S. Luxembourg B186284
Amazon Web Services EMEA SARL, Irish Branch, One Burlington Plaza, Burlington Road, Dublin 4, Ireland, branch registration number 908705
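Review bot: besides moving xfs_ail_push_all_sync() last, this hunk also swaps the relative order of xfs_inodegc_stop() and cancel_delayed_work_sync(&mp->m_reclaim_work) (the removed lines stopped inodegc first, the added lines cancel the reclaim work first), and the commit message only justifies the AIL push move. If the last inodegc work that xfs_inodegc_stop() drains can mark inodes reclaimable and re-arm m_reclaim_work, cancelling the delayed work before stopping inodegc leaves a window in which reclaim is queued again and runs alongside the AIL push, which is exactly the race being closed. Either keep the old relative order, `xfs_inodegc_stop(mp); cancel_delayed_work_sync(&mp->m_reclaim_work); xfs_ail_push_all_sync(mp->m_ail);`, or state in the commit message why a re-arm cannot happen once xfs_set_unmounting(mp) has been called.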
From: Yuto Ohnuki
To: Carlos Maiolino, Dave Chinner
CC: "Darrick J. Wong", Brian Foster, Yuto Ohnuki
Subject: [PATCH v3 2/4] xfs: refactor xfsaild_push loop into helper
Date: Sun, 8 Mar 2026 18:28:07 +0000
Message-ID: <20260308182804.33127-8-ytohnuki@amazon.com>
In-Reply-To: <20260308182804.33127-6-ytohnuki@amazon.com>
References: <20260308182804.33127-6-ytohnuki@amazon.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Factor the loop body of xfsaild_push() into a separate
xfsaild_process_logitem() helper to improve readability. This is a pure
code movement with no functional change.

The subsequent patch to fix a use-after-free in the AIL push path
depends on this refactoring.

Cc: # v5.9
Signed-off-by: Yuto Ohnuki
Reviewed-by: Dave Chinner
---
 fs/xfs/xfs_trans_ail.c | 116 +++++++++++++++++++++++------------------
 1 file changed, 64 insertions(+), 52 deletions(-)

diff --git a/fs/xfs/xfs_trans_ail.c b/fs/xfs/xfs_trans_ail.c
index 923729af4206..ac747804e1d6 100644
--- a/fs/xfs/xfs_trans_ail.c
+++ b/fs/xfs/xfs_trans_ail.c
@@ -458,6 +458,69 @@ xfs_ail_calc_push_target( return target_lsn; } =20 +static void +xfsaild_process_logitem( + struct xfs_ail *ailp, + struct xfs_log_item *lip, + xfs_lsn_t lsn, + int *stuck, + int *flushing) +{ + struct xfs_mount *mp =3D ailp->ail_log->l_mp; + int lock_result; + + /* + * Note that iop_push may unlock and reacquire the AIL lock. We + * rely on the AIL cursor implementation to be able to deal with + * the dropped lock. + */ + lock_result =3D xfsaild_push_item(ailp, lip); + switch (lock_result) { + case XFS_ITEM_SUCCESS: + XFS_STATS_INC(mp, xs_push_ail_success); + trace_xfs_ail_push(lip); + + ailp->ail_last_pushed_lsn =3D lsn; + break; + + case XFS_ITEM_FLUSHING: + /* + * The item or its backing buffer is already being + * flushed. The typical reason for that is that an + * inode buffer is locked because we already pushed the + * updates to it as part of inode clustering. + * + * We do not want to stop flushing just because lots + * of items are already being flushed, but we need to + * re-try the flushing relatively soon if most of the + * AIL is being flushed. + */ + XFS_STATS_INC(mp, xs_push_ail_flushing); + trace_xfs_ail_flushing(lip); + + (*flushing)++; + ailp->ail_last_pushed_lsn =3D lsn; + break; + + case XFS_ITEM_PINNED: + XFS_STATS_INC(mp, xs_push_ail_pinned); + trace_xfs_ail_pinned(lip); + + (*stuck)++; + ailp->ail_log_flush++; + break; + case XFS_ITEM_LOCKED: + XFS_STATS_INC(mp, xs_push_ail_locked); + trace_xfs_ail_locked(lip); + + (*stuck)++; + break; + default: + ASSERT(0); + break; + } +} + static long xfsaild_push( struct xfs_ail *ailp) 
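Review bot: the new xfsaild_process_logitem() has no comment stating its contract, and it now has three side channels a reader cannot see from the signature: *stuck and *flushing are only ever incremented (the caller keeps the totals), ailp->ail_last_pushed_lsn and ailp->ail_log_flush are updated in place, and the lsn argument is expected to equal lip->li_lsn at the call site (the caller assigns `lsn = lip->li_lsn` just before the loop). A short block comment above the function covering those three points would make the next patch's change to this function easier to review; the moved note about iop_push dropping and reacquiring the AIL lock is also the natural place to say that lip must not be touched once xfsaild_push_item() returns.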
@@ -505,62 +568,11 @@ xfsaild_push( =20 lsn =3D lip->li_lsn; while ((XFS_LSN_CMP(lip->li_lsn, ailp->ail_target) <=3D 0)) { - int lock_result; =20 if (test_bit(XFS_LI_FLUSHING, &lip->li_flags)) goto next_item; =20 - /* - * Note that iop_push may unlock and reacquire the AIL lock. We - * rely on the AIL cursor implementation to be able to deal with - * the dropped lock. - */ - lock_result =3D xfsaild_push_item(ailp, lip); - switch (lock_result) { - case XFS_ITEM_SUCCESS: - XFS_STATS_INC(mp, xs_push_ail_success); - trace_xfs_ail_push(lip); - - ailp->ail_last_pushed_lsn =3D lsn; - break; - - case XFS_ITEM_FLUSHING: - /* - * The item or its backing buffer is already being - * flushed. The typical reason for that is that an - * inode buffer is locked because we already pushed the - * updates to it as part of inode clustering. - * - * We do not want to stop flushing just because lots - * of items are already being flushed, but we need to - * re-try the flushing relatively soon if most of the - * AIL is being flushed. - */ - XFS_STATS_INC(mp, xs_push_ail_flushing); - trace_xfs_ail_flushing(lip); - - flushing++; - ailp->ail_last_pushed_lsn =3D lsn; - break; - - case XFS_ITEM_PINNED: - XFS_STATS_INC(mp, xs_push_ail_pinned); - trace_xfs_ail_pinned(lip); - - stuck++; - ailp->ail_log_flush++; - break; - case XFS_ITEM_LOCKED: - XFS_STATS_INC(mp, xs_push_ail_locked); - trace_xfs_ail_locked(lip); - - stuck++; - break; - default: - ASSERT(0); - break; - } - + xfsaild_process_logitem(ailp, lip, lsn, &stuck, &flushing); count++; =20 /*
-- 
2.50.1
From: Yuto Ohnuki
To: Carlos Maiolino, Dave Chinner
CC: "Darrick J. Wong", Brian Foster, Yuto Ohnuki
Subject: [PATCH v3 3/4] xfs: avoid dereferencing log items after push callbacks
Date: Sun, 8 Mar 2026 18:28:08 +0000
Message-ID: <20260308182804.33127-9-ytohnuki@amazon.com>
In-Reply-To: <20260308182804.33127-6-ytohnuki@amazon.com>
References: <20260308182804.33127-6-ytohnuki@amazon.com>
X-Mailing-List: linux-kernel@vger.kernel.org

After xfsaild_push_item() calls iop_push(), the log item may have been
freed if the AIL lock was dropped during the push. The tracepoints in
the switch statement dereference the log item after iop_push() returns,
which can result in a use-after-free.

Fix this by capturing the log item type, flags, and LSN before calling
xfsaild_push_item(), and introducing a new xfs_ail_push_class trace
event class that takes these pre-captured values and the ailp pointer
instead of the log item pointer.

Reported-by: syzbot+652af2b3c5569c4ab63c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=652af2b3c5569c4ab63c
Fixes: 90c60e164012 ("xfs: xfs_iflush() is no longer necessary")
Cc: # v5.9
Signed-off-by: Yuto Ohnuki
Reviewed-by: Dave Chinner
---
 fs/xfs/xfs_trace.h     | 36 ++++++++++++++++++++++++++++++++----
 fs/xfs/xfs_trans_ail.c | 24 ++++++++++++++++--------
 2 files changed, 48 insertions(+), 12 deletions(-)

diff --git a/fs/xfs/xfs_trace.h b/fs/xfs/xfs_trace.h
index 813e5a9f57eb..0e994b3f768f 100644
--- a/fs/xfs/xfs_trace.h
+++ b/fs/xfs/xfs_trace.h
@@ -56,6 +56,7 @@ #include =20 struct xfs_agf; +struct xfs_ail; struct xfs_alloc_arg; struct xfs_attr_list_context; struct xfs_buf_log_item;
@@ -1650,16 +1651,43 @@ TRACE_EVENT(xfs_log_force, DEFINE_EVENT(xfs_log_item_class, name, \ TP_PROTO(struct xfs_log_item *lip), \ TP_ARGS(lip)) -DEFINE_LOG_ITEM_EVENT(xfs_ail_push); -DEFINE_LOG_ITEM_EVENT(xfs_ail_pinned); -DEFINE_LOG_ITEM_EVENT(xfs_ail_locked); -DEFINE_LOG_ITEM_EVENT(xfs_ail_flushing); DEFINE_LOG_ITEM_EVENT(xfs_cil_whiteout_mark); DEFINE_LOG_ITEM_EVENT(xfs_cil_whiteout_skip); DEFINE_LOG_ITEM_EVENT(xfs_cil_whiteout_unpin); DEFINE_LOG_ITEM_EVENT(xlog_ail_insert_abort); DEFINE_LOG_ITEM_EVENT(xfs_trans_free_abort); =20 +DECLARE_EVENT_CLASS(xfs_ail_push_class, + TP_PROTO(struct xfs_ail *ailp, uint type, unsigned long flags, xfs_lsn_t = lsn), + TP_ARGS(ailp, type, flags, lsn), + TP_STRUCT__entry( + __field(dev_t, dev) + __field(uint, type) + __field(unsigned long, flags) + __field(xfs_lsn_t, lsn) + ), + TP_fast_assign( + __entry->dev =3D ailp->ail_log->l_mp->m_super->s_dev; + __entry->type =3D type; + __entry->flags =3D flags; + __entry->lsn =3D lsn; + ), + TP_printk("dev %d:%d lsn %d/%d type %s flags %s", + MAJOR(__entry->dev), MINOR(__entry->dev), + CYCLE_LSN(__entry->lsn), BLOCK_LSN(__entry->lsn), + __print_symbolic(__entry->type, XFS_LI_TYPE_DESC), + __print_flags(__entry->flags, "|", XFS_LI_FLAGS)) +) + +#define DEFINE_AIL_PUSH_EVENT(name) \ +DEFINE_EVENT(xfs_ail_push_class, name, \ + TP_PROTO(struct xfs_ail *ailp, uint type, unsigned long flags, xfs_lsn_t = lsn), \ + TP_ARGS(ailp, type, flags, lsn)) +DEFINE_AIL_PUSH_EVENT(xfs_ail_push); +DEFINE_AIL_PUSH_EVENT(xfs_ail_pinned); +DEFINE_AIL_PUSH_EVENT(xfs_ail_locked); +DEFINE_AIL_PUSH_EVENT(xfs_ail_flushing); + DECLARE_EVENT_CLASS(xfs_ail_class, TP_PROTO(struct xfs_log_item *lip, xfs_lsn_t old_lsn, xfs_lsn_t new_lsn), TP_ARGS(lip, old_lsn, new_lsn), diff --git a/fs/xfs/xfs_trans_ail.c b/fs/xfs/xfs_trans_ail.c index ac747804e1d6..14ffb77b12ea 100644 --- a/fs/xfs/xfs_trans_ail.c +++ b/fs/xfs/xfs_trans_ail.c 
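Review bot: the new xfs_ail_push_class records only dev, lsn, type and flags, so the four converted events (xfs_ail_push, xfs_ail_pinned, xfs_ail_locked, xfs_ail_flushing) no longer carry the log item address, while the other per-item AIL events (xfs_ail_class just below still takes struct xfs_log_item *lip) do. That removes the only key by which a trace consumer could follow one item across insert, move, push and pinned events. Recording the address is safe as long as it is captured before the push and only printed, never dereferenced; consider adding an opaque `void *lip` field to TP_PROTO/TP_STRUCT__entry/TP_printk alongside type, flags and lsn. If dropping it is intentional, say so in the commit message, since it changes the output format of four existing tracepoints.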
@@ -365,6 +365,12 @@ xfsaild_resubmit_item( return XFS_ITEM_SUCCESS; } =20 +/* + * Push a single log item from the AIL. + * + * @lip may have been released and freed by the time this function returns, + * so callers must not dereference the log item afterwards. + */ static inline uint xfsaild_push_item( struct xfs_ail *ailp, @@ -462,11 +468,13 @@ static void xfsaild_process_logitem( struct xfs_ail *ailp, struct xfs_log_item *lip, - xfs_lsn_t lsn, int *stuck, int *flushing) { struct xfs_mount *mp =3D ailp->ail_log->l_mp; + uint type =3D lip->li_type; + unsigned long flags =3D lip->li_flags; + xfs_lsn_t item_lsn =3D lip->li_lsn; int lock_result; =20 /* @@ -478,9 +486,9 @@ xfsaild_process_logitem( switch (lock_result) { case XFS_ITEM_SUCCESS: XFS_STATS_INC(mp, xs_push_ail_success); - trace_xfs_ail_push(lip); + trace_xfs_ail_push(ailp, type, flags, item_lsn); =20 - ailp->ail_last_pushed_lsn =3D lsn; + ailp->ail_last_pushed_lsn =3D item_lsn; break; =20 case XFS_ITEM_FLUSHING: @@ -496,22 +504,22 @@ xfsaild_process_logitem( * AIL is being flushed. */ XFS_STATS_INC(mp, xs_push_ail_flushing); - trace_xfs_ail_flushing(lip); + trace_xfs_ail_flushing(ailp, type, flags, item_lsn); =20 (*flushing)++; - ailp->ail_last_pushed_lsn =3D lsn; + ailp->ail_last_pushed_lsn =3D item_lsn; break; =20 case XFS_ITEM_PINNED: XFS_STATS_INC(mp, xs_push_ail_pinned); - trace_xfs_ail_pinned(lip); + trace_xfs_ail_pinned(ailp, type, flags, item_lsn); =20 (*stuck)++; ailp->ail_log_flush++; break; case XFS_ITEM_LOCKED: XFS_STATS_INC(mp, xs_push_ail_locked); - trace_xfs_ail_locked(lip); + trace_xfs_ail_locked(ailp, type, flags, item_lsn); =20 (*stuck)++; break; 
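Review bot: capturing `flags = lip->li_flags` (and item_lsn) before xfsaild_push_item() changes what the tracepoints report, not only where the values come from: the events now show the item's flags as they were before the push, so any bit that changes during the push, such as XFS_LI_FLUSHING that the caller's loop tests at the top, is reported as it was before the push rather than as the item looks when trace_xfs_ail_flushing() fires. That is the right trade for removing the use-after-free, but it belongs in the commit message and in a one-line comment at the capture site (for example `/* snapshot: lip may be freed by the push below */` above `uint type = lip->li_type;`), otherwise a later reader will "fix" the snapshot back into a live read.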
@@ -572,7 +580,7 @@ xfsaild_push( if (test_bit(XFS_LI_FLUSHING, &lip->li_flags)) goto next_item; =20 - xfsaild_process_logitem(ailp, lip, lsn, &stuck, &flushing); + xfsaild_process_logitem(ailp, lip, &stuck, &flushing); count++; =20 /*
-- 
2.50.1
From: Yuto Ohnuki
To: Carlos Maiolino, Dave Chinner
CC: "Darrick J. Wong", Brian Foster, Yuto Ohnuki
Subject: [PATCH v3 4/4] xfs: save ailp before dropping the AIL lock in push callbacks
Date: Sun, 8 Mar 2026 18:28:09 +0000
Message-ID: <20260308182804.33127-10-ytohnuki@amazon.com>
In-Reply-To: <20260308182804.33127-6-ytohnuki@amazon.com>
References: <20260308182804.33127-6-ytohnuki@amazon.com>
X-Mailing-List: linux-kernel@vger.kernel.org

In xfs_inode_item_push() and xfs_qm_dquot_logitem_push(), the AIL lock
is dropped to perform buffer IO. Once the cluster buffer no longer
protects the log item from reclaim, the log item may be freed by
background reclaim or the dquot shrinker. The subsequent spin_lock()
call dereferences lip->li_ailp, which is a use-after-free.

Fix this by saving the ailp pointer in a local variable while the AIL
lock is held and the log item is guaranteed to be valid.

Reported-by: syzbot+652af2b3c5569c4ab63c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=652af2b3c5569c4ab63c
Fixes: 90c60e164012 ("xfs: xfs_iflush() is no longer necessary")
Cc: # v5.9
Signed-off-by: Yuto Ohnuki
Reviewed-by: "Darrick J. Wong"
Reviewed-by: Dave Chinner
---
 fs/xfs/xfs_dquot_item.c | 9 +++++++--
 fs/xfs/xfs_inode_item.c | 9 +++++++--
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/fs/xfs/xfs_dquot_item.c b/fs/xfs/xfs_dquot_item.c
index 491e2a7053a3..65a0e69c3d08 100644
--- a/fs/xfs/xfs_dquot_item.c
+++ b/fs/xfs/xfs_dquot_item.c
@@ -125,6 +125,7 @@ xfs_qm_dquot_logitem_push( struct xfs_dq_logitem *qlip =3D DQUOT_ITEM(lip); struct xfs_dquot *dqp =3D qlip->qli_dquot; struct xfs_buf *bp; + struct xfs_ail *ailp =3D lip->li_ailp; uint rval =3D XFS_ITEM_SUCCESS; int error; =20 @@ -153,7 +154,7 @@ xfs_qm_dquot_logitem_push( goto out_unlock; } =20 - spin_unlock(&lip->li_ailp->ail_lock); + spin_unlock(&ailp->ail_lock); =20 error =3D xfs_dquot_use_attached_buf(dqp, &bp); if (error =3D=3D -EAGAIN) { @@ -172,9 +173,13 @@ xfs_qm_dquot_logitem_push( rval =3D XFS_ITEM_FLUSHING; } xfs_buf_relse(bp); + /* + * The buffer no longer protects the log item from reclaim, so + * do not reference lip after this point. + */ =20 out_relock_ail: - spin_lock(&lip->li_ailp->ail_lock); + spin_lock(&ailp->ail_lock); out_unlock: mutex_unlock(&dqp->q_qlock); return rval; diff --git a/fs/xfs/xfs_inode_item.c b/fs/xfs/xfs_inode_item.c index 8913036b8024..4ae81eed0442 100644 --- a/fs/xfs/xfs_inode_item.c +++ b/fs/xfs/xfs_inode_item.c @@ -746,6 +746,7 @@ xfs_inode_item_push( struct xfs_inode_log_item *iip =3D INODE_ITEM(lip); struct xfs_inode *ip =3D iip->ili_inode; struct xfs_buf *bp =3D lip->li_buf; + struct xfs_ail *ailp =3D lip->li_ailp; uint rval =3D XFS_ITEM_SUCCESS; int error; =20 @@ -771,7 +772,7 @@ xfs_inode_item_push( if (!xfs_buf_trylock(bp)) return XFS_ITEM_LOCKED; =20 - spin_unlock(&lip->li_ailp->ail_lock); + spin_unlock(&ailp->ail_lock); =20 /* * We need to hold a reference for flushing the cluster buffer as it may 
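Review bot: in the xfs_qm_dquot_logitem_push() hunks the new comment says lip must not be referenced once the buffer is released, yet after relocking the function still executes `mutex_unlock(&dqp->q_qlock); return rval;`, and dqp was obtained through that same log item (`qlip->qli_dquot`). If the dquot shrinker really can free the log item in this window, as the commit message states, then the dquot that owns it is gone too and the unlock is the same use-after-free; if instead the held q_qlock keeps the dquot alive, the comment should say that only lip is unsafe and why, so the next reader does not conclude dqp is also stale. Separately, the comment is placed before the out_relock_ail label, so the -EAGAIN path that does `goto out_relock_ail` jumps past it; putting it directly after `out_relock_ail:` covers both paths and matches where the xfs_inode_item.c hunk places its copy.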
@@ -795,7 +796,11 @@ xfs_inode_item_push( rval =3D XFS_ITEM_LOCKED; } =20 - spin_lock(&lip->li_ailp->ail_lock); + /* + * The buffer no longer protects the log item from reclaim, so + * do not reference lip after this point. + */ + spin_lock(&ailp->ail_lock); return rval; } =20
-- 
2.50.1
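The lifetime rule behind patches 3 and 4 (capture everything you will need before a callback that drops the lock protecting the object, and never touch the object afterwards) is easy to state and easy to break, so here is an added, stand-alone model of both bugs in user-space C. This is not code from the series or from XFS: struct ail, struct log_item, buggy_push(), fixed_push(), buggy_process(), fixed_process() and simulated_reclaim() are hypothetical stand-ins for the AIL, the log item, the iop_push callbacks and reclaim. Reclaim is simulated by poisoning the item instead of freeing it, so the stale access is detected deterministically rather than being undefined behaviour.

```c
/*
 * Added example, not code from the patch series or from XFS: a user-space
 * model of the lifetime bugs fixed by patches 3 and 4.  A push callback is
 * entered with the AIL lock held and drops it to do I/O; reclaim may free the
 * log item meanwhile, so re-reading lip->li_ailp after the drop (patch 4) or
 * tracing lip after the push returns (patch 3) is a use-after-free.  Reclaim is
 * simulated by poisoning the item, not freeing it, so the stale access is
 * detected deterministically.  All names are hypothetical stand-ins.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
struct ail { int lock_held; uint64_t last_pushed_lsn; };	/* xfs_ail stand-in */
struct log_item {						/* xfs_log_item stand-in */
	struct ail *li_ailp;
	uint64_t li_lsn;
	unsigned int li_type;
	bool freed;						/* set by simulated_reclaim() */
};
struct trace_rec { unsigned int type; uint64_t lsn; };		/* what a tracepoint records */
enum { ITEM_SUCCESS = 0, ITEM_USE_AFTER_FREE = -1 };
#define LI_POISON ((struct ail *)(uintptr_t)0xdeadbeefULL)

static struct ail g_ail;		/* shared pair; every scenario starts from reset() */
static struct log_item g_item;
static struct trace_rec g_rec;

static void reset(void)
{
	g_ail = (struct ail){ .lock_held = 1 };	/* lock is held on entry to a push */
	g_item = (struct log_item){ .li_ailp = &g_ail, .li_lsn = 42, .li_type = 7 };
}

static void ail_lock(struct ail *ailp)   { ailp->lock_held = 1; }
static void ail_unlock(struct ail *ailp) { ailp->lock_held = 0; }
/* Reclaim running in the window where the AIL lock is dropped. */
static void simulated_reclaim(struct log_item *lip)
{
	lip->freed = true;
	lip->li_ailp = LI_POISON;	/* what reused slab memory might hold */
	lip->li_lsn = 0;
}

/* Pre-patch-4 shape: the AIL lock pointer is re-read through lip. */
static int buggy_push(struct log_item *lip, bool reclaim_races)
{
	ail_unlock(lip->li_ailp);	/* lip is valid here: lock held on entry */
	if (reclaim_races)
		simulated_reclaim(lip);	/* the item is gone from this point on */
	if (lip->li_ailp == LI_POISON)	/* the real code would just crash here */
		return ITEM_USE_AFTER_FREE;
	ail_lock(lip->li_ailp);
	return ITEM_SUCCESS;
}

/* Post-patch-4 shape: capture ailp while lip is known to be valid. */
static int fixed_push(struct log_item *lip, bool reclaim_races)
{
	struct ail *ailp = lip->li_ailp;
	ail_unlock(ailp);
	if (reclaim_races)
		simulated_reclaim(lip);
	ail_lock(ailp);			/* no lip access after the drop */
	return ITEM_SUCCESS;
}

/* Pre-patch-3 shape: the caller traces lip fields after the push returns. */
static int buggy_process(struct log_item *lip, bool races, struct trace_rec *rec)
{
	int rc = fixed_push(lip, races);
	if (lip->freed)			/* the reads below would hit freed memory */
		return ITEM_USE_AFTER_FREE;
	rec->type = lip->li_type;
	rec->lsn = lip->li_lsn;
	return rc;
}

/* Post-patch-3 shape: snapshot type, lsn and ailp before the push. */
static int fixed_process(struct log_item *lip, bool races, struct trace_rec *rec)
{
	struct ail *ailp = lip->li_ailp;
	unsigned int type = lip->li_type;
	uint64_t item_lsn = lip->li_lsn;
	int rc = fixed_push(lip, races);
	rec->type = type;		/* trace from the snapshot only */
	rec->lsn = item_lsn;
	ailp->last_pushed_lsn = item_lsn;
	return rc;
}

int main(void)
{	/* all four scenarios with reclaim racing: expect -1, 0, -1, 0 */
	reset(); printf("buggy_push:    %d\n", buggy_push(&g_item, true));
	reset(); printf("fixed_push:    %d\n", fixed_push(&g_item, true));
	reset(); printf("buggy_process: %d\n", buggy_process(&g_item, true, &g_rec));
	reset(); printf("fixed_process: %d\n", fixed_process(&g_item, true, &g_rec));
	return 0;
}
```

With reclaim racing, the two buggy shapes return ITEM_USE_AFTER_FREE and the two fixed shapes return ITEM_SUCCESS with the lock held again on return; without a racing reclaim all four succeed, which is why this class of bug survives ordinary testing and is only flushed out by a sanitizer or a fuzzer. The model keeps the same discipline the series settles on: the only values used after the unlock are the ones copied out while the lock was held.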