From: Yuto Ohnuki
To: Carlos Maiolino, Dave Chinner
CC: "Darrick J . Wong", Brian Foster, Yuto Ohnuki
Subject: [PATCH v4 1/4] xfs: stop reclaim before pushing AIL during unmount
Date: Tue, 10 Mar 2026 18:38:37 +0000
Message-ID: <20260310183835.89827-7-ytohnuki@amazon.com>
In-Reply-To: <20260310183835.89827-6-ytohnuki@amazon.com>
References: <20260310183835.89827-6-ytohnuki@amazon.com>
X-Mailing-List: linux-kernel@vger.kernel.org

The unmount sequence in xfs_unmount_flush_inodes() pushed the AIL while background reclaim and inodegc are still running. This is broken independently of any use-after-free issues - background reclaim and inodegc should not be running while the AIL is being pushed during unmount, as inodegc can dirty and insert inodes into the AIL during the flush, and background reclaim can race to abort and free dirty inodes.

Reorder xfs_unmount_flush_inodes() to stop inodegc and cancel background reclaim before pushing the AIL. Stop inodegc before cancelling m_reclaim_work because the inodegc worker can re-queue m_reclaim_work via xfs_inodegc_set_reclaimable.

Reported-by: syzbot+652af2b3c5569c4ab63c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=652af2b3c5569c4ab63c
Fixes: 90c60e164012 ("xfs: xfs_iflush() is no longer necessary")
Cc: # v5.9
Signed-off-by: Yuto Ohnuki
Reviewed-by: "Darrick J. Wong"
---
 fs/xfs/xfs_mount.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/fs/xfs/xfs_mount.c b/fs/xfs/xfs_mount.c
index 9c295abd0a0a..ef1ea8a1238c 100644
--- a/fs/xfs/xfs_mount.c
+++ b/fs/xfs/xfs_mount.c
@@ -608,8 +608,9 @@ xfs_unmount_check( * have been retrying in the background. This will prevent never-ending * retries in AIL pushing from hanging the unmount. * - * Finally, we can push the AIL to clean all the remaining dirty objects, = then - * reclaim the remaining inodes that are still in memory at this point in = time. + * Stop inodegc and background reclaim before pushing the AIL so that they + * are not running while the AIL is being flushed. Then push the AIL to + * clean all the remaining dirty objects and reclaim the remaining inodes. */ static void xfs_unmount_flush_inodes( 
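Review bot: the rewritten comment states that inodegc and background reclaim are stopped before the AIL push, but not why inodegc has to be stopped first; the commit message gives the reason (the inodegc worker can re-queue m_reclaim_work via xfs_inodegc_set_reclaimable), and that ordering constraint belongs in this comment where the next person reordering these calls will see it, e.g. "Stop inodegc first, since its worker can re-queue m_reclaim_work."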
@@ -621,9 +622,9 @@ xfs_unmount_flush_inodes( =20 xfs_set_unmounting(mp); =20 - xfs_ail_push_all_sync(mp->m_ail); xfs_inodegc_stop(mp); cancel_delayed_work_sync(&mp->m_reclaim_work); + xfs_ail_push_all_sync(mp->m_ail); xfs_reclaim_inodes(mp); xfs_health_unmount(mp); xfs_healthmon_unmount(mp);
-- 
2.50.1

Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg, R.C.S. Luxembourg B186284
Amazon Web Services EMEA SARL, Irish Branch, One Burlington Plaza, Burlington Road, Dublin 4, Ireland, branch registration number 908705
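Review bot: the reorder is only safe if nothing re-arms m_reclaim_work once cancel_delayed_work_sync() has returned; the commit message covers the inodegc worker (hence stopping it first), so it would help to state, in the message or in the comment above, that the xfs_ail_push_all_sync() and xfs_reclaim_inodes() paths that now run afterwards cannot re-queue it either, otherwise a reclaim worker could run concurrently with xfs_reclaim_inodes(). The Fixes and Cc stable tags cover the v5.9 backport, good.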
From: Yuto Ohnuki
To: Carlos Maiolino, Dave Chinner
CC: "Darrick J . Wong", Brian Foster, Yuto Ohnuki
Subject: [PATCH v4 2/4] xfs: avoid dereferencing log items after push callbacks
Date: Tue, 10 Mar 2026 18:38:38 +0000
Message-ID: <20260310183835.89827-8-ytohnuki@amazon.com>
In-Reply-To: <20260310183835.89827-6-ytohnuki@amazon.com>
References: <20260310183835.89827-6-ytohnuki@amazon.com>
X-Mailing-List: linux-kernel@vger.kernel.org

After xfsaild_push_item() calls iop_push(), the log item may have been freed if the AIL lock was dropped during the push. Background inode reclaim or the dquot shrinker can free the log item while the AIL lock is not held, and the tracepoints in the switch statement dereference the log item after iop_push() returns.

Fix this by capturing the log item type, flags, and LSN before calling xfsaild_push_item(), and introducing a new xfs_ail_push_class trace event class that takes these pre-captured values and the ailp pointer instead of the log item pointer.

Reported-by: syzbot+652af2b3c5569c4ab63c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=652af2b3c5569c4ab63c
Fixes: 90c60e164012 ("xfs: xfs_iflush() is no longer necessary")
Cc: # v5.9
Signed-off-by: Yuto Ohnuki
Reviewed-by: "Darrick J. Wong"
---
 fs/xfs/xfs_trace.h     | 36 ++++++++++++++++++++++++++++++++----
 fs/xfs/xfs_trans_ail.c | 26 +++++++++++++++++++-------
 2 files changed, 51 insertions(+), 11 deletions(-)
diff --git a/fs/xfs/xfs_trace.h b/fs/xfs/xfs_trace.h index 813e5a9f57eb..0e994b3f768f 100644 --- a/fs/xfs/xfs_trace.h +++ b/fs/xfs/xfs_trace.h @@ -56,6 +56,7 @@ #include =20 struct xfs_agf; +struct xfs_ail; struct xfs_alloc_arg; struct xfs_attr_list_context; struct xfs_buf_log_item; 
@@ -1650,16 +1651,43 @@ TRACE_EVENT(xfs_log_force, DEFINE_EVENT(xfs_log_item_class, name, \ TP_PROTO(struct xfs_log_item *lip), \ TP_ARGS(lip)) -DEFINE_LOG_ITEM_EVENT(xfs_ail_push); -DEFINE_LOG_ITEM_EVENT(xfs_ail_pinned); -DEFINE_LOG_ITEM_EVENT(xfs_ail_locked); -DEFINE_LOG_ITEM_EVENT(xfs_ail_flushing); DEFINE_LOG_ITEM_EVENT(xfs_cil_whiteout_mark); DEFINE_LOG_ITEM_EVENT(xfs_cil_whiteout_skip); DEFINE_LOG_ITEM_EVENT(xfs_cil_whiteout_unpin); DEFINE_LOG_ITEM_EVENT(xlog_ail_insert_abort); DEFINE_LOG_ITEM_EVENT(xfs_trans_free_abort); =20 +DECLARE_EVENT_CLASS(xfs_ail_push_class, + TP_PROTO(struct xfs_ail *ailp, uint type, unsigned long flags, xfs_lsn_t = lsn), + TP_ARGS(ailp, type, flags, lsn), + TP_STRUCT__entry( + __field(dev_t, dev) + __field(uint, type) + __field(unsigned long, flags) + __field(xfs_lsn_t, lsn) + ), + TP_fast_assign( + __entry->dev =3D ailp->ail_log->l_mp->m_super->s_dev; + __entry->type =3D type; + __entry->flags =3D flags; + __entry->lsn =3D lsn; + ), + TP_printk("dev %d:%d lsn %d/%d type %s flags %s", + MAJOR(__entry->dev), MINOR(__entry->dev), + CYCLE_LSN(__entry->lsn), BLOCK_LSN(__entry->lsn), + __print_symbolic(__entry->type, XFS_LI_TYPE_DESC), + __print_flags(__entry->flags, "|", XFS_LI_FLAGS)) +) + +#define DEFINE_AIL_PUSH_EVENT(name) \ +DEFINE_EVENT(xfs_ail_push_class, name, \ + TP_PROTO(struct xfs_ail *ailp, uint type, unsigned long flags, xfs_lsn_t = lsn), \ + TP_ARGS(ailp, type, flags, lsn)) +DEFINE_AIL_PUSH_EVENT(xfs_ail_push); +DEFINE_AIL_PUSH_EVENT(xfs_ail_pinned); +DEFINE_AIL_PUSH_EVENT(xfs_ail_locked); +DEFINE_AIL_PUSH_EVENT(xfs_ail_flushing); + DECLARE_EVENT_CLASS(xfs_ail_class, TP_PROTO(struct xfs_log_item *lip, xfs_lsn_t old_lsn, xfs_lsn_t new_lsn), TP_ARGS(lip, old_lsn, new_lsn), diff --git a/fs/xfs/xfs_trans_ail.c b/fs/xfs/xfs_trans_ail.c index 923729af4206..63266d31b514 100644 --- a/fs/xfs/xfs_trans_ail.c +++ b/fs/xfs/xfs_trans_ail.c 
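Review bot: the flags recorded by the new xfs_ail_push_class are the value of lip->li_flags captured before iop_push() runs, whereas the four events it replaces read lip->li_flags after the push had returned; a one-line comment on the class (or a sentence in the commit message) should say so, otherwise anyone comparing xfs_ail_push traces across kernels will misread the flag values. Taking dev through ailp->ail_log->l_mp->m_super->s_dev is the right choice, since ailp stays valid when the log item does not.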
@@ -365,6 +365,12 @@ xfsaild_resubmit_item( return XFS_ITEM_SUCCESS; } =20 +/* + * Push a single log item from the AIL. + * + * @lip may have been released and freed by the time this function returns, + * so callers must not dereference the log item afterwards. + */ static inline uint xfsaild_push_item( struct xfs_ail *ailp, @@ -505,7 +511,10 @@ xfsaild_push( =20 lsn =3D lip->li_lsn; while ((XFS_LSN_CMP(lip->li_lsn, ailp->ail_target) <=3D 0)) { - int lock_result; + int lock_result; + uint type =3D lip->li_type; + unsigned long flags =3D lip->li_flags; + xfs_lsn_t item_lsn =3D lip->li_lsn; =20 if (test_bit(XFS_LI_FLUSHING, &lip->li_flags)) goto next_item; @@ -514,14 +523,17 @@ xfsaild_push( * Note that iop_push may unlock and reacquire the AIL lock. We * rely on the AIL cursor implementation to be able to deal with * the dropped lock. + * + * The log item may have been freed by the push, so it must not + * be accessed or dereferenced below this line. */ lock_result =3D xfsaild_push_item(ailp, lip); switch (lock_result) { case XFS_ITEM_SUCCESS: XFS_STATS_INC(mp, xs_push_ail_success); - trace_xfs_ail_push(lip); + trace_xfs_ail_push(ailp, type, flags, item_lsn); =20 - ailp->ail_last_pushed_lsn =3D lsn; + ailp->ail_last_pushed_lsn =3D item_lsn; break; =20 case XFS_ITEM_FLUSHING: 
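Review bot: besides the trace call changes, this hunk switches both ail_last_pushed_lsn assignments from lsn to item_lsn, and the commit message does not mention it; if lsn and item_lsn are always equal at that point (lsn is assigned from lip->li_lsn just above the loop), say so in the message, or leave those two lines as lsn so the patch reads as the pure use-after-free fix it is meant to be. Capturing type, flags and item_lsn before the test_bit(XFS_LI_FLUSHING) skip is fine, since that check still runs while lip is valid.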
@@ -537,22 +549,22 @@ xfsaild_push( * AIL is being flushed. */ XFS_STATS_INC(mp, xs_push_ail_flushing); - trace_xfs_ail_flushing(lip); + trace_xfs_ail_flushing(ailp, type, flags, item_lsn); =20 flushing++; - ailp->ail_last_pushed_lsn =3D lsn; + ailp->ail_last_pushed_lsn =3D item_lsn; break; =20 case XFS_ITEM_PINNED: XFS_STATS_INC(mp, xs_push_ail_pinned); - trace_xfs_ail_pinned(lip); + trace_xfs_ail_pinned(ailp, type, flags, item_lsn); =20 stuck++; ailp->ail_log_flush++; break; case XFS_ITEM_LOCKED: XFS_STATS_INC(mp, xs_push_ail_locked); - trace_xfs_ail_locked(lip); + trace_xfs_ail_locked(ailp, type, flags, item_lsn); =20 stuck++; break;
-- 
2.50.1
From: Yuto Ohnuki
To: Carlos Maiolino, Dave Chinner
CC: "Darrick J . Wong", Brian Foster, Yuto Ohnuki, "Darrick J. Wong"
Subject: [PATCH v4 3/4] xfs: save ailp before dropping the AIL lock in push callbacks
Date: Tue, 10 Mar 2026 18:38:39 +0000
Message-ID: <20260310183835.89827-9-ytohnuki@amazon.com>
In-Reply-To: <20260310183835.89827-6-ytohnuki@amazon.com>
References: <20260310183835.89827-6-ytohnuki@amazon.com>
X-Mailing-List: linux-kernel@vger.kernel.org

In xfs_inode_item_push() and xfs_qm_dquot_logitem_push(), the AIL lock is dropped to perform buffer IO. Once the cluster buffer no longer protects the log item from reclaim, the log item may be freed by background reclaim or the dquot shrinker. The subsequent spin_lock() call dereferences lip->li_ailp, which is a use-after-free.

Fix this by saving the ailp pointer in a local variable while the AIL lock is held and the log item is guaranteed to be valid.

Reported-by: syzbot+652af2b3c5569c4ab63c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=652af2b3c5569c4ab63c
Fixes: 90c60e164012 ("xfs: xfs_iflush() is no longer necessary")
Cc: # v5.9
Reviewed-by: "Darrick J. Wong"
Reviewed-by: Dave Chinner
Signed-off-by: Yuto Ohnuki
---
 fs/xfs/xfs_dquot_item.c | 9 +++++++--
 fs/xfs/xfs_inode_item.c | 9 +++++++--
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/fs/xfs/xfs_dquot_item.c b/fs/xfs/xfs_dquot_item.c
index 491e2a7053a3..65a0e69c3d08 100644
--- a/fs/xfs/xfs_dquot_item.c
+++ b/fs/xfs/xfs_dquot_item.c
@@ -125,6 +125,7 @@ xfs_qm_dquot_logitem_push( struct xfs_dq_logitem *qlip =3D DQUOT_ITEM(lip); struct xfs_dquot *dqp =3D qlip->qli_dquot; struct xfs_buf *bp; + struct xfs_ail *ailp =3D lip->li_ailp; uint rval =3D XFS_ITEM_SUCCESS; int error; =20 @@ -153,7 +154,7 @@ xfs_qm_dquot_logitem_push( goto out_unlock; } =20 - spin_unlock(&lip->li_ailp->ail_lock); + spin_unlock(&ailp->ail_lock); =20 error =3D xfs_dquot_use_attached_buf(dqp, &bp); if (error =3D=3D -EAGAIN) { @@ -172,9 +173,13 @@ xfs_qm_dquot_logitem_push( rval =3D XFS_ITEM_FLUSHING; } xfs_buf_relse(bp); + /* + * The buffer no longer protects the log item from reclaim, so + * do not reference lip after this point. + */ =20 out_relock_ail: - spin_lock(&lip->li_ailp->ail_lock); + spin_lock(&ailp->ail_lock); out_unlock: mutex_unlock(&dqp->q_qlock); return rval; diff --git a/fs/xfs/xfs_inode_item.c b/fs/xfs/xfs_inode_item.c index 8913036b8024..4ae81eed0442 100644 --- a/fs/xfs/xfs_inode_item.c +++ b/fs/xfs/xfs_inode_item.c @@ -746,6 +746,7 @@ xfs_inode_item_push( struct xfs_inode_log_item *iip =3D INODE_ITEM(lip); struct xfs_inode *ip =3D iip->ili_inode; struct xfs_buf *bp =3D lip->li_buf; + struct xfs_ail *ailp =3D lip->li_ailp; uint rval =3D XFS_ITEM_SUCCESS; int error; =20 @@ -771,7 +772,7 @@ xfs_inode_item_push( if (!xfs_buf_trylock(bp)) return XFS_ITEM_LOCKED; =20 - spin_unlock(&lip->li_ailp->ail_lock); + spin_unlock(&ailp->ail_lock); =20 /* * We need to hold a reference for flushing the cluster buffer as it may 
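Review bot: in the xfs_qm_dquot_logitem_push() hunk the "do not reference lip after this point" comment is placed after xfs_buf_relse(bp), but the out_relock_ail: label exists because other paths jump straight to it and those paths never pass the comment; moving it to sit at the label, directly above spin_lock(&ailp->ail_lock), documents the hazard for every path that reaches the relock. Capturing ailp in the declarations, while the caller still holds ail_lock and lip is known valid, is the right place for it.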
@@ -795,7 +796,11 @@ xfs_inode_item_push( rval =3D XFS_ITEM_LOCKED; } =20 - spin_lock(&lip->li_ailp->ail_lock); + /* + * The buffer no longer protects the log item from reclaim, so + * do not reference lip after this point. + */ + spin_lock(&ailp->ail_lock); return rval; } =20
-- 
2.50.1
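Review bot: the two push callbacks now carry the same comment in different positions, directly above the spin_lock(&ailp->ail_lock) here in xfs_inode_item_push() but before the out_relock_ail: label in the dquot version; settle on one placement (immediately above the relock reads best, as done here) so both callbacks document the point at which lip becomes invalid in the same way.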
From: Yuto Ohnuki
To: Carlos Maiolino, Dave Chinner
CC: "Darrick J . Wong", Brian Foster, Yuto Ohnuki
Subject: [PATCH v4 4/4] xfs: refactor xfsaild_push loop into helper
Date: Tue, 10 Mar 2026 18:38:40 +0000
Message-ID: <20260310183835.89827-10-ytohnuki@amazon.com>
In-Reply-To: <20260310183835.89827-6-ytohnuki@amazon.com>
References: <20260310183835.89827-6-ytohnuki@amazon.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Factor the loop body of xfsaild_push() into a separate xfsaild_process_logitem() helper to improve readability. This is a pure code movement with no functional change.

Signed-off-by: Yuto Ohnuki
Reviewed-by: "Darrick J. Wong"
---
 fs/xfs/xfs_trans_ail.c | 127 ++++++++++++++++++++++-------------------
 1 file changed, 69 insertions(+), 58 deletions(-)

diff --git a/fs/xfs/xfs_trans_ail.c b/fs/xfs/xfs_trans_ail.c
index 63266d31b514..99a9bf3762b7 100644
--- a/fs/xfs/xfs_trans_ail.c
+++ b/fs/xfs/xfs_trans_ail.c
@@ -464,6 +464,74 @@ xfs_ail_calc_push_target( return target_lsn; } =20 +static void +xfsaild_process_logitem( + struct xfs_ail *ailp, + struct xfs_log_item *lip, + int *stuck, + int *flushing) +{ + struct xfs_mount *mp =3D ailp->ail_log->l_mp; + uint type =3D lip->li_type; + unsigned long flags =3D lip->li_flags; + xfs_lsn_t item_lsn =3D lip->li_lsn; + int lock_result; + + /* + * Note that iop_push may unlock and reacquire the AIL lock. We + * rely on the AIL cursor implementation to be able to deal with + * the dropped lock. + * + * The log item may have been freed by the push, so it must not + * be accessed or dereferenced below this line. + */ + lock_result =3D xfsaild_push_item(ailp, lip); + switch (lock_result) { + case XFS_ITEM_SUCCESS: + XFS_STATS_INC(mp, xs_push_ail_success); + trace_xfs_ail_push(ailp, type, flags, item_lsn); + + ailp->ail_last_pushed_lsn =3D item_lsn; + break; + + case XFS_ITEM_FLUSHING: + /* + * The item or its backing buffer is already being + * flushed. The typical reason for that is that an + * inode buffer is locked because we already pushed the + * updates to it as part of inode clustering. + * + * We do not want to stop flushing just because lots + * of items are already being flushed, but we need to + * re-try the flushing relatively soon if most of the + * AIL is being flushed. + */ + XFS_STATS_INC(mp, xs_push_ail_flushing); + trace_xfs_ail_flushing(ailp, type, flags, item_lsn); + + (*flushing)++; + ailp->ail_last_pushed_lsn =3D item_lsn; + break; + + case XFS_ITEM_PINNED: + XFS_STATS_INC(mp, xs_push_ail_pinned); + trace_xfs_ail_pinned(ailp, type, flags, item_lsn); + + (*stuck)++; + ailp->ail_log_flush++; + break; + case XFS_ITEM_LOCKED: + XFS_STATS_INC(mp, xs_push_ail_locked); + trace_xfs_ail_locked(ailp, type, flags, item_lsn); + + (*stuck)++; + break; + default: + ASSERT(0); + break; + } +} + static long xfsaild_push( struct xfs_ail *ailp) 
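Review bot: xfsaild_process_logitem() is now the boundary at which lip stops being valid, yet the only statement of that is the comment moved into its body; a short header comment on the helper saying that the AIL lock must be held on entry, that iop_push() may drop and reacquire it, and that the caller must not touch lip after the helper returns would make the contract visible at the call site. Also, the helper derives mp from ailp->ail_log->l_mp instead of using the caller's mp local that the removed loop body used for XFS_STATS_INC(); that is the one thing beyond pure movement and deserves a word in the commit message.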
@@ -511,68 +579,11 @@ xfsaild_push( =20 lsn =3D lip->li_lsn; while ((XFS_LSN_CMP(lip->li_lsn, ailp->ail_target) <=3D 0)) { - int lock_result; - uint type =3D lip->li_type; - unsigned long flags =3D lip->li_flags; - xfs_lsn_t item_lsn =3D lip->li_lsn; =20 if (test_bit(XFS_LI_FLUSHING, &lip->li_flags)) goto next_item; =20 - /* - * Note that iop_push may unlock and reacquire the AIL lock. We - * rely on the AIL cursor implementation to be able to deal with - * the dropped lock. - * - * The log item may have been freed by the push, so it must not - * be accessed or dereferenced below this line. - */ - lock_result =3D xfsaild_push_item(ailp, lip); - switch (lock_result) { - case XFS_ITEM_SUCCESS: - XFS_STATS_INC(mp, xs_push_ail_success); - trace_xfs_ail_push(ailp, type, flags, item_lsn); - - ailp->ail_last_pushed_lsn =3D item_lsn; - break; - - case XFS_ITEM_FLUSHING: - /* - * The item or its backing buffer is already being - * flushed. The typical reason for that is that an - * inode buffer is locked because we already pushed the - * updates to it as part of inode clustering. - * - * We do not want to stop flushing just because lots - * of items are already being flushed, but we need to - * re-try the flushing relatively soon if most of the - * AIL is being flushed. - */ - XFS_STATS_INC(mp, xs_push_ail_flushing); - trace_xfs_ail_flushing(ailp, type, flags, item_lsn); - - flushing++; - ailp->ail_last_pushed_lsn =3D item_lsn; - break; - - case XFS_ITEM_PINNED: - XFS_STATS_INC(mp, xs_push_ail_pinned); - trace_xfs_ail_pinned(ailp, type, flags, item_lsn); - - stuck++; - ailp->ail_log_flush++; - break; - case XFS_ITEM_LOCKED: - XFS_STATS_INC(mp, xs_push_ail_locked); - trace_xfs_ail_locked(ailp, type, flags, item_lsn); - - stuck++; - break; - default: - ASSERT(0); - break; - } - + xfsaild_process_logitem(ailp, lip, &stuck, &flushing); count++; =20 /*
-- 
2.50.1