From: Hyungjung Joo
To: viro@zeniv.linux.org.uk, brauner@kernel.org, linux-fsdevel@vger.kernel.org
Cc: jack@suse.cz, greg@kroah.com, linux-kernel@vger.kernel.org, HyungJung Joo
Subject: [PATCH] fs/mbcache: cancel shrink work before destroying the cache
Date: Tue, 17 Mar 2026 14:45:56 +0900
Message-Id: <20260317054556.1821600-1-jhj140711@gmail.com>

From: HyungJung Joo

mb_cache_destroy() calls shrinker_free() and then frees all cache entries and the cache itself, but it does not cancel the pending c_shrink_work work item first.

If mb_cache_entry_create() schedules c_shrink_work via schedule_work() and the work item is still pending or running when mb_cache_destroy() runs, mb_cache_shrink_worker() will access the cache after its memory has been freed, causing a use-after-free.

This is only reachable by a privileged user (root or CAP_SYS_ADMIN) who can trigger the last put of a mounted ext2/ext4/ocfs2 filesystem.

Cancel the work item with cancel_work_sync() before calling shrinker_free(), ensuring the worker has finished and will not be rescheduled before the cache is torn down.

Signed-off-by: Hyungjung Joo
Reviewed-by: Jan Kara
--- fs/mbcache.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/mbcache.c b/fs/mbcache.c index 480d02d6ebf0..2a6319b4072c 100644 --- a/fs/mbcache.c +++ b/fs/mbcache.c
@@ -406,6 +406,7 @@ void mb_cache_destroy(struct mb_cache *cache) { struct mb_cache_entry *entry, *next; =20 + cancel_work_sync(&cache->c_shrink_work); shrinker_free(cache->c_shrink); =20 /* --=20 2.34.1
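
Review bot: the added cancel_work_sync(&cache->c_shrink_work) at the top of mb_cache_destroy() cancels a pending item and waits for a running one, but it does not by itself stop a later schedule_work() from queueing the item again, so the commit message's "will not be rescheduled" holds only if no mb_cache_entry_create() caller can still run once destroy has started. A one-line comment above the call stating that assumption (all users of the cache are gone by the time mb_cache_destroy() runs) would make the ordering requirement explicit for future changes. Since the message describes a use-after-free, a Fixes: tag naming the commit that introduced c_shrink_work would also help with stable backports; none is present next to the Signed-off-by and Reviewed-by lines.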