Re: [PATCH v4 0/4] xfs: fix AIL push use-after-free during shutdown

Next message: Carlos Maiolino: "Re: [PATCH] xfs: scrub: unlock dquot before early return in quota scrub"
Previous message: Fernando Fernandez Mancera: "Re: [PATCH 01/10 net-next v3] ipv6: convert CONFIG_IPV6 to built-in only and clean up Kconfigs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Carlos Maiolino

Date: Wed Mar 18 2026 - 06:15:50 EST

On Tue, 10 Mar 2026 18:38:36 +0000, Yuto Ohnuki wrote:
> When a filesystem is shut down, background inode reclaim and the xfsaild
> can race to abort and free dirty inodes. Since commit 90c60e164012
> ("xfs: xfs_iflush() is no longer necessary"), xfs_inode_item_push() no
> longer holds ILOCK_SHARED while flushing, removing the protection that
> prevented the inode from being reclaimed during the flush.
>
> This results in use-after-free when dereferencing log items after
> iop_push() returns, or when reacquiring the AIL lock via lip->li_ailp.
>
> [...]

Applied to for-next, thanks!

[1/4] xfs: stop reclaim before pushing AIL during unmount
commit: 4f24a767e3d64a5f58c595b5c29b6063a201f1e3
[2/4] xfs: avoid dereferencing log items after push callbacks
commit: 79ef34ec0554ec04bdbafafbc9836423734e1bd6
[3/4] xfs: save ailp before dropping the AIL lock in push callbacks
commit: 394d70b86fae9fe865e7e6d9540b7696f73aa9b6
[4/4] xfs: refactor xfsaild_push loop into helper
commit: 7cac60947335f8d88a6390814840590a61134484

Best regards,
--
Carlos Maiolino <cem@xxxxxxxxxx>