[lvc-project] Patch "fs: writeback: fix use-after-free in __mark_inode_dirty()" has been added to the 5.10-stable tree

gregkh at linuxfoundation.org
Wed Dec 3 16:31:18 MSK 2025


This is a note to let you know that I've just added the patch titled

    fs: writeback: fix use-after-free in __mark_inode_dirty()

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     fs-writeback-fix-use-after-free-in-__mark_inode_dirty.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable at vger.kernel.org> know about it.


From stable+bounces-197598-greg=kroah.com at vger.kernel.org Fri Nov 28 15:41:26 2025
From: Nazar Kalashnikov <sivartiwe at gmail.com>
Date: Fri, 28 Nov 2025 17:41:19 +0300
Subject: fs: writeback: fix use-after-free in __mark_inode_dirty()
To: stable at vger.kernel.org, Greg Kroah-Hartman <gregkh at linuxfoundation.org>
Cc: Nazar Kalashnikov <sivartiwe at gmail.com>, Alexander Viro <viro at zeniv.linux.org.uk>, linux-fsdevel at vger.kernel.org, linux-kernel at vger.kernel.org, lvc-project at linuxtesting.org, Jiufei Xue <jiufei.xue at samsung.com>, Jan Kara <jack at suse.cz>, Christian Brauner <brauner at kernel.org>
Message-ID: <20251128144121.54603-1-sivartiwe at gmail.com>

From: Jiufei Xue <jiufei.xue at samsung.com>

[ Upstream commit d02d2c98d25793902f65803ab853b592c7a96b29 ]

A use-after-free issue occurred when __mark_inode_dirty() got the
bdi_writeback that was in the process of switching.

CPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1
......
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __mark_inode_dirty+0x124/0x418
lr : __mark_inode_dirty+0x118/0x418
sp : ffffffc08c9dbbc0
........
Call trace:
 __mark_inode_dirty+0x124/0x418
 generic_update_time+0x4c/0x60
 file_modified+0xcc/0xd0
 ext4_buffered_write_iter+0x58/0x124
 ext4_file_write_iter+0x54/0x704
 vfs_write+0x1c0/0x308
 ksys_write+0x74/0x10c
 __arm64_sys_write+0x1c/0x28
 invoke_syscall+0x48/0x114
 el0_svc_common.constprop.0+0xc0/0xe0
 do_el0_svc+0x1c/0x28
 el0_svc+0x40/0xe4
 el0t_64_sync_handler+0x120/0x12c
 el0t_64_sync+0x194/0x198

Root cause is:

systemd-random-seed                         kworker
----------------------------------------------------------------------
___mark_inode_dirty                     inode_switch_wbs_work_fn

  spin_lock(&inode->i_lock);
  inode_attach_wb
  locked_inode_to_wb_and_lock_list
     get inode->i_wb
     spin_unlock(&inode->i_lock);
     spin_lock(&wb->list_lock)
  spin_lock(&inode->i_lock)
  inode_io_list_move_locked
  spin_unlock(&wb->list_lock)
  spin_unlock(&inode->i_lock)
                                    spin_lock(&old_wb->list_lock)
                                      inode_do_switch_wbs
                                        spin_lock(&inode->i_lock)
                                        inode->i_wb = new_wb
                                        spin_unlock(&inode->i_lock)
                                    spin_unlock(&old_wb->list_lock)
                                    wb_put_many(old_wb, nr_switched)
                                      cgwb_release
                                      old wb released
  wb_wakeup_delayed() accesses wb,
  then trigger the use-after-free
  issue

Fix this race condition by holding the inode spinlock until
wb_wakeup_delayed() has finished.

Signed-off-by: Jiufei Xue <jiufei.xue at samsung.com>
Link: https://lore.kernel.org/20250728100715.3863241-1-jiufei.xue@samsung.com
Reviewed-by: Jan Kara <jack at suse.cz>
Signed-off-by: Christian Brauner <brauner at kernel.org>
Signed-off-by: Nazar Kalashnikov <sivartiwe at gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
---
Backport fix for CVE-2025-39866
 fs/fs-writeback.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/fs/fs-writeback.c
+++ b/fs/fs-writeback.c
@@ -2326,9 +2326,6 @@ void __mark_inode_dirty(struct inode *in
 			wakeup_bdi = inode_io_list_move_locked(inode, wb,
 							       dirty_list);
 
-			spin_unlock(&wb->list_lock);
-			trace_writeback_dirty_inode_enqueue(inode);
-
 			/*
 			 * If this is the first dirty inode for this bdi,
 			 * we have to wake-up the corresponding bdi thread
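Review bot: the commit message says the fix holds the inode spinlock until wb_wakeup_delayed() finishes, but this hunk removes only `spin_unlock(&wb->list_lock);` and no spin_unlock(&inode->i_lock) appears anywhere in the diff. That is consistent with the race diagram, where the kworker takes spin_lock(&old_wb->list_lock) before inode_do_switch_wbs and only calls wb_put_many(old_wb, nr_switched) after dropping it, so wb->list_lock is what keeps old_wb alive here. The "Backport fix for CVE-2025-39866" note should still state whether inode->i_lock is held at this point in 5.10 and why moving list_lock alone is sufficient, so that a reader comparing the hunk against the commit message does not conclude the i_lock half of the fix was dropped in the backport.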
@@ -2338,6 +2335,10 @@ void __mark_inode_dirty(struct inode *in
 			if (wakeup_bdi &&
 			    (wb->bdi->capabilities & BDI_CAP_WRITEBACK))
 				wb_wakeup_delayed(wb);
+
+			spin_unlock(&wb->list_lock);
+			trace_writeback_dirty_inode_enqueue(inode);
+
 			return;
 		}
 	}
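Review bot: the comment at the top of this hunk ("If this is the first dirty inode for this bdi, we have to wake-up the corresponding bdi thread") still explains only why the wake-up happens, not why it must now happen before `spin_unlock(&wb->list_lock);`. Add a sentence there along the lines of "Wake up while still holding wb->list_lock: once it is dropped, a concurrent inode_switch_wbs_work_fn() can switch inode->i_wb and release wb", so that the next cleanup does not hoist the unlock back above wb_wakeup_delayed() and reintroduce the use-after-free. It is also worth a line in the commit message that wb_wakeup_delayed() is now called with wb->list_lock held, since that is a new nesting for whatever it locks internally.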

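The interleaving from the root-cause diagram above, replayed as an added example (this is not code from the patch or from the kernel; the struct names, the poison value and the single-threaded "pending kworker" that runs the moment list_lock is dropped are constructed stand-ins for the real bdi_writeback, inode_switch_wbs_work_fn() and cgwb_release()). The same dirtier path is run in the old ordering (unlock, then wake up) and in the patched ordering (wake up, then unlock), and the model records whether wb_wakeup_delayed() ever touches a released wb:

```c
/* Added example: a deterministic model of the __mark_inode_dirty() vs
 * inode_switch_wbs_work_fn() race. Not kernel code; names are stand-ins. */
#include <stdbool.h>
#include <stdio.h>

#define WB_MAGIC  0x5742u   /* live bdi_writeback (constructed marker) */
#define WB_POISON 0xDEADu   /* written instead of freeing, so the read is safe here */

struct wb {
    unsigned magic;
    int refcnt;        /* the inode's reference on this wb */
    bool list_locked;  /* stand-in for wb->list_lock */
    int dirty_inodes;  /* length of b_dirty */
    int wakeups;       /* wb_wakeup_delayed() calls that saw a live wb */
};

struct inode { struct wb *i_wb; };

/* A queued inode_switch_wbs_work_fn(); it runs as soon as old_wb->list_lock is free. */
struct switch_work { bool queued; struct inode *inode; struct wb *new_wb; };
static struct switch_work pending_switch;
static int uaf_detected;

static void wb_put(struct wb *wb)
{
    if (--wb->refcnt == 0)
        wb->magic = WB_POISON;   /* cgwb_release(): "old wb released" */
}

static void wb_wakeup_delayed(struct wb *wb)
{
    if (wb->magic != WB_MAGIC) { /* in the kernel this is the use-after-free read */
        uaf_detected++;
        return;
    }
    wb->wakeups++;
}

static void inode_switch_wbs_work_fn(void)
{
    struct inode *inode = pending_switch.inode;
    struct wb *old_wb = inode->i_wb;

    if (old_wb->list_locked)     /* spin_lock(&old_wb->list_lock) would block */
        return;
    pending_switch.queued = false;
    old_wb->list_locked = true;  /* spin_lock(&old_wb->list_lock) */
    inode->i_wb = pending_switch.new_wb;   /* inode_do_switch_wbs() */
    pending_switch.new_wb->refcnt++;
    old_wb->list_locked = false; /* spin_unlock(&old_wb->list_lock) */
    wb_put(old_wb);              /* wb_put_many(old_wb, nr_switched) */
}

static void wb_list_lock(struct wb *wb) { wb->list_locked = true; }

static void wb_list_unlock(struct wb *wb)
{
    wb->list_locked = false;
    if (pending_switch.queued)   /* the waiting kworker now gets the lock */
        inode_switch_wbs_work_fn();
}

/* The "first dirty inode" branch of __mark_inode_dirty(); fixed picks the ordering. */
static void mark_inode_dirty(struct inode *inode, bool fixed)
{
    struct wb *wb = inode->i_wb;             /* locked_inode_to_wb_and_lock_list() */
    wb_list_lock(wb);
    bool wakeup_bdi = (wb->dirty_inodes++ == 0); /* inode_io_list_move_locked() */
    if (!fixed) {
        wb_list_unlock(wb);                  /* old order: lock dropped, wb may go away */
        if (wakeup_bdi) wb_wakeup_delayed(wb);
    } else {
        if (wakeup_bdi) wb_wakeup_delayed(wb);
        wb_list_unlock(wb);                  /* patched order: wake-up under list_lock */
    }
}

struct race_result { int uaf; int wakeups; };

/* Runs the diagram's interleaving once and reports what the dirtier observed. */
struct race_result run_race(bool fixed)
{
    struct wb old_wb = { .magic = WB_MAGIC, .refcnt = 1 };  /* inode holds one ref */
    struct wb new_wb = { .magic = WB_MAGIC, .refcnt = 0 };
    struct inode inode = { .i_wb = &old_wb };
    struct race_result r;

    uaf_detected = 0;
    pending_switch = (struct switch_work){ true, &inode, &new_wb };
    mark_inode_dirty(&inode, fixed);
    r.uaf = uaf_detected;
    r.wakeups = old_wb.wakeups;
    return r;
}

int main(void)
{
    struct race_result before = run_race(false), after = run_race(true);
    printf("old ordering: uaf=%d wakeups=%d\n", before.uaf, before.wakeups);
    printf("patched ordering: uaf=%d wakeups=%d\n", after.uaf, after.wakeups);
    return 0;
}
```

The model only ever "frees" by poisoning the magic field, which is what makes the bad read observable without a sanitizer; the point it makes is the one the diagram makes, that the dirtier's reference to wb is pinned by wb->list_lock and by nothing else, so the last use of wb has to happen before that lock is released.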

Patches currently in stable-queue which might be from sivartiwe at gmail.com are

queue-5.10/bluetooth-add-more-enc-key-size-check.patch
queue-5.10/netfilter-nf_set_pipapo-fix-initial-map-fill.patch
queue-5.10/scsi-pm80xx-set-phy-enable_completion-only-when-we.patch
queue-5.10/fs-writeback-fix-use-after-free-in-__mark_inode_dirty.patch


