2460731 – (CVE-2026-31453) CVE-2026-31453 kernel: xfs: avoid dereferencing log items after push callbacks

Bug 2460731 (CVE-2026-31453) - CVE-2026-31453 kernel: xfs: avoid dereferencing log items after push callbacks

Summary: CVE-2026-31453 kernel: xfs: avoid dereferencing log items after push callbacks

Keywords:
Status:	NEW
Alias:	CVE-2026-31453
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-22 15:07 UTC by OSIDB Bzimport
Modified:	2026-04-24 16:44 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-22 15:07:58 UTC

In the Linux kernel, the following vulnerability has been resolved:

xfs: avoid dereferencing log items after push callbacks

After xfsaild_push_item() calls iop_push(), the log item may have been
freed if the AIL lock was dropped during the push. Background inode
reclaim or the dquot shrinker can free the log item while the AIL lock
is not held, and the tracepoints in the switch statement dereference
the log item after iop_push() returns.

Fix this by capturing the log item type, flags, and LSN before calling
xfsaild_push_item(), and introducing a new xfs_ail_push_class trace
event class that takes these pre-captured values and the ailp pointer
instead of the log item pointer.

Comment 1 Keith Grant 2026-04-22 17:32:37 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026042248-CVE-2026-31453-6c3f@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.