2460710 – (CVE-2026-31454) CVE-2026-31454 kernel: xfs: save ailp before dropping the AIL lock in push callbacks

Bug 2460710 (CVE-2026-31454) - CVE-2026-31454 kernel: xfs: save ailp before dropping the AIL lock in push callbacks

Summary: CVE-2026-31454 kernel: xfs: save ailp before dropping the AIL lock in push ca...

Keywords:
Status:	NEW
Alias:	CVE-2026-31454
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-22 15:06 UTC by OSIDB Bzimport
Modified:	2026-04-24 16:44 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-22 15:06:50 UTC

In the Linux kernel, the following vulnerability has been resolved:

xfs: save ailp before dropping the AIL lock in push callbacks

In xfs_inode_item_push() and xfs_qm_dquot_logitem_push(), the AIL lock
is dropped to perform buffer IO. Once the cluster buffer no longer
protects the log item from reclaim, the log item may be freed by
background reclaim or the dquot shrinker. The subsequent spin_lock()
call dereferences lip->li_ailp, which is a use-after-free.

Fix this by saving the ailp pointer in a local variable while the AIL
lock is held and the log item is guaranteed to be valid.

Comment 1 Keith Grant 2026-04-22 17:35:25 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026042249-CVE-2026-31454-ae01@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.