Linux kernel
cpe:2.3:o:kernel:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's XFS file system. It arises in the functions 'xfs_inode_item_push()' and 'xfs_qm_dquot_logitem_push()' when the AIL lock is released to perform buffer I/O. Once the buffer no longer protects the log item, the item can be reclaimed by background processes, leaving a dangling pointer. The subsequent operation then accesses the freed log item, which is the use-after-free.
Triggering this vulnerability causes a freed memory location to be accessed, potentially allowing for arbitrary code execution or memory corruption.
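A user-space model of the ordering problem described above, added here as an illustration and not taken from the kernel or its patch. The struct and function names are hypothetical, and reclaim is simulated by wiping the item rather than freeing it, so the stale access is counted instead of performed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed user-space model; every name here is hypothetical, not kernel code. */
struct ail { int locked; };                       /* stands in for the AIL and its lock */
struct log_item { struct ail *ailp; int live; };
int stale_reads;                                  /* item reads made after reclaim */
void ail_lock(struct ail *a)   { a->locked = 1; }
void ail_unlock(struct ail *a) { a->locked = 0; }
/* Background reclaim: wipe the slot instead of free() so the model stays defined. */
void reclaim(struct log_item *lip) { memset(lip, 0, sizeof(*lip)); }
/* All item reads go through here, so a stale read is counted rather than executed. */
struct ail *item_ailp(struct log_item *lip)
{
    if (!lip->live) { stale_reads++; return NULL; }
    return lip->ailp;
}
/* Buffer I/O with the lock dropped: the window in which reclaim may run. */
void buffer_io(struct log_item *lip, int reclaim_races) { if (reclaim_races) reclaim(lip); }
/* Flawed ordering: the item is read again after the unlocked window. */
void push_unsafe(struct log_item *lip, int reclaim_races)
{
    ail_unlock(item_ailp(lip));
    buffer_io(lip, reclaim_races);
    struct ail *a = item_ailp(lip);               /* item may already be reclaimed */
    if (a) ail_lock(a);                           /* real code would touch freed memory */
}
/* Safer ordering (assumes the AIL outlives the item): read it while still locked. */
void push_safe(struct log_item *lip, int reclaim_races)
{
    struct ail *a = item_ailp(lip);               /* valid: the lock still pins the item */
    ail_unlock(a);
    buffer_io(lip, reclaim_races);
    ail_lock(a);                                  /* no item access after the window */
}
/* One push against a fresh item; returns the number of stale item reads. */
int run_case(int use_safe, int reclaim_races)
{
    struct ail a = { 1 };
    struct log_item it = { &a, 1 };
    stale_reads = 0;
    if (use_safe) push_safe(&it, reclaim_races); else push_unsafe(&it, reclaim_races);
    return stale_reads;
}
int main(void)
{
    printf("unsafe: %d stale read(s), safe: %d\n", run_case(0, 1), run_case(1, 1));
    return 0;
}
```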
To reproduce this vulnerability, the XFS file system must be used with a workload that triggers the 'xfs_inode_item_push()' or 'xfs_qm_dquot_logitem_push()' functions. This can be done by manipulating the AIL lock and performing buffer I/O in a way that the log item is freed before the lock is reacquired, creating a use-after-free scenario.
Users can upgrade to the patched version of the Linux kernel available in the Linux Kernel Archive.