CVE-2026-31453

After xfsaildpushitem() calls ioppush(), the log item may have been freed if the AIL lock was dropped during the push. Background inode reclaim or the dquot shrinker can free the log item while the AIL lock is not held, and the tracepoints in the switch statement dereference the log item after ioppush() returns.

Fix this by capturing the log item type, flags, and LSN before calling xfsaildpushitem(), and introducing a new xfsailpush_class trace event class that takes these pre-captured values and the ailp pointer instead of the log item pointer.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31453.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

90c60e16401248a4900f3f9387f563d0178dcf34

Fixed

c8a2ab339b88d10fc34a3318c92f07d8a467019d

Fixed

7121b22b0bac89394cc4c6a54b5aebc15347bdf5

Fixed

c4d603e8e58a3bf35480135ccca2b4f7238abda5

Fixed

95fb5d643cc70959baa54cd17f52f80ffc3295e7

Fixed

451c6329d9afa45862c36fe6677eb7750db60617

Fixed

79ef34ec0554ec04bdbafafbc9836423734e1bd6

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31453.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.9.0

Fixed

6.1.168

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.131

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.80

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.18.21

Type: ECOSYSTEM
Events: Introduced

6.19.0

Fixed

6.19.11

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31453.json"