[v2,0/2] btrfs: fix use-after-free in btrfs_encoded_read_endio

Message ID cover.1731407982.git.jth@kernel.org (mailing list archive)

Johannes Thumshirn Nov. 12, 2024, 1:53 p.m. UTC
Shinichiro reported an occasional memory corruption in our CI system with
btrfs/248 that led to panics. He also managed to reproduce this
corruption reliably on one host. See patch 1/2 for details on the
corruption and the fix, patch 2/2 is a cleanup Damien suggested on top of
the fix to make the code more obvious.

Changes to v1:
- Update commit message of patch 1/1
- Prevent double-free of 'priv' in case of io_uring in 2/2
- Use wait_for_completion_io() in 2/2
- Convert priv->pending from atomic_t to refcount_t calling it refs in 2/2

Link to v1:
https://lore.kernel.org/linux-btrfs/cover.1731316882.git.jth@kernel.org

Johannes Thumshirn (2):
  btrfs: fix use-after-free in btrfs_encoded_read_endio
  btrfs: simplify waiting for encoded read endios

 fs/btrfs/inode.c | 27 ++++++++++++++-------------
 1 file changed, 14 insertions(+), 13 deletions(-)