On Tue, Mar 18, 2025 at 07:21:00AM +0000, Pavel Begunkov wrote: > On 3/17/25 13:57, Sidong Yang wrote: > > This patch fixes a bug on encoded_read. In btrfs_uring_encoded_read(), > > btrfs_encoded_read could return -EAGAIN when receiving requests concurrently. > > And data->iov goes to out_free and it freed and return -EAGAIN. io-uring > > subsystem would call it again and it doesn't reset data. And data->iov > > freed and iov_iter reference it. iov_iter would be used in > > btrfs_uring_read_finished() and could be raise memory bug. > > Fixes should go first. Please send it separately, and CC Mark. > A "Fixes" tag would also be good to have. Okay, I'll remove this from patch series. Thanks, Sidong > > > Signed-off-by: Sidong Yang <sidong.yang@xxxxxxxxxx> > > --- > > fs/btrfs/ioctl.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c > > index a7b52fd99059..02fa8dd1a3ce 100644 > > --- a/fs/btrfs/ioctl.c > > +++ b/fs/btrfs/ioctl.c > > @@ -4922,6 +4922,9 @@ static int btrfs_uring_encoded_read(struct io_uring_cmd *cmd, unsigned int issue > > ret = btrfs_encoded_read(&kiocb, &data->iter, &data->args, &cached_state, > > &disk_bytenr, &disk_io_size); > > + > > + if (ret == -EAGAIN) > > + goto out_acct; > > if (ret < 0 && ret != -EIOCBQUEUED) > > goto out_free; > > -- > Pavel Begunkov >
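Review bot: The new `if (ret == -EAGAIN) goto out_acct;` branch skips `out_free` without a comment saying why, and the reason is only in the commit message: io_uring calls the command again, and the retained `data->iter` still references `data->iov`, so freeing it here leaves a dangling pointer for btrfs_uring_read_finished(). A short comment above the check would stop a later cleanup from folding it back into the `ret < 0 && ret != -EIOCBQUEUED` test. This also makes -EAGAIN a path on which `data->iov` stays allocated after the function returns; the visible lines do not show where it is released if the command is never reissued, so the commit message should say so. The added blank line between the btrfs_encoded_read() call and its first return-value check can be dropped. As requested in the thread, the standalone resend should carry a Fixes: tag.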