Patch "btrfs: assert delayed node locked when removing delayed item" has been added to the 6.1-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 2 Oct 2023 21:24:20 -0400

This is a note to let you know that I've just added the patch titled

    btrfs: assert delayed node locked when removing delayed item

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     btrfs-assert-delayed-node-locked-when-removing-delay.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 58aa74df2100fe261a76a08282e5770839f0aded
Author: Filipe Manana <fdmanana@xxxxxxxx>
Date:   Mon Aug 28 09:06:44 2023 +0100

    btrfs: assert delayed node locked when removing delayed item
    
    [ Upstream commit a57c2d4e46f519b24558ae0752c17eec416ac72a ]
    
    When removing a delayed item, or releasing which will remove it as well,
    we will modify one of the delayed node's rbtrees and item counter if the
    delayed item is in one of the rbtrees. This require having the delayed
    node's mutex locked, otherwise we will race with other tasks modifying
    the rbtrees and the counter.
    
    This is motivated by a previous version of another patch actually calling
    btrfs_release_delayed_item() after unlocking the delayed node's mutex and
    against a delayed item that is in a rbtree.
    
    So assert at __btrfs_remove_delayed_item() that the delayed node's mutex
    is locked.
    
    Reviewed-by: Qu Wenruo <wqu@xxxxxxxx>
    Signed-off-by: Filipe Manana <fdmanana@xxxxxxxx>
    Reviewed-by: David Sterba <dsterba@xxxxxxxx>
    Signed-off-by: David Sterba <dsterba@xxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
index 9dacf72a75d0e..1331e56e8e84f 100644
--- a/fs/btrfs/delayed-inode.c
+++ b/fs/btrfs/delayed-inode.c
@@ -407,6 +407,7 @@ static void finish_one_item(struct btrfs_delayed_root *delayed_root)
 
 static void __btrfs_remove_delayed_item(struct btrfs_delayed_item *delayed_item)
 {
+	struct btrfs_delayed_node *delayed_node = delayed_item->delayed_node;
 	struct rb_root_cached *root;
 	struct btrfs_delayed_root *delayed_root;
 
@@ -414,18 +415,21 @@ static void __btrfs_remove_delayed_item(struct btrfs_delayed_item *delayed_item)
 	if (RB_EMPTY_NODE(&delayed_item->rb_node))
 		return;
 
-	delayed_root = delayed_item->delayed_node->root->fs_info->delayed_root;
+	/* If it's in a rbtree, then we need to have delayed node locked. */
+	lockdep_assert_held(&delayed_node->mutex);
+
+	delayed_root = delayed_node->root->fs_info->delayed_root;
 
 	BUG_ON(!delayed_root);
 
 	if (delayed_item->type == BTRFS_DELAYED_INSERTION_ITEM)
-		root = &delayed_item->delayed_node->ins_root;
+		root = &delayed_node->ins_root;
 	else
-		root = &delayed_item->delayed_node->del_root;
+		root = &delayed_node->del_root;
 
 	rb_erase_cached(&delayed_item->rb_node, root);
 	RB_CLEAR_NODE(&delayed_item->rb_node);
-	delayed_item->delayed_node->count--;
+	delayed_node->count--;
 
 	finish_one_item(delayed_root);
 }






