From: Filipe Manana <fdmanana@xxxxxxxx> commit 59f37036bb7ab3d554c24abc856aabca01126414 upstream. At btrfs_scan_root() we are accessing the inode's root (and fs_info) in a call to btrfs_fs_closing() after we have scheduled the inode for a delayed iput, and that can result in a use-after-free on the inode in case the cleaner kthread does the iput before we dereference the inode in the call to btrfs_fs_closing(). Fix this by using the fs_info stored already in a local variable instead of doing inode->root->fs_info. Fixes: 102044384056 ("btrfs: make the extent map shrinker run asynchronously as a work queue job") CC: stable@xxxxxxxxxxxxxxx # 6.13+ Tested-by: Ivan Shapovalov <intelfx@xxxxxxxxxxxx> Link: https://lore.kernel.org/linux-btrfs/0414d690ac5680d0d77dfc930606cdc36e42e12f.camel@xxxxxxxxxxxx/ Reviewed-by: Johannes Thumshirn <johannes.thumshirn@xxxxxxx> Reviewed-by: Qu Wenruo <wqu@xxxxxxxx> Signed-off-by: Filipe Manana <fdmanana@xxxxxxxx> Signed-off-by: David Sterba <dsterba@xxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/btrfs/extent_map.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/fs/btrfs/extent_map.c +++ b/fs/btrfs/extent_map.c @@ -1258,8 +1258,7 @@ static long btrfs_scan_root(struct btrfs fs_info->em_shrinker_last_ino = btrfs_ino(inode); iput(&inode->vfs_inode); - if (ctx->scanned >= ctx->nr_to_scan || - btrfs_fs_closing(inode->root->fs_info)) + if (ctx->scanned >= ctx->nr_to_scan || btrfs_fs_closing(fs_info)) break; cond_resched(); Patches currently in stable-queue which might be from fdmanana@xxxxxxxx are queue-6.13/btrfs-fix-use-after-free-on-inode-when-scanning-root-during-em-shrinking.patch queue-6.13/btrfs-fix-data-overwriting-bug-during-buffered-write-when-block-size-page-size.patch queue-6.13/btrfs-do-regular-iput-instead-of-delayed-iput-during-extent-map-shrinking.patch queue-6.13/btrfs-skip-inodes-without-loaded-extent-maps-when-shrinking-extent-maps.patch
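Review bot: The commit message says the inode was "scheduled for a delayed iput" and that the cleaner kthread may free it, but the context line immediately above the changed condition in this backport is a plain `iput(&inode->vfs_inode);` (the stable queue listed here also carries "btrfs-do-regular-iput-instead-of-delayed-iput-during-extent-map-shrinking.patch"). The fix is still correct and arguably more urgent in this form: a regular `iput()` can drop the last reference and free the inode synchronously, so the removed `btrfs_fs_closing(inode->root->fs_info)` dereferenced potentially freed memory on the very next line, and the hunk's own context shows `fs_info` is already in scope (`fs_info->em_shrinker_last_ino = btrfs_ino(inode);`), so `btrfs_fs_closing(fs_info)` is the right replacement. Two small follow-ups: consider adjusting the backport's description so it matches the regular-`iput()` context, and consider a one-line comment after the `iput()` stating that `inode` must not be touched past that point, since the loop body continues with `break;` and `cond_resched();` and a future edit could easily reintroduce the same use-after-free.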