| Message ID | 20230714084241.548739-1-hch@lst.de (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | btrfs: fix ordered extent split error handling in btrfs_dio_submit_io | expand |
On Fri, Jul 14, 2023 at 10:42:41AM +0200, Christoph Hellwig wrote: > When the call to btrfs_extract_ordered_extent in btrfs_dio_submit_io > fails to allocate memory for a new ordered_extent, it calls into the > btrfs_dio_end_io for error handling. btrfs_dio_end_io then assumes that > bbio->ordered is set because it is supposed to be at this point, except > for this error handling corner case. Try to not overload the > btrfs_dio_end_io with error handling of a bio in a non-canonical state, > and instead call btrfs_finish_ordered_extent and iomap_dio_bio_end_io > directly for this error case. > > Fixes: b41b6f6937dc ("btrfs: use btrfs_finish_ordered_extent to complete direct writes") > Reported-by: syzbot <syzbot+5b82f0e951f8c2bcdb8f@syzkaller.appspotmail.com> > Signed-off-by: Christoph Hellwig <hch@lst.de> > Tested-by: syzbot <syzbot+5b82f0e951f8c2bcdb8f@syzkaller.appspotmail.com> Reviewed-by: Josef Bacik <josef@toxicpanda.com> Thanks, Josef
On Fri, Jul 14, 2023 at 10:42:41AM +0200, Christoph Hellwig wrote: > When the call to btrfs_extract_ordered_extent in btrfs_dio_submit_io > fails to allocate memory for a new ordered_extent, it calls into the > btrfs_dio_end_io for error handling. btrfs_dio_end_io then assumes that > bbio->ordered is set because it is supposed to be at this point, except > for this error handling corner case. Try to not overload the > btrfs_dio_end_io with error handling of a bio in a non-canonical state, > and instead call btrfs_finish_ordered_extent and iomap_dio_bio_end_io > directly for this error case. > > Fixes: b41b6f6937dc ("btrfs: use btrfs_finish_ordered_extent to complete direct writes") > Reported-by: syzbot <syzbot+5b82f0e951f8c2bcdb8f@syzkaller.appspotmail.com> > Signed-off-by: Christoph Hellwig <hch@lst.de> > Tested-by: syzbot <syzbot+5b82f0e951f8c2bcdb8f@syzkaller.appspotmail.com> Added to misc-next, thanks.
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index dbbb67293e345c..a7064c2bee5b8e 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -7849,8 +7849,11 @@ static void btrfs_dio_submit_io(const struct iomap_iter *iter, struct bio *bio, ret = btrfs_extract_ordered_extent(bbio, dio_data->ordered); if (ret) { - bbio->bio.bi_status = errno_to_blk_status(ret); - btrfs_dio_end_io(bbio); + btrfs_finish_ordered_extent(dio_data->ordered, NULL, + file_offset, dip->bytes, + !ret); + bio->bi_status = errno_to_blk_status(ret); + iomap_dio_bio_end_io(bio); return; } }
When the call to btrfs_extract_ordered_extent in btrfs_dio_submit_io fails to allocate memory for a new ordered_extent, it calls into the btrfs_dio_end_io for error handling. btrfs_dio_end_io then assumes that bbio->ordered is set because it is supposed to be at this point, except for this error handling corner case. Try to not overload the btrfs_dio_end_io with error handling of a bio in a non-canonical state, and instead call btrfs_finish_ordered_extent and iomap_dio_bio_end_io directly for this error case. Fixes: b41b6f6937dc ("btrfs: use btrfs_finish_ordered_extent to complete direct writes") Reported-by: syzbot <syzbot+5b82f0e951f8c2bcdb8f@syzkaller.appspotmail.com> Signed-off-by: Christoph Hellwig <hch@lst.de> Tested-by: syzbot <syzbot+5b82f0e951f8c2bcdb8f@syzkaller.appspotmail.com> --- fs/btrfs/inode.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)