btrfs: fix double inode unlock for direct IO sync writes

Message ID	7aa71067c2946ea3a7165f26899324e0df7d772e.1722588255.git.fdmanana@suse.com (mailing list archive)
State	New, archived
Headers	show Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7695C1C3793 for <linux-btrfs@vger.kernel.org>; Fri, 2 Aug 2024 08:44:56 +0000 (UTC) From: fdmanana@kernel.org To: linux-btrfs@vger.kernel.org Subject: [PATCH] btrfs: fix double inode unlock for direct IO sync writes Date: Fri, 2 Aug 2024 09:44:52 +0100 Message-Id: <7aa71067c2946ea3a7165f26899324e0df7d772e.1722588255.git.fdmanana@suse.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	btrfs: fix double inode unlock for direct IO sync writes \| expand btrfs: fix double inode unlock for direct IO sync writes

Message ID

7aa71067c2946ea3a7165f26899324e0df7d772e.1722588255.git.fdmanana@suse.com (mailing list archive)

State

New, archived

Headers

From: fdmanana@kernel.org
To: linux-btrfs@vger.kernel.org
Subject: [PATCH] btrfs: fix double inode unlock for direct IO sync writes
Date: Fri,  2 Aug 2024 09:44:52 +0100
Message-Id: 
 <7aa71067c2946ea3a7165f26899324e0df7d772e.1722588255.git.fdmanana@suse.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

btrfs: fix double inode unlock for direct IO sync writes | expand

Commit Message

Filipe Manana Aug. 2, 2024, 8:44 a.m. UTC

From: Filipe Manana <fdmanana@suse.com>

If we do a direct IO sync write, at btrfs_sync_file(), and we need to skip
inode logging or we get an error starting a transaction or an error when
flushing delalloc, we end up unlocking the inode when we shouldn't under
the 'out_release_extents' label.

Fix that by checking if we have to skip inode locking/unlocking under
that label.

Reported-by: syzbot+7dbbb74af6291b5a5a8b@syzkaller.appspotmail.com
Link: https://lore.kernel.org/linux-btrfs/000000000000dfd631061eaeb4bc@google.com/
Fixes: 939b656bc8ab ("btrfs: fix corruption after buffer fault in during direct IO append write")
Signed-off-by: Filipe Manana <fdmanana@suse.com>
---
 fs/btrfs/file.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Comments

Josef Bacik Aug. 2, 2024, 3:54 p.m. UTC | #1

On Fri, Aug 02, 2024 at 09:44:52AM +0100, fdmanana@kernel.org wrote:
> From: Filipe Manana <fdmanana@suse.com>
> 
> If we do a direct IO sync write, at btrfs_sync_file(), and we need to skip
> inode logging or we get an error starting a transaction or an error when
> flushing delalloc, we end up unlocking the inode when we shouldn't under
> the 'out_release_extents' label.
> 
> Fix that by checking if we have to skip inode locking/unlocking under
> that label.
> 
> Reported-by: syzbot+7dbbb74af6291b5a5a8b@syzkaller.appspotmail.com
> Link: https://lore.kernel.org/linux-btrfs/000000000000dfd631061eaeb4bc@google.com/
> Fixes: 939b656bc8ab ("btrfs: fix corruption after buffer fault in during direct IO append write")
> Signed-off-by: Filipe Manana <fdmanana@suse.com>

Heh I just saw this syzbot thing and came to the list to see if you fixed it,

Reviewed-by: Josef Bacik <josef@toxicpanda.com>

Thanks,

Josef

diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c
index d742c04931d6..76f4cc686af9 100644
--- a/fs/btrfs/file.c
+++ b/fs/btrfs/file.c
@@ -1868,7 +1868,10 @@  int btrfs_sync_file(struct file *file, loff_t start, loff_t end, int datasync)
 
 out_release_extents:
 	btrfs_release_log_ctx_extents(&ctx);
-	btrfs_inode_unlock(inode, BTRFS_ILOCK_MMAP);
+	if (skip_ilock)
+		up_write(&inode->i_mmap_lock);
+	else
+		btrfs_inode_unlock(inode, BTRFS_ILOCK_MMAP);
 	goto out;
 }

btrfs: fix double inode unlock for direct IO sync writes

Commit Message

Comments

Patch