[v3,0/2] btrfs: fix use-after-free in btrfs_encoded_read_endio

Message ID cover.1731517699.git.jth@kernel.org (mailing list archive)

Johannes Thumshirn Nov. 13, 2024, 5:16 p.m. UTC
Shinichiro reported an occasional memory corruption in our CI system with
btrfs/248 that led to panics. He also managed to reproduce this
corruption reliably on one host. See patch 1/2 for details on the
corruption and the fix, patch 2/2 is a cleanup Damien suggested on top of
the fix to make the code more obvious.

Changes to v2:
- Make patch 1/2 only do the atomic_dec_and_test() as a minimal viable fix
- Make patch 2/2 only do completion and refcount_t 

Link to v2:
https://lore.kernel.org/linux-btrfs/cover.1731407982.git.jth@kernel.org

Changes to v1:
- Update commit message of patch 1/1
- Prevent double-free of 'priv' in case of io_uring in 2/2
- Use wait_for_completion_io() in 2/2
- Convert priv->pending from atomic_t to refcount_t calling it refs in 2/2

Link to v1:
https://lore.kernel.org/linux-btrfs/cover.1731316882.git.jth@kernel.org


Johannes Thumshirn (2):
  btrfs: fix use-after-free in btrfs_encoded_read_endio
  btrfs: simplify waiting for encoded read endios

 fs/btrfs/inode.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)