From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Boris Burkov, Josef Bacik, David Sterba, Sasha Levin
Subject: [PATCH 5.16 0798/1017] btrfs: do not clean up repair bio if submit fails
Date: Tue, 5 Apr 2022 09:28:31 +0200
Message-Id: <20220405070417.937994199@linuxfoundation.org>
In-Reply-To: <20220405070354.155796697@linuxfoundation.org>
References: <20220405070354.155796697@linuxfoundation.org>

From: Josef Bacik

[ Upstream commit 8cbc3001a3264d998d6b6db3e23f935c158abd4d ]

The submit helper will always run bio_endio() on the bio if it fails to
submit, so cleaning up the bio just leads to a variety of use-after-free
and NULL pointer dereference bugs because we race with the endio
function that is cleaning up the bio. Instead just return BLK_STS_OK as
the repair function has to continue to process the rest of the pages,
and the endio for the repair bio will do the appropriate cleanup for the
page that it was given.

Reviewed-by: Boris Burkov
Signed-off-by: Josef Bacik
Signed-off-by: David Sterba
Signed-off-by: Sasha Levin
---
 fs/btrfs/extent_io.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c index c3f466362103..ced0195f3390 100644 --- a/fs/btrfs/extent_io.c +++ b/fs/btrfs/extent_io.c @@ -2640,7 +2640,6 @@ int btrfs_repair_one_sector(struct inode *inode, const int icsum = bio_offset >> fs_info->sectorsize_bits; struct bio *repair_bio; struct btrfs_bio *repair_bbio; - blk_status_t status; btrfs_debug(fs_info, "repair read error: read error at %llu", start); @@ -2679,13 +2678,13 @@ int btrfs_repair_one_sector(struct inode *inode, "repair read error: submitting new read to mirror %d", failrec->this_mirror); - status = submit_bio_hook(inode, repair_bio, failrec->this_mirror, - failrec->bio_flags); - if (status) { - free_io_failure(failure_tree, tree, failrec); - bio_put(repair_bio); - } - return blk_status_to_errno(status); + /* + * At this point we have a bio, so any errors from submit_bio_hook() + * will be handled by the endio on the repair_bio, so we can't return an + * error here. + */ + submit_bio_hook(inode, repair_bio, failrec->this_mirror, failrec->bio_flags); + return BLK_STS_OK; } static void end_page_read(struct page *page, bool uptodate, u64 start, u32 len) -- 2.34.1
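
Review bot: In the second hunk, the new "return BLK_STS_OK;" at the end of btrfs_repair_one_sector() returns a blk_status_t constant from a function declared int, where the removed code converted the status with blk_status_to_errno(). "return 0;" would keep the errno convention of the return type and avoid mixing the two error domains. The added comment would also be clearer if it said, as the commit message does, that the submit helper runs bio_endio() on the bio when submission fails, since that is why the return value of submit_bio_hook() is deliberately dropped and why the free_io_failure() and bio_put() calls had to go.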