From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Boris Burkov, Josef Bacik, David Sterba, Sasha Levin
Subject: [PATCH 5.17 0884/1126] btrfs: do not clean up repair bio if submit fails
Date: Tue, 5 Apr 2022 09:27:11 +0200

From: Josef Bacik

[ Upstream commit 8cbc3001a3264d998d6b6db3e23f935c158abd4d ]

The submit helper will always run bio_endio() on the bio if it fails to submit, so cleaning up the bio just leads to a variety of use-after-free and NULL pointer dereference bugs because we race with the endio function that is cleaning up the bio. Instead just return BLK_STS_OK as the repair function has to continue to process the rest of the pages, and the endio for the repair bio will do the appropriate cleanup for the page that it was given.

Reviewed-by: Boris Burkov
Signed-off-by: Josef Bacik
Signed-off-by: David Sterba
Signed-off-by: Sasha Levin

--- fs/btrfs/extent_io.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c index f767c1164742..99028984340a 100644 --- a/fs/btrfs/extent_io.c +++ b/fs/btrfs/extent_io.c
@@ -2639,7 +2639,6 @@ int btrfs_repair_one_sector(struct inode *inode, const int icsum = bio_offset >> fs_info->sectorsize_bits; struct bio *repair_bio; struct btrfs_bio *repair_bbio; - blk_status_t status; btrfs_debug(fs_info, "repair read error: read error at %llu", start); @@ -2678,13 +2677,13 @@ int btrfs_repair_one_sector(struct inode *inode, "repair read error: submitting new read to mirror %d", failrec->this_mirror); - status = submit_bio_hook(inode, repair_bio, failrec->this_mirror, - failrec->bio_flags); - if (status) { - free_io_failure(failure_tree, tree, failrec); - bio_put(repair_bio); - } - return blk_status_to_errno(status); + /* + * At this point we have a bio, so any errors from submit_bio_hook() + * will be handled by the endio on the repair_bio, so we can't return an + * error here. + */ + submit_bio_hook(inode, repair_bio, failrec->this_mirror, failrec->bio_flags); + return BLK_STS_OK; } static void end_page_read(struct page *page, bool uptodate, u64 start, u32 len) -- 2.34.1
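
Review bot: In the second hunk, btrfs_repair_one_sector() is declared int (see the hunk header) but now ends with "return BLK_STS_OK;", which is a blk_status_t constant and not an errno. The removed code converted with blk_status_to_errno(status) before returning, so a plain "return 0;" would keep the return value in the function's own type and would not suggest that callers receive a block status. The return value of submit_bio_hook() is also discarded silently now; the new comment explains why, and it could additionally name what the endio is responsible for releasing, since the removed lines freed failrec through free_io_failure() and dropped the bio with bio_put() on this path. Minor style point: the new submit_bio_hook() call is a single line longer than 80 columns, where the removed call was wrapped.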