--- /dev/null
+From a8f70799a4dd156c5843792db81da2382553ad5e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2024 12:55:53 +0800
+Subject: btrfs: add a sanity check for btrfs root in btrfs_search_slot()
+
+From: Lizhi Xu <lizhi.xu@windriver.com>
+
+[ Upstream commit 3ed51857a50f530ac7a1482e069dfbd1298558d4 ]
+
+Syzbot reports a null-ptr-deref in btrfs_search_slot().
+
+The reproducer is using rescue=ibadroots, and the extent tree root is
+corrupted thus the extent tree is NULL.
+
+When scrub tries to search the extent tree to gather the needed extent
+info, btrfs_search_slot() doesn't check if the target root is NULL or
+not, resulting the null-ptr-deref.
+
+Add sanity check for btrfs root before using it in btrfs_search_slot().
+
+Reported-by: syzbot+3030e17bd57a73d39bd7@syzkaller.appspotmail.com
+Fixes: 42437a6386ff ("btrfs: introduce mount option rescue=ignorebadroots")
+Link: https://syzkaller.appspot.com/bug?extid=3030e17bd57a73d39bd7
+CC: stable@vger.kernel.org # 5.15+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Tested-by: syzbot+3030e17bd57a73d39bd7@syzkaller.appspotmail.com
+Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ctree.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
+index 0cc919d15b144..9c05cab473f57 100644
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -2010,7 +2010,7 @@ int btrfs_search_slot(struct btrfs_trans_handle *trans, struct btrfs_root *root,
+ const struct btrfs_key *key, struct btrfs_path *p,
+ int ins_len, int cow)
+ {
+- struct btrfs_fs_info *fs_info = root->fs_info;
++ struct btrfs_fs_info *fs_info;
+ struct extent_buffer *b;
+ int slot;
+ int ret;
+@@ -2023,6 +2023,10 @@ int btrfs_search_slot(struct btrfs_trans_handle *trans, struct btrfs_root *root,
+ int min_write_lock_level;
+ int prev_cmp;
+
++ if (!root)
++ return -EINVAL;
++
++ fs_info = root->fs_info;
+ might_sleep();
+
+ lowest_level = p->lowest_level;
+--
+2.43.0
+
--- /dev/null
+From f69c768017aa91a534783223b34a00f64f222a7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Oct 2024 15:50:17 +0100
+Subject: btrfs: change btrfs_encoded_read() so that reading of extent is done
+ by caller
+
+From: Mark Harmstone <maharmstone@fb.com>
+
+[ Upstream commit 26efd44796c6dd7a64f039a0dda6d558eac97a3e ]
+
+Change the behaviour of btrfs_encoded_read() so that if it needs to read
+an extent from disk, it leaves the extent and inode locked and returns
+-EIOCBQUEUED. The caller is then responsible for doing the I/O via
+btrfs_encoded_read_regular() and unlocking the extent and inode.
+
+Signed-off-by: Mark Harmstone <maharmstone@fb.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Stable-dep-of: 05b36b04d74a ("btrfs: fix use-after-free in btrfs_encoded_read_endio()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/btrfs_inode.h | 9 ++++++-
+ fs/btrfs/inode.c | 57 ++++++++++++++++++++----------------------
+ fs/btrfs/ioctl.c | 32 +++++++++++++++++++++++-
+ 3 files changed, 66 insertions(+), 32 deletions(-)
+
+diff --git a/fs/btrfs/btrfs_inode.h b/fs/btrfs/btrfs_inode.h
+index 5e2d93c2dfb5a..db53a3263fbd0 100644
+--- a/fs/btrfs/btrfs_inode.h
++++ b/fs/btrfs/btrfs_inode.h
+@@ -616,7 +616,14 @@ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode,
+ u64 disk_bytenr, u64 disk_io_size,
+ struct page **pages);
+ ssize_t btrfs_encoded_read(struct kiocb *iocb, struct iov_iter *iter,
+- struct btrfs_ioctl_encoded_io_args *encoded);
++ struct btrfs_ioctl_encoded_io_args *encoded,
++ struct extent_state **cached_state,
++ u64 *disk_bytenr, u64 *disk_io_size);
++ssize_t btrfs_encoded_read_regular(struct kiocb *iocb, struct iov_iter *iter,
++ u64 start, u64 lockend,
++ struct extent_state **cached_state,
++ u64 disk_bytenr, u64 disk_io_size,
++ size_t count, bool compressed, bool *unlocked);
+ ssize_t btrfs_do_encoded_write(struct kiocb *iocb, struct iov_iter *from,
+ const struct btrfs_ioctl_encoded_io_args *encoded);
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index 753e9cb0c3717..9c4f1a3742f3f 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -9177,13 +9177,11 @@ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode,
+ return blk_status_to_errno(READ_ONCE(priv.status));
+ }
+
+-static ssize_t btrfs_encoded_read_regular(struct kiocb *iocb,
+- struct iov_iter *iter,
+- u64 start, u64 lockend,
+- struct extent_state **cached_state,
+- u64 disk_bytenr, u64 disk_io_size,
+- size_t count, bool compressed,
+- bool *unlocked)
++ssize_t btrfs_encoded_read_regular(struct kiocb *iocb, struct iov_iter *iter,
++ u64 start, u64 lockend,
++ struct extent_state **cached_state,
++ u64 disk_bytenr, u64 disk_io_size,
++ size_t count, bool compressed, bool *unlocked)
+ {
+ struct btrfs_inode *inode = BTRFS_I(file_inode(iocb->ki_filp));
+ struct extent_io_tree *io_tree = &inode->io_tree;
+@@ -9244,15 +9242,16 @@ static ssize_t btrfs_encoded_read_regular(struct kiocb *iocb,
+ }
+
+ ssize_t btrfs_encoded_read(struct kiocb *iocb, struct iov_iter *iter,
+- struct btrfs_ioctl_encoded_io_args *encoded)
++ struct btrfs_ioctl_encoded_io_args *encoded,
++ struct extent_state **cached_state,
++ u64 *disk_bytenr, u64 *disk_io_size)
+ {
+ struct btrfs_inode *inode = BTRFS_I(file_inode(iocb->ki_filp));
+ struct btrfs_fs_info *fs_info = inode->root->fs_info;
+ struct extent_io_tree *io_tree = &inode->io_tree;
+ ssize_t ret;
+ size_t count = iov_iter_count(iter);
+- u64 start, lockend, disk_bytenr, disk_io_size;
+- struct extent_state *cached_state = NULL;
++ u64 start, lockend;
+ struct extent_map *em;
+ bool unlocked = false;
+
+@@ -9278,13 +9277,13 @@ ssize_t btrfs_encoded_read(struct kiocb *iocb, struct iov_iter *iter,
+ lockend - start + 1);
+ if (ret)
+ goto out_unlock_inode;
+- lock_extent(io_tree, start, lockend, &cached_state);
++ lock_extent(io_tree, start, lockend, cached_state);
+ ordered = btrfs_lookup_ordered_range(inode, start,
+ lockend - start + 1);
+ if (!ordered)
+ break;
+ btrfs_put_ordered_extent(ordered);
+- unlock_extent(io_tree, start, lockend, &cached_state);
++ unlock_extent(io_tree, start, lockend, cached_state);
+ cond_resched();
+ }
+
+@@ -9304,7 +9303,7 @@ ssize_t btrfs_encoded_read(struct kiocb *iocb, struct iov_iter *iter,
+ free_extent_map(em);
+ em = NULL;
+ ret = btrfs_encoded_read_inline(iocb, iter, start, lockend,
+- &cached_state, extent_start,
++ cached_state, extent_start,
+ count, encoded, &unlocked);
+ goto out;
+ }
+@@ -9317,12 +9316,12 @@ ssize_t btrfs_encoded_read(struct kiocb *iocb, struct iov_iter *iter,
+ inode->vfs_inode.i_size) - iocb->ki_pos;
+ if (em->disk_bytenr == EXTENT_MAP_HOLE ||
+ (em->flags & EXTENT_FLAG_PREALLOC)) {
+- disk_bytenr = EXTENT_MAP_HOLE;
++ *disk_bytenr = EXTENT_MAP_HOLE;
+ count = min_t(u64, count, encoded->len);
+ encoded->len = count;
+ encoded->unencoded_len = count;
+ } else if (extent_map_is_compressed(em)) {
+- disk_bytenr = em->disk_bytenr;
++ *disk_bytenr = em->disk_bytenr;
+ /*
+ * Bail if the buffer isn't large enough to return the whole
+ * compressed extent.
+@@ -9331,7 +9330,7 @@ ssize_t btrfs_encoded_read(struct kiocb *iocb, struct iov_iter *iter,
+ ret = -ENOBUFS;
+ goto out_em;
+ }
+- disk_io_size = em->disk_num_bytes;
++ *disk_io_size = em->disk_num_bytes;
+ count = em->disk_num_bytes;
+ encoded->unencoded_len = em->ram_bytes;
+ encoded->unencoded_offset = iocb->ki_pos - (em->start - em->offset);
+@@ -9341,35 +9340,32 @@ ssize_t btrfs_encoded_read(struct kiocb *iocb, struct iov_iter *iter,
+ goto out_em;
+ encoded->compression = ret;
+ } else {
+- disk_bytenr = extent_map_block_start(em) + (start - em->start);
++ *disk_bytenr = extent_map_block_start(em) + (start - em->start);
+ if (encoded->len > count)
+ encoded->len = count;
+ /*
+ * Don't read beyond what we locked. This also limits the page
+ * allocations that we'll do.
+ */
+- disk_io_size = min(lockend + 1, iocb->ki_pos + encoded->len) - start;
+- count = start + disk_io_size - iocb->ki_pos;
++ *disk_io_size = min(lockend + 1, iocb->ki_pos + encoded->len) - start;
++ count = start + *disk_io_size - iocb->ki_pos;
+ encoded->len = count;
+ encoded->unencoded_len = count;
+- disk_io_size = ALIGN(disk_io_size, fs_info->sectorsize);
++ *disk_io_size = ALIGN(*disk_io_size, fs_info->sectorsize);
+ }
+ free_extent_map(em);
+ em = NULL;
+
+- if (disk_bytenr == EXTENT_MAP_HOLE) {
+- unlock_extent(io_tree, start, lockend, &cached_state);
++ if (*disk_bytenr == EXTENT_MAP_HOLE) {
++ unlock_extent(io_tree, start, lockend, cached_state);
+ btrfs_inode_unlock(inode, BTRFS_ILOCK_SHARED);
+ unlocked = true;
+ ret = iov_iter_zero(count, iter);
+ if (ret != count)
+ ret = -EFAULT;
+ } else {
+- ret = btrfs_encoded_read_regular(iocb, iter, start, lockend,
+- &cached_state, disk_bytenr,
+- disk_io_size, count,
+- encoded->compression,
+- &unlocked);
++ ret = -EIOCBQUEUED;
++ goto out_em;
+ }
+
+ out:
+@@ -9378,10 +9374,11 @@ ssize_t btrfs_encoded_read(struct kiocb *iocb, struct iov_iter *iter,
+ out_em:
+ free_extent_map(em);
+ out_unlock_extent:
+- if (!unlocked)
+- unlock_extent(io_tree, start, lockend, &cached_state);
++ /* Leave inode and extent locked if we need to do a read. */
++ if (!unlocked && ret != -EIOCBQUEUED)
++ unlock_extent(io_tree, start, lockend, cached_state);
+ out_unlock_inode:
+- if (!unlocked)
++ if (!unlocked && ret != -EIOCBQUEUED)
+ btrfs_inode_unlock(inode, BTRFS_ILOCK_SHARED);
+ return ret;
+ }
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
+index 226c91fe31a70..3e3722a732393 100644
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -4514,12 +4514,17 @@ static int btrfs_ioctl_encoded_read(struct file *file, void __user *argp,
+ size_t copy_end_kernel = offsetofend(struct btrfs_ioctl_encoded_io_args,
+ flags);
+ size_t copy_end;
++ struct btrfs_inode *inode = BTRFS_I(file_inode(file));
++ struct btrfs_fs_info *fs_info = inode->root->fs_info;
++ struct extent_io_tree *io_tree = &inode->io_tree;
+ struct iovec iovstack[UIO_FASTIOV];
+ struct iovec *iov = iovstack;
+ struct iov_iter iter;
+ loff_t pos;
+ struct kiocb kiocb;
+ ssize_t ret;
++ u64 disk_bytenr, disk_io_size;
++ struct extent_state *cached_state = NULL;
+
+ if (!capable(CAP_SYS_ADMIN)) {
+ ret = -EPERM;
+@@ -4572,7 +4577,32 @@ static int btrfs_ioctl_encoded_read(struct file *file, void __user *argp,
+ init_sync_kiocb(&kiocb, file);
+ kiocb.ki_pos = pos;
+
+- ret = btrfs_encoded_read(&kiocb, &iter, &args);
++ ret = btrfs_encoded_read(&kiocb, &iter, &args, &cached_state,
++ &disk_bytenr, &disk_io_size);
++
++ if (ret == -EIOCBQUEUED) {
++ bool unlocked = false;
++ u64 start, lockend, count;
++
++ start = ALIGN_DOWN(kiocb.ki_pos, fs_info->sectorsize);
++ lockend = start + BTRFS_MAX_UNCOMPRESSED - 1;
++
++ if (args.compression)
++ count = disk_io_size;
++ else
++ count = args.len;
++
++ ret = btrfs_encoded_read_regular(&kiocb, &iter, start, lockend,
++ &cached_state, disk_bytenr,
++ disk_io_size, count,
++ args.compression, &unlocked);
++
++ if (!unlocked) {
++ unlock_extent(io_tree, start, lockend, &cached_state);
++ btrfs_inode_unlock(inode, BTRFS_ILOCK_SHARED);
++ }
++ }
++
+ if (ret >= 0) {
+ fsnotify_access(file);
+ if (copy_to_user(argp + copy_end,
+--
+2.43.0
+
--- /dev/null
+From 11b860b050b8cb78344dcc993724244b59f0891e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Nov 2024 15:46:13 +0000
+Subject: btrfs: don't loop for nowait writes when checking for cross
+ references
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit ed67f2a913a4f0fc505db29805c41dd07d3cb356 ]
+
+When checking for delayed refs when verifying if there are cross
+references for a data extent, we stop if the path has nowait set and we
+can't try lock the delayed ref head's mutex, returning -EAGAIN with the
+goal of making a write fallback to a blocking context. However we ignore
+the -EAGAIN at btrfs_cross_ref_exist() when check_delayed_ref() returns
+it, and keep looping instead of immediately returning the -EAGAIN to the
+caller.
+
+Fix this by not looping if we get -EAGAIN and we have a nowait path.
+
+Fixes: 26ce91144631 ("btrfs: make can_nocow_extent nowait compatible")
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/extent-tree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
+index d9f511babd89a..b43a8611aca5c 100644
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -2446,7 +2446,7 @@ int btrfs_cross_ref_exist(struct btrfs_root *root, u64 objectid, u64 offset,
+ goto out;
+
+ ret = check_delayed_ref(root, path, objectid, offset, bytenr);
+- } while (ret == -EAGAIN);
++ } while (ret == -EAGAIN && !path->nowait);
+
+ out:
+ btrfs_release_path(path);
+--
+2.43.0
+
--- /dev/null
+From 78a0a972a2b8bfbfc6df72a099d5ed847635a4a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2024 16:31:47 +0200
+Subject: btrfs: drop unused parameter file_offset from
+ btrfs_encoded_read_regular_fill_pages()
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit 590168edbe6317ca9f4066215fb099f43ffe745c ]
+
+The file_offset parameter used to be passed to encoded read struct but
+was removed in commit b665affe93d8 ("btrfs: remove unused members from
+struct btrfs_encoded_read_private").
+
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Stable-dep-of: 05b36b04d74a ("btrfs: fix use-after-free in btrfs_encoded_read_endio()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/btrfs_inode.h | 3 +--
+ fs/btrfs/inode.c | 6 +++---
+ fs/btrfs/send.c | 2 +-
+ 3 files changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/fs/btrfs/btrfs_inode.h b/fs/btrfs/btrfs_inode.h
+index e152fde888fc9..5e2d93c2dfb5a 100644
+--- a/fs/btrfs/btrfs_inode.h
++++ b/fs/btrfs/btrfs_inode.h
+@@ -613,8 +613,7 @@ int btrfs_writepage_cow_fixup(struct folio *folio);
+ int btrfs_encoded_io_compression_from_extent(struct btrfs_fs_info *fs_info,
+ int compress_type);
+ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode,
+- u64 file_offset, u64 disk_bytenr,
+- u64 disk_io_size,
++ u64 disk_bytenr, u64 disk_io_size,
+ struct page **pages);
+ ssize_t btrfs_encoded_read(struct kiocb *iocb, struct iov_iter *iter,
+ struct btrfs_ioctl_encoded_io_args *encoded);
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index 1e4ca1e7d2e58..753e9cb0c3717 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -9132,8 +9132,8 @@ static void btrfs_encoded_read_endio(struct btrfs_bio *bbio)
+ }
+
+ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode,
+- u64 file_offset, u64 disk_bytenr,
+- u64 disk_io_size, struct page **pages)
++ u64 disk_bytenr, u64 disk_io_size,
++ struct page **pages)
+ {
+ struct btrfs_fs_info *fs_info = inode->root->fs_info;
+ struct btrfs_encoded_read_private priv = {
+@@ -9203,7 +9203,7 @@ static ssize_t btrfs_encoded_read_regular(struct kiocb *iocb,
+ goto out;
+ }
+
+- ret = btrfs_encoded_read_regular_fill_pages(inode, start, disk_bytenr,
++ ret = btrfs_encoded_read_regular_fill_pages(inode, disk_bytenr,
+ disk_io_size, pages);
+ if (ret)
+ goto out;
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
+index b068469871f8e..0cb11dcd10cd4 100644
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -5677,7 +5677,7 @@ static int send_encoded_extent(struct send_ctx *sctx, struct btrfs_path *path,
+ * Note that send_buf is a mapping of send_buf_pages, so this is really
+ * reading into send_buf.
+ */
+- ret = btrfs_encoded_read_regular_fill_pages(BTRFS_I(inode), offset,
++ ret = btrfs_encoded_read_regular_fill_pages(BTRFS_I(inode),
+ disk_bytenr, disk_num_bytes,
+ sctx->send_buf_pages +
+ (data_offset >> PAGE_SHIFT));
+--
+2.43.0
+
--- /dev/null
+From ab4e577cef12a57a5f647316735343913d037b29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Nov 2024 18:16:48 +0100
+Subject: btrfs: fix use-after-free in btrfs_encoded_read_endio()
+
+From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+
+[ Upstream commit 05b36b04d74a517d6675bf2f90829ff1ac7e28dc ]
+
+Shinichiro reported the following use-after free that sometimes is
+happening in our CI system when running fstests' btrfs/284 on a TCMU
+runner device:
+
+ BUG: KASAN: slab-use-after-free in lock_release+0x708/0x780
+ Read of size 8 at addr ffff888106a83f18 by task kworker/u80:6/219
+
+ CPU: 8 UID: 0 PID: 219 Comm: kworker/u80:6 Not tainted 6.12.0-rc6-kts+ #15
+ Hardware name: Supermicro Super Server/X11SPi-TF, BIOS 3.3 02/21/2020
+ Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x6e/0xa0
+ ? lock_release+0x708/0x780
+ print_report+0x174/0x505
+ ? lock_release+0x708/0x780
+ ? __virt_addr_valid+0x224/0x410
+ ? lock_release+0x708/0x780
+ kasan_report+0xda/0x1b0
+ ? lock_release+0x708/0x780
+ ? __wake_up+0x44/0x60
+ lock_release+0x708/0x780
+ ? __pfx_lock_release+0x10/0x10
+ ? __pfx_do_raw_spin_lock+0x10/0x10
+ ? lock_is_held_type+0x9a/0x110
+ _raw_spin_unlock_irqrestore+0x1f/0x60
+ __wake_up+0x44/0x60
+ btrfs_encoded_read_endio+0x14b/0x190 [btrfs]
+ btrfs_check_read_bio+0x8d9/0x1360 [btrfs]
+ ? lock_release+0x1b0/0x780
+ ? trace_lock_acquire+0x12f/0x1a0
+ ? __pfx_btrfs_check_read_bio+0x10/0x10 [btrfs]
+ ? process_one_work+0x7e3/0x1460
+ ? lock_acquire+0x31/0xc0
+ ? process_one_work+0x7e3/0x1460
+ process_one_work+0x85c/0x1460
+ ? __pfx_process_one_work+0x10/0x10
+ ? assign_work+0x16c/0x240
+ worker_thread+0x5e6/0xfc0
+ ? __pfx_worker_thread+0x10/0x10
+ kthread+0x2c3/0x3a0
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork+0x31/0x70
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork_asm+0x1a/0x30
+ </TASK>
+
+ Allocated by task 3661:
+ kasan_save_stack+0x30/0x50
+ kasan_save_track+0x14/0x30
+ __kasan_kmalloc+0xaa/0xb0
+ btrfs_encoded_read_regular_fill_pages+0x16c/0x6d0 [btrfs]
+ send_extent_data+0xf0f/0x24a0 [btrfs]
+ process_extent+0x48a/0x1830 [btrfs]
+ changed_cb+0x178b/0x2ea0 [btrfs]
+ btrfs_ioctl_send+0x3bf9/0x5c20 [btrfs]
+ _btrfs_ioctl_send+0x117/0x330 [btrfs]
+ btrfs_ioctl+0x184a/0x60a0 [btrfs]
+ __x64_sys_ioctl+0x12e/0x1a0
+ do_syscall_64+0x95/0x180
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+ Freed by task 3661:
+ kasan_save_stack+0x30/0x50
+ kasan_save_track+0x14/0x30
+ kasan_save_free_info+0x3b/0x70
+ __kasan_slab_free+0x4f/0x70
+ kfree+0x143/0x490
+ btrfs_encoded_read_regular_fill_pages+0x531/0x6d0 [btrfs]
+ send_extent_data+0xf0f/0x24a0 [btrfs]
+ process_extent+0x48a/0x1830 [btrfs]
+ changed_cb+0x178b/0x2ea0 [btrfs]
+ btrfs_ioctl_send+0x3bf9/0x5c20 [btrfs]
+ _btrfs_ioctl_send+0x117/0x330 [btrfs]
+ btrfs_ioctl+0x184a/0x60a0 [btrfs]
+ __x64_sys_ioctl+0x12e/0x1a0
+ do_syscall_64+0x95/0x180
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+ The buggy address belongs to the object at ffff888106a83f00
+ which belongs to the cache kmalloc-rnd-07-96 of size 96
+ The buggy address is located 24 bytes inside of
+ freed 96-byte region [ffff888106a83f00, ffff888106a83f60)
+
+ The buggy address belongs to the physical page:
+ page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888106a83800 pfn:0x106a83
+ flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
+ page_type: f5(slab)
+ raw: 0017ffffc0000000 ffff888100053680 ffffea0004917200 0000000000000004
+ raw: ffff888106a83800 0000000080200019 00000001f5000000 0000000000000000
+ page dumped because: kasan: bad access detected
+
+ Memory state around the buggy address:
+ ffff888106a83e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
+ ffff888106a83e80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
+ >ffff888106a83f00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
+ ^
+ ffff888106a83f80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
+ ffff888106a84000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ==================================================================
+
+Further analyzing the trace and the crash dump's vmcore file shows that
+the wake_up() call in btrfs_encoded_read_endio() is calling wake_up() on
+the wait_queue that is in the private data passed to the end_io handler.
+
+Commit 4ff47df40447 ("btrfs: move priv off stack in
+btrfs_encoded_read_regular_fill_pages()") moved 'struct
+btrfs_encoded_read_private' off the stack.
+
+Before that commit one can see a corruption of the private data when
+analyzing the vmcore after a crash:
+
+*(struct btrfs_encoded_read_private *)0xffff88815626eec8 = {
+ .wait = (wait_queue_head_t){
+ .lock = (spinlock_t){
+ .rlock = (struct raw_spinlock){
+ .raw_lock = (arch_spinlock_t){
+ .val = (atomic_t){
+ .counter = (int)-2005885696,
+ },
+ .locked = (u8)0,
+ .pending = (u8)157,
+ .locked_pending = (u16)40192,
+ .tail = (u16)34928,
+ },
+ .magic = (unsigned int)536325682,
+ .owner_cpu = (unsigned int)29,
+ .owner = (void *)__SCT__tp_func_btrfs_transaction_commit+0x0 = 0x0,
+ .dep_map = (struct lockdep_map){
+ .key = (struct lock_class_key *)0xffff8881575a3b6c,
+ .class_cache = (struct lock_class *[2]){ 0xffff8882a71985c0, 0xffffea00066f5d40 },
+ .name = (const char *)0xffff88815626f100 = "",
+ .wait_type_outer = (u8)37,
+ .wait_type_inner = (u8)178,
+ .lock_type = (u8)154,
+ },
+ },
+ .__padding = (u8 [24]){ 0, 157, 112, 136, 50, 174, 247, 31, 29 },
+ .dep_map = (struct lockdep_map){
+ .key = (struct lock_class_key *)0xffff8881575a3b6c,
+ .class_cache = (struct lock_class *[2]){ 0xffff8882a71985c0, 0xffffea00066f5d40 },
+ .name = (const char *)0xffff88815626f100 = "",
+ .wait_type_outer = (u8)37,
+ .wait_type_inner = (u8)178,
+ .lock_type = (u8)154,
+ },
+ },
+ .head = (struct list_head){
+ .next = (struct list_head *)0x112cca,
+ .prev = (struct list_head *)0x47,
+ },
+ },
+ .pending = (atomic_t){
+ .counter = (int)-1491499288,
+ },
+ .status = (blk_status_t)130,
+}
+
+Here we can see several indicators of in-memory data corruption, e.g. the
+large negative atomic values of ->pending or
+->wait->lock->rlock->raw_lock->val, as well as the bogus spinlock magic
+0x1ff7ae32 (decimal 536325682 above) instead of 0xdead4ead or the bogus
+pointer values for ->wait->head.
+
+To fix this, change atomic_dec_return() to atomic_dec_and_test() to fix the
+corruption, as atomic_dec_return() is defined as two instructions on
+x86_64, whereas atomic_dec_and_test() is defined as a single atomic
+operation. This can lead to a situation where counter value is already
+decremented but the if statement in btrfs_encoded_read_endio() is not
+completely processed, i.e. the 0 test has not completed. If another thread
+continues executing btrfs_encoded_read_regular_fill_pages() the
+atomic_dec_return() there can see an already updated ->pending counter and
+continues by freeing the private data. Continuing in the endio handler the
+test for 0 succeeds and the wait_queue is woken up, resulting in a
+use-after-free.
+
+Reported-by: Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Suggested-by: Damien Le Moal <Damien.LeMoal@wdc.com>
+Fixes: 1881fba89bd5 ("btrfs: add BTRFS_IOC_ENCODED_READ ioctl")
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index 857cbe9b07d28..d067db2619713 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -9126,7 +9126,7 @@ static void btrfs_encoded_read_endio(struct btrfs_bio *bbio)
+ */
+ WRITE_ONCE(priv->status, bbio->bio.bi_status);
+ }
+- if (!atomic_dec_return(&priv->pending))
++ if (atomic_dec_and_test(&priv->pending))
+ wake_up(&priv->wait);
+ bio_put(&bbio->bio);
+ }
+--
+2.43.0
+
--- /dev/null
+From e56651b59263d09fc6d20bb067e35c0713c81160 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Oct 2024 15:50:19 +0100
+Subject: btrfs: move priv off stack in btrfs_encoded_read_regular_fill_pages()
+
+From: Mark Harmstone <maharmstone@fb.com>
+
+[ Upstream commit 68d3b27e05c7ca5545e88465f5e2be6eda0e11df ]
+
+Change btrfs_encoded_read_regular_fill_pages() so that the priv struct
+is allocated rather than stored on the stack, in preparation for adding
+an asynchronous mode to the function.
+
+Signed-off-by: Mark Harmstone <maharmstone@fb.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Stable-dep-of: 05b36b04d74a ("btrfs: fix use-after-free in btrfs_encoded_read_endio()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/inode.c | 29 ++++++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 11 deletions(-)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index 9c4f1a3742f3f..857cbe9b07d28 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -9136,16 +9136,21 @@ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode,
+ struct page **pages)
+ {
+ struct btrfs_fs_info *fs_info = inode->root->fs_info;
+- struct btrfs_encoded_read_private priv = {
+- .pending = ATOMIC_INIT(1),
+- };
++ struct btrfs_encoded_read_private *priv;
+ unsigned long i = 0;
+ struct btrfs_bio *bbio;
++ int ret;
+
+- init_waitqueue_head(&priv.wait);
++ priv = kmalloc(sizeof(struct btrfs_encoded_read_private), GFP_NOFS);
++ if (!priv)
++ return -ENOMEM;
++
++ init_waitqueue_head(&priv->wait);
++ atomic_set(&priv->pending, 1);
++ priv->status = 0;
+
+ bbio = btrfs_bio_alloc(BIO_MAX_VECS, REQ_OP_READ, fs_info,
+- btrfs_encoded_read_endio, &priv);
++ btrfs_encoded_read_endio, priv);
+ bbio->bio.bi_iter.bi_sector = disk_bytenr >> SECTOR_SHIFT;
+ bbio->inode = inode;
+
+@@ -9153,11 +9158,11 @@ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode,
+ size_t bytes = min_t(u64, disk_io_size, PAGE_SIZE);
+
+ if (bio_add_page(&bbio->bio, pages[i], bytes, 0) < bytes) {
+- atomic_inc(&priv.pending);
++ atomic_inc(&priv->pending);
+ btrfs_submit_bbio(bbio, 0);
+
+ bbio = btrfs_bio_alloc(BIO_MAX_VECS, REQ_OP_READ, fs_info,
+- btrfs_encoded_read_endio, &priv);
++ btrfs_encoded_read_endio, priv);
+ bbio->bio.bi_iter.bi_sector = disk_bytenr >> SECTOR_SHIFT;
+ bbio->inode = inode;
+ continue;
+@@ -9168,13 +9173,15 @@ int btrfs_encoded_read_regular_fill_pages(struct btrfs_inode *inode,
+ disk_io_size -= bytes;
+ } while (disk_io_size);
+
+- atomic_inc(&priv.pending);
++ atomic_inc(&priv->pending);
+ btrfs_submit_bbio(bbio, 0);
+
+- if (atomic_dec_return(&priv.pending))
+- io_wait_event(priv.wait, !atomic_read(&priv.pending));
++ if (atomic_dec_return(&priv->pending))
++ io_wait_event(priv->wait, !atomic_read(&priv->pending));
+ /* See btrfs_encoded_read_endio() for ordering. */
+- return blk_status_to_errno(READ_ONCE(priv.status));
++ ret = blk_status_to_errno(READ_ONCE(priv->status));
++ kfree(priv);
++ return ret;
+ }
+
+ ssize_t btrfs_encoded_read_regular(struct kiocb *iocb, struct iov_iter *iter,
+--
+2.43.0
+
--- /dev/null
+From 77ea5bf7ff8fa2cfa1dc15a31f7fa2af7343eb79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Nov 2024 11:29:21 +0000
+Subject: btrfs: ref-verify: fix use-after-free after invalid ref action
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 7c4e39f9d2af4abaf82ca0e315d1fd340456620f ]
+
+At btrfs_ref_tree_mod() after we successfully inserted the new ref entry
+(local variable 'ref') into the respective block entry's rbtree (local
+variable 'be'), if we find an unexpected action of BTRFS_DROP_DELAYED_REF,
+we error out and free the ref entry without removing it from the block
+entry's rbtree. Then in the error path of btrfs_ref_tree_mod() we call
+btrfs_free_ref_cache(), which iterates over all block entries and then
+calls free_block_entry() for each one, and there we will trigger a
+use-after-free when we are called against the block entry to which we
+added the freed ref entry to its rbtree, since the rbtree still points
+to the block entry, as we didn't remove it from the rbtree before freeing
+it in the error path at btrfs_ref_tree_mod(). Fix this by removing the
+new ref entry from the rbtree before freeing it.
+
+Syzbot report this with the following stack traces:
+
+ BTRFS error (device loop0 state EA): Ref action 2, root 5, ref_root 0, parent 8564736, owner 0, offset 0, num_refs 18446744073709551615
+ __btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523
+ update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512
+ btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594
+ btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754
+ btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116
+ btrfs_insert_empty_items+0x9c/0x1a0 fs/btrfs/ctree.c:4314
+ btrfs_insert_empty_item fs/btrfs/ctree.h:669 [inline]
+ btrfs_insert_orphan_item+0x1f1/0x320 fs/btrfs/orphan.c:23
+ btrfs_orphan_add+0x6d/0x1a0 fs/btrfs/inode.c:3482
+ btrfs_unlink+0x267/0x350 fs/btrfs/inode.c:4293
+ vfs_unlink+0x365/0x650 fs/namei.c:4469
+ do_unlinkat+0x4ae/0x830 fs/namei.c:4533
+ __do_sys_unlinkat fs/namei.c:4576 [inline]
+ __se_sys_unlinkat fs/namei.c:4569 [inline]
+ __x64_sys_unlinkat+0xcc/0xf0 fs/namei.c:4569
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ BTRFS error (device loop0 state EA): Ref action 1, root 5, ref_root 5, parent 0, owner 260, offset 0, num_refs 1
+ __btrfs_mod_ref+0x76b/0xac0 fs/btrfs/extent-tree.c:2521
+ update_ref_for_cow+0x96a/0x11f0
+ btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594
+ btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754
+ btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116
+ btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411
+ __btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030
+ btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1114 [inline]
+ __btrfs_commit_inode_delayed_items+0x2318/0x24a0 fs/btrfs/delayed-inode.c:1137
+ __btrfs_run_delayed_items+0x213/0x490 fs/btrfs/delayed-inode.c:1171
+ btrfs_commit_transaction+0x8a8/0x3740 fs/btrfs/transaction.c:2313
+ prepare_to_relocate+0x3c4/0x4c0 fs/btrfs/relocation.c:3586
+ relocate_block_group+0x16c/0xd40 fs/btrfs/relocation.c:3611
+ btrfs_relocate_block_group+0x77d/0xd90 fs/btrfs/relocation.c:4081
+ btrfs_relocate_chunk+0x12c/0x3b0 fs/btrfs/volumes.c:3377
+ __btrfs_balance+0x1b0f/0x26b0 fs/btrfs/volumes.c:4161
+ btrfs_balance+0xbdc/0x10c0 fs/btrfs/volumes.c:4538
+ BTRFS error (device loop0 state EA): Ref action 2, root 5, ref_root 0, parent 8564736, owner 0, offset 0, num_refs 18446744073709551615
+ __btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523
+ update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512
+ btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594
+ btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754
+ btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116
+ btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411
+ __btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030
+ btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1114 [inline]
+ __btrfs_commit_inode_delayed_items+0x2318/0x24a0 fs/btrfs/delayed-inode.c:1137
+ __btrfs_run_delayed_items+0x213/0x490 fs/btrfs/delayed-inode.c:1171
+ btrfs_commit_transaction+0x8a8/0x3740 fs/btrfs/transaction.c:2313
+ prepare_to_relocate+0x3c4/0x4c0 fs/btrfs/relocation.c:3586
+ relocate_block_group+0x16c/0xd40 fs/btrfs/relocation.c:3611
+ btrfs_relocate_block_group+0x77d/0xd90 fs/btrfs/relocation.c:4081
+ btrfs_relocate_chunk+0x12c/0x3b0 fs/btrfs/volumes.c:3377
+ __btrfs_balance+0x1b0f/0x26b0 fs/btrfs/volumes.c:4161
+ btrfs_balance+0xbdc/0x10c0 fs/btrfs/volumes.c:4538
+ ==================================================================
+ BUG: KASAN: slab-use-after-free in rb_first+0x69/0x70 lib/rbtree.c:473
+ Read of size 8 at addr ffff888042d1af38 by task syz.0.0/5329
+
+ CPU: 0 UID: 0 PID: 5329 Comm: syz.0.0 Not tainted 6.12.0-rc7-syzkaller #0
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+ Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:377 [inline]
+ print_report+0x169/0x550 mm/kasan/report.c:488
+ kasan_report+0x143/0x180 mm/kasan/report.c:601
+ rb_first+0x69/0x70 lib/rbtree.c:473
+ free_block_entry+0x78/0x230 fs/btrfs/ref-verify.c:248
+ btrfs_free_ref_cache+0xa3/0x100 fs/btrfs/ref-verify.c:917
+ btrfs_ref_tree_mod+0x139f/0x15e0 fs/btrfs/ref-verify.c:898
+ btrfs_free_extent+0x33c/0x380 fs/btrfs/extent-tree.c:3544
+ __btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523
+ update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512
+ btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594
+ btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754
+ btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116
+ btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411
+ __btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030
+ btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1114 [inline]
+ __btrfs_commit_inode_delayed_items+0x2318/0x24a0 fs/btrfs/delayed-inode.c:1137
+ __btrfs_run_delayed_items+0x213/0x490 fs/btrfs/delayed-inode.c:1171
+ btrfs_commit_transaction+0x8a8/0x3740 fs/btrfs/transaction.c:2313
+ prepare_to_relocate+0x3c4/0x4c0 fs/btrfs/relocation.c:3586
+ relocate_block_group+0x16c/0xd40 fs/btrfs/relocation.c:3611
+ btrfs_relocate_block_group+0x77d/0xd90 fs/btrfs/relocation.c:4081
+ btrfs_relocate_chunk+0x12c/0x3b0 fs/btrfs/volumes.c:3377
+ __btrfs_balance+0x1b0f/0x26b0 fs/btrfs/volumes.c:4161
+ btrfs_balance+0xbdc/0x10c0 fs/btrfs/volumes.c:4538
+ btrfs_ioctl_balance+0x493/0x7c0 fs/btrfs/ioctl.c:3673
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:907 [inline]
+ __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ RIP: 0033:0x7f996df7e719
+ RSP: 002b:00007f996ede7038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+ RAX: ffffffffffffffda RBX: 00007f996e135f80 RCX: 00007f996df7e719
+ RDX: 0000000020000180 RSI: 00000000c4009420 RDI: 0000000000000004
+ RBP: 00007f996dff139e R08: 0000000000000000 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+ R13: 0000000000000000 R14: 00007f996e135f80 R15: 00007fff79f32e68
+ </TASK>
+
+ Allocated by task 5329:
+ kasan_save_stack mm/kasan/common.c:47 [inline]
+ kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
+ poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
+ __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
+ kasan_kmalloc include/linux/kasan.h:257 [inline]
+ __kmalloc_cache_noprof+0x19c/0x2c0 mm/slub.c:4295
+ kmalloc_noprof include/linux/slab.h:878 [inline]
+ kzalloc_noprof include/linux/slab.h:1014 [inline]
+ btrfs_ref_tree_mod+0x264/0x15e0 fs/btrfs/ref-verify.c:701
+ btrfs_free_extent+0x33c/0x380 fs/btrfs/extent-tree.c:3544
+ __btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523
+ update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512
+ btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594
+ btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754
+ btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116
+ btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411
+ __btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030
+ btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1114 [inline]
+ __btrfs_commit_inode_delayed_items+0x2318/0x24a0 fs/btrfs/delayed-inode.c:1137
+ __btrfs_run_delayed_items+0x213/0x490 fs/btrfs/delayed-inode.c:1171
+ btrfs_commit_transaction+0x8a8/0x3740 fs/btrfs/transaction.c:2313
+ prepare_to_relocate+0x3c4/0x4c0 fs/btrfs/relocation.c:3586
+ relocate_block_group+0x16c/0xd40 fs/btrfs/relocation.c:3611
+ btrfs_relocate_block_group+0x77d/0xd90 fs/btrfs/relocation.c:4081
+ btrfs_relocate_chunk+0x12c/0x3b0 fs/btrfs/volumes.c:3377
+ __btrfs_balance+0x1b0f/0x26b0 fs/btrfs/volumes.c:4161
+ btrfs_balance+0xbdc/0x10c0 fs/btrfs/volumes.c:4538
+ btrfs_ioctl_balance+0x493/0x7c0 fs/btrfs/ioctl.c:3673
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:907 [inline]
+ __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+ Freed by task 5329:
+ kasan_save_stack mm/kasan/common.c:47 [inline]
+ kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
+ kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
+ poison_slab_object mm/kasan/common.c:247 [inline]
+ __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
+ kasan_slab_free include/linux/kasan.h:230 [inline]
+ slab_free_hook mm/slub.c:2342 [inline]
+ slab_free mm/slub.c:4579 [inline]
+ kfree+0x1a0/0x440 mm/slub.c:4727
+ btrfs_ref_tree_mod+0x136c/0x15e0
+ btrfs_free_extent+0x33c/0x380 fs/btrfs/extent-tree.c:3544
+ __btrfs_mod_ref+0x7dd/0xac0 fs/btrfs/extent-tree.c:2523
+ update_ref_for_cow+0x9cd/0x11f0 fs/btrfs/ctree.c:512
+ btrfs_force_cow_block+0x9f6/0x1da0 fs/btrfs/ctree.c:594
+ btrfs_cow_block+0x35e/0xa40 fs/btrfs/ctree.c:754
+ btrfs_search_slot+0xbdd/0x30d0 fs/btrfs/ctree.c:2116
+ btrfs_lookup_inode+0xdc/0x480 fs/btrfs/inode-item.c:411
+ __btrfs_update_delayed_inode+0x1e7/0xb90 fs/btrfs/delayed-inode.c:1030
+ btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1114 [inline]
+ __btrfs_commit_inode_delayed_items+0x2318/0x24a0 fs/btrfs/delayed-inode.c:1137
+ __btrfs_run_delayed_items+0x213/0x490 fs/btrfs/delayed-inode.c:1171
+ btrfs_commit_transaction+0x8a8/0x3740 fs/btrfs/transaction.c:2313
+ prepare_to_relocate+0x3c4/0x4c0 fs/btrfs/relocation.c:3586
+ relocate_block_group+0x16c/0xd40 fs/btrfs/relocation.c:3611
+ btrfs_relocate_block_group+0x77d/0xd90 fs/btrfs/relocation.c:4081
+ btrfs_relocate_chunk+0x12c/0x3b0 fs/btrfs/volumes.c:3377
+ __btrfs_balance+0x1b0f/0x26b0 fs/btrfs/volumes.c:4161
+ btrfs_balance+0xbdc/0x10c0 fs/btrfs/volumes.c:4538
+ btrfs_ioctl_balance+0x493/0x7c0 fs/btrfs/ioctl.c:3673
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:907 [inline]
+ __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+ The buggy address belongs to the object at ffff888042d1af00
+ which belongs to the cache kmalloc-64 of size 64
+ The buggy address is located 56 bytes inside of
+ freed 64-byte region [ffff888042d1af00, ffff888042d1af40)
+
+ The buggy address belongs to the physical page:
+ page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x42d1a
+ anon flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
+ page_type: f5(slab)
+ raw: 04fff00000000000 ffff88801ac418c0 0000000000000000 dead000000000001
+ raw: 0000000000000000 0000000000200020 00000001f5000000 0000000000000000
+ page dumped because: kasan: bad access detected
+ page_owner tracks the page as allocated
+ page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5055, tgid 5055 (dhcpcd-run-hook), ts 40377240074, free_ts 40376848335
+ set_page_owner include/linux/page_owner.h:32 [inline]
+ post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1541
+ prep_new_page mm/page_alloc.c:1549 [inline]
+ get_page_from_freelist+0x3649/0x3790 mm/page_alloc.c:3459
+ __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4735
+ alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
+ alloc_slab_page+0x6a/0x140 mm/slub.c:2412
+ allocate_slab+0x5a/0x2f0 mm/slub.c:2578
+ new_slab mm/slub.c:2631 [inline]
+ ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3818
+ __slab_alloc+0x58/0xa0 mm/slub.c:3908
+ __slab_alloc_node mm/slub.c:3961 [inline]
+ slab_alloc_node mm/slub.c:4122 [inline]
+ __do_kmalloc_node mm/slub.c:4263 [inline]
+ __kmalloc_noprof+0x25a/0x400 mm/slub.c:4276
+ kmalloc_noprof include/linux/slab.h:882 [inline]
+ kzalloc_noprof include/linux/slab.h:1014 [inline]
+ tomoyo_encode2 security/tomoyo/realpath.c:45 [inline]
+ tomoyo_encode+0x26f/0x540 security/tomoyo/realpath.c:80
+ tomoyo_realpath_from_path+0x59e/0x5e0 security/tomoyo/realpath.c:283
+ tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
+ tomoyo_check_open_permission+0x255/0x500 security/tomoyo/file.c:771
+ security_file_open+0x777/0x990 security/security.c:3109
+ do_dentry_open+0x369/0x1460 fs/open.c:945
+ vfs_open+0x3e/0x330 fs/open.c:1088
+ do_open fs/namei.c:3774 [inline]
+ path_openat+0x2c84/0x3590 fs/namei.c:3933
+ page last free pid 5055 tgid 5055 stack trace:
+ reset_page_owner include/linux/page_owner.h:25 [inline]
+ free_pages_prepare mm/page_alloc.c:1112 [inline]
+ free_unref_page+0xcfb/0xf20 mm/page_alloc.c:2642
+ free_pipe_info+0x300/0x390 fs/pipe.c:860
+ put_pipe_info fs/pipe.c:719 [inline]
+ pipe_release+0x245/0x320 fs/pipe.c:742
+ __fput+0x23f/0x880 fs/file_table.c:431
+ __do_sys_close fs/open.c:1567 [inline]
+ __se_sys_close fs/open.c:1552 [inline]
+ __x64_sys_close+0x7f/0x110 fs/open.c:1552
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+ Memory state around the buggy address:
+ ffff888042d1ae00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ffff888042d1ae80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
+ >ffff888042d1af00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+ ^
+ ffff888042d1af80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
+ ffff888042d1b000: 00 00 00 00 00 fc fc 00 00 00 00 00 fc fc 00 00
+
+Reported-by: syzbot+7325f164162e200000c1@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/linux-btrfs/673723eb.050a0220.1324f8.00a8.GAE@google.com/T/#u
+Fixes: fd708b81d972 ("Btrfs: add a extent ref verify tool")
+CC: stable@vger.kernel.org # 4.19+
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ref-verify.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/btrfs/ref-verify.c b/fs/btrfs/ref-verify.c
+index 9522a8b79d22b..2928abf7eb827 100644
+--- a/fs/btrfs/ref-verify.c
++++ b/fs/btrfs/ref-verify.c
+@@ -857,6 +857,7 @@ int btrfs_ref_tree_mod(struct btrfs_fs_info *fs_info,
+ "dropping a ref for a root that doesn't have a ref on the block");
+ dump_block_entry(fs_info, be);
+ dump_ref_action(fs_info, ra);
++ rb_erase(&ref->node, &be->refs);
+ kfree(ref);
+ kfree(ra);
+ goto out_unlock;
+--
+2.43.0
+
--- /dev/null
+From b13c249df94778f806cf23e5e046b6377253834f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Nov 2024 18:08:54 +0530
+Subject: quota: flush quota_release_work upon quota writeback
+
+From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+
+[ Upstream commit ac6f420291b3fee1113f21d612fa88b628afab5b ]
+
+One of the paths quota writeback is called from is:
+
+freeze_super()
+ sync_filesystem()
+ ext4_sync_fs()
+ dquot_writeback_dquots()
+
+Since we currently don't always flush the quota_release_work queue in
+this path, we can end up with the following race:
+
+ 1. dquot are added to releasing_dquots list during regular operations.
+ 2. FS Freeze starts, however, this does not flush the quota_release_work queue.
+ 3. Freeze completes.
+ 4. Kernel eventually tries to flush the workqueue while FS is frozen which
+ hits a WARN_ON since transaction gets started during frozen state:
+
+ ext4_journal_check_start+0x28/0x110 [ext4] (unreliable)
+ __ext4_journal_start_sb+0x64/0x1c0 [ext4]
+ ext4_release_dquot+0x90/0x1d0 [ext4]
+ quota_release_workfn+0x43c/0x4d0
+
+Which is the following line:
+
+ WARN_ON(sb->s_writers.frozen == SB_FREEZE_COMPLETE);
+
+Which ultimately results in generic/390 failing due to dmesg
+noise. This was detected on powerpc machine 15 cores.
+
+To avoid this, make sure to flush the workqueue during
+dquot_writeback_dquots() so we dont have any pending workitems after
+freeze.
+
+Reported-by: Disha Goel <disgoel@linux.ibm.com>
+CC: stable@vger.kernel.org
+Fixes: dabc8b207566 ("quota: fix dqput() to follow the guarantees dquot_srcu should provide")
+Reviewed-by: Baokun Li <libaokun1@huawei.com>
+Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://patch.msgid.link/20241121123855.645335-2-ojaswin@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/quota/dquot.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
+index b40410cd39af4..71c0ce31a4c4d 100644
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -689,6 +689,8 @@ int dquot_writeback_dquots(struct super_block *sb, int type)
+
+ WARN_ON_ONCE(!rwsem_is_locked(&sb->s_umount));
+
++ flush_delayed_work("a_release_work);
++
+ for (cnt = 0; cnt < MAXQUOTAS; cnt++) {
+ if (type != -1 && cnt != type)
+ continue;
+--
+2.43.0
+
--- /dev/null
+xfs-remove-unknown-compat-feature-check-in-superbloc.patch
+quota-flush-quota_release_work-upon-quota-writeback.patch
+btrfs-drop-unused-parameter-file_offset-from-btrfs_e.patch
+btrfs-change-btrfs_encoded_read-so-that-reading-of-e.patch
+btrfs-move-priv-off-stack-in-btrfs_encoded_read_regu.patch
+btrfs-fix-use-after-free-in-btrfs_encoded_read_endio.patch
+btrfs-don-t-loop-for-nowait-writes-when-checking-for.patch
+btrfs-add-a-sanity-check-for-btrfs-root-in-btrfs_sea.patch
+btrfs-ref-verify-fix-use-after-free-after-invalid-re.patch
--- /dev/null
+From 2f7acbf2a838b5393b3d72a8ac2445a68a77a06d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Nov 2024 17:17:15 +0800
+Subject: xfs: remove unknown compat feature check in superblock write
+ validation
+
+From: Long Li <leo.lilong@huawei.com>
+
+[ Upstream commit 652f03db897ba24f9c4b269e254ccc6cc01ff1b7 ]
+
+Compat features are new features that older kernels can safely ignore,
+allowing read-write mounts without issues. The current sb write validation
+implementation returns -EFSCORRUPTED for unknown compat features,
+preventing filesystem write operations and contradicting the feature's
+definition.
+
+Additionally, if the mounted image is unclean, the log recovery may need
+to write to the superblock. Returning an error for unknown compat features
+during sb write validation can cause mount failures.
+
+Although XFS currently does not use compat feature flags, this issue
+affects current kernels' ability to mount images that may use compat
+feature flags in the future.
+
+Since superblock read validation already warns about unknown compat
+features, it's unnecessary to repeat this warning during write validation.
+Therefore, the relevant code in write validation is being removed.
+
+Fixes: 9e037cb7972f ("xfs: check for unknown v5 feature bits in superblock write verifier")
+Cc: stable@vger.kernel.org # v4.19+
+Signed-off-by: Long Li <leo.lilong@huawei.com>
+Reviewed-by: Darrick J. Wong <djwong@kernel.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Carlos Maiolino <cem@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/libxfs/xfs_sb.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/fs/xfs/libxfs/xfs_sb.c b/fs/xfs/libxfs/xfs_sb.c
+index d95409f3cba66..02ebcbc4882f5 100644
+--- a/fs/xfs/libxfs/xfs_sb.c
++++ b/fs/xfs/libxfs/xfs_sb.c
+@@ -297,13 +297,6 @@ xfs_validate_sb_write(
+ * the kernel cannot support since we checked for unsupported bits in
+ * the read verifier, which means that memory is corrupt.
+ */
+- if (xfs_sb_has_compat_feature(sbp, XFS_SB_FEAT_COMPAT_UNKNOWN)) {
+- xfs_warn(mp,
+-"Corruption detected in superblock compatible features (0x%x)!",
+- (sbp->sb_features_compat & XFS_SB_FEAT_COMPAT_UNKNOWN));
+- return -EFSCORRUPTED;
+- }
+-
+ if (!xfs_is_readonly(mp) &&
+ xfs_sb_has_ro_compat_feature(sbp, XFS_SB_FEAT_RO_COMPAT_UNKNOWN)) {
+ xfs_alert(mp,
+--
+2.43.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
