From b528f40b47862280537394e83867738dc119b99b Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 13 Feb 2026 13:21:08 +0100 Subject: [PATCH] 6.18-stable patches added patches: bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch drm-exynos-vidi-use-ctx-lock-to-protect-struct-vidi_context-member-variables-related-to-memory-alloc-free.patch erofs-fix-uaf-issue-for-file-backed-mounts-w-directio-option.patch pci-endpoint-avoid-creating-sub-groups-asynchronously.patch wifi-rtl8xxxu-fix-slab-out-of-bounds-in-rtl8xxxu_sta_add.patch xfs-fix-uaf-in-xchk_btree_check_block_owner.patch --- ...e-after-free-in-driver_override_show.patch | 46 +++++ ...riables-related-to-memory-alloc-free.patch | 170 ++++++++++++++++++ ...file-backed-mounts-w-directio-option.patch | 101 +++++++++++ ...d-creating-sub-groups-asynchronously.patch | 99 ++++++++++ queue-6.18/series | 6 + ...ab-out-of-bounds-in-rtl8xxxu_sta_add.patch | 48 +++++ ...-uaf-in-xchk_btree_check_block_owner.patch | 57 ++++++ 7 files changed, 527 insertions(+) create mode 100644 queue-6.18/bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch create mode 100644 queue-6.18/drm-exynos-vidi-use-ctx-lock-to-protect-struct-vidi_context-member-variables-related-to-memory-alloc-free.patch create mode 100644 queue-6.18/erofs-fix-uaf-issue-for-file-backed-mounts-w-directio-option.patch create mode 100644 queue-6.18/pci-endpoint-avoid-creating-sub-groups-asynchronously.patch create mode 100644 queue-6.18/wifi-rtl8xxxu-fix-slab-out-of-bounds-in-rtl8xxxu_sta_add.patch create mode 100644 queue-6.18/xfs-fix-uaf-in-xchk_btree_check_block_owner.patch diff --git a/queue-6.18/bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch b/queue-6.18/bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch new file mode 100644 index 0000000000..28deed466d --- /dev/null +++ b/queue-6.18/bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch @@ -0,0 +1,46 @@ +From 148891e95014b5dc5878acefa57f1940c281c431 Mon Sep 17 00:00:00 2001 +From: Gui-Dong Han +Date: Wed, 3 Dec 2025 01:44:38 +0800 +Subject: bus: fsl-mc: fix use-after-free in driver_override_show() + +From: Gui-Dong Han + +commit 148891e95014b5dc5878acefa57f1940c281c431 upstream. + +The driver_override_show() function reads the driver_override string +without holding the device_lock. However, driver_override_store() uses +driver_set_override(), which modifies and frees the string while holding +the device_lock. + +This can result in a concurrent use-after-free if the string is freed +by the store function while being read by the show function. + +Fix this by holding the device_lock around the read operation. + +Fixes: 1f86a00c1159 ("bus/fsl-mc: add support for 'driver_override' in the mc-bus") +Cc: stable@vger.kernel.org +Signed-off-by: Gui-Dong Han +Reviewed-by: Ioana Ciornei +Link: https://lore.kernel.org/r/20251202174438.12658-1-hanguidong02@gmail.com +Signed-off-by: Christophe Leroy (CS GROUP) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bus/fsl-mc/fsl-mc-bus.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/bus/fsl-mc/fsl-mc-bus.c ++++ b/drivers/bus/fsl-mc/fsl-mc-bus.c +@@ -202,8 +202,12 @@ static ssize_t driver_override_show(stru + struct device_attribute *attr, char *buf) + { + struct fsl_mc_device *mc_dev = to_fsl_mc_device(dev); ++ ssize_t len; + +- return sysfs_emit(buf, "%s\n", mc_dev->driver_override); ++ device_lock(dev); ++ len = sysfs_emit(buf, "%s\n", mc_dev->driver_override); ++ device_unlock(dev); ++ return len; + } + static DEVICE_ATTR_RW(driver_override); + diff --git a/queue-6.18/drm-exynos-vidi-use-ctx-lock-to-protect-struct-vidi_context-member-variables-related-to-memory-alloc-free.patch b/queue-6.18/drm-exynos-vidi-use-ctx-lock-to-protect-struct-vidi_context-member-variables-related-to-memory-alloc-free.patch new file mode 100644 index 0000000000..08f84efeef --- /dev/null +++ b/queue-6.18/drm-exynos-vidi-use-ctx-lock-to-protect-struct-vidi_context-member-variables-related-to-memory-alloc-free.patch @@ -0,0 +1,170 @@ +From 52b330799e2d6f825ae2bb74662ec1b10eb954bb Mon Sep 17 00:00:00 2001 +From: Jeongjun Park +Date: Mon, 19 Jan 2026 17:25:53 +0900 +Subject: drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free + +From: Jeongjun Park + +commit 52b330799e2d6f825ae2bb74662ec1b10eb954bb upstream. + +Exynos Virtual Display driver performs memory alloc/free operations +without lock protection, which easily causes concurrency problem. + +For example, use-after-free can occur in race scenario like this: +``` + CPU0 CPU1 CPU2 + ---- ---- ---- + vidi_connection_ioctl() + if (vidi->connection) // true + drm_edid = drm_edid_alloc(); // alloc drm_edid + ... + ctx->raw_edid = drm_edid; + ... + drm_mode_getconnector() + drm_helper_probe_single_connector_modes() + vidi_get_modes() + if (ctx->raw_edid) // true + drm_edid_dup(ctx->raw_edid); + if (!drm_edid) // false + ... + vidi_connection_ioctl() + if (vidi->connection) // false + drm_edid_free(ctx->raw_edid); // free drm_edid + ... + drm_edid_alloc(drm_edid->edid) + kmemdup(edid); // UAF!! + ... +``` + +To prevent these vulns, at least in vidi_context, member variables related +to memory alloc/free should be protected with ctx->lock. + +Cc: +Signed-off-by: Jeongjun Park +Signed-off-by: Inki Dae +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/exynos/exynos_drm_vidi.c | 38 ++++++++++++++++++++++++++----- + 1 file changed, 32 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/exynos/exynos_drm_vidi.c ++++ b/drivers/gpu/drm/exynos/exynos_drm_vidi.c +@@ -186,29 +186,37 @@ static ssize_t vidi_store_connection(str + const char *buf, size_t len) + { + struct vidi_context *ctx = dev_get_drvdata(dev); +- int ret; ++ int ret, new_connected; + +- ret = kstrtoint(buf, 0, &ctx->connected); ++ ret = kstrtoint(buf, 0, &new_connected); + if (ret) + return ret; +- +- if (ctx->connected > 1) ++ if (new_connected > 1) + return -EINVAL; + ++ mutex_lock(&ctx->lock); ++ + /* + * Use fake edid data for test. If raw_edid is set then it can't be + * tested. + */ + if (ctx->raw_edid) { + DRM_DEV_DEBUG_KMS(dev, "edid data is not fake data.\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto fail; + } + ++ ctx->connected = new_connected; ++ mutex_unlock(&ctx->lock); ++ + DRM_DEV_DEBUG_KMS(dev, "requested connection.\n"); + + drm_helper_hpd_irq_event(ctx->drm_dev); + + return len; ++fail: ++ mutex_unlock(&ctx->lock); ++ return ret; + } + + static DEVICE_ATTR(connection, 0644, vidi_show_connection, +@@ -238,11 +246,14 @@ int vidi_connection_ioctl(struct drm_dev + return -EINVAL; + } + ++ mutex_lock(&ctx->lock); + if (ctx->connected == vidi->connection) { ++ mutex_unlock(&ctx->lock); + DRM_DEV_DEBUG_KMS(ctx->dev, + "same connection request.\n"); + return -EINVAL; + } ++ mutex_unlock(&ctx->lock); + + if (vidi->connection) { + const struct drm_edid *drm_edid; +@@ -262,14 +273,21 @@ int vidi_connection_ioctl(struct drm_dev + "edid data is invalid.\n"); + return -EINVAL; + } ++ mutex_lock(&ctx->lock); + ctx->raw_edid = drm_edid; ++ mutex_unlock(&ctx->lock); + } else { + /* with connection = 0, free raw_edid */ ++ mutex_lock(&ctx->lock); + drm_edid_free(ctx->raw_edid); + ctx->raw_edid = NULL; ++ mutex_unlock(&ctx->lock); + } + ++ mutex_lock(&ctx->lock); + ctx->connected = vidi->connection; ++ mutex_unlock(&ctx->lock); ++ + drm_helper_hpd_irq_event(ctx->drm_dev); + + return 0; +@@ -284,7 +302,7 @@ static enum drm_connector_status vidi_de + * connection request would come from user side + * to do hotplug through specific ioctl. + */ +- return ctx->connected ? connector_status_connected : ++ return READ_ONCE(ctx->connected) ? connector_status_connected : + connector_status_disconnected; + } + +@@ -307,11 +325,15 @@ static int vidi_get_modes(struct drm_con + const struct drm_edid *drm_edid; + int count; + ++ mutex_lock(&ctx->lock); ++ + if (ctx->raw_edid) + drm_edid = drm_edid_dup(ctx->raw_edid); + else + drm_edid = drm_edid_alloc(fake_edid_info, sizeof(fake_edid_info)); + ++ mutex_unlock(&ctx->lock); ++ + drm_edid_connector_update(connector, drm_edid); + + count = drm_edid_connector_add_modes(connector); +@@ -456,9 +478,13 @@ static void vidi_remove(struct platform_ + { + struct vidi_context *ctx = platform_get_drvdata(pdev); + ++ mutex_lock(&ctx->lock); ++ + drm_edid_free(ctx->raw_edid); + ctx->raw_edid = NULL; + ++ mutex_unlock(&ctx->lock); ++ + component_del(&pdev->dev, &vidi_component_ops); + } + diff --git a/queue-6.18/erofs-fix-uaf-issue-for-file-backed-mounts-w-directio-option.patch b/queue-6.18/erofs-fix-uaf-issue-for-file-backed-mounts-w-directio-option.patch new file mode 100644 index 0000000000..a0dd64debc --- /dev/null +++ b/queue-6.18/erofs-fix-uaf-issue-for-file-backed-mounts-w-directio-option.patch @@ -0,0 +1,101 @@ +From 1caf50ce4af096d0280d59a31abdd85703cd995c Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Fri, 6 Feb 2026 06:30:05 +0800 +Subject: erofs: fix UAF issue for file-backed mounts w/ directio option + +From: Chao Yu + +commit 1caf50ce4af096d0280d59a31abdd85703cd995c upstream. + +[ 9.269940][ T3222] Call trace: +[ 9.269948][ T3222] ext4_file_read_iter+0xac/0x108 +[ 9.269979][ T3222] vfs_iocb_iter_read+0xac/0x198 +[ 9.269993][ T3222] erofs_fileio_rq_submit+0x12c/0x180 +[ 9.270008][ T3222] erofs_fileio_submit_bio+0x14/0x24 +[ 9.270030][ T3222] z_erofs_runqueue+0x834/0x8ac +[ 9.270054][ T3222] z_erofs_read_folio+0x120/0x220 +[ 9.270083][ T3222] filemap_read_folio+0x60/0x120 +[ 9.270102][ T3222] filemap_fault+0xcac/0x1060 +[ 9.270119][ T3222] do_pte_missing+0x2d8/0x1554 +[ 9.270131][ T3222] handle_mm_fault+0x5ec/0x70c +[ 9.270142][ T3222] do_page_fault+0x178/0x88c +[ 9.270167][ T3222] do_translation_fault+0x38/0x54 +[ 9.270183][ T3222] do_mem_abort+0x54/0xac +[ 9.270208][ T3222] el0_da+0x44/0x7c +[ 9.270227][ T3222] el0t_64_sync_handler+0x5c/0xf4 +[ 9.270253][ T3222] el0t_64_sync+0x1bc/0x1c0 + +EROFS may encounter above panic when enabling file-backed mount w/ +directio mount option, the root cause is it may suffer UAF in below +race condition: + +- z_erofs_read_folio wq s_dio_done_wq + - z_erofs_runqueue + - erofs_fileio_submit_bio + - erofs_fileio_rq_submit + - vfs_iocb_iter_read + - ext4_file_read_iter + - ext4_dio_read_iter + - iomap_dio_rw + : bio was submitted and return -EIOCBQUEUED + - dio_aio_complete_work + - dio_complete + - dio->iocb->ki_complete (erofs_fileio_ki_complete()) + - kfree(rq) + : it frees iocb, iocb.ki_filp can be UAF in file_accessed(). + - file_accessed + : access NULL file point + +Introduce a reference count in struct erofs_fileio_rq, and initialize it +as two, both erofs_fileio_ki_complete() and erofs_fileio_rq_submit() will +decrease reference count, the last one decreasing the reference count +to zero will free rq. + +Cc: stable@kernel.org +Fixes: fb176750266a ("erofs: add file-backed mount support") +Fixes: 6422cde1b0d5 ("erofs: use buffered I/O for file-backed mounts by default") +Signed-off-by: Chao Yu +Reviewed-by: Gao Xiang +Signed-off-by: Gao Xiang +Signed-off-by: Greg Kroah-Hartman +--- + fs/erofs/fileio.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/erofs/fileio.c ++++ b/fs/erofs/fileio.c +@@ -10,6 +10,7 @@ struct erofs_fileio_rq { + struct bio bio; + struct kiocb iocb; + struct super_block *sb; ++ refcount_t ref; + }; + + struct erofs_fileio { +@@ -42,7 +43,8 @@ static void erofs_fileio_ki_complete(str + } + } + bio_uninit(&rq->bio); +- kfree(rq); ++ if (refcount_dec_and_test(&rq->ref)) ++ kfree(rq); + } + + static void erofs_fileio_rq_submit(struct erofs_fileio_rq *rq) +@@ -66,6 +68,8 @@ static void erofs_fileio_rq_submit(struc + revert_creds(old_cred); + if (ret != -EIOCBQUEUED) + erofs_fileio_ki_complete(&rq->iocb, ret); ++ if (refcount_dec_and_test(&rq->ref)) ++ kfree(rq); + } + + static struct erofs_fileio_rq *erofs_fileio_rq_alloc(struct erofs_map_dev *mdev) +@@ -76,6 +80,7 @@ static struct erofs_fileio_rq *erofs_fil + bio_init(&rq->bio, NULL, rq->bvecs, ARRAY_SIZE(rq->bvecs), REQ_OP_READ); + rq->iocb.ki_filp = mdev->m_dif->file; + rq->sb = mdev->m_sb; ++ refcount_set(&rq->ref, 2); + return rq; + } + diff --git a/queue-6.18/pci-endpoint-avoid-creating-sub-groups-asynchronously.patch b/queue-6.18/pci-endpoint-avoid-creating-sub-groups-asynchronously.patch new file mode 100644 index 0000000000..98db5292a5 --- /dev/null +++ b/queue-6.18/pci-endpoint-avoid-creating-sub-groups-asynchronously.patch @@ -0,0 +1,99 @@ +From 7c5c7d06bd1f86d2c3ebe62be903a4ba42db4d2c Mon Sep 17 00:00:00 2001 +From: Liu Song +Date: Thu, 10 Jul 2025 14:38:45 +0800 +Subject: PCI: endpoint: Avoid creating sub-groups asynchronously + +From: Liu Song + +commit 7c5c7d06bd1f86d2c3ebe62be903a4ba42db4d2c upstream. + +The asynchronous creation of sub-groups by a delayed work could lead to a +NULL pointer dereference when the driver directory is removed before the +work completes. + +The crash can be easily reproduced with the following commands: + + # cd /sys/kernel/config/pci_ep/functions/pci_epf_test + # for i in {1..20}; do mkdir test && rmdir test; done + + BUG: kernel NULL pointer dereference, address: 0000000000000088 + ... + Call Trace: + configfs_register_group+0x3d/0x190 + pci_epf_cfs_work+0x41/0x110 + process_one_work+0x18f/0x350 + worker_thread+0x25a/0x3a0 + +Fix this issue by using configfs_add_default_group() API which does not +have the deadlock problem as configfs_register_group() and does not require +the delayed work handler. + +Fixes: e85a2d783762 ("PCI: endpoint: Add support in configfs to associate two EPCs with EPF") +Signed-off-by: Liu Song +[mani: slightly reworded the description and added stable list] +Signed-off-by: Manivannan Sadhasivam +Signed-off-by: Bjorn Helgaas +Cc: stable@kernel.org +Link: https://patch.msgid.link/20250710143845409gLM6JdlwPhlHG9iX3F6jK@zte.com.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/endpoint/pci-ep-cfs.c | 15 +++++---------- + 1 file changed, 5 insertions(+), 10 deletions(-) + +--- a/drivers/pci/endpoint/pci-ep-cfs.c ++++ b/drivers/pci/endpoint/pci-ep-cfs.c +@@ -23,7 +23,6 @@ struct pci_epf_group { + struct config_group group; + struct config_group primary_epc_group; + struct config_group secondary_epc_group; +- struct delayed_work cfs_work; + struct pci_epf *epf; + int index; + }; +@@ -103,7 +102,7 @@ static struct config_group + secondary_epc_group = &epf_group->secondary_epc_group; + config_group_init_type_name(secondary_epc_group, "secondary", + &pci_secondary_epc_type); +- configfs_register_group(&epf_group->group, secondary_epc_group); ++ configfs_add_default_group(secondary_epc_group, &epf_group->group); + + return secondary_epc_group; + } +@@ -166,7 +165,7 @@ static struct config_group + + config_group_init_type_name(primary_epc_group, "primary", + &pci_primary_epc_type); +- configfs_register_group(&epf_group->group, primary_epc_group); ++ configfs_add_default_group(primary_epc_group, &epf_group->group); + + return primary_epc_group; + } +@@ -570,15 +569,13 @@ static void pci_ep_cfs_add_type_group(st + return; + } + +- configfs_register_group(&epf_group->group, group); ++ configfs_add_default_group(group, &epf_group->group); + } + +-static void pci_epf_cfs_work(struct work_struct *work) ++static void pci_epf_cfs_add_sub_groups(struct pci_epf_group *epf_group) + { +- struct pci_epf_group *epf_group; + struct config_group *group; + +- epf_group = container_of(work, struct pci_epf_group, cfs_work.work); + group = pci_ep_cfs_add_primary_group(epf_group); + if (IS_ERR(group)) { + pr_err("failed to create 'primary' EPC interface\n"); +@@ -637,9 +634,7 @@ static struct config_group *pci_epf_make + + kfree(epf_name); + +- INIT_DELAYED_WORK(&epf_group->cfs_work, pci_epf_cfs_work); +- queue_delayed_work(system_wq, &epf_group->cfs_work, +- msecs_to_jiffies(1)); ++ pci_epf_cfs_add_sub_groups(epf_group); + + return &epf_group->group; + diff --git a/queue-6.18/series b/queue-6.18/series index 6e8e5854ed..7f85b7d082 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -40,3 +40,9 @@ scsi-qla2xxx-allow-recovery-for-tape-devices.patch scsi-qla2xxx-delay-module-unload-while-fabric-scan-in-progress.patch scsi-qla2xxx-free-sp-in-error-path-to-fix-system-crash.patch scsi-qla2xxx-query-fw-again-before-proceeding-with-login.patch +bus-fsl-mc-fix-use-after-free-in-driver_override_show.patch +erofs-fix-uaf-issue-for-file-backed-mounts-w-directio-option.patch +xfs-fix-uaf-in-xchk_btree_check_block_owner.patch +drm-exynos-vidi-use-ctx-lock-to-protect-struct-vidi_context-member-variables-related-to-memory-alloc-free.patch +pci-endpoint-avoid-creating-sub-groups-asynchronously.patch +wifi-rtl8xxxu-fix-slab-out-of-bounds-in-rtl8xxxu_sta_add.patch diff --git a/queue-6.18/wifi-rtl8xxxu-fix-slab-out-of-bounds-in-rtl8xxxu_sta_add.patch b/queue-6.18/wifi-rtl8xxxu-fix-slab-out-of-bounds-in-rtl8xxxu_sta_add.patch new file mode 100644 index 0000000000..df6212d57a --- /dev/null +++ b/queue-6.18/wifi-rtl8xxxu-fix-slab-out-of-bounds-in-rtl8xxxu_sta_add.patch @@ -0,0 +1,48 @@ +From 86c946bcc00f6390ef65e9614ae60a9377e454f8 Mon Sep 17 00:00:00 2001 +From: Ali Tariq +Date: Thu, 25 Dec 2025 11:54:29 +0000 +Subject: wifi: rtl8xxxu: fix slab-out-of-bounds in rtl8xxxu_sta_add + +From: Ali Tariq + +commit 86c946bcc00f6390ef65e9614ae60a9377e454f8 upstream. + +The driver does not set hw->sta_data_size, which causes mac80211 to +allocate insufficient space for driver private station data in +__sta_info_alloc(). When rtl8xxxu_sta_add() accesses members of +struct rtl8xxxu_sta_info through sta->drv_priv, this results in a +slab-out-of-bounds write. + +KASAN report on RISC-V (VisionFive 2) with RTL8192EU adapter: + + BUG: KASAN: slab-out-of-bounds in rtl8xxxu_sta_add+0x31c/0x346 + Write of size 8 at addr ffffffd6d3e9ae88 by task kworker/u16:0/12 + +Set hw->sta_data_size to sizeof(struct rtl8xxxu_sta_info) during +probe, similar to how hw->vif_data_size is configured. This ensures +mac80211 allocates sufficient space for the driver's per-station +private data. + +Tested on StarFive VisionFive 2 v1.2A board. + +Fixes: eef55f1545c9 ("wifi: rtl8xxxu: support multiple interfaces in {add,remove}_interface()") +Cc: stable@vger.kernel.org +Signed-off-by: Ali Tariq +Reviewed-by: Ping-Ke Shih +Signed-off-by: Ping-Ke Shih +Link: https://patch.msgid.link/20251225115430.13011-1-alitariq45892@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/realtek/rtl8xxxu/core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/realtek/rtl8xxxu/core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/core.c +@@ -7927,6 +7927,7 @@ static int rtl8xxxu_probe(struct usb_int + goto err_set_intfdata; + + hw->vif_data_size = sizeof(struct rtl8xxxu_vif); ++ hw->sta_data_size = sizeof(struct rtl8xxxu_sta_info); + + hw->wiphy->max_scan_ssids = 1; + hw->wiphy->max_scan_ie_len = IEEE80211_MAX_DATA_LEN; diff --git a/queue-6.18/xfs-fix-uaf-in-xchk_btree_check_block_owner.patch b/queue-6.18/xfs-fix-uaf-in-xchk_btree_check_block_owner.patch new file mode 100644 index 0000000000..b93b0ab3ea --- /dev/null +++ b/queue-6.18/xfs-fix-uaf-in-xchk_btree_check_block_owner.patch @@ -0,0 +1,57 @@ +From 1c253e11225bc5167217897885b85093e17c2217 Mon Sep 17 00:00:00 2001 +From: "Darrick J. Wong" +Date: Fri, 23 Jan 2026 09:27:39 -0800 +Subject: xfs: fix UAF in xchk_btree_check_block_owner + +From: Darrick J. Wong + +commit 1c253e11225bc5167217897885b85093e17c2217 upstream. + +We cannot dereference bs->cur when trying to determine if bs->cur +aliases bs->sc->sa.{bno,rmap}_cur after the latter has been freed. +Fix this by sampling before type before any freeing could happen. +The correct temporal ordering was broken when we removed xfs_btnum_t. + +Cc: r772577952@gmail.com +Cc: # v6.9 +Fixes: ec793e690f801d ("xfs: remove xfs_btnum_t") +Signed-off-by: "Darrick J. Wong" +Reviewed-by: Christoph Hellwig +Tested-by: Jiaming Zhang +Signed-off-by: Greg Kroah-Hartman +--- + fs/xfs/scrub/btree.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/fs/xfs/scrub/btree.c ++++ b/fs/xfs/scrub/btree.c +@@ -370,12 +370,15 @@ xchk_btree_check_block_owner( + { + xfs_agnumber_t agno; + xfs_agblock_t agbno; ++ bool is_bnobt, is_rmapbt; + bool init_sa; + int error = 0; + + if (!bs->cur) + return 0; + ++ is_bnobt = xfs_btree_is_bno(bs->cur->bc_ops); ++ is_rmapbt = xfs_btree_is_rmap(bs->cur->bc_ops); + agno = xfs_daddr_to_agno(bs->cur->bc_mp, daddr); + agbno = xfs_daddr_to_agbno(bs->cur->bc_mp, daddr); + +@@ -398,11 +401,11 @@ xchk_btree_check_block_owner( + * have to nullify it (to shut down further block owner checks) if + * self-xref encounters problems. + */ +- if (!bs->sc->sa.bno_cur && xfs_btree_is_bno(bs->cur->bc_ops)) ++ if (!bs->sc->sa.bno_cur && is_bnobt) + bs->cur = NULL; + + xchk_xref_is_only_owned_by(bs->sc, agbno, 1, bs->oinfo); +- if (!bs->sc->sa.rmap_cur && xfs_btree_is_rmap(bs->cur->bc_ops)) ++ if (!bs->sc->sa.rmap_cur && is_rmapbt) + bs->cur = NULL; + + out_free: -- 2.47.3