From nobody Mon Feb 9 03:16:56 2026 Received: from mail-pf1-f227.google.com (mail-pf1-f227.google.com [209.85.210.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3B43D21ADCB for ; Tue, 23 Dec 2025 08:02:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.227 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1766476971; cv=none; b=Xyeh7KoHumGI59ITfG7BbgRDejLmUR57+tNNjHVv8C86MsH15c+KgP7udCrDogvchmDzbQAoGCOKeBtfrBBKz620RFIckDwLYKhjxNzX4Y3Y4gztJFmEQheRLoTCpRY4emlRI/e4MLllHyKJZ0ngyCfBw7lJFxd+d5w/2PqboQY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1766476971; c=relaxed/simple; bh=9sxiLrElTI5Ztk43MEmWpEu6IKgM9WAgv2dhiRlK6Kg=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=CXPC+Dfs6/LGv+r2xnSZDihtyacf8FjPkPETULSRCFHDi7PCaA8o3wlrXtOgIwBNlFbksJZNPu6/ojptwvHrJ0A2DeY1RwPv0YG6hvsNaMElZ2AAzVCZwcEMS6bwDvAXkN0GKybM01+T7CvdLLH9VhhzlqIa9V+/YcCfZVo0mHA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=broadcom.com; spf=fail smtp.mailfrom=broadcom.com; dkim=pass (1024-bit key) header.d=broadcom.com header.i=@broadcom.com header.b=aOxPLi3c; arc=none smtp.client-ip=209.85.210.227 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=broadcom.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=broadcom.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=broadcom.com header.i=@broadcom.com header.b="aOxPLi3c" Received: by mail-pf1-f227.google.com with SMTP id d2e1a72fcca58-7c32c6eb79dso287332b3a.1 for ; Tue, 23 Dec 2025 00:02:50 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1766476969; x=1767081769; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:dkim-signature:x-gm-gg:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=OTUH1SPKBV/BQ5rzdoe3NdUj8Uqe/XoIX8txSdtTxSM=; b=dB22W/znw5EevS0IWHpsbZRPHEqdqG0lKIUYSVIii2DmSeu/Z/oRv1fKncaSM/sL2e BAt7bPK0Lf4hBO5dsteshvUrkmCUlw5ndOrtfFppX1wNMp69x2dB9wp9dROq14D4qkd7 4klQlBOWFG9wTR1whwoZLEz6t8wxPuxa0b/hLRmsrvxb7smU0k1y023JLhkQJl6ZBBz8 wIJU/M4l7uV47AZDLYaa08P2C9vNyHZ+yBNioDEhNvI2Ot+smPZMK3xMxejp8o76H0E8 f99sTz1KShALEGqJg8ORp6GJrk+r+InqtfOs6qg3OqsFbjHcsQX1tZRa2jFPhcYcS27j 4ZjA== X-Forwarded-Encrypted: i=1; AJvYcCVGwsWRGMSAUUW50YqmSoXIOfMRDDETmo7H7ueFl1k720BMvnVmbTqX671aF0WvJjZnBbxnQLbm3silLn0=@vger.kernel.org X-Gm-Message-State: AOJu0YxfEqy/he/htL8C9bf1hHiaRQvTNKhUAVbZ7mgSJNt7NPEZG7Aw SVmXXk08UElDNBdNdYslTqTg0w1aNk8e+ZSfvlpjqe3qLgJq2DQt8Pj656Hz9NjqvQRryaXshgS 0KmF8sPu35z4Af1m3Y+mrBHmKissJeke6uvhkEVEYALRfcW/NKxUCrewUoIGFDqTtesKEiZkQW1 g0W9HqB4Cc+2tYuz9YKR+TBxKz0Jw/xRUNhIm6stunVVUCCMY2B7OEiuD8exvT6/gWA4cF1cfkx /1LxnBdz4p3VP6SwsLVgSt+1bQLiN1+OoiRsdM= X-Gm-Gg: AY/fxX5ux6+Utup48PXHg2g5nsliDd56W2byWSIGWJZ5LyZuuZogkDjKpqv3qPtpUb2 4gO1e6IYj5d1IwNaleRh4+F/RI40n4scHmPtBzpSNC/539gakQMT+yW3BG+mLjo741vk+Tt4ZzD D9zx7EdcR2LbJbcMl3ikc3Pi0Mj0L6hLb+JK5xIVzaqd33WwjyB+HLjhd7TcHWk4GqCl6QuUEQf +MZy+L9P+32K3gPktZGIDMl899f+b62aaMleCSIKilkK5Q1ztPq2cWvcVvzVVNXbwjOGMitiu0C 9c4v5IfWd5wC6YnvmGZPlDzB/EiVH3oAG3T5HcMv2WxS4MQdHbEZFGt11JU9QJKvCJmSGkhf3Zz NoiEkJsCfYFCRGSMLYvYdvPUCKqjkmFcOhctl5r0MH3Icv1ddSgDlWs+42X2cDBc5Fad6vnFRmm EueOSLiJE7P3FC+wFt1r71osv6114oVGag67NtAeB7+0Vlq5kl5wyxFxcl8XQ= X-Google-Smtp-Source: AGHT+IGu2m86b/xtnZDNuqr86WL2z0JTwKWjXxPOyneUOrp/4sNX+VV+iVHTPjxqeq2Vb0c1RpRzFLNWXt6K X-Received: by 2002:a05:7022:698a:b0:11e:3e9:3ea4 with SMTP id a92af1059eb24-121722ec1bbmr8978319c88.6.1766476969177; Tue, 23 Dec 2025 00:02:49 -0800 (PST) Received: from smtp-us-east1-p01-i01-si01.dlp.protect.broadcom.com (address-144-49-247-2.dlp.protect.broadcom.com. [144.49.247.2]) by smtp-relay.gmail.com with ESMTPS id a92af1059eb24-1217252ca05sm2519497c88.4.2025.12.23.00.02.48 for (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 23 Dec 2025 00:02:49 -0800 (PST) X-Relaying-Domain: broadcom.com X-CFilter-Loop: Reflected Received: by mail-qv1-f69.google.com with SMTP id 6a1803df08f44-88fce043335so8439176d6.2 for ; Tue, 23 Dec 2025 00:02:48 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; t=1766476968; x=1767081768; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=OTUH1SPKBV/BQ5rzdoe3NdUj8Uqe/XoIX8txSdtTxSM=; b=aOxPLi3cmG7xNLQbzY81NKyu+rRR6l+tjiEJ0KXp+yP1dDq35nn/DX+SRydMnLGrTz p4osyAUEWGiIUbrUPkqeurmuYAN6OQ/vAiGdPb4VEYiFRjqe9fjU85rfKxaWLdcYRRQl b9i3K2fz6rZIA83SXRXi2Y/oCuY334/i057wc= X-Forwarded-Encrypted: i=1; AJvYcCU0dMnW5GE8BMZxPcygEwyVRIIodGSyRFaz/A3i1/3ztDLqnt2PCvAsT3KJPSwZQo46gKxUo4qfkwpSv5k=@vger.kernel.org X-Received: by 2002:a05:622a:11d4:b0:4f3:616c:dbed with SMTP id d75a77b69052e-4f4abbc85d9mr156899341cf.0.1766476967700; Tue, 23 Dec 2025 00:02:47 -0800 (PST) X-Received: by 2002:a05:622a:11d4:b0:4f3:616c:dbed with SMTP id d75a77b69052e-4f4abbc85d9mr156899141cf.0.1766476967188; Tue, 23 Dec 2025 00:02:47 -0800 (PST) Received: from keerthanak-ph5-dev.. ([192.19.161.250]) by smtp.gmail.com with ESMTPSA id d75a77b69052e-4f4c46e4aabsm53636071cf.16.2025.12.23.00.02.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 23 Dec 2025 00:02:46 -0800 (PST) From: Keerthana K To: stable@vger.kernel.org, gregkh@linuxfoundation.org Cc: clm@fb.com, josef@toxicpanda.com, dsterba@suse.com, linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Boris Burkov , Bin Lan , He Zhe , Keerthana K Subject: [PATCH v5.10.y] btrfs: do not clean up repair bio if submit fails Date: Tue, 23 Dec 2025 08:00:41 +0000 Message-ID: <20251223080041.1428811-1-keerthana.kalyanasundaram@broadcom.com> X-Mailer: git-send-email 2.43.7 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-DetectorID-Processed: b00c1d49-9d2e-4205-b15f-d015386d3d5e Content-Type: text/plain; charset="utf-8" From: Josef Bacik [ Upstream commit 8cbc3001a3264d998d6b6db3e23f935c158abd4d ] The submit helper will always run bio_endio() on the bio if it fails to submit, so cleaning up the bio just leads to a variety of use-after-free and NULL pointer dereference bugs because we race with the endio function that is cleaning up the bio. Instead just return BLK_STS_OK as the repair function has to continue to process the rest of the pages, and the endio for the repair bio will do the appropriate cleanup for the page that it was given. Reviewed-by: Boris Burkov Signed-off-by: Josef Bacik Signed-off-by: David Sterba [Minor context change fixed.] Signed-off-by: Bin Lan Signed-off-by: He Zhe Signed-off-by: Greg Kroah-Hartman [ Keerthana: Backported the patch to v5.10.y ] Signed-off-by: Keerthana K --- fs/btrfs/extent_io.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c index 489d370ddd60..3d0b854e0c19 100644 --- a/fs/btrfs/extent_io.c +++ b/fs/btrfs/extent_io.c @@ -2655,7 +2655,6 @@ blk_status_t btrfs_submit_read_repair(struct inode *i= node, bool need_validation; struct bio *repair_bio; struct btrfs_io_bio *repair_io_bio; - blk_status_t status; =20 btrfs_debug(fs_info, "repair read error: read error at %llu", start); @@ -2699,13 +2698,13 @@ blk_status_t btrfs_submit_read_repair(struct inode = *inode, "repair read error: submitting new read to mirror %d, in_validation=3D%d", failrec->this_mirror, failrec->in_validation); =20 - status =3D submit_bio_hook(inode, repair_bio, failrec->this_mirror, - failrec->bio_flags); - if (status) { - free_io_failure(failure_tree, tree, failrec); - bio_put(repair_bio); - } - return status; + /* + * At this point we have a bio, so any errors from submit_bio_hook() + * will be handled by the endio on the repair_bio, so we can't return an + * error here. + */ + submit_bio_hook(inode, repair_bio, failrec->this_mirror, failrec->bio_fla= gs); + return BLK_STS_OK; } =20 /* lots and lots of room for performance fixes in the end_bio funcs */ --=20 2.43.7