diff options
| author | Boris Burkov <boris@bur.io> | 2024-12-13 12:33:22 -0800 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-01-02 10:34:25 +0100 |
| commit | dd8bbfe723778bfcb49256ac15c66eae966b8632 (patch) | |
| tree | c73ac951d91f92a33eaa4b1dec35fdb5922bf9e2 | |
| parent | c3a403d8ce36f5a809a492581de5ad17843e4701 (diff) | |
btrfs: check folio mapping after unlock in put_file_data()
commit 0fba7be1ca6df2881e68386e5575fe096f33c4ca upstream.
When we call btrfs_read_folio() we get an unlocked folio, so it is possible
for a different thread to concurrently modify folio->mapping. We must
check that this hasn't happened once we do have the lock.
CC: stable@vger.kernel.org # 6.12+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Boris Burkov <boris@bur.io>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | fs/btrfs/send.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c index 0cb11dcd10cd..b1015f383f75 100644 --- a/fs/btrfs/send.c +++ b/fs/btrfs/send.c @@ -5291,6 +5291,7 @@ static int put_file_data(struct send_ctx *sctx, u64 offset, u32 len) unsigned cur_len = min_t(unsigned, len, PAGE_SIZE - pg_offset); +again: folio = filemap_lock_folio(mapping, index); if (IS_ERR(folio)) { page_cache_sync_readahead(mapping, @@ -5323,6 +5324,11 @@ static int put_file_data(struct send_ctx *sctx, u64 offset, u32 len) ret = -EIO; break; } + if (folio->mapping != mapping) { + folio_unlock(folio); + folio_put(folio); + goto again; + } } memcpy_from_folio(sctx->send_buf + sctx->send_size, folio, |