[PATCH] bcachefs: Fix UAF by journal write path

From: Kent Overstreet
Date: Fri Jul 18 2025 - 13:04:43 EST

Next message: Lorenzo Stoakes: "Re: [PATCH v5 3/7] mm: Add batched versions of ptep_modify_prot_start/commit"
Previous message: Jakub Kicinski: "Re: [PATCH net-next 2/5] netconsole: move netpoll_parse_ip_addr() earlier for reuse"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Previously, we handled synchronization with shutdown vs. the journal
write path by holding the journal lock until we were done, after marking
the write as completed.

But we don't want to be kicking off discards under the journal lock, so
we need an actual ref - just set the journal write closure's parent to
bch_fs.cl.

Fixes: b4d6e204f892 ("bcachefs: Fix triggering of discard by the journal path")
Signed-off-by: Kent Overstreet <kent.overstreet@xxxxxxxxx>

diff --git a/fs/bcachefs/journal.c b/fs/bcachefs/journal.c
index de03e20f6e30..376c9b3b20fe 100644
--- a/fs/bcachefs/journal.c
+++ b/fs/bcachefs/journal.c
@@ -182,6 +182,8 @@ journal_error_check_stuck(struct journal *j, int error, unsigned flags)

void bch2_journal_do_writes(struct journal *j)
{
+ struct bch_fs *c = container_of(j, struct bch_fs, journal);
+
for (u64 seq = journal_last_unwritten_seq(j);
seq <= journal_cur_seq(j);
seq++) {
@@ -196,7 +198,7 @@ void bch2_journal_do_writes(struct journal *j)
if (!journal_state_seq_count(j, j->reservations, seq)) {
j->seq_write_started = seq;
w->write_started = true;
- closure_call(&w->io, bch2_journal_write, j->wq, NULL);
+ closure_call(&w->io, bch2_journal_write, j->wq, &c->cl);
}

break;

Next message: Lorenzo Stoakes: "Re: [PATCH v5 3/7] mm: Add batched versions of ptep_modify_prot_start/commit"
Previous message: Jakub Kicinski: "Re: [PATCH net-next 2/5] netconsole: move netpoll_parse_ip_addr() earlier for reuse"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]