Commit d93ff5fa authored May 22, 2024 by Kent Overstreet

bcachefs: Fix race path in bch2_inode_insert()



__destroy_new_inode() is appropriate when we have _just_allocated the
inode, but not when it's been fully initialized and on i_sb_list.

Reported-by:  <syzbot+a0ddc9873c280a4cb18f@syzkaller.appspotmail.com>
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>

parent cd3b31f9

fs/bcachefs/fs.c

+1 −2

Original line number	Diff line number	Diff line
		@@ -188,8 +188,7 @@ static struct bch_inode_info bch2_inode_insert(struct bch_fs c, struct bch_ino
		BUG_ON(!old);

		if (unlikely(old != inode)) {
		__destroy_inode(&inode->v);
		kmem_cache_free(bch2_inode_cache, inode);
		discard_new_inode(&inode->v);
		inode = old;
		} else {
		mutex_lock(&c->vfs_inodes_lock);