6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Boris Burkov boris@bur.io
commit 0fba7be1ca6df2881e68386e5575fe096f33c4ca upstream.
When we call btrfs_read_folio() we get an unlocked folio, so it is possible for a different thread to concurrently modify folio->mapping. We must check that this hasn't happened once we do have the lock.
CC: stable@vger.kernel.org # 6.12+ Reviewed-by: Qu Wenruo wqu@suse.com Signed-off-by: Boris Burkov boris@bur.io Signed-off-by: David Sterba dsterba@suse.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- fs/btrfs/send.c | 6 ++++++ 1 file changed, 6 insertions(+)
--- a/fs/btrfs/send.c +++ b/fs/btrfs/send.c @@ -5291,6 +5291,7 @@ static int put_file_data(struct send_ctx unsigned cur_len = min_t(unsigned, len, PAGE_SIZE - pg_offset);
+again: folio = filemap_lock_folio(mapping, index); if (IS_ERR(folio)) { page_cache_sync_readahead(mapping, @@ -5323,6 +5324,11 @@ static int put_file_data(struct send_ctx ret = -EIO; break; } + if (folio->mapping != mapping) { + folio_unlock(folio); + folio_put(folio); + goto again; + } }
memcpy_from_folio(sctx->send_buf + sctx->send_size, folio,