bcachefs: Hold read lock in bch2_snapshot_tree_oldest_subvol()

botta633 · Kent Overstreet · commit 39c3aad43f6f · 2024-09-21T14:54:18.000-04:00
Syzbot reports a problem that a warning is triggered due to suspicious
use of rcu_dereference_check(). That is triggered by a call of
bch2_snapshot_tree_oldest_subvol().

The cause of the warning is that inside
bch2_snapshot_tree_oldest_subvol(), snapshot_t() is called which calls
rcu_dereference() that requires a read lock to be held. Also, the call
of bch2_snapshot_tree_next() eventually calls snapshot_t().

To fix this, call rcu_read_lock() before calling snapshot_t(). Then,
release the lock after the termination of the while loop.

Reported-by: &lt;syzbot+f7c41a878676b72c16a6@syzkaller.appspotmail.com&gt;
Signed-off-by: Ahmed Ehab &lt;bottaawesome633@gmail.com&gt;
Signed-off-by: Kent Overstreet &lt;kent.overstreet@linux.dev&gt;
diff --git a/fs/bcachefs/snapshot.c b/fs/bcachefs/snapshot.c
@@ -469,6 +469,7 @@ static u32 bch2_snapshot_tree_oldest_subvol(struct bch_fs *c, u32 snapshot_root)
 	u32 id = snapshot_root;
 	u32 subvol = 0, s;
 
+	rcu_read_lock();
 	while (id) {
 		s = snapshot_t(c, id)->subvol;
 
@@ -477,6 +478,7 @@ static u32 bch2_snapshot_tree_oldest_subvol(struct bch_fs *c, u32 snapshot_root)
 
 		id = bch2_snapshot_tree_next(c, id);
 	}
+	rcu_read_unlock();
 
 	return subvol;
 }

Original file line number	Diff line number	Diff line change
`@@ -469,6 +469,7 @@ static u32 bch2_snapshot_tree_oldest_subvol(struct bch_fs *c, u32 snapshot_root)`
`469`	`469`	`u32 id = snapshot_root;`
`470`	`470`	`u32 subvol = 0, s;`
`471`	`471`
	`472`	`+ rcu_read_lock();`
`472`	`473`	`while (id) {`
`473`	`474`	`s = snapshot_t(c, id)->subvol;`
`474`	`475`
`@@ -477,6 +478,7 @@ static u32 bch2_snapshot_tree_oldest_subvol(struct bch_fs *c, u32 snapshot_root)`
`477`	`478`
`478`	`479`	`id = bch2_snapshot_tree_next(c, id);`
`479`	`480`	`}`
	`481`	`+ rcu_read_unlock();`
`480`	`482`
`481`	`483`	`return subvol;`
`482`	`484`	`}`