Re: [PATCH RFC] btrfs: delayed-inode: Use spinlock to protect btrfs_inode::delayed_node

On 19.09.2018 09:59, Qu Wenruo wrote:
> In the following case, we could trigger a use-after-free bug:
> 
>          CPU0                    |               CPU1
> -------------------------------------------------------------------------
> btrfs_remove_delayed_node        | btrfs_get_delayed_node
> |- delayed_node =                | |- node = btrfs_inode->delayed_node;
> |    btrfs_inode->delayed_node   | |
> |- btrfs_release_delayed_node()  | |
>    |- refcount_dec_and_test()    | |
>    |- kmem_cache_free()          | |
>       Now delayed node is freed  | |
>                                  | |- refcount_inc(&node->refs)
> 


btrfs_remove_delayed_node is called from evict_inode which is called
once the inode has been freed and there are no more references to this
inode (inode->i_count is 0). Also before calling
btrfs_remove_delayed_node we have flushed all the pages and ordered
extents. So the crucial bit of information missing is what is the
higher-level operation that requests the delayed node for a freed inode?
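Added example, not code from the btrfs patch or from this reply: a user-space C model of the race quoted above and of the lock-protected lookup the patch title proposes. A test-and-set flag stands in for the kernel spinlock, a plain int for refcount_t, and a "freed" flag for kmem_cache_free(), so the stale write in the unsafe interleaving can be observed rather than being undefined behaviour. The two CPUs of the quoted diagram are driven sequentially in that order; all function and field names are the model's own, not btrfs symbols.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct delayed_node {
    int refs;    /* model of refcount_t */
    bool freed;  /* set instead of freeing, so a dangling access can be detected */
};

struct btrfs_inode {
    struct delayed_node *delayed_node;
    atomic_flag lock;  /* stands in for the spinlock the patch adds */
};

static void inode_lock(struct btrfs_inode *inode)
{
    while (atomic_flag_test_and_set_explicit(&inode->lock, memory_order_acquire))
        ;
}

static void inode_unlock(struct btrfs_inode *inode)
{
    atomic_flag_clear_explicit(&inode->lock, memory_order_release);
}

static struct delayed_node *node_alloc(void)
{
    struct delayed_node *n = calloc(1, sizeof *n);
    if (n)
        n->refs = 1;  /* the inode's own reference */
    return n;
}

/* refcount_dec_and_test() followed by kmem_cache_free() in the original. */
static void release_delayed_node(struct delayed_node *n)
{
    if (n && --n->refs == 0)
        n->freed = true;  /* memory is kept so the caller can inspect it */
}

/* Racy lookup as quoted: read the pointer, then bump the count, no lock.
 * Split in two steps so the window between them can be exercised. */
static struct delayed_node *unsafe_get_step1(struct btrfs_inode *inode)
{
    return inode->delayed_node;
}

static bool unsafe_get_step2(struct delayed_node *n)
{
    if (!n)
        return false;
    n->refs++;        /* refcount_inc() on whatever the stale pointer names */
    return n->freed;  /* true: the increment landed on a freed object */
}

/* Protected lookup: pointer read and refcount_inc are atomic w.r.t. removal. */
static struct delayed_node *get_delayed_node(struct btrfs_inode *inode)
{
    inode_lock(inode);
    struct delayed_node *n = inode->delayed_node;
    if (n)
        n->refs++;
    inode_unlock(inode);
    return n;
}

/* Protected removal: detach under the lock, then drop the inode's reference. */
static void remove_delayed_node(struct btrfs_inode *inode)
{
    inode_lock(inode);
    struct delayed_node *n = inode->delayed_node;
    inode->delayed_node = NULL;
    inode_unlock(inode);
    release_delayed_node(n);
}

/* The quoted interleaving: CPU1 reads the pointer, CPU0 removes and frees,
 * CPU1 increments. Returns true when the increment hit freed memory. */
bool race_unsafe(void)
{
    struct btrfs_inode inode = { node_alloc(), ATOMIC_FLAG_INIT };
    struct delayed_node *stale = unsafe_get_step1(&inode);  /* CPU1 */
    remove_delayed_node(&inode);                             /* CPU0 */
    bool uaf = unsafe_get_step2(stale);                      /* CPU1 */
    free(stale);
    return uaf;
}

/* Same sequence through the locked lookup: the getter either holds a reference
 * before removal runs, or sees NULL after it. Returns true if both hold. */
bool race_locked(void)
{
    struct btrfs_inode inode = { node_alloc(), ATOMIC_FLAG_INIT };
    struct delayed_node *n = get_delayed_node(&inode);  /* CPU1, refs == 2 */
    remove_delayed_node(&inode);                         /* CPU0, refs == 1 */
    bool alive_after_remove = n && !n->freed;
    release_delayed_node(n);                             /* CPU1 drops its ref */
    bool freed_by_last_put = n && n->freed;
    bool later_get_is_null = get_delayed_node(&inode) == NULL;
    free(n);
    return alive_after_remove && freed_by_last_put && later_get_is_null;
}

int main(void)
{
    printf("unsafe lookup touched freed node: %s\n", race_unsafe() ? "yes" : "no");
    printf("locked lookup stayed safe: %s\n", race_locked() ? "yes" : "no");
    return 0;
}
```

The point of the locked variant is that the pointer read and the refcount increment are a single critical section with respect to the detach in remove_delayed_node, so a lookup can only ever see a node that still carries the inode's reference, or NULL; the reference it takes then keeps the node alive across the inode's own release.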
