[PATCH] ocfs2: remove debugfs before shutting down recovery

[Zhang Cen <rollkingzzc@gmail.com>]

ocfs2_osb_debug_open() builds the per-mount fs_state snapshot by calling
ocfs2_osb_dump(), which reads osb->recovery_map. During normal unmount,
ocfs2_dismount_volume() currently calls ocfs2_recovery_exit() before it
removes osb->osb_debug_root, so a concurrent fs_state open can still
enter ocfs2_osb_dump() after the recovery map has been freed.

operations, so moving it ahead of ocfs2_recovery_exit() closes the
post-free/pre-remove window without changing the recovery-state logic.
This also makes the normal unmount path match the existing mount-error
state.

The buggy scenario involves two paths, with each column showing the
order within that path:

1. Open the per-mount fs_state file      1. ocfs2_dismount_volume() starts
2. ocfs2_osb_debug_open() calls          2. ocfs2_recovery_exit() frees
   ocfs2_osb_dump()                         osb->recovery_map
   osb->recovery_map                        runs later

Validation reproduced this kernel report:
KASAN slab-use-after-free in ocfs2_osb_debug_open+0x478/0xaa0
RIP: 0033:0x7f65fc97a001
The buggy address belongs to the object at ffff8881049c3da0 which belongs
to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes inside of freed 8-byte region
[ffff8881049c3da0, ffff8881049c3da8)
Read of size 4
Call trace:
  dump_stack_lvl+0x66/0xa0 (?:?)
  print_report+0xd0/0x630 (?:?)
  ocfs2_osb_debug_open+0x478/0xaa0 (fs/ocfs2/super.c:343)
  srso_alias_return_thunk+0x5/0xfbef5 (?:?)
  __virt_addr_valid+0x188/0x2f0 (?:?)
  kasan_report+0xe4/0x120 (?:?)
  full_proxy_open_regular+0x113/0x170 (?:?)
  do_dentry_open+0x233/0x7f0 (?:?)
  vfs_open+0x5a/0x1b0 (?:?)
  security_inode_permission+0x19/0x60 (?:?)
  path_openat+0x679/0x1540 (?:?)
  kmem_cache_alloc_noprof+0x1ea/0x5f0 (?:?)
  do_getname+0x2e/0x1d0 (?:?)
  do_sys_openat2+0xa4/0x150 (?:?)
  __x64_sys_openat+0xd0/0x140 (?:?)
  do_syscall_64+0x10c/0x640 (arch/x86/entry/syscall_64.c:87)
  entry_SYSCALL_64_after_hwframe+0x77/0x7f (?:?)
  do_file_open+0x190/0x2a0 (?:?)
  __lock_acquire+0x42f/0x1a60 (?:?)
  _raw_spin_unlock+0x23/0x40 (?:?)
  alloc_fd+0x210/0x350 (?:?)
  do_sys_openat2+0xce/0x150 (?:?)
  irqentry_exit+0xac/0x6e0 (?:?)
Freed by task stack:
  kasan_save_stack+0x33/0x60 (?:?)
  kasan_save_track+0x14/0x30 (?:?)
  kasan_save_free_info+0x3b/0x60 (?:?)
  __kasan_slab_free+0x5f/0x80 (?:?)
  kfree+0x30f/0x580 (?:?)
  ocfs2_dismount_volume+0x168/0x560 (fs/ocfs2/super.c:1868)
  generic_shutdown_super+0xc3/0x220 (fs/ocfs2/super.c:?)
  kill_block_super+0x29/0x60 (fs/ocfs2/super.c:?)
  deactivate_locked_super+0x66/0xe0 (fs/ocfs2/super.c:?)
  cleanup_mnt+0x13d/0x210 (?:?)
  task_work_run+0xfa/0x170 (?:?)
  exit_to_user_mode_loop+0xd6/0x430 (?:?)
  do_syscall_64+0x3cb/0x640 (arch/x86/entry/syscall_64.c:87)
  entry_SYSCALL_64_after_hwframe+0x77/0x7f (?:?)

Fixes: 5e7a3ed9f1a6 ("ocfs2: further debugfs cleanups")
Assisted-by: Codex:gpt-5.5
Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
---
 fs/ocfs2/super.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
index b875f01c9756..357f210b6a43 100644
--- a/fs/ocfs2/super.c
+++ b/fs/ocfs2/super.c
@@ -1826,6 +1826,9 @@ static void ocfs2_dismount_volume(struct super_block *sb, int mnt_err)
 
 	ocfs2_truncate_log_shutdown(osb);
 
+	ocfs2_blockcheck_stats_debugfs_remove(&osb->osb_ecc_stats);
+	debugfs_remove_recursive(osb->osb_debug_root);
+
 	/* This will disable recovery and flush any recovery work. */
 	ocfs2_recovery_exit(osb);
 
@@ -1865,9 +1868,6 @@ static void ocfs2_dismount_volume(struct super_block *sb, int mnt_err)
 
 	ocfs2_dlm_shutdown(osb, hangup_needed);
 
-	ocfs2_blockcheck_stats_debugfs_remove(&osb->osb_ecc_stats);
-	debugfs_remove_recursive(osb->osb_debug_root);
-
 	if (hangup_needed)
 		ocfs2_cluster_hangup(osb->uuid_str, strlen(osb->uuid_str));
 
-- 
2.43.0