[PATCH] btrfs: fix delayed_node ref_tracker use after free

[PATCH] btrfs: fix delayed_node ref_tracker use after free

[Leo Martins]

Move the print before releasing the delayed node.

In my initial testing there was a bug that was causing delayed_nodes
to not get freed which is why I put the print after the release. This
obviously neglects the case where the delayed node is properly freed.

Add condition to make sure we only print if we have more than one
reference to the delayed_node to prevent printing when we only have
the reference taken in btrfs_kill_all_delayed_nodes().

Fixes: b767a28d6154 ("btrfs: print leaked references in kill_all_delayed_nodes()")
Signed-off-by: Leo Martins <loemra.dev@gmail.com>
---
 fs/btrfs/delayed-inode.c | 2 +-
 fs/btrfs/delayed-inode.h | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
index 41e37f7f67cc..3df7b9d7fbe8 100644
--- a/fs/btrfs/delayed-inode.c
+++ b/fs/btrfs/delayed-inode.c
@@ -2110,9 +2110,9 @@ void btrfs_kill_all_delayed_nodes(struct btrfs_root *root)
 
 		for (int i = 0; i < count; i++) {
 			__btrfs_kill_delayed_node(delayed_nodes[i]);
+			btrfs_delayed_node_ref_tracker_dir_print(delayed_nodes[i]);
 			btrfs_release_delayed_node(delayed_nodes[i],
 						   &delayed_node_trackers[i]);
-			btrfs_delayed_node_ref_tracker_dir_print(delayed_nodes[i]);
 		}
 	}
 }
diff --git a/fs/btrfs/delayed-inode.h b/fs/btrfs/delayed-inode.h
index 0d949edc0caf..b09d4ec8c77d 100644
--- a/fs/btrfs/delayed-inode.h
+++ b/fs/btrfs/delayed-inode.h
@@ -219,6 +219,13 @@ static inline void btrfs_delayed_node_ref_tracker_dir_print(struct btrfs_delayed
 	if (!btrfs_test_opt(node->root->fs_info, REF_TRACKER))
 		return;
 
+	/*
+	 * Only print if there are leaked references. The caller is
+	 * holding one reference, so if refs == 1 there is no leak.
+	 */
+	if (refcount_read(&node->refs) == 1)
+		return;
+
 	ref_tracker_dir_print(&node->ref_dir.dir,
 			      BTRFS_DELAYED_NODE_REF_TRACKER_DISPLAY_LIMIT);
 }
-- 
2.47.3

Re: [PATCH] btrfs: fix delayed_node ref_tracker use after free

[Christoph Hellwig]

This fixes the use after free I saw in xfstests btrfs/071:

Tested-by: Christoph Hellwig <hch@lst.de>

Re: [PATCH] btrfs: fix delayed_node ref_tracker use after free

[David Sterba]

On Mon, Oct 20, 2025 at 04:16:15PM -0700, Leo Martins wrote:
> Move the print before releasing the delayed node.
> 
> In my initial testing there was a bug that was causing delayed_nodes
> to not get freed which is why I put the print after the release. This
> obviously neglects the case where the delayed node is properly freed.
> 
> Add condition to make sure we only print if we have more than one
> reference to the delayed_node to prevent printing when we only have
> the reference taken in btrfs_kill_all_delayed_nodes().
> 
> Fixes: b767a28d6154 ("btrfs: print leaked references in kill_all_delayed_nodes()")
> Signed-off-by: Leo Martins <loemra.dev@gmail.com>

Added to for-next, thanks.