From: Andreas Gruenbacher <agruenba@redhat.com> stable inclusion from stable-v6.6.128 commit 4991b13cc9f1eed093bfeeabc4ac7dedb17816cb category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/15235 CVE: CVE-2026-45984 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- [ Upstream commit 92099f0c92270c8c7a79e6bc6e0312ad248ea331 ] Add a metapath_dibh() helper for extracting the inode's buffer head from a metapath. Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com> Stable-dep-of: faddeb848305 ("gfs2: Fix use-after-free in iomap inline data write path") Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Hongbo Li <lihongbo22@huawei.com> --- fs/gfs2/bmap.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/fs/gfs2/bmap.c b/fs/gfs2/bmap.c index 73d3d4c5d583..5d16d35ff076 100644 --- a/fs/gfs2/bmap.c +++ b/fs/gfs2/bmap.c @@ -317,6 +317,12 @@ static void gfs2_metapath_ra(struct gfs2_glock *gl, __be64 *start, __be64 *end) } } +static inline struct buffer_head * +metapath_dibh(struct metapath *mp) +{ + return mp->mp_bh[0]; +} + static int __fillup_metapath(struct gfs2_inode *ip, struct metapath *mp, unsigned int x, unsigned int h) { @@ -660,7 +666,7 @@ static int __gfs2_iomap_alloc(struct inode *inode, struct iomap *iomap, { struct gfs2_inode *ip = GFS2_I(inode); struct gfs2_sbd *sdp = GFS2_SB(inode); - struct buffer_head *dibh = mp->mp_bh[0]; + struct buffer_head *dibh = metapath_dibh(mp); u64 bn; unsigned n, i, blks, alloced = 0, iblks = 0, branch_start = 0; size_t dblks = iomap->length >> inode->i_blkbits; -- 2.34.1