bcachefs: Fix a use after free

Turns out, we weren't waiting on in flight btree writes when freeing
existing btree nodes. This lead to stray btree writes overwriting newly
allocated buckets, but only started showing itself with some of the
recent allocator work and another patch to move submitting of btree
writes to worqueues.

Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com>
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>

1 files changed, 8 insertions, 0 deletions

diff --git a/fs/bcachefs/btree_update_interior.c b/fs/bcachefs/btree_update_interior.c
index b3137525f9c1..dabd1a3e3aa3 100644
--- a/fs/bcachefs/btree_update_interior.c
+++ b/fs/bcachefs/btree_update_interior.c
@@ -887,6 +887,14 @@ void bch2_btree_interior_update_will_free_node(struct btree_update *as,
 	btree_update_drop_new_node(c, b);
 
 	btree_update_will_delete_key(as, &b->key);
+
+	/*
+	 * XXX: Waiting on io with btree node locks held, we don't want to be
+	 * doing this. We can't have btree writes happening after the space has
+	 * been freed, but we really only need to block before
+	 * btree_update_nodes_written_trans() happens.
+	 */
+	btree_node_wait_on_io(b);
 }
 
 void bch2_btree_update_done(struct btree_update *as)