bcachefs: Fix race path in bch2_inode_insert()

__destroy_new_inode() is appropriate when we have _just_allocated the
inode, but not when it's been fully initialized and on i_sb_list.

Reported-by: syzbot+a0ddc9873c280a4cb18f@syzkaller.appspotmail.com
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>

diff --git a/fs/bcachefs/fs.c b/fs/bcachefs/fs.c
index 9b41c6e9deefca7c1a088e92f7edb9fe4bbae0be..96040a95cf4667069ad8dac4cc02a56f45382dc8 100644 (file)
--- a/fs/bcachefs/fs.c
+++ b/fs/bcachefs/fs.c
@@ -188,8 +188,7 @@ static struct bch_inode_info *bch2_inode_insert(struct bch_fs *c, struct bch_ino
        BUG_ON(!old);
 
        if (unlikely(old != inode)) {
-               __destroy_inode(&inode->v);
-               kmem_cache_free(bch2_inode_cache, inode);
+               discard_new_inode(&inode->v);
                inode = old;
        } else {
                mutex_lock(&c->vfs_inodes_lock);