nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()

stable inclusion
from stable-v5.10.181
commit 6b4205ea97901f822004e6c8d59484ccfda03faa
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I8GJZJ

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6b4205ea97901f822004e6c8d59484ccfda03faa

--------------------------------

commit 9b5a04ac upstream.

During unmount process of nilfs2, nothing holds nilfs_root structure after
nilfs2 detaches its writer in nilfs_detach_log_writer().  However, since
nilfs_evict_inode() uses nilfs_root for some cleanup operations, it may
cause use-after-free read if inodes are left in "garbage_list" and
released by nilfs_dispose_list() at the end of nilfs_detach_log_writer().

Fix this issue by modifying nilfs_evict_inode() to only clear inode
without additional metadata changes that use nilfs_root if the file system
is degraded to read-only or the writer is detached.

Link: https://lkml.kernel.org/r/20230509152956.8313-1-konishi.ryusuke@gmail.com


Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by:  <syzbot+78d4495558999f55d1da@syzkaller.appspotmail.com>
Closes: https://lkml.kernel.org/r/00000000000099e5ac05fb1c3b85@google.com


Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>