* Patch "writeback, cgroup: fix premature wb_put() in locked_inode_to_wb_and_lock_list()" has been added to the 4.5-stable tree
@ 2016-04-10 18:12 gregkh
From: gregkh @ 2016-04-10 18:12 UTC (permalink / raw)
  To: tj, axboe, gregkh, tahsin; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    writeback, cgroup: fix premature wb_put() in locked_inode_to_wb_and_lock_list()

to the 4.5-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     writeback-cgroup-fix-premature-wb_put-in-locked_inode_to_wb_and_lock_list.patch
and it can be found in the queue-4.5 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


From 614a4e3773148a31f58dc174bbf578ceb63510c2 Mon Sep 17 00:00:00 2001
From: Tejun Heo <tj@kernel.org>
Date: Fri, 18 Mar 2016 13:50:03 -0400
Subject: writeback, cgroup: fix premature wb_put() in locked_inode_to_wb_and_lock_list()

From: Tejun Heo <tj@kernel.org>

commit 614a4e3773148a31f58dc174bbf578ceb63510c2 upstream.

locked_inode_to_wb_and_lock_list() wb_get()'s the wb associated with
the target inode, unlocks inode, locks the wb's list_lock and verifies
that the inode is still associated with the wb.  To prevent the wb
going away between dropping inode lock and acquiring list_lock, the wb
is pinned while inode lock is held.  The wb reference is put right
after acquiring list_lock citing that the wb won't be dereferenced
anymore.

This isn't true.  If the inode is still associated with the wb, the
inode has a reference and it's safe to return the wb; however, if the
inode has been switched, the wb still needs to be unlocked, which is a
dereference and can lead to use-after-free if it races with wb
destruction.

Fix it by putting the reference after releasing list_lock.

Signed-off-by: Tejun Heo <tj@kernel.org>
Fixes: 87e1d789bf55 ("writeback: implement [locked_]inode_to_wb_and_lock_list()")
Tested-by: Tahsin Erdogan <tahsin@google.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fs-writeback.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/fs/fs-writeback.c
+++ b/fs/fs-writeback.c
@@ -281,13 +281,15 @@ locked_inode_to_wb_and_lock_list(struct
 		wb_get(wb);
 		spin_unlock(&inode->i_lock);
 		spin_lock(&wb->list_lock);
-		wb_put(wb);		/* not gonna deref it anymore */
 
 		/* i_wb may have changed inbetween, can't use inode_to_wb() */
-		if (likely(wb == inode->i_wb))
-			return wb;	/* @inode already has ref */
+		if (likely(wb == inode->i_wb)) {
+			wb_put(wb);	/* @inode already has ref */
+			return wb;
+		}
 
 		spin_unlock(&wb->list_lock);
+		wb_put(wb);
 		cpu_relax();
 		spin_lock(&inode->i_lock);
 	}
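Review bot: the trailing `wb_put(wb);` after `spin_unlock(&wb->list_lock);` is the whole point of this fix, yet it carries no comment, while the removed `/* not gonna deref it anymore */` documented exactly the wrong assumption; suggest annotating the ordering so a later cleanup does not hoist the put back above the unlock, e.g. `wb_put(wb);	/* after unlock: spin_unlock() derefs @wb */`. The early-return path looks correct as written: its `wb_put(wb)` runs under list_lock, but because `wb == inode->i_wb` still holds there, the inode's own reference keeps this from being the final put, as the retained `/* @inode already has ref */` comment states.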


Patches currently in stable-queue which might be from tj@kernel.org are

queue-4.5/writeback-cgroup-fix-premature-wb_put-in-locked_inode_to_wb_and_lock_list.patch
queue-4.5/writeback-cgroup-fix-use-of-the-wrong-bdi_writeback-which-mismatches-the-inode.patch
queue-4.5/cgroup-ignore-css_sets-associated-with-dead-cgroups-during-migration.patch
