[PATCH] fs/mbcache: cancel shrink work before destroying the cache

public inbox for linux-fsdevel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] fs/mbcache: cancel shrink work before destroying the cache
@ 2026-03-17  5:45 Hyungjung Joo
  2026-03-17 14:38 ` Christian Brauner
  2026-03-18 18:23 ` Jan Kara
  0 siblings, 2 replies; 5+ messages in thread
From: Hyungjung Joo @ 2026-03-17  5:45 UTC (permalink / raw)
  To: viro, brauner, linux-fsdevel; +Cc: jack, greg, linux-kernel, HyungJung Joo

From: HyungJung Joo <jhj140711@gmail.com>

mb_cache_destroy() calls shrinker_free() and then frees all cache
entries and the cache itself, but it does not cancel the pending
c_shrink_work work item first.

If mb_cache_entry_create() schedules c_shrink_work via schedule_work()
and the work item is still pending or running when mb_cache_destroy()
runs, mb_cache_shrink_worker() will access the cache after its memory
has been freed, causing a use-after-free.

This is only reachable by a privileged user (root or CAP_SYS_ADMIN)
who can trigger the last put of a mounted ext2/ext4/ocfs2 filesystem.

Cancel the work item with cancel_work_sync() before calling
shrinker_free(), ensuring the worker has finished and will not be
rescheduled before the cache is torn down.

Signed-off-by: Hyungjung Joo <jhj140711@gmail.com>
---
 fs/mbcache.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/mbcache.c b/fs/mbcache.c
index 480d02d6ebf0..2a6319b4072c 100644
--- a/fs/mbcache.c
+++ b/fs/mbcache.c
@@ -406,6 +406,7 @@ void mb_cache_destroy(struct mb_cache *cache)
 {
 	struct mb_cache_entry *entry, *next;

+	cancel_work_sync(&cache->c_shrink_work);
 	shrinker_free(cache->c_shrink);

 	/*
-- 
2.34.1

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH] fs/mbcache: cancel shrink work before destroying the cache
  2026-03-17  5:45 [PATCH] fs/mbcache: cancel shrink work before destroying the cache Hyungjung Joo
@ 2026-03-17 14:38 ` Christian Brauner
  2026-03-17 15:43   ` Hyungjung Joo
  2026-03-18 18:23 ` Jan Kara
  1 sibling, 1 reply; 5+ messages in thread
From: Christian Brauner @ 2026-03-17 14:38 UTC (permalink / raw)
  To: Hyungjung Joo
  Cc: Christian Brauner, jack, greg, linux-kernel, viro, linux-fsdevel

On Tue, 17 Mar 2026 14:45:56 +0900, Hyungjung Joo wrote:
> mb_cache_destroy() calls shrinker_free() and then frees all cache
> entries and the cache itself, but it does not cancel the pending
> c_shrink_work work item first.
> 
> If mb_cache_entry_create() schedules c_shrink_work via schedule_work()
> and the work item is still pending or running when mb_cache_destroy()
> runs, mb_cache_shrink_worker() will access the cache after its memory
> has been freed, causing a use-after-free.
> 
> [...]

Pretty sure this is AI generated and it misses a Fixes: tag but otherwise looks
correct.

---

Applied to the vfs-7.1.misc branch of the vfs/vfs.git tree.
Patches in the vfs-7.1.misc branch should appear in linux-next soon.

Please report any outstanding bugs that were missed during review in a
new review to the original patch series allowing us to drop it.

It's encouraged to provide Acked-bys and Reviewed-bys even though the
patch has now been applied. If possible patch trailers will be updated.

Note that commit hashes shown below are subject to change due to rebase,
trailer updates or similar. If in doubt, please check the listed branch.

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
branch: vfs-7.1.misc

[1/1] fs/mbcache: cancel shrink work before destroying the cache
      https://git.kernel.org/vfs/vfs/c/d227786ab111

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] fs/mbcache: cancel shrink work before destroying the cache
  2026-03-17 14:38 ` Christian Brauner
@ 2026-03-17 15:43   ` Hyungjung Joo
  2026-03-18  9:42     ` Christian Brauner
  0 siblings, 1 reply; 5+ messages in thread
From: Hyungjung Joo @ 2026-03-17 15:43 UTC (permalink / raw)
  To: Christian Brauner; +Cc: jack, greg, linux-kernel, viro, linux-fsdevel

2026년 3월 17일 (화) PM 11:38, Christian Brauner <brauner@kernel.org>님이 작성:

> Pretty sure this is AI generated and it misses a Fixes: tag but otherwise looks
> correct.

I'm sorry, forgot the fixes tag.
Below is the correct fixes: tag.
Fixes: c2f3140fe2ec
Cc: stable@vger.kernel.org

Thanks.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] fs/mbcache: cancel shrink work before destroying the cache
  2026-03-17 15:43   ` Hyungjung Joo
@ 2026-03-18  9:42     ` Christian Brauner
  0 siblings, 0 replies; 5+ messages in thread
From: Christian Brauner @ 2026-03-18  9:42 UTC (permalink / raw)
  To: Hyungjung Joo; +Cc: jack, greg, linux-kernel, viro, linux-fsdevel

On Wed, Mar 18, 2026 at 12:43:19AM +0900, Hyungjung Joo wrote:
> 2026년 3월 17일 (화) PM 11:38, Christian Brauner <brauner@kernel.org>님이 작성:
> 
> > Pretty sure this is AI generated and it misses a Fixes: tag but otherwise looks
> > correct.
> 
> I'm sorry, forgot the fixes tag.
> Below is the correct fixes: tag.
> Fixes: c2f3140fe2ec
> Cc: stable@vger.kernel.org

I had already added that.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] fs/mbcache: cancel shrink work before destroying the cache
  2026-03-17  5:45 [PATCH] fs/mbcache: cancel shrink work before destroying the cache Hyungjung Joo
  2026-03-17 14:38 ` Christian Brauner
@ 2026-03-18 18:23 ` Jan Kara
  1 sibling, 0 replies; 5+ messages in thread
From: Jan Kara @ 2026-03-18 18:23 UTC (permalink / raw)
  To: Hyungjung Joo; +Cc: viro, brauner, linux-fsdevel, jack, greg, linux-kernel

On Tue 17-03-26 14:45:56, Hyungjung Joo wrote:
> From: HyungJung Joo <jhj140711@gmail.com>
> 
> mb_cache_destroy() calls shrinker_free() and then frees all cache
> entries and the cache itself, but it does not cancel the pending
> c_shrink_work work item first.
> 
> If mb_cache_entry_create() schedules c_shrink_work via schedule_work()
> and the work item is still pending or running when mb_cache_destroy()
> runs, mb_cache_shrink_worker() will access the cache after its memory
> has been freed, causing a use-after-free.
> 
> This is only reachable by a privileged user (root or CAP_SYS_ADMIN)
> who can trigger the last put of a mounted ext2/ext4/ocfs2 filesystem.
> 
> Cancel the work item with cancel_work_sync() before calling
> shrinker_free(), ensuring the worker has finished and will not be
> rescheduled before the cache is torn down.
> 
> Signed-off-by: Hyungjung Joo <jhj140711@gmail.com>

Thanks! The patch looks good to me. Feel free to add:

Reviewed-by: Jan Kara <jack@suse.cz>

								Honza


> ---
>  fs/mbcache.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/fs/mbcache.c b/fs/mbcache.c
> index 480d02d6ebf0..2a6319b4072c 100644
> --- a/fs/mbcache.c
> +++ b/fs/mbcache.c
> @@ -406,6 +406,7 @@ void mb_cache_destroy(struct mb_cache *cache)
>  {
>  	struct mb_cache_entry *entry, *next;
>  
> +	cancel_work_sync(&cache->c_shrink_work);
>  	shrinker_free(cache->c_shrink);
>  
>  	/*
> -- 
> 2.34.1
> 
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2026-03-18 18:23 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-17  5:45 [PATCH] fs/mbcache: cancel shrink work before destroying the cache Hyungjung Joo
2026-03-17 14:38 ` Christian Brauner
2026-03-17 15:43   ` Hyungjung Joo
2026-03-18  9:42     ` Christian Brauner
2026-03-18 18:23 ` Jan Kara

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox