projects / linux-2.6-microblaze.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 9451aa0)
block: ensure the bdi is freed after inode_detach_wb
authorChristoph Hellwig <hch@lst.de>
Mon, 16 Aug 2021 12:26:14 +0000 (14:26 +0200)
committerJens Axboe <axboe@kernel.dk>
Mon, 16 Aug 2021 16:49:11 +0000 (10:49 -0600)
inode_detach_wb references the "main" bdi of the inode.  With the
recent change to move the bdi from the request_queue to the gendisk
this causes a guaranteed use after free when using certain cgroup
configurations.  The big itself is older through as any non-default
inode reference (e.g. an open file descriptor) could have injected
this use after free even before that.

Fixes: 52ebea749aae ("writeback: make backing_dev_info host cgroup-specific bdi_writebacks")
Reported-by: Qian Cai <quic_qiancai@quicinc.com>
Reported-by: syzbot <syzbot+1fb38bb7d3ce0fa3e1c4@syzkaller.appspotmail.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20210816122614.601358-3-hch@lst.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
block/genhd.c patch | blob | history
fs/block_dev.c patch | blob | history

diff --git a/block/genhd.c b/block/genhd.c
index ed58ddf..731a460 100644 (file)
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -1084,7 +1084,6 @@ static void disk_release(struct device *dev)
 
        might_sleep();
 
-       bdi_put(disk->bdi);
        disk_release_events(disk);
        kfree(disk->random);
        xa_destroy(&disk->part_tbl);
diff --git a/fs/block_dev.c b/fs/block_dev.c
index 4bd2a63..d3a8062 100644 (file)
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -812,8 +812,11 @@ static void bdev_free_inode(struct inode *inode)
        free_percpu(bdev->bd_stats);
        kfree(bdev->bd_meta_info);
 
-       if (!bdev_is_partition(bdev))
+       if (!bdev_is_partition(bdev)) {
+               if (bdev->bd_disk && bdev->bd_disk->bdi)
+                       bdi_put(bdev->bd_disk->bdi);
                kfree(bdev->bd_disk);
+       }
 
        if (MAJOR(bdev->bd_dev) == BLOCK_EXT_MAJOR)
                blk_free_ext_minor(MINOR(bdev->bd_dev));
@@ -833,8 +836,6 @@ static void bdev_evict_inode(struct inode *inode)
        truncate_inode_pages_final(&inode->i_data);
        invalidate_inode_buffers(inode); /* is it needed here? */
        clear_inode(inode);
-       /* Detach inode from wb early as bdi_put() may free bdi->wb */
-       inode_detach_wb(inode);
 }
 
 static const struct super_operations bdev_sops = {
MicroBlaze GIT Repository