| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20210330092933.81311-1-songmuchun@bytedance.com>
Date: Tue, 30 Mar 2021 17:29:33 +0800
From: Muchun Song <songmuchun@...edance.com>
To: viro@...iv.linux.org.uk, tj@...nel.org, axboe@...com
Cc: linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
Muchun Song <songmuchun@...edance.com>
Subject: [PATCH] writeback: fix obtain a reference to a freeing memcg css
The caller of wb_get_create() should pin the memcg, because
wb_get_create() relies on this guarantee. The rcu read lock
only can guarantee that the memcg css returned by css_from_id()
cannot be released, but the reference of the memcg can be zero.
Fix it by holding a reference to the css before calling
wb_get_create(). This is not a problem I encountered in the
real world. Just the result of a code review.
Fixes: 682aa8e1a6a1 ("writeback: implement unlocked_inode_to_wb transaction and use it for stat updates")
Signed-off-by: Muchun Song <songmuchun@...edance.com>
---
fs/fs-writeback.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
index 3ac002561327..afa658ffc09f 100644
--- a/fs/fs-writeback.c
+++ b/fs/fs-writeback.c
@@ -506,8 +506,10 @@ static void inode_switch_wbs(struct inode *inode, int new_wb_id)
/* find and pin the new wb */
rcu_read_lock();
memcg_css = css_from_id(new_wb_id, &memory_cgrp_subsys);
- if (memcg_css)
+ if (memcg_css && css_tryget(memcg_css)) {
isw->new_wb = wb_get_create(bdi, memcg_css, GFP_ATOMIC);
+ css_put(memcg_css);
+ }
rcu_read_unlock();
if (!isw->new_wb)
goto out_free;
--
2.11.0
Powered by blists - more mailing lists