block: ensure the bdi is freed after inode_detach_wb

inode_detach_wb references the "main" bdi of the inode. With the recent change to move the bdi from the request_queue to the gendisk this causes a guaranteed use after free when using certain cgroup configurations. The big itself is older through as any non-default inode reference (e.g. an open file descriptor) could have injected this use after free even before that. Fixes: 52ebea74 ("writeback: make backing_dev_info host cgroup-specific bdi_writebacks") Reported-by: N Qian Cai <quic_qiancai@quicinc.com> Reported-by: N syzbot <syzbot+1fb38bb7d3ce0fa3e1c4@syzkaller.appspotmail.com> Signed-off-by: N Christoph Hellwig <hch@lst.de> Link: https://lore.kernel.org/r/20210816122614.601358-3-hch@lst.deSigned-off-by: N Jens Axboe <axboe@kernel.dk>

block: ensure the bdi is freed after inode_detach_wb
inode_detach_wb references the "main" bdi of the inode. With the recent change to move the bdi from the request_queue to the gendisk this causes a guaranteed use after free when using certain cgroup configurations. The big itself is older through as any non-default inode reference (e.g. an open file descriptor) could have injected this use after free even before that. Fixes: 52ebea74 ("writeback: make backing_dev_info host cgroup-specific bdi_writebacks") Reported-by: N Qian Cai <quic_qiancai@quicinc.com> Reported-by: N syzbot <syzbot+1fb38bb7d3ce0fa3e1c4@syzkaller.appspotmail.com> Signed-off-by: N Christoph Hellwig <hch@lst.de> Link: https://lore.kernel.org/r/20210816122614.601358-3-hch@lst.deSigned-off-by: N Jens Axboe <axboe@kernel.dk>
889c05cc · Christoph Hellwig · Jens Axboe · 9451aa0a · 889c05cc · 889c05cc
隐藏空白更改
内联并排

Showing with 4 addition and 4 deletion

block/genhd.c block/genhd.c +0 -1

fs/block_dev.c fs/block_dev.c +4 -3

未找到文件。
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -1084,7 +1084,6 @@ static void disk_release(struct device *dev)

 	might_sleep();

-	bdi_put(disk->bdi);
 	disk_release_events(disk);
 	kfree(disk->random);
 	xa_destroy(&disk->part_tbl);

--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -812,8 +812,11 @@ static void bdev_free_inode(struct inode *inode)
 	free_percpu(bdev->bd_stats);
 	kfree(bdev->bd_meta_info);

-	if (!bdev_is_partition(bdev))
+	if (!bdev_is_partition(bdev)) {
+		if (bdev->bd_disk && bdev->bd_disk->bdi)
+			bdi_put(bdev->bd_disk->bdi);
 		kfree(bdev->bd_disk);
+	}

 	if (MAJOR(bdev->bd_dev) == BLOCK_EXT_MAJOR)
 		blk_free_ext_minor(MINOR(bdev->bd_dev));
@@ -833,8 +836,6 @@ static void bdev_evict_inode(struct inode *inode)
 	truncate_inode_pages_final(&inode->i_data);
 	invalidate_inode_buffers(inode); /* is it needed here? */
 	clear_inode(inode);
-	/* Detach inode from wb early as bdi_put() may free bdi->wb */
-	inode_detach_wb(inode);
 }

 static const struct super_operations bdev_sops = {