Re: [PATCH] bdi: Fix another oops in wb_workfn()
From: Tejun Heo <tj@kernel.org>
Date: 2018-06-11 16:01:35
Also in:
linux-fsdevel, lkml
Subsystem:
memory management, memory management - misc, the rest · Maintainers:
Andrew Morton, David Hildenbrand, Linus Torvalds
Possibly related (same subject, not in this thread)
- 2018-06-22 · Re: [PATCH] bdi: Fix another oops in wb_workfn() · Jens Axboe <axboe@kernel.dk>
- 2018-06-22 · Re: [PATCH] bdi: Fix another oops in wb_workfn() · Jan Kara <jack@suse.cz>
- 2018-06-19 · Re: [PATCH] bdi: Fix another oops in wb_workfn() · Jan Kara <jack@suse.cz>
- 2018-06-18 · Re: [PATCH] bdi: Fix another oops in wb_workfn() · Tejun Heo <tj@kernel.org>
- 2018-06-18 · Re: [PATCH] bdi: Fix another oops in wb_workfn() · Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Hello, On Mon, Jun 11, 2018 at 11:12:48AM +0200, Jan Kara wrote:
However this is wrong and so is the patch. The problem is in cgwb_bdi_unregister() which does cgwb_kill() and thus drops bdi's reference to wb structures before going through the list of wbs again and calling wb_shutdown() on each of them. The writeback structures we are accessing at this point can be already freed in principle like: CPU1 CPU2 cgwb_bdi_unregister() cgwb_kill(*slot); cgwb_release() queue_work(cgwb_release_wq, &wb->release_work); cgwb_release_workfn() wb = list_first_entry(&bdi->wb_list, ...) spin_unlock_irq(&cgwb_lock); wb_shutdown(wb); ... kfree_rcu(wb, rcu); wb_shutdown(wb); -> oops use-after-free I'm not 100% sure how to fix this. wb structures can be at various phases of shutdown (or there may be other external references still existing) when we enter cgwb_bdi_unregister() so I think adding a way for cgwb_bdi_unregister() to wait for standard wb shutdown path to finish is the most robust way. What do you think about attached patch Tejun? So far only compile tested... Possible problem with it is that now cgwb_bdi_unregister() will wait for all wb references to be dropped so it adds some implicit dependencies to bdi shutdown path.
Would something like the following work or am I missing the point entirely? Thanks.
diff --git a/mm/backing-dev.c b/mm/backing-dev.c
index 347cc83..359cacd 100644
--- a/mm/backing-dev.c
+++ b/mm/backing-dev.c@@ -715,14 +715,19 @@ static void cgwb_bdi_unregister(struct backing_dev_info *bdi) WARN_ON(test_bit(WB_registered, &bdi->wb.state)); spin_lock_irq(&cgwb_lock); - radix_tree_for_each_slot(slot, &bdi->cgwb_tree, &iter, 0) - cgwb_kill(*slot); + radix_tree_for_each_slot(slot, &bdi->cgwb_tree, &iter, 0) { + struct bdi_writeback *wb = *slot; + + wb_get(wb); + cgwb_kill(wb); + } while (!list_empty(&bdi->wb_list)) { wb = list_first_entry(&bdi->wb_list, struct bdi_writeback, bdi_node); spin_unlock_irq(&cgwb_lock); wb_shutdown(wb); + wb_put(wb); spin_lock_irq(&cgwb_lock); } spin_unlock_irq(&cgwb_lock);
--
tejun