Hi, all We have reported a use-after-free crash for bdi device in __blkg_prfill_rwstat() (see Patch #3). The bug is caused by printing device kobj->name while the device and kobj->name has been freed by bdi_unregister(). In fact, commit 68f23b8906 "memcg: fix a crash in wb_workfn when a device disappears" has tried to address the issue, but the code is till somewhat racy after that commit. In this patchset, we try to protect device lifetime with RCU, avoiding the device been freed when others used. A way which maybe fix the problem is copy device name into special memory (as discussed in [0]), but that is also need lock protect. [0] https://lore.kernel.org/linux-block/20200219125505.GP16121@xxxxxxxxxxxxxx/ V1: https://www.spinics.net/lists/linux-block/msg49693.html Add a new spinlock and copy kobj->name into caller buffer. Or using synchronize_rcu() to wait until reader complete. Yufen Yu (7): blk-wbt: use bdi_dev_name() to get device name fs/ceph: use bdi_dev_name() to get device name bdi: protect device lifetime with RCU bdi: create a new function bdi_get_dev_name() bfq: fix potential kernel crash when print dev err info memcg: fix crash in wb_workfn when bdi unregister blk-wbt: replace bdi_dev_name() with bdi_get_dev_name() block/bfq-iosched.c | 7 +++-- block/blk-cgroup.c | 8 ++++-- block/genhd.c | 4 +-- fs/ceph/debugfs.c | 2 +- fs/ext4/super.c | 2 +- fs/fs-writeback.c | 4 ++- include/linux/backing-dev-defs.h | 8 +++++- include/linux/backing-dev.h | 31 +++++++++++++++++++-- include/trace/events/wbt.h | 8 +++--- include/trace/events/writeback.h | 38 ++++++++++++-------------- mm/backing-dev.c | 59 +++++++++++++++++++++++++++++++++------- 11 files changed, 124 insertions(+), 47 deletions(-) -- 2.16.2.dirty
