Hi, all We have reported a use-after-free crash for bdi device in __blkg_prfill_rwstat(). The bug is caused by printing device kobj->name while the device and kobj->name has been freed by bdi_unregister(). In fact, commit 68f23b8906 "memcg: fix a crash in wb_workfn when a device disappears" has tried to address the issue, but the code is till somewhat racy after that commit. In this patchset, we try to protect bdi->dev with spinlock and copy device name into caller buffer, avoiding use-after-free. V4: * Fix coding error in bdi_get_dev_name() * Write one patch for each broken caller V3: https://www.spinics.net/lists/linux-block/msg51111.html Use spinlock to protect bdi->dev and copy device name into caller buffer V2: https://www.spinics.net/lists/linux-fsdevel/msg163206.html Try to protect device lifetime with RCU. V1: https://www.spinics.net/lists/linux-block/msg49693.html Add a new spinlock and copy kobj->name into caller buffer. Or using synchronize_rcu() to wait until reader complete. Yufen Yu (6): bdi: use bdi_dev_name() to get device name bdi: protect bdi->dev with spinlock bfq: fix potential kernel crash when print error info memcg: fix crash in wb_workfn when bdi unregister blk-wbt: replace bdi_dev_name() with bdi_get_dev_name() blkcg: fix use-after-free for bdi->dev block/bfq-iosched.c | 6 +++-- block/blk-cgroup-rwstat.c | 6 +++-- block/blk-cgroup.c | 19 +++++----------- block/blk-iocost.c | 14 +++++++----- block/blk-iolatency.c | 5 +++-- block/blk-throttle.c | 6 +++-- fs/ceph/debugfs.c | 2 +- fs/fs-writeback.c | 4 +++- include/linux/backing-dev-defs.h | 1 + include/linux/backing-dev.h | 26 ++++++++++++++++++++++ include/linux/blk-cgroup.h | 1 - include/trace/events/wbt.h | 8 +++---- include/trace/events/writeback.h | 38 ++++++++++++++------------------ mm/backing-dev.c | 9 ++++++-- 14 files changed, 88 insertions(+), 57 deletions(-) -- 2.17.2
