inode_detach_wb references the "main" bdi of the inode. With the recent change to move the bdi from the request_queue to the gendisk this causes a guaranteed use after free when using certain cgroup configurations. The big itself is older through as any non-default inode reference (e.g. an open file descriptor) could have injected this use after free even before that.

Fixes: 52ebea749aae ("writeback: make backing_dev_info host cgroup-specific bdi_writebacks")
Reported-by: Qian Cai <quic_qiancai@xxxxxxxxxxx>
Reported-by: syzbot <syzbot+1fb38bb7d3ce0fa3e1c4@xxxxxxxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Christoph Hellwig <hch@xxxxxx>
---
 block/genhd.c  | 1 -
 fs/block_dev.c | 7 ++++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/block/genhd.c b/block/genhd.c
index ed58ddf6258b..731a46063132 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -1084,7 +1084,6 @@ static void disk_release(struct device *dev)
 	might_sleep();
-	bdi_put(disk->bdi);
 	disk_release_events(disk);
 	kfree(disk->random);
 	xa_destroy(&disk->part_tbl);
diff --git a/fs/block_dev.c b/fs/block_dev.c
index 4bd2a632c79c..d3a8062302a0 100644
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -812,8 +812,11 @@ static void bdev_free_inode(struct inode *inode)
 	free_percpu(bdev->bd_stats);
 	kfree(bdev->bd_meta_info);
-	if (!bdev_is_partition(bdev))
+	if (!bdev_is_partition(bdev)) {
+		if (bdev->bd_disk && bdev->bd_disk->bdi)
+			bdi_put(bdev->bd_disk->bdi);
 		kfree(bdev->bd_disk);
+	}
 	if (MAJOR(bdev->bd_dev) == BLOCK_EXT_MAJOR)
 		blk_free_ext_minor(MINOR(bdev->bd_dev));
@@ -833,8 +836,6 @@ static void bdev_evict_inode(struct inode *inode)
 	truncate_inode_pages_final(&inode->i_data);
 	invalidate_inode_buffers(inode); /* is it needed here? */
 	clear_inode(inode);
-	/* Detach inode from wb early as bdi_put() may free bdi->wb */
-	inode_detach_wb(inode);
 }
 static const struct super_operations bdev_sops = {
--
2.30.2
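Review bot: The new `bdi_put(bdev->bd_disk->bdi)` in bdev_free_inode has no comment saying why the bdi is released from the inode free path instead of from disk_release (where the genhd.c hunk removes it), so a later cleanup is likely to move it back and reintroduce the use-after-free the description fixes. Suggest a comment above the inner `if`: `/* The inode's writeback state may still reference the bdi until the inode is torn down, so the bdi must be released here, not in disk_release(). */`. The `bdev->bd_disk && bdev->bd_disk->bdi` guard silently skips the put when either pointer is NULL; if a NULL bdi is not expected for a disk that reached this path, a `WARN_ON_ONCE(!bdev->bd_disk->bdi)` would make a leaked bdi visible rather than silent. Dropping inode_detach_wb() from bdev_evict_inode presumably relies on the generic inode destruction path detaching the wb before bdev_free_inode runs; that dependency is worth stating in the same comment. bdev_free_inode() starts and ends outside the hunk.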