On Tue, Jul 09, 2013 at 09:51:24PM +0200, Jan Kara wrote:
> The following race can lead to ext4_evict_inode() seeing i_ioend_count > 0
> and thus triggering a sanity check warning:
>
>     CPU1                          CPU2
> ext4_end_bio()                    ext4_evict_inode()
>   ext4_finish_bio()
>     end_page_writeback();
>                                   truncate_inode_pages()
>                                     evict page
>                                   WARN_ON(i_ioend_count > 0);
>   ext4_put_io_end_defer()
>     ext4_release_io_end()
>       dec i_ioend_count
>
> This is a possible use-after-free bug since we decrement i_ioend_count in a
> possibly released inode.
>
> Since i_ioend_count is used only for sanity checks one possible solution
> would be to just remove it but for now I'd like to keep those sanity
> checks to help debugging the new ext4 writeback code.
>
> This patch changes ext4_end_bio() to call ext4_put_io_end_defer() before
> ext4_finish_bio() in the shortcut case when unwritten extent conversion
> isn't needed. In that case we don't need the io_end so we are safe to
> drop it early.
>
> Reported-by: Guenter Roeck <linux@xxxxxxxxxxxx>
> Signed-off-by: Jan Kara <jack@xxxxxxx>
> ---

I just saw the problem again, oddly enough while building an image with this patch.
I'll run the kernel with the patch and let you know how it goes.

Guenter
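The race in the quoted description comes down to ordering: once the last page's writeback bit is cleared, the waiter in ext4_evict_inode() may run, so any touch of the inode after that point (here, the decrement of i_ioend_count) is a use-after-free window. The following sequential model is an added example and not code from the patch or from the kernel; every name in it (model_inode, model_io_end, run_old_ordering, run_new_ordering) is a simplified stand-in, and CPU2 is modelled as an observer that runs the moment the last writeback bit is cleared, which is the earliest point the real eviction could proceed. It shows that the pre-patch ordering lets the sanity check observe a count of 1, while dropping the io_end first in the shortcut case leaves the count at 0 before the inode can be evicted.

```c
#include <stdio.h>
#include <stdbool.h>

#define NPAGES 4

/* Simplified stand-in for the inode fields the race touches. */
struct model_inode {
    int  i_ioend_count;            /* outstanding io_end objects */
    bool page_writeback[NPAGES];   /* per-page PG_writeback */
    int  warn_seen;                /* value WARN_ON(i_ioend_count > 0) observed; -1 = not yet */
    bool evicted;
};

/* Simplified stand-in for ext4_io_end. */
struct model_io_end {
    struct model_inode *inode;
    bool needs_unwritten_conversion;   /* false selects the "shortcut" case */
};

/* CPU2: ext4_evict_inode() cannot proceed while any page is under writeback.
 * Once it can, it records what the sanity check would see and frees the inode. */
static void model_evict_inode(struct model_inode *inode)
{
    for (int i = 0; i < NPAGES; i++)
        if (inode->page_writeback[i])
            return;                 /* still waiting for writeback */
    inode->warn_seen = inode->i_ioend_count;
    inode->evicted = true;
}

/* end_page_writeback(): clearing the bit is what wakes the waiter on CPU2. */
static void model_end_page_writeback(struct model_inode *inode, int page)
{
    inode->page_writeback[page] = false;
    model_evict_inode(inode);       /* CPU2 may run right here */
}

/* ext4_finish_bio(): release every page of the bio. */
static void model_finish_bio(struct model_io_end *io_end)
{
    for (int i = 0; i < NPAGES; i++)
        model_end_page_writeback(io_end->inode, i);
}

/* ext4_put_io_end_defer() in the shortcut case: nothing to convert, so the
 * io_end is released immediately and the inode's count is decremented. */
static void model_put_io_end_defer(struct model_io_end *io_end)
{
    io_end->inode->i_ioend_count--;
}

static void setup(struct model_inode *inode, struct model_io_end *io_end)
{
    inode->i_ioend_count = 1;       /* one io_end in flight for this inode */
    for (int i = 0; i < NPAGES; i++)
        inode->page_writeback[i] = true;
    inode->warn_seen = -1;
    inode->evicted = false;
    io_end->inode = inode;
    io_end->needs_unwritten_conversion = false;
}

/* Ordering before the patch: pages are released first, io_end dropped after.
 * Returns the count the sanity check observed (1 means the warning fires, and
 * the decrement that follows touches an inode CPU2 has already evicted). */
static int run_old_ordering(void)
{
    struct model_inode inode;
    struct model_io_end io_end;
    setup(&inode, &io_end);

    model_finish_bio(&io_end);
    model_put_io_end_defer(&io_end);    /* too late: inode may already be gone */
    return inode.warn_seen;
}

/* Ordering after the patch: in the shortcut case the io_end is dropped
 * before any page is released, so the count is already 0 when CPU2 runs. */
static int run_new_ordering(void)
{
    struct model_inode inode;
    struct model_io_end io_end;
    setup(&inode, &io_end);

    if (!io_end.needs_unwritten_conversion)
        model_put_io_end_defer(&io_end);
    model_finish_bio(&io_end);
    return inode.warn_seen;
}

int main(void)
{
    printf("old ordering: WARN_ON sees i_ioend_count = %d\n", run_old_ordering());
    printf("new ordering: WARN_ON sees i_ioend_count = %d\n", run_new_ordering());
    return 0;
}
```

The model is deliberately sequential: it does not reproduce the timing, only the fact that the writeback bit is the synchronisation point, which is all the ordering argument in the patch description depends on.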