Eric Biggers <ebiggers3@xxxxxxxxx> wrote:

> ->s_umount is released once here and again in destroy_unused_super().

Good catch, thanks. The interface has changed over the lifetime of the patches.

How about the attached patch?

David
---
commit b3899e214a6a0e0551f6dc707b28d61b11e718a5
Author: David Howells <dhowells@xxxxxxxxxx>
Date: Tue Jul 3 22:35:28 2018 +0100

vfs: Locking fix for sget_fc()

In sget_fc(), don't drop the s_umount lock before calling destroy_unused_super() as that will drop the lock.

Fixes: 8a2e54b8af88 ("vfs: Implement a filesystem superblock creation/configuration context")
Reported-by: Eric Biggers <ebiggers3@xxxxxxxxx>
Signed-off-by: David Howells <dhowells@xxxxxxxxxx>

diff --git a/fs/super.c b/fs/super.c index 43400f5fa33a..b014cd48a451 100644 --- a/fs/super.c +++ b/fs/super.c @@ -516,19 +516,14 @@ struct super_block *sget_fc(struct fs_context *fc, continue; if (fc->user_ns != old->s_user_ns) { spin_unlock(&sb_lock); - if (s) { - up_write(&s->s_umount); + if (s) destroy_unused_super(s); - } return ERR_PTR(-EBUSY); } if (!grab_super(old)) goto retry; - if (s) { - up_write(&s->s_umount); + if (s) destroy_unused_super(s); - s = NULL; - } return old; } } @@ -545,7 +540,6 @@ struct super_block *sget_fc(struct fs_context *fc, if (err) { s->s_fs_info = NULL; spin_unlock(&sb_lock); - up_write(&s->s_umount); destroy_unused_super(s); return ERR_PTR(err); }
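
Review bot: In the first hunk (@@ -516), the branch after grab_super(old) drops "s = NULL;" together with the up_write(), and that removal is not part of the locking fix. It is harmless because the function returns old on the next line, but the commit message only describes the s_umount change, so either mention the dead-store removal there or leave that line for a separate cleanup.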
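
Review bot: In the second hunk (@@ -545), the "if (err)" path becomes the third call site that depends on destroy_unused_super() releasing s_umount itself, and nothing at any of the call sites says so. A short comment at destroy_unused_super() stating that it is called with s_umount held and releases it, or a lockdep assertion there, would keep a later change from reintroducing the double release reported in this thread.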