On Mon 07-06-21 18:31:18, Roman Gushchin wrote: > isw_nr_in_flight is used do determine whether the inode switch queue > should be flushed from the umount path. Currently it's increased > after grabbing an inode and even scheduling the switch work. It means > the umount path can be walked past cleanup_offline_cgwb() with active > inode references, which can result in a "Busy inodes after unmount." > message and use-after-free issues (with inode->i_sb which gets freed). > > Fix it by incrementing isw_nr_in_flight before doing anything with > the inode and decrementing in the case when switching wasn't scheduled. > > The problem hasn't yet been seen in the real life and was discovered > by Jan Kara by looking into the code. > > Suggested-by: Jan Kara <jack@xxxxxxxx> > Signed-off-by: Roman Gushchin <guro@xxxxxx> Looks good. Feel free to add: Reviewed-by: Jan Kara <jack@xxxxxxx> Honza > --- > fs/fs-writeback.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c > index 3564efcc4b78..e2cc860a001b 100644 > --- a/fs/fs-writeback.c > +++ b/fs/fs-writeback.c > @@ -505,6 +505,8 @@ static void inode_switch_wbs(struct inode *inode, int new_wb_id) > if (!isw) > return; > > + atomic_inc(&isw_nr_in_flight); > + > /* find and pin the new wb */ > rcu_read_lock(); > memcg_css = css_from_id(new_wb_id, &memory_cgrp_subsys); > @@ -535,11 +537,10 @@ static void inode_switch_wbs(struct inode *inode, int new_wb_id) > * Let's continue after I_WB_SWITCH is guaranteed to be visible. > */ > call_rcu(&isw->rcu_head, inode_switch_wbs_rcu_fn); > - > - atomic_inc(&isw_nr_in_flight); > return; > > out_free: > + atomic_dec(&isw_nr_in_flight); > if (isw->new_wb) > wb_put(isw->new_wb); > kfree(isw); > -- > 2.31.1 > -- Jan Kara <jack@xxxxxxxx> SUSE Labs, CR
