David Wysochanski <dwysocha@xxxxxxxxxx> wrote:

> > [ 432.921382] BUG: KASAN: use-after-free in
> > fscache_unhash_cookie+0x9e/0x160 [fscache]

I think the patch below is the way to fix this.

David
---
fscache: Need to go round again after processing LRU_DISCARDING state

There's a race between the LRU discard and relinquishment actions. In the
state machine, fscache_cookie_state_machine(), the ACTIVE state transits to
the LRU_DISCARD state in preference to transiting to the RELINQUISHING or
WITHDRAWING states. This should be fine, but the LRU_DISCARDING state just
breaks out the bottom of the function without going round again after
transiting to the QUIESCENT state.

However, if both LRU discard and relinquishment happen *before* the SM runs,
one of the queue events will get discarded, along with the ref that would be
associated with it. The last ref is then discarded and the cookie is removed
without completing the relinquishment process - leaving the cookie hashed.

The fix is to make sure that the SM always goes back around after changing
the state.

Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
---
diff --git a/fs/fscache/cookie.c b/fs/fscache/cookie.c index d7e825d636e2..8d0769a5ee2b 100644 --- a/fs/fscache/cookie.c +++ b/fs/fscache/cookie.c @@ -755,7 +755,7 @@ static void fscache_cookie_state_machine(struct fscache_cookie *cookie) set_bit(FSCACHE_COOKIE_NO_DATA_TO_READ, &cookie->flags); __fscache_set_cookie_state(cookie, FSCACHE_COOKIE_STATE_QUIESCENT); wake = true; - break; + goto again_locked; case FSCACHE_COOKIE_STATE_DROPPED: break;
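Review bot: the single `break;` replaced by `goto again_locked;` after `__fscache_set_cookie_state(cookie, FSCACHE_COOKIE_STATE_QUIESCENT);` is the whole fix, but the `again_locked` label and the code after the switch are outside the hunk, so confirm that the jump is taken with the cookie lock still held (as the label name implies) and that the `wake = true;` set just above is still acted on once the state machine finally leaves the loop rather than being lost on re-entry. Since the commit message, not the code, carries the reason this state alone must not fall out of the function, a one-line comment above the `goto` (e.g. `/* Go round again: a RELINQUISH/WITHDRAW event may be pending */`) would stop a later reader from treating the bare `goto` where every neighbouring case uses `break;` as a mistake.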