fix del_timer() misuse for ->s_err_report

Message ID	20131204072926.GK10323@ZenIV.linux.org.uk
State	Accepted, archived
Headers	show Return-Path: <linux-ext4-owner@vger.kernel.org> Date: Wed, 4 Dec 2013 07:29:26 +0000 From: Al Viro <viro@ZenIV.linux.org.uk> To: Theodore Ts'o <tytso@mit.edu> Cc: linux-kernel@vger.kernel.org, linux-ext4@vger.kernel.org Subject: [PATCH] fix del_timer() misuse for ->s_err_report Message-ID: <20131204072926.GK10323@ZenIV.linux.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-ext4-owner@vger.kernel.org Precedence: bulk

Message ID

20131204072926.GK10323@ZenIV.linux.org.uk

State

Accepted, archived

Headers

Date: Wed, 4 Dec 2013 07:29:26 +0000
From: Al Viro <viro@ZenIV.linux.org.uk>
To: Theodore Ts'o <tytso@mit.edu>
Cc: linux-kernel@vger.kernel.org, linux-ext4@vger.kernel.org
Subject: [PATCH] fix del_timer() misuse for ->s_err_report
Message-ID: <20131204072926.GK10323@ZenIV.linux.org.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-ext4-owner@vger.kernel.org
Precedence: bulk

Commit Message

Al Viro Dec. 4, 2013, 7:29 a.m. UTC

That thing should be del_timer_sync(); consider what happens
if ext4_put_super() call of del_timer() happens to come just as it's
getting run on another CPU.  Since that timer reschedules itself
to run next day, you are pretty much guaranteed that you'll end up
with kfree'd scheduled timer, with usual fun consequences.  AFAICS,
that's -stable fodder all way back to 2010... [the second del_timer_sync()
is almost certainly not needed, but it doesn't hurt either]

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Theodore Ts'o Dec. 9, 2013, 1:56 a.m. UTC | #1

On Wed, Dec 04, 2013 at 07:29:26AM +0000, Al Viro wrote:
> That thing should be del_timer_sync(); consider what happens
> if ext4_put_super() call of del_timer() happens to come just as it's
> getting run on another CPU.  Since that timer reschedules itself
> to run next day, you are pretty much guaranteed that you'll end up
> with kfree'd scheduled timer, with usual fun consequences.  AFAICS,
> that's -stable fodder all way back to 2010... [the second del_timer_sync()
> is almost certainly not needed, but it doesn't hurt either]
> 
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

Nice catch.  Thanks, applied.

						- Ted
--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index c977f4e..9d70c0c 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -792,7 +792,7 @@  static void ext4_put_super(struct super_block *sb)
 	}
 
 	ext4_es_unregister_shrinker(sbi);
-	del_timer(&sbi->s_err_report);
+	del_timer_sync(&sbi->s_err_report);
 	ext4_release_system_zone(sb);
 	ext4_mb_release(sb);
 	ext4_ext_release(sb);
@@ -4184,7 +4184,7 @@  failed_mount_wq:
 	}
 failed_mount3:
 	ext4_es_unregister_shrinker(sbi);
-	del_timer(&sbi->s_err_report);
+	del_timer_sync(&sbi->s_err_report);
 	if (sbi->s_flex_groups)
 		ext4_kvfree(sbi->s_flex_groups);
 	percpu_counter_destroy(&sbi->s_freeclusters_counter);

fix del_timer() misuse for ->s_err_report

Commit Message

Comments

Patch