Skip to content

Commit aa97f6c

Browse files
linfeng2999axboe
linfeng2999
authored and
axboe
committed
bcache: fix NULL pointer reference in cached_dev_detach_finish
Commit 0259d44 ("bcache: move calc_cached_dev_sectors to proper place on backing device detach") tries to fix calc_cached_dev_sectors when bcache device detaches, but now we have: cached_dev_detach_finish ... bcache_device_detach(&dc->disk); ... closure_put(&d->c->caching); d->c = NULL; [*explicitly set dc->disk.c to NULL*] list_move(&dc->list, &uncached_devices); calc_cached_dev_sectors(dc->disk.c); [*passing a NULL pointer*] ... Upper codeflows shows how bug happens, this patch fix the problem by caching dc->disk.c beforehand, and cache_set won't be freed under us because c->caching closure at least holds a reference count and closure callback __cache_set_unregister only being called by bch_cache_set_stop which using closure_queue(&c->caching), that means c->caching closure callback for destroying cache_set won't be trigger by previous closure_put(&d->c->caching). So at this stage(while cached_dev_detach_finish is calling) it's safe to access cache_set dc->disk.c. Fixes: 0259d44 ("bcache: move calc_cached_dev_sectors to proper place on backing device detach") Signed-off-by: Lin Feng <linf@wangsu.com> Signed-off-by: Coly Li <colyli@suse.de> Link: https://lore.kernel.org/r/20211112053629.3437-2-colyli@suse.de Signed-off-by: Jens Axboe <axboe@kernel.dk>
1 parent cb2ac29 commit aa97f6c

1 file changed

Lines changed: 2 additions & 1 deletion

File tree

drivers/md/bcache/super.c

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1139,6 +1139,7 @@ static void cancel_writeback_rate_update_dwork(struct cached_dev *dc)
11391139
static void cached_dev_detach_finish(struct work_struct *w)
11401140
{
11411141
struct cached_dev *dc = container_of(w, struct cached_dev, detach);
1142+
struct cache_set *c = dc->disk.c;
11421143

11431144
BUG_ON(!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags));
11441145
BUG_ON(refcount_read(&dc->count));
@@ -1156,7 +1157,7 @@ static void cached_dev_detach_finish(struct work_struct *w)
11561157

11571158
bcache_device_detach(&dc->disk);
11581159
list_move(&dc->list, &uncached_devices);
1159-
calc_cached_dev_sectors(dc->disk.c);
1160+
calc_cached_dev_sectors(c);
11601161

11611162
clear_bit(BCACHE_DEV_DETACHING, &dc->disk.flags);
11621163
clear_bit(BCACHE_DEV_UNLINK_DONE, &dc->disk.flags);

0 commit comments

Comments
 (0)