linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] configfs: Fix config_item refcnt error in __configfs_open_file()
@ 2021-03-11 11:05 gregkh
  2021-03-11 11:16 ` Christoph Hellwig
  0 siblings, 1 reply; 3+ messages in thread
From: gregkh @ 2021-03-11 11:05 UTC (permalink / raw)
  To: Christoph Hellwig, Joel Becker
  Cc: linux-kernel, Al Viro, Daniel Rosenberg, stable, Greg Kroah-Hartman

From: Daniel Rosenberg <drosen@google.com>

__configfs_open_file() used to use configfs_get_config_item, but changed
in commit b0841eefd969 ("configfs: provide exclusion between IO and
removals") to just call to_item. The error path still tries to clean up
the reference, incorrectly decrementing the ref count.

Signed-off-by: Daniel Rosenberg <drosen@google.com>
Cc: stable@vger.kernel.org
Fixes: b0841eefd969 ("configfs: provide exclusion between IO and removals")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/configfs/file.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/fs/configfs/file.c b/fs/configfs/file.c
index 1f0270229d7b..8b7c8a8a09f3 100644
--- a/fs/configfs/file.c
+++ b/fs/configfs/file.c
@@ -378,7 +378,7 @@ static int __configfs_open_file(struct inode *inode, struct file *file, int type
 
 	attr = to_attr(dentry);
 	if (!attr)
-		goto out_put_item;
+		goto out_put_module;
 
 	if (type & CONFIGFS_ITEM_BIN_ATTR) {
 		buffer->bin_attr = to_bin_attr(dentry);
@@ -391,7 +391,7 @@ static int __configfs_open_file(struct inode *inode, struct file *file, int type
 	/* Grab the module reference for this attribute if we have one */
 	error = -ENODEV;
 	if (!try_module_get(buffer->owner))
-		goto out_put_item;
+		goto out_put_module;
 
 	error = -EACCES;
 	if (!buffer->item->ci_type)
@@ -435,8 +435,6 @@ static int __configfs_open_file(struct inode *inode, struct file *file, int type
 
 out_put_module:
 	module_put(buffer->owner);
-out_put_item:
-	config_item_put(buffer->item);
 out_free_buffer:
 	up_read(&frag->frag_sem);
 	kfree(buffer);
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] configfs: Fix config_item refcnt error in __configfs_open_file()
  2021-03-11 11:05 [PATCH] configfs: Fix config_item refcnt error in __configfs_open_file() gregkh
@ 2021-03-11 11:16 ` Christoph Hellwig
  2021-03-11 11:29   ` Greg KH
  0 siblings, 1 reply; 3+ messages in thread
From: Christoph Hellwig @ 2021-03-11 11:16 UTC (permalink / raw)
  To: gregkh
  Cc: Christoph Hellwig, Joel Becker, linux-kernel, Al Viro,
	Daniel Rosenberg, stable

I've actually just queued up a similar patch from Daiyue Zhang.

> -		goto out_put_item;
> +		goto out_put_module;
>  
>  	if (type & CONFIGFS_ITEM_BIN_ATTR) {
>  		buffer->bin_attr = to_bin_attr(dentry);
> @@ -391,7 +391,7 @@ static int __configfs_open_file(struct inode *inode, struct file *file, int type
>  	/* Grab the module reference for this attribute if we have one */
>  	error = -ENODEV;
>  	if (!try_module_get(buffer->owner))
> -		goto out_put_item;
> +		goto out_put_module;
>  
>  	error = -EACCES;
>  	if (!buffer->item->ci_type)
> @@ -435,8 +435,6 @@ static int __configfs_open_file(struct inode *inode, struct file *file, int type
>  
>  out_put_module:
>  	module_put(buffer->owner);
> -out_put_item:
> -	config_item_put(buffer->item);
>  out_free_buffer:

But the goto labe changes here look incorrect anyway, as they now introduce
a double put on the module..

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH] configfs: Fix config_item refcnt error in __configfs_open_file()
  2021-03-11 11:16 ` Christoph Hellwig
@ 2021-03-11 11:29   ` Greg KH
  0 siblings, 0 replies; 3+ messages in thread
From: Greg KH @ 2021-03-11 11:29 UTC (permalink / raw)
  To: Christoph Hellwig
  Cc: Joel Becker, linux-kernel, Al Viro, Daniel Rosenberg, stable

On Thu, Mar 11, 2021 at 12:16:25PM +0100, Christoph Hellwig wrote:
> I've actually just queued up a similar patch from Daiyue Zhang.
> 
> > -		goto out_put_item;
> > +		goto out_put_module;
> >  
> >  	if (type & CONFIGFS_ITEM_BIN_ATTR) {
> >  		buffer->bin_attr = to_bin_attr(dentry);
> > @@ -391,7 +391,7 @@ static int __configfs_open_file(struct inode *inode, struct file *file, int type
> >  	/* Grab the module reference for this attribute if we have one */
> >  	error = -ENODEV;
> >  	if (!try_module_get(buffer->owner))
> > -		goto out_put_item;
> > +		goto out_put_module;
> >  
> >  	error = -EACCES;
> >  	if (!buffer->item->ci_type)
> > @@ -435,8 +435,6 @@ static int __configfs_open_file(struct inode *inode, struct file *file, int type
> >  
> >  out_put_module:
> >  	module_put(buffer->owner);
> > -out_put_item:
> > -	config_item_put(buffer->item);
> >  out_free_buffer:
> 
> But the goto labe changes here look incorrect anyway, as they now introduce
> a double put on the module..

Oops, should be one label lower.  Daniel must not have checked this on
a system with modules :)

Let me go fix this up...

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-03-11 11:30 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-11 11:05 [PATCH] configfs: Fix config_item refcnt error in __configfs_open_file() gregkh
2021-03-11 11:16 ` Christoph Hellwig
2021-03-11 11:29   ` Greg KH

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).