* [PATCH] configfs: Fix config_item refcnt error in __configfs_open_file()
@ 2021-03-11 11:05 gregkh
2021-03-11 11:16 ` Christoph Hellwig
0 siblings, 1 reply; 3+ messages in thread
From: gregkh @ 2021-03-11 11:05 UTC (permalink / raw)
To: Christoph Hellwig, Joel Becker
Cc: linux-kernel, Al Viro, Daniel Rosenberg, stable, Greg Kroah-Hartman
From: Daniel Rosenberg <drosen@google.com>
__configfs_open_file() used to use configfs_get_config_item, but changed
in commit b0841eefd969 ("configfs: provide exclusion between IO and
removals") to just call to_item. The error path still tries to clean up
the reference, incorrectly decrementing the ref count.
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Cc: stable@vger.kernel.org
Fixes: b0841eefd969 ("configfs: provide exclusion between IO and removals")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/configfs/file.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/fs/configfs/file.c b/fs/configfs/file.c
index 1f0270229d7b..8b7c8a8a09f3 100644
--- a/fs/configfs/file.c
+++ b/fs/configfs/file.c
@@ -378,7 +378,7 @@ static int __configfs_open_file(struct inode *inode, struct file *file, int type
attr = to_attr(dentry);
if (!attr)
- goto out_put_item;
+ goto out_put_module;
if (type & CONFIGFS_ITEM_BIN_ATTR) {
buffer->bin_attr = to_bin_attr(dentry);
@@ -391,7 +391,7 @@ static int __configfs_open_file(struct inode *inode, struct file *file, int type
/* Grab the module reference for this attribute if we have one */
error = -ENODEV;
if (!try_module_get(buffer->owner))
- goto out_put_item;
+ goto out_put_module;
error = -EACCES;
if (!buffer->item->ci_type)
@@ -435,8 +435,6 @@ static int __configfs_open_file(struct inode *inode, struct file *file, int type
out_put_module:
module_put(buffer->owner);
-out_put_item:
- config_item_put(buffer->item);
out_free_buffer:
up_read(&frag->frag_sem);
kfree(buffer);
--
2.30.2
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] configfs: Fix config_item refcnt error in __configfs_open_file()
2021-03-11 11:05 [PATCH] configfs: Fix config_item refcnt error in __configfs_open_file() gregkh
@ 2021-03-11 11:16 ` Christoph Hellwig
2021-03-11 11:29 ` Greg KH
0 siblings, 1 reply; 3+ messages in thread
From: Christoph Hellwig @ 2021-03-11 11:16 UTC (permalink / raw)
To: gregkh
Cc: Christoph Hellwig, Joel Becker, linux-kernel, Al Viro,
Daniel Rosenberg, stable
I've actually just queued up a similar patch from Daiyue Zhang.
> - goto out_put_item;
> + goto out_put_module;
>
> if (type & CONFIGFS_ITEM_BIN_ATTR) {
> buffer->bin_attr = to_bin_attr(dentry);
> @@ -391,7 +391,7 @@ static int __configfs_open_file(struct inode *inode, struct file *file, int type
> /* Grab the module reference for this attribute if we have one */
> error = -ENODEV;
> if (!try_module_get(buffer->owner))
> - goto out_put_item;
> + goto out_put_module;
>
> error = -EACCES;
> if (!buffer->item->ci_type)
> @@ -435,8 +435,6 @@ static int __configfs_open_file(struct inode *inode, struct file *file, int type
>
> out_put_module:
> module_put(buffer->owner);
> -out_put_item:
> - config_item_put(buffer->item);
> out_free_buffer:
But the goto labe changes here look incorrect anyway, as they now introduce
a double put on the module..
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] configfs: Fix config_item refcnt error in __configfs_open_file()
2021-03-11 11:16 ` Christoph Hellwig
@ 2021-03-11 11:29 ` Greg KH
0 siblings, 0 replies; 3+ messages in thread
From: Greg KH @ 2021-03-11 11:29 UTC (permalink / raw)
To: Christoph Hellwig
Cc: Joel Becker, linux-kernel, Al Viro, Daniel Rosenberg, stable
On Thu, Mar 11, 2021 at 12:16:25PM +0100, Christoph Hellwig wrote:
> I've actually just queued up a similar patch from Daiyue Zhang.
>
> > - goto out_put_item;
> > + goto out_put_module;
> >
> > if (type & CONFIGFS_ITEM_BIN_ATTR) {
> > buffer->bin_attr = to_bin_attr(dentry);
> > @@ -391,7 +391,7 @@ static int __configfs_open_file(struct inode *inode, struct file *file, int type
> > /* Grab the module reference for this attribute if we have one */
> > error = -ENODEV;
> > if (!try_module_get(buffer->owner))
> > - goto out_put_item;
> > + goto out_put_module;
> >
> > error = -EACCES;
> > if (!buffer->item->ci_type)
> > @@ -435,8 +435,6 @@ static int __configfs_open_file(struct inode *inode, struct file *file, int type
> >
> > out_put_module:
> > module_put(buffer->owner);
> > -out_put_item:
> > - config_item_put(buffer->item);
> > out_free_buffer:
>
> But the goto labe changes here look incorrect anyway, as they now introduce
> a double put on the module..
Oops, should be one label lower. Daniel must not have checked this on
a system with modules :)
Let me go fix this up...
thanks,
greg k-h
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-03-11 11:30 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-11 11:05 [PATCH] configfs: Fix config_item refcnt error in __configfs_open_file() gregkh
2021-03-11 11:16 ` Christoph Hellwig
2021-03-11 11:29 ` Greg KH
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).