Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp171755pxb;
        Fri, 8 Jan 2021 01:38:39 -0800 (PST)
X-Google-Smtp-Source: ABdhPJznhd75uDK6qNMvXb9TDhKhdvMsa97xmzPJsIioWsO+hG9gmshyHxv5MdivmMdAsuGj0XHF
X-Received: by 2002:aa7:d5d6:: with SMTP id d22mr4594701eds.160.1610098719439;
        Fri, 08 Jan 2021 01:38:39 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1610098719; cv=none;
        d=google.com; s=arc-20160816;
        b=BsgMs7DBEbMtAwPbIWkZTGyJ+iRsxt2F28vMLZnHr8+chZaLpQ3a4DyHfTYrY9zK3W
         fff7nzNFPNgTtTViDIvp5JuTyIwQjffbS37k+DU3mmlCMwx6oPg8Q291piIcina8o0ct
         TmmrVxasq0iGvGmoFA8nSzwr/Gg/wrpBKKnYzrp6bhr/tESpl7xZ7hIO4mOAkDAa8r/A
         e+Bue/tkfY7//jdcLhtBfUGEzdYa8QwvKClYCLrBugSL8FCqWf9zduH+1+SIvRmdPfud
         /Lksqoep/dnlmKlhtxWfwufyP4UjBCsq1SV5JGLLSD+B1Ld51HRRZ1gDBEmdC5fmhecI
         Ghvw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:user-agent:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date;
        bh=NcXUnQ2H6P4MHHNyyR4wzfk+dKIVwjuFKfUNiq074og=;
        b=X6eeuGRWuQx41ZIAO3AVwHNY6d88QZ6OrtXrgDDb/KSlf1gEGhmTbMbl6q3p/YdXsN
         e8tp6mfX/eim++7pbR1HmsAeB9f9mk4E6edMfxm4jtTNdZzHxjgAQN/ViJ4A0PFCE8YT
         rOj2WAXwDnwPhwu+4nPwFvlbHVobPxLt5d3PHleqG7GyD6NjI4qbD3WCAsbNFWvcWZrJ
         4BoF41YdQNTxrCzzV8QiQZWK5ehrj6GMLVCJ8sZiWKj82rdOhOZIkSj8vrQOddyUJ2O0
         D5pRjvCRpQDuM2jmtjEYEZnSNR3iDo8ifgjlReaLfHcYtaaANigKqGtunGiCl3pjACDi
         aXtA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id qo17si3304640ejb.296.2021.01.08.01.38.14;
        Fri, 08 Jan 2021 01:38:39 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727614AbhAHJhE (ORCPT <rfc822;linuxmindflow@gmail.com>
        + 99 others); Fri, 8 Jan 2021 04:37:04 -0500
Received: from verein.lst.de ([213.95.11.211]:43255 "EHLO verein.lst.de"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1727294AbhAHJhE (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 8 Jan 2021 04:37:04 -0500
Received: by verein.lst.de (Postfix, from userid 2407)
        id BE02E67373; Fri,  8 Jan 2021 10:36:21 +0100 (CET)
Date:   Fri, 8 Jan 2021 10:36:21 +0100
From:   Christoph Hellwig <hch@lst.de>
To:     Satya Tangirala <satyat@google.com>
Cc:     Bob Peterson <rpeterso@redhat.com>, Christoph Hellwig <hch@lst.de>,
        Alexander Viro <viro@zeniv.linux.org.uk>,
        linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
        Jens Axboe <axboe@kernel.dk>
Subject: Re: [PATCH] fs: Fix freeze_bdev()/thaw_bdev() accounting of
 bd_fsfreeze_sb
Message-ID: <20210108093621.GA3788@lst.de>
References: <20201224044954.1349459-1-satyat@google.com> <20210107162000.GA2693@lst.de> <1137375419.42956970.1610036857271.JavaMail.zimbra@redhat.com> <X/eUd4iLxnl2nYRF@google.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <X/eUd4iLxnl2nYRF@google.com>
User-Agent: Mutt/1.5.17 (2007-11-01)
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jan 07, 2021 at 11:08:39PM +0000, Satya Tangirala wrote:
> >  		error = sb->s_op->freeze_super(sb);
> >  	else
> > @@ -600,6 +602,7 @@ int thaw_bdev(struct block_device *bdev)
> >  	if (!sb)
> >  		goto out;
> >  
> > +	bdev->bd_fsfreeze_sb = NULL;
> This causes bdev->bd_fsfreeze_sb to be set to NULL even if the call to
> thaw_super right after this line fail. So if a caller tries to call
> thaw_bdev() again after receiving such an error, that next call won't even
> try to call thaw_super(). Is that what we want here?  (I don't know much
> about this code, but from a cursory glance I think this difference is
> visible to emergency_thaw_bdev() in fs/buffer.c)

Yes, that definitively is an issue.

> 
> I think the second difference (decrementing bd_fsfreeze_count when
> get_active_super() returns NULL) doesn't change anything w.r.t the
> use-after-free. It does however, change the behaviour of the function
> slightly, and it might be caller visible (because from a cursory glance, it
> looks like we're reading the bd_fsfreeze_count from some other places like
> fs/super.c). Even before 040f04bd2e82, the code wouldn't decrement
> bd_fsfreeze_count when get_active_super() returned NULL - so is this change
> in behaviour intentional? And if so, maybe it should go in a separate
> patch?

Yes, that would be a change in behavior.  And I'm not sure why we would
want to change it.  But if so we should do it in a separate patch that
documents the why, on top of the patch that already is in the block tree.