From: Roman Gushchin
To: Jan Kara, Tejun Heo
CC: Alexander Viro, Dennis Zhou, Dave Chinner, Roman Gushchin, Jan Kara
Subject: [PATCH v8 3/8] writeback, cgroup: increment isw_nr_in_flight before grabbing an inode
Date: Mon, 7 Jun 2021 18:31:18 -0700
Message-ID: <20210608013123.1088882-4-guro@fb.com>
In-Reply-To: <20210608013123.1088882-1-guro@fb.com>
References: <20210608013123.1088882-1-guro@fb.com>
X-Mailing-List: linux-kernel@vger.kernel.org

isw_nr_in_flight is used to determine whether the inode switch queue should be flushed from the umount path. Currently it's increased after grabbing an inode and even scheduling the switch work. It means the umount path can be walked past cleanup_offline_cgwb() with active inode references, which can result in a "Busy inodes after unmount." message and use-after-free issues (with inode->i_sb which gets freed).

Fix it by incrementing isw_nr_in_flight before doing anything with the inode and decrementing in the case when switching wasn't scheduled.

The problem hasn't yet been seen in real life and was discovered by Jan Kara by looking into the code.

Suggested-by: Jan Kara
Signed-off-by: Roman Gushchin --- fs/fs-writeback.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c index 3564efcc4b78..e2cc860a001b 100644 --- a/fs/fs-writeback.c +++ b/fs/fs-writeback.c @@ -505,6 +505,8 @@ static void inode_switch_wbs(struct inode *inode, int= new_wb_id) if (!isw) return; =20 + atomic_inc(&isw_nr_in_flight); + /* find and pin the new wb */ rcu_read_lock(); memcg_css =3D css_from_id(new_wb_id, &memory_cgrp_subsys); @@ -535,11 +537,10 @@ static void inode_switch_wbs(struct inode *inode, i= nt new_wb_id) * Let's continue after I_WB_SWITCH is guaranteed to be visible. */ call_rcu(&isw->rcu_head, inode_switch_wbs_rcu_fn); - - atomic_inc(&isw_nr_in_flight); return; =20 out_free: + atomic_dec(&isw_nr_in_flight); if (isw->new_wb) wb_put(isw->new_wb); kfree(isw); --=20 2.31.1
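Review bot: In the first hunk (@@ -505,6 +505,8 @@), the new atomic_inc(&isw_nr_in_flight) placed right after the "if (!isw) return;" check has no comment explaining why it must come before the wb lookup and the inode grab. That placement is the entire fix according to the changelog, so a short comment there (the umount path uses isw_nr_in_flight to decide whether to flush the switch queue, so the count has to be raised before any inode reference is taken) would stop a later cleanup from moving it back next to call_rcu(). Also, atomic_inc() implies no memory ordering; if the umount-side check depends on observing the increment before the inode reference exists, the changelog or a comment should state what provides that ordering.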
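Review bot: In the second hunk (@@ -535,11 +537,10 @@), the atomic_dec(&isw_nr_in_flight) added under out_free: balances the early increment only if every failure exit taken after that increment goes through this label. The visible context shows a single label, so any bare return between the increment and call_rcu() would leave the counter elevated and make the umount path flush the switch queue for work that was never scheduled. Please confirm that all such exits use "goto out_free", and consider a one-line comment at the atomic_dec() pairing it with the increment at the top of inode_switch_wbs().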