Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp402798pxp;
        Wed, 16 Mar 2022 08:07:31 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzvnRo6PTxtPhKVzOYEGJPLfEvF7ivmYP4S/QJuBHvekiArUD41N3Xfvpez89k+g2ODYUm8
X-Received: by 2002:a9d:6358:0:b0:5b2:48e2:7aed with SMTP id y24-20020a9d6358000000b005b248e27aedmr180862otk.70.1647443251688;
        Wed, 16 Mar 2022 08:07:31 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1647443251; cv=none;
        d=google.com; s=arc-20160816;
        b=gFHMajrTjNZEW+WQB5aGFs5eVf0bXnp9wULLxmn5sLKJr4GJCY4iRhhVyrmLXNV6PZ
         jZrWWqn/HTdJnmYMDbEyfpLRvF9i+5otzePA2/Z/cwp75KgKKt6zKeRL5mcpEJmaq9T0
         iRH1SsWGbc5fwgnvQcnE/zH04+VxntV/iqC9l/1ZMx91s6lFGXhZ4qX07Kox8lL2/sVr
         8tlJNWMaCjX+Ka/Rr6X1Gac5arnL33zKc7BXqOpV2ytUAJ/pWyHAYuGORVmNHLJz5N3P
         hhH7wFQgPK+shqGwfVG8K8hmSXaIDucvzvjrhGIwHmQos/d0NqchT4LENmB8TUPa/i8X
         ceEg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=pnmlfyHr7HPPQj7/5zlXGi2amzWnjEUzVrKnbTNeSmc=;
        b=lx958P4vyz8s4sLJr2li2h41M9EGQvQnCrYlEfOpj4/uTaLBekRfsCnXAn3582wvbK
         zUmxWNLVpZV4a38FHU3BUms95lQE6NJr2THWXaiUC8qWGUC6/yDK6ILEyaOqTqw2VWy3
         oa+fZmGOHyUaQr1uOMrasaixh/mVDkJR8NgabiyS7qj/7RWsLGhwxxmPeqPsbbzTLUh9
         c8tBUwbxyCM5dMy6T54A8ZShevnmfCg+5OEhNvsJXxhugw3KJfQgosyE7LUmZFO0VmAT
         dgl7SJlEQRgTb8ln3Ky72rthYKcFa/GAvxgaouOuP0wUI2PUPvWDkVwTlZNfZb/LPmQB
         Nc6g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=k06gW234;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id be27-20020a056808219b00b002d9e19318b1si1033371oib.96.2022.03.16.08.07.16;
        Wed, 16 Mar 2022 08:07:31 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=k06gW234;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S240837AbiCNMNe (ORCPT <rfc822;shakeebbk@gmail.com> + 99 others);
        Mon, 14 Mar 2022 08:13:34 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56192 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S242917AbiCNMLS (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 14 Mar 2022 08:11:18 -0400
Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4A73233A28;
        Mon, 14 Mar 2022 05:10:08 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id CCBF7B80DF7;
        Mon, 14 Mar 2022 12:10:06 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7B9AEC340EC;
        Mon, 14 Mar 2022 12:10:04 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1647259805;
        bh=jSQBdgjmG/0puOUtBTQLeaUF/iDNY/kxEsrAKEP7R2Y=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=k06gW234fdo8rx7UK6d3USApiKWYvHZ7mBVizPwWbbKaJYhwj+Fw18EECOwogUsqh
         0YRjguvWTQB/QpCOlpD8oORnhtK3/8V+mBhjyKVr7kQbgMKqFsOUf/Y/24VFyP+6Ua
         NM+AXEHz1IK6iVEUbgIS71qotfvbdXPRWIG1P9QQ=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Jann Horn <jannh@google.com>,
        David Howells <dhowells@redhat.com>,
        Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 5.15 094/110] watch_queue, pipe: Free watchqueue state after clearing pipe ring
Date:   Mon, 14 Mar 2022 12:54:36 +0100
Message-Id: <20220314112745.651950510@linuxfoundation.org>
X-Mailer: git-send-email 2.35.1
In-Reply-To: <20220314112743.029192918@linuxfoundation.org>
References: <20220314112743.029192918@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-8.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: David Howells <dhowells@redhat.com>

commit db8facfc9fafacefe8a835416a6b77c838088f8b upstream.

In free_pipe_info(), free the watchqueue state after clearing the pipe
ring as each pipe ring descriptor has a release function, and in the
case of a notification message, this is watch_queue_pipe_buf_release()
which tries to mark the allocation bitmap that was previously released.

Fix this by moving the put of the pipe's ref on the watch queue to after
the ring has been cleared.  We still need to call watch_queue_clear()
before doing that to make sure that the pipe is disconnected from any
notification sources first.

Fixes: c73be61cede5 ("pipe: Add general notification queue support")
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/pipe.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -830,10 +830,8 @@ void free_pipe_info(struct pipe_inode_in
 	int i;
 
 #ifdef CONFIG_WATCH_QUEUE
-	if (pipe->watch_queue) {
+	if (pipe->watch_queue)
 		watch_queue_clear(pipe->watch_queue);
-		put_watch_queue(pipe->watch_queue);
-	}
 #endif
 
 	(void) account_pipe_buffers(pipe->user, pipe->nr_accounted, 0);
@@ -843,6 +841,10 @@ void free_pipe_info(struct pipe_inode_in
 		if (buf->ops)
 			pipe_buf_release(pipe, buf);
 	}
+#ifdef CONFIG_WATCH_QUEUE
+	if (pipe->watch_queue)
+		put_watch_queue(pipe->watch_queue);
+#endif
 	if (pipe->tmp_page)
 		__free_page(pipe->tmp_page);
 	kfree(pipe->bufs);