Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp957582pxp; Wed, 16 Mar 2022 22:37:17 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx6nrOYEsODdkJVsZ4/6qD5Tmgi8f0fczJhCZemoZjvMTklUYoJJYndv6+c8V9KZKYbAXCG X-Received: by 2002:a17:90a:19d2:b0:1be:d815:477f with SMTP id 18-20020a17090a19d200b001bed815477fmr3470892pjj.23.1647495437689; Wed, 16 Mar 2022 22:37:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1647495437; cv=none; d=google.com; s=arc-20160816; b=Zh/6TWxMUbCbA/oZaObIdutsu5Gcv1njvnneNVFTLYL9ih6Omye+lHsfVFMiWoL+Ae 70AWlnmsPBZvwgnEHWxZ5c7RD1V7ZLUvF6FWoY7d7HhpOa6viSwaWxEI7P2chSaDoQbc ZLo6USwixnypiZpzM4nKb+LxPx2SbQzlNxJnrrUB9E2tjN1glhY0PdnFTM6WXv1+ivPc B6oFJuL3qpDmeicFfNrsstVGofmKjB5t+yitk+scoVpDhH+laPEaLh6B15FtPGuSpvQa PfNxpb3tcBqeX0UVPLDttHevXr+HkEVBv+3DPkv2IBndHlQh4wkk+imc88OdfWnsAp+3 +FFg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=pnmlfyHr7HPPQj7/5zlXGi2amzWnjEUzVrKnbTNeSmc=; b=kpYjIeX4eQ4WcBziaftuOgISRlWOaYplTAyb6NjracqCgdi0Mbye1hXFOkcWnJvgpb BlbEW8wP2Ybayrwd+/PXEzFGSL9lVa2pUxe8qJHPh0grDkhfCNBA1A4tm3cL86P6piGB dNHs3DbaGYpWZo/DjqD/zhJzyrfOvtv5d0qK4eLGvuQ7x+xAOKTqSZMD6DaVeFntWjkU QuIy6xWeWMX2wpjK4D0kwQBL47EG2hpdTsOXTewfTaikBqABqiyZ0mGUwCeXlN0Vllr3 m0xDDi2XpjpX4bHeXwpD2iAEgXwckpfazWtsx1w72iWzCXtRSH9p6G8uFK36aaHtSvpy +s6g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=s1SbI+Wj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id v22-20020a62a516000000b004f66ce63681si3599640pfm.181.2022.03.16.22.37.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 16 Mar 2022 22:37:17 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=s1SbI+Wj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id AA6BCED9E1; Wed, 16 Mar 2022 21:40:55 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235016AbiCNMGm (ORCPT + 99 others); Mon, 14 Mar 2022 08:06:42 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33892 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240556AbiCNMFU (ORCPT ); Mon, 14 Mar 2022 08:05:20 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0C8BB47AF3; Mon, 14 Mar 2022 05:02:33 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 836A2612FB; Mon, 14 Mar 2022 12:02:32 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 851D1C340E9; Mon, 14 Mar 2022 12:02:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1647259351; bh=jSQBdgjmG/0puOUtBTQLeaUF/iDNY/kxEsrAKEP7R2Y=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=s1SbI+Wj+UyFgzxrwXqoo0z8wsXP5WF1oR2w9l/dWrj7tS77yz4hlKr469KGzwFNV ZgDV1lpQ7tmVKzPcyXVtZiEH8Y+wDemrOCOQ3fypKgVZl8SP3ToRavyJOlxrCXwARZ YuODNLWJqqV5dSNTeL2VtsMnUqFHxhZqgOLKK//s= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jann Horn , David Howells , Linus Torvalds Subject: [PATCH 5.10 59/71] watch_queue, pipe: Free watchqueue state after clearing pipe ring Date: Mon, 14 Mar 2022 12:53:52 +0100 Message-Id: <20220314112739.582363593@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220314112737.929694832@linuxfoundation.org> References: <20220314112737.929694832@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-3.5 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: David Howells commit db8facfc9fafacefe8a835416a6b77c838088f8b upstream. In free_pipe_info(), free the watchqueue state after clearing the pipe ring as each pipe ring descriptor has a release function, and in the case of a notification message, this is watch_queue_pipe_buf_release() which tries to mark the allocation bitmap that was previously released. Fix this by moving the put of the pipe's ref on the watch queue to after the ring has been cleared. We still need to call watch_queue_clear() before doing that to make sure that the pipe is disconnected from any notification sources first. Fixes: c73be61cede5 ("pipe: Add general notification queue support") Reported-by: Jann Horn Signed-off-by: David Howells Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- fs/pipe.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) --- a/fs/pipe.c +++ b/fs/pipe.c @@ -830,10 +830,8 @@ void free_pipe_info(struct pipe_inode_in int i; #ifdef CONFIG_WATCH_QUEUE - if (pipe->watch_queue) { + if (pipe->watch_queue) watch_queue_clear(pipe->watch_queue); - put_watch_queue(pipe->watch_queue); - } #endif (void) account_pipe_buffers(pipe->user, pipe->nr_accounted, 0); @@ -843,6 +841,10 @@ void free_pipe_info(struct pipe_inode_in if (buf->ops) pipe_buf_release(pipe, buf); } +#ifdef CONFIG_WATCH_QUEUE + if (pipe->watch_queue) + put_watch_queue(pipe->watch_queue); +#endif if (pipe->tmp_page) __free_page(pipe->tmp_page); kfree(pipe->bufs);