From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=LhOy=NC=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-12.2 required=3.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,
	MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_SANE_1
	autolearn=ham autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 321A1C432BE
	for <linux-mm@archiver.kernel.org>; Wed, 11 Aug 2021 11:25:22 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 9461E60F56
	for <linux-mm@archiver.kernel.org>; Wed, 11 Aug 2021 11:25:21 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 9461E60F56
Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=suse.cz
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org
Received: by kanga.kvack.org (Postfix)
	id BA2736B0071; Wed, 11 Aug 2021 07:25:20 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id B51BE8D0002; Wed, 11 Aug 2021 07:25:20 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id A40D58D0001; Wed, 11 Aug 2021 07:25:20 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0105.hostedemail.com [216.40.44.105])
	by kanga.kvack.org (Postfix) with ESMTP id 8CC6C6B0071
	for <linux-mm@kvack.org>; Wed, 11 Aug 2021 07:25:20 -0400 (EDT)
Received: from smtpin22.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay03.hostedemail.com (Postfix) with ESMTP id 73D5182499A8
	for <linux-mm@kvack.org>; Wed, 11 Aug 2021 11:25:19 +0000 (UTC)
X-FDA: 78462568758.22.9B1790A
Received: from smtp-out2.suse.de (smtp-out2.suse.de [195.135.220.29])
	by imf16.hostedemail.com (Postfix) with ESMTP id E1AA8F0024BA
	for <linux-mm@kvack.org>; Wed, 11 Aug 2021 11:25:18 +0000 (UTC)
Received: from relay2.suse.de (relay2.suse.de [149.44.160.134])
	by smtp-out2.suse.de (Postfix) with ESMTP id A12D120160;
	Wed, 11 Aug 2021 11:25:17 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_rsa;
	t=1628681117; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
	 mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=mvtlkHF7iDVRQSHX2Nfm7jjJKIqvUV90SO9Pow6pFtw=;
	b=nKygt8fhOTlysffsMmdsaOkOrdrv+AUZ6uKwvOWk2O1XaesHiD29zXUgM3YBTTNiGJ9ub+
	+92BDc57n/hjQG4atRRG2VSPnRj5Xn0WnwP7hqNeKRH948kaef5re1DpWBlFiDwPrXzdvB
	Xq4upryfZpyMEinXfr2EshptMI7cTTI=
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.cz;
	s=susede2_ed25519; t=1628681117;
	h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
	 mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=mvtlkHF7iDVRQSHX2Nfm7jjJKIqvUV90SO9Pow6pFtw=;
	b=ugtkNHI7S7C94GN1noD2pxe5uiJOg13OW6qwb/ZkgZAviVhtETPQ1lZfcnue5y9g4NT1T1
	iSc+jDcEby0+wIBA==
Received: from quack2.suse.cz (unknown [10.100.224.230])
	by relay2.suse.de (Postfix) with ESMTP id 8AEDAA3C17;
	Wed, 11 Aug 2021 11:25:17 +0000 (UTC)
Received: by quack2.suse.cz (Postfix, from userid 1000)
	id 2F3081E6204; Wed, 11 Aug 2021 13:25:14 +0200 (CEST)
Date: Wed, 11 Aug 2021 13:25:14 +0200
From: Jan Kara <jack@suse.cz>
To: Christoph Hellwig <hch@lst.de>
Cc: Qian Cai <quic_qiancai@quicinc.com>, Jens Axboe <axboe@kernel.dk>,
	Tejun Heo <tj@kernel.org>, Jan Kara <jack@suse.cz>,
	linux-block@vger.kernel.org,
	Andrew Morton <akpm@linux-foundation.org>, cgroups@vger.kernel.org,
	linux-fsdevel@vger.kernel.org, linux-mm@kvack.org
Subject: Re: move the bdi from the request_queue to the gendisk
Message-ID: <20210811112514.GC14725@quack2.suse.cz>
References: <20210809141744.1203023-1-hch@lst.de>
 <e5e19d15-7efd-31f4-941a-a5eb2f94b898@quicinc.com>
 <20210810200256.GA30809@lst.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20210810200256.GA30809@lst.de>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Rspamd-Server: rspam03
X-Rspamd-Queue-Id: E1AA8F0024BA
Authentication-Results: imf16.hostedemail.com;
	dkim=pass header.d=suse.cz header.s=susede2_rsa header.b=nKygt8fh;
	dkim=pass header.d=suse.cz header.s=susede2_ed25519 header.b=ugtkNHI7;
	dmarc=none;
	spf=pass (imf16.hostedemail.com: domain of jack@suse.cz designates 195.135.220.29 as permitted sender) smtp.mailfrom=jack@suse.cz
X-Stat-Signature: 7hfkz8hcsm9eqywwnqzq8etmand7yrkj
X-HE-Tag: 1628681118-188792
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Tue 10-08-21 22:02:56, Christoph Hellwig wrote:
> On Tue, Aug 10, 2021 at 03:36:39PM -0400, Qian Cai wrote:
> > 
> > 
> > On 8/9/2021 10:17 AM, Christoph Hellwig wrote:
> > > Hi Jens,
> > > 
> > > this series moves the pointer to the bdi from the request_queue
> > > to the bdi, better matching the life time rules of the different
> > > objects.
> > 
> > Reverting this series fixed an use-after-free in bdev_evict_inode().
> 
> Please try the patch below as a band-aid.  Although the proper fix is
> that non-default bdi_writeback structures grab a reference to the bdi,
> as this was a landmine that might have already caused spurious issues
> before.

Well, non-default bdi_writeback structures do hold bdi reference - see
wb_exit() which drops the reference. I think the problem rather was that a
block device's inode->i_wb was pointing to the default bdi_writeback
structure and that got freed after bdi_put() before block device inode was
shutdown through bdput()... So what I think we need is that if the inode
references the default writeback structure, it actually holds a reference
to the bdi.

								Honza
> 
> diff --git a/block/genhd.c b/block/genhd.c
> index f8def1129501..2e4a9d187196 100644
> --- a/block/genhd.c
> +++ b/block/genhd.c
> @@ -1086,7 +1086,6 @@ static void disk_release(struct device *dev)
>  
>  	might_sleep();
>  
> -	bdi_put(disk->bdi);
>  	if (MAJOR(dev->devt) == BLOCK_EXT_MAJOR)
>  		blk_free_ext_minor(MINOR(dev->devt));
>  	disk_release_events(disk);
> diff --git a/fs/block_dev.c b/fs/block_dev.c
> index 7c969f81327a..c6087dbae6cf 100644
> --- a/fs/block_dev.c
> +++ b/fs/block_dev.c
> @@ -849,11 +849,15 @@ static void init_once(void *data)
>  
>  static void bdev_evict_inode(struct inode *inode)
>  {
> +	struct block_device *bdev = I_BDEV(inode);
> +
>  	truncate_inode_pages_final(&inode->i_data);
>  	invalidate_inode_buffers(inode); /* is it needed here? */
>  	clear_inode(inode);
>  	/* Detach inode from wb early as bdi_put() may free bdi->wb */
>  	inode_detach_wb(inode);
> +	if (!bdev_is_partition(bdev))
> +		bdi_put(bdev->bd_disk->bdi);
>  }
>  
>  static const struct super_operations bdev_sops = {
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR