| author | Sahitya Tummala <stummala@codeaurora.org> | 2017-04-19 11:50:03 +0530 |
|---|---|---|
| committer | Sahitya Tummala <stummala@codeaurora.org> | 2017-05-04 09:41:48 +0530 |
| commit | d07d314e7d1d451afcc428ca074b9e03d38bf302 (patch) | |
| tree | 16ff023c3d11e7f6326f0c8073a828ba3d709408 /kernel/workqueue.c | |
| parent | 50a43711dc69c2d102504145a1a55acd47504aea (diff) | |
fs/mbcache: fix use after free issue in mb_cache_shrink_scan()

Fix the below potential race between these two contexts -
mb_cache_entry_get() and mb_cache_shrink_scan(), which results
in a use after free issue.

task a:
mb_cache_shrink_scan()
|--if(!list_empty(&mb_cache_lru_list))
|--get the ce entry
|--list_del_init(&ce->e_lru_list);
|--check ce->e_used, ce->e_queued,
   ce->e_refcnt and continue
-> gets preempted here

task b:
ext4_xattr_release_block()
|--mb_cache_entry_get()
|--get ce from hlist_bl_for_each_entry()
|--increment ce->e_used and
   list_del_init(&ce->e_lru_list)
|--mb_cache_entry_free()
|--hlist_bl_lock(ce->e_block_hash_p);
-> results in use after free

Also, fix a similar potential race between mb_cache_entry_alloc() and
mb_cache_entry_get() in case cache->c_max_entries is reached.

Change-Id: I01049bae5d914cfb8494ab299ec2e068745d1110
Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>

Diffstat (limited to 'kernel/workqueue.c')
0 files changed, 0 insertions, 0 deletions
