summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2022-03-11 13:23:38 +0000
committerLinus Torvalds <torvalds@linux-foundation.org>2022-03-11 10:17:12 -0800
commitdb8facfc9fafacefe8a835416a6b77c838088f8b (patch)
tree2f51a12315d4a96ce097736087eec3eec548f50a
parentc993ee0f9f81caf5767a50d1faeba39a0dc82af2 (diff)
downloadlwn-db8facfc9fafacefe8a835416a6b77c838088f8b.tar.gz
lwn-db8facfc9fafacefe8a835416a6b77c838088f8b.zip
watch_queue, pipe: Free watchqueue state after clearing pipe ring
In free_pipe_info(), free the watchqueue state after clearing the pipe ring as each pipe ring descriptor has a release function, and in the case of a notification message, this is watch_queue_pipe_buf_release() which tries to mark the allocation bitmap that was previously released. Fix this by moving the put of the pipe's ref on the watch queue to after the ring has been cleared. We still need to call watch_queue_clear() before doing that to make sure that the pipe is disconnected from any notification sources first. Fixes: c73be61cede5 ("pipe: Add general notification queue support") Reported-by: Jann Horn <jannh@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--fs/pipe.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/fs/pipe.c b/fs/pipe.c
index cc28623a67b6..4eb88bc138bb 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -831,10 +831,8 @@ void free_pipe_info(struct pipe_inode_info *pipe)
int i;
#ifdef CONFIG_WATCH_QUEUE
- if (pipe->watch_queue) {
+ if (pipe->watch_queue)
watch_queue_clear(pipe->watch_queue);
- put_watch_queue(pipe->watch_queue);
- }
#endif
(void) account_pipe_buffers(pipe->user, pipe->nr_accounted, 0);
@@ -844,6 +842,10 @@ void free_pipe_info(struct pipe_inode_info *pipe)
if (buf->ops)
pipe_buf_release(pipe, buf);
}
+#ifdef CONFIG_WATCH_QUEUE
+ if (pipe->watch_queue)
+ put_watch_queue(pipe->watch_queue);
+#endif
if (pipe->tmp_page)
__free_page(pipe->tmp_page);
kfree(pipe->bufs);