netfs, fscache: Prevent Oops in fscache_put_cache()

Message ID 9872f991-56a8-4915-b9b0-53accd6db0ef@moroto.mountain
State New

Commit Message

Dan Carpenter Jan. 10, 2024, 6:54 p.m. UTC
This function dereferences "cache" and then checks if it's
IS_ERR_OR_NULL().  Check first, then dereference.

Fixes: 9549332df4ed ("fscache: Implement cache registration")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
 fs/netfs/fscache_cache.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
  

Comments

David Howells Jan. 10, 2024, 7:01 p.m. UTC | #1
Dan Carpenter <dan.carpenter@linaro.org> wrote:

>  	zero = __refcount_dec_and_test(&cache->ref, &ref);
> -	trace_fscache_cache(debug_id, ref - 1, where);
> +	trace_fscache_cache(cache->debug_id, ref - 1, where);

You can't do that if !zero.  cache may be deallocated between the two lines.

David
  
Dan Carpenter Jan. 10, 2024, 7:07 p.m. UTC | #2
On Wed, Jan 10, 2024 at 07:01:40PM +0000, David Howells wrote:
> Dan Carpenter <dan.carpenter@linaro.org> wrote:
> 
> >  	zero = __refcount_dec_and_test(&cache->ref, &ref);
> > -	trace_fscache_cache(debug_id, ref - 1, where);
> > +	trace_fscache_cache(cache->debug_id, ref - 1, where);
> 
> You can't do that if !zero.  cache may be deallocated between the two lines.

Ah...  Right.  I misread what was going on in the latter part of the
function.  Sorry, I'll resend.

regards,
dan carpenter
  

Patch

diff --git a/fs/netfs/fscache_cache.c b/fs/netfs/fscache_cache.c
index d645f8b302a2..f0722cc2eae5 100644
--- a/fs/netfs/fscache_cache.c
+++ b/fs/netfs/fscache_cache.c
@@ -179,7 +179,6 @@  EXPORT_SYMBOL(fscache_acquire_cache);
 void fscache_put_cache(struct fscache_cache *cache,
 		       enum fscache_cache_trace where)
 {
-	unsigned int debug_id = cache->debug_id;
 	bool zero;
 	int ref;
 
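Review bot: Removing `debug_id` from the declarations altogether takes away the only place the ID could be saved while the caller's reference is still held. Keep the local but drop the initializer (`unsigned int debug_id;`), so nothing touches `cache` before the IS_ERR_OR_NULL() check the commit message refers to, and assign it after that check and before the refcount is dropped.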
@@ -187,7 +186,7 @@  void fscache_put_cache(struct fscache_cache *cache,
 		return;
 
 	zero = __refcount_dec_and_test(&cache->ref, &ref);
-	trace_fscache_cache(debug_id, ref - 1, where);
+	trace_fscache_cache(cache->debug_id, ref - 1, where);
 
 	if (zero) {
 		down_write(&fscache_addremove_sem);
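Review bot: In the `trace_fscache_cache()` call, `cache->debug_id` is now read after `__refcount_dec_and_test(&cache->ref, &ref)` has given up this caller's reference. When `zero` is false, another holder can drop the last reference and free `cache` before the trace line runs, which is the use-after-free David Howells points out in the thread. Read the ID into a local between the early `return` and the decrement, and leave the tracepoint call as `trace_fscache_cache(debug_id, ref - 1, where);`.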