From: Daniel Rosenberg <drosen@google.com>
__configfs_open_file() used to use configfs_get_config_item, but changed in commit b0841eefd969 ("configfs: provide exclusion between IO and removals") to just call to_item. The error path still tries to clean up the reference, incorrectly decrementing the ref count.
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Cc: stable@vger.kernel.org
Fixes: b0841eefd969 ("configfs: provide exclusion between IO and removals")
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/configfs/file.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/fs/configfs/file.c b/fs/configfs/file.c index 1f0270229d7b..8b7c8a8a09f3 100644 --- a/fs/configfs/file.c +++ b/fs/configfs/file.c @@ -378,7 +378,7 @@ static int __configfs_open_file(struct inode *inode, struct file *file, int type
attr = to_attr(dentry); if (!attr) - goto out_put_item; + goto out_put_module;
if (type & CONFIGFS_ITEM_BIN_ATTR) { buffer->bin_attr = to_bin_attr(dentry); @@ -391,7 +391,7 @@ static int __configfs_open_file(struct inode *inode, struct file *file, int type /* Grab the module reference for this attribute if we have one */ error = -ENODEV; if (!try_module_get(buffer->owner)) - goto out_put_item; + goto out_put_module;
error = -EACCES; if (!buffer->item->ci_type) @@ -435,8 +435,6 @@ static int __configfs_open_file(struct inode *inode, struct file *file, int type
out_put_module: module_put(buffer->owner); -out_put_item: - config_item_put(buffer->item); out_free_buffer: up_read(&frag->frag_sem); kfree(buffer);
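Review bot: In the @@ -378 hunk, the !attr check now jumps to out_put_module, but that check sits before the try_module_get(buffer->owner) call shown in the @@ -391 hunk, so module_put(buffer->owner) would run for a module reference that was never taken. With out_put_item removed, this goto should target out_free_buffer instead.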
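Review bot: In the @@ -391 hunk, the failure branch of try_module_get(buffer->owner) jumps to out_put_module, which calls module_put(buffer->owner) even though the get has just failed and no reference is held. Point this goto at out_free_buffer so that only paths after a successful try_module_get reach module_put.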
I've actually just queued up a similar patch from Daiyue Zhang.
goto out_put_item;
goto out_put_module;
if (type & CONFIGFS_ITEM_BIN_ATTR) { buffer->bin_attr = to_bin_attr(dentry); @@ -391,7 +391,7 @@ static int __configfs_open_file(struct inode *inode, struct file *file, int type /* Grab the module reference for this attribute if we have one */ error = -ENODEV; if (!try_module_get(buffer->owner))
goto out_put_item;
goto out_put_module;
error = -EACCES; if (!buffer->item->ci_type) @@ -435,8 +435,6 @@ static int __configfs_open_file(struct inode *inode, struct file *file, int type out_put_module: module_put(buffer->owner); -out_put_item:
- config_item_put(buffer->item);
out_free_buffer:
But the goto label changes here look incorrect anyway, as they now introduce a double put on the module..
On Thu, Mar 11, 2021 at 12:16:25PM +0100, Christoph Hellwig wrote:
I've actually just queued up a similar patch from Daiyue Zhang.
goto out_put_item;
goto out_put_module;
if (type & CONFIGFS_ITEM_BIN_ATTR) { buffer->bin_attr = to_bin_attr(dentry); @@ -391,7 +391,7 @@ static int __configfs_open_file(struct inode *inode, struct file *file, int type /* Grab the module reference for this attribute if we have one */ error = -ENODEV; if (!try_module_get(buffer->owner))
goto out_put_item;
goto out_put_module;
error = -EACCES; if (!buffer->item->ci_type) @@ -435,8 +435,6 @@ static int __configfs_open_file(struct inode *inode, struct file *file, int type out_put_module: module_put(buffer->owner); -out_put_item:
- config_item_put(buffer->item);
out_free_buffer:
But the goto label changes here look incorrect anyway, as they now introduce a double put on the module..
Oops, should be one label lower. Daniel must not have checked this on a system with modules :)
Let me go fix this up...
thanks,
greg k-h
linux-stable-mirror@lists.linaro.org
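An added user-space model of the error ladder discussed in this thread, not code from the patch or the kernel: it counts module references for the ladder as posted and for the variant with the two early failures "one label lower". The struct, helper and function names are hypothetical, and the three flags stand in for the to_attr(), try_module_get() and ci_type checks.

```c
#include <stdio.h>

/* Constructed user-space model of the open path; all names are hypothetical. */
struct model { int has_attr, get_ok, has_type, module_refs; };

static int model_try_get(struct model *m)	/* a failed get takes no reference */
{
	m->module_refs += m->get_ok;
	return m->get_ok;
}

static int open_as_posted(struct model *m)	/* early failures jump to out_put_module */
{
	if (!m->has_attr)
		goto out_put_module;
	if (!model_try_get(m))
		goto out_put_module;
	if (!m->has_type)
		goto out_put_module;
	return 0;			/* success: the open file keeps the reference */
out_put_module:
	m->module_refs--;		/* runs even when no get succeeded */
	return -1;
}

static int open_one_lower(struct model *m)	/* early failures one label lower */
{
	if (!m->has_attr)
		goto out_free_buffer;
	if (!model_try_get(m))
		goto out_free_buffer;
	if (!m->has_type)
		goto out_put_module;
	return 0;
out_put_module:
	m->module_refs--;		/* reached only after a successful get */
out_free_buffer:
	return -1;
}

int main(void)
{
	struct model a = { .has_attr = 1, .has_type = 1 }, b = a;	/* get_ok = 0: the get fails */
	open_as_posted(&a);
	open_one_lower(&b);
	printf("module refs, as posted: %d, one lower: %d\n", a.module_refs, b.module_refs);
	return 0;
}
```

A negative count after a failed open is the unbalanced module put; a failed open should leave the count at zero.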