[PATCH OLK-6.6 0/2] Fix exception when umount with release dev fd - Kernel - mailweb.openeuler.org

newer
[PATCH v11 00/14] arm64: entry:...

[PATCH OLK-6.6 0/2] Fix exception when umount with release dev fd

older
[PATCH OLK-6.6] tracing: Fix crash...

Hongbo Li

28 Jan 2026 28 Jan '26

10:22 a.m.

Fix exception when umount with release dev fd. Hongbo Li (2): mfs: Fix wild-memory-access error when mfs event is destroy. mfs: Do not release the async event immediately when read failed fs/mfs/cache.c | 2 ++ fs/mfs/dev.c | 12 ++++++++---- fs/mfs/super.c | 6 +++++- 3 files changed, 15 insertions(+), 5 deletions(-) -- 2.34.1

Reply

Sign in to reply online Use email software

Show replies by date

Hongbo Li

28 Jan 28 Jan

10:22 a.m.

New subject: [PATCH OLK-6.6 1/2] mfs: Fix wild-memory-access error when mfs event is destroy.

hulk inclusion category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/8440 ------------------ The MFS event holds the inode reference, when the MFS is umounted, the kill_anon_super will clean the inode forcely and report warning if the inode is in used. After that, the mfs_destroy_events will release event and iput, this causes the wild-memory-access error. So we should move mfs_destroy_events forward to keep the release order. Moreover, we should keep the memory access order on caches-> flags to avoid the unexcept mutex status. Fixes: 465dc69f5ba3 ("mfs: Add basic events framework") Signed-off-by: Hongbo Li <lihongbo22@huawei.com> --- fs/mfs/cache.c | 2 ++ fs/mfs/super.c | 6 +++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/fs/mfs/cache.c b/fs/mfs/cache.c index c06dcc9dc758..fbc608982961 100644 --- a/fs/mfs/cache.c +++ b/fs/mfs/cache.c @@ -306,6 +306,8 @@ void mfs_post_event_read(struct mfs_cache_object *object, do { xas_lock(&xas); + /* Ensure flags changed after lock */ + smp_mb__before_atomic(); if (!test_bit(MFS_CACHE_READY, &caches->flags)) { xas_unlock(&xas); goto out; diff --git a/fs/mfs/super.c b/fs/mfs/super.c index 91b1b13b0657..ac35c13bbcee 100644 --- a/fs/mfs/super.c +++ b/fs/mfs/super.c @@ -399,6 +399,8 @@ static void mfs_kill_sb(struct super_block *sb) clear_bit(MFS_MOUNTED, &sbi->flags); if (support_event(sbi)) { + /* The barrier pair to make sure flags is new */ + smp_mb__before_atomic(); while (test_bit(MFS_CACHE_OPENED, &caches->flags)) { static DEFINE_RATELIMIT_STATE(busy_open, 30 * HZ, 1); @@ -407,10 +409,12 @@ static void mfs_kill_sb(struct super_block *sb) continue; pr_warn("Pending until close the /dev/mfs%u...\n", sbi->minor); } + /* Ensure flags status is updated */ + smp_mb__after_atomic(); mfs_fs_dev_exit(sb); } - kill_anon_super(sb); mfs_destroy_events(sb); + kill_anon_super(sb); if (sbi->mtree) { path_put(&sbi->lower); kfree(sbi->mtree); -- 2.34.1

Reply

Sign in to reply online Use email software

Hongbo Li

10:22 a.m.

New subject: [PATCH OLK-6.6 2/2] mfs: Do not release the async event immediately when read failed

hulk inclusion category: bugfix bugzilla: https://atomgit.com/openeuler/kernel/issues/8440 ------------------ When read the async event failed, the original process will destroy the event, but it hasn't remove them out of xarray. This may cause the exceptions during the cleanup period of events. Fixes: 4c5fcceb5f6b ("mfs: Add communication devie and event acquisition operations") Signed-off-by: Hongbo Li <lihongbo22@huawei.com> --- fs/mfs/dev.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/fs/mfs/dev.c b/fs/mfs/dev.c index 896fb6550eb5..74aa39ffa988 100644 --- a/fs/mfs/dev.c +++ b/fs/mfs/dev.c @@ -65,8 +65,9 @@ static ssize_t mfs_dev_read(struct file *file, char __user *buf, XA_STATE(xas, &caches->events, caches->next_ev); struct mfs_event *event; struct mfs_msg *msg; + bool sync; size_t n; - int ret = 0; + int ret; xas_lock(&xas); event = mfs_pick_event(&xas, ULONG_MAX); @@ -78,7 +79,8 @@ static ssize_t mfs_dev_read(struct file *file, char __user *buf, xas_unlock(&xas); return 0; } - if (event->syncer) + sync = event->syncer ? true : false; + if (sync) get_mfs_event(event); xas_unlock(&xas); @@ -102,12 +104,14 @@ static ssize_t mfs_dev_read(struct file *file, char __user *buf, xas_lock(&xas); xas_clear_mark(&xas, MFS_EVENT_NEW); caches->next_ev = xas.xa_index + 1; - if (!event->syncer) + if (!sync) xas_store(&xas, NULL); xas_unlock(&xas); out: trace_mfs_dev_read(file, msg->opcode, msg->id, msg->fd); - put_mfs_event(event); + /* unread async event don't need to released immediately */ + if (ret == 0 || sync) + put_mfs_event(event); return ret ? ret : n; } -- 2.34.1

Reply

Sign in to reply online Use email software

patchwork bot

10:26 a.m.

反馈：您发送到kernel@openeuler.org的补丁/补丁集，已成功转换为PR！ PR链接地址： https://atomgit.com/openeuler/kernel/merge_requests/20347 邮件列表地址：https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/KFR... FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://atomgit.com/openeuler/kernel/merge_requests/20347 Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/KFR...

Reply

Sign in to reply online Use email software

0

Age (days ago)

0

Last active (days ago)

3 comments

2 participants

tags

participants (2)

Hongbo Li
patchwork bot