block: ensure the bdi is freed after inode_detach_wb

inode_detach_wb references the "main" bdi of the inode. With the recent change to move the bdi from the request_queue to the gendisk this causes a guaranteed use after free when using certain cgroup configurations. The big itself is older through as any non-default inode reference (e.g. an open file descriptor) could have injected this use after free even before that. Fixes: 52ebea749aae ("writeback: make backing_dev_info host cgroup-specific bdi_writebacks") Reported-by: Qian Cai <quic_qiancai@quicinc.com> Reported-by: syzbot <syzbot+1fb38bb7d3ce0fa3e1c4@syzkaller.appspotmail.com> Signed-off-by: Christoph Hellwig <hch@lst.de> Link: https://lore.kernel.org/r/20210816122614.601358-3-hch@lst.de Signed-off-by: Jens Axboe <axboe@kernel.dk>
author: Christoph Hellwig <hch@lst.de> 2021-08-16 14:26:14 +0200
committer: Jens Axboe <axboe@kernel.dk> 2021-08-16 10:49:11 -0600
commit: 889c05cc5834a1eef2dbe1e639cfd7a81c4f4c6d (patch)
tree: 61d680894772d993d79976efa1c593cfdb1c0dff /block
parent: 9451aa0aacaf7ea13d1acfd5de8b63a6e0b24fac (diff)
1 files changed, 0 insertions, 1 deletions
diff --git a/block/genhd.c b/block/genhd.c
index ed58ddf6258b..731a46063132 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -1084,7 +1084,6 @@ static void disk_release(struct device *dev)
 
 	might_sleep();
 
-	bdi_put(disk->bdi);
 	disk_release_events(disk);
 	kfree(disk->random);
 	xa_destroy(&disk->part_tbl);
author	Christoph Hellwig <hch@lst.de>	2021-08-16 14:26:14 +0200
committer	Jens Axboe <axboe@kernel.dk>	2021-08-16 10:49:11 -0600
commit	889c05cc5834a1eef2dbe1e639cfd7a81c4f4c6d (patch)
tree	61d680894772d993d79976efa1c593cfdb1c0dff /block
parent	9451aa0aacaf7ea13d1acfd5de8b63a6e0b24fac (diff)