blkcg: fix use-after-free in __blkg_release_rcu() by making blkcg_gq refcnt an atomic_t

[mirror_ubuntu-zesty-kernel.git] / block / blk-cgroup.c

diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c
index 069bc202ffe340fb69e9e3dc9414fe8b03043bd1..1463ca6b7aaea866523aef8e898c2a7ab59cdf78 100644 (file)
--- a/block/blk-cgroup.c
+++ b/block/blk-cgroup.c
@@ -80,7 +80,7 @@ static struct blkcg_gq *blkg_alloc(struct blkcg *blkcg, struct request_queue *q,
        blkg->q = q;
        INIT_LIST_HEAD(&blkg->q_node);
        blkg->blkcg = blkcg;
-       blkg->refcnt = 1;
+       atomic_set(&blkg->refcnt, 1);
 
        /* root blkg uses @q->root_rl, init rl only for !root blkgs */
        if (blkcg != &blkcg_root) {
@@ -399,11 +399,8 @@ void __blkg_release_rcu(struct rcu_head *rcu_head)
 
        /* release the blkcg and parent blkg refs this blkg has been holding */
        css_put(&blkg->blkcg->css);
-       if (blkg->parent) {
-               spin_lock_irq(blkg->q->queue_lock);
+       if (blkg->parent)
                blkg_put(blkg->parent);
-               spin_unlock_irq(blkg->q->queue_lock);
-       }
 
        blkg_free(blkg);
 }