cgroup: fix broken file xattrs

commit 712317ad97f41e738e1a19aa0a6392a78a84094e upstream.

We should store file xattrs in struct cfent instead of struct cftype,
because cftype is a type while cfent is object instance of cftype.

For example each cgroup has a tasks file, and each tasks file is
associated with a uniq cfent, but all those files share the same
struct cftype.

Alexey Kodanev reported a crash, which can be reproduced:

  # mount -t cgroup -o xattr /sys/fs/cgroup
  # mkdir /sys/fs/cgroup/test
  # setfattr -n trusted.value -v test_value /sys/fs/cgroup/tasks
  # rmdir /sys/fs/cgroup/test
  # umount /sys/fs/cgroup
  oops!

In this case, simple_xattrs_free() will free the same struct simple_xattrs
twice.

tj: Dropped unused local variable @cft from cgroup_diput().

Reported-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Signed-off-by: Li Zefan <lizefan@huawei.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

1 files changed, 6 insertions, 5 deletions

diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 5fb09428cd24..cddf1d998381 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -162,6 +162,9 @@ struct cfent {
         struct list_head                node;
         struct dentry                   *dentry;
         struct cftype                   *type;
+
+        /* file xattrs */
+        struct simple_xattrs            xattrs;
 };
 
 /*
@@ -908,13 +911,12 @@ static void cgroup_diput(struct dentry *dentry, struct inode *inode)
         } else {
                 struct cfent *cfe = __d_cfe(dentry);
                 struct cgroup *cgrp = dentry->d_parent->d_fsdata;
-                struct cftype *cft = cfe->type;
 
                 WARN_ONCE(!list_empty(&cfe->node) &&
                           cgrp != &cgrp->root->top_cgroup,
                           "cfe still linked for %s\n", cfe->type->name);
+                simple_xattrs_free(&cfe->xattrs);
                 kfree(cfe);
-                simple_xattrs_free(&cft->xattrs);
         }
         iput(inode);
 }
@@ -2553,7 +2555,7 @@ static struct simple_xattrs *__d_xattrs(struct dentry *dentry)
         if (S_ISDIR(dentry->d_inode->i_mode))
                 return &__d_cgrp(dentry)->xattrs;
         else
-                return &__d_cft(dentry)->xattrs;
+                return &__d_cfe(dentry)->xattrs;
 }
 
 static inline int xattr_enabled(struct dentry *dentry)
@@ -2729,8 +2731,6 @@ static int cgroup_add_file(struct cgroup *cgrp, struct cgroup_subsys *subsys,
         umode_t mode;
         char name[MAX_CGROUP_TYPE_NAMELEN + MAX_CFTYPE_NAME + 2] = { 0 };
 
-        simple_xattrs_init(&cft->xattrs);
-
         if (subsys && !test_bit(ROOT_NOPREFIX, &cgrp->root->flags)) {
                 strcpy(name, subsys->name);
                 strcat(name, ".");
@@ -2755,6 +2755,7 @@ static int cgroup_add_file(struct cgroup *cgrp, struct cgroup_subsys *subsys,
                 cfe->type = (void *)cft;
                 cfe->dentry = dentry;
                 dentry->d_fsdata = cfe;
+                simple_xattrs_init(&cfe->xattrs);
                 list_add_tail(&cfe->node, &parent->files);
                 cfe = NULL;
         }