mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-12 21:57:43 +00:00
92e3cc91d8
There are a number of problems that are being seen by the rapidly mounting
and unmounting an afs dynamic root with an explicit cell and volume
specified (which should probably be rejected, but that's a separate issue):
What the tests are doing is to look up/create a cell record for the name
given and then tear it down again without actually using it to try to talk
to a server. This is repeated endlessly, very fast, and the new cell
collides with the old one if it's not quick enough to reuse it.
It appears (as suggested by Hillf Danton) that the search through the RB
tree under a read_seqbegin_or_lock() under RCU conditions isn't safe and
that it's not blocking the write_seqlock(), despite taking two passes at
it. He suggested that the code should take a ref on the cell it's
attempting to look at - but this shouldn't be necessary until we've
compared the cell names. It's possible that I'm missing a barrier
somewhere.
However, using an RCU search for this is overkill, really - we only need to
access the cell name in a few places, and they're places where we're may
end up sleeping anyway.
Fix this by switching to an R/W semaphore instead.
Additionally, draw the down_read() call inside the function (renamed to
afs_find_cell()) since all the callers were taking the RCU read lock (or
should've been[*]).
[*] afs_probe_cell_name() should have been, but that doesn't appear to be
involved in the bug reports.
The symptoms of this look like:
general protection fault, probably for non-canonical address 0xf27d208691691fdb: 0000 [#1] PREEMPT SMP KASAN
KASAN: maybe wild-memory-access in range [0x93e924348b48fed8-0x93e924348b48fedf]
...
RIP: 0010:strncasecmp lib/string.c:52 [inline]
RIP: 0010:strncasecmp+0x5f/0x240 lib/string.c:43
afs_lookup_cell_rcu+0x313/0x720 fs/afs/cell.c:88
afs_lookup_cell+0x2ee/0x1440 fs/afs/cell.c:249
afs_parse_source fs/afs/super.c:290 [inline]
...
Fixes:
|
||
|---|---|---|
| .. | ||
| addr_list.c | ||
| afs.h | ||
| afs_cm.h | ||
| afs_fs.h | ||
| afs_vl.h | ||
| cache.c | ||
| callback.c | ||
| cell.c | ||
| cmservice.c | ||
| dir.c | ||
| dir_edit.c | ||
| dir_silly.c | ||
| dynroot.c | ||
| file.c | ||
| flock.c | ||
| fs_operation.c | ||
| fs_probe.c | ||
| fsclient.c | ||
| inode.c | ||
| internal.h | ||
| Kconfig | ||
| main.c | ||
| Makefile | ||
| misc.c | ||
| mntpt.c | ||
| proc.c | ||
| protocol_uae.h | ||
| protocol_yfs.h | ||
| rotate.c | ||
| rxrpc.c | ||
| security.c | ||
| server.c | ||
| server_list.c | ||
| super.c | ||
| vl_alias.c | ||
| vl_list.c | ||
| vl_probe.c | ||
| vl_rotate.c | ||
| vlclient.c | ||
| volume.c | ||
| write.c | ||
| xattr.c | ||
| xdr_fs.h | ||
| yfsclient.c | ||