From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Vasily Averin, Scott Mayhew, "J. Bruce Fields", Sasha Levin
Subject: [PATCH 4.14 089/156] race of lockd inetaddr notifiers vs nlmsvc_rqst change
Date: Fri, 2 Feb 2018 17:57:50 +0100
Message-Id: <20180202140844.277091453@linuxfoundation.org>
In-Reply-To: <20180202140840.242829545@linuxfoundation.org>
References: <20180202140840.242829545@linuxfoundation.org>

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Vasily Averin

[ Upstream commit 6b18dd1c03e07262ea0866084856b2a3c5ba8d09 ]

lockd_inet[6]addr_event use nlmsvc_rqst without taking nlmsvc_mutex, nlmsvc_rqst can be changed during execution of notifiers and crash the host.

Patch enables access to nlmsvc_rqst only when it was correctly initialized and delays its cleanup until notifiers are no longer in use.

Note that nlmsvc_rqst can be temporarily set to ERR_PTR, so the "if (nlmsvc_rqst)" check in notifiers is insufficient on its own.

Signed-off-by: Vasily Averin
Tested-by: Scott Mayhew
Signed-off-by: J. Bruce Fields
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
--- fs/lockd/svc.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) --- a/fs/lockd/svc.c +++ b/fs/lockd/svc.c @@ -57,6 +57,9 @@ static struct task_struct *nlmsvc_task; static struct svc_rqst *nlmsvc_rqst; unsigned long nlmsvc_timeout; +atomic_t nlm_ntf_refcnt = ATOMIC_INIT(0); +DECLARE_WAIT_QUEUE_HEAD(nlm_ntf_wq); + unsigned int lockd_net_id; /* @@ -292,7 +295,8 @@ static int lockd_inetaddr_event(struct n struct in_ifaddr *ifa = (struct in_ifaddr *)ptr; struct sockaddr_in sin; - if (event != NETDEV_DOWN) + if ((event != NETDEV_DOWN) || + !atomic_inc_not_zero(&nlm_ntf_refcnt)) goto out; if (nlmsvc_rqst) { @@ -303,6 +307,8 @@ static int lockd_inetaddr_event(struct n svc_age_temp_xprts_now(nlmsvc_rqst->rq_server, (struct sockaddr *)&sin); } + atomic_dec(&nlm_ntf_refcnt); + wake_up(&nlm_ntf_wq); out: return NOTIFY_DONE; @@ -319,7 +325,8 @@ static int lockd_inet6addr_event(struct struct inet6_ifaddr *ifa = (struct inet6_ifaddr *)ptr; struct sockaddr_in6 sin6; - if (event != NETDEV_DOWN) + if ((event != NETDEV_DOWN) || + !atomic_inc_not_zero(&nlm_ntf_refcnt)) goto out; if (nlmsvc_rqst) { @@ -331,6 +338,8 @@ static int lockd_inet6addr_event(struct svc_age_temp_xprts_now(nlmsvc_rqst->rq_server, (struct sockaddr *)&sin6); } + atomic_dec(&nlm_ntf_refcnt); + wake_up(&nlm_ntf_wq); out: return NOTIFY_DONE; 
@@ -347,10 +356,12 @@ static void lockd_unregister_notifiers(v #if IS_ENABLED(CONFIG_IPV6) unregister_inet6addr_notifier(&lockd_inet6addr_notifier); #endif + wait_event(nlm_ntf_wq, atomic_read(&nlm_ntf_refcnt) == 0); } static void lockd_svc_exit_thread(void) { + atomic_dec(&nlm_ntf_refcnt); lockd_unregister_notifiers(); svc_exit_thread(nlmsvc_rqst); } @@ -375,6 +386,7 @@ static int lockd_start_svc(struct svc_se goto out_rqst; } + atomic_inc(&nlm_ntf_refcnt); svc_sock_update_bufs(serv); serv->sv_maxconn = nlm_max_connections;
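
Review bot: nlm_ntf_refcnt and nlm_ntf_wq in the @@ -57,6 +57,9 @@ hunk are defined without static, although the diffstat shows fs/lockd/svc.c as the only file touched, so nothing outside this file can be declaring or using them. Suggest `static atomic_t nlm_ntf_refcnt = ATOMIC_INIT(0);` and `static DECLARE_WAIT_QUEUE_HEAD(nlm_ntf_wq);`, plus a one-line comment saying what the count means: one reference held from lockd_start_svc() until lockd_svc_exit_thread(), plus one per notifier currently running.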
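
Review bot: the atomic_dec(&nlm_ntf_refcnt) added at the end of lockd_inetaddr_event() in the @@ -303,6 +307,8 @@ hunk (and identically in lockd_inet6addr_event() at @@ -331,6 +338,8 @@) is a non-value-returning atomic and implies no memory ordering, so nothing in these lines orders the preceding nlmsvc_rqst->rq_server access before the decrement that lets the wait_event() in lockd_unregister_notifiers() return and svc_exit_thread(nlmsvc_rqst) run. Suggest `if (atomic_dec_and_test(&nlm_ntf_refcnt)) wake_up(&nlm_ntf_wq);`, which is fully ordered and also skips the wake_up() on every notifier exit where the count is still nonzero.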
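
Review bot: the gate added in the @@ -319,7 +325,8 @@ hunk for lockd_inet6addr_event() is a verbatim copy of the one in lockd_inetaddr_event(), and the matching release sequence is copied as well. A pair of small static helpers (one wrapping atomic_inc_not_zero(), one wrapping the decrement and wake-up) would keep the IPv4 and IPv6 notifiers from drifting apart and give a single place to document why the retained "if (nlmsvc_rqst)" test alone is not enough.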
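
Review bot: the wait_event() added to lockd_unregister_notifiers() in the @@ -347,10 +356,12 @@ hunk can only return once the initial reference has been dropped, and in the visible lines that happens only in lockd_svc_exit_thread(), which calls atomic_dec() immediately before it. Any other caller that reaches lockd_unregister_notifiers() while that reference is still held would sleep here uninterruptibly, so a comment above the wait_event() stating the precondition would make the pairing checkable by the next reader.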
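
Review bot: atomic_inc(&nlm_ntf_refcnt) in lockd_start_svc() (@@ -375,6 +386,7 @@ hunk) has no visible counterpart for failures later in the function, since the hunk context ends at serv->sv_maxconn. Please confirm in a comment or the changelog that every error exit after this point goes through lockd_svc_exit_thread(); a leaked reference leaves the count above zero and the wait_event() in lockd_unregister_notifiers() would never complete.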