Subject: [PATCH 20/24] afs: Fix server record deletion [ver #7]
From: David Howells
To: viro@zeniv.linux.org.uk
Cc: linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-afs@lists.infradead.org
Date: Thu, 19 Apr 2018 14:33:28 +0100
Message-ID: <152414480842.23902.4728171251942557710.stgit@warthog.procyon.org.uk>
In-Reply-To: <152414466005.23902.12967974041384198114.stgit@warthog.procyon.org.uk>

AFS server records get removed from the net->fs_servers tree when they're
deleted, but not from the net->fs_addresses{4,6} lists, which can lead to an
oops in afs_find_server() when a server record has been removed, for instance
during rmmod.

Fix this by deleting the record from the by-address lists before posting it
for RCU destruction.

The reason this hasn't been noticed before is that the fileserver keeps
probing the local cache manager, thereby keeping the service record alive, so
the oops would only happen when a fileserver eventually gets bored and stops
pinging or if the module gets rmmod'd and a call comes in from the fileserver
during the window between the server records being destroyed and the socket
being closed.
The oops looks something like:

	BUG: unable to handle kernel NULL pointer dereference at 000000000000001c
	...
	Workqueue: kafsd afs_process_async_call [kafs]
	RIP: 0010:afs_find_server+0x271/0x36f [kafs]
	...
	Call Trace:
	 ? worker_thread+0x230/0x2ac
	 ? worker_thread+0x230/0x2ac
	 afs_deliver_cb_init_call_back_state3+0x1f2/0x21f [kafs]
	 afs_deliver_to_call+0x1ee/0x5e8 [kafs]
	 ? worker_thread+0x230/0x2ac
	 afs_process_async_call+0x5b/0xd0 [kafs]
	 process_one_work+0x2c2/0x504
	 ? worker_thread+0x230/0x2ac
	 worker_thread+0x1d4/0x2ac
	 ? rescuer_thread+0x29b/0x29b
	 kthread+0x11f/0x127
	 ? kthread_create_on_node+0x3f/0x3f
	 ret_from_fork+0x24/0x30

Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation")
Signed-off-by: David Howells
---
 fs/afs/server.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/fs/afs/server.c b/fs/afs/server.c index e23be63998a8..629c74986cff 100644 --- a/fs/afs/server.c +++ b/fs/afs/server.c @@ -428,8 +428,15 @@ static void afs_gc_servers(struct afs_net *net, struct afs_server *gc_list) } write_sequnlock(&net->fs_lock); - if (deleted) + if (deleted) { + write_seqlock(&net->fs_addr_lock); + if (!hlist_unhashed(&server->addr4_link)) + hlist_del_rcu(&server->addr4_link); + if (!hlist_unhashed(&server->addr6_link)) + hlist_del_rcu(&server->addr6_link); + write_sequnlock(&net->fs_addr_lock); afs_destroy_server(net, server); + } } }
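
Review bot: The by-address unlinking in the new `if (deleted) {` block only starts after `write_sequnlock(&net->fs_lock)`, so between dropping fs_lock and taking fs_addr_lock the record is already out of the fs_servers tree but still linked through addr4_link/addr6_link. The changelog ties the oops in afs_find_server() to those lists, so a short comment here should state what makes a lookup in that gap safe (readers under RCU with the free deferred past a grace period, as "before posting it for RCU destruction" suggests), or the unlink should move under fs_lock if the lock ordering permits. A second point on the same lines: hlist_del_rcu() leaves the node's pprev poisoned rather than NULL, so the `hlist_unhashed()` tests only cover a record that was never added to an address list and do not make a repeated removal safe; if any other path can unlink the same record, hlist_del_init_rcu() would be the safer call, and if none can, saying so in the comment would help the next reader.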