From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, David Howells, Linus Torvalds, Sasha Levin
Subject: [PATCH 4.16 062/279] afs: Fix server record deletion
Date: Mon, 18 Jun 2018 10:10:47 +0200
Message-Id: <20180618080611.400153532@linuxfoundation.org>
In-Reply-To: <20180618080608.851973560@linuxfoundation.org>
References: <20180618080608.851973560@linuxfoundation.org>

4.16-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Howells

[ Upstream commit 660625922b3d9fcb376e5870299bc5c1086e1d32 ]

AFS server records get removed from the net->fs_servers tree when they're
deleted, but not from the net->fs_addresses{4,6} lists, which can lead to
an oops in afs_find_server() when a server record has been removed, for
instance during rmmod.

Fix this by deleting the record from the by-address lists before posting
it for RCU destruction.

The reason this hasn't been noticed before is that the fileserver keeps
probing the local cache manager, thereby keeping the service record alive,
so the oops would only happen when a fileserver eventually gets bored and
stops pinging or if the module gets rmmod'd and a call comes in from the
fileserver during the window between the server records being destroyed
and the socket being closed.

The oops looks something like:

    BUG: unable to handle kernel NULL pointer dereference at 000000000000001c
    ...
    Workqueue: kafsd afs_process_async_call [kafs]
    RIP: 0010:afs_find_server+0x271/0x36f [kafs]
    ...
    Call Trace:
     afs_deliver_cb_init_call_back_state3+0x1f2/0x21f [kafs]
     afs_deliver_to_call+0x1ee/0x5e8 [kafs]
     afs_process_async_call+0x5b/0xd0 [kafs]
     process_one_work+0x2c2/0x504
     worker_thread+0x1d4/0x2ac
     kthread+0x11f/0x127
     ret_from_fork+0x24/0x30

Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation")
Signed-off-by: David Howells
Signed-off-by: Linus Torvalds
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
 fs/afs/server.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/fs/afs/server.c
+++ b/fs/afs/server.c
@@ -426,8 +426,15 @@ static void afs_gc_servers(struct afs_ne } write_sequnlock(&net->fs_lock); - if (deleted) + if (deleted) { + write_seqlock(&net->fs_addr_lock); + if (!hlist_unhashed(&server->addr4_link)) + hlist_del_rcu(&server->addr4_link); + if (!hlist_unhashed(&server->addr6_link)) + hlist_del_rcu(&server->addr6_link); + write_sequnlock(&net->fs_addr_lock); afs_destroy_server(net, server); + } } }
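
Review bot: The by-address unlink in afs_gc_servers() only starts after write_sequnlock(&net->fs_lock), so between that unlock and write_seqlock(&net->fs_addr_lock) the record is already gone from the fs_servers tree but still reachable through addr4_link/addr6_link. The hunk does not show what stops a lookup by address from picking up the dying record in that gap, so it is worth confirming that afs_find_server() cannot take a new reference on a record the GC has already committed to deleting, and saying so in a comment. The new block also carries no comment stating the ordering it depends on, namely that both hlist_del_rcu() calls must complete before afs_destroy_server(net, server) posts the record for RCU destruction; a one-line comment above write_seqlock(&net->fs_addr_lock) would keep a later refactor from reordering them. The hlist_unhashed() guards are reasonable for a server that has only one address family linked, and a short note to that effect would help readers who wonder why the deletes are conditional.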