Received: by 2002:a05:6a10:9e8c:0:0:0:0 with SMTP id y12csp458308pxx;
        Wed, 28 Oct 2020 08:48:17 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyENKytWn2fyDLJsyFt02lSbpeCkHobeoXkUGw9m0oOloegub8irb7RSVjCWoxkClc+VuY+
X-Received: by 2002:a17:906:8891:: with SMTP id ak17mr8077664ejc.176.1603900097529;
        Wed, 28 Oct 2020 08:48:17 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1603900097; cv=none;
        d=google.com; s=arc-20160816;
        b=LsGtBZeEiO9wXMTroQsn2Tp+UE2TN6WbuiUie8tNPbNwhfoKAjIwyYo3PK3Hki0PcI
         Z/a47cKkrdcjd+wXVQMYqFUw+mS214y+CRcxS1KbdcJ/qofpOYh9c8Dj2jwcE0S55XCj
         lkO9QBt5jnLME8GioctXeTiEREDcy1A8Bb6jQXoLsOgj4g+70471RBWBhZ1OOc4kEsQL
         ia5JyIYNOq56ZJjSWi9JYEE0j38HJYD71z/dpGSiRlysJbhGX9qJofTPszjP6AOPhpE4
         i2TRuAhAuQy9i68xuZUMecslOQ2xcQqqExUMfoWpm9uVZ+1dyAMRTwfv9DcjTnvbKqoU
         k9Rw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=uFGBbC0xYToi4UJzBXMKbewYY26FPVE+kVo+X1hR0sk=;
        b=n/6tox+7Ay8jNb/afGg3gg4NcMlCbi+tYhKHhTeGHVDxj/zWKR8nzMkUvGiF9wApl1
         akmM55oj1volAnfrQuyfNICqIlhMTX1yYziZUEY1JcrrgWKOc4mEBsfJLwjBNNqp+IW7
         xpGg1+OE6iRxY63ratpv9heeqeSVBvS7EvKiK8hpdu67fqOR2PNXpzcu0Iechw+IRITQ
         htyEdn9H7ZUdyP/Xj3rv/x5PwGxAdMKBNXUeEON7553O76fppklDDeKFG1HmOGcYTgum
         eKUAZLdgSue7Sd43darLcwpAkaICO5arG68jAXaQGHMgAn2diirUlVKRoXQbNO/NeWu7
         CPTQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=rVVnl34F;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id w17si2969573ejk.629.2020.10.28.08.47.54;
        Wed, 28 Oct 2020 08:48:17 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=rVVnl34F;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1813140AbgJ0Qsa (ORCPT <rfc822;wxiaokuan@gmail.com> + 99 others);
        Tue, 27 Oct 2020 12:48:30 -0400
Received: from mail.kernel.org ([198.145.29.99]:33784 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S368820AbgJ0Plp (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 27 Oct 2020 11:41:45 -0400
Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id C7B7F22400;
        Tue, 27 Oct 2020 15:41:42 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1603813303;
        bh=5t9QDxblpJ8geg63n7LhYS2FNWEyr94Znyehb6jAWLA=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=rVVnl34FWH/KxK/8/JMY8IoRip5mgcgfO+A2q9XSiemJz2f4zjMDhuZDjWaTe5Ny+
         i+Z7kH3Kb7zNd7NWxpFuqLARNB6aonLGicHrJ66wdnbDw1XLyBduqus3LXyeqOY4bN
         4jeG2K1ss8uSMUH9sSwbILGk8qpYt/L6xjEnvcjY=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        syzbot+b994ecf2b023f14832c1@syzkaller.appspotmail.com,
        syzbot+0e0db88e1eb44a91ae8d@syzkaller.appspotmail.com,
        syzbot+2d0585e5efcd43d113c2@syzkaller.appspotmail.com,
        syzbot+1ecc2f9d3387f1d79d42@syzkaller.appspotmail.com,
        syzbot+18d51774588492bf3f69@syzkaller.appspotmail.com,
        syzbot+a5e4946b04d6ca8fa5f3@syzkaller.appspotmail.com,
        Hillf Danton <hdanton@sina.com>,
        David Howells <dhowells@redhat.com>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.9 505/757] afs: Fix cell removal
Date:   Tue, 27 Oct 2020 14:52:35 +0100
Message-Id: <20201027135514.139910764@linuxfoundation.org>
X-Mailer: git-send-email 2.29.1
In-Reply-To: <20201027135450.497324313@linuxfoundation.org>
References: <20201027135450.497324313@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: David Howells <dhowells@redhat.com>

[ Upstream commit 1d0e850a49a5b56f8f3cb51e74a11e2fedb96be6 ]

Fix cell removal by inserting a more final state than AFS_CELL_FAILED that
indicates that the cell has been unpublished in case the manager is already
requeued and will go through again.  The new AFS_CELL_REMOVED state will
just immediately leave the manager function.

Going through a second time in the AFS_CELL_FAILED state will cause it to
try to remove the cell again, potentially leading to the proc list being
removed.

Fixes: 989782dcdc91 ("afs: Overhaul cell database management")
Reported-by: syzbot+b994ecf2b023f14832c1@syzkaller.appspotmail.com
Reported-by: syzbot+0e0db88e1eb44a91ae8d@syzkaller.appspotmail.com
Reported-by: syzbot+2d0585e5efcd43d113c2@syzkaller.appspotmail.com
Reported-by: syzbot+1ecc2f9d3387f1d79d42@syzkaller.appspotmail.com
Reported-by: syzbot+18d51774588492bf3f69@syzkaller.appspotmail.com
Reported-by: syzbot+a5e4946b04d6ca8fa5f3@syzkaller.appspotmail.com
Suggested-by: Hillf Danton <hdanton@sina.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Hillf Danton <hdanton@sina.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/afs/cell.c     | 16 ++++++++++------
 fs/afs/internal.h |  1 +
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/fs/afs/cell.c b/fs/afs/cell.c
index 1944be78e9b0d..bc7ed46aaca9f 100644
--- a/fs/afs/cell.c
+++ b/fs/afs/cell.c
@@ -291,11 +291,11 @@ struct afs_cell *afs_lookup_cell(struct afs_net *net,
 	wait_var_event(&cell->state,
 		       ({
 			       state = smp_load_acquire(&cell->state); /* vs error */
-			       state == AFS_CELL_ACTIVE || state == AFS_CELL_FAILED;
+			       state == AFS_CELL_ACTIVE || state == AFS_CELL_REMOVED;
 		       }));
 
 	/* Check the state obtained from the wait check. */
-	if (state == AFS_CELL_FAILED) {
+	if (state == AFS_CELL_REMOVED) {
 		ret = cell->error;
 		goto error;
 	}
@@ -700,7 +700,6 @@ static void afs_deactivate_cell(struct afs_net *net, struct afs_cell *cell)
 static void afs_manage_cell(struct afs_cell *cell)
 {
 	struct afs_net *net = cell->net;
-	bool deleted;
 	int ret, active;
 
 	_enter("%s", cell->name);
@@ -712,13 +711,15 @@ static void afs_manage_cell(struct afs_cell *cell)
 	case AFS_CELL_FAILED:
 		down_write(&net->cells_lock);
 		active = 1;
-		deleted = atomic_try_cmpxchg_relaxed(&cell->active, &active, 0);
-		if (deleted) {
+		if (atomic_try_cmpxchg_relaxed(&cell->active, &active, 0)) {
 			rb_erase(&cell->net_node, &net->cells);
+			smp_store_release(&cell->state, AFS_CELL_REMOVED);
 		}
 		up_write(&net->cells_lock);
-		if (deleted)
+		if (cell->state == AFS_CELL_REMOVED) {
+			wake_up_var(&cell->state);
 			goto final_destruction;
+		}
 		if (cell->state == AFS_CELL_FAILED)
 			goto done;
 		smp_store_release(&cell->state, AFS_CELL_UNSET);
@@ -760,6 +761,9 @@ static void afs_manage_cell(struct afs_cell *cell)
 		wake_up_var(&cell->state);
 		goto again;
 
+	case AFS_CELL_REMOVED:
+		goto done;
+
 	default:
 		break;
 	}
diff --git a/fs/afs/internal.h b/fs/afs/internal.h
index 0363511290c8d..06e617ee4cd1e 100644
--- a/fs/afs/internal.h
+++ b/fs/afs/internal.h
@@ -326,6 +326,7 @@ enum afs_cell_state {
 	AFS_CELL_DEACTIVATING,
 	AFS_CELL_INACTIVE,
 	AFS_CELL_FAILED,
+	AFS_CELL_REMOVED,
 };
 
 /*
-- 
2.25.1