From: NeilBrown
To: Yihao Wu, "J . Bruce Fields", Chuck Lever, Sasha Levin
Date: Mon, 06 Apr 2020 10:03:41 +1000
Cc: linux-nfs@vger.kernel.org
Subject: Re: [PATCH v3] SUNRPC/cache: Fix unsafe traverse caused double-free in cache_purge
In-Reply-To:
References: <4568a7cf87f110b8e59fda6f53fda34c550ab403.1586108200.git.wuyihao@linux.alibaba.com>
Message-ID: <87sghhwkde.fsf@notabene.neil.brown.name>
X-Mailing-List: linux-nfs@vger.kernel.org

On Mon, Apr 06 2020, Yihao Wu wrote:
> Deleting a list entry within hlist_for_each_entry_safe is not safe unless
> the next pointer (tmp) is protected too. It's not, because once hash_lock
> is released, cache_clean may delete the entry that tmp points to. Then
> cache_purge can walk to a deleted entry and try to double-free it.
>
> Fix this bug by holding only the deleted entry's reference.
>
> Signed-off-by: Yihao Wu
> ---
> v1->v2: Use Neil's better solution
> v2->v3: Fix a checkscript warning
>
>  net/sunrpc/cache.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
> index af0ddd28b081..b445874e8e2f 100644
> --- a/net/sunrpc/cache.c
> +++ b/net/sunrpc/cache.c
> @@ -541,7 +541,9 @@ void cache_purge(struct cache_detail *detail)
>  	dprintk("RPC: %d entries in %s cache\n", detail->entries, detail->name);
>  	for (i = 0; i < detail->hash_size; i++) {
>  		head = &detail->hash_table[i];
> -		hlist_for_each_entry_safe(ch, tmp, head, cache_list) {
> +		while (!hlist_empty(head)) {
> +			ch = hlist_entry(head->first, struct cache_head,
> +					 cache_list);
>  			sunrpc_begin_cache_remove_entry(ch, detail);
>  			spin_unlock(&detail->hash_lock);
>  			sunrpc_end_cache_remove_entry(ch, detail);
> --
> 2.20.1.2432.ga663e714

Reviewed-by: NeilBrown

Thanks for finding the bug and testing the solution!

NeilBrown
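Review bot: the new `while (!hlist_empty(head))` loop in this hunk terminates only if sunrpc_begin_cache_remove_entry(ch, detail) unconditionally unhashes `ch` from `head` while hash_lock is still held; with hlist_for_each_entry_safe an entry left on the list was simply walked past, whereas here `hlist_entry(head->first, ...)` would hand back the same entry on every pass, so that invariant deserves a one-line comment above the loop. Separately, `tmp` is no longer referenced once the hlist_for_each_entry_safe line is gone, and the diffstat (3 insertions, 1 deletion) shows its declaration was not removed, which will draw an unused-variable warning; drop the declaration of `tmp` in the same patch.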
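As an added illustration that is not part of the patch or of the kernel source, the C program below models the race the commit message describes on a minimal hlist: a walk that caches the next pointer before the lock is dropped (as hlist_for_each_entry_safe does) revisits an entry that a simulated concurrent cache_clean() already removed, while re-reading head->first on every pass, as the patch does, never does. The types and functions (struct node, unhash, concurrent_clean, purge_cached_next, purge_from_head, run) and the three-entry chain are constructed for this example; freed entries are flagged rather than free()d so the stale access is counted instead of being undefined behaviour.

```c
/* Minimal hlist modelled on the kernel's hlist_head/hlist_node (constructed). */
struct node { struct node *next; int freed; };
struct head { struct node *first; };
/* Unhash n if it is still on the list; a no-op otherwise. */
static void unhash(struct head *h, struct node *n)
{
	struct node **pp;
	for (pp = &h->first; *pp; pp = &(*pp)->next)
		if (*pp == n) { *pp = n->next; return; }
}

/* Stand-in for cache_clean() running while hash_lock is dropped. Freed nodes
 * are flagged, not free()d, so a later stale access is countable, not UB. */
static void concurrent_clean(struct head *h, struct node *victim)
{
	if (!victim->freed) { unhash(h, victim); victim->freed = 1; }
}

/* Old cache_purge: next pointer cached before the lock is dropped, as in
 * hlist_for_each_entry_safe. Returns how many already-freed entries it visited. */
static int purge_cached_next(struct head *h, struct node *victim)
{
	struct node *ch, *tmp;
	int stale = 0;
	for (ch = h->first; ch; ch = tmp) {
		tmp = ch->next;               /* tmp is not protected by anything */
		stale += ch->freed;           /* visiting a freed entry: the double free */
		unhash(h, ch); ch->freed = 1; /* begin/end_cache_remove_entry */
		concurrent_clean(h, victim);  /* hash_lock is released here */
	}
	return stale;
}

/* Patched cache_purge: re-read head->first under the lock on every pass. */
static int purge_from_head(struct head *h, struct node *victim)
{
	int stale = 0;
	while (h->first) {
		struct node *ch = h->first;   /* hlist_entry(head->first, ...) */
		stale += ch->freed;
		unhash(h, ch); ch->freed = 1;
		concurrent_clean(h, victim);
	}
	return stale;
}

/* Constructed three-entry chain a->b->c; the cleaner removes b mid-walk. */
static int run(int (*purge)(struct head *, struct node *))
{
	struct node c = { 0, 0 }, b = { &c, 0 }, a = { &b, 0 };
	struct head h = { &a };
	return purge(&h, &b);
}
```

run(purge_cached_next) returns 1 (the walk lands on the entry the cleaner freed), run(purge_from_head) returns 0.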