    afs: Refcount the afs_call struct · 341f741f
    Committed by David Howells
    A static checker warning occurs in the AFS filesystem:
    
    	fs/afs/cmservice.c:155 SRXAFSCB_CallBack()
    	error: dereferencing freed memory 'call'
    
    due to the reply being sent before we access the server it points to.  The
    act of sending the reply causes the call to be freed if an error occurs
    (but not if it doesn't).
    
    On top of this, the lifetime handling of afs_call structs is fragile
    because they get passed around through workqueues without any sort of
    refcounting.
    
    Deal with the issues by:
    
     (1) Fix the maybe/maybe not nature of the reply sending functions with
         regards to whether they release the call struct.
    
     (2) Refcount the afs_call struct and sort out places that need to get/put
         references.
    
     (3) Pass a ref through the work queue and release (or pass on) that ref in
         the work function.  Care has to be taken because a work queue may
         already own a ref to the call.
    
     (4) Do the cleaning up in the put function only.
    
     (5) Simplify module cleanup by always incrementing afs_outstanding_calls
         whenever a call is allocated.
    
     (6) Set the backlog to 0 with kernel_listen() at the beginning of the
         process of closing the socket to prevent new incoming calls from
         occurring and to remove the contribution of preallocated calls from
         afs_outstanding_calls before we wait on it.
    
    A tracepoint is also added to monitor the afs_call refcount and lifetime.

    Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Fixes: 08e0e7c8: "[AF_RXRPC]: Make the in-kernel AFS filesystem use AF_RXRPC."
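A userspace C model of the lifetime scheme described in points (1), (3), (4) and (5) above, added here as an illustration; it is not code from this commit or from the kernel, and every name in it (model_call, model_put_call, model_work_fn, ...) is constructed for the example. The reply sender reports failure without dropping the caller's reference, the queued work item consumes its own reference, and freeing happens only in the put function.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for afs_call: a refcount plus the data a reply
 * handler needs to touch after the reply has gone out. */
struct model_call {
    int  refcount;      /* number of owners of this struct */
    int  reply_error;   /* constructed knob: nonzero makes the reply fail */
    char server[16];    /* stands in for the server the call points to */
};

static int model_outstanding_calls;  /* bumped on every allocation, as in (5) */
static int model_freed_calls;        /* lets a caller confirm no leak/double free */

static struct model_call *model_alloc_call(const char *server, int reply_error)
{
    struct model_call *call = calloc(1, sizeof(*call));
    if (!call)
        return NULL;
    call->refcount = 1;                      /* the allocator's reference */
    call->reply_error = reply_error;
    strncpy(call->server, server, sizeof(call->server) - 1);
    model_outstanding_calls++;
    return call;
}

static struct model_call *model_get_call(struct model_call *call)
{
    call->refcount++;
    return call;
}

/* The only place a call is ever freed, per (4). */
static void model_put_call(struct model_call *call)
{
    if (--call->refcount == 0) {
        free(call);
        model_outstanding_calls--;
        model_freed_calls++;
    }
}

/* Fixed reply sender, per (1): reports the error, never releases the call. */
static int model_send_reply(struct model_call *call)
{
    return call->reply_error ? -1 : 0;
}

/* Work function, per (3): owns the reference that was queued with it and
 * releases it on exit, so touching call->server after the reply is safe
 * whether or not the reply failed. */
static int model_work_fn(struct model_call *call)
{
    int ret = model_send_reply(call);
    int len = (int)strlen(call->server);   /* the access that used to be a UAF */
    model_put_call(call);
    return ret == 0 ? len : ret;
}

/* Submitter hands a fresh reference to the work item and keeps its own. */
static int model_run(const char *server, int reply_error)
{
    struct model_call *call = model_alloc_call(server, reply_error);
    if (!call)
        return -2;
    int ret = model_work_fn(model_get_call(call));
    model_put_call(call);                    /* submitter's reference */
    return ret;
}
```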