1. 17 10月, 2020 14 次提交
  2. 16 10月, 2020 6 次提交
    • D
      afs: Don't assert on unpurgeable server records · 7530d3eb
      David Howells 提交于
      Don't give an assertion failure on unpurgeable afs_server records - which
      kills the thread - but rather emit a trace line when we are purging a
      record (which only happens during network namespace removal or rmmod) and
      print a notice of the problem.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      7530d3eb
    • D
      afs: Add tracing for cell refcount and active user count · dca54a7b
      David Howells 提交于
      Add a tracepoint to log the cell refcount and active user count and pass in
      a reason code through various functions that manipulate these counters.
      
      Additionally, a helper function, afs_see_cell(), is provided to log
      interesting places that deal with a cell without actually doing any
      accounting directly.
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      dca54a7b
    • D
      afs: Fix cell removal · 1d0e850a
      David Howells 提交于
      Fix cell removal by inserting a more final state than AFS_CELL_FAILED that
      indicates that the cell has been unpublished in case the manager is already
      requeued and will go through again.  The new AFS_CELL_REMOVED state will
      just immediately leave the manager function.
      
      Going through a second time in the AFS_CELL_FAILED state will cause it to
      try to remove the cell again, potentially leading to the proc list being
      removed.
      
      Fixes: 989782dc ("afs: Overhaul cell database management")
      Reported-by: syzbot+b994ecf2b023f14832c1@syzkaller.appspotmail.com
      Reported-by: syzbot+0e0db88e1eb44a91ae8d@syzkaller.appspotmail.com
      Reported-by: syzbot+2d0585e5efcd43d113c2@syzkaller.appspotmail.com
      Reported-by: syzbot+1ecc2f9d3387f1d79d42@syzkaller.appspotmail.com
      Reported-by: syzbot+18d51774588492bf3f69@syzkaller.appspotmail.com
      Reported-by: syzbot+a5e4946b04d6ca8fa5f3@syzkaller.appspotmail.com
      Suggested-by: NHillf Danton <hdanton@sina.com>
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      cc: Hillf Danton <hdanton@sina.com>
      1d0e850a
    • D
      afs: Fix cell purging with aliases · 286377f6
      David Howells 提交于
      When the afs module is removed, one of the things that has to be done is to
      purge the cell database.  afs_cell_purge() cancels the management timer and
      then starts the cell manager work item to do the purging.  This does a
      single run through and then assumes that all cells are now purged - but
      this is no longer the case.
      
      With the introduction of alias detection, a later cell in the database can
      now be holding an active count on an earlier cell (cell->alias_of).  The
      purge scan passes by the earlier cell first, but this can't be got rid of
      until it has discarded the alias.  Ordinarily, afs_unuse_cell() would
      handle this by setting the management timer to trigger another pass - but
      afs_set_cell_timer() doesn't do anything if the namespace is being removed
      (net->live == false).  rmmod then hangs in the wait on cells_outstanding in
      afs_cell_purge().
      
      Fix this by making afs_set_cell_timer() directly queue the cell manager if
      net->live is false.  This causes additional management passes.
      
      Queueing the cell manager increments cells_outstanding to make sure the
      wait won't complete until all cells are destroyed.
      
      Fixes: 8a070a96 ("afs: Detect cell aliases 1 - Cells with root volumes")
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      286377f6
    • D
      afs: Fix cell refcounting by splitting the usage counter · 88c853c3
      David Howells 提交于
      Management of the lifetime of afs_cell struct has some problems due to the
      usage counter being used to determine whether objects of that type are in
      use in addition to whether anyone might be interested in the structure.
      
      This is made trickier by cell objects being cached for a period of time in
      case they're quickly reused as they hold the result of a setup process that
      may be slow (DNS lookups, AFS RPC ops).
      
      Problems include the cached root volume from alias resolution pinning its
      parent cell record, rmmod occasionally hanging and occasionally producing
      assertion failures.
      
      Fix this by splitting the count of active users from the struct reference
      count.  Things then work as follows:
      
       (1) The cell cache keeps +1 on the cell's activity count and this has to
           be dropped before the cell can be removed.  afs_manage_cell() tries to
           exchange the 1 to a 0 with the cells_lock write-locked, and if
           successful, the record is removed from the net->cells.
      
       (2) One struct ref is 'owned' by the activity count.  That is put when the
           active count is reduced to 0 (final_destruction label).
      
       (3) A ref can be held on a cell whilst it is queued for management on a
           work queue without confusing the active count.  afs_queue_cell() is
           added to wrap this.
      
       (4) The queue's ref is dropped at the end of the management.  This is
           split out into a separate function, afs_manage_cell_work().
      
       (5) The root volume record is put after a cell is removed (at the
           final_destruction label) rather then in the RCU destruction routine.
      
       (6) Volumes hold struct refs, but aren't active users.
      
       (7) Both counts are displayed in /proc/net/afs/cells.
      
      There are some management function changes:
      
       (*) afs_put_cell() now just decrements the refcount and triggers the RCU
           destruction if it becomes 0.  It no longer sets a timer to have the
           manager do this.
      
       (*) afs_use_cell() and afs_unuse_cell() are added to increase and decrease
           the active count.  afs_unuse_cell() sets the management timer.
      
       (*) afs_queue_cell() is added to queue a cell with approprate refs.
      
      There are also some other fixes:
      
       (*) Don't let /proc/net/afs/cells access a cell's vllist if it's NULL.
      
       (*) Make sure that candidate cells in lookups are properly destroyed
           rather than being simply kfree'd.  This ensures the bits it points to
           are destroyed also.
      
       (*) afs_dec_cells_outstanding() is now called in cell destruction rather
           than at "final_destruction".  This ensures that cell->net is still
           valid to the end of the destructor.
      
       (*) As a consequence of the previous two changes, move the increment of
           net->cells_outstanding that was at the point of insertion into the
           tree to the allocation routine to correctly balance things.
      
      Fixes: 989782dc ("afs: Overhaul cell database management")
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      88c853c3
    • D
      afs: Fix rapid cell addition/removal by not using RCU on cells tree · 92e3cc91
      David Howells 提交于
      There are a number of problems that are being seen by the rapidly mounting
      and unmounting an afs dynamic root with an explicit cell and volume
      specified (which should probably be rejected, but that's a separate issue):
      
      What the tests are doing is to look up/create a cell record for the name
      given and then tear it down again without actually using it to try to talk
      to a server.  This is repeated endlessly, very fast, and the new cell
      collides with the old one if it's not quick enough to reuse it.
      
      It appears (as suggested by Hillf Danton) that the search through the RB
      tree under a read_seqbegin_or_lock() under RCU conditions isn't safe and
      that it's not blocking the write_seqlock(), despite taking two passes at
      it.  He suggested that the code should take a ref on the cell it's
      attempting to look at - but this shouldn't be necessary until we've
      compared the cell names.  It's possible that I'm missing a barrier
      somewhere.
      
      However, using an RCU search for this is overkill, really - we only need to
      access the cell name in a few places, and they're places where we're may
      end up sleeping anyway.
      
      Fix this by switching to an R/W semaphore instead.
      
      Additionally, draw the down_read() call inside the function (renamed to
      afs_find_cell()) since all the callers were taking the RCU read lock (or
      should've been[*]).
      
      [*] afs_probe_cell_name() should have been, but that doesn't appear to be
      involved in the bug reports.
      
      The symptoms of this look like:
      
      	general protection fault, probably for non-canonical address 0xf27d208691691fdb: 0000 [#1] PREEMPT SMP KASAN
      	KASAN: maybe wild-memory-access in range [0x93e924348b48fed8-0x93e924348b48fedf]
      	...
      	RIP: 0010:strncasecmp lib/string.c:52 [inline]
      	RIP: 0010:strncasecmp+0x5f/0x240 lib/string.c:43
      	 afs_lookup_cell_rcu+0x313/0x720 fs/afs/cell.c:88
      	 afs_lookup_cell+0x2ee/0x1440 fs/afs/cell.c:249
      	 afs_parse_source fs/afs/super.c:290 [inline]
      	...
      
      Fixes: 989782dc ("afs: Overhaul cell database management")
      Reported-by: syzbot+459a5dce0b4cb70fd076@syzkaller.appspotmail.com
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      cc: Hillf Danton <hdanton@sina.com>
      cc: syzkaller-bugs@googlegroups.com
      92e3cc91
  3. 15 10月, 2020 3 次提交
    • A
      fs: fix NULL dereference due to data race in prepend_path() · 09cad075
      Andrii Nakryiko 提交于
      Fix data race in prepend_path() with re-reading mnt->mnt_ns twice
      without holding the lock.
      
      is_mounted() does check for NULL, but is_anon_ns(mnt->mnt_ns) might
      re-read the pointer again which could be NULL already, if in between
      reads one of kern_unmount()/kern_unmount_array()/umount_tree() sets
      mnt->mnt_ns to NULL.
      
      This is seen in production with the following stack trace:
      
        BUG: kernel NULL pointer dereference, address: 0000000000000048
        ...
        RIP: 0010:prepend_path.isra.4+0x1ce/0x2e0
        Call Trace:
          d_path+0xe6/0x150
          proc_pid_readlink+0x8f/0x100
          vfs_readlink+0xf8/0x110
          do_readlinkat+0xfd/0x120
          __x64_sys_readlinkat+0x1a/0x20
          do_syscall_64+0x42/0x110
          entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: f2683bd8 ("[PATCH] fix d_absolute_path() interplay with fsmount()")
      Signed-off-by: NAndrii Nakryiko <andrii@kernel.org>
      Reviewed-by: NJosef Bacik <josef@toxicpanda.com>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      09cad075
    • C
      f2fs: code cleanup by removing unnecessary check · 788e96d1
      Chengguang Xu 提交于
      f2fs_seek_block() is only used for regular file,
      so don't have to check inline dentry in it.
      Signed-off-by: NChengguang Xu <cgxu519@mykernel.net>
      Reviewed-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      788e96d1
    • J
      f2fs: wait for sysfs kobject removal before freeing f2fs_sb_info · ae284d87
      Jamie Iles 提交于
      syzkaller found that with CONFIG_DEBUG_KOBJECT_RELEASE=y, unmounting an
      f2fs filesystem could result in the following splat:
      
        kobject: 'loop5' ((____ptrval____)): kobject_release, parent 0000000000000000 (delayed 250)
        kobject: 'f2fs_xattr_entry-7:5' ((____ptrval____)): kobject_release, parent 0000000000000000 (delayed 750)
        ------------[ cut here ]------------
        ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x98
        WARNING: CPU: 0 PID: 699 at lib/debugobjects.c:485 debug_print_object+0x180/0x240
        Kernel panic - not syncing: panic_on_warn set ...
        CPU: 0 PID: 699 Comm: syz-executor.5 Tainted: G S                5.9.0-rc8+ #101
        Hardware name: linux,dummy-virt (DT)
        Call trace:
         dump_backtrace+0x0/0x4d8
         show_stack+0x34/0x48
         dump_stack+0x174/0x1f8
         panic+0x360/0x7a0
         __warn+0x244/0x2ec
         report_bug+0x240/0x398
         bug_handler+0x50/0xc0
         call_break_hook+0x160/0x1d8
         brk_handler+0x30/0xc0
         do_debug_exception+0x184/0x340
         el1_dbg+0x48/0xb0
         el1_sync_handler+0x170/0x1c8
         el1_sync+0x80/0x100
         debug_print_object+0x180/0x240
         debug_check_no_obj_freed+0x200/0x430
         slab_free_freelist_hook+0x190/0x210
         kfree+0x13c/0x460
         f2fs_put_super+0x624/0xa58
         generic_shutdown_super+0x120/0x300
         kill_block_super+0x94/0xf8
         kill_f2fs_super+0x244/0x308
         deactivate_locked_super+0x104/0x150
         deactivate_super+0x118/0x148
         cleanup_mnt+0x27c/0x3c0
         __cleanup_mnt+0x28/0x38
         task_work_run+0x10c/0x248
         do_notify_resume+0x9d4/0x1188
         work_pending+0x8/0x34c
      
      Like the error handling for f2fs_register_sysfs(), we need to wait for
      the kobject to be destroyed before returning to prevent a potential
      use-after-free.
      
      Fixes: bf9e697e ("f2fs: expose features to sysfs entry")
      Cc: Jaegeuk Kim <jaegeuk@kernel.org>
      Cc: Chao Yu <chao@kernel.org>
      Signed-off-by: NJamie Iles <jamie@nuviainc.com>
      Reviewed-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      ae284d87
  4. 14 10月, 2020 13 次提交
  5. 11 10月, 2020 4 次提交
    • V
      cifs: Fix incomplete memory allocation on setxattr path · 64b7f674
      Vladimir Zapolskiy 提交于
      On setxattr() syscall path due to an apprent typo the size of a dynamically
      allocated memory chunk for storing struct smb2_file_full_ea_info object is
      computed incorrectly, to be more precise the first addend is the size of
      a pointer instead of the wanted object size. Coincidentally it makes no
      difference on 64-bit platforms, however on 32-bit targets the following
      memcpy() writes 4 bytes of data outside of the dynamically allocated memory.
      
        =============================================================================
        BUG kmalloc-16 (Not tainted): Redzone overwritten
        -----------------------------------------------------------------------------
      
        Disabling lock debugging due to kernel taint
        INFO: 0x79e69a6f-0x9e5cdecf @offset=368. First byte 0x73 instead of 0xcc
        INFO: Slab 0xd36d2454 objects=85 used=51 fp=0xf7d0fc7a flags=0x35000201
        INFO: Object 0x6f171df3 @offset=352 fp=0x00000000
      
        Redzone 5d4ff02d: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc  ................
        Object 6f171df3: 00 00 00 00 00 05 06 00 73 6e 72 75 62 00 66 69  ........snrub.fi
        Redzone 79e69a6f: 73 68 32 0a                                      sh2.
        Padding 56254d82: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
        CPU: 0 PID: 8196 Comm: attr Tainted: G    B             5.9.0-rc8+ #3
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1 04/01/2014
        Call Trace:
         dump_stack+0x54/0x6e
         print_trailer+0x12c/0x134
         check_bytes_and_report.cold+0x3e/0x69
         check_object+0x18c/0x250
         free_debug_processing+0xfe/0x230
         __slab_free+0x1c0/0x300
         kfree+0x1d3/0x220
         smb2_set_ea+0x27d/0x540
         cifs_xattr_set+0x57f/0x620
         __vfs_setxattr+0x4e/0x60
         __vfs_setxattr_noperm+0x4e/0x100
         __vfs_setxattr_locked+0xae/0xd0
         vfs_setxattr+0x4e/0xe0
         setxattr+0x12c/0x1a0
         path_setxattr+0xa4/0xc0
         __ia32_sys_lsetxattr+0x1d/0x20
         __do_fast_syscall_32+0x40/0x70
         do_fast_syscall_32+0x29/0x60
         do_SYSENTER_32+0x15/0x20
         entry_SYSENTER_32+0x9f/0xf2
      
      Fixes: 5517554e ("cifs: Add support for writing attributes on SMB2+")
      Signed-off-by: NVladimir Zapolskiy <vladimir@tuxera.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      64b7f674
    • P
      io_uring: keep a pointer ref_node in file_data · b2e96852
      Pavel Begunkov 提交于
      ->cur_refs of struct fixed_file_data always points to percpu_ref
      embedded into struct fixed_file_ref_node. Don't overuse container_of()
      and offsetting, and point directly to fixed_file_ref_node.
      Signed-off-by: NPavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      b2e96852
    • P
      io_uring: refactor *files_register()'s error paths · 600cf3f8
      Pavel Begunkov 提交于
      Don't keep repeating cleaning sequences in error paths, write it once
      in the and use labels. It's less error prone and looks cleaner.
      Signed-off-by: NPavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      600cf3f8
    • P
      io_uring: clean file_data access in files_register · 5398ae69
      Pavel Begunkov 提交于
      Keep file_data in a local var and replace with it complex references
      such as ctx->file_data.
      Signed-off-by: NPavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      5398ae69