From: David Howells <dhowells@redhat.com>
To: Christian Brauner <christian@brauner.io>
Cc: David Howells <dhowells@redhat.com>,
Marc Dionne <marc.dionne@auristor.com>,
linux-afs@lists.infradead.org, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH v4 19/21] afs: Fix premature cell exposure through /afs
Date: Mon, 22 Jun 2026 10:08:53 +0100 [thread overview]
Message-ID: <20260622090856.2746629-20-dhowells@redhat.com> (raw)
In-Reply-To: <20260622090856.2746629-1-dhowells@redhat.com>
AFS cell records are prematurely exposured through the /afs dynamic root by
virtue of adding them immediately to the net->cells_dyn_ino IDR when the
cell is allocated rather than when it is added to the lookup tree. This
allows a candidate record to be accessed, even if it's actually a duplicate
or not published yet.
Fix this by not adding the cell to cells_dyn_ino until it's confirmed
non-duplicate and is being published. A flag is then used to record
whether it is added to the IDR to make removal from the IDR conditional.
Closes: https://sashiko.dev/#/patchset/20260618155141.2513212-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
---
fs/afs/cell.c | 27 +++++++++++++++++----------
fs/afs/internal.h | 1 +
2 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/fs/afs/cell.c b/fs/afs/cell.c
index 9d8937ae24e2..47a2645768d7 100644
--- a/fs/afs/cell.c
+++ b/fs/afs/cell.c
@@ -205,14 +205,7 @@ static struct afs_cell *afs_alloc_cell(struct afs_net *net,
cell->dns_source = vllist->source;
cell->dns_status = vllist->status;
smp_store_release(&cell->dns_lookup_count, 1); /* vs source/status */
- down_write(&net->cells_lock);
- ret = idr_alloc_cyclic(&net->cells_dyn_ino, cell,
- 2, INT_MAX / 2, GFP_KERNEL);
- up_write(&net->cells_lock);
- if (ret < 0)
- goto error;
atomic_inc(&net->cells_outstanding);
- cell->dynroot_ino = ret;
cell->debug_id = atomic_inc_return(&cell_debug_id);
trace_afs_cell(cell->debug_id, 1, 0, afs_cell_trace_alloc);
@@ -306,6 +299,13 @@ struct afs_cell *afs_lookup_cell(struct afs_net *net,
goto cell_already_exists;
}
+ ret = idr_alloc_cyclic(&net->cells_dyn_ino, candidate,
+ 2, INT_MAX / 2, GFP_KERNEL);
+ if (ret < 0)
+ goto cant_alloc_ino;
+ candidate->dynroot_ino = ret;
+ set_bit(AFS_CELL_FL_HAVE_INO, &candidate->flags);
+
cell = candidate;
candidate = NULL;
afs_use_cell(cell, trace);
@@ -380,6 +380,11 @@ struct afs_cell *afs_lookup_cell(struct afs_net *net,
_leave(" = %p [cell]", cell);
return cell;
+cant_alloc_ino:
+ up_write(&net->cells_lock);
+ afs_put_cell(candidate, afs_cell_trace_put_candidate);
+ goto error_noput;
+
cell_already_exists:
_debug("cell exists");
cell = cursor;
@@ -596,9 +601,11 @@ static void afs_destroy_cell_work(struct work_struct *work)
timer_delete_sync(&cell->management_timer);
cancel_work_sync(&cell->manager);
- down_write(&cell->net->cells_lock);
- idr_remove(&cell->net->cells_dyn_ino, cell->dynroot_ino);
- up_write(&cell->net->cells_lock);
+ if (test_bit(AFS_CELL_FL_HAVE_INO, &cell->flags)) {
+ down_write(&cell->net->cells_lock);
+ idr_remove(&cell->net->cells_dyn_ino, cell->dynroot_ino);
+ up_write(&cell->net->cells_lock);
+ }
call_rcu(&cell->rcu, afs_cell_destroy);
}
diff --git a/fs/afs/internal.h b/fs/afs/internal.h
index 785c646856d7..601f01e5c15f 100644
--- a/fs/afs/internal.h
+++ b/fs/afs/internal.h
@@ -388,6 +388,7 @@ struct afs_cell {
#define AFS_CELL_FL_NO_GC 0 /* The cell was added manually, don't auto-gc */
#define AFS_CELL_FL_DO_LOOKUP 1 /* DNS lookup requested */
#define AFS_CELL_FL_CHECK_ALIAS 2 /* Need to check for aliases */
+#define AFS_CELL_FL_HAVE_INO 3 /* Have dynroot_ino */
enum afs_cell_state state;
short error;
enum dns_record_source dns_source:8; /* Latest source of data from lookup */
next prev parent reply other threads:[~2026-06-22 9:10 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-22 9:08 [PATCH v4 00/21] afs: Miscellaneous fixes David Howells
2026-06-22 9:08 ` [PATCH v4 01/21] afs: handle CB.InitCallBackState3 requests without a server record David Howells
2026-06-22 9:08 ` [PATCH v4 02/21] afs: Fix error code in afs_extract_vl_addrs() David Howells
2026-06-22 9:08 ` [PATCH v4 03/21] afs: fix NULL pointer dereference in afs_get_tree() David Howells
2026-06-22 9:08 ` [PATCH v4 04/21] afs: Fix double netfs initialisation in afs_root_iget() David Howells
2026-06-22 9:08 ` [PATCH v4 05/21] afs: Remove setting of AS_RELEASE_ALWAYS for symlinks and mountpoints David Howells
2026-06-22 9:08 ` [PATCH v4 06/21] afs: Fix directory inode initialisation order David Howells
2026-06-22 9:08 ` [PATCH v4 07/21] afs: use kvfree() to free memory allocated by kvcalloc() David Howells
2026-06-22 9:08 ` [PATCH v4 08/21] afs: Remove erroneous seq |= 1 in volume lookup loop David Howells
2026-06-22 9:08 ` [PATCH v4 09/21] afs: check for duplicate servers in VL server list David Howells
2026-06-22 9:08 ` [PATCH v4 10/21] afs: Fix bulk lookup malfunction due to change in dir_emit() API David Howells
2026-06-22 9:08 ` [PATCH v4 11/21] afs: Fix misplaced inc of net->cells_outstanding David Howells
2026-06-22 9:08 ` [PATCH v4 12/21] afs: Fix reinitialisation of the inode, in particular ->lock_work David Howells
2026-06-22 9:08 ` [PATCH v4 13/21] afs: Fix callback service message parsers to pass through -EAGAIN David Howells
2026-06-22 9:08 ` [PATCH v4 14/21] afs: Use scoped_seqlock_read() rather than manually doing seqlock stuff David Howells
2026-06-22 9:08 ` [PATCH v4 15/21] afs: Fix missing NULL pointer check in afs_break_some_callbacks() David Howells
2026-06-22 9:08 ` [PATCH v4 16/21] afs: Fix leak of ungot volume David Howells
2026-06-22 9:08 ` [PATCH v4 17/21] afs: Fix vllist leak David Howells
2026-06-22 9:08 ` [PATCH v4 18/21] afs: Fix lack of locking around modifications of net->cells_dyn_ino David Howells
2026-06-22 9:08 ` David Howells [this message]
2026-06-22 9:29 ` [PATCH v4 19/21] afs: Fix premature cell exposure through /afs David Howells
2026-06-22 9:08 ` [PATCH v4 20/21] afs: Fix the volume AFS_VOLUME_RM_TREE is set on David Howells
2026-06-22 9:08 ` [PATCH v4 21/21] afs: Fix unchecked-length string display in debug statement David Howells
2026-06-22 14:37 ` [PATCH v4 00/21] afs: Miscellaneous fixes Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260622090856.2746629-20-dhowells@redhat.com \
--to=dhowells@redhat.com \
--cc=christian@brauner.io \
--cc=linux-afs@lists.infradead.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marc.dionne@auristor.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.