From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: David Howells <dhowells@redhat.com>,
Sasha Levin <sashal@kernel.org>,
linux-afs@lists.infradead.org
Subject: [PATCH AUTOSEL 4.19 44/45] afs: Fix leak in afs_lookup_cell_rcu()
Date: Thu, 29 Aug 2019 14:15:44 -0400 [thread overview]
Message-ID: <20190829181547.8280-44-sashal@kernel.org> (raw)
In-Reply-To: <20190829181547.8280-1-sashal@kernel.org>
From: David Howells <dhowells@redhat.com>
[ Upstream commit a5fb8e6c02d6a518fb2b1a2b8c2471fa77b69436 ]
Fix a leak on the cell refcount in afs_lookup_cell_rcu() due to
non-clearance of the default error in the case a NULL cell name is passed
and the workstation default cell is used.
Also put a bit at the end to make sure we don't leak a cell ref if we're
going to be returning an error.
This leak results in an assertion like the following when the kafs module is
unloaded:
AFS: Assertion failed
2 == 1 is false
0x2 == 0x1 is false
------------[ cut here ]------------
kernel BUG at fs/afs/cell.c:770!
...
RIP: 0010:afs_manage_cells+0x220/0x42f [kafs]
...
process_one_work+0x4c2/0x82c
? pool_mayday_timeout+0x1e1/0x1e1
? do_raw_spin_lock+0x134/0x175
worker_thread+0x336/0x4a6
? rescuer_thread+0x4af/0x4af
kthread+0x1de/0x1ee
? kthread_park+0xd4/0xd4
ret_from_fork+0x24/0x30
Fixes: 989782dcdc91 ("afs: Overhaul cell database management")
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/afs/cell.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/afs/cell.c b/fs/afs/cell.c
index 6127f0fcd62c4..ee07162d35c7a 100644
--- a/fs/afs/cell.c
+++ b/fs/afs/cell.c
@@ -76,6 +76,7 @@ struct afs_cell *afs_lookup_cell_rcu(struct afs_net *net,
cell = rcu_dereference_raw(net->ws_cell);
if (cell) {
afs_get_cell(cell);
+ ret = 0;
break;
}
ret = -EDESTADDRREQ;
@@ -110,6 +111,9 @@ struct afs_cell *afs_lookup_cell_rcu(struct afs_net *net,
done_seqretry(&net->cells_lock, seq);
+ if (ret != 0 && cell)
+ afs_put_cell(net, cell);
+
return ret == 0 ? cell : ERR_PTR(ret);
}
--
2.20.1
next prev parent reply other threads:[~2019-08-29 18:23 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-29 18:15 [PATCH AUTOSEL 4.19 01/45] net: tundra: tsi108: use spin_lock_irqsave instead of spin_lock_irq in IRQ context Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 02/45] netfilter: nf_tables: use-after-free in failing rule with bound set Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 03/45] rxrpc: Fix local endpoint refcounting Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 04/45] tools: bpftool: fix error message (prog -> object) Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 05/45] hv_netvsc: Fix a warning of suspicious RCU usage Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 06/45] net: tc35815: Explicitly check NET_IP_ALIGN is not zero in tc35815_rx Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 07/45] Bluetooth: btqca: Add a short delay before downloading the NVM Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 08/45] Bluetooth: hidp: Let hidp_send_message return number of queued bytes Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 09/45] ibmveth: Convert multicast list size for little-endian system Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 10/45] gpio: Fix build error of function redefinition Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 11/45] netfilter: nft_flow_offload: skip tcp rst and fin packets Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 12/45] rxrpc: Fix local endpoint replacement Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 13/45] rxrpc: Fix read-after-free in rxrpc_queue_local() Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 14/45] drm/mediatek: use correct device to import PRIME buffers Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 15/45] drm/mediatek: set DMA max segment size Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 16/45] scsi: qla2xxx: Fix gnl.l memory leak on adapter init failure Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 17/45] scsi: target: tcmu: avoid use-after-free after command timeout Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 18/45] cxgb4: fix a memory leak bug Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 19/45] liquidio: add cleanup in octeon_setup_iq() Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 20/45] net: myri10ge: fix memory leaks Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 21/45] lan78xx: Fix " Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 22/45] vfs: fix page locking deadlocks when deduping files Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 23/45] cx82310_eth: fix a memory leak bug Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 24/45] net: kalmia: fix memory leaks Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 25/45] ibmvnic: Unmap DMA address of TX descriptor buffers after use Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 26/45] net: cavium: fix driver name Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 27/45] wimax/i2400m: fix a memory leak bug Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 28/45] ravb: Fix use-after-free ravb_tstamp_skb Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 29/45] kprobes: Fix potential deadlock in kprobe_optimizer() Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 30/45] HID: cp2112: prevent sleeping function called from invalid context Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 31/45] x86/boot/compressed/64: Fix boot on machines with broken E820 table Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 32/45] Input: hyperv-keyboard: Use in-place iterator API in the channel callback Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 33/45] Tools: hv: kvp: eliminate 'may be used uninitialized' warning Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 34/45] nvme-multipath: fix possible I/O hang when paths are updated Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 35/45] IB/mlx4: Fix memory leaks Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 36/45] infiniband: hfi1: fix a memory leak bug Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 37/45] infiniband: hfi1: fix memory leaks Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 38/45] selftests: kvm: fix state save/load on processors without XSAVE Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 39/45] selftests/kvm: make platform_info_test pass on AMD Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 40/45] ceph: fix buffer free while holding i_ceph_lock in __ceph_setxattr() Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 41/45] ceph: fix buffer free while holding i_ceph_lock in __ceph_build_xattrs_blob() Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 42/45] ceph: fix buffer free while holding i_ceph_lock in fill_inode() Sasha Levin
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 43/45] KVM: arm/arm64: Only skip MMIO insn once Sasha Levin
2019-08-29 18:15 ` Sasha Levin [this message]
2019-08-29 18:15 ` [PATCH AUTOSEL 4.19 45/45] KVM: arm/arm64: VGIC: Properly initialise private IRQ affinity Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190829181547.8280-44-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=dhowells@redhat.com \
--cc=linux-afs@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).