From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, David Howells <dhowells@redhat.com>,
Jeffrey Altman <jaltman@auristor.com>,
Marc Dionne <marc.dionne@auristor.com>,
linux-afs@lists.infradead.org,
Linus Torvalds <torvalds@linux-foundation.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.15 24/95] afs: Fix use-after-free due to get/remove race in volume tree
Date: Wed, 3 Jan 2024 17:54:32 +0100 [thread overview]
Message-ID: <20240103164857.740565772@linuxfoundation.org> (raw)
In-Reply-To: <20240103164853.921194838@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
[ Upstream commit 9a6b294ab496650e9f270123730df37030911b55 ]
When an afs_volume struct is put, its refcount is reduced to 0 before
the cell->volume_lock is taken and the volume removed from the
cell->volumes tree.
Unfortunately, this means that the lookup code can race and see a volume
with a zero ref in the tree, resulting in a use-after-free:
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 3 PID: 130782 at lib/refcount.c:25 refcount_warn_saturate+0x7a/0xda
...
RIP: 0010:refcount_warn_saturate+0x7a/0xda
...
Call Trace:
afs_get_volume+0x3d/0x55
afs_create_volume+0x126/0x1de
afs_validate_fc+0xfe/0x130
afs_get_tree+0x20/0x2e5
vfs_get_tree+0x1d/0xc9
do_new_mount+0x13b/0x22e
do_mount+0x5d/0x8a
__do_sys_mount+0x100/0x12a
do_syscall_64+0x3a/0x94
entry_SYSCALL_64_after_hwframe+0x62/0x6a
Fix this by:
(1) When putting, use a flag to indicate if the volume has been removed
from the tree and skip the rb_erase if it has.
(2) When looking up, use a conditional ref increment and if it fails
because the refcount is 0, replace the node in the tree and set the
removal flag.
Fixes: 20325960f875 ("afs: Reorganise volume and server trees to be rooted on the cell")
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/afs/internal.h | 2 ++
fs/afs/volume.c | 26 +++++++++++++++++++++++---
2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/fs/afs/internal.h b/fs/afs/internal.h
index b29e9c206f782..0c03877cdaf7e 100644
--- a/fs/afs/internal.h
+++ b/fs/afs/internal.h
@@ -589,6 +589,7 @@ struct afs_volume {
#define AFS_VOLUME_OFFLINE 4 /* - T if volume offline notice given */
#define AFS_VOLUME_BUSY 5 /* - T if volume busy notice given */
#define AFS_VOLUME_MAYBE_NO_IBULK 6 /* - T if some servers don't have InlineBulkStatus */
+#define AFS_VOLUME_RM_TREE 7 /* - Set if volume removed from cell->volumes */
#ifdef CONFIG_AFS_FSCACHE
struct fscache_cookie *cache; /* caching cookie */
#endif
@@ -1507,6 +1508,7 @@ extern struct afs_vlserver_list *afs_extract_vlserver_list(struct afs_cell *,
extern struct afs_volume *afs_create_volume(struct afs_fs_context *);
extern void afs_activate_volume(struct afs_volume *);
extern void afs_deactivate_volume(struct afs_volume *);
+bool afs_try_get_volume(struct afs_volume *volume, enum afs_volume_trace reason);
extern struct afs_volume *afs_get_volume(struct afs_volume *, enum afs_volume_trace);
extern void afs_put_volume(struct afs_net *, struct afs_volume *, enum afs_volume_trace);
extern int afs_check_volume_status(struct afs_volume *, struct afs_operation *);
diff --git a/fs/afs/volume.c b/fs/afs/volume.c
index 32941bffa2ec1..137a970c19fb3 100644
--- a/fs/afs/volume.c
+++ b/fs/afs/volume.c
@@ -33,8 +33,13 @@ static struct afs_volume *afs_insert_volume_into_cell(struct afs_cell *cell,
} else if (p->vid > volume->vid) {
pp = &(*pp)->rb_right;
} else {
- volume = afs_get_volume(p, afs_volume_trace_get_cell_insert);
- goto found;
+ if (afs_try_get_volume(p, afs_volume_trace_get_cell_insert)) {
+ volume = p;
+ goto found;
+ }
+
+ set_bit(AFS_VOLUME_RM_TREE, &volume->flags);
+ rb_replace_node_rcu(&p->cell_node, &volume->cell_node, &cell->volumes);
}
}
@@ -57,7 +62,8 @@ static void afs_remove_volume_from_cell(struct afs_volume *volume)
afs_volume_trace_remove);
write_seqlock(&cell->volume_lock);
hlist_del_rcu(&volume->proc_link);
- rb_erase(&volume->cell_node, &cell->volumes);
+ if (!test_and_set_bit(AFS_VOLUME_RM_TREE, &volume->flags))
+ rb_erase(&volume->cell_node, &cell->volumes);
write_sequnlock(&cell->volume_lock);
}
}
@@ -236,6 +242,20 @@ static void afs_destroy_volume(struct afs_net *net, struct afs_volume *volume)
_leave(" [destroyed]");
}
+/*
+ * Try to get a reference on a volume record.
+ */
+bool afs_try_get_volume(struct afs_volume *volume, enum afs_volume_trace reason)
+{
+ int r;
+
+ if (__refcount_inc_not_zero(&volume->ref, &r)) {
+ trace_afs_volume(volume->vid, r + 1, reason);
+ return true;
+ }
+ return false;
+}
+
/*
* Get a reference on a volume record.
*/
--
2.43.0
next prev parent reply other threads:[~2024-01-03 17:03 UTC|newest]
Thread overview: 109+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-03 16:54 [PATCH 5.15 00/95] 5.15.146-rc1 review Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 01/95] ARM: dts: dra7: Fix DRA7 L3 NoC node register size Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 02/95] ARM: OMAP2+: Fix null pointer dereference and memory leak in omap_soc_device_init Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 03/95] reset: Fix crash when freeing non-existent optional resets Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 04/95] s390/vx: fix save/restore of fpu kernel context Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 05/95] wifi: iwlwifi: pcie: add another missing bh-disable for rxq->lock Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 06/95] wifi: mac80211: mesh_plink: fix matches_local logic Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 07/95] Revert "net/mlx5e: fix double free of encap_header in update funcs" Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 08/95] Revert "net/mlx5e: fix double free of encap_header" Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 09/95] net/mlx5e: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 10/95] net/mlx5e: fix a potential double-free in fs_udp_create_groups Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 11/95] net/mlx5: Fix fw tracer first block check Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 12/95] net/mlx5e: Correct snprintf truncation handling for fw_version buffer used by representors Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 13/95] net: sched: ife: fix potential use-after-free Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 14/95] ethernet: atheros: fix a memleak in atl1e_setup_ring_resources Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 15/95] net/rose: fix races in rose_kill_by_device() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 16/95] net: mana: select PAGE_POOL Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 17/95] net: check vlan filter feature in vlan_vids_add_by_dev() and vlan_vids_del_by_dev() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 18/95] afs: Fix the dynamic roots d_delete to always delete unused dentries Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 19/95] afs: Fix dynamic root lookup DNS check Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 20/95] net: check dev->gso_max_size in gso_features_check() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 21/95] keys, dns: Allow key types (eg. DNS) to be reclaimed immediately on expiry Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 22/95] afs: Fix overwriting of result of DNS query Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 23/95] afs: Use refcount_t rather than atomic_t Greg Kroah-Hartman
2024-01-03 16:54 ` Greg Kroah-Hartman [this message]
2024-01-03 16:54 ` [PATCH 5.15 25/95] ASoC: hdmi-codec: fix missing report for jack initial status Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 26/95] i2c: aspeed: Handle the coalesced stop conditions with the start conditions Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 27/95] pinctrl: at91-pio4: use dedicated lock class for IRQ Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 28/95] gpiolib: cdev: add gpio_device locking wrapper around gpio_ioctl() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 29/95] ksmbd: fix wrong name of SMB2_CREATE_ALLOCATION_SIZE Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 30/95] drm/i915/mtl: limit second scaler vertical scaling in ver >= 14 Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 31/95] drm/i915: Relocate intel_atomic_setup_scalers() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 32/95] drm/i915: Fix intel_atomic_setup_scalers() plane_state handling Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 33/95] smb: client: fix NULL deref in asn1_ber_decoder() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 34/95] smb: client: fix OOB in smb2_query_reparse_point() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 35/95] interconnect: Treat xlate() returning NULL node as an error Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 36/95] iio: imu: inv_mpu6050: fix an error code problem in inv_mpu6050_read_raw Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 37/95] interconnect: qcom: sm8250: Enable sync_state Greg Kroah-Hartman
2024-01-03 17:29 ` Konrad Dybcio
2024-01-04 8:51 ` Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 38/95] Input: ipaq-micro-keys - add error handling for devm_kmemdup Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 39/95] scsi: bnx2fc: Fix skb double free in bnx2fc_rcv() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 40/95] iio: common: ms_sensors: ms_sensors_i2c: fix humidity conversion time table Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 41/95] iio: adc: ti_am335x_adc: Fix return value check of tiadc_request_dma() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 42/95] iio: triggered-buffer: prevent possible freeing of wrong buffer Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 43/95] ALSA: usb-audio: Increase delay in MOTU M quirk Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 44/95] wifi: cfg80211: Add my certificate Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 45/95] wifi: cfg80211: fix certs build to not depend on file order Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 46/95] USB: serial: ftdi_sio: update Actisense PIDs constant names Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 47/95] USB: serial: option: add Quectel EG912Y module support Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 48/95] USB: serial: option: add Foxconn T99W265 with new baseline Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 49/95] USB: serial: option: add Quectel RM500Q R13 firmware support Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 50/95] Bluetooth: hci_event: Fix not checking if HCI_OP_INQUIRY has been sent Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 5.15 51/95] Bluetooth: L2CAP: Send reject on command corrupted request Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 52/95] Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 53/95] Input: soc_button_array - add mapping for airplane mode button Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 54/95] net: 9p: avoid freeing uninit memory in p9pdu_vreadf Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 55/95] net: rfkill: gpio: set GPIO direction Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 56/95] net: ks8851: Fix TX stall caused by TX buffer overrun Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 57/95] dt-bindings: nvmem: mxs-ocotp: Document fsl,ocotp Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 58/95] scsi: core: Always send batch on reset or error handling command Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 59/95] tracing / synthetic: Disable events after testing in synth_event_gen_test_init() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 60/95] bus: ti-sysc: Flush posted write only after srst_udelay Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 61/95] gpio: dwapb: mask/unmask IRQ when disable/enale it Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 62/95] lib/vsprintf: Fix %pfwf when current node refcount == 0 Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 63/95] KVM: arm64: vgic: Force vcpu vgic teardown on vcpu destroy Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 64/95] x86/alternatives: Sync core before enabling interrupts Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 65/95] fuse: share lookup state between submount and its parent Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 66/95] ksmbd: have a dependency on cifs ARC4 Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 67/95] ksmbd: set epoch in create context v2 lease Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 68/95] ksmbd: set v2 lease capability Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 69/95] ksmbd: downgrade RWH lease caching state to RH for directory Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 70/95] ksmbd: send v2 lease break notification " Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 71/95] ksmbd: lazy v2 lease break on smb2_write() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 72/95] ksmbd: avoid duplicate opinfo_put() call on error of smb21_lease_break_ack() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 73/95] ksmbd: fix wrong allocation size update in smb2_open() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 74/95] ARM: dts: Fix occasional boot hang for am3 usb Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 75/95] usb: fotg210-hcd: delete an incorrect bounds test Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 76/95] ethernet: constify references to netdev->dev_addr in drivers Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 77/95] net: usb: ax88179_178a: clean up pm calls Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 78/95] net: usb: ax88179_178a: wol optimizations Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 79/95] net: usb: ax88179_178a: avoid failed operations when device is disconnected Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 80/95] device property: Add const qualifier to device_get_match_data() parameter Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 81/95] spi: Introduce spi_get_device_match_data() helper Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 82/95] iio: imu: adis16475: add spi_device_id table Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 83/95] smb: client: fix OOB in SMB2_query_info_init() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 84/95] smb: client: fix OOB in smbCalcSize() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 85/95] Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 86/95] mm/filemap: avoid buffered read/write race to read inconsistent data Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 87/95] ring-buffer: Fix wake ups when buffer_percent is set to 100 Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 88/95] tracing: Fix blocked reader of snapshot buffer Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 89/95] ring-buffer: Remove useless update to write_stamp in rb_try_to_discard() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 90/95] ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 91/95] netfilter: nf_tables: skip set commit for deleted/destroyed sets Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 92/95] ring-buffer: Fix slowpath of interrupted event Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 93/95] dm-integrity: dont modify bios immutable bio_vec in integrity_metadata() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 94/95] device property: Allow const parameter to dev_fwnode() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 5.15 95/95] bpf: Fix prog_array_map_poke_run map poke update Greg Kroah-Hartman
2024-01-03 18:54 ` [PATCH 5.15 00/95] 5.15.146-rc1 review SeongJae Park
2024-01-03 19:15 ` Florian Fainelli
2024-01-03 23:37 ` Kelsey Steele
2024-01-04 0:56 ` Shuah Khan
2024-01-04 6:45 ` Namjae Jeon
2024-01-04 11:28 ` Naresh Kamboju
2024-01-04 11:54 ` Harshit Mogalapalli
2024-01-04 16:52 ` Jon Hunter
2024-01-05 1:05 ` Guenter Roeck
2024-01-05 7:59 ` Ron Economos
2024-01-05 11:13 ` Shreeya Patel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240103164857.740565772@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dhowells@redhat.com \
--cc=jaltman@auristor.com \
--cc=linux-afs@lists.infradead.org \
--cc=marc.dionne@auristor.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox