korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-11-15 08:14:15 +08:00
Code Issues Packages Projects Releases Wiki Activity
8735c7c84d
linux/fs/afs
History
David Howells 9a6b294ab4 afs: Fix use-after-free due to get/remove race in volume tree 
When an afs_volume struct is put, its refcount is reduced to 0 before
the cell->volume_lock is taken and the volume removed from the
cell->volumes tree.

Unfortunately, this means that the lookup code can race and see a volume
with a zero ref in the tree, resulting in a use-after-free:

    refcount_t: addition on 0; use-after-free.
    WARNING: CPU: 3 PID: 130782 at lib/refcount.c:25 refcount_warn_saturate+0x7a/0xda
    ...
    RIP: 0010:refcount_warn_saturate+0x7a/0xda
    ...
    Call Trace:
     afs_get_volume+0x3d/0x55
     afs_create_volume+0x126/0x1de
     afs_validate_fc+0xfe/0x130
     afs_get_tree+0x20/0x2e5
     vfs_get_tree+0x1d/0xc9
     do_new_mount+0x13b/0x22e
     do_mount+0x5d/0x8a
     __do_sys_mount+0x100/0x12a
     do_syscall_64+0x3a/0x94
     entry_SYSCALL_64_after_hwframe+0x62/0x6a

Fix this by:

 (1) When putting, use a flag to indicate if the volume has been removed
     from the tree and skip the rb_erase if it has.

 (2) When looking up, use a conditional ref increment and if it fails
     because the refcount is 0, replace the node in the tree and set the
     removal flag.

Fixes: 20325960f8 ("afs: Reorganise volume and server trees to be rooted on the cell")
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2023-12-21 10:16:07 -08:00
..
addr_list.c afs: Use kfree_rcu() instead of casting kfree() to rcu_callback_t 2020-03-13 10:47:33 -07:00
afs_cm.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
afs_fs.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
afs_vl.h afs: Implement client support for the YFSVL.GetCellName RPC op 2020-06-04 15:37:57 +01:00
afs.h rxrpc: Fix timeout of a call that hasn't yet been granted a channel 2023-05-01 07:43:19 +01:00
callback.c netfs: Fix gcc-12 warning by embedding vfs inode in netfs_i_context 2022-06-09 13:55:00 -07:00
cell.c afs: Fix overwriting of result of DNS query 2023-12-21 09:57:43 -08:00
cmservice.c rxrpc: Tidy up abort generation infrastructure 2023-01-06 09:43:32 +00:00
dir_edit.c afs: fix the afs_dir_get_folio return value 2023-05-06 10:10:08 -07:00
dir_silly.c netfs: Fix gcc-12 warning by embedding vfs inode in netfs_i_context 2022-06-09 13:55:00 -07:00
dir.c afs: Fix setting of mtime when creating a file/dir/symlink 2023-06-07 09:03:12 -07:00
dynroot.c afs: Fix dynamic root lookup DNS check 2023-12-20 11:57:47 +00:00
file.c splice: Use filemap_splice_read() instead of generic_file_splice_read() 2023-05-24 08:42:17 -06:00
flock.c fs: remove locks_inode 2023-01-11 06:52:43 -05:00
fs_operation.c netfs: Fix gcc-12 warning by embedding vfs inode in netfs_i_context 2022-06-09 13:55:00 -07:00
fs_probe.c afs: Fix lost servers_outstanding count 2022-12-22 11:40:35 +00:00
fsclient.c afs: Use the operation issue time instead of the reply time for callbacks 2022-09-01 11:44:13 +01:00
inode.c afs: convert to new timestamp accessors 2023-10-18 13:26:18 +02:00
internal.h afs: Fix use-after-free due to get/remove race in volume tree 2023-12-21 10:16:07 -08:00
Kconfig afs: Convert afs to use the new fscache API 2022-01-07 13:44:47 +00:00
main.c arch: Remove Itanium (IA-64) architecture 2023-09-11 08:13:17 +00:00
Makefile afs: Convert afs to use the new fscache API 2022-01-07 13:44:47 +00:00
misc.c afs: Return -EAGAIN, not -EREMOTEIO, when a file already locked 2022-09-06 21:33:01 -04:00
mntpt.c afs: Remove check of PageError 2022-06-29 08:51:06 -04:00
proc.c afs: Use refcount_t rather than atomic_t 2022-08-02 18:10:11 +01:00
protocol_afs.h afs: Fix corruption in reads at fpos 2G-4G from an OpenAFS server 2021-09-13 09:14:21 +01:00
protocol_uae.h afs: Add support for the UAE error table 2019-06-28 18:37:53 +01:00
protocol_yfs.h afs: Fix corruption in reads at fpos 2G-4G from an OpenAFS server 2021-09-13 09:14:21 +01:00
rotate.c afs: Adjust ACK interpretation to try and cope with NAT 2022-05-22 21:03:02 +01:00
rxrpc.c afs: Fix refcount underflow from error handling race 2023-12-11 15:40:41 -08:00
security.c fs: port ->permission() to pass mnt_idmap 2023-01-19 09:24:28 +01:00
server_list.c afs: Fix afs_server_list to be cleaned up with RCU 2023-11-17 07:55:27 +00:00
server.c afs: Fix server->active leak in afs_put_server 2022-11-30 10:02:37 -08:00
super.c afs: Mark a superblock for an R/O or Backup volume as SB_RDONLY 2023-11-24 14:52:24 +00:00
vl_alias.c afs: Add tracing for cell refcount and active user count 2020-10-16 14:39:21 +01:00
vl_list.c afs: Use refcount_t rather than atomic_t 2022-08-02 18:10:11 +01:00
vl_probe.c afs: Fix vlserver probe RTT handling 2023-06-16 14:43:41 -07:00
vl_rotate.c afs: Return ENOENT if no cell DNS record can be found 2023-11-24 14:51:18 +00:00
vlclient.c afs: Fix fall-through warnings for Clang 2021-05-25 07:30:34 -10:00
volume.c afs: Fix use-after-free due to get/remove race in volume tree 2023-12-21 10:16:07 -08:00
write.c afs: convert to new timestamp accessors 2023-10-18 13:26:18 +02:00
xattr.c afs: move afs_xattr_handlers to .rodata 2023-10-09 16:24:16 +02:00
xdr_fs.h afs: Fix directory entry size calculation 2021-01-04 12:25:19 +00:00
yfsclient.c afs: Use the operation issue time instead of the reply time for callbacks 2022-09-01 11:44:13 +01:00