• David Howells's avatar
    afs: Fix rapid cell addition/removal by not using RCU on cells tree · 92e3cc91
    David Howells authored
    There are a number of problems that are being seen by the rapidly mounting
    and unmounting an afs dynamic root with an explicit cell and volume
    specified (which should probably be rejected, but that's a separate issue):
    
    What the tests are doing is to look up/create a cell record for the name
    given and then tear it down again without actually using it to try to talk
    to a server.  This is repeated endlessly, very fast, and the new cell
    collides with the old one if it's not quick enough to reuse it.
    
    It appears (as suggested by Hillf Danton) that the search through the RB
    tree under a read_seqbegin_or_lock() under RCU conditions isn't safe and
    that it's not blocking the write_seqlock(), despite taking two passes at
    it.  He suggested that the code should take a ref on the cell it's
    attempting to look at - but this shouldn't be necessary until we've
    compared the cell names.  It's possible that I'm missing a barrier
    somewhere.
    
    However, using an RCU search for this is overkill, really - we only need to
    access the cell name in a few places, and they're places where we're may
    end up sleeping anyway.
    
    Fix this by switching to an R/W semaphore instead.
    
    Additionally, draw the down_read() call inside the function (renamed to
    afs_find_cell()) since all the callers were taking the RCU read lock (or
    should've been[*]).
    
    [*] afs_probe_cell_name() should have been, but that doesn't appear to be
    involved in the bug reports.
    
    The symptoms of this look like:
    
    	general protection fault, probably for non-canonical address 0xf27d208691691fdb: 0000 [#1] PREEMPT SMP KASAN
    	KASAN: maybe wild-memory-access in range [0x93e924348b48fed8-0x93e924348b48fedf]
    	...
    	RIP: 0010:strncasecmp lib/string.c:52 [inline]
    	RIP: 0010:strncasecmp+0x5f/0x240 lib/string.c:43
    	 afs_lookup_cell_rcu+0x313/0x720 fs/afs/cell.c:88
    	 afs_lookup_cell+0x2ee/0x1440 fs/afs/cell.c:249
    	 afs_parse_source fs/afs/super.c:290 [inline]
    	...
    
    Fixes: 989782dc ("afs: Overhaul cell database management")
    Reported-by: syzbot+459a5dce0b4cb70fd076@syzkaller.appspotmail.com
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    cc: Hillf Danton <hdanton@sina.com>
    cc: syzkaller-bugs@googlegroups.com
    92e3cc91
main.c 6.35 KB