[PATCH AUTOSEL 5.6 14/79] SUNRPC/cache: Fix unsafe traverse caused double-free in cache_purge

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Yihao Wu <wuyihao@linux.alibaba.com>, NeilBrown <neilb@suse.de>,
	Chuck Lever <chuck.lever@oracle.com>,
	Sasha Levin <sashal@kernel.org>,
	linux-nfs@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.6 14/79] SUNRPC/cache: Fix unsafe traverse caused double-free in cache_purge
Date: Thu, 30 Apr 2020 09:49:38 -0400	[thread overview]
Message-ID: <20200430135043.19851-14-sashal@kernel.org> (raw)
In-Reply-To: <20200430135043.19851-1-sashal@kernel.org>

From: Yihao Wu <wuyihao@linux.alibaba.com>

[ Upstream commit 43e33924c38e8faeb0c12035481cb150e602e39d ]

Deleting list entry within hlist_for_each_entry_safe is not safe unless
next pointer (tmp) is protected too. It's not, because once hash_lock
is released, cache_clean may delete the entry that tmp points to. Then
cache_purge can walk to a deleted entry and tries to double free it.

Fix this bug by holding only the deleted entry's reference.

Suggested-by: NeilBrown <neilb@suse.de>
Signed-off-by: Yihao Wu <wuyihao@linux.alibaba.com>
Reviewed-by: NeilBrown <neilb@suse.de>
[ cel: removed unused variable ]
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sunrpc/cache.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
index bd843a81afa0b..d36cea4e270de 100644
--- a/net/sunrpc/cache.c
+++ b/net/sunrpc/cache.c
@@ -521,7 +521,6 @@ void cache_purge(struct cache_detail *detail)
 {
 	struct cache_head *ch = NULL;
 	struct hlist_head *head = NULL;
-	struct hlist_node *tmp = NULL;
 	int i = 0;
 
 	spin_lock(&detail->hash_lock);
@@ -533,7 +532,9 @@ void cache_purge(struct cache_detail *detail)
 	dprintk("RPC: %d entries in %s cache\n", detail->entries, detail->name);
 	for (i = 0; i < detail->hash_size; i++) {
 		head = &detail->hash_table[i];
-		hlist_for_each_entry_safe(ch, tmp, head, cache_list) {
+		while (!hlist_empty(head)) {
+			ch = hlist_entry(head->first, struct cache_head,
+					 cache_list);
 			sunrpc_begin_cache_remove_entry(ch, detail);
 			spin_unlock(&detail->hash_lock);
 			sunrpc_end_cache_remove_entry(ch, detail);
-- 
2.20.1

next prev parent reply	other threads:[~2020-04-30 14:12 UTC|newest]

Thread overview: 115+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-04-30 13:49 [PATCH AUTOSEL 5.6 01/79] ARM: dts: OMAP3: disable RNG on N950/N9 Sasha Levin
2020-04-30 13:49 ` Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 02/79] drm/bridge: analogix_dp: Split bind() into probe() and real bind() Sasha Levin
2020-04-30 13:49   ` Sasha Levin
2020-04-30 13:49   ` Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 03/79] ARM: dts: bcm283x: Add cells encoding format to firmware bus Sasha Levin
2020-04-30 13:49   ` Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 04/79] iio:ad7797: Use correct attribute_group Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 05/79] iio: imu: st_lsm6dsx: fix read misalignment on untagged FIFO Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 06/79] iio: imu: st_lsm6dsx: specify slave odr in slv_odr Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 07/79] ASoC: topology: Add missing memory checks Sasha Levin
2020-04-30 13:49   ` Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 08/79] ASoC: topology: Check return value of soc_tplg_create_tlv Sasha Levin
2020-04-30 13:49   ` Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 09/79] ASoC: topology: Check return value of soc_tplg_*_create Sasha Levin
2020-04-30 13:49   ` Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 10/79] ASoC: topology: Check soc_tplg_add_route return value Sasha Levin
2020-04-30 13:49   ` Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 11/79] ASoC: topology: Check return value of pcm_new_ver Sasha Levin
2020-04-30 13:49   ` Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 12/79] ASoC: topology: Check return value of soc_tplg_dai_config Sasha Levin
2020-04-30 13:49   ` Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 13/79] nfsd: memory corruption in nfsd4_lock() Sasha Levin
2020-04-30 13:49 ` Sasha Levin [this message]
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 15/79] selftests: vm: Do not override definition of ARCH Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 16/79] selftests: vm: Fix 64-bit test builds for powerpc64le Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 17/79] ASoC: samsung: s3c24xx-i2s: Fix build after removal of DAI suspend/resume Sasha Levin
2020-04-30 13:49   ` Sasha Levin
2020-04-30 13:49   ` Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 18/79] Revert "Kernel selftests: tpm2: check for tpm support" Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 19/79] selftests/ipc: Fix test failure seen after initial test run Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 20/79] drm/bridge: anx6345: set correct BPC for display_info of connector Sasha Levin
2020-04-30 13:49   ` Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 21/79] scsi: sg: add sg_remove_request in sg_write Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 22/79] drivers: soc: xilinx: fix firmware driver Kconfig dependency Sasha Levin
2020-04-30 13:49   ` Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 23/79] drm/scheduler: fix drm_sched_get_cleanup_job Sasha Levin
2020-04-30 13:49   ` Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 24/79] ASoC: sgtl5000: Fix VAG power-on handling Sasha Levin
2020-04-30 13:49   ` Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 25/79] ASoC: q6dsp6: q6afe-dai: add missing channels to MI2S DAIs Sasha Levin
2020-04-30 13:49   ` Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 26/79] ASoC: topology: Fix endianness issue Sasha Levin
2020-04-30 13:49   ` Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 27/79] usb: dwc3: gadget: Properly set maxpacket limit Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 28/79] usb: dwc3: gadget: Do link recovery for SS and SSP Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 29/79] ASoC: rsnd: Fix parent SSI start/stop in multi-SSI mode Sasha Levin
2020-04-30 13:49   ` Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 30/79] ASoC: rsnd: Fix HDMI channel mapping for " Sasha Levin
2020-04-30 13:49   ` Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 31/79] ASoC: codecs: hdac_hdmi: Fix incorrect use of list_for_each_entry Sasha Levin
2020-04-30 13:49   ` Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 32/79] ARM: dts: bcm283x: Disable dsi0 node Sasha Levin
2020-04-30 13:49   ` Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 33/79] remoteproc: qcom_q6v5_mss: fix a bug in q6v5_probe() Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 34/79] usb: gadget: udc: atmel: Fix vbus disconnect handling Sasha Levin
2020-04-30 13:49   ` Sasha Levin
2020-04-30 13:49 ` [PATCH AUTOSEL 5.6 35/79] svcrdma: Fix trace point use-after-free race Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 36/79] ASoC: stm32: sai: fix sai probe Sasha Levin
2020-04-30 13:50   ` Sasha Levin
2020-04-30 13:50   ` Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 37/79] ASoC: SOF: Intel: add min/max channels for SSP on Baytrail/Broadwell Sasha Levin
2020-04-30 13:50   ` Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 38/79] drm/amd/powerplay: fix resume failed as smu table initialize early exit Sasha Levin
2020-04-30 13:50   ` Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 39/79] drm/amdgpu: Correctly initialize thermal controller for GPUs with Powerplay table v0 (e.g Hawaii) Sasha Levin
2020-04-30 13:50   ` Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 40/79] wimax/i2400m: Fix potential urb refcnt leak Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 41/79] net: stmmac: fix enabling socfpga's ptp_ref_clock Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 42/79] net: stmmac: Fix sub-second increment Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 43/79] netfilter: nat: fix error handling upon registering inet hook Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 44/79] counter: 104-quad-8: Add lock guards - generic interface Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 45/79] ASoC: meson: axg-card: fix codec-to-codec link setup Sasha Levin
2020-04-30 13:50   ` Sasha Levin
2020-04-30 13:56   ` Mark Brown
2020-04-30 13:56     ` Mark Brown
2020-05-02 13:46     ` Sasha Levin
2020-05-02 13:46       ` Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 46/79] ASoC: rsnd: Don't treat master SSI in multi SSI setup as parent Sasha Levin
2020-04-30 13:50   ` Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 47/79] ASoC: rsnd: Fix "status check failed" spam for multi-SSI Sasha Levin
2020-04-30 13:50   ` Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 48/79] net/mlx5: Fix failing fw tracer allocation on s390 Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 49/79] net/mlx5e: Don't trigger IRQ multiple times on XSK wakeup to avoid WQ overruns Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 50/79] net/mlx5e: Get the latest values from counters in switchdev mode Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 51/79] cpumap: Avoid warning when CONFIG_DEBUG_PER_CPU_MAPS is enabled Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 52/79] bpf: Forbid XADD on spilled pointers for unprivileged users Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 53/79] bpf: Fix handling of XADD on BTF memory Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 54/79] bpf, x86: Fix encoding for lower 8-bit registers in BPF_STX BPF_B Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 55/79] iwlwifi: actually check allocated conf_tlv pointer Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 56/79] ASoC: wm8960: Fix wrong clock after suspend & resume Sasha Levin
2020-04-30 13:50   ` Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 57/79] cifs: protect updating server->dstaddr with a spinlock Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 58/79] blk-iocost: Fix error on iocost_ioc_vrate_adj Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 59/79] s390/ftrace: fix potential crashes when switching tracers Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 60/79] scripts/config: allow colons in option strings for sed Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 61/79] sched/core: Fix reset-on-fork from RT with uclamp Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 62/79] perf/core: fix parent pid/tid in task exit events Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 63/79] cifs: do not share tcons with DFS Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 64/79] tracing: Fix memory leaks in trace_events_hist.c Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 65/79] um: ensure `make ARCH=um mrproper` removes arch/$(SUBARCH)/include/generated/ Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 66/79] ftrace: Fix memory leak caused by not freeing entry in unregister_ftrace_direct() Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 67/79] net: phy: bcm84881: clear settings on link down Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 68/79] lib/mpi: Fix building for powerpc with clang Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 69/79] mac80211: sta_info: Add lockdep condition for RCU list usage Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 70/79] afs: Fix to actually set AFS_SERVER_FL_HAVE_EPOCH Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 71/79] afs: Make record checking use TASK_UNINTERRUPTIBLE when appropriate Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 72/79] net: bcmgenet: suppress warnings on failed Rx SKB allocations Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 73/79] net: systemport: " Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 74/79] bpf, x86_32: Fix incorrect encoding in BPF_LDX zero-extension Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 75/79] bpf, x86_32: Fix clobbering of dst for BPF_JSET Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 76/79] bpf, x86_32: Fix logic error in BPF_LDX zero-extension Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 77/79] bpf: Propagate expected_attach_type when verifying freplace programs Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 78/79] tools/runqslower: Ensure own vmlinux.h is picked up first Sasha Levin
2020-04-30 13:50 ` [PATCH AUTOSEL 5.6 79/79] selftests/bpf: Fix a couple of broken test_btf cases Sasha Levin

find likely ancestor, descendant, or conflicting patches for this message:
dfblob:bd843a81afa0 dfblob:d36cea4e270d
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200430135043.19851-14-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=chuck.lever@oracle.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-nfs@vger.kernel.org \
    --cc=neilb@suse.de \
    --cc=netdev@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=wuyihao@linux.alibaba.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.