linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org, Denis Kirjanov <kda@linux-powerpc.org>,
	"Dave Wysochanski" <dwysocha@redhat.com>,
	"Ronnie Sahlberg" <lsahlber@redhat.com>,
	"Pavel Shilovskiy" <pshilov@microsoft.com>,
	"Steve French" <stfrench@microsoft.com>
Subject: [PATCH 3.16 78/83] cifs: use cifsInodeInfo->open_file_lock while iterating to avoid a panic
Date: Wed, 20 Nov 2019 15:38:28 +0000	[thread overview]
Message-ID: <lsq.1574264230.763208181@decadent.org.uk> (raw)
In-Reply-To: <lsq.1574264230.280218497@decadent.org.uk>

3.16.78-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Dave Wysochanski <dwysocha@redhat.com>

commit cb248819d209d113e45fed459773991518e8e80b upstream.

Commit 487317c99477 ("cifs: add spinlock for the openFileList to
cifsInodeInfo") added cifsInodeInfo->open_file_lock spin_lock to protect
the openFileList, but missed a few places where cifs_inode->openFileList
was enumerated.  Change these remaining tcon->open_file_lock to
cifsInodeInfo->open_file_lock to avoid panic in is_size_safe_to_change.

[17313.245641] RIP: 0010:is_size_safe_to_change+0x57/0xb0 [cifs]
[17313.245645] Code: 68 40 48 89 ef e8 19 67 b7 f1 48 8b 43 40 48 8d 4b 40 48 8d 50 f0 48 39 c1 75 0f eb 47 48 8b 42 10 48 8d 50 f0 48 39 c1 74 3a <8b> 80 88 00 00 00 83 c0 01 a8 02 74 e6 48 89 ef c6 07 00 0f 1f 40
[17313.245649] RSP: 0018:ffff94ae1baefa30 EFLAGS: 00010202
[17313.245654] RAX: dead000000000100 RBX: ffff88dc72243300 RCX: ffff88dc72243340
[17313.245657] RDX: dead0000000000f0 RSI: 00000000098f7940 RDI: ffff88dd3102f040
[17313.245659] RBP: ffff88dd3102f040 R08: 0000000000000000 R09: ffff94ae1baefc40
[17313.245661] R10: ffffcdc8bb1c4e80 R11: ffffcdc8b50adb08 R12: 00000000098f7940
[17313.245663] R13: ffff88dc72243300 R14: ffff88dbc8f19600 R15: ffff88dc72243428
[17313.245667] FS:  00007fb145485700(0000) GS:ffff88dd3e000000(0000) knlGS:0000000000000000
[17313.245670] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[17313.245672] CR2: 0000026bb46c6000 CR3: 0000004edb110003 CR4: 00000000007606e0
[17313.245753] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[17313.245756] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[17313.245759] PKRU: 55555554
[17313.245761] Call Trace:
[17313.245803]  cifs_fattr_to_inode+0x16b/0x580 [cifs]
[17313.245838]  cifs_get_inode_info+0x35c/0xa60 [cifs]
[17313.245852]  ? kmem_cache_alloc_trace+0x151/0x1d0
[17313.245885]  cifs_open+0x38f/0x990 [cifs]
[17313.245921]  ? cifs_revalidate_dentry_attr+0x3e/0x350 [cifs]
[17313.245953]  ? cifsFileInfo_get+0x30/0x30 [cifs]
[17313.245960]  ? do_dentry_open+0x132/0x330
[17313.245963]  do_dentry_open+0x132/0x330
[17313.245969]  path_openat+0x573/0x14d0
[17313.245974]  do_filp_open+0x93/0x100
[17313.245979]  ? __check_object_size+0xa3/0x181
[17313.245986]  ? audit_alloc_name+0x7e/0xd0
[17313.245992]  do_sys_open+0x184/0x220
[17313.245999]  do_syscall_64+0x5b/0x1b0

Fixes: 487317c99477 ("cifs: add spinlock for the openFileList to cifsInodeInfo")

Signed-off-by: Dave Wysochanski <dwysocha@redhat.com>
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Pavel Shilovskiy <pshilov@microsoft.com>
---
 fs/cifs/file.c | 27 +++++++++++----------------
 1 file changed, 11 insertions(+), 16 deletions(-)

--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -1756,13 +1756,12 @@ struct cifsFileInfo *find_readable_file(
 {
 	struct cifsFileInfo *open_file = NULL;
 	struct cifs_sb_info *cifs_sb = CIFS_SB(cifs_inode->vfs_inode.i_sb);
-	struct cifs_tcon *tcon = cifs_sb_master_tcon(cifs_sb);
 
 	/* only filter by fsuid on multiuser mounts */
 	if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MULTIUSER))
 		fsuid_only = false;
 
-	spin_lock(&tcon->open_file_lock);
+	spin_lock(&cifs_inode->open_file_lock);
 	/* we could simply get the first_list_entry since write-only entries
 	   are always at the end of the list but since the first entry might
 	   have a close pending, we go through the whole list */
@@ -1774,7 +1773,7 @@ struct cifsFileInfo *find_readable_file(
 				/* found a good file */
 				/* lock it so it will not be closed on us */
 				cifsFileInfo_get(open_file);
-				spin_unlock(&tcon->open_file_lock);
+				spin_unlock(&cifs_inode->open_file_lock);
 				return open_file;
 			} /* else might as well continue, and look for
 			     another, or simply have the caller reopen it
@@ -1782,7 +1781,7 @@ struct cifsFileInfo *find_readable_file(
 		} else /* write only file */
 			break; /* write only files are last so must be done */
 	}
-	spin_unlock(&tcon->open_file_lock);
+	spin_unlock(&cifs_inode->open_file_lock);
 	return NULL;
 }
 
@@ -1791,7 +1790,6 @@ struct cifsFileInfo *find_writable_file(
 {
 	struct cifsFileInfo *open_file, *inv_file = NULL;
 	struct cifs_sb_info *cifs_sb;
-	struct cifs_tcon *tcon;
 	bool any_available = false;
 	int rc;
 	unsigned int refind = 0;
@@ -1807,16 +1805,15 @@ struct cifsFileInfo *find_writable_file(
 	}
 
 	cifs_sb = CIFS_SB(cifs_inode->vfs_inode.i_sb);
-	tcon = cifs_sb_master_tcon(cifs_sb);
 
 	/* only filter by fsuid on multiuser mounts */
 	if (!(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MULTIUSER))
 		fsuid_only = false;
 
-	spin_lock(&tcon->open_file_lock);
+	spin_lock(&cifs_inode->open_file_lock);
 refind_writable:
 	if (refind > MAX_REOPEN_ATT) {
-		spin_unlock(&tcon->open_file_lock);
+		spin_unlock(&cifs_inode->open_file_lock);
 		return NULL;
 	}
 	list_for_each_entry(open_file, &cifs_inode->openFileList, flist) {
@@ -1828,7 +1825,7 @@ refind_writable:
 			if (!open_file->invalidHandle) {
 				/* found a good writable file */
 				cifsFileInfo_get(open_file);
-				spin_unlock(&tcon->open_file_lock);
+				spin_unlock(&cifs_inode->open_file_lock);
 				return open_file;
 			} else {
 				if (!inv_file)
@@ -1847,7 +1844,7 @@ refind_writable:
 		cifsFileInfo_get(inv_file);
 	}
 
-	spin_unlock(&tcon->open_file_lock);
+	spin_unlock(&cifs_inode->open_file_lock);
 
 	if (inv_file) {
 		rc = cifs_reopen_file(inv_file, false);
@@ -1861,7 +1858,7 @@ refind_writable:
 			cifsFileInfo_put(inv_file);
 			++refind;
 			inv_file = NULL;
-			spin_lock(&tcon->open_file_lock);
+			spin_lock(&cifs_inode->open_file_lock);
 			goto refind_writable;
 		}
 	}
@@ -3508,17 +3505,15 @@ static int cifs_readpage(struct file *fi
 static int is_inode_writable(struct cifsInodeInfo *cifs_inode)
 {
 	struct cifsFileInfo *open_file;
-	struct cifs_tcon *tcon =
-		cifs_sb_master_tcon(CIFS_SB(cifs_inode->vfs_inode.i_sb));
 
-	spin_lock(&tcon->open_file_lock);
+	spin_lock(&cifs_inode->open_file_lock);
 	list_for_each_entry(open_file, &cifs_inode->openFileList, flist) {
 		if (OPEN_FMODE(open_file->f_flags) & FMODE_WRITE) {
-			spin_unlock(&tcon->open_file_lock);
+			spin_unlock(&cifs_inode->open_file_lock);
 			return 1;
 		}
 	}
-	spin_unlock(&tcon->open_file_lock);
+	spin_unlock(&cifs_inode->open_file_lock);
 	return 0;
 }
 


  parent reply	other threads:[~2019-11-20 15:42 UTC|newest]

Thread overview: 88+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-20 15:37 [PATCH 3.16 00/83] 3.16.78-rc1 review Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 01/83] hwmon: (nct6775) Fix register address and added missed tolerance for nct6106 Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 02/83] x86/sysfb_efi: Add quirks for some devices with swapped width and height Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 03/83] mmc: mmc_spi: Enable stable writes Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 04/83] ALSA: compress: Fix regression on compressed capture streams Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 05/83] can: peak_usb: fix potential double kfree_skb() Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 06/83] usb: pci-quirks: Correct AMD PLL quirk detection Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 07/83] usb: wusbcore: fix unbalanced get/put cluster_id Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 08/83] x86/speculation/mds: Apply more accurate check on hypervisor platform Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 09/83] hpet: Fix division by zero in hpet_time_div() Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 10/83] sched/fair: Don't free p->numa_faults with concurrent readers Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 11/83] tty/ldsem, locking/rwsem: Add missing ACQUIRE to read_failed sleep loop Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 12/83] bnx2x: Disable multi-cos feature Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 13/83] arm64: compat: Allow single-byte watchpoints on all addresses Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 14/83] net: sched: Fix a possible null-pointer dereference in dequeue_func() Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 15/83] net: fix ifindex collision during namespace removal Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 16/83] libata: zpodd: Fix small read overflow in zpodd_get_mech_type() Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 17/83] selinux: fix memory leak in policydb_init() Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 18/83] net: bridge: mcast: don't delete permanent entries when fast leave is enabled Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 19/83] xen/swiotlb: fix condition for calling xen_destroy_contiguous_region() Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 20/83] s390/dasd: fix endless loop after read unit address configuration Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 21/83] can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 22/83] asm-generic: fix -Wtype-limits compiler warnings Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 23/83] NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim() Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 24/83] USB: serial: option: Add support for ZTE MF871A Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 25/83] usb: yurex: Fix use-after-free in yurex_delete Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 26/83] SMB3: Fix deadlock in validate negotiate hits reconnect Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 27/83] smb3: send CAP_DFS capability during session setup Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 28/83] sound: fix a memory leak bug Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 29/83] ALSA: firewire: " Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 30/83] ALSA: hda - Fix " Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 31/83] sh: kernel: hw_breakpoint: Fix missing break in switch statement Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 32/83] net: tc35815: Explicitly check NET_IP_ALIGN is not zero in tc35815_rx Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 33/83] staging: comedi: dt3000: Fix signed integer overflow 'divider * base' Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 34/83] staging: comedi: dt3000: Fix rounding up of timer divisor Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 35/83] USB: core: Fix races in character device registration and deregistraion Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 36/83] netfilter: conntrack: Use consistent ct id hash calculation Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 37/83] sctp: fix the transport error_count check Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 38/83] USB: serial: option: Add Motorola modem UARTs Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 39/83] usb: cdc-acm: make sure a refcount is taken early enough Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 40/83] net/packet: fix race in tpacket_snd() Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 41/83] Revert "cfg80211: fix processing world regdomain when non modular" Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 42/83] usb-storage: Add new JMS567 revision to unusual_devs Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 43/83] dm btree: fix order of block initialization in btree_split_beneath Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 44/83] dm space map metadata: fix missing store of apply_bops() return value Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 45/83] dm table: fix invalid memory accesses with too high sector number Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 46/83] x86/retpoline: Don't clobber RFLAGS during CALL_NOSPEC on i386 Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 47/83] batman-adv: Only read OGM tvlv_len after buffer len check Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 48/83] ALSA: seq: Fix potential concurrent access to the deleted pool Ben Hutchings
2019-11-20 15:37 ` [PATCH 3.16 49/83] ptrace,x86: Make user_64bit_mode() available to 32-bit builds Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 50/83] uprobes/x86: Fix detection of 32-bit user mode Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 51/83] x86/apic: Do not initialize LDR and DFR for bigsmp Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 52/83] x86/apic: Drop logical_smp_processor_id() inline Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 53/83] x86/apic/32: Avoid bogus LDR warnings Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 54/83] usb: host: ohci: fix a race condition between shutdown and irq Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 55/83] USB: storage: ums-realtek: Update module parameter description for auto_delink_en Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 56/83] USB: storage: ums-realtek: Whitelist auto-delink support Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 57/83] USB: cdc-wdm: fix race between write and disconnect due to flag abuse Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 58/83] VMCI: Release resource if the work is already queued Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 59/83] mld: fix memory leak in mld_del_delrec() Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 60/83] ALSA: hda - Fix potential endless loop at applying quirks Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 61/83] mmc: core: Fix init of SD cards reporting an invalid VDD range Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 62/83] net: seeq: Fix the function used to release some memory in an error handling path Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 63/83] sched/fair: Don't assign runtime for throttled cfs_rq Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 64/83] vhost/test: fix build for vhost test Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 65/83] sctp: use transport pf_retrans in sctp_do_8_2_transport_strike Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 66/83] genirq: Prevent NULL pointer dereference in resend_irqs() Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 67/83] keys: Fix missing null pointer check in request_key_auth_describe() Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 68/83] sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 69/83] tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 70/83] tun: fix use-after-free when register netdev failed Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 71/83] ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()' Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 72/83] net: Fix null de-reference of device refcount Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 73/83] sctp: Fix the link time qualifier of 'sctp_ctrlsock_exit()' Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 74/83] KVM: nVMX: handle page fault in vmread Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 75/83] KVM: x86: work around leak of uninitialized stack contents Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 76/83] PCI: tegra: Enable Relaxed Ordering only for Tegra20 & Tegra30 Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 77/83] alarmtimer: Use EOPNOTSUPP instead of ENOTSUPP Ben Hutchings
2019-11-20 15:38 ` Ben Hutchings [this message]
2019-11-20 15:38 ` [PATCH 3.16 79/83] CIFS: Fix use after free of file info structures Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 80/83] md/raid: raid5 preserve the writeback action after the parity check Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 81/83] btrfs: partially apply b8b93addde Ben Hutchings
2019-11-20 15:56   ` Hans van Kranenburg
2019-11-21 21:42     ` Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 82/83] btrfs: volumes: Cleanup stripe size calculation Ben Hutchings
2019-11-20 15:38 ` [PATCH 3.16 83/83] btrfs: alloc_chunk: fix more DUP stripe size handling Ben Hutchings
2019-11-20 15:46 ` [PATCH 3.16 00/83] 3.16.78-rc1 review Guenter Roeck
2019-11-20 15:50   ` Ben Hutchings

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=lsq.1574264230.763208181@decadent.org.uk \
    --to=ben@decadent.org.uk \
    --cc=akpm@linux-foundation.org \
    --cc=dwysocha@redhat.com \
    --cc=kda@linux-powerpc.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lsahlber@redhat.com \
    --cc=pshilov@microsoft.com \
    --cc=stable@vger.kernel.org \
    --cc=stfrench@microsoft.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).