From: Yihao Wu <wuyihao@linux.alibaba.com>
To: "J . Bruce Fields" <bfields@fieldses.org>,
Chuck Lever <chuck.lever@oracle.com>, NeilBrown <neilb@suse.de>,
Sasha Levin <sashal@kernel.org>
Cc: linux-nfs@vger.kernel.org
Subject: [PATCH v3] SUNRPC/cache: Fix unsafe traverse caused double-free in cache_purge
Date: Mon, 6 Apr 2020 01:57:22 +0800 [thread overview]
Message-ID: <e0dd0339-a15e-814d-ac5a-5f51bc15d73c@linux.alibaba.com> (raw)
In-Reply-To: <4568a7cf87f110b8e59fda6f53fda34c550ab403.1586108200.git.wuyihao@linux.alibaba.com>
Deleting list entry within hlist_for_each_entry_safe is not safe unless
next pointer (tmp) is protected too. It's not, because once hash_lock
is released, cache_clean may delete the entry that tmp points to. Then
cache_purge can walk to a deleted entry and tries to double free it.
Fix this bug by holding only the deleted entry's reference.
Signed-off-by: Yihao Wu <wuyihao@linux.alibaba.com>
---
v1->v2: Use Neil's better solution
v2->v3: Fix a checkscript warning
net/sunrpc/cache.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
index af0ddd28b081..b445874e8e2f 100644
--- a/net/sunrpc/cache.c
+++ b/net/sunrpc/cache.c
@@ -541,7 +541,9 @@ void cache_purge(struct cache_detail *detail)
dprintk("RPC: %d entries in %s cache\n", detail->entries, detail->name);
for (i = 0; i < detail->hash_size; i++) {
head = &detail->hash_table[i];
- hlist_for_each_entry_safe(ch, tmp, head, cache_list) {
+ while (!hlist_empty(head)) {
+ ch = hlist_entry(head->first, struct cache_head,
+ cache_list);
sunrpc_begin_cache_remove_entry(ch, detail);
spin_unlock(&detail->hash_lock);
sunrpc_end_cache_remove_entry(ch, detail);
--
2.20.1.2432.ga663e714
next prev parent reply other threads:[~2020-04-05 17:57 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-05 17:38 [PATCH v2] SUNRPC/cache: Fix unsafe traverse caused double-free in cache_purge Yihao Wu
2020-04-05 17:57 ` Yihao Wu [this message]
2020-04-05 18:07 ` [PATCH v3] " Chuck Lever
2020-04-05 18:31 ` Yihao Wu
2020-04-05 18:35 ` Chuck Lever
2020-04-06 0:03 ` NeilBrown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e0dd0339-a15e-814d-ac5a-5f51bc15d73c@linux.alibaba.com \
--to=wuyihao@linux.alibaba.com \
--cc=bfields@fieldses.org \
--cc=chuck.lever@oracle.com \
--cc=linux-nfs@vger.kernel.org \
--cc=neilb@suse.de \
--cc=sashal@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.