evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

RPC: Fix two potential races in put_rpccred

Browse source 
It is possible for rpcauth_destroy_credcache() to cause the rpc credentials
to be unhashed while put_rpccred is waiting for the rpc_credcache_lock on
another cpu. Should this happen, then we can end up calling
hlist_del_rcu(&cred->cr_hash) a second time in put_rpccred, thus causing
list corruption.

Should the credential actually be hashed, it is also possible for
rpcauth_lookup_credcache to find and reference it before we get round to
unhashing it. In this case, the call to rpcauth_unhash_cred will fail, and
so we should just exit without destroying the cred.

Reported-by: Neil Brown <neilb@suse.de>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
This commit is contained in:
Trond Myklebust 2009-12-03 08:10:17 -05:00
parent feb8ca37cc
commit f0380f3d16
1 changed files with 23 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

39
net/sunrpc/auth.c
View file

@ -123,16 +123,19 @@ rpcauth_unhash_cred_locked(struct rpc_cred *cred)
clear_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags); clear_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags);
} }
static void static int
rpcauth_unhash_cred(struct rpc_cred *cred) rpcauth_unhash_cred(struct rpc_cred *cred)
{ {
spinlock_t *cache_lock; spinlock_t *cache_lock;
int ret;
cache_lock = &cred->cr_auth->au_credcache->lock; cache_lock = &cred->cr_auth->au_credcache->lock;
spin_lock(cache_lock); spin_lock(cache_lock);
if (atomic_read(&cred->cr_count) == 0) ret = atomic_read(&cred->cr_count) == 0;
if (ret)
rpcauth_unhash_cred_locked(cred); rpcauth_unhash_cred_locked(cred);
spin_unlock(cache_lock); spin_unlock(cache_lock);
return ret;
} }
/* /*
@ -446,31 +449,35 @@ void
put_rpccred(struct rpc_cred *cred) put_rpccred(struct rpc_cred *cred)
{ {
/* Fast path for unhashed credentials */ /* Fast path for unhashed credentials */
if (test_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags) != 0) if (test_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags) == 0) {
goto need_lock; if (atomic_dec_and_test(&cred->cr_count))
cred->cr_ops->crdestroy(cred);
if (!atomic_dec_and_test(&cred->cr_count))
return; return;
goto out_destroy; }
need_lock:
if (!atomic_dec_and_lock(&cred->cr_count, &rpc_credcache_lock)) if (!atomic_dec_and_lock(&cred->cr_count, &rpc_credcache_lock))
return; return;
if (!list_empty(&cred->cr_lru)) { if (!list_empty(&cred->cr_lru)) {
number_cred_unused--; number_cred_unused--;
list_del_init(&cred->cr_lru); list_del_init(&cred->cr_lru);
} }
if (test_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags) == 0)
rpcauth_unhash_cred(cred);
if (test_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags) != 0) { if (test_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags) != 0) {
cred->cr_expire = jiffies; if (test_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags) != 0) {
list_add_tail(&cred->cr_lru, &cred_unused); cred->cr_expire = jiffies;
number_cred_unused++; list_add_tail(&cred->cr_lru, &cred_unused);
spin_unlock(&rpc_credcache_lock); number_cred_unused++;
return; goto out_nodestroy;
}
if (!rpcauth_unhash_cred(cred)) {
/* We were hashed and someone looked us up... */
goto out_nodestroy;
}
} }
spin_unlock(&rpc_credcache_lock); spin_unlock(&rpc_credcache_lock);
out_destroy:
cred->cr_ops->crdestroy(cred); cred->cr_ops->crdestroy(cred);
return;
out_nodestroy:
spin_unlock(&rpc_credcache_lock);
} }
EXPORT_SYMBOL_GPL(put_rpccred); EXPORT_SYMBOL_GPL(put_rpccred);