Commit 1d0e850a authored by David Howells's avatar David Howells
Browse files

afs: Fix cell removal 



Fix cell removal by inserting a more final state than AFS_CELL_FAILED that
indicates that the cell has been unpublished in case the manager is already
requeued and will go through again.  The new AFS_CELL_REMOVED state will
just immediately leave the manager function.

Going through a second time in the AFS_CELL_FAILED state will cause it to
try to remove the cell again, potentially leading to the proc list being
removed.

Fixes: 989782dc ("afs: Overhaul cell database management")
Reported-by: default avatar <syzbot+b994ecf2b023f14832c1@syzkaller.appspotmail.com>
Reported-by: default avatar <syzbot+0e0db88e1eb44a91ae8d@syzkaller.appspotmail.com>
Reported-by: default avatar <syzbot+2d0585e5efcd43d113c2@syzkaller.appspotmail.com>
Reported-by: default avatar <syzbot+1ecc2f9d3387f1d79d42@syzkaller.appspotmail.com>
Reported-by: default avatar <syzbot+18d51774588492bf3f69@syzkaller.appspotmail.com>
Reported-by: default avatar <syzbot+a5e4946b04d6ca8fa5f3@syzkaller.appspotmail.com>
Suggested-by: default avatarHillf Danton <hdanton@sina.com>
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
cc: Hillf Danton <hdanton@sina.com>
parent 286377f6

fs/afs/cell.c

+10 −6
Original line number Diff line number Diff line
@@ -291,11 +291,11 @@ wait_for_cell: 
	wait_var_event(&cell->state,

		       ({

			       state = smp_load_acquire(&cell->state); /* vs error */

			       state == AFS_CELL_ACTIVE || state == AFS_CELL_FAILED;

			       state == AFS_CELL_ACTIVE || state == AFS_CELL_REMOVED;

		       }));



	/* Check the state obtained from the wait check. */

	if (state == AFS_CELL_FAILED) {

	if (state == AFS_CELL_REMOVED) {

		ret = cell->error;

		goto error;

	}
@@ -700,7 +700,6 @@ static void afs_deactivate_cell(struct afs_net *net, struct afs_cell *cell) 
static void afs_manage_cell(struct afs_cell *cell)

{

	struct afs_net *net = cell->net;

	bool deleted;

	int ret, active;



	_enter("%s", cell->name);
@@ -712,13 +711,15 @@ again: 
	case AFS_CELL_FAILED:

		down_write(&net->cells_lock);

		active = 1;

		deleted = atomic_try_cmpxchg_relaxed(&cell->active, &active, 0);

		if (deleted) {

		if (atomic_try_cmpxchg_relaxed(&cell->active, &active, 0)) {

			rb_erase(&cell->net_node, &net->cells);

			smp_store_release(&cell->state, AFS_CELL_REMOVED);

		}

		up_write(&net->cells_lock);

		if (deleted)

		if (cell->state == AFS_CELL_REMOVED) {

			wake_up_var(&cell->state);

			goto final_destruction;

		}

		if (cell->state == AFS_CELL_FAILED)

			goto done;

		smp_store_release(&cell->state, AFS_CELL_UNSET);
@@ -760,6 +761,9 @@ again: 
		wake_up_var(&cell->state);

		goto again;



	case AFS_CELL_REMOVED:

		goto done;



	default:

		break;

	}

fs/afs/internal.h

+1 −0
Original line number Diff line number Diff line
@@ -326,6 +326,7 @@ enum afs_cell_state { 
	AFS_CELL_DEACTIVATING,

	AFS_CELL_INACTIVE,

	AFS_CELL_FAILED,

	AFS_CELL_REMOVED,

};



/*

CRA Git | Maintained and supported by SUSTech CRA and CCSE