afs: Fix missing cursor clearance
authorDavid Howells <dhowells@redhat.com>
Tue, 6 Feb 2018 06:26:30 +0000 (06:26 +0000)
committerSeth Forshee <seth.forshee@canonical.com>
Thu, 22 Feb 2018 14:15:55 +0000 (08:15 -0600)
BugLink: http://bugs.launchpad.net/bugs/1751064
commit fe4d774c847398c2a45c10a780ccfde069840793 upstream.

afs_select_fileserver() ends the address cursor it is using in the case in
which we get some sort of network error and run out of addresses to iterate
through, before it jumps to try the next server.  This also needs to be
done when the server aborts with some sort of error that means we should
try the next server.

Fix this by:

 (1) Move the iterate_address afs_end_cursor() call to the next_server
     case.

 (2) End the cursor in the failed case.

 (3) Make afs_end_cursor() clear the ->begun flag and ->addr pointer in the
     address cursor.

 (4) Make afs_end_cursor() able to be called on an already cleared cursor.

Without this, something like the following oops may occur:

AFS: Assertion failed
18446612134397189888 == 0 is false
0xffff88007c279f00 == 0x0 is false
------------[ cut here ]------------
kernel BUG at fs/afs/rotate.c:360!
RIP: 0010:afs_select_fileserver+0x79b/0xa30 [kafs]
Call Trace:
 afs_statfs+0xcc/0x180 [kafs]
 ? p9_client_statfs+0x9e/0x110 [9pnet]
 ? _cond_resched+0x19/0x40
 statfs_by_dentry+0x6d/0x90
 vfs_statfs+0x1b/0xc0
 user_statfs+0x4b/0x80
 SYSC_statfs+0x15/0x30
 SyS_statfs+0xe/0x10
 entry_SYSCALL_64_fastpath+0x20/0x83

Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation")
Reported-by: Marc Dionne <marc.dionne@auristor.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
fs/afs/addr_list.c
fs/afs/rotate.c

index a537368ba0db9a9df6afb9e800578b4fe966ded6..fd9f28b8a933a9eacff9b17230581ff8bf37f64e 100644 (file)
@@ -332,11 +332,18 @@ bool afs_iterate_addresses(struct afs_addr_cursor *ac)
  */
 int afs_end_cursor(struct afs_addr_cursor *ac)
 {
-       if (ac->responded && ac->index != ac->start)
-               WRITE_ONCE(ac->alist->index, ac->index);
+       struct afs_addr_list *alist;
+
+       alist = ac->alist;
+       if (alist) {
+               if (ac->responded && ac->index != ac->start)
+                       WRITE_ONCE(alist->index, ac->index);
+               afs_put_addrlist(alist);
+       }
 
-       afs_put_addrlist(ac->alist);
+       ac->addr = NULL;
        ac->alist = NULL;
+       ac->begun = false;
        return ac->error;
 }
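Review bot: afs_end_cursor() now clears ->addr, ->alist and ->begun but leaves ->responded, ->index and ->start at their old values, so a cursor reused for the next server carries stale state until something resets it. That reset is presumably done in afs_iterate_addresses() or wherever a new alist is installed, neither of which is visible in this hunk, so it is worth confirming. The comment block that closes just above the function starts outside the hunk and should state the new contract, for example `* May be called on an already-ended cursor; drops the alist ref and clears ->addr so that no pointer into the released list is left behind.` The last part assumes ->addr points into the address list, which the hunk does not show.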
 
index 0c0f07d34de2a13ef3d097d93df8e274d9e18cee..892a4904fd77de7e8d4eabb5bac848df97c46a7d 100644 (file)
@@ -334,6 +334,7 @@ start:
 
 next_server:
        _debug("next");
+       afs_end_cursor(&fc->ac);
        afs_put_cb_interest(afs_v2net(vnode), fc->cbi);
        fc->cbi = NULL;
        fc->index++;
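Review bot: The new `afs_end_cursor(&fc->ac);` under next_server is only safe because of the `if (alist)` guard added to afs_end_cursor() in fs/afs/addr_list.c by this same commit. That matters if this label can be reached before any address list has been attached to the cursor, which cannot be confirmed from the hunk. The previous afs_end_cursor() passed ac->alist to afs_put_addrlist() unconditionally, so a stable backport must carry both files together. A comment such as `/* End the address cursor for the previous server; afs_end_cursor() tolerates an already-ended cursor. */` would record that dependency, and the same applies to the call added under failed in the next hunk. The enclosing function starts and ends outside this hunk.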
@@ -408,16 +409,15 @@ iterate_address:
        /* Iterate over the current server's address list to try and find an
         * address on which it will respond to us.
         */
-       if (afs_iterate_addresses(&fc->ac)) {
-               _leave(" = t");
-               return true;
-       }
+       if (!afs_iterate_addresses(&fc->ac))
+               goto next_server;
 
-       afs_end_cursor(&fc->ac);
-       goto next_server;
+       _leave(" = t");
+       return true;
 
 failed:
        fc->flags |= AFS_FS_CURSOR_STOP;
+       afs_end_cursor(&fc->ac);
        _leave(" = f [failed %d]", fc->ac.error);
        return false;
 }
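Review bot: Only the failed and next_server labels end the cursor, so any path in afs_select_fileserver() that returns false without passing through one of them would still leave fc->ac holding its address-list reference. The function begins outside this hunk, so whether such an exit exists should be checked against the full file. At failed the return value of afs_end_cursor() is dropped and `fc->ac.error` is read directly on the next line, which relies on afs_end_cursor() leaving ->error untouched. A one-line comment such as `/* afs_end_cursor() preserves ac.error for the trace below and for the caller */` would make that reliance explicit.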