afs: Fix afs_atcell_get_link() to handle RCU pathwalk

The ->get_link() method may be entered under RCU pathwalk conditions (in
which case, the dentry pointer is NULL).  This is not taken account of by
afs_atcell_get_link() and lockdep will complain when it tries to lock an
rwsem.

Fix this by marking net->ws_cell as __rcu and using RCU access macros on it
and by making afs_atcell_get_link() just return a pointer to the name in
RCU pathwalk without taking net->cells_lock or a ref on the cell as RCU
will protect the name storage (the cell is already freed via call_rcu()).

Fixes: 30bca65bbbae ("afs: Make /afs/@cell and /afs/.@cell symlinks")
Reported-by: Alexander Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
cc: linux-fsdevel@vger.kernel.org
Link: https://lore.kernel.org/r/20250310094206.801057-2-dhowells@redhat.com/

diff --git a/fs/afs/cell.c b/fs/afs/cell.c
index cee42646736c8684bcf2a172783c5d3bb445a636..96a6781f365303aec029300d9e60e29b13c7daf3 100644 (file)
--- a/fs/afs/cell.c
+++ b/fs/afs/cell.c
@@ -64,7 +64,8 @@ static struct afs_cell *afs_find_cell_locked(struct afs_net *net,
                return ERR_PTR(-ENAMETOOLONG);
 
        if (!name) {
-               cell = net->ws_cell;
+               cell = rcu_dereference_protected(net->ws_cell,
+                                                lockdep_is_held(&net->cells_lock));
                if (!cell)
                        return ERR_PTR(-EDESTADDRREQ);
                goto found;
@@ -388,8 +389,8 @@ int afs_cell_init(struct afs_net *net, const char *rootcell)
        /* install the new cell */
        down_write(&net->cells_lock);
        afs_see_cell(new_root, afs_cell_trace_see_ws);
-       old_root = net->ws_cell;
-       net->ws_cell = new_root;
+       old_root = rcu_replace_pointer(net->ws_cell, new_root,
+                                      lockdep_is_held(&net->cells_lock));
        up_write(&net->cells_lock);
 
        afs_unuse_cell(net, old_root, afs_cell_trace_unuse_ws);
@@ -945,8 +946,8 @@ void afs_cell_purge(struct afs_net *net)
        _enter("");
 
        down_write(&net->cells_lock);
-       ws = net->ws_cell;
-       net->ws_cell = NULL;
+       ws = rcu_replace_pointer(net->ws_cell, NULL,
+                                lockdep_is_held(&net->cells_lock));
        up_write(&net->cells_lock);
        afs_unuse_cell(net, ws, afs_cell_trace_unuse_ws);
 

diff --git a/fs/afs/dynroot.c b/fs/afs/dynroot.c
index d8bf52f77d930228bd5def9cac32b80bf4a26d79..008698d706caa4879074a150d3ae82b7cc3245a2 100644 (file)
--- a/fs/afs/dynroot.c
+++ b/fs/afs/dynroot.c
@@ -314,12 +314,23 @@ static const char *afs_atcell_get_link(struct dentry *dentry, struct inode *inod
        const char *name;
        bool dotted = vnode->fid.vnode == 3;
 
-       if (!net->ws_cell)
+       if (!dentry) {
+               /* We're in RCU-pathwalk. */
+               cell = rcu_dereference(net->ws_cell);
+               if (dotted)
+                       name = cell->name - 1;
+               else
+                       name = cell->name;
+               /* Shouldn't need to set a delayed call. */
+               return name;
+       }
+
+       if (!rcu_access_pointer(net->ws_cell))
                return ERR_PTR(-ENOENT);
 
        down_read(&net->cells_lock);
 
-       cell = net->ws_cell;
+       cell = rcu_dereference_protected(net->ws_cell, lockdep_is_held(&net->cells_lock));
        if (dotted)
                name = cell->name - 1;
        else

diff --git a/fs/afs/internal.h b/fs/afs/internal.h
index 90f407774a9a17b490489a1657871dbc9ecf1f9c..df30bd62da79ea31ffd3430269fe1fdc9a8abbac 100644 (file)
--- a/fs/afs/internal.h
+++ b/fs/afs/internal.h
@@ -287,7 +287,7 @@ struct afs_net {
 
        /* Cell database */
        struct rb_root          cells;
-       struct afs_cell         *ws_cell;
+       struct afs_cell __rcu   *ws_cell;
        struct work_struct      cells_manager;
        struct timer_list       cells_timer;
        atomic_t                cells_outstanding;

diff --git a/fs/afs/proc.c b/fs/afs/proc.c
index e7614f4f30c21eb4b1bca3299ad7175dc9bb8c2a..12c88d8be3fe8bb40f49598ce0b7e72801c04e5c 100644 (file)
--- a/fs/afs/proc.c
+++ b/fs/afs/proc.c
@@ -206,7 +206,7 @@ static int afs_proc_rootcell_show(struct seq_file *m, void *v)
 
        net = afs_seq2net_single(m);
        down_read(&net->cells_lock);
-       cell = net->ws_cell;
+       cell = rcu_dereference_protected(net->ws_cell, lockdep_is_held(&net->cells_lock));
        if (cell)
                seq_printf(m, "%s\n", cell->name);
        up_read(&net->cells_lock);
@@ -242,7 +242,7 @@ static int afs_proc_rootcell_write(struct file *file, char *buf, size_t size)
 
        ret = -EEXIST;
        inode_lock(file_inode(file));
-       if (!net->ws_cell)
+       if (!rcu_access_pointer(net->ws_cell))
                ret = afs_cell_init(net, buf);
        else
                printk("busy\n");