afs: Fix cell removal
Fix cell removal by inserting a more final state than AFS_CELL_FAILED that
indicates that the cell has been unpublished in case the manager is already
requeued and will go through again. The new AFS_CELL_REMOVED state will
just immediately leave the manager function.
Going through a second time in the AFS_CELL_FAILED state will cause it to
try to remove the cell again, potentially leading to the proc list being
removed.
Fixes: 989782dcdc ("afs: Overhaul cell database management")
Reported-by: syzbot+b994ecf2b023f14832c1@syzkaller.appspotmail.com
Reported-by: syzbot+0e0db88e1eb44a91ae8d@syzkaller.appspotmail.com
Reported-by: syzbot+2d0585e5efcd43d113c2@syzkaller.appspotmail.com
Reported-by: syzbot+1ecc2f9d3387f1d79d42@syzkaller.appspotmail.com
Reported-by: syzbot+18d51774588492bf3f69@syzkaller.appspotmail.com
Reported-by: syzbot+a5e4946b04d6ca8fa5f3@syzkaller.appspotmail.com
Suggested-by: Hillf Danton <hdanton@sina.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Hillf Danton <hdanton@sina.com>
This commit is contained in:
David Howells
parent
286377f6bd
commit
1d0e850a49
|
|
@ -291,11 +291,11 @@ wait_for_cell:
|
|||
wait_var_event(&cell->state,
|
||||
({
|
||||
state = smp_load_acquire(&cell->state); /* vs error */
|
||||
state == AFS_CELL_ACTIVE || state == AFS_CELL_FAILED;
|
||||
state == AFS_CELL_ACTIVE || state == AFS_CELL_REMOVED;
|
||||
}));
|
||||
|
||||
/* Check the state obtained from the wait check. */
|
||||
if (state == AFS_CELL_FAILED) {
|
||||
if (state == AFS_CELL_REMOVED) {
|
||||
ret = cell->error;
|
||||
goto error;
|
||||
}
|
||||
|
|
@ -700,7 +700,6 @@ static void afs_deactivate_cell(struct afs_net *net, struct afs_cell *cell)
|
|||
static void afs_manage_cell(struct afs_cell *cell)
|
||||
{
|
||||
struct afs_net *net = cell->net;
|
||||
bool deleted;
|
||||
int ret, active;
|
||||
|
||||
_enter("%s", cell->name);
|
||||
|
|
@ -712,13 +711,15 @@ again:
|
|||
case AFS_CELL_FAILED:
|
||||
down_write(&net->cells_lock);
|
||||
active = 1;
|
||||
deleted = atomic_try_cmpxchg_relaxed(&cell->active, &active, 0);
|
||||
if (deleted) {
|
||||
if (atomic_try_cmpxchg_relaxed(&cell->active, &active, 0)) {
|
||||
rb_erase(&cell->net_node, &net->cells);
|
||||
smp_store_release(&cell->state, AFS_CELL_REMOVED);
|
||||
}
|
||||
up_write(&net->cells_lock);
|
||||
if (deleted)
|
||||
if (cell->state == AFS_CELL_REMOVED) {
|
||||
wake_up_var(&cell->state);
|
||||
goto final_destruction;
|
||||
}
|
||||
if (cell->state == AFS_CELL_FAILED)
|
||||
goto done;
|
||||
smp_store_release(&cell->state, AFS_CELL_UNSET);
|
||||
|
|
@ -760,6 +761,9 @@ again:
|
|||
wake_up_var(&cell->state);
|
||||
goto again;
|
||||
|
||||
case AFS_CELL_REMOVED:
|
||||
goto done;
|
||||
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -326,6 +326,7 @@ enum afs_cell_state {
|
|||
AFS_CELL_DEACTIVATING,
|
||||
AFS_CELL_INACTIVE,
|
||||
AFS_CELL_FAILED,
|
||||
AFS_CELL_REMOVED,
|
||||
};
|
||||
|
||||
/*
|
||||
|
|
|
|||
Loading…
Reference in New Issue