[ Upstream commit 275655d3207b9e65d1561bf21c06a622d9ec1d43 ] In __afs_break_callback() we might check ->cb_nr_mmap and if it's non-zero do queue_work(&vnode->cb_work). In afs_drop_open_mmap() we decrement ->cb_nr_mmap and do flush_work(&vnode->cb_work) if it reaches zero. The trouble is, there's nothing to prevent __afs_break_callback() from seeing ->cb_nr_mmap before the decrement and then doing queue_work() after both the decrement and flush_work(). If that happens, we might be in trouble - vnode might get freed before the queued work runs. __afs_break_callback() is always done under ->cb_lock, so let's make sure that ->cb_nr_mmap can only change from non-zero to zero while holding ->cb_lock (the spinlock component of it - it's a seqlock and we don't need to mess with the counter). Acked-by: Christian Brauner <brauner@kernel.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Sasha Levin <sashal@kernel.org> |
| addr_list.c | ||
| afs.h | ||
| afs_cm.h | ||
| afs_fs.h | ||
| afs_vl.h | ||
| callback.c | ||
| cell.c | ||
| cmservice.c | ||
| dir.c | ||
| dir_edit.c | ||
| dir_silly.c | ||
| dynroot.c | ||
| file.c | ||
| flock.c | ||
| fs_operation.c | ||
| fs_probe.c | ||
| fsclient.c | ||
| inode.c | ||
| internal.h | ||
| Kconfig | ||
| main.c | ||
| Makefile | ||
| misc.c | ||
| mntpt.c | ||
| proc.c | ||
| protocol_afs.h | ||
| protocol_uae.h | ||
| protocol_yfs.h | ||
| rotate.c | ||
| rxrpc.c | ||
| security.c | ||
| server.c | ||
| server_list.c | ||
| super.c | ||
| vl_alias.c | ||
| vl_list.c | ||
| vl_probe.c | ||
| vl_rotate.c | ||
| vlclient.c | ||
| volume.c | ||
| write.c | ||
| xattr.c | ||
| xdr_fs.h | ||
| yfsclient.c | ||