Patch "sunrpc: only free unix grouplist after RCU settles" has been added to the 5.4-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 9 Apr 2023 08:39:00 -0400

This is a note to let you know that I've just added the patch titled

    sunrpc: only free unix grouplist after RCU settles

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     sunrpc-only-free-unix-grouplist-after-rcu-settles.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit bda4be90583169a516523c007e95c6b2a1e72c40
Author: Jeff Layton <jlayton@xxxxxxxxxx>
Date:   Thu Mar 30 14:24:27 2023 -0400

    sunrpc: only free unix grouplist after RCU settles
    
    [ Upstream commit 5085e41f9e83a1bec51da1f20b54f2ec3a13a3fe ]
    
    While the unix_gid object is rcu-freed, the group_info list that it
    contains is not. Ensure that we only put the group list reference once
    we are really freeing the unix_gid object.
    
    Reported-by: Zhi Li <yieli@xxxxxxxxxx>
    Link: https://bugzilla.redhat.com/show_bug.cgi?id=2183056
    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxxx>
    Fixes: fd5d2f78261b ("SUNRPC: Make server side AUTH_UNIX use lockless lookups")
    Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/sunrpc/svcauth_unix.c b/net/sunrpc/svcauth_unix.c
index 5c04ba7d456b2..5b47e33632399 100644
--- a/net/sunrpc/svcauth_unix.c
+++ b/net/sunrpc/svcauth_unix.c
@@ -428,14 +428,23 @@ static int unix_gid_hash(kuid_t uid)
 	return hash_long(from_kuid(&init_user_ns, uid), GID_HASHBITS);
 }
 
-static void unix_gid_put(struct kref *kref)
+static void unix_gid_free(struct rcu_head *rcu)
 {
-	struct cache_head *item = container_of(kref, struct cache_head, ref);
-	struct unix_gid *ug = container_of(item, struct unix_gid, h);
+	struct unix_gid *ug = container_of(rcu, struct unix_gid, rcu);
+	struct cache_head *item = &ug->h;
+
 	if (test_bit(CACHE_VALID, &item->flags) &&
 	    !test_bit(CACHE_NEGATIVE, &item->flags))
 		put_group_info(ug->gi);
-	kfree_rcu(ug, rcu);
+	kfree(ug);
+}
+
+static void unix_gid_put(struct kref *kref)
+{
+	struct cache_head *item = container_of(kref, struct cache_head, ref);
+	struct unix_gid *ug = container_of(item, struct unix_gid, h);
+
+	call_rcu(&ug->rcu, unix_gid_free);
 }
 
 static int unix_gid_match(struct cache_head *corig, struct cache_head *cnew)






