# git rev-parse -q --verify f0a7d1883d9f78ae7bf15fc258bf9a2b20f35b76^{commit} f0a7d1883d9f78ae7bf15fc258bf9a2b20f35b76 already have revision, skipping fetch
# git checkout -q -f -B kisskb f0a7d1883d9f78ae7bf15fc258bf9a2b20f35b76
# git clean -qxdf
# < git log -1
# commit f0a7d1883d9f78ae7bf15fc258bf9a2b20f35b76
# Author: David Howells
# Date: Mon Oct 15 12:43:02 2018 +0100
#
# afs: Fix clearance of reply
#
# The recent patch to fix the afs_server struct leak didn't actually fix the
# bug, but rather fixed some of the symptoms. The problem is that an
# asynchronous call that holds a resource pointed to by call->reply[0] will
# find the pointer cleared in the call destructor, thereby preventing the
# resource from being cleaned up.
#
# In the case of the server record leak, the afs_fs_get_capabilities()
# function in devel code sets up a call with reply[0] pointing at the server
# record that should be altered when the result is obtained, but this was
# being cleared before the destructor was called, so the put in the
# destructor does nothing and the record is leaked.
#
# Commit f014ffb025c1 removed the additional ref obtained by
# afs_install_server(), but the removal of this ref is actually used by the
# garbage collector to mark a server record as being defunct after the record
# has expired through lack of use.
#
# The offending clearance of call->reply[0] upon completion in
# afs_process_async_call() has been there from the origin of the code, but
# none of the asynchronous calls actually use that pointer currently, so it
# should be safe to remove (note that synchronous calls don't involve this
# function).
#
# Fix this by the following means:
#
# (1) Revert commit f014ffb025c1.
#
# (2) Remove the clearance of reply[0] from afs_process_async_call().
#
# Without this, afs_manage_servers() will suffer an assertion failure if it
# sees a server record that didn't get used because the usage count is not 1.
# # Fixes: f014ffb025c1 ("afs: Fix afs_server struct leak") # Fixes: 08e0e7c82eea ("[AF_RXRPC]: Make the in-kernel AFS filesystem use AF_RXRPC.") # Signed-off-by: David Howells # Cc: stable # Signed-off-by: Greg Kroah-Hartman # < /opt/cross/kisskb/korg/gcc-8.1.0-nolibc/hppa-linux/bin/hppa-linux-gcc --version # < git log --format=%s --max-count=1 f0a7d1883d9f78ae7bf15fc258bf9a2b20f35b76 # < make -s -j 48 ARCH=parisc O=/kisskb/build/linus_parisc-allmodconfig_parisc CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-8.1.0-nolibc/hppa-linux/bin/hppa-linux- allmodconfig # Added to kconfig CONFIG_BUILD_DOCSRC=n # Added to kconfig CONFIG_MODULE_SIG=n # Added to kconfig CONFIG_SAMPLES=n # yes \n | make -s -j 48 ARCH=parisc O=/kisskb/build/linus_parisc-allmodconfig_parisc CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-8.1.0-nolibc/hppa-linux/bin/hppa-linux- oldconfig yes: standard output: Broken pipe # make -s -j 48 ARCH=parisc O=/kisskb/build/linus_parisc-allmodconfig_parisc CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-8.1.0-nolibc/hppa-linux/bin/hppa-linux- :1335:2: warning: #warning syscall rseq not implemented [-Wcpp] /kisskb/src/lib/test_hexdump.c: In function 'test_hexdump_prepare_test.constprop': /kisskb/src/lib/test_hexdump.c:102:3: warning: 'strncpy' specified bound depends on the length of the source argument [-Wstringop-overflow=] strncpy(p, q, amount); ^~~~~~~~~~~~~~~~~~~~~ /kisskb/src/lib/test_hexdump.c:100:19: note: length computed here size_t amount = strlen(q); ^~~~~~~~~ /kisskb/src/kernel/trace/trace_hwlat.c: In function 'kthread_fn': /kisskb/src/kernel/trace/trace_hwlat.c:341:1: warning: the frame size of 1696 bytes is larger than 1280 bytes [-Wframe-larger-than=] } ^ /kisskb/src/lib/xxhash.c: In function 'xxh64': /kisskb/src/lib/xxhash.c:236:1: warning: the frame size of 1624 bytes is larger than 1280 bytes [-Wframe-larger-than=] } ^ /kisskb/src/drivers/input/joystick/analog.c:172:2: warning: #warning Precise timer not defined for this architecture. 
[-Wcpp] #warning Precise timer not defined for this architecture. ^~~~~~~ In file included from /kisskb/src/arch/parisc/include/asm/atomic.h:10, from /kisskb/src/include/linux/atomic.h:7, from /kisskb/src/arch/parisc/include/asm/bitops.h:13, from /kisskb/src/include/linux/bitops.h:19, from /kisskb/src/include/linux/kernel.h:11, from /kisskb/src/include/linux/list.h:9, from /kisskb/src/include/linux/wait.h:7, from /kisskb/src/include/linux/wait_bit.h:8, from /kisskb/src/include/linux/fs.h:6, from /kisskb/src/fs/ocfs2/file.c:27: /kisskb/src/fs/ocfs2/file.c: In function 'ocfs2_file_write_iter': /kisskb/src/arch/parisc/include/asm/cmpxchg.h:48:3: warning: value computed is not used [-Wunused-value] ((__typeof__(*(ptr)))__xchg((unsigned long)(x), (ptr), sizeof(*(ptr)))) ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /kisskb/src/fs/ocfs2/file.c:2386:3: note: in expansion of macro 'xchg' xchg(&iocb->ki_complete, saved_ki_complete); ^~~~ /kisskb/src/drivers/gpu/drm/nouveau/nvkm/engine/device/ctrl.c: In function 'nvkm_control_mthd_pstate_info': /kisskb/src/drivers/gpu/drm/nouveau/nvkm/engine/device/ctrl.c:60:21: warning: overflow in conversion from 'int' to '__s8' {aka 'signed char'} changes value from '-251' to '5' [-Woverflow] args->v0.pwrsrc = -ENOSYS; ^ In file included from /kisskb/src/drivers/net/phy/dp83640.c:36: /kisskb/src/drivers/net/phy/dp83640_reg.h:8: warning: "PAGE0" redefined #define PAGE0 0x0000 In file included from /kisskb/src/include/linux/mm_types_task.h:16, from /kisskb/src/include/linux/mm_types.h:5, from /kisskb/src/include/linux/fs.h:23, from /kisskb/src/include/linux/compat.h:17, from /kisskb/src/include/linux/ethtool.h:17, from /kisskb/src/drivers/net/phy/dp83640.c:24: /kisskb/src/arch/parisc/include/asm/page.h:182: note: this is the location of the previous definition #define PAGE0 ((struct zeropage *)__PAGE_OFFSET) In file included from /kisskb/src/arch/parisc/include/asm/atomic.h:10, from 
/kisskb/src/include/linux/atomic.h:7, from /kisskb/src/arch/parisc/include/asm/bitops.h:13, from /kisskb/src/include/linux/bitops.h:19, from /kisskb/src/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c:11: /kisskb/src/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c: In function 'ixgbevf_xdp_setup': /kisskb/src/arch/parisc/include/asm/cmpxchg.h:48:3: warning: value computed is not used [-Wunused-value] ((__typeof__(*(ptr)))__xchg((unsigned long)(x), (ptr), sizeof(*(ptr)))) ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /kisskb/src/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c:4430:4: note: in expansion of macro 'xchg' xchg(&adapter->rx_ring[i]->xdp_prog, adapter->xdp_prog); ^~~~ /kisskb/src/net/sched/sch_cake.c: In function 'cake_dump_stats': /kisskb/src/net/sched/sch_cake.c:2854:1: warning: the frame size of 1480 bytes is larger than 1280 bytes [-Wframe-larger-than=] } ^ /kisskb/src/drivers/scsi/esas2r/esas2r_ioctl.c: In function 'esas2r_write_vda': /kisskb/src/drivers/scsi/esas2r/esas2r_ioctl.c:1910:19: warning: 'dma_addr' may be used uninitialized in this function [-Wmaybe-uninitialized] a->ppvda_buffer = dma_addr; ~~~~~~~~~~~~~~~~^~~~~~~~~~ /kisskb/src/net/tipc/topsrv.c: In function 'tipc_topsrv_start': /kisskb/src/net/tipc/topsrv.c:660:2: warning: 'strncpy' specified bound depends on the length of the source argument [-Wstringop-overflow=] strncpy(srv->name, name, strlen(name) + 1); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /kisskb/src/net/tipc/topsrv.c:660:27: note: length computed here strncpy(srv->name, name, strlen(name) + 1); ^~~~~~~~~~~~ /kisskb/src/scripts/unifdef.c: In function 'Mpass': /kisskb/src/scripts/unifdef.c:453:28: warning: 'strncpy' output truncated before terminating nul copying 4 bytes from a string of the same length [-Wstringop-truncation] static void Mpass (void) { strncpy(keyword, "if ", 4); Pelif(); } ^~~~~~~~~~~~~~~~~~~~~~~~~~~ Completed OK # rm -rf /kisskb/build/linus_parisc-allmodconfig_parisc # Build 
took: 0:11:58.104957