# git rev-parse -q --verify 9a6b294ab496650e9f270123730df37030911b55^{commit}
9a6b294ab496650e9f270123730df37030911b55
already have revision, skipping fetch
# git checkout -q -f -B kisskb 9a6b294ab496650e9f270123730df37030911b55
# git clean -qxdf
# < git log -1
# commit 9a6b294ab496650e9f270123730df37030911b55
# Author: David Howells <dhowells@redhat.com>
# Date:   Thu Dec 21 13:57:31 2023 +0000
# 
#     afs: Fix use-after-free due to get/remove race in volume tree
#     
#     When an afs_volume struct is put, its refcount is reduced to 0 before
#     the cell->volume_lock is taken and the volume removed from the
#     cell->volumes tree.
#     
#     Unfortunately, this means that the lookup code can race and see a volume
#     with a zero ref in the tree, resulting in a use-after-free:
#     
#         refcount_t: addition on 0; use-after-free.
#         WARNING: CPU: 3 PID: 130782 at lib/refcount.c:25 refcount_warn_saturate+0x7a/0xda
#         ...
#         RIP: 0010:refcount_warn_saturate+0x7a/0xda
#         ...
#         Call Trace:
#          afs_get_volume+0x3d/0x55
#          afs_create_volume+0x126/0x1de
#          afs_validate_fc+0xfe/0x130
#          afs_get_tree+0x20/0x2e5
#          vfs_get_tree+0x1d/0xc9
#          do_new_mount+0x13b/0x22e
#          do_mount+0x5d/0x8a
#          __do_sys_mount+0x100/0x12a
#          do_syscall_64+0x3a/0x94
#          entry_SYSCALL_64_after_hwframe+0x62/0x6a
#     
#     Fix this by:
#     
#      (1) When putting, use a flag to indicate if the volume has been removed
#          from the tree and skip the rb_erase if it has.
#     
#      (2) When looking up, use a conditional ref increment and if it fails
#          because the refcount is 0, replace the node in the tree and set the
#          removal flag.
#     
#     Fixes: 20325960f875 ("afs: Reorganise volume and server trees to be rooted on the cell")
#     Signed-off-by: David Howells <dhowells@redhat.com>
#     Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
#     cc: Marc Dionne <marc.dionne@auristor.com>
#     cc: linux-afs@lists.infradead.org
#     Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
# < /opt/cross/kisskb/korg/gcc-8.5.0-nolibc/x86_64-linux/bin/x86_64-linux-gcc --version
# < /opt/cross/kisskb/korg/gcc-8.5.0-nolibc/x86_64-linux/bin/x86_64-linux-ld --version
# < git log --format=%s --max-count=1 9a6b294ab496650e9f270123730df37030911b55
# make -s -j 40 ARCH=x86 O=/kisskb/build/linus_x86_64_defconfig_x86_64-gcc8 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-8.5.0-nolibc/x86_64-linux/bin/x86_64-linux-  x86_64_defconfig
# < make -s -j 40 ARCH=x86 O=/kisskb/build/linus_x86_64_defconfig_x86_64-gcc8 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-8.5.0-nolibc/x86_64-linux/bin/x86_64-linux-  help
# make -s -j 40 ARCH=x86 O=/kisskb/build/linus_x86_64_defconfig_x86_64-gcc8 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-8.5.0-nolibc/x86_64-linux/bin/x86_64-linux-  olddefconfig
# make -s -j 40 ARCH=x86 O=/kisskb/build/linus_x86_64_defconfig_x86_64-gcc8 CROSS_COMPILE=/opt/cross/kisskb/korg/gcc-8.5.0-nolibc/x86_64-linux/bin/x86_64-linux-  
Completed OK
# rm -rf /kisskb/build/linus_x86_64_defconfig_x86_64-gcc8
# Build took: 0:01:29.709878