[PATCH] nfsd: validate the nfsd_serv pointer before calling svc_wake_up

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Jeff Layton <jlayton@kernel.org>
To: Chuck Lever <chuck.lever@oracle.com>, Neil Brown <neilb@suse.de>,
	 Olga Kornievskaia <okorniev@redhat.com>,
	Dai Ngo <Dai.Ngo@oracle.com>,  Tom Talpey <tom@talpey.com>
Cc: Salvatore Bonaccorso <carnil@debian.org>,
	linux-nfs@vger.kernel.org,  linux-kernel@vger.kernel.org,
	Jeff Layton <jlayton@kernel.org>
Subject: [PATCH] nfsd: validate the nfsd_serv pointer before calling svc_wake_up
Date: Sat, 25 Jan 2025 20:13:18 -0500	[thread overview]
Message-ID: <20250125-kdevops-v1-1-a76cf79127b8@kernel.org> (raw)

nfsd_file_dispose_list_delayed can be called from the filecache
laundrette, which is shut down after the nfsd threads are shut down and
the nfsd_serv pointer is cleared. If nn->nfsd_serv is NULL then there
are no threads to wake.

Ensure that the nn->nfsd_serv pointer is non-NULL before calling
svc_wake_up in nfsd_file_dispose_list_delayed. This is safe since the
svc_serv is not freed until after the filecache laundrette is cancelled.

Fixes: ffb402596147 ("nfsd: Don't leave work of closing files to a work queue")
Reported-by: Salvatore Bonaccorso <carnil@debian.org>
Closes: https://lore.kernel.org/linux-nfs/7d9f2a8aede4f7ca9935a47e1d405643220d7946.camel@kernel.org/
Signed-off-by: Jeff Layton <jlayton@kernel.org>
---
This is only lightly tested, but I think it will fix the bug that
Salvatore reported.
---
 fs/nfsd/filecache.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/fs/nfsd/filecache.c b/fs/nfsd/filecache.c
index e91c164b5ea21507659904690533a19ca43b1b64..fb2a4469b7a3c077de2dd750f43239b4af6d37b0 100644
--- a/fs/nfsd/filecache.c
+++ b/fs/nfsd/filecache.c
@@ -445,11 +445,20 @@ nfsd_file_dispose_list_delayed(struct list_head *dispose)
 						struct nfsd_file, nf_gc);
 		struct nfsd_net *nn = net_generic(nf->nf_net, nfsd_net_id);
 		struct nfsd_fcache_disposal *l = nn->fcache_disposal;
+		struct svc_serv *serv;
 
 		spin_lock(&l->lock);
 		list_move_tail(&nf->nf_gc, &l->freeme);
 		spin_unlock(&l->lock);
-		svc_wake_up(nn->nfsd_serv);
+
+		/*
+		 * The filecache laundrette is shut down after the
+		 * nn->nfsd_serv pointer is cleared, but before the
+		 * svc_serv is freed.
+		 */
+		serv = nn->nfsd_serv;
+		if (serv)
+			svc_wake_up(serv);
 	}
 }
 

---
base-commit: 7541a5b8073cf0d9e2d288cac581f1aa6c11671d
change-id: 20250125-kdevops-0989825ae8db

Best regards,
-- 
Jeff Layton <jlayton@kernel.org>

next             reply	other threads:[~2025-01-26  1:13 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-01-26  1:13 Jeff Layton [this message]
2025-01-26  2:39 ` [PATCH] nfsd: validate the nfsd_serv pointer before calling svc_wake_up NeilBrown
2025-01-26 12:36   ` Jeff Layton
2025-01-26 21:53     ` NeilBrown
2025-01-26 22:48       ` Jeff Layton
2025-01-27  0:15         ` NeilBrown
2025-01-27 13:07           ` Jeff Layton
2025-01-27 13:22             ` Chuck Lever
2025-01-27 13:32               ` Jeff Layton
2025-01-27 13:39                 ` Chuck Lever
2025-01-27 14:03                   ` Chuck Lever
2025-01-27 14:34                     ` Jeff Layton
2025-01-27 22:11                       ` NeilBrown
2025-01-27 22:16                     ` NeilBrown
2025-01-26 18:58 ` cel
2025-01-28 17:07 ` cel
2025-01-29 21:13   ` NeilBrown

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:e91c164b5ea21507659904690533a19ca43b1b6
dfblob:fb2a4469b7a3c077de2dd750f43239b4af6d37b )
 OR (
bs:"[PATCH] nfsd: validate the nfsd_serv pointer before calling svc_wake_up" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250125-kdevops-v1-1-a76cf79127b8@kernel.org \
    --to=jlayton@kernel.org \
    --cc=Dai.Ngo@oracle.com \
    --cc=carnil@debian.org \
    --cc=chuck.lever@oracle.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-nfs@vger.kernel.org \
    --cc=neilb@suse.de \
    --cc=okorniev@redhat.com \
    --cc=tom@talpey.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.