From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Zorro Lang <zlang@redhat.com>,
Mike Snitzer <snitzer@kernel.org>,
Trond Myklebust <trond.myklebust@hammerspace.com>,
Christian Brauner <brauner@kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 6.18 5/5] nfs/localio: fix regression due to out-of-order __put_cred
Date: Fri, 9 Jan 2026 12:44:07 +0100
Message-ID: <20260109111950.550738956@linuxfoundation.org>
In-Reply-To: <20260109111950.344681501@linuxfoundation.org>
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mike Snitzer <snitzer@kernel.org>
commit 3af870aedbff10bfed220e280b57a405e972229f upstream.
Commit f2060bdc21d7 ("nfs/localio: add refcounting for each iocb IO
associated with NFS pgio header") inadvertently reintroduced the same
potential for __put_cred() triggering BUG_ON(cred == current->cred) that
commit 992203a1fba5 ("nfs/localio: restore creds before releasing pageio
data") fixed.
Fix this by saving and restoring the cred around each {read,write}_iter
call within the respective for loop of nfs_local_call_{read,write} using
scoped_with_creds().
NOTE: this fix started by first reverting the following commits:
94afb627dfc2 ("nfs: use credential guards in nfs_local_call_read()")
bff3c841f7bd ("nfs: use credential guards in nfs_local_call_write()")
1d18101a644e ("Merge tag 'kernel-6.19-rc1.cred' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs")
followed by narrowly fixing the cred lifetime issue by using
scoped_with_creds(). In doing so, this commit's changes appear more
extensive than they really are (as evidenced by comparing to v6.18's
fs/nfs/localio.c).
Reported-by: Zorro Lang <zlang@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Acked-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Reviewed-by: Christian Brauner <brauner@kernel.org>
Link: https://lore.kernel.org/linux-next/20251205111942.4150b06f@canb.auug.org.au/
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfs/localio.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/fs/nfs/localio.c
+++ b/fs/nfs/localio.c
@@ -623,8 +623,6 @@ static void nfs_local_call_read(struct w
ssize_t status;
int n_iters;
- save_cred = override_creds(filp->f_cred);
-
n_iters = atomic_read(&iocb->n_iters);
for (int i = 0; i < n_iters ; i++) {
if (iocb->iter_is_dio_aligned[i]) {
@@ -637,7 +635,10 @@ static void nfs_local_call_read(struct w
} else
iocb->kiocb.ki_flags &= ~IOCB_DIRECT;
+ save_cred = override_creds(filp->f_cred);
status = filp->f_op->read_iter(&iocb->kiocb, &iocb->iters[i]);
+ revert_creds(save_cred);
+
if (status != -EIOCBQUEUED) {
if (unlikely(status >= 0 && status < iocb->iters[i].count))
force_done = true; /* Partial read */
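Review bot: the changelog says the fix uses scoped_with_creds(), but the lines added around the read_iter call open-code the pair as "save_cred = override_creds(filp->f_cred);" and "revert_creds(save_cred);". If the 6.18 backport intentionally differs from upstream commit 3af870aedbff here, add a short backport note below the "commit ... upstream." line saying so, so that anyone comparing the two is not left guessing whether a hunk was mis-applied.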
@@ -647,8 +648,6 @@ static void nfs_local_call_read(struct w
}
}
}
-
- revert_creds(save_cred);
}
static int
@@ -830,7 +829,6 @@ static void nfs_local_call_write(struct
int n_iters;
current->flags |= PF_LOCAL_THROTTLE | PF_MEMALLOC_NOIO;
- save_cred = override_creds(filp->f_cred);
file_start_write(filp);
n_iters = atomic_read(&iocb->n_iters);
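Review bot: with the override_creds() call removed ahead of file_start_write(filp), that helper no longer runs with filp->f_cred in effect, and the last hunk does the same to file_end_write(filp) by dropping the revert_creds() after it. The changelog only talks about the {read,write}_iter calls; please add a sentence confirming that neither helper depends on the overridden credentials, since this narrows the override on the write path in a way the read path has no equivalent for.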
@@ -845,7 +843,10 @@ static void nfs_local_call_write(struct
} else
iocb->kiocb.ki_flags &= ~IOCB_DIRECT;
+ save_cred = override_creds(filp->f_cred);
status = filp->f_op->write_iter(&iocb->kiocb, &iocb->iters[i]);
+ revert_creds(save_cred);
+
if (status != -EIOCBQUEUED) {
if (unlikely(status >= 0 && status < iocb->iters[i].count))
force_done = true; /* Partial write */
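Review bot: nothing at the write_iter call site records why the override has to be this narrow. According to the changelog this __put_cred() BUG_ON(cred == current->cred) ordering problem was already fixed once by 992203a1fba5 and then reintroduced, so a one-line comment above "save_cred = override_creds(filp->f_cred);" stating that revert_creds() must run before the "status != -EIOCBQUEUED" handling would help stop a later cleanup from hoisting the pair back out of the loop. The same comment belongs at the read_iter call site.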
@@ -857,7 +858,6 @@ static void nfs_local_call_write(struct
}
file_end_write(filp);
- revert_creds(save_cred);
current->flags = old_flags;
}