[PATCH v2 2/2] NFS: Fix RCU dereference of cl_xprt in nfs_compare_super_address

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Sean Chang <seanwascoding@gmail.com>
To: Benjamin Coddington <ben.coddington@hammerspace.com>
Cc: Jeff Layton <jlayton@kernel.org>,
	trondmy@kernel.org, anna@kernel.org, linux-nfs@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Sean Chang <seanwascoding@gmail.com>
Subject: [PATCH v2 2/2] NFS: Fix RCU dereference of cl_xprt in nfs_compare_super_address
Date: Sun, 19 Apr 2026 18:01:28 +0800	[thread overview]
Message-ID: <20260419100128.20546-3-seanwascoding@gmail.com> (raw)
In-Reply-To: <20260419100128.20546-1-seanwascoding@gmail.com>

The cl_xprt pointer in struct rpc_clnt is marked as __rcu. Accessing
it directly in nfs_compare_super_address() is unsafe and triggers
Sparse warnings.

Fix this by wrapping the access with rcu_read_lock() and using
rcu_dereference() to safely retrieve the transport pointer. This
ensures the xprt structure remains memory-safe during the comparison
of network namespaces and addresses.

Additionally, add a check for the XPRT_CONNECTED state bit. While RCU
guarantees the memory remains valid, checking XPRT_CONNECTED ensures
the transport is still logically active, preventing operations on a
transport that is already undergoing teardown.

Fixes: 7e3fcf61abde ("nfs: don't share mounts between network namespaces")
Signed-off-by: Sean Chang <seanwascoding@gmail.com>
---
 fs/nfs/super.c | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index 7a318581f85b..c9044d9d64cc 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -1166,12 +1166,23 @@ static int nfs_set_super(struct super_block *s, struct fs_context *fc)
 static int nfs_compare_super_address(struct nfs_server *server1,
 				     struct nfs_server *server2)
 {
+	struct rpc_xprt *xprt1, *xprt2;
 	struct sockaddr *sap1, *sap2;
-	struct rpc_xprt *xprt1 = server1->client->cl_xprt;
-	struct rpc_xprt *xprt2 = server2->client->cl_xprt;
+
+	rcu_read_lock();
+
+	xprt1 = rcu_dereference(server1->client->cl_xprt);
+	xprt2 = rcu_dereference(server2->client->cl_xprt);
+
+	if (!xprt1 || !xprt2 ||
+	    !test_bit(XPRT_CONNECTED, &xprt1->state) ||
+	    !test_bit(XPRT_CONNECTED, &xprt2->state))
+		goto out_unlock;
 
 	if (!net_eq(xprt1->xprt_net, xprt2->xprt_net))
-		return 0;
+		goto out_unlock;
+
+	rcu_read_unlock();
 
 	sap1 = (struct sockaddr *)&server1->nfs_client->cl_addr;
 	sap2 = (struct sockaddr *)&server2->nfs_client->cl_addr;
@@ -1203,6 +1214,10 @@ static int nfs_compare_super_address(struct nfs_server *server1,
 	}
 
 	return 1;
+
+out_unlock:
+	rcu_read_unlock();
+	return 0;
 }
 
 static int nfs_compare_userns(const struct nfs_server *old,
-- 
2.43.0

next prev parent reply	other threads:[~2026-04-19 10:01 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-19 10:01 [PATCH v2 0/2] NFS: fix RCU and tracing pointer safety Sean Chang
2026-04-19 10:01 ` [PATCH v2 1/2] NFS: remove redundant __private attribute from nfs_page_class Sean Chang
2026-04-19 13:42   ` Benjamin Coddington
2026-04-19 10:01 ` Sean Chang [this message]
2026-04-19 13:52   ` [PATCH v2 2/2] NFS: Fix RCU dereference of cl_xprt in nfs_compare_super_address Benjamin Coddington
2026-04-19 16:06     ` Sean Chang

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:7a318581f85 dfblob:c9044d9d64c )
 OR (
bs:"[PATCH v2 2/2] NFS: Fix RCU dereference of cl_xprt in nfs_compare_super_address" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260419100128.20546-3-seanwascoding@gmail.com \
    --to=seanwascoding@gmail.com \
    --cc=anna@kernel.org \
    --cc=ben.coddington@hammerspace.com \
    --cc=jlayton@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-nfs@vger.kernel.org \
    --cc=trondmy@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.