* Re: [PATCH] NFS: fix BUG() crash in notify_change() with patch to chown_common()
[not found] ` <1424699484-74025-1-git-send-email-aweits-H6Ufl4FQnQQ@public.gmane.org>
@ 2015-02-23 20:54 ` J. Bruce Fields
[not found] ` <20150223205435.GA28635-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
0 siblings, 1 reply; 7+ messages in thread
From: J. Bruce Fields @ 2015-02-23 20:54 UTC (permalink / raw)
To: Andrew Elble
Cc: linux-nfs-u79uwXL29TY76Z2rM5mHXA, etmsys-H6Ufl4FQnQQ, Al Viro,
linux-fsdevel-u79uwXL29TY76Z2rM5mHXA
Looks OK to me. I think it would go through Al.--b.
Acked-by: J. Bruce Fields <bfields-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
On Mon, Feb 23, 2015 at 08:51:24AM -0500, Andrew Elble wrote:
> We have observed a BUG() crash in fs/attr.c:notify_change(). The crash
> occurs during an rsync into a filesystem that is exported via NFS.
>
> 1.) fs/attr.c:notify_change() modifies the caller's version of attr.
> 2.) 6de0ec00ba8d ("VFS: make notify_change pass ATTR_KILL_S*ID to
> setattr operations") introduced a BUG() restriction such that "no
> function will ever call notify_change() with both ATTR_MODE and
> ATTR_KILL_S*ID set". Under some circumstances though, it will have
> assisted in setting the caller's version of attr to this very
> combination.
> 3.) 27ac0ffeac80 ("locks: break delegations on any attribute
> modification") introduced code to handle breaking
> delegations. This can result in notify_change() being re-called. attr
> _must_ be explicitly reset to avoid triggering the BUG() established
> in #2.
> 4.) The path that that triggers this is via fs/open.c:chmod_common().
> The combination of attr flags set here and in the first call to
> notify_change() along with a later failed break_deleg_wait()
> results in notify_change() being called again via retry_deleg
> without resetting attr.
>
> Solution is to move retry_deleg in chmod_common() a bit further up to
> ensure attr is completely reset.
>
> There are other places where this seemingly could occur, such as
> fs/utimes.c:utimes_common(), but the attr flags are not initially
> set in such a way to trigger this.
>
> Fixes: 27ac0ffeac80 ("locks: break delegations on any attribute modification")
> Reported-by: Eric Meddaugh <etmsys-H6Ufl4FQnQQ@public.gmane.org>
> Tested-by: Eric Meddaugh <etmsys-H6Ufl4FQnQQ@public.gmane.org>
> Signed-off-by: Andrew Elble <aweits-H6Ufl4FQnQQ@public.gmane.org>
> ---
> fs/open.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/open.c b/fs/open.c
> index 33f9cbf2610b..44a3be145bfe 100644
> --- a/fs/open.c
> +++ b/fs/open.c
> @@ -570,6 +570,7 @@ static int chown_common(struct path *path, uid_t user, gid_t group)
> uid = make_kuid(current_user_ns(), user);
> gid = make_kgid(current_user_ns(), group);
>
> +retry_deleg:
> newattrs.ia_valid = ATTR_CTIME;
> if (user != (uid_t) -1) {
> if (!uid_valid(uid))
> @@ -586,7 +587,6 @@ static int chown_common(struct path *path, uid_t user, gid_t group)
> if (!S_ISDIR(inode->i_mode))
> newattrs.ia_valid |=
> ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_KILL_PRIV;
> -retry_deleg:
> mutex_lock(&inode->i_mutex);
> error = security_path_chown(path, uid, gid);
> if (!error)
> --
> 1.9.2
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH] NFS: fix BUG() crash in notify_change() with patch to chown_common()
@ 2015-03-04 16:41 Andrew Elble
0 siblings, 0 replies; 7+ messages in thread
From: Andrew Elble @ 2015-03-04 16:41 UTC (permalink / raw)
To: linux-fsdevel; +Cc: Andrew Elble, stable
We have observed a BUG() crash in fs/attr.c:notify_change(). The crash
occurs during an rsync into a filesystem that is exported via NFS.
1.) fs/attr.c:notify_change() modifies the caller's version of attr.
2.) 6de0ec00ba8d ("VFS: make notify_change pass ATTR_KILL_S*ID to
setattr operations") introduced a BUG() restriction such that "no
function will ever call notify_change() with both ATTR_MODE and
ATTR_KILL_S*ID set". Under some circumstances though, it will have
assisted in setting the caller's version of attr to this very
combination.
3.) 27ac0ffeac80 ("locks: break delegations on any attribute
modification") introduced code to handle breaking
delegations. This can result in notify_change() being re-called. attr
_must_ be explicitly reset to avoid triggering the BUG() established
in #2.
4.) The path that that triggers this is via fs/open.c:chmod_common().
The combination of attr flags set here and in the first call to
notify_change() along with a later failed break_deleg_wait()
results in notify_change() being called again via retry_deleg
without resetting attr.
Solution is to move retry_deleg in chmod_common() a bit further up to
ensure attr is completely reset.
There are other places where this seemingly could occur, such as
fs/utimes.c:utimes_common(), but the attr flags are not initially
set in such a way to trigger this.
Fixes: 27ac0ffeac80 ("locks: break delegations on any attribute modification")
Reported-by: Eric Meddaugh <etmsys@rit.edu>
Tested-by: Eric Meddaugh <etmsys@rit.edu>
Signed-off-by: Andrew Elble <aweits@rit.edu>
Cc: stable@vger.kernel.org
Acked-by: J. Bruce Fields <bfields@redhat.com>
---
fs/open.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/open.c b/fs/open.c
index 33f9cbf2610b..44a3be145bfe 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -570,6 +570,7 @@ static int chown_common(struct path *path, uid_t user, gid_t group)
uid = make_kuid(current_user_ns(), user);
gid = make_kgid(current_user_ns(), group);
+retry_deleg:
newattrs.ia_valid = ATTR_CTIME;
if (user != (uid_t) -1) {
if (!uid_valid(uid))
@@ -586,7 +587,6 @@ static int chown_common(struct path *path, uid_t user, gid_t group)
if (!S_ISDIR(inode->i_mode))
newattrs.ia_valid |=
ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_KILL_PRIV;
-retry_deleg:
mutex_lock(&inode->i_mutex);
error = security_path_chown(path, uid, gid);
if (!error)
--
1.9.2
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] NFS: fix BUG() crash in notify_change() with patch to chown_common()
[not found] ` <20150223205435.GA28635-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
@ 2015-03-20 14:28 ` Andrew W Elble
2015-03-20 14:50 ` J. Bruce Fields
0 siblings, 1 reply; 7+ messages in thread
From: Andrew W Elble @ 2015-03-20 14:28 UTC (permalink / raw)
To: J. Bruce Fields
Cc: linux-nfs-u79uwXL29TY76Z2rM5mHXA, etmsys-H6Ufl4FQnQQ, Al Viro,
linux-fsdevel-u79uwXL29TY76Z2rM5mHXA
Any update/feedback?
"J. Bruce Fields" <bfields-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org> writes:
> Looks OK to me. I think it would go through Al.--b.
>
> Acked-by: J. Bruce Fields <bfields-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
>
> On Mon, Feb 23, 2015 at 08:51:24AM -0500, Andrew Elble wrote:
>> We have observed a BUG() crash in fs/attr.c:notify_change(). The crash
>> occurs during an rsync into a filesystem that is exported via NFS.
>>
>> 1.) fs/attr.c:notify_change() modifies the caller's version of attr.
>> 2.) 6de0ec00ba8d ("VFS: make notify_change pass ATTR_KILL_S*ID to
>> setattr operations") introduced a BUG() restriction such that "no
>> function will ever call notify_change() with both ATTR_MODE and
>> ATTR_KILL_S*ID set". Under some circumstances though, it will have
>> assisted in setting the caller's version of attr to this very
>> combination.
>> 3.) 27ac0ffeac80 ("locks: break delegations on any attribute
>> modification") introduced code to handle breaking
>> delegations. This can result in notify_change() being re-called. attr
>> _must_ be explicitly reset to avoid triggering the BUG() established
>> in #2.
>> 4.) The path that that triggers this is via fs/open.c:chmod_common().
>> The combination of attr flags set here and in the first call to
>> notify_change() along with a later failed break_deleg_wait()
>> results in notify_change() being called again via retry_deleg
>> without resetting attr.
>>
>> Solution is to move retry_deleg in chmod_common() a bit further up to
>> ensure attr is completely reset.
>>
>> There are other places where this seemingly could occur, such as
>> fs/utimes.c:utimes_common(), but the attr flags are not initially
>> set in such a way to trigger this.
>>
>> Fixes: 27ac0ffeac80 ("locks: break delegations on any attribute modification")
>> Reported-by: Eric Meddaugh <etmsys-H6Ufl4FQnQQ@public.gmane.org>
>> Tested-by: Eric Meddaugh <etmsys-H6Ufl4FQnQQ@public.gmane.org>
>> Signed-off-by: Andrew Elble <aweits-H6Ufl4FQnQQ@public.gmane.org>
>> ---
>> fs/open.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/fs/open.c b/fs/open.c
>> index 33f9cbf2610b..44a3be145bfe 100644
>> --- a/fs/open.c
>> +++ b/fs/open.c
>> @@ -570,6 +570,7 @@ static int chown_common(struct path *path, uid_t user, gid_t group)
>> uid = make_kuid(current_user_ns(), user);
>> gid = make_kgid(current_user_ns(), group);
>>
>> +retry_deleg:
>> newattrs.ia_valid = ATTR_CTIME;
>> if (user != (uid_t) -1) {
>> if (!uid_valid(uid))
>> @@ -586,7 +587,6 @@ static int chown_common(struct path *path, uid_t user, gid_t group)
>> if (!S_ISDIR(inode->i_mode))
>> newattrs.ia_valid |=
>> ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_KILL_PRIV;
>> -retry_deleg:
>> mutex_lock(&inode->i_mutex);
>> error = security_path_chown(path, uid, gid);
>> if (!error)
>> --
>> 1.9.2
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
>> the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
--
Andrew W. Elble
aweits-AzKTfQcKJ+UHTWTJ7q3cEje48wsgrGvP@public.gmane.org
Infrastructure Engineer, Communications Technical Lead
Rochester Institute of Technology
PGP: BFAD 8461 4CCF DC95 DA2C B0EB 965B 082E 863E C912
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] NFS: fix BUG() crash in notify_change() with patch to chown_common()
2015-03-20 14:28 ` Andrew W Elble
@ 2015-03-20 14:50 ` J. Bruce Fields
[not found] ` <20150320145013.GB2036-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
0 siblings, 1 reply; 7+ messages in thread
From: J. Bruce Fields @ 2015-03-20 14:50 UTC (permalink / raw)
To: Andrew W Elble; +Cc: linux-nfs, etmsys, Al Viro, linux-fsdevel
On Fri, Mar 20, 2015 at 10:28:31AM -0400, Andrew W Elble wrote:
>
> Any update/feedback?
If you haven't already: could you resend it, To: Al, and a "Cc:
stable@vger.kernel.org" line?
--b.
>
> "J. Bruce Fields" <bfields@fieldses.org> writes:
>
> > Looks OK to me. I think it would go through Al.--b.
> >
> > Acked-by: J. Bruce Fields <bfields@redhat.com>
> >
> > On Mon, Feb 23, 2015 at 08:51:24AM -0500, Andrew Elble wrote:
> >> We have observed a BUG() crash in fs/attr.c:notify_change(). The crash
> >> occurs during an rsync into a filesystem that is exported via NFS.
> >>
> >> 1.) fs/attr.c:notify_change() modifies the caller's version of attr.
> >> 2.) 6de0ec00ba8d ("VFS: make notify_change pass ATTR_KILL_S*ID to
> >> setattr operations") introduced a BUG() restriction such that "no
> >> function will ever call notify_change() with both ATTR_MODE and
> >> ATTR_KILL_S*ID set". Under some circumstances though, it will have
> >> assisted in setting the caller's version of attr to this very
> >> combination.
> >> 3.) 27ac0ffeac80 ("locks: break delegations on any attribute
> >> modification") introduced code to handle breaking
> >> delegations. This can result in notify_change() being re-called. attr
> >> _must_ be explicitly reset to avoid triggering the BUG() established
> >> in #2.
> >> 4.) The path that that triggers this is via fs/open.c:chmod_common().
> >> The combination of attr flags set here and in the first call to
> >> notify_change() along with a later failed break_deleg_wait()
> >> results in notify_change() being called again via retry_deleg
> >> without resetting attr.
> >>
> >> Solution is to move retry_deleg in chmod_common() a bit further up to
> >> ensure attr is completely reset.
> >>
> >> There are other places where this seemingly could occur, such as
> >> fs/utimes.c:utimes_common(), but the attr flags are not initially
> >> set in such a way to trigger this.
> >>
> >> Fixes: 27ac0ffeac80 ("locks: break delegations on any attribute modification")
> >> Reported-by: Eric Meddaugh <etmsys@rit.edu>
> >> Tested-by: Eric Meddaugh <etmsys@rit.edu>
> >> Signed-off-by: Andrew Elble <aweits@rit.edu>
> >> ---
> >> fs/open.c | 2 +-
> >> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/fs/open.c b/fs/open.c
> >> index 33f9cbf2610b..44a3be145bfe 100644
> >> --- a/fs/open.c
> >> +++ b/fs/open.c
> >> @@ -570,6 +570,7 @@ static int chown_common(struct path *path, uid_t user, gid_t group)
> >> uid = make_kuid(current_user_ns(), user);
> >> gid = make_kgid(current_user_ns(), group);
> >>
> >> +retry_deleg:
> >> newattrs.ia_valid = ATTR_CTIME;
> >> if (user != (uid_t) -1) {
> >> if (!uid_valid(uid))
> >> @@ -586,7 +587,6 @@ static int chown_common(struct path *path, uid_t user, gid_t group)
> >> if (!S_ISDIR(inode->i_mode))
> >> newattrs.ia_valid |=
> >> ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_KILL_PRIV;
> >> -retry_deleg:
> >> mutex_lock(&inode->i_mutex);
> >> error = security_path_chown(path, uid, gid);
> >> if (!error)
> >> --
> >> 1.9.2
> >>
> >> --
> >> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> >> the body of a message to majordomo@vger.kernel.org
> >> More majordomo info at http://vger.kernel.org/majordomo-info.html
> >
>
> --
> Andrew W. Elble
> aweits@discipline.rit.edu
> Infrastructure Engineer, Communications Technical Lead
> Rochester Institute of Technology
> PGP: BFAD 8461 4CCF DC95 DA2C B0EB 965B 082E 863E C912
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] NFS: fix BUG() crash in notify_change() with patch to chown_common()
[not found] ` <20150320145013.GB2036-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
@ 2015-03-20 14:53 ` Al Viro
2015-03-20 14:54 ` J. Bruce Fields
0 siblings, 1 reply; 7+ messages in thread
From: Al Viro @ 2015-03-20 14:53 UTC (permalink / raw)
To: J. Bruce Fields
Cc: Andrew W Elble, linux-nfs-u79uwXL29TY76Z2rM5mHXA,
etmsys-H6Ufl4FQnQQ, linux-fsdevel-u79uwXL29TY76Z2rM5mHXA
On Fri, Mar 20, 2015 at 10:50:13AM -0400, J. Bruce Fields wrote:
> On Fri, Mar 20, 2015 at 10:28:31AM -0400, Andrew W Elble wrote:
> >
> > Any update/feedback?
>
> If you haven't already: could you resend it, To: Al, and a "Cc:
> stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org" line?
It's in the local queue; will push when I reorder it tonight...
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] NFS: fix BUG() crash in notify_change() with patch to chown_common()
2015-03-20 14:53 ` Al Viro
@ 2015-03-20 14:54 ` J. Bruce Fields
2015-03-20 15:13 ` Andrew W Elble
0 siblings, 1 reply; 7+ messages in thread
From: J. Bruce Fields @ 2015-03-20 14:54 UTC (permalink / raw)
To: Al Viro; +Cc: Andrew W Elble, linux-nfs, etmsys, linux-fsdevel
On Fri, Mar 20, 2015 at 02:53:51PM +0000, Al Viro wrote:
> On Fri, Mar 20, 2015 at 10:50:13AM -0400, J. Bruce Fields wrote:
> > On Fri, Mar 20, 2015 at 10:28:31AM -0400, Andrew W Elble wrote:
> > >
> > > Any update/feedback?
> >
> > If you haven't already: could you resend it, To: Al, and a "Cc:
> > stable@vger.kernel.org" line?
>
> It's in the local queue; will push when I reorder it tonight...
Thanks!
--b.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] NFS: fix BUG() crash in notify_change() with patch to chown_common()
2015-03-20 14:54 ` J. Bruce Fields
@ 2015-03-20 15:13 ` Andrew W Elble
0 siblings, 0 replies; 7+ messages in thread
From: Andrew W Elble @ 2015-03-20 15:13 UTC (permalink / raw)
To: J. Bruce Fields; +Cc: Al Viro, linux-nfs, etmsys, linux-fsdevel
>> It's in the local queue; will push when I reorder it tonight...
>
> Thanks!
>
> --b.
>
Thank you!
--
Andrew W. Elble
aweits@discipline.rit.edu
Infrastructure Engineer, Communications Technical Lead
Rochester Institute of Technology
PGP: BFAD 8461 4CCF DC95 DA2C B0EB 965B 082E 863E C912
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2015-03-20 15:13 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <1424699484-74025-1-git-send-email-aweits@rit.edu>
[not found] ` <1424699484-74025-1-git-send-email-aweits-H6Ufl4FQnQQ@public.gmane.org>
2015-02-23 20:54 ` [PATCH] NFS: fix BUG() crash in notify_change() with patch to chown_common() J. Bruce Fields
[not found] ` <20150223205435.GA28635-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2015-03-20 14:28 ` Andrew W Elble
2015-03-20 14:50 ` J. Bruce Fields
[not found] ` <20150320145013.GB2036-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2015-03-20 14:53 ` Al Viro
2015-03-20 14:54 ` J. Bruce Fields
2015-03-20 15:13 ` Andrew W Elble
2015-03-04 16:41 Andrew Elble
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).