From: Jeff Layton <jlayton@primarydata.com>
To: bfields@fieldses.org
Cc: linux-nfs@vger.kernel.org, hch@infradead.org
Subject: [PATCH 38/40] nfsd: close potential race in nfsd4_free_stateid
Date: Mon, 21 Jul 2014 11:02:50 -0400 [thread overview]
Message-ID: <1405954972-28904-39-git-send-email-jlayton@primarydata.com> (raw)
In-Reply-To: <1405954972-28904-1-git-send-email-jlayton@primarydata.com>
Once we remove the client_mutex, it'll be possible for the sc_type of a
lock stateid to change after it's found and checked, but before we can
go to destroy it. If that happens, we can end up putting the persistent
reference to the stateid more than once, and unhash it more than once.
Fix this by unhashing the lock stateid prior to dropping the cl_lock but
after finding it.
Signed-off-by: Jeff Layton <jlayton@primarydata.com>
---
fs/nfsd/nfs4state.c | 24 +++++++++---------------
1 file changed, 9 insertions(+), 15 deletions(-)
diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index 63ee3ebea21c..181c4cc36711 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -4416,17 +4416,6 @@ unlock_state:
return status;
}
-static __be32
-nfsd4_free_lock_stateid(struct nfs4_ol_stateid *stp)
-{
- struct nfs4_lockowner *lo = lockowner(stp->st_stateowner);
-
- if (check_for_locks(stp->st_stid.sc_file, lo))
- return nfserr_locks_held;
- release_lock_stateid(stp);
- return nfs_ok;
-}
-
/*
* Test if the stateid is valid
*/
@@ -4453,6 +4442,7 @@ nfsd4_free_stateid(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
stateid_t *stateid = &free_stateid->fr_stateid;
struct nfs4_stid *s;
struct nfs4_delegation *dp;
+ struct nfs4_ol_stateid *stp;
struct nfs4_client *cl = cstate->session->se_client;
__be32 ret = nfserr_bad_stateid;
@@ -4470,12 +4460,16 @@ nfsd4_free_stateid(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
ret = check_stateid_generation(stateid, &s->sc_stateid, 1);
if (ret)
break;
- if (s->sc_type != NFS4_LOCK_STID) {
- ret = nfserr_locks_held;
+ stp = openlockstateid(s);
+ ret = nfserr_locks_held;
+ if (s->sc_type == NFS4_OPEN_STID ||
+ check_for_locks(s->sc_file,
+ lockowner(stp->st_stateowner)))
break;
- }
+ unhash_lock_stateid(stp);
spin_unlock(&cl->cl_lock);
- ret = nfsd4_free_lock_stateid(openlockstateid(s));
+ put_generic_stateid(stp);
+ ret = nfs_ok;
goto out;
case NFS4_REVOKED_DELEG_STID:
dp = delegstateid(s);
--
1.9.3
next prev parent reply other threads:[~2014-07-21 15:03 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-21 15:02 [PATCH 00/40] nfsd: stateid and stateowner refcounting overhaul Jeff Layton
2014-07-21 15:02 ` [PATCH 01/40] nfsd4: use cl_lock to synchronize all stateid idr calls Jeff Layton
2014-07-27 13:21 ` Christoph Hellwig
2014-07-21 15:02 ` [PATCH 02/40] nfsd: Add reference counting to the lock and open stateids Jeff Layton
2014-07-27 13:23 ` Christoph Hellwig
2014-07-21 15:02 ` [PATCH 03/40] nfsd: Add a struct nfs4_file field to struct nfs4_stid Jeff Layton
2014-07-27 13:24 ` Christoph Hellwig
2014-07-21 15:02 ` [PATCH 04/40] nfsd: Replace nfs4_ol_stateid->st_file with the st_stid.sc_file Jeff Layton
2014-07-27 13:25 ` Christoph Hellwig
2014-07-21 15:02 ` [PATCH 05/40] nfsd: Ensure atomicity of stateid destruction and idr tree removal Jeff Layton
2014-07-27 13:28 ` Christoph Hellwig
2014-07-21 15:02 ` [PATCH 06/40] nfsd: Cleanup the freeing of stateids Jeff Layton
2014-07-27 13:35 ` Christoph Hellwig
2014-07-21 15:02 ` [PATCH 07/40] nfsd: do filp_close in sc_free callback for lock stateids Jeff Layton
2014-07-27 13:37 ` Christoph Hellwig
2014-07-21 15:02 ` [PATCH 08/40] nfsd: Add locking to protect the state owner lists Jeff Layton
2014-07-27 13:42 ` Christoph Hellwig
2014-07-29 11:42 ` Jeff Layton
2014-07-21 15:02 ` [PATCH 09/40] nfsd: clean up races in lock stateid searching and creation Jeff Layton
2014-07-27 13:44 ` Christoph Hellwig
2014-07-21 15:02 ` [PATCH 10/40] nfsd: Slight cleanup of find_stateid() Jeff Layton
2014-07-27 13:38 ` Christoph Hellwig
2014-07-21 15:02 ` [PATCH 11/40] nfsd: ensure atomicity in nfsd4_free_stateid and nfsd4_validate_stateid Jeff Layton
2014-07-27 13:46 ` Christoph Hellwig
2014-07-21 15:02 ` [PATCH 12/40] nfsd: Add reference counting to lock stateids Jeff Layton
2014-07-21 15:02 ` [PATCH 13/40] nfsd: nfsd4_locku() must reference the lock stateid Jeff Layton
2014-07-21 15:02 ` [PATCH 14/40] nfsd: Ensure that nfs4_open_delegation() references the delegation stateid Jeff Layton
2014-07-21 15:02 ` [PATCH 15/40] nfsd: nfsd4_process_open2() must reference " Jeff Layton
2014-07-21 15:02 ` [PATCH 16/40] nfsd: nfsd4_process_open2() must reference the open stateid Jeff Layton
2014-07-21 15:02 ` [PATCH 17/40] nfsd: Prepare nfsd4_close() for open stateid referencing Jeff Layton
2014-07-21 15:02 ` [PATCH 18/40] nfsd: nfsd4_open_confirm() must reference the open stateid Jeff Layton
2014-07-21 15:02 ` [PATCH 19/40] nfsd: Add reference counting to nfs4_preprocess_confirmed_seqid_op Jeff Layton
2014-07-21 15:02 ` [PATCH 20/40] nfsd: Migrate the stateid reference into nfs4_preprocess_seqid_op Jeff Layton
2014-07-21 15:02 ` [PATCH 21/40] nfsd: Migrate the stateid reference into nfs4_lookup_stateid() Jeff Layton
2014-07-21 15:02 ` [PATCH 22/40] nfsd: Migrate the stateid reference into nfs4_find_stateid_by_type() Jeff Layton
2014-07-21 15:02 ` [PATCH 23/40] nfsd: Add reference counting to state owners Jeff Layton
2014-07-27 13:58 ` Christoph Hellwig
2014-07-21 15:02 ` [PATCH 24/40] nfsd: Add a mutex to protect the NFSv4.0 open owner replay cache Jeff Layton
2014-07-21 15:02 ` [PATCH 25/40] nfsd: Keep a reference to the open stateid for the NFSv4.0 " Jeff Layton
2014-07-27 13:59 ` Christoph Hellwig
2014-07-21 15:02 ` [PATCH 26/40] nfsd: clean up lockowner refcounting when finding them Jeff Layton
2014-07-21 15:02 ` [PATCH 27/40] nfsd: add an operation for unhashing a stateowner Jeff Layton
2014-07-21 15:02 ` [PATCH 28/40] nfsd: Make lock stateid take a reference to the lockowner Jeff Layton
2014-07-21 15:02 ` [PATCH 29/40] nfsd: clean up refcounting for lockowners Jeff Layton
2014-07-21 15:02 ` [PATCH 30/40] nfsd: make openstateids hold references to their openowners Jeff Layton
2014-07-21 15:02 ` [PATCH 31/40] nfsd: don't allow CLOSE to proceed until refcount on stateid drops Jeff Layton
2014-07-21 15:02 ` [PATCH 32/40] nfsd: Protect adding/removing open state owners using client_lock Jeff Layton
2014-07-21 15:02 ` [PATCH 33/40] nfsd: Protect adding/removing lock " Jeff Layton
2014-07-21 15:02 ` [PATCH 34/40] nfsd: Move the open owner hash table into struct nfs4_client Jeff Layton
2014-07-21 15:02 ` [PATCH 35/40] nfsd: clean up and reorganize release_lockowner Jeff Layton
2014-07-21 15:02 ` [PATCH 36/40] nfsd: add locking to stateowner release Jeff Layton
2014-07-21 15:02 ` [PATCH 37/40] nfsd: optimize destroy_lockowner cl_lock thrashing Jeff Layton
2014-07-21 15:02 ` Jeff Layton [this message]
2014-07-21 15:02 ` [PATCH 39/40] nfsd: reduce cl_lock thrashing in release_openowner Jeff Layton
2014-07-21 15:02 ` [PATCH 40/40] nfsd: don't thrash the cl_lock while freeing an open stateid Jeff Layton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1405954972-28904-39-git-send-email-jlayton@primarydata.com \
--to=jlayton@primarydata.com \
--cc=bfields@fieldses.org \
--cc=hch@infradead.org \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).