From: Christoph Hellwig <hch@lst.de>
To: Trond Myklebust <trondmy@kernel.org>, Anna Schumaker <anna@kernel.org>
Cc: linux-nfs@vger.kernel.org
Subject: [PATCH 19/24] NFS: use refcount_inc_not_zero nfs_start_delegation_return
Date: Thu, 18 Dec 2025 06:56:23 +0100
Message-ID: <20251218055633.1532159-20-hch@lst.de>
In-Reply-To: <20251218055633.1532159-1-hch@lst.de>
Using the unconditional reference increment means we can take a
reference to a delegation already in the RCU grace period, which could
cause a use after free under very unlikely conditions. Switch to use
refcount_inc_not_zero instead.
Signed-off-by: Christoph Hellwig <hch@lst.de>
---
fs/nfs/delegation.c | 22 ++++++++++------------
1 file changed, 10 insertions(+), 12 deletions(-)
diff --git a/fs/nfs/delegation.c b/fs/nfs/delegation.c
index 5fb48a140169..5d9dba7ab430 100644
--- a/fs/nfs/delegation.c
+++ b/fs/nfs/delegation.c
@@ -60,12 +60,6 @@ static void nfs_mark_delegation_revoked(struct nfs_server *server,
}
}
-static struct nfs_delegation *nfs_get_delegation(struct nfs_delegation *delegation)
-{
- refcount_inc(&delegation->refcount);
- return delegation;
-}
-
void nfs_put_delegation(struct nfs_delegation *delegation)
{
if (refcount_dec_and_test(&delegation->refcount))
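Review bot: removing the static nfs_get_delegation() helper outright is only safe if nfs_start_delegation_return() was its last remaining caller in fs/nfs/delegation.c; the single-file diffstat (10 insertions, 12 deletions) is consistent with that, but the commit message should state it, since the reader otherwise has to infer from the absence of a build break that no other caller was silently left taking unconditional references.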
@@ -312,25 +306,29 @@ static struct inode *nfs_delegation_grab_inode(struct nfs_delegation *delegation
static struct nfs_delegation *
nfs_start_delegation_return(struct nfs_inode *nfsi)
{
- struct nfs_delegation *ret = NULL;
struct nfs_delegation *delegation;
+ bool return_now = false;
lockdep_assert_in_rcu_read_lock();
delegation = rcu_dereference(nfsi->delegation);
- if (!delegation)
+ if (!delegation || !refcount_inc_not_zero(&delegation->refcount))
return NULL;
spin_lock(&delegation->lock);
if (delegation->inode &&
!test_and_set_bit(NFS_DELEGATION_RETURNING, &delegation->flags)) {
clear_bit(NFS_DELEGATION_RETURN_DELAYED, &delegation->flags);
- ret = nfs_get_delegation(delegation);
+ return_now = true;
}
spin_unlock(&delegation->lock);
- if (ret)
- nfs_clear_verifier_delegated(&nfsi->vfs_inode);
- return ret;
+
+ if (!return_now) {
+ nfs_put_delegation(delegation);
+ return NULL;
+ }
+ nfs_clear_verifier_delegated(&nfsi->vfs_inode);
+ return delegation;
}
static void nfs_abort_delegation_return(struct nfs_delegation *delegation,
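Review bot: the refcount_inc_not_zero() check at the top of nfs_start_delegation_return() only closes the use-after-free if a delegation is freed no earlier than the end of an RCU grace period, so that the rcu_dereference()'d pointer still refers to a valid object when its refcount is read; the commit message hints at this ("already in the RCU grace period") but should spell out that freeing rule, because the pattern is unsound without it. The reference accounting in the new shape is balanced: the reference taken by refcount_inc_not_zero() is dropped via nfs_put_delegation() on the `if (!return_now)` path and otherwise handed to the caller, which matches the old `ret = nfs_get_delegation(delegation)` / `return ret` pairing, and the early `return NULL` when the increment fails correctly skips spin_lock(&delegation->lock) on an object that may be about to be freed.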
--
2.47.3
2025-12-18 5:56 add a LRU for delegations Christoph Hellwig
2025-12-18 5:56 ` [PATCH 01/24] NFS: remove __nfs_client_for_each_server Christoph Hellwig
2025-12-18 5:56 ` [PATCH 02/24] NFS: remove nfs_client_mark_return_unused_delegation_types Christoph Hellwig
2025-12-18 5:56 ` [PATCH 03/24] NFS: remove nfs_client_mark_return_all_delegations Christoph Hellwig
2025-12-18 5:56 ` [PATCH 04/24] NFS: remove the NULL inode check in nfs4_inode_return_delegation_on_close Christoph Hellwig
2025-12-18 5:56 ` [PATCH 05/24] NFS: remove nfs_inode_detach_delegation Christoph Hellwig
2025-12-18 5:56 ` [PATCH 06/24] NFS: remove nfs_start_delegation_return Christoph Hellwig
2025-12-18 5:56 ` [PATCH 07/24] NFS: assert rcu_read_lock is held in nfs_start_delegation_return_locked Christoph Hellwig
2025-12-18 5:56 ` [PATCH 08/24] NFS: drop the _locked postfix from nfs_start_delegation_return Christoph Hellwig
2025-12-18 5:56 ` [PATCH 09/24] NFS: remove NFS_DELEGATION_INODE_FREEING Christoph Hellwig
2025-12-18 5:56 ` [PATCH 10/24] NFS: open code nfs_delegation_need_return Christoph Hellwig
2025-12-18 5:56 ` [PATCH 11/24] NFS: remove nfs_free_delegation Christoph Hellwig
2025-12-18 5:56 ` [PATCH 12/24] NFS: rewrite nfs_delegations_present in terms of nr_active_delegations Christoph Hellwig
2025-12-18 5:56 ` [PATCH 13/24] NFS: move delegation lookup into can_open_delegated Christoph Hellwig
2025-12-18 5:56 ` [PATCH 14/24] NFS: return bool from nfs_detach_delegation{,_locked} Christoph Hellwig
2025-12-18 5:56 ` [PATCH 15/24] NFS: move the deleg_cur check out of nfs_detach_delegation_locked Christoph Hellwig
2025-12-18 5:56 ` [PATCH 16/24] NFS: simplify the detached delegation check in update_open_stateid Christoph Hellwig
2025-12-18 5:56 ` [PATCH 17/24] NFS: take a delegation reference in nfs4_get_valid_delegation Christoph Hellwig
2025-12-18 5:56 ` [PATCH 18/24] NFS: don't consume a delegation reference in nfs_end_delegation_return Christoph Hellwig
2025-12-18 5:56 ` Christoph Hellwig [this message]
2025-12-18 5:56 ` [PATCH 20/24] NFS: use a local RCU critical section in nfs_start_delegation_return Christoph Hellwig
2025-12-18 5:56 ` [PATCH 21/24] NFS: reformat nfs_mark_delegation_revoked Christoph Hellwig
2025-12-18 5:56 ` [PATCH 22/24] NFS: add a separate delegation return list Christoph Hellwig
2025-12-18 5:56 ` [PATCH 23/24] NFS: return delegations from the end of a LRU when over the watermark Christoph Hellwig
2025-12-18 22:02 ` Anna Schumaker
2025-12-19 5:21 ` Christoph Hellwig
2025-12-19 11:14 ` Christoph Hellwig
2025-12-19 14:29 ` Anna Schumaker
2025-12-18 5:56 ` [PATCH 24/24] NFS: make nfs_mark_return_unreferenced_delegations less aggressive Christoph Hellwig
-- strict thread matches above, loose matches on Subject: below --
2026-01-07 7:26 add a LRU for delegations Christoph Hellwig
2026-01-07 7:27 ` [PATCH 19/24] NFS: use refcount_inc_not_zero nfs_start_delegation_return Christoph Hellwig