From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Harshula Jayasuriya <harshula@redhat.com>,
"J. Bruce Fields" <bfields@redhat.com>
Subject: [ 54/99] nfsd: nfsd_open: when dentry_open returns an error do not propagate as struct file
Date: Fri, 2 Aug 2013 18:08:07 +0800 [thread overview]
Message-ID: <20130802100233.573049076@linuxfoundation.org> (raw)
In-Reply-To: <20130802100225.478715166@linuxfoundation.org>
3.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harshula Jayasuriya <harshula@redhat.com>
commit e4daf1ffbe6cc3b12aab4d604e627829e93e9914 upstream.
The following call chain:
------------------------------------------------------------
nfs4_get_vfs_file
- nfsd_open
- dentry_open
- do_dentry_open
- __get_file_write_access
- get_write_access
- return atomic_inc_unless_negative(&inode->i_writecount) ? 0 : -ETXTBSY;
------------------------------------------------------------
can result in the following state:
------------------------------------------------------------
struct nfs4_file {
...
fi_fds = {0xffff880c1fa65c80, 0xffffffffffffffe6, 0x0},
fi_access = {{
counter = 0x1
}, {
counter = 0x0
}},
...
------------------------------------------------------------
1) First time around, in nfs4_get_vfs_file() fp->fi_fds[O_WRONLY] is
NULL, hence nfsd_open() is called where we get status set to an error
and fp->fi_fds[O_WRONLY] to -ETXTBSY. Thus we do not reach
nfs4_file_get_access() and fi_access[O_WRONLY] is not incremented.
2) Second time around, in nfs4_get_vfs_file() fp->fi_fds[O_WRONLY] is
NOT NULL (-ETXTBSY), so nfsd_open() is NOT called, but
nfs4_file_get_access() IS called and fi_access[O_WRONLY] is incremented.
Thus we leave a landmine in the form of the nfs4_file data structure in
an incorrect state.
3) Eventually, when __nfs4_file_put_access() is called it finds
fi_access[O_WRONLY] being non-zero, it decrements it and calls
nfs4_file_put_fd() which tries to fput -ETXTBSY.
------------------------------------------------------------
...
[exception RIP: fput+0x9]
RIP: ffffffff81177fa9 RSP: ffff88062e365c90 RFLAGS: 00010282
RAX: ffff880c2b3d99cc RBX: ffff880c2b3d9978 RCX: 0000000000000002
RDX: dead000000100101 RSI: 0000000000000001 RDI: ffffffffffffffe6
RBP: ffff88062e365c90 R8: ffff88041fe797d8 R9: ffff88062e365d58
R10: 0000000000000008 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000000007 R14: 0000000000000000 R15: 0000000000000000
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#9 [ffff88062e365c98] __nfs4_file_put_access at ffffffffa0562334 [nfsd]
#10 [ffff88062e365cc8] nfs4_file_put_access at ffffffffa05623ab [nfsd]
#11 [ffff88062e365ce8] free_generic_stateid at ffffffffa056634d [nfsd]
#12 [ffff88062e365d18] release_open_stateid at ffffffffa0566e4b [nfsd]
#13 [ffff88062e365d38] nfsd4_close at ffffffffa0567401 [nfsd]
#14 [ffff88062e365d88] nfsd4_proc_compound at ffffffffa0557f28 [nfsd]
#15 [ffff88062e365dd8] nfsd_dispatch at ffffffffa054543e [nfsd]
#16 [ffff88062e365e18] svc_process_common at ffffffffa04ba5a4 [sunrpc]
#17 [ffff88062e365e98] svc_process at ffffffffa04babe0 [sunrpc]
#18 [ffff88062e365eb8] nfsd at ffffffffa0545b62 [nfsd]
#19 [ffff88062e365ee8] kthread at ffffffff81090886
#20 [ffff88062e365f48] kernel_thread at ffffffff8100c14a
------------------------------------------------------------
Signed-off-by: Harshula Jayasuriya <harshula@redhat.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/vfs.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -802,9 +802,10 @@ nfsd_open(struct svc_rqst *rqstp, struct
flags = O_WRONLY|O_LARGEFILE;
}
*filp = dentry_open(&path, flags, current_cred());
- if (IS_ERR(*filp))
+ if (IS_ERR(*filp)) {
host_err = PTR_ERR(*filp);
- else {
+ *filp = NULL;
+ } else {
host_err = ima_file_check(*filp, may_flags);
if (may_flags & NFSD_MAY_64BIT_COOKIE)
next prev parent reply other threads:[~2013-08-02 10:10 UTC|newest]
Thread overview: 105+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-02 10:07 [ 00/99] 3.10.5-stable review Greg Kroah-Hartman
2013-08-02 10:07 ` [ 01/99] mm: fix the TLB range flushed when __tlb_remove_page() runs out of slots Greg Kroah-Hartman
2013-08-02 10:07 ` [ 02/99] iser-target: Fix isert_put_reject payload buffer post Greg Kroah-Hartman
2013-08-02 10:07 ` [ 03/99] iscsi-target: Fix tfc_tpg_nacl_auth_cit configfs length overflow Greg Kroah-Hartman
2013-08-02 10:07 ` [ 04/99] iser-target: Fix session reset bug with RDMA_CM_EVENT_DISCONNECTED Greg Kroah-Hartman
2013-08-02 10:07 ` [ 05/99] iscsi-target: Fix ISCSI_OP_SCSI_TMFUNC handling for iser Greg Kroah-Hartman
2013-08-02 10:07 ` [ 06/99] USB: storage: Add MicroVault Flash Drive to unusual_devs Greg Kroah-Hartman
2013-08-02 10:07 ` [ 07/99] ALSA: hda - Yet another Dell headset mic quirk Greg Kroah-Hartman
2013-08-02 10:07 ` [ 08/99] ALSA: hda - Guess what, its two more Dell headset mic quirks Greg Kroah-Hartman
2013-08-02 10:07 ` [ 09/99] firewire: fix libdc1394/FlyCap2 iso event regression Greg Kroah-Hartman
2013-08-02 10:07 ` [ 10/99] ASoC: sglt5000: Fix the default value of CHIP_SSS_CTRL Greg Kroah-Hartman
2013-08-02 10:07 ` [ 11/99] ASoC: max98088 - fix element type of the register cache Greg Kroah-Hartman
2013-08-02 10:07 ` [ 12/99] ASoC: tegra: correct playback_dma_data setup Greg Kroah-Hartman
2013-08-02 10:07 ` [ 13/99] ASoC: wm8962: Remove remaining direct register cache accesses Greg Kroah-Hartman
2013-08-02 10:07 ` [ 14/99] ARM: 7722/1: zImage: Convert 32bits memory size and address from ATAG to 64bits DTB Greg Kroah-Hartman
2013-08-02 10:07 ` [ 15/99] SCSI: isci: Fix a race condition in the SSP task management path Greg Kroah-Hartman
2013-08-02 10:07 ` [ 16/99] SCSI: sd: fix crash when UA received on DIF enabled device Greg Kroah-Hartman
2013-08-02 10:07 ` [ 17/99] SCSI: qla2xxx: Properly set the tagging for commands Greg Kroah-Hartman
2013-08-02 10:07 ` [ 18/99] tracing: Fix error handling to ensure instances can always be removed Greg Kroah-Hartman
2013-08-02 10:07 ` [ 19/99] tracing: Miscellaneous fixes for trace_array ref counting Greg Kroah-Hartman
2013-08-02 10:07 ` [ 20/99] tracing: Kill the unbalanced tr->ref++ in tracing_buffers_open() Greg Kroah-Hartman
2013-08-02 10:07 ` [ 21/99] tracing: Remove locking trace_types_lock from tracing_reset_all_online_cpus() Greg Kroah-Hartman
2013-08-02 10:07 ` [ 22/99] usb: host: xhci: Enable XHCI_SPURIOUS_SUCCESS for all controllers with xhci 1.0 Greg Kroah-Hartman
2013-08-02 10:07 ` [ 23/99] xhci: fix null pointer dereference on ring_doorbell_for_active_rings Greg Kroah-Hartman
2013-08-02 10:07 ` [ 24/99] xhci: Avoid NULL pointer deref when host dies Greg Kroah-Hartman
2013-08-02 10:07 ` [ 25/99] USB: EHCI: Fix resume signalling on remote wakeup Greg Kroah-Hartman
2013-08-02 10:07 ` [ 26/99] USB: mos7840: fix memory leak in open Greg Kroah-Hartman
2013-08-02 10:07 ` [ 27/99] usb: dwc3: fix the error returned with usb3_phy failure Greg Kroah-Hartman
2013-08-02 10:07 ` [ 28/99] usb: dwc3: fix wrong bit mask in dwc3_event_type Greg Kroah-Hartman
2013-08-02 10:07 ` [ 29/99] usb: dwc3: gadget: dont prevent gadget from being probed if we fail Greg Kroah-Hartman
2013-08-02 10:07 ` [ 30/99] USB: ti_usb_3410_5052: fix dynamic-id matching Greg Kroah-Hartman
2013-08-02 10:07 ` [ 31/99] USB: misc: Add Manhattan Hi-Speed USB DVI Converter to sisusbvga Greg Kroah-Hartman
2013-08-02 10:07 ` [ 32/99] usb: Clear both buffers when clearing a control transfer TT buffer Greg Kroah-Hartman
2013-08-02 10:07 ` [ 33/99] USB: global suspend and remote wakeup dont mix Greg Kroah-Hartman
2013-08-02 10:07 ` [ 34/99] staging: comedi: fix a race between do_cmd_ioctl() and read/write Greg Kroah-Hartman
2013-08-02 10:07 ` [ 35/99] staging: comedi: COMEDI_CANCEL ioctl should wake up read/write Greg Kroah-Hartman
2013-08-02 10:07 ` [ 36/99] staging: android: logger: Correct write offset reset on error Greg Kroah-Hartman
2013-08-02 10:07 ` [ 37/99] cpufreq / intel_pstate: Change to scale off of max P-state Greg Kroah-Hartman
2013-08-02 10:07 ` [ 38/99] Btrfs: fix wrong write offset when replacing a device Greg Kroah-Hartman
2013-08-02 10:07 ` [ 39/99] Btrfs: fix lock leak when resuming snapshot deletion Greg Kroah-Hartman
2013-08-02 10:07 ` [ 40/99] Btrfs: re-add root to dead root list if we stop dropping it Greg Kroah-Hartman
2013-08-02 10:07 ` [ 41/99] xen-netfront: pull on receive skb may need to happen earlier Greg Kroah-Hartman
2013-08-02 10:07 ` [ 42/99] xen/blkback: Check device permissions before allowing OP_DISCARD Greg Kroah-Hartman
2013-08-02 10:07 ` [ 43/99] x86, suspend: Handle CPUs which fail to #GP on RDMSR Greg Kroah-Hartman
2013-08-02 10:07 ` [ 44/99] x86: make sure IDT is page aligned Greg Kroah-Hartman
2013-08-02 10:07 ` [ 45/99] md: Remove recent change which allows devices to skip recovery Greg Kroah-Hartman
2013-08-02 10:07 ` [ 46/99] md/raid1: fix bio handling problems in process_checks() Greg Kroah-Hartman
2013-08-02 10:08 ` [ 47/99] md/raid5: fix interaction of replace and recovery Greg Kroah-Hartman
2013-08-02 10:08 ` [ 48/99] md/raid10: remove use-after-free bug Greg Kroah-Hartman
2013-08-02 10:08 ` [ 49/99] ata: Fix DVD not dectected at some platform with Wellsburg PCH Greg Kroah-Hartman
2013-08-02 10:08 ` [ 50/99] libata: make it clear that sata_inic162x is experimental Greg Kroah-Hartman
2013-08-02 10:08 ` [ 51/99] svcrdma: underflow issue in decode_write_list() Greg Kroah-Hartman
2013-08-02 10:08 ` [ 52/99] crypto: caam - Fixed the memory out of bound overwrite issue Greg Kroah-Hartman
2013-08-02 10:08 ` [ 53/99] powerpc/modules: Module CRC relocation fix causes perf issues Greg Kroah-Hartman
2013-08-02 10:08 ` Greg Kroah-Hartman [this message]
2013-08-02 10:08 ` [ 55/99] Tools: hv: KVP: Fix a bug in IPV6 subnet enumeration Greg Kroah-Hartman
2013-08-02 10:08 ` [ 56/99] Drivers: hv: balloon: Fix a bug in the hot-add code Greg Kroah-Hartman
2013-08-02 10:08 ` [ 57/99] Drivers: hv: balloon: Do not post pressure status if interrupted Greg Kroah-Hartman
2013-08-02 10:08 ` [ 58/99] regmap: cache: bail in regmap_async_complete() for bus-less maps Greg Kroah-Hartman
2013-08-02 10:08 ` [ 59/99] ACPI / scan: Always call acpi_bus_scan() for bus check notifications Greg Kroah-Hartman
2013-08-02 10:08 ` [ 60/99] ACPI / scan: Do not try to attach scan handlers to devices having them Greg Kroah-Hartman
2013-08-02 10:08 ` [ 61/99] ACPI / memhotplug: Fix a stale pointer in error path Greg Kroah-Hartman
2013-08-02 10:08 ` [ 62/99] ACPI / video: ignore BIOS initial backlight value for Fujitsu E753 Greg Kroah-Hartman
2013-08-02 10:08 ` [ 63/99] dm mpath: fix ioctl deadlock when no paths Greg Kroah-Hartman
2013-08-02 10:08 ` [ 64/99] dm ioctl: set noio flag to avoid __vmalloc deadlock Greg Kroah-Hartman
2013-08-02 10:08 ` [ 65/99] dm verity: fix inability to use a few specific devices sizes Greg Kroah-Hartman
2013-08-02 10:08 ` [ 66/99] drm/radeon/hdmi: make sure we have an afmt block assigned Greg Kroah-Hartman
2013-08-02 10:08 ` [ 67/99] drm/radeon: fix UVD fence emit Greg Kroah-Hartman
2013-08-02 10:08 ` [ 68/99] drm/radeon: allow selection of alignment in the sub-allocator Greg Kroah-Hartman
2013-08-02 10:08 ` [ 69/99] drm/radeon: fix endian issues with DP handling (v3) Greg Kroah-Hartman
2013-08-02 10:08 ` [ 70/99] drm/radeon: Another card with wrong primary dac adj Greg Kroah-Hartman
2013-08-02 10:08 ` [ 71/99] drm/radeon: fix combios tables on older cards Greg Kroah-Hartman
2013-08-02 10:08 ` [ 72/99] drm/radeon: improve dac adjust heuristics for legacy pdac Greg Kroah-Hartman
2013-08-02 10:08 ` [ 73/99] drm/i915: fix up ring cleanup for the i830/i845 CS tlb w/a Greg Kroah-Hartman
2013-08-02 10:08 ` [ 74/99] drm/i915: Fix write-read race with multiple rings Greg Kroah-Hartman
2013-08-02 10:08 ` [ 75/99] Partially revert "drm/i915: unconditionally use mt forcewake on hsw/ivb" Greg Kroah-Hartman
2013-08-02 10:08 ` [ 76/99] drm/i915: Fix incoherence with fence updates on Sandybridge+ Greg Kroah-Hartman
2013-08-02 10:08 ` [ 77/99] drm/i915: fix long-standing SNB regression in power consumption after resume v2 Greg Kroah-Hartman
2013-08-02 10:08 ` [ 78/99] drm/i915: Fix dereferencing invalid connectors in is_crtc_connector_off() Greg Kroah-Hartman
2013-08-02 10:08 ` [ 79/99] drm/i915: correctly restore fences with objects attached Greg Kroah-Hartman
2013-08-02 10:08 ` [ 80/99] drm/i915: quirk no PCH_PWM_ENABLE for Dell XPS13 backlight Greg Kroah-Hartman
2013-08-02 10:08 ` [ 81/99] drm/i915: Serialize almost all register access Greg Kroah-Hartman
2013-08-02 10:08 ` [ 82/99] drm/i915: fix up gt init sequence fallout Greg Kroah-Hartman
2013-08-02 10:08 ` [ 83/99] drm/i915: fix missed hunk after GT access breakage Greg Kroah-Hartman
2013-08-02 10:08 ` [ 84/99] drm/nouveau: fix semaphore dmabuf obj Greg Kroah-Hartman
2013-08-02 10:08 ` [ 85/99] drm/radeon: fix audio dto programming on DCE4+ Greg Kroah-Hartman
2013-08-02 10:08 ` [ 86/99] drm/radeon/atom: initialize more atom interpretor elements to 0 Greg Kroah-Hartman
2013-08-02 10:08 ` [ 87/99] rtlwifi: Initialize power-setting callback for USB devices Greg Kroah-Hartman
2013-08-02 10:08 ` [ 88/99] USB: serial: ftdi_sio: add more RT Systems ftdi devices Greg Kroah-Hartman
2013-08-02 10:08 ` [ 89/99] usb: gadget: udc-core: fix the typo of udc state attribute Greg Kroah-Hartman
2013-08-02 10:08 ` [ 90/99] mm: mempolicy: fix mbind_range() && vma_adjust() interaction Greg Kroah-Hartman
2013-08-02 10:08 ` [ 91/99] tty_port: Fix refcounting leak in tty_port_tty_hangup() Greg Kroah-Hartman
2013-08-02 10:08 ` [ 92/99] livelock avoidance in sget() Greg Kroah-Hartman
2013-08-02 10:08 ` [ 93/99] xen/evtchn: avoid a deadlock when unbinding an event channel Greg Kroah-Hartman
2013-08-02 10:08 ` [ 94/99] radeon kms: do not flush uninitialized hotplug work Greg Kroah-Hartman
2013-08-02 10:08 ` [ 95/99] iscsi-target: Fix iscsit_add_reject* usage for iser Greg Kroah-Hartman
2013-08-02 10:08 ` [ 96/99] iscsi-target: Fix iscsit_sequence_cmd reject handling " Greg Kroah-Hartman
2013-08-02 10:08 ` [ 97/99] perf tools: Revert regression in configuration of Python support Greg Kroah-Hartman
2013-08-02 10:08 ` [ 98/99] drm/i915: Correct obj->mm_list link to dev_priv->dev_priv->mm.inactive_list Greg Kroah-Hartman
2013-08-02 10:08 ` [ 99/99] x86: Fix /proc/mtrr with base/size more than 44bits Greg Kroah-Hartman
2013-08-02 19:57 ` [ 00/99] 3.10.5-stable review Shuah Khan
2013-08-02 21:24 ` Greg Kroah-Hartman
2013-08-02 22:05 ` Willy Tarreau
2013-08-03 14:02 ` Guenter Roeck
2013-08-03 23:03 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130802100233.573049076@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=bfields@redhat.com \
--cc=harshula@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox