[PATCH 03/19] nfsd: add missing read barrier to rpc_status_get dumpit seqcount retry

Netdev List
 help / color / mirror / Atom feed

From: Jeff Layton <jlayton@kernel.org>
To: Trond Myklebust <trondmy@kernel.org>,
	Anna Schumaker <anna@kernel.org>,
	 Chuck Lever <chuck.lever@oracle.com>,
	NeilBrown <neil@brown.name>,
	 Olga Kornievskaia <okorniev@redhat.com>,
	Dai Ngo <Dai.Ngo@oracle.com>,  Tom Talpey <tom@talpey.com>,
	"David S. Miller" <davem@davemloft.net>,
	 Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>,
	 Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,
	 Christian Brauner <brauner@kernel.org>,
	 Benjamin Coddington <bcodding@redhat.com>,
	 Donald Hunter <donald.hunter@gmail.com>,
	 Lorenzo Bianconi <lorenzo@kernel.org>,
	Qi Zheng <qi.zheng@linux.dev>,
	 Andrew Morton <akpm@linux-foundation.org>,
	 Muchun Song <muchun.song@linux.dev>
Cc: linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org,
	 netdev@vger.kernel.org, Jeff Layton <jlayton@kernel.org>
Subject: [PATCH 03/19] nfsd: add missing read barrier to rpc_status_get dumpit seqcount retry
Date: Tue, 09 Jun 2026 13:47:24 -0400	[thread overview]
Message-ID: <20260609-nfsd-testing-v1-3-e83acead2ae8@kernel.org> (raw)
In-Reply-To: <20260609-nfsd-testing-v1-0-e83acead2ae8@kernel.org>

The hand-rolled seqcount-like protocol in nfsd_nl_rpc_status_get_dumpit()
is missing a read memory barrier (smp_rmb) before its second counter
check.  The standard kernel read_seqcount_retry() includes smp_rmb()
to ensure that all data reads complete before the counter is re-checked.

Without this barrier, on weakly-ordered architectures (ARM, POWER),
the CPU may reorder field reads past the second counter check, making
the retry logic ineffective: it could observe a consistent counter pair
while reading fields that have been concurrently modified by the writer.

Add smp_rmb() before the second smp_load_acquire() to match the
barrier semantics of the standard seqcount read-side.

Fixes: ac18892ea3f7 ("NFSD: add rpc_status netlink support")
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Jeff Layton <jlayton@kernel.org>
---
 fs/nfsd/nfsctl.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c
index c06d25c06f06..a4b5b1467fe2 100644
--- a/fs/nfsd/nfsctl.c
+++ b/fs/nfsd/nfsctl.c
@@ -1576,9 +1576,11 @@ int nfsd_nl_rpc_status_get_dumpit(struct sk_buff *skb,
 #endif /* CONFIG_NFSD_V4 */
 
 			/*
-			 * Acquire rq_status_counter before reporting the rqst
-			 * fields to the user.
+			 * Ensure all field reads complete before re-checking
+			 * the status counter. Pairs with the smp_store_release
+			 * in nfsd_dispatch to form a seq-lock like protocol.
 			 */
+			smp_rmb();
 			if (smp_load_acquire(&rqstp->rq_status_counter) !=
 			    status_counter)
 				continue;

-- 
2.54.0

next prev parent reply	other threads:[~2026-06-09 17:47 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-09 17:47 [PATCH 00/19] nfsd: more bugfixes Jeff Layton
2026-06-09 17:47 ` [PATCH 01/19] nfs/localio: fix nfsd_file ref leak on nfs_local_doio() init failure Jeff Layton
2026-06-09 17:47 ` [PATCH 02/19] nfsd: clear opcnt on compound arg release to prevent OOB read Jeff Layton
2026-06-09 17:47 ` Jeff Layton [this message]
2026-06-09 17:47 ` [PATCH 04/19] nfsd: fix netlink dumpit error handling for rpc_status_get Jeff Layton
2026-06-09 17:47 ` [PATCH 05/19] sunrpc: defer rq_argp and rq_resp free until after RCU grace period Jeff Layton
2026-06-09 17:47 ` [PATCH 06/19] nfsd: check nfsd4_acl_to_attr() return value in nfsd4_create() Jeff Layton
2026-06-09 17:47 ` [PATCH 07/19] nfsd: add filehandle match check to nfsd4_delegreturn() Jeff Layton
2026-06-09 17:47 ` [PATCH 08/19] nfsd: validate nseconds in TIME_DELEG decode paths Jeff Layton
2026-06-09 17:47 ` [PATCH 09/19] nfsd: remove premature NFS4_OO_CONFIRMED in CLAIM_PREVIOUS path Jeff Layton
2026-06-09 17:47 ` [PATCH 10/19] nfsd: fix version mismatch loops in nfsd_acl_init_request() Jeff Layton
2026-06-09 17:47 ` [PATCH 11/19] nfsd: fix FL_SLEEP being set unconditionally for all LOCK types Jeff Layton
2026-06-09 17:47 ` [PATCH 12/19] nfsd: add fh_want_write() for early-verified SETATTR in nfsd_proc_setattr() Jeff Layton
2026-06-09 17:47 ` [PATCH 13/19] nfsd: fix clock domain mismatch in clients_still_reclaiming() Jeff Layton
2026-06-09 17:47 ` [PATCH 14/19] nfsd: use test_and_clear_bit for somebody_reclaimed to prevent lost update Jeff Layton
2026-06-09 17:47 ` [PATCH 15/19] nfsd: reject reclaim LOCK after RECLAIM_COMPLETE Jeff Layton
2026-06-09 17:47 ` [PATCH 16/19] nfsd: validate sockaddr length per family in listener_set Jeff Layton
2026-06-09 17:47 ` [PATCH 17/19] lockd, nfsd: RCU-protect nlmsvc_ops dispatch Jeff Layton
2026-06-09 17:47 ` [PATCH 18/19] nfsd: move nfsd_debugfs_init() after nfsd4_init_slabs() in init_nfsd() Jeff Layton
2026-06-09 17:47 ` [PATCH 19/19] nfsd: initialize DRC hash table before registering shrinker Jeff Layton

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:c06d25c06f0 dfblob:a4b5b1467fe )
 OR (
bs:"[PATCH 03/19] nfsd: add missing read barrier to rpc_status_get dumpit seqcount retry" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260609-nfsd-testing-v1-3-e83acead2ae8@kernel.org \
    --to=jlayton@kernel.org \
    --cc=Dai.Ngo@oracle.com \
    --cc=akpm@linux-foundation.org \
    --cc=anna@kernel.org \
    --cc=bcodding@redhat.com \
    --cc=brauner@kernel.org \
    --cc=chuck.lever@oracle.com \
    --cc=davem@davemloft.net \
    --cc=donald.hunter@gmail.com \
    --cc=edumazet@google.com \
    --cc=horms@kernel.org \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-nfs@vger.kernel.org \
    --cc=lorenzo@kernel.org \
    --cc=muchun.song@linux.dev \
    --cc=neil@brown.name \
    --cc=netdev@vger.kernel.org \
    --cc=okorniev@redhat.com \
    --cc=pabeni@redhat.com \
    --cc=qi.zheng@linux.dev \
    --cc=tom@talpey.com \
    --cc=trondmy@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox