* [PATCH] NFSv4: Fix a pNFS layout related use-after-free race when freeing the inode
From: trondmy @ 2020-11-25 18:52 UTC (permalink / raw)
To: linux-nfs
From: Trond Myklebust <trond.myklebust@hammerspace.com>
When returning the layout in nfs4_evict_inode(), we need to ensure that
the layout is actually done being freed before we can proceed to free the
inode itself.
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
---
fs/nfs/nfs4super.c | 2 +-
fs/nfs/pnfs.c | 22 ++++++++++++++++++++--
fs/nfs/pnfs.h | 1 +
3 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/fs/nfs/nfs4super.c b/fs/nfs/nfs4super.c
index 93f5c1678ec2..984cc42ee54d 100644
--- a/fs/nfs/nfs4super.c
+++ b/fs/nfs/nfs4super.c
@@ -67,7 +67,7 @@ static void nfs4_evict_inode(struct inode *inode)
nfs_inode_evict_delegation(inode);
/* Note that above delegreturn would trigger pnfs return-on-close */
pnfs_return_layout(inode);
- pnfs_destroy_layout(NFS_I(inode));
+ pnfs_destroy_layout_final(NFS_I(inode));
/* First call standard NFS clear_inode() code */
nfs_clear_inode(inode);
nfs4_xattr_cache_zap(inode);
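Review bot: the replaced call in nfs4_evict_inode() makes eviction a blocking step, because pnfs_destroy_layout_final() sleeps in wait_var_event() with no timeout until nfsi->layout no longer points at the header. The commit message should say which holders of a layout header reference can still be outstanding at this point and why each one is guaranteed to drop it, since a reference that is never put now stalls inode eviction rather than being silently ignored.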
diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
index 0e50b9d45c32..b4cc2059a5ba 100644
--- a/fs/nfs/pnfs.c
+++ b/fs/nfs/pnfs.c
@@ -294,6 +294,7 @@ void
pnfs_put_layout_hdr(struct pnfs_layout_hdr *lo)
{
struct inode *inode;
+ unsigned long i_state;
if (!lo)
return;
@@ -304,8 +305,12 @@ pnfs_put_layout_hdr(struct pnfs_layout_hdr *lo)
if (!list_empty(&lo->plh_segs))
WARN_ONCE(1, "NFS: BUG unfreed layout segments.\n");
pnfs_detach_layout_hdr(lo);
+ i_state = inode->i_state;
spin_unlock(&inode->i_lock);
pnfs_free_layout_hdr(lo);
+ /* Notify pnfs_destroy_layout_final() that we're done */
+ if (i_state & (I_FREEING | I_CLEAR))
+ wake_up_var(lo);
}
}
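Review bot: wake_up_var(lo) runs after pnfs_free_layout_hdr(lo), so lo is a stale pointer at that line; it is only safe because the pointer serves as the wait key and is not dereferenced. Extend the comment to say that explicitly, so the line is not later read as a use-after-free or "fixed" by moving it. The same comment could note that i_state is sampled before spin_unlock(&inode->i_lock), apparently so that the inode is not read again once the layout header has been released.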
@@ -734,8 +739,7 @@ pnfs_free_lseg_list(struct list_head *free_me)
}
}
-void
-pnfs_destroy_layout(struct nfs_inode *nfsi)
+static struct pnfs_layout_hdr *__pnfs_destroy_layout(struct nfs_inode *nfsi)
{
struct pnfs_layout_hdr *lo;
LIST_HEAD(tmp_list);
@@ -753,9 +757,23 @@ pnfs_destroy_layout(struct nfs_inode *nfsi)
pnfs_put_layout_hdr(lo);
} else
spin_unlock(&nfsi->vfs_inode.i_lock);
+ return lo;
+}
+
+void pnfs_destroy_layout(struct nfs_inode *nfsi)
+{
+ __pnfs_destroy_layout(nfsi);
}
EXPORT_SYMBOL_GPL(pnfs_destroy_layout);
+void pnfs_destroy_layout_final(struct nfs_inode *nfsi)
+{
+ struct pnfs_layout_hdr *lo = __pnfs_destroy_layout(nfsi);
+
+ if (lo)
+ wait_var_event(lo, nfsi->layout != lo);
+}
+
static bool
pnfs_layout_add_bulk_destroy_list(struct inode *inode,
struct list_head *layout_list)
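Review bot: in pnfs_destroy_layout_final() the condition nfsi->layout != lo is read without i_lock, while the put side in pnfs_put_layout_hdr() does its detach and i_state sampling under inode->i_lock. Evaluate the condition through a small helper that takes i_lock, compares and unlocks, so the waiter cannot observe the field change before the put side has reached its unlock. Related: if nfsi->layout is cleared inside pnfs_detach_layout_hdr() (not shown in these hunks), the condition is already true before pnfs_free_layout_hdr(lo) runs, so the waiter can return while the free is still in progress; please confirm that the free path does not touch the inode. The lo returned by __pnfs_destroy_layout() may also already have been freed by the pnfs_put_layout_hdr(lo) just above, which is fine for a comparison and a wait key but deserves a comment on the helper.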
diff --git a/fs/nfs/pnfs.h b/fs/nfs/pnfs.h
index f618c49697bb..ef19499e1e0f 100644
--- a/fs/nfs/pnfs.h
+++ b/fs/nfs/pnfs.h
@@ -268,6 +268,7 @@ struct pnfs_layout_segment *pnfs_layout_process(struct nfs4_layoutget *lgp);
void pnfs_layoutget_free(struct nfs4_layoutget *lgp);
void pnfs_free_lseg_list(struct list_head *tmp_list);
void pnfs_destroy_layout(struct nfs_inode *);
+void pnfs_destroy_layout_final(struct nfs_inode *);
void pnfs_destroy_all_layouts(struct nfs_client *);
int pnfs_destroy_layouts_byfsid(struct nfs_client *clp,
struct nfs_fsid *fsid,
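Review bot: the prototype for pnfs_destroy_layout_final() is added only beside the existing pnfs_destroy_layout() declaration, and the build report later in this thread shows nfs4_evict_inode() failing with an implicit declaration on an i386 randconfig. If this part of pnfs.h is compiled only under a config option, with static inline stubs in the other branch, that branch needs a matching empty stub for pnfs_destroy_layout_final() so that nfs4super.c builds in both configurations.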
--
2.28.0
* Re: [PATCH] NFSv4: Fix a pNFS layout related use-after-free race when freeing the inode
From: kernel test robot @ 2020-11-25 21:42 UTC (permalink / raw)
To: trondmy, linux-nfs; +Cc: kbuild-all
[-- Attachment #1: Type: text/plain, Size: 2715 bytes --]
Hi,
I love your patch! Yet something to improve:
[auto build test ERROR on nfs/linux-next]
[also build test ERROR on v5.10-rc5 next-20201125]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/trondmy-kernel-org/NFSv4-Fix-a-pNFS-layout-related-use-after-free-race-when-freeing-the-inode/20201126-025547
base: git://git.linux-nfs.org/projects/trondmy/linux-nfs.git linux-next
config: i386-randconfig-s001-20201125 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
reproduce:
# apt-get install sparse
# sparse version: v0.6.3-151-g540c2c4b-dirty
# https://github.com/0day-ci/linux/commit/1152b7349ba4ede4340756f56f5f21808d987a86
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review trondmy-kernel-org/NFSv4-Fix-a-pNFS-layout-related-use-after-free-race-when-freeing-the-inode/20201126-025547
git checkout 1152b7349ba4ede4340756f56f5f21808d987a86
# save the attached .config to linux build tree
make W=1 C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' ARCH=i386
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All errors (new ones prefixed by >>):
fs/nfs/nfs4super.c: In function 'nfs4_evict_inode':
>> fs/nfs/nfs4super.c:70:2: error: implicit declaration of function 'pnfs_destroy_layout_final'; did you mean 'pnfs_destroy_layout'? [-Werror=implicit-function-declaration]
70 | pnfs_destroy_layout_final(NFS_I(inode));
| ^~~~~~~~~~~~~~~~~~~~~~~~~
| pnfs_destroy_layout
cc1: some warnings being treated as errors
vim +70 fs/nfs/nfs4super.c
56
57 /*
58 * Clean out any remaining NFSv4 state that might be left over due
59 * to open() calls that passed nfs_atomic_lookup, but failed to call
60 * nfs_open().
61 */
62 static void nfs4_evict_inode(struct inode *inode)
63 {
64 truncate_inode_pages_final(&inode->i_data);
65 clear_inode(inode);
66 /* If we are holding a delegation, return and free it */
67 nfs_inode_evict_delegation(inode);
68 /* Note that above delegreturn would trigger pnfs return-on-close */
69 pnfs_return_layout(inode);
> 70 pnfs_destroy_layout_final(NFS_I(inode));
71 /* First call standard NFS clear_inode() code */
72 nfs_clear_inode(inode);
73 nfs4_xattr_cache_zap(inode);
74 }
75
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 39329 bytes --]