linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	Trond Myklebust <trond.myklebust@primarydata.com>,
	"J. Bruce Fields" <bfields@redhat.com>
Subject: [PATCH 4.9 08/38] nfsd: Fix stateid races between OPEN and CLOSE
Date: Mon,  4 Dec 2017 16:59:48 +0100	[thread overview]
Message-ID: <20171204160007.785132825@linuxfoundation.org> (raw)
In-Reply-To: <20171204160007.448534903@linuxfoundation.org>

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Trond Myklebust <trond.myklebust@primarydata.com>

commit 15ca08d3299682dc49bad73251677b2c5017ef08 upstream.

Open file stateids can linger on the nfs4_file list of stateids even
after they have been closed. In order to avoid reusing such a
stateid, and confusing the client, we need to recheck the
nfs4_stid's type after taking the mutex.
Otherwise, we risk reusing an old stateid that was already closed,
which will confuse clients that expect new stateids to conform to
RFC7530 Sections 9.1.4.2 and 16.2.5 or RFC5661 Sections 8.2.2 and 18.2.4.

Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfsd/nfs4state.c |   67 +++++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 59 insertions(+), 8 deletions(-)

--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -3513,7 +3513,9 @@ nfsd4_find_existing_open(struct nfs4_fil
 		/* ignore lock owners */
 		if (local->st_stateowner->so_is_open_owner == 0)
 			continue;
-		if (local->st_stateowner == &oo->oo_owner) {
+		if (local->st_stateowner != &oo->oo_owner)
+			continue;
+		if (local->st_stid.sc_type == NFS4_OPEN_STID) {
 			ret = local;
 			atomic_inc(&ret->st_stid.sc_count);
 			break;
@@ -3522,6 +3524,52 @@ nfsd4_find_existing_open(struct nfs4_fil
 	return ret;
 }
 
+static __be32
+nfsd4_verify_open_stid(struct nfs4_stid *s)
+{
+	__be32 ret = nfs_ok;
+
+	switch (s->sc_type) {
+	default:
+		break;
+	case NFS4_CLOSED_STID:
+	case NFS4_CLOSED_DELEG_STID:
+		ret = nfserr_bad_stateid;
+		break;
+	case NFS4_REVOKED_DELEG_STID:
+		ret = nfserr_deleg_revoked;
+	}
+	return ret;
+}
+
+/* Lock the stateid st_mutex, and deal with races with CLOSE */
+static __be32
+nfsd4_lock_ol_stateid(struct nfs4_ol_stateid *stp)
+{
+	__be32 ret;
+
+	mutex_lock(&stp->st_mutex);
+	ret = nfsd4_verify_open_stid(&stp->st_stid);
+	if (ret != nfs_ok)
+		mutex_unlock(&stp->st_mutex);
+	return ret;
+}
+
+static struct nfs4_ol_stateid *
+nfsd4_find_and_lock_existing_open(struct nfs4_file *fp, struct nfsd4_open *open)
+{
+	struct nfs4_ol_stateid *stp;
+	for (;;) {
+		spin_lock(&fp->fi_lock);
+		stp = nfsd4_find_existing_open(fp, open);
+		spin_unlock(&fp->fi_lock);
+		if (!stp || nfsd4_lock_ol_stateid(stp) == nfs_ok)
+			break;
+		nfs4_put_stid(&stp->st_stid);
+	}
+	return stp;
+}
+
 static struct nfs4_openowner *
 alloc_init_open_stateowner(unsigned int strhashval, struct nfsd4_open *open,
 			   struct nfsd4_compound_state *cstate)
@@ -3566,6 +3614,7 @@ init_open_stateid(struct nfs4_file *fp,
 	mutex_init(&stp->st_mutex);
 	mutex_lock(&stp->st_mutex);
 
+retry:
 	spin_lock(&oo->oo_owner.so_client->cl_lock);
 	spin_lock(&fp->fi_lock);
 
@@ -3590,7 +3639,11 @@ out_unlock:
 	spin_unlock(&fp->fi_lock);
 	spin_unlock(&oo->oo_owner.so_client->cl_lock);
 	if (retstp) {
-		mutex_lock(&retstp->st_mutex);
+		/* Handle races with CLOSE */
+		if (nfsd4_lock_ol_stateid(retstp) != nfs_ok) {
+			nfs4_put_stid(&retstp->st_stid);
+			goto retry;
+		}
 		/* To keep mutex tracking happy */
 		mutex_unlock(&stp->st_mutex);
 		stp = retstp;
@@ -4411,9 +4464,7 @@ nfsd4_process_open2(struct svc_rqst *rqs
 		status = nfs4_check_deleg(cl, open, &dp);
 		if (status)
 			goto out;
-		spin_lock(&fp->fi_lock);
-		stp = nfsd4_find_existing_open(fp, open);
-		spin_unlock(&fp->fi_lock);
+		stp = nfsd4_find_and_lock_existing_open(fp, open);
 	} else {
 		open->op_file = NULL;
 		status = nfserr_bad_stateid;
@@ -4427,7 +4478,6 @@ nfsd4_process_open2(struct svc_rqst *rqs
 	 */
 	if (stp) {
 		/* Stateid was found, this is an OPEN upgrade */
-		mutex_lock(&stp->st_mutex);
 		status = nfs4_upgrade_open(rqstp, fp, current_fh, stp, open);
 		if (status) {
 			mutex_unlock(&stp->st_mutex);
@@ -5314,7 +5364,6 @@ static void nfsd4_close_open_stateid(str
 	bool unhashed;
 	LIST_HEAD(reaplist);
 
-	s->st_stid.sc_type = NFS4_CLOSED_STID;
 	spin_lock(&clp->cl_lock);
 	unhashed = unhash_open_stateid(s, &reaplist);
 
@@ -5353,10 +5402,12 @@ nfsd4_close(struct svc_rqst *rqstp, stru
 	nfsd4_bump_seqid(cstate, status);
 	if (status)
 		goto out; 
+
+	stp->st_stid.sc_type = NFS4_CLOSED_STID;
 	nfs4_inc_and_copy_stateid(&close->cl_stateid, &stp->st_stid);
-	mutex_unlock(&stp->st_mutex);
 
 	nfsd4_close_open_stateid(stp);
+	mutex_unlock(&stp->st_mutex);
 
 	/* put reference from nfs4_preprocess_seqid_op */
 	nfs4_put_stid(&stp->st_stid);

  parent reply	other threads:[~2017-12-04 16:31 UTC|newest]

Thread overview: 34+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-12-04 15:59 [PATCH 4.9 00/38] 4.9.67-stable review Greg Kroah-Hartman
2017-12-04 15:59 ` [PATCH 4.9 01/38] ARM: dts: LogicPD Torpedo: Fix camera pin mux Greg Kroah-Hartman
2017-12-04 15:59 ` [PATCH 4.9 02/38] ARM: dts: omap3: logicpd-torpedo-37xx-devkit: Fix MMC1 cd-gpio Greg Kroah-Hartman
2017-12-04 15:59 ` [PATCH 4.9 03/38] mm, thp: Do not make page table dirty unconditionally in touch_p[mu]d() Greg Kroah-Hartman
2017-12-04 15:59 ` [PATCH 4.9 04/38] mm/cma: fix alloc_contig_range ret code/potential leak Greg Kroah-Hartman
2017-12-04 15:59 ` [PATCH 4.9 05/38] mm, hugetlbfs: introduce ->split() to vm_operations_struct Greg Kroah-Hartman
2017-12-04 15:59 ` [PATCH 4.9 06/38] mm/madvise.c: fix madvise() infinite loop under special circumstances Greg Kroah-Hartman
2017-12-04 15:59 ` [PATCH 4.9 07/38] btrfs: clear space cache inode generation always Greg Kroah-Hartman
2017-12-04 15:59 ` Greg Kroah-Hartman [this message]
2017-12-04 15:59 ` [PATCH 4.9 09/38] nfsd: Fix another OPEN stateid race Greg Kroah-Hartman
2017-12-04 15:59 ` [PATCH 4.9 10/38] nfsd: fix panic in posix_unblock_lock called from nfs4_laundromat Greg Kroah-Hartman
2017-12-04 15:59 ` [PATCH 4.9 11/38] mfd: twl4030-power: Fix pmic for boards that need vmmc1 on reboot Greg Kroah-Hartman
2017-12-04 15:59 ` [PATCH 4.9 12/38] ARM: OMAP2+: Fix WL1283 Bluetooth Baud Rate Greg Kroah-Hartman
2017-12-04 15:59 ` [PATCH 4.9 16/38] KVM: lapic: Split out x2apic ldr calculation Greg Kroah-Hartman
2017-12-04 15:59 ` [PATCH 4.9 17/38] KVM: lapic: Fixup LDR on load in x2apic Greg Kroah-Hartman
2017-12-04 15:59 ` [PATCH 4.9 18/38] mmc: core: Do not leave the block driver in a suspended state Greg Kroah-Hartman
2017-12-04 15:59 ` [PATCH 4.9 19/38] mmc: core: prepend 0x to OCR entry in sysfs Greg Kroah-Hartman
2017-12-04 16:00 ` [PATCH 4.9 20/38] eeprom: at24: fix reading from 24MAC402/24MAC602 Greg Kroah-Hartman
2017-12-04 16:00 ` [PATCH 4.9 21/38] eeprom: at24: correctly set the size for at24mac402 Greg Kroah-Hartman
2017-12-04 16:00 ` [PATCH 4.9 22/38] eeprom: at24: check at24_read/write arguments Greg Kroah-Hartman
2017-12-04 16:00 ` [PATCH 4.9 23/38] i2c: i801: Fix Failed to allocate irq -2147483648 error Greg Kroah-Hartman
2017-12-04 16:00 ` [PATCH 4.9 24/38] bcache: Fix building error on MIPS Greg Kroah-Hartman
2017-12-04 16:00 ` [PATCH 4.9 25/38] hwmon: (jc42) optionally try to disable the SMBUS timeout Greg Kroah-Hartman
2017-12-04 16:00 ` [PATCH 4.9 26/38] nvme-pci: add quirk for delay before CHK RDY for WDC SN200 Greg Kroah-Hartman
2017-12-04 16:42   ` Jeffrey Lien
2017-12-04 16:00 ` [PATCH 4.9 30/38] drm/radeon: fix atombios on big endian Greg Kroah-Hartman
2017-12-04 16:00 ` [PATCH 4.9 31/38] drm/panel: simple: Add missing panel_simple_unprepare() calls Greg Kroah-Hartman
2017-12-04 16:00 ` [PATCH 4.9 32/38] drm/hisilicon: Ensure LDI regs are properly configured Greg Kroah-Hartman
2017-12-04 16:00 ` [PATCH 4.9 34/38] drm/amd/pp: fix typecast error in powerplay Greg Kroah-Hartman
2017-12-04 16:00 ` [PATCH 4.9 35/38] Revert "x86/entry/64: Add missing irqflags tracing to native_load_gs_index()" Greg Kroah-Hartman
2017-12-04 16:00 ` [PATCH 4.9 36/38] NFS: revalidate "." etc correctly on "open" Greg Kroah-Hartman
2017-12-04 20:26 ` [PATCH 4.9 00/38] 4.9.67-stable review Shuah Khan
2017-12-04 23:46 ` Guenter Roeck
2017-12-05  7:09 ` Naresh Kamboju

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20171204160007.785132825@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=bfields@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=trond.myklebust@primarydata.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).