Skip to content

Commit b112324

Browse files
torvaldstorvalds
committed
Merge tag 'nfsd-4.8-1' of git://linux-nfs.org/~bfields/linux
Pull nfsd fixes from Bruce Fields: "Fixes for the dentry refcounting leak I introduced in 4.8-rc1, and for races in the LOCK code which appear to go back to the big nfsd state lock removal from 3.17" * tag 'nfsd-4.8-1' of git://linux-nfs.org/~bfields/linux: nfsd: don't return an unhashed lock stateid after taking mutex nfsd: Fix race between FREE_STATEID and LOCK nfsd: fix dentry refcounting on create
2 parents 9710cb6 + dd25793 commit b112324

File tree

2 files changed

+54
-20
lines changed

2 files changed

+54
-20
lines changed

fs/nfsd/nfs4state.c

Lines changed: 48 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -4903,14 +4903,39 @@ nfsd4_test_stateid(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
49034903
return nfs_ok;
49044904
}
49054905

4906+
static __be32
4907+
nfsd4_free_lock_stateid(stateid_t *stateid, struct nfs4_stid *s)
4908+
{
4909+
struct nfs4_ol_stateid *stp = openlockstateid(s);
4910+
__be32 ret;
4911+
4912+
mutex_lock(&stp->st_mutex);
4913+
4914+
ret = check_stateid_generation(stateid, &s->sc_stateid, 1);
4915+
if (ret)
4916+
goto out;
4917+
4918+
ret = nfserr_locks_held;
4919+
if (check_for_locks(stp->st_stid.sc_file,
4920+
lockowner(stp->st_stateowner)))
4921+
goto out;
4922+
4923+
release_lock_stateid(stp);
4924+
ret = nfs_ok;
4925+
4926+
out:
4927+
mutex_unlock(&stp->st_mutex);
4928+
nfs4_put_stid(s);
4929+
return ret;
4930+
}
4931+
49064932
__be32
49074933
nfsd4_free_stateid(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
49084934
struct nfsd4_free_stateid *free_stateid)
49094935
{
49104936
stateid_t *stateid = &free_stateid->fr_stateid;
49114937
struct nfs4_stid *s;
49124938
struct nfs4_delegation *dp;
4913-
struct nfs4_ol_stateid *stp;
49144939
struct nfs4_client *cl = cstate->session->se_client;
49154940
__be32 ret = nfserr_bad_stateid;
49164941

@@ -4929,18 +4954,9 @@ nfsd4_free_stateid(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
49294954
ret = nfserr_locks_held;
49304955
break;
49314956
case NFS4_LOCK_STID:
4932-
ret = check_stateid_generation(stateid, &s->sc_stateid, 1);
4933-
if (ret)
4934-
break;
4935-
stp = openlockstateid(s);
4936-
ret = nfserr_locks_held;
4937-
if (check_for_locks(stp->st_stid.sc_file,
4938-
lockowner(stp->st_stateowner)))
4939-
break;
4940-
WARN_ON(!unhash_lock_stateid(stp));
4957+
atomic_inc(&s->sc_count);
49414958
spin_unlock(&cl->cl_lock);
4942-
nfs4_put_stid(s);
4943-
ret = nfs_ok;
4959+
ret = nfsd4_free_lock_stateid(stateid, s);
49444960
goto out;
49454961
case NFS4_REVOKED_DELEG_STID:
49464962
dp = delegstateid(s);
@@ -5507,15 +5523,17 @@ static __be32
55075523
lookup_or_create_lock_state(struct nfsd4_compound_state *cstate,
55085524
struct nfs4_ol_stateid *ost,
55095525
struct nfsd4_lock *lock,
5510-
struct nfs4_ol_stateid **lst, bool *new)
5526+
struct nfs4_ol_stateid **plst, bool *new)
55115527
{
55125528
__be32 status;
55135529
struct nfs4_file *fi = ost->st_stid.sc_file;
55145530
struct nfs4_openowner *oo = openowner(ost->st_stateowner);
55155531
struct nfs4_client *cl = oo->oo_owner.so_client;
55165532
struct inode *inode = d_inode(cstate->current_fh.fh_dentry);
55175533
struct nfs4_lockowner *lo;
5534+
struct nfs4_ol_stateid *lst;
55185535
unsigned int strhashval;
5536+
bool hashed;
55195537

55205538
lo = find_lockowner_str(cl, &lock->lk_new_owner);
55215539
if (!lo) {
@@ -5531,12 +5549,27 @@ lookup_or_create_lock_state(struct nfsd4_compound_state *cstate,
55315549
goto out;
55325550
}
55335551

5534-
*lst = find_or_create_lock_stateid(lo, fi, inode, ost, new);
5535-
if (*lst == NULL) {
5552+
retry:
5553+
lst = find_or_create_lock_stateid(lo, fi, inode, ost, new);
5554+
if (lst == NULL) {
55365555
status = nfserr_jukebox;
55375556
goto out;
55385557
}
5558+
5559+
mutex_lock(&lst->st_mutex);
5560+
5561+
/* See if it's still hashed to avoid race with FREE_STATEID */
5562+
spin_lock(&cl->cl_lock);
5563+
hashed = !list_empty(&lst->st_perfile);
5564+
spin_unlock(&cl->cl_lock);
5565+
5566+
if (!hashed) {
5567+
mutex_unlock(&lst->st_mutex);
5568+
nfs4_put_stid(&lst->st_stid);
5569+
goto retry;
5570+
}
55395571
status = nfs_ok;
5572+
*plst = lst;
55405573
out:
55415574
nfs4_put_stateowner(&lo->lo_owner);
55425575
return status;
@@ -5603,8 +5636,6 @@ nfsd4_lock(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
56035636
goto out;
56045637
status = lookup_or_create_lock_state(cstate, open_stp, lock,
56055638
&lock_stp, &new);
5606-
if (status == nfs_ok)
5607-
mutex_lock(&lock_stp->st_mutex);
56085639
} else {
56095640
status = nfs4_preprocess_seqid_op(cstate,
56105641
lock->lk_old_lock_seqid,

fs/nfsd/vfs.c

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1252,10 +1252,13 @@ nfsd_create(struct svc_rqst *rqstp, struct svc_fh *fhp,
12521252
if (IS_ERR(dchild))
12531253
return nfserrno(host_err);
12541254
err = fh_compose(resfhp, fhp->fh_export, dchild, fhp);
1255-
if (err) {
1256-
dput(dchild);
1255+
/*
1256+
* We unconditionally drop our ref to dchild as fh_compose will have
1257+
* already grabbed its own ref for it.
1258+
*/
1259+
dput(dchild);
1260+
if (err)
12571261
return err;
1258-
}
12591262
return nfsd_create_locked(rqstp, fhp, fname, flen, iap, type,
12601263
rdev, resfhp);
12611264
}

0 commit comments

Comments
 (0)