1. 15 May, 2010 36 commits
  2. 02 May, 2010 2 commits
    • NFS: Fix RCU issues in the NFSv4 delegation code · 17d2c0a0
      David Howells committed on
      Fix a number of RCU issues in the NFSv4 delegation code.
      
       (1) delegation->cred doesn't need to be RCU protected as it's essentially an
           invariant refcounted structure.
      
           By the time we get to nfs_free_delegation(), the delegation is being
           released, so no one else should be attempting to use the saved
           credentials, and they can be cleared.
      
           However, since the list of delegations could still be under traversal at
           this point by such as nfs_client_return_marked_delegations(), the cred
           should be released in nfs_do_free_delegation() rather than in
           nfs_free_delegation().  Simply using rcu_assign_pointer() to clear it is
           insufficient as that doesn't stop the cred from being destroyed, and nor
           does calling put_rpccred() after call_rcu(), given that the latter is
           asynchronous.
      
       (2) nfs_detach_delegation_locked() and nfs_inode_set_delegation() should use
           rcu_dereference_protected() because they can only be called if
           nfs_client::cl_lock is held, and that guards against anyone changing
           nfsi->delegation under it.  Furthermore, the barrier imposed by
           rcu_dereference() is superfluous, given that the spin_lock() is also a
           barrier.
      
       (3) nfs_detach_delegation_locked() is now passed a pointer to the nfs_client
           struct so that it can issue lockdep advice based on clp->cl_lock for (2).
      
       (4) nfs_inode_return_delegation_noreclaim() and nfs_inode_return_delegation()
           should use rcu_access_pointer() outside the spinlocked region as they
           merely examine the pointer and don't follow it, thus rendering unnecessary
           the need to impose a partial ordering over the one item of interest.
      
           These result in an RCU warning like the following:
      
      [ INFO: suspicious rcu_dereference_check() usage. ]
      ---------------------------------------------------
      fs/nfs/delegation.c:332 invoked rcu_dereference_check() without protection!
      
      other info that might help us debug this:
      
      rcu_scheduler_active = 1, debug_locks = 0
      2 locks held by mount.nfs4/2281:
       #0:  (&type->s_umount_key#34){+.+...}, at: [<ffffffff810b25b4>] deactivate_super+0x60/0x80
       #1:  (iprune_sem){+.+...}, at: [<ffffffff810c332a>] invalidate_inodes+0x39/0x13a
      
      stack backtrace:
      Pid: 2281, comm: mount.nfs4 Not tainted 2.6.34-rc1-cachefs #110
      Call Trace:
       [<ffffffff8105149f>] lockdep_rcu_dereference+0xaa/0xb2
       [<ffffffffa00b4591>] nfs_inode_return_delegation_noreclaim+0x5b/0xa0 [nfs]
       [<ffffffffa0095d63>] nfs4_clear_inode+0x11/0x1e [nfs]
       [<ffffffff810c2d92>] clear_inode+0x9e/0xf8
       [<ffffffff810c3028>] dispose_list+0x67/0x10e
       [<ffffffff810c340d>] invalidate_inodes+0x11c/0x13a
       [<ffffffff810b1dc1>] generic_shutdown_super+0x42/0xf4
       [<ffffffff810b1ebe>] kill_anon_super+0x11/0x4f
       [<ffffffffa009893c>] nfs4_kill_super+0x3f/0x72 [nfs]
       [<ffffffff810b25bc>] deactivate_super+0x68/0x80
       [<ffffffff810c6744>] mntput_no_expire+0xbb/0xf8
       [<ffffffff810c681b>] release_mounts+0x9a/0xb0
       [<ffffffff810c689b>] put_mnt_ns+0x6a/0x79
       [<ffffffffa00983a1>] nfs_follow_remote_path+0x5a/0x146 [nfs]
       [<ffffffffa0098334>] ? nfs_do_root_mount+0x82/0x95 [nfs]
       [<ffffffffa00985a9>] nfs4_try_mount+0x75/0xaf [nfs]
       [<ffffffffa0098874>] nfs4_get_sb+0x291/0x31a [nfs]
       [<ffffffff810b2059>] vfs_kern_mount+0xb8/0x177
       [<ffffffff810b2176>] do_kern_mount+0x48/0xe8
       [<ffffffff810c810b>] do_mount+0x782/0x7f9
       [<ffffffff810c8205>] sys_mount+0x83/0xbe
       [<ffffffff81001eeb>] system_call_fastpath+0x16/0x1b
      
      Also on:
      
      fs/nfs/delegation.c:215 invoked rcu_dereference_check() without protection!
       [<ffffffff8105149f>] lockdep_rcu_dereference+0xaa/0xb2
       [<ffffffffa00b4223>] nfs_inode_set_delegation+0xfe/0x219 [nfs]
       [<ffffffffa00a9c6f>] nfs4_opendata_to_nfs4_state+0x2c2/0x30d [nfs]
       [<ffffffffa00aa15d>] nfs4_do_open+0x2a6/0x3a6 [nfs]
       ...
      
      And:
      
      fs/nfs/delegation.c:40 invoked rcu_dereference_check() without protection!
       [<ffffffff8105149f>] lockdep_rcu_dereference+0xaa/0xb2
       [<ffffffffa00b3bef>] nfs_free_delegation+0x3d/0x6e [nfs]
       [<ffffffffa00b3e71>] nfs_do_return_delegation+0x26/0x30 [nfs]
       [<ffffffffa00b406a>] __nfs_inode_return_delegation+0x1ef/0x1fe [nfs]
       [<ffffffffa00b448a>] nfs_client_return_marked_delegations+0xc9/0x124 [nfs]
       ...
      Signed-off-by: David Howells <dhowells@redhat.com>
      Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
      Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
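The ordering problem in point (1) of the commit message above, as a userspace model added here (not code from the commit or the kernel). `model_call_rcu`, `model_grace_period_end`, the structs and the enum are hypothetical stand-ins; the callback plays the role of nfs_do_free_delegation().

```c
#include <stddef.h>

/* Userspace model, not kernel code: the grace period is a one-slot deferred callback. */
struct cred { int refcount; int destroyed; };
struct delegation {
    struct cred *cred;
    int freed;
    void (*cb)(struct delegation *);
};

enum release_point { BEFORE_CALL_RCU, AFTER_CALL_RCU, IN_RCU_CALLBACK };

static struct delegation *pending;

static void put_cred(struct cred *c) { if (--c->refcount == 0) c->destroyed = 1; }

static void model_call_rcu(struct delegation *d, void (*cb)(struct delegation *))
{
    d->cb = cb;          /* queued only; runs when the grace period ends */
    pending = d;
}

static void model_grace_period_end(void)
{
    struct delegation *d = pending;
    pending = NULL;
    if (d) d->cb(d);
}

static void cb_free_only(struct delegation *d) { d->freed = 1; }
static void cb_put_cred_and_free(struct delegation *d)
{
    put_cred(d->cred);   /* last reference dropped after all readers are done */
    d->cred = NULL;
    d->freed = 1;
}

/* Returns 1 if a reader still walking the list finds the cred alive;
 * *destroyed_after reports the cred state once the grace period has ended. */
int reader_sees_live_cred(enum release_point when, int *destroyed_after)
{
    struct cred c = { 1, 0 };
    struct delegation d = { &c, 0, NULL };
    int alive;

    if (when == BEFORE_CALL_RCU) put_cred(d.cred);
    model_call_rcu(&d, when == IN_RCU_CALLBACK ? cb_put_cred_and_free : cb_free_only);
    if (when == AFTER_CALL_RCU) put_cred(d.cred);  /* call_rcu is asynchronous */

    alive = !c.destroyed;        /* reader follows d.cred before the grace period ends */
    model_grace_period_end();
    *destroyed_after = c.destroyed;
    return alive;
}
```

Only the `IN_RCU_CALLBACK` case keeps the cred alive for a reader that is still traversing; in all three cases the cred is destroyed once the grace period has ended.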
    • NFSv4: Fix the locking in nfs_inode_reclaim_delegation() · 8f649c37
      Trond Myklebust committed on
      Ensure that we correctly rcu-dereference the delegation itself, and that we
      protect against removal while we're changing the contents.
      Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
      Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
  3. 29 April, 2010 2 commits
    • nfs d_revalidate() is too trigger-happy with d_drop() · d9e80b7d
      Al Viro committed on
      If dentry found stale happens to be a root of disconnected tree, we
      can't d_drop() it; its d_hash is actually part of s_anon and d_drop()
      would simply hide it from shrink_dcache_for_umount(), leading to
      all sorts of fun, including busy inodes on umount and oopsen after
      that.
      
      Bug had been there since at least 2006 (commit c636eb already has it),
      so it's definitely -stable fodder.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      Cc: stable@kernel.org
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • nfs: fix memory leak in nfs_get_sb with CONFIG_NFS_V4 · 9699eda6
      Xiaotian Feng committed on
      With CONFIG_NFS_V4 and data version 4, nfs_get_sb will allocate memory for
      export_path in nfs4_validate_text_mount_data, so we need to free it then.
      This is addressed in following kmemleak report:
      
      unreferenced object 0xffff88016bf48a50 (size 16):
        comm "mount.nfs", pid 22567, jiffies 4651574704 (age 175471.200s)
        hex dump (first 16 bytes):
          2f 6f 70 74 2f 77 6f 72 6b 00 6b 6b 6b 6b 6b a5  /opt/work.kkkkk.
        backtrace:
          [<ffffffff814b34f9>] kmemleak_alloc+0x60/0xa7
          [<ffffffff81102c76>] kmemleak_alloc_recursive.clone.5+0x1b/0x1d
          [<ffffffff811046b3>] __kmalloc_track_caller+0x18f/0x1b7
          [<ffffffff810e1b08>] kstrndup+0x37/0x54
          [<ffffffffa0336971>] nfs_parse_devname+0x152/0x204 [nfs]
          [<ffffffffa0336af3>] nfs4_validate_text_mount_data+0xd0/0xdc [nfs]
          [<ffffffffa0338deb>] nfs_get_sb+0x325/0x736 [nfs]
          [<ffffffff81113671>] vfs_kern_mount+0xbd/0x17c
          [<ffffffff81113798>] do_kern_mount+0x4d/0xed
          [<ffffffff81129a87>] do_mount+0x787/0x7fe
          [<ffffffff81129b86>] sys_mount+0x88/0xc2
          [<ffffffff81009b42>] system_call_fastpath+0x16/0x1b
      Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
      Cc: Trond Myklebust <Trond.Myklebust@netapp.com>
      Cc: Chuck Lever <chuck.lever@oracle.com>
      Cc: Benny Halevy <bhalevy@panasas.com>
      Cc: Al Viro <viro@ZenIV.linux.org.uk>
      Cc: Andy Adamson <andros@netapp.com>
      Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>