From: Alex Lyakas
Date: Sun, 25 Aug 2019 13:12:34 +0300
Subject: Re: [RFC-PATCH] nfsd: when unhashing openowners, increment openowner's refcount
To: bfields@fieldses.org, chuck.lever@oracle.com
Cc: linux-nfs@vger.kernel.org, Shyam Kaushik

Hi Bruce, Chuck,

You are listed as maintainers of nfsd. Can you please take a look at the
below patch?

Thanks,
Alex.

On Wed, Aug 21, 2019 at 7:50 PM Alex Lyakas wrote:
>
> release_openowner() expects an extra refcnt taken for the openowner,
> which it is releasing.
>
> With nfsd_inject_forget_client_openowners() and nfsd_inject_forget_openowners(),
> we unhash openowners and collect them into a reaplist. Later we call
> nfsd_reap_openowners(), which calls release_openowner(), which releases all openowner's stateids.
> Each OPEN stateid holds a refcnt on the openowner. Therefore, after releasing
> the last OPEN stateid via its sc_free function, which is nfs4_free_ol_stateid,
> nfs4_put_stateowner() will be called, which will realize it's the last
> refcnt for the openowner. As a result, openowner will be freed.
> But later, release_openowner() will go ahead and call release_last_closed_stateid()
> and nfs4_put_stateowner() on the same openowner which was just released.
> This corrupts memory and causes random crashes.
>
> After we fixed this, we confirmed that the openowner is not freed
> prematurely. It is freed by release_openowner() final call
> to nfs4_put_stateowner().
>
> However, we still get (other) random crashes and memory corruptions
> when nfsd_inject_forget_client_openowners() and
> nfsd_inject_forget_openowners().
> According to our analysis, we don't see any other refcount issues.
> Can anybody from the community review these flows for other potential issues?
>
> Signed-off-by: Alex Lyakas
> ---
> fs/nfsd/nfs4state.c | 1 +
> 1 file changed, 1 insertion(+)
> > diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c > index 7857942..4e9afca 100644 > --- a/fs/nfsd/nfs4state.c > +++ b/fs/nfsd/nfs4state.c > @@ -7251,6 +7251,7 @@ static u64 nfsd_foreach_client_lock(struct nfs4_client *clp, u64 max, > func(oop); > if (collect) { > atomic_inc(&clp->cl_rpc_users); > + nfs4_get_stateowner(&oop->oo_owner); > list_add(&oop->oo_perclient, collect); > } > } > -- > 1.9.1 >
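
Review bot: the added nfs4_get_stateowner(&oop->oo_owner) sits after func(oop) and only inside the if (collect) branch, and nothing in the hunk says which put balances it. Please add a comment at the new line stating that this reference is the one dropped by the final nfs4_put_stateowner() in release_openowner() when the reaplist is processed, mirroring the existing atomic_inc(&clp->cl_rpc_users) pairing. It is also worth confirming that func(oop) cannot drop the last reference on the openowner before the increment runs; if it can, the get should move ahead of func(oop). Since the commit message reports that crashes persist with this change applied, the changelog should say whether this fix is intended to be merged on its own or only as part of a larger series.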
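
The refcount imbalance described in the commit message above, as a small user-space model added here (not kernel code and not part of the original mail). The struct, the function names and the assumption that the only references held at reap time are those of the OPEN stateids are all constructed for illustration.

```c
#include <stdio.h>

/* Constructed model of an openowner; field names are hypothetical. */
struct owner {
    int refcnt;     /* references currently held on the owner */
    int nstateids;  /* OPEN stateids, each holding one reference */
    int freed;      /* set instead of calling free(), so the model stays defined */
    int bad_puts;   /* puts that hit a freed or zero-count owner */
};

static void get_owner(struct owner *o) { o->refcnt++; }

static void put_owner(struct owner *o)
{
    if (o->freed || o->refcnt <= 0) {
        o->bad_puts++;          /* in the kernel this is the use-after-free */
        return;
    }
    if (--o->refcnt == 0)
        o->freed = 1;
}

/* Models release_openowner(): release every stateid, then drop the
 * reference the caller is expected to hold. */
static void release_owner(struct owner *o)
{
    while (o->nstateids > 0) {
        o->nstateids--;
        put_owner(o);           /* stateid free path drops its owner reference */
    }
    put_owner(o);               /* final put, assumes an extra reference exists */
}

/* Returns the number of puts that landed on an already released owner. */
static int reap(int nstateids, int take_extra_ref)
{
    struct owner o = { .refcnt = nstateids, .nstateids = nstateids };

    if (take_extra_ref)
        get_owner(&o);          /* the get added when collecting onto the reaplist */
    release_owner(&o);
    return o.bad_puts;
}

int main(void)
{
    printf("without extra ref: %d bad put(s)\n", reap(2, 0));
    printf("with extra ref:    %d bad put(s)\n", reap(2, 1));
    return 0;
}
```
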