Received: by 2002:a25:ef43:0:0:0:0:0 with SMTP id w3csp896467ybm; Fri, 29 May 2020 15:06:49 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy1Q/8zmC89qDFv46KbvXoDZK4z/GM004AKBcFYKzR4cwkfGLqhqDTcQZE5rM9zoKXiwsRY X-Received: by 2002:a17:906:b2c6:: with SMTP id cf6mr9655148ejb.210.1590790008998; Fri, 29 May 2020 15:06:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1590790008; cv=none; d=google.com; s=arc-20160816; b=DwvuUvZnZOmwPASIpR2RHHV5JRyZlODG3BWJhbCAhOmBgu4rq7e9Od1cEuhUmnDEqJ 1sCUm4hc5CVqfS/oODK2LGMkYs1OJJGLbNpHpwcUHa5TCeY0vE4GxEWfrd4rZzywMVcA qp53oE05l6UgNSx8JKsx4TQSGg0Bmiwx40wbsx0rLdbJyusJmqQhmWJ81JJhEH1yMZK6 rKZzAXuzbeQg+XLJIUcI72/ux9W8ham1nT7sbE9/FFdEPQltNp3VFw3zP+Eze/mfx2ga xduHZwOdpCWRpnoj+KqHK4amjcw0GUAcIH/w6zTiPtYedtfVMWV8joKyq+TM6kblUeww lCig== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=+Y8l5uyeJAe8x4uqUa7GvvqFR3Dsju7uoqVtCED+Vm0=; b=IPKAYlQoAYA8R/GVBxLEZz6i1zhUnFo6+xN0VZTjxXp3gFo/LV+FQQqiAKqzFfpdwN osxSrRFK7qaL5ptRItMoepdBKiOR/+2sxq4nsJzQm2ZqOxlDMVcaxhMankQZkqSIqqBj ByUDiIY7vfMPwFl3GsH/4BXYo0IEfxPU43tBOt93r+cIR+bcxHw7E3bjJOC1yeZN8NuM 6pP3scxGY2j8pUHicHfw1WT+TwUK101GhSfhWRfnTpJNeGYaVSw8NjlBF0nNXO7EOdkL hgzVkUHMkDkj5QB9BZO8+4Rijsxd+J4xAinhHRhw974un8IdB+QAuhF6lDLG8jUnnDgF CqZQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id ds15si2362813ejc.14.2020.05.29.15.06.16; Fri, 29 May 2020 15:06:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726975AbgE2WGO (ORCPT + 99 others); Fri, 29 May 2020 18:06:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55382 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727964AbgE2WGN (ORCPT ); Fri, 29 May 2020 18:06:13 -0400 Received: from fieldses.org (fieldses.org [IPv6:2600:3c00::f03c:91ff:fe50:41d6]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8607DC03E969 for ; Fri, 29 May 2020 15:06:09 -0700 (PDT) Received: by fieldses.org (Postfix, from userid 2815) id 0DADB1BE7; Fri, 29 May 2020 18:06:08 -0400 (EDT) Date: Fri, 29 May 2020 18:06:08 -0400 From: "J. Bruce Fields" To: NeilBrown Cc: Jeff Layton , linux-nfs@vger.kernel.org Subject: Re: nfs4_show_superblock considered harmful :-) Message-ID: <20200529220608.GA22758@fieldses.org> References: <871rn38suc.fsf@notabene.neil.brown.name> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <871rn38suc.fsf@notabene.neil.brown.name> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-nfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On Fri, May 29, 2020 at 10:53:15AM +1000, NeilBrown wrote: > I've received a report of a 5.3 kernel crashing in > nfs4_show_superblock(). > I was part way through preparing a patch when I concluded that > the problem wasn't as straight forward as I thought. > > In the crash, the 'struct file *' passed to nfs4_show_superblock() > was NULL. > This file was acquired from find_any_file(), and every other caller > of find_any_file() checks that the returned value is not NULL (though > one BUGs if it is NULL - another WARNs). > But nfs4_show_open() and nfs4_show_lock() don't. > Maybe they should. I didn't double check, but I suspect they don't > hold enough locks to ensure that the files don't get removed. I think the only lock held is cl_lock, acquired in states_start. We're starting here with an nfs4_stid that was found in the cl_stateids idr. A struct nfs4_stid is freed by nfs4_put_stid(), which removes it from that idr under cl_lock before freeing the nfs4_stid and anything it points to. I think that was the theory.... One possible problem is downgrades, like nfs4_stateid_downgrade. I'll keep mulling it over, thanks. --b. > > > Then I noticed that nfs4_show_deleg() accesses fi_deleg_file without > checking if it is NULL - Should it take fi_lock and make sure it is > not NULL - and get a counted reference? > And maybe nfs4_show_layout() has the same problem? > > I could probably have worked my way through fixing all of these, but > then I discovered that these things are now 'struct nfsd_file *' rather > than 'struct file *' and that the helpful documentation says: > > * Note that this object doesn't > * hold a reference to the inode by itself, so the nf_inode pointer should > * never be dereferenced, only used for comparison. > > and yet nfs4_show_superblock() contains: > > struct inode *inode = f->nf_inode; > > seq_printf(s, "superblock: \"%02x:%02x:%ld\"", > MAJOR(inode->i_sb->s_dev), > MINOR(inode->i_sb->s_dev), > inode->i_ino); > > do you see my problem? > > Is this really safe and the doco wrong? (I note that the use of nf_inode > in nfsd_file_mark_find_or_create() looks wrong, but is actually safe). > Or should we check if nf_file is non-NULL and use that? > > In short: > - We should check find_any_file() return value - correct? > - Do we need extra locking to stabilize fi_deleg_file? > - ditto for ->ls_file > - how can nfs4_show_superblock safely get s_dev and i_ino from a > nfsd_file? > > Thanks, > > NeilBrown