Received: by 2002:ac0:e350:0:0:0:0:0 with SMTP id g16csp2160657imn;
        Mon, 1 Aug 2022 13:30:09 -0700 (PDT)
X-Google-Smtp-Source: AGRyM1tTc6knXU2DwlhG8+odAGz5rv2LgCbShHkPPSY70TCJ0nuBz5OwCEtlb5WeZl8fEhhyjfkQ
X-Received: by 2002:a05:6402:2756:b0:43b:fda4:abc6 with SMTP id z22-20020a056402275600b0043bfda4abc6mr17272525edd.274.1659385809423;
        Mon, 01 Aug 2022 13:30:09 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1659385809; cv=pass;
        d=google.com; s=arc-20160816;
        b=Kn4z4pJlJJySY9beokLkDwmEfXRh/vQPofn3qvi7Zf8B8U1Q98Ez+/B0XvsnhqRfRY
         S8ahkq/KZQx6yP6EDT05KhBzj2FkibCYNDc6pupLMSTm8baLzIpGHWzflYOsB0HH+d6Q
         lSQkQ0fJ/2UiCdJ7wv54nt93s+JqT9AQ8J598MjTf9V0+0MkmvHZFzeBOuiK2lEuY//1
         xPyMjeCNqTcvqtJWqzvBxyh1Xv+gpK3KnPD3QBSctp3uqBN/igw1+P1+UvXhBiWBC+zk
         Bk7bHSbdYT1i1M8L67DLSw4fTeR8EUQ+anI/LFWGHR3lNNmy1lw8zjOTUxIh26K57KqM
         zt3w==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:mime-version:content-transfer-encoding
         :in-reply-to:from:references:cc:to:content-language:subject
         :user-agent:date:message-id:dkim-signature:dkim-signature;
        bh=mKiuF9pY8zsVncsqlToE9xKVZH13FYRSEjYJjn3I8wY=;
        b=N6kUfbLhZ+6iBJUwpxurbIEiXO1Ob7VlAVi8ou/UoN4BakX/+MA5nDhDftM+nB82YO
         RKCi63Opni7/Rw+yB3L9jaxuUvnYffCOH6+UQ/VA0Y59BEysLSAVtLgrRE6bJHy0zr5o
         71u4mR2KcvvGbFvSbc9DQJntTn4kviJ9Q9JDdYi38Ms0pV8kecah+LLelzvfSqwPhVwS
         wmqQtcjofR66Z+OCq8fcxVX9f8Oh6Zo2W/PPRS1yGPuIr6sb/fF1snkws9j3KJyOmUoB
         UW67cQmDUHAXM4lJ2ejSuv/Y8xB9wBZvoFf0XZ5d40Tl5U3je76YWixQnKvugKvGa6Hw
         31/w==
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@oracle.com header.s=corp-2022-7-12 header.b=nwJOxvBi;
       dkim=pass header.i=@oracle.onmicrosoft.com header.s=selector2-oracle-onmicrosoft-com header.b=gGwQSwqe;
       arc=pass (i=1 spf=pass spfdomain=oracle.com dkim=pass dkdomain=oracle.com dmarc=pass fromdomain=oracle.com);
       spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com
Return-Path: <linux-nfs-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id mm6-20020a170906cc4600b00711f646bb8csi8958051ejb.916.2022.08.01.13.29.31;
        Mon, 01 Aug 2022 13:30:09 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@oracle.com header.s=corp-2022-7-12 header.b=nwJOxvBi;
       dkim=pass header.i=@oracle.onmicrosoft.com header.s=selector2-oracle-onmicrosoft-com header.b=gGwQSwqe;
       arc=pass (i=1 spf=pass spfdomain=oracle.com dkim=pass dkdomain=oracle.com dmarc=pass fromdomain=oracle.com);
       spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232882AbiHAUZt (ORCPT <rfc822;jx.jiangxin@gmail.com>
        + 99 others); Mon, 1 Aug 2022 16:25:49 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39882 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S234388AbiHAUZq (ORCPT
        <rfc822;linux-nfs@vger.kernel.org>); Mon, 1 Aug 2022 16:25:46 -0400
Received: from mx0a-00069f02.pphosted.com (mx0a-00069f02.pphosted.com [205.220.165.32])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1F8CD17ABD
        for <linux-nfs@vger.kernel.org>; Mon,  1 Aug 2022 13:25:45 -0700 (PDT)
Received: from pps.filterd (m0246617.ppops.net [127.0.0.1])
        by mx0b-00069f02.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 271KPcYa026860;
        Mon, 1 Aug 2022 20:25:38 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=message-id : date :
 subject : to : cc : references : from : in-reply-to : content-type :
 content-transfer-encoding : mime-version; s=corp-2022-7-12;
 bh=mKiuF9pY8zsVncsqlToE9xKVZH13FYRSEjYJjn3I8wY=;
 b=nwJOxvBiG/FdwDhZ/Xy86Wu8pKzFnsf8rq9VcoVGMC5GbVnDFJEz9Q+SlRFmW0N33rW2
 nqufQN6M+ZkkJSQqLHIwMCtDQytMATFkvurP1zykY3V+yRN4exbXXQj65Rt+YwFMhx9F
 jDteaaP+V9ztu0cVC4Bg97F5IGIe0C1KIEPkcss/1NCSOQfNZt2+zKELh5YdhcJMTU3i
 7dw3hG8YOgC7sBYjqN4UGDKzJJeyhA5PIsYKk+S5D9Gja+1zIoHwus39CgZ6k7eoxHzL
 2gjJJ78coTC8wfT+7v40O08087NF6wJZ8i1zHPuBt6F80SQj9w3A5sxNeT8Stv2HpyXR Og== 
Received: from phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com (phxpaimrmta01.appoci.oracle.com [138.1.114.2])
        by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3hmw6tcuqc-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
        Mon, 01 Aug 2022 20:25:38 +0000
Received: from pps.filterd (phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com [127.0.0.1])
        by phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com (8.17.1.5/8.17.1.5) with ESMTP id 271KN8bZ010793;
        Mon, 1 Aug 2022 20:25:37 GMT
Received: from nam04-mw2-obe.outbound.protection.outlook.com (mail-mw2nam04lp2171.outbound.protection.outlook.com [104.47.73.171])
        by phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com (PPS) with ESMTPS id 3hmu31ky28-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
        Mon, 01 Aug 2022 20:25:37 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=SAOz99NCQn3M5rkah3aFPmdWvSxU8dYtTPHOycX7Ug8v3rnpq3Lxz3/XcDKKH0Tb4fgjjaR/eXcVcZVXLS6IZqfW+XxSTu/423RoTVY0SaXluLtAa6YozyzY4avdEKjaTbpdczw5pZPxJTugq54CM4yKquQWpIXbJuyhWoEyKvsMapVOITidjT+Q38bexP0gNiRaXhJn8t/JG8Gk5VOU9Fv+ODrkN69iQdy7z6RKhkF1fPlrm1/C9kku6Ue7StgLhLfWW3eB/zkGhyDdpL1HJeuYkNbZU0h7wv9vmGLTiEc9BIv9nsprgKuYtEVcES9nzXPSPHNvpXpLhyuxTIpDTQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=mKiuF9pY8zsVncsqlToE9xKVZH13FYRSEjYJjn3I8wY=;
 b=kIFrt3kqJ6rPUxqtn9ERv0cwUEUeXQfVYKZFMbwJcXqmiz8RDJ0uof501+X1i/kUgXCJ8jxSGI5JZx3l3u1EzbTvt/xQ5ibJOnTFuGh4JX+Dap9A+9ByNp7hr/sS4SZxcTiJhVZPEbmeurFwKK1mf8UzKRdQk/ozJjJFt+NfVQmoAHDD2cmIIRyOwq120CYE3IlnSOgZKwy7qsbcJHbIxriIC8Z/gapXhR6rDQsW0oaxwuRZWWsZOW4/uZXqVyqOFoNo83PmwsHthJcjjwJz6GCf/izTFZkfVXtSl3GDjFpSxNJzP7PUkLOhLKYY8+wN1iR4sz6pS/rKkN48o8A64w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com;
 dkim=pass header.d=oracle.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=mKiuF9pY8zsVncsqlToE9xKVZH13FYRSEjYJjn3I8wY=;
 b=gGwQSwqePNuiZdt5MyV3lagpaOcN5YWrSKocT5Nunf9PTxBE5/bM/Bv4BB1IHyI3989O5EB7tuY7852fMPKQyNsg1ywsNrpnXnVcYRApr5nBpjA1ZXULyajAa8snajOM25X8a6RHXCeR15PvROi3Ka6+L17DRVBaj9nOD8SVN2w=
Received: from BY5PR10MB4257.namprd10.prod.outlook.com (2603:10b6:a03:211::21)
 by CY4PR1001MB2375.namprd10.prod.outlook.com (2603:10b6:910:47::35) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5458.23; Mon, 1 Aug
 2022 20:25:33 +0000
Received: from BY5PR10MB4257.namprd10.prod.outlook.com
 ([fe80::d90f:4bba:3e6c:ebfd]) by BY5PR10MB4257.namprd10.prod.outlook.com
 ([fe80::d90f:4bba:3e6c:ebfd%5]) with mapi id 15.20.5482.016; Mon, 1 Aug 2022
 20:25:33 +0000
Message-ID: <984ba48c-c437-fd8e-e034-903d06b34164@oracle.com>
Date:   Mon, 1 Aug 2022 13:25:31 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0)
 Gecko/20100101 Thunderbird/91.11.0
Subject: Re: [PATCH] NFSD: fix use-after-free on source server when doing
 inter-server copy
Content-Language: en-US
To:     Jeff Layton <jlayton@kernel.org>, chuck.lever@oracle.com,
        olga.kornievskaia@gmail.com
Cc:     linux-nfs@vger.kernel.org
References: <1659298792-5735-1-git-send-email-dai.ngo@oracle.com>
 <ea6d0556198dd6b77f1ab711401ca65bc39e9912.camel@kernel.org>
 <c969d149-36be-a161-2b2a-469dbf7b9bcf@oracle.com>
 <eec78149840c74bd7b8f2ac18c9f27efb5bcd54d.camel@kernel.org>
 <e8bd29c6-7d68-716f-1ed0-9f58436371c5@oracle.com>
 <71591d59a463ec90e5687788a6e1f9ee9c72bf1c.camel@kernel.org>
From:   dai.ngo@oracle.com
In-Reply-To: <71591d59a463ec90e5687788a6e1f9ee9c72bf1c.camel@kernel.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-ClientProxiedBy: SJ0PR13CA0210.namprd13.prod.outlook.com
 (2603:10b6:a03:2c3::35) To BY5PR10MB4257.namprd10.prod.outlook.com
 (2603:10b6:a03:211::21)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: fef4bcf0-5a0d-4832-7994-08da73fbfc36
X-MS-TrafficTypeDiagnostic: CY4PR1001MB2375:EE_
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: DH8lkmQOdjtjR3f34VkxxZWqcMpQdkKaeEDF/i361viQvnwgv5iNbrJPx+T8pmLMeLLCmHQlT98PnYwILpzSTlMnz4p+hljj/STLxsTyL0MKKQ6R84DVAl60a6xvTOvlr23Q4co/4rtyuTH4sBDrwdVbS5KHn23chcUtPCaxWd5fz2O0Ws8ZWI4bHlM7LOkH8nlMxaAPAEYQ1OdmKIdD6/sm85BNY+LPtEG+jE4ZDd9/yIUnEcL0ul0h77YWA9F0HJTFtOitHCQZpb/2VxRg/YJ4kDRySG/voEybwlGU+noadQmNIr41q9ivfM+ZcI+30HoyNBnwp4Awl717iUhAc+/lFcL6D7oSFxeOFUKhHJlQpp1Zld9eaRgABkf1tw2Ezr/8bRJ9ufpFqvtrcWPzq38UaA9NVhu1/4D+4xUrGJZquNof8NwJ+VRDauNMK3R5hQAZFI3cv6eLN+DYv4fdCv+PVT2hR50M03kgGkaHWA26lwXRs8PJ89RbrJoo1rq/l1x+oRDNLryBFskstTrMc0A0Db0v/KkA7KqolgTBmXUrkHXdQ93k8bXRGcPnMK4Dzvzxd42TmZ4Ok4+m7Iwc795YXSJAr6o+0Pfu0mEPEsLYY/EHh26aWNiQ2GaEOPkhjzsg/4WKhdnnVjBHXTIV+q95X3AFys2Dq7NQSyjhvzBmgk4pt1WjzMszGEygYNYS9vLqkkGbxcgFUwhulh7Bsrqma7BHMv+30P24vRM3GzC/TqwxT/MQ7QlgKW0Bs1jrr2VAcP5MIkVxM5jwXd0IKlhFLxkxZX15LeRU3QUxJ+g=
X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:BY5PR10MB4257.namprd10.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230016)(376002)(346002)(136003)(39860400002)(396003)(366004)(316002)(41300700001)(53546011)(478600001)(6512007)(26005)(6506007)(9686003)(6486002)(31696002)(86362001)(2906002)(66476007)(4326008)(66556008)(66946007)(36756003)(8676002)(8936002)(5660300002)(38100700002)(31686004)(83380400001)(2616005)(186003)(43740500002);DIR:OUT;SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?WUV0cDRweVJFRDF5RkNRSTZYbVBOYXZMV29PYnozTm8ySVl6UkhHcGdjYXZK?=
 =?utf-8?B?MkNOb3JJQStLdVA2RGN3MkhOdjlmTWJ0bUdEdUhPSnZLVHJjK1ZSa2Y3Z291?=
 =?utf-8?B?VndUcU9QNUhoMGxHWEhRK2dpcTRzd0ZGWDFVaVVjR1g2SzFoN2xFTUxjTEFo?=
 =?utf-8?B?MVNlWCtJRTFpVTRoVVJzSHZuRHNSZmQxR01OMzFOY0FHZk1URXNmaWE3Uy9M?=
 =?utf-8?B?WDIvWDRMUjZ2dlUrdDM3VnZrYllVSGF4VFdMakpTczBCUzd1U24xYVFzcnln?=
 =?utf-8?B?Z0d4Yk9ZUXd0ajBGZUpHZk9jWS9aN3dmaEFPbU5aaGsvRG9adFN0TzdZRkxy?=
 =?utf-8?B?a05Za0Q4OFpDNFdvK0RMT1NlbW9wZjAvM2NsK1g3T2RvdWRSS2hGTmtlaVFn?=
 =?utf-8?B?b2lKUVZQTlFvbTJTNFNadEJvOTNCbkNhV21wNXQrN0M2bkRidStmcm5ZTjEv?=
 =?utf-8?B?THcvT3RuOWZSdEM0WFN0aDdyZVRab1RVYkJSVUs3ZEdxalZBUFAvU1kxWTBR?=
 =?utf-8?B?RDFoRzg0UWVLY2JRS1NFYlE0YXExQ25FZTFSSjlEQkNZNkVRVjZjYUtLRVZU?=
 =?utf-8?B?NDdNWExoNjBMMmFxQmxTYUlRY1FzNituNWh5Mm45a08yM1lqSjA2WHZHajdW?=
 =?utf-8?B?UHVvbmZ5TldqMlFlUkI0UEY5WmVhdjRhb2VIVXU0RTRNTHpmRWxxRmVqTkwz?=
 =?utf-8?B?WnFabHlGQmIrQ3hKTDBPZnQ0YUJuT1VBbzR5anRubk9mL1VIVENaTVpVRzNP?=
 =?utf-8?B?QnM1eDh2NTVsblNiUk5YUHJwdy9OUXZzeDZlVitnMk53OGxhNnczTEkwQXd1?=
 =?utf-8?B?QXk2Y1ZxNHFabVB1dDFPaFB6cmtCa0tncHRlWG5mN3JUaXBMNGYyN1IrcHVh?=
 =?utf-8?B?ek5jV2owVEp1Y2ExMUVJUmNrVnVLWGxVNkhKeU9qalNsaHVMZDN6TDltWTY2?=
 =?utf-8?B?cjg1RStDQ1BiekdSdjFjODlTM1BkMXdZZWs4N0RmZWgzU1dDMlpuSVUzYzRo?=
 =?utf-8?B?SzJ5V0xKTTRhcDNvMnZTOFRVcDNhaFBUOEY0MzZjWWRaN2ljTm41a2ZpM2pL?=
 =?utf-8?B?MlY1Zi9FZXhod1FsV0JVZnpFSSt4SkJCOGJTaVMrc1FOeTdacEtKai9XMXI3?=
 =?utf-8?B?NDBEU3dMOEQvOFRaTllUMlVDNWl4RklTWDZncFF1dncyUVErci96eVlvN2to?=
 =?utf-8?B?L0xoUnpQRzZWNUVnYlpDNXh0bXlpTXEvaWQ4MVhGUzFUNEoxcUZXamszc3pK?=
 =?utf-8?B?aVJ6Y01zb3F6TDFnaEJoc3JMTHBuajk4VGtEZGRxWnFDUWIwd1hhakhoVFNG?=
 =?utf-8?B?MUNFbE1QVkFyVzZ4bjhWd1dZRU9QSVBQYXFqMHphcFhIR1RVY0pDUytnSGZ3?=
 =?utf-8?B?VkZtdXRmR0xoT3dCazVzNTdFTzZ2aUl1clYyM21hbkxqNTRDSHZUeG93d0Mx?=
 =?utf-8?B?S1JwcmhtNm44cjE3VXlVak5pMDJ1YUQxL1JPb1BmTW9TeUFYQml6dk14anhj?=
 =?utf-8?B?VW9uUXA0ektmZkJZZUFSTm1oUjRScmtPTWdnb092c1pYaktuYzdVNkpPS3ZS?=
 =?utf-8?B?ZUF0eTZZeWlSbEJOcm1uMmdVWTBaZ2IxS0oyL2hOaHJJRUErMnRMTTV0NEZK?=
 =?utf-8?B?KzdvUFBLOURyS0RRYXhXQ0pwSUlRaWc3bzRnQVJVdGNYdEE4VkRoL0s2Q3Bs?=
 =?utf-8?B?MDRVcmpycjl6VFRxYnd2M0lZRzVjZml0SnAwbkZETVlSU2NaSU5VOFFtditV?=
 =?utf-8?B?VWUvVkNIYWlZc3d3ZUd6WG50NFdBaTliSzZnMmJFRy9Xa2sxSkxoYngrRlVm?=
 =?utf-8?B?RkgzVEMwbUczNFgrL01hSGNub21Gd0FpeUttYTZkVXlDemhjSE0wMUFvQU10?=
 =?utf-8?B?cFRwLy9LTllzSjBaSlBFUGU3bVRRaG5sQlZMVkdDeE90QXIvaGNYV1JkRjBi?=
 =?utf-8?B?WkJxclAyVWpGN0haSjYvVEY2T0JFc1A1RDNiY3FwYisydUdyVENkNEo5MGFO?=
 =?utf-8?B?dFA2eURKSUNVVkJhT0tHTUlqRVhtSHZ4aVY2R2xQZXROaVdQVmtIRnBxcEJo?=
 =?utf-8?B?NWFxV0J3QU52N1pnV1ExaERpS25uYkhuUXE2RG9zZ0JUbHcrNXpLUm5qWFZ4?=
 =?utf-8?Q?5ZzT2dbAZIUQi628oY2ZfwMCV?=
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-Network-Message-Id: fef4bcf0-5a0d-4832-7994-08da73fbfc36
X-MS-Exchange-CrossTenant-AuthSource: BY5PR10MB4257.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Aug 2022 20:25:33.3791
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: kEanEtoxVIMwApYa2fV4D/eArj1zlhqiWWGNyXly5rbzcVXdi+m54Si2CJeCt9Sy6TWRhrEogU4UkfNAJ8DCgg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR1001MB2375
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.205,Aquarius:18.0.883,Hydra:6.0.517,FMLib:17.11.122.1
 definitions=2022-08-01_11,2022-08-01_01,2022-06-22_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 mlxlogscore=999
 malwarescore=0 bulkscore=0 spamscore=0 phishscore=0 mlxscore=0
 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.12.0-2206140000 definitions=main-2208010101
X-Proofpoint-GUID: e1chsTXHAFNeaQ1hTnpFYB3093ylDbwR
X-Proofpoint-ORIG-GUID: e1chsTXHAFNeaQ1hTnpFYB3093ylDbwR
X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,RCVD_IN_DNSWL_LOW,
        RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-nfs.vger.kernel.org>
X-Mailing-List: linux-nfs@vger.kernel.org


On 8/1/22 12:26 PM, Jeff Layton wrote:
> On Mon, 2022-08-01 at 12:22 -0700, dai.ngo@oracle.com wrote:
>> On 8/1/22 12:10 PM, Jeff Layton wrote:
>>> On Mon, 2022-08-01 at 11:52 -0700, dai.ngo@oracle.com wrote:
>>>> On 8/1/22 4:47 AM, Jeff Layton wrote:
>>>>> On Sun, 2022-07-31 at 13:19 -0700, Dai Ngo wrote:
>>>>>> Use-after-free occurred when the laundromat tried to free expired
>>>>>> cpntf_state entry on the s2s_cp_stateids list after inter-server
>>>>>> copy completed. The sc_cp_list that the expired copy state was
>>>>>> inserted on was already freed.
>>>>>>
>>>>>> When COPY completes, the Linux client normally sends LOCKU(lock_state x),
>>>>>> FREE_STATEID(lock_state x) and CLOSE(open_state y) to the source server.
>>>>>> The nfs4_put_stid call from nfsd4_free_stateid cleans up the copy state
>>>>>> from the s2s_cp_stateids list before freeing the lock state's stid.
>>>>>>
>>>>>> However, sometimes the CLOSE was sent before the FREE_STATEID request.
>>>>>> When this happens, the nfsd4_close_open_stateid call from nfsd4_close
>>>>>> frees all lock states on its st_locks list without cleaning up the copy
>>>>>> state on the sc_cp_list list. When the time the FREE_STATEID arrives the
>>>>>> server returns BAD_STATEID since the lock state was freed. This causes
>>>>>> the use-after-free error to occur when the laundromat tries to free
>>>>>> the expired cpntf_state.
>>>>>>
>>>>>> This patch adds a call to nfs4_free_cpntf_statelist in
>>>>>> nfsd4_close_open_stateid to clean up the copy state before calling
>>>>>> free_ol_stateid_reaplist to free the lock state's stid on the reaplist.
>>>>>>
>>>>>> Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
>>>>>> ---
>>>>>>     fs/nfsd/nfs4state.c | 3 +++
>>>>>>     1 file changed, 3 insertions(+)
>>>>>>
>>>>>> diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
>>>>>> index 9409a0dc1b76..749f51dff5c7 100644
>>>>>> --- a/fs/nfsd/nfs4state.c
>>>>>> +++ b/fs/nfsd/nfs4state.c
>>>>>> @@ -6608,6 +6608,7 @@ static void nfsd4_close_open_stateid(struct nfs4_ol_stateid *s)
>>>>>>     	struct nfs4_client *clp = s->st_stid.sc_client;
>>>>>>     	bool unhashed;
>>>>>>     	LIST_HEAD(reaplist);
>>>>>> +	struct nfs4_ol_stateid *stp;
>>>>>>     
>>>>>>     	spin_lock(&clp->cl_lock);
>>>>>>     	unhashed = unhash_open_stateid(s, &reaplist);
>>>>>> @@ -6616,6 +6617,8 @@ static void nfsd4_close_open_stateid(struct nfs4_ol_stateid *s)
>>>>>>     		if (unhashed)
>>>>>>     			put_ol_stateid_locked(s, &reaplist);
>>>>>>     		spin_unlock(&clp->cl_lock);
>>>>>> +		list_for_each_entry(stp, &reaplist, st_locks)
>>>>>> +			nfs4_free_cpntf_statelist(clp->net, &stp->st_stid);
>>>>>>     		free_ol_stateid_reaplist(&reaplist);
>>>>>>     	} else {
>>>>>>     		spin_unlock(&clp->cl_lock);
>>>>> Nice catch.
>>>>>
>>>>> There are a number of places that call free_ol_stateid_reaplist. Is it
>>>>> really only in nfsd4_close_open_stateid that we need to do this? I
>>>>> wonder if it would be better to do this inside free_ol_stateid_reaplist
>>>>> instead so that all of those callers clean up the copy states as well?
>>>> Yes, we can do this in free_ol_stateid_reaplist too, I tested it.
>>>>
>>>> The linux client uses either delegation state or lock state to send with
>>>> the COPY_NOTIFY to the source server. If the server grants the delegation
>>>> in the OPEN then the client uses the delegation state, otherwise it sends
>>>> the LOCK to the source and uses the lock state for the COPY_NOTIFY. This
>>>> problem happens only when the lock state is used *and* the client sends
>>>> the CLOSE and FREE_STATEID out of order.
>>>>
>>>> free_ol_stateid_reaplist is called from release_open_stateid, release_openowner,
>>>> nfsd4_close_open_stateid and nfsd4_release_lockowner. Among these functions,
>>>> only nfsd4_close_open_stateid deals with lock state that may have cpntf_state
>>>> associated with it and only for the minorversion > 1 case.
>>>>
>>>> nfsd4_release_lockowner will free the lock states but if the client has
>>>> not send LOCKU yet then put_ol_stateid_locked would fail to add the lock
>>>> state on the reaplist.
>>>>
>>>> I'm ok to move it to free_ol_stateid_reaplist if you still think we should
>>>> and don't mind a little overhead on the unneeded cases.
>>>>
>>> If you think this is the only way this can happen, then the patch you
>>> have is fine. In that case though, it might be good to have something
>>> like this in free_ol_stateid_reaplist():
>>>
>>>       WARN_ON(!list_empty(&stp->sc_cp_list));
>>>
>>> ...to try and catch cases where these objects slip through the cracks
>>> after future changes.
>> Good suggestion, I'll add it to v2.
>>
> Actually, it might be better to put it in nfs4_free_ol_stateid. If we're
> freeing an open or lock stateid and this list isn't empty, then
> something is wrong.

The linux client uses only delegation or lock state for COPY_NOTIFY.
However the protocol allows for using open state with COPY_NOTIFY too,
so adding the warning in nfs4_free_ol_stateid would cover behavior of
other clients. I'll add this to v2.

-Dai
  

>