References: <1659298792-5735-1-git-send-email-dai.ngo@oracle.com> <37585D43-78F3-4132-8ADF-D11BD11DDCD4@oracle.com>
In-Reply-To: <37585D43-78F3-4132-8ADF-D11BD11DDCD4@oracle.com>
From: Olga Kornievskaia
Date: Thu, 11 Aug 2022 09:34:12 -0400
Subject: Re: [PATCH] NFSD: fix use-after-free on source server when doing inter-server copy
To: Chuck Lever III
Cc: Dai Ngo, Linux NFS Mailing List
X-Mailing-List: linux-nfs@vger.kernel.org

On Mon, Aug 1, 2022 at 12:29 PM Chuck Lever III wrote:
>
> >
> > On Jul 31, 2022, at 4:19 PM, Dai Ngo wrote:
> >
> > Use-after-free occurred when the laundromat tried to free an expired
> > cpntf_state entry on the s2s_cp_stateids list after inter-server
> > copy completed. The sc_cp_list that the expired copy state was
> > inserted on was already freed.
> >
> > When COPY completes, the Linux client normally sends LOCKU(lock_state x),
> > FREE_STATEID(lock_state x) and CLOSE(open_state y) to the source server.
> > The nfs4_put_stid call from nfsd4_free_stateid cleans up the copy state
> > from the s2s_cp_stateids list before freeing the lock state's stid.
> >
> > However, sometimes the CLOSE was sent before the FREE_STATEID request.
> > When this happens, the nfsd4_close_open_stateid call from nfsd4_close
> > frees all lock states on its st_locks list without cleaning up the copy
> > state on the sc_cp_list list. By the time the FREE_STATEID arrives the
> > server returns BAD_STATEID since the lock state was freed. This causes
> > the use-after-free error to occur when the laundromat tries to free
> > the expired cpntf_state.
> >
> > This patch adds a call to nfs4_free_cpntf_statelist in
> > nfsd4_close_open_stateid to clean up the copy state before calling
> > free_ol_stateid_reaplist to free the lock state's stid on the reaplist.
> >
> > Signed-off-by: Dai Ngo
>
> I'm interested in Olga's comments as well, so I'm going to
> wait a bit before applying this one.

Sorry folks, I totally missed this thread.... I was on vacation, came
back and started working on this after running into the oops with
Chuck's new patch set.. Well, as you saw from my other post, my
solution is different and suggests putting cleanup of the copy_notify
states together with idr_remove() of the stateid it was associated with.

> Also, did you figure out where this crash started to occur?
> I'd like to have a precise sense of whether this should be
> backported.

I'm not going to claim this is the first occurrence, but Jorge first ran
into this while testing ssc over iwarp on the 5.15-rc4 kernel.

> >
> > ---
> > fs/nfsd/nfs4state.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
> > index 9409a0dc1b76..749f51dff5c7 100644
> > --- a/fs/nfsd/nfs4state.c
> > +++ b/fs/nfsd/nfs4state.c
> > @@ -6608,6 +6608,7 @@ static void nfsd4_close_open_stateid(struct nfs4_ol_stateid *s)
> > struct nfs4_client *clp = s->st_stid.sc_client;
> > bool unhashed;
> > LIST_HEAD(reaplist);
> > + struct nfs4_ol_stateid *stp;
> >
> > spin_lock(&clp->cl_lock);
> > unhashed = unhash_open_stateid(s, &reaplist);
> > @@ -6616,6 +6617,8 @@ static void nfsd4_close_open_stateid(struct nfs4_ol_stateid *s)
> > if (unhashed)
> > put_ol_stateid_locked(s, &reaplist);
> > spin_unlock(&clp->cl_lock);
> > + list_for_each_entry(stp, &reaplist, st_locks)
> > + nfs4_free_cpntf_statelist(clp->net, &stp->st_stid);
> > free_ol_stateid_reaplist(&reaplist);
> > } else {
> > spin_unlock(&clp->cl_lock);
> > --
> > 2.9.5
> >
>
> --
> Chuck Lever
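Review bot: the first hunk only adds the `struct nfs4_ol_stateid *stp;` declaration, which is fine, but the patch as a whole carries no Fixes: tag, and that is exactly what Chuck's question about where the crash started and whether to backport is asking for. The reply places the first sighting on 5.15-rc4 with ssc over iwarp; bisect to the commit that left nfsd4_free_stateid as the only place copy-notify state is cleaned up, cite it in a Fixes: line, and add Cc: stable@vger.kernel.org if the backport is wanted, so the commit message answers the question instead of the thread.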
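Review bot: the cleanup in the second hunk is bolted onto one caller of free_ol_stateid_reaplist, so any other path that drops lock stateids onto a reaplist and frees them without going through nfsd4_free_stateid leaves the same dangling sc_cp_list entries behind; the trailing context already shows an `} else {` branch of this very function that is not touched. The reply's proposal, doing the copy-notify cleanup together with idr_remove() of the stateid, covers every release path in one place and is the safer shape. Two smaller points on the same lines: `put_ol_stateid_locked(s, &reaplist)` hands the open stateid `s` to the reaplist as well, so `list_for_each_entry(stp, &reaplist, st_locks)` visits the open stateid and not only "the lock state's stid" that the commit message names, which should be said there; and the loop runs after `spin_unlock(&clp->cl_lock)`, so the comment should state which lock nfs4_free_cpntf_statelist takes to guard sc_cp_list, since cl_lock no longer does.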
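The ordering bug the commit message describes, as an added example that is not code from the patch, the thread, or fs/nfsd: a user-space model in C of the two lists involved and of the laundromat pass that walks them. The names (struct stid, struct cpntf_state, free_reaplist, close_before_free_stateid) are assumptions that only loosely mirror nfs4state.c, s2s_cp_stateids is modelled as a plain list rather than the kernel's structure, and kfree() is replaced by a freed flag so the laundromat can count the references it would follow into dead memory instead of dereferencing them.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Minimal intrusive list shaped like the kernel's struct list_head. */
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h)
{ n->next = h->next; n->prev = h; h->next->prev = n; h->next = n; }
static void list_del(struct list_head *n)
{ n->prev->next = n->next; n->next->prev = n->prev; list_init(n); }
#define list_entry(p, type, member) ((type *)((char *)(p) - offsetof(type, member)))

/* Model of an open or lock stateid (assumed name). "freed" stands in for
 * kfree() so references into a dead stateid can be counted, not followed. */
struct stid {
	struct list_head st_locks;   /* link on the lock list or the reaplist */
	struct list_head sc_cp_list; /* copy-notify entries granted on this stateid */
	bool freed;
};

/* Model of nfs4_cpntf_state: on the global expiry list and on its parent. */
struct cpntf_state {
	struct list_head cp_global;  /* s2s_cp_stateids, modelled as a plain list (assumption) */
	struct list_head cp_list;    /* link on the parent's sc_cp_list */
	struct stid *cp_p_stid;
};

static struct stid *new_stid(void)
{
	struct stid *s = calloc(1, sizeof(*s));
	if (!s) abort();
	list_init(&s->st_locks); list_init(&s->sc_cp_list);
	return s;
}

/* COPY_NOTIFY: record the copy state on the global list and on its parent. */
static void grant_copy_notify(struct list_head *s2s_cp_stateids, struct stid *parent)
{
	struct cpntf_state *cps = calloc(1, sizeof(*cps));
	if (!cps) abort();
	cps->cp_p_stid = parent;
	list_add(&cps->cp_global, s2s_cp_stateids);
	list_add(&cps->cp_list, &parent->sc_cp_list);
}

/* Stand-in for nfs4_free_cpntf_statelist(): unlink and free every copy state
 * hanging off a stateid while the stateid is still alive. */
static void free_cpntf_statelist(struct stid *s)
{
	while (s->sc_cp_list.next != &s->sc_cp_list) {
		struct cpntf_state *cps = list_entry(s->sc_cp_list.next, struct cpntf_state, cp_list);
		list_del(&cps->cp_list);
		list_del(&cps->cp_global);
		free(cps);
	}
}

/* Stand-in for free_ol_stateid_reaplist(); "fixed" adds the cleanup the patch inserts. */
static void free_reaplist(struct list_head *reaplist, bool fixed)
{
	while (reaplist->next != reaplist) {
		struct stid *s = list_entry(reaplist->next, struct stid, st_locks);
		list_del(&s->st_locks);
		if (fixed)
			free_cpntf_statelist(s);
		s->freed = true; /* the real code kfree()s the stid here */
	}
}

/* The laundromat's view when entries expire: follow each entry back to its
 * parent. Returns how many parents are already freed, i.e. how many
 * use-after-free accesses a real list_del() on cp_list would make. */
static int laundromat_dangling(struct list_head *s2s_cp_stateids)
{
	int n = 0;
	for (struct list_head *p = s2s_cp_stateids->next; p != s2s_cp_stateids; p = p->next)
		n += list_entry(p, struct cpntf_state, cp_global)->cp_p_stid->freed;
	return n;
}

/* CLOSE arriving before FREE_STATEID: open stateid y and its lock stateids are
 * put on a reaplist and freed together, as in nfsd4_close_open_stateid(). */
int close_before_free_stateid(bool fixed)
{
	struct list_head s2s_cp_stateids, reaplist;
	struct stid *ostp = new_stid(), *lock1 = new_stid(), *lock2 = new_stid();
	int dangling;

	list_init(&s2s_cp_stateids); list_init(&reaplist);
	grant_copy_notify(&s2s_cp_stateids, lock1); /* COPY_NOTIFY on lock_state x */
	grant_copy_notify(&s2s_cp_stateids, lock2);
	/* unhash_open_stateid()/put_ol_stateid_locked(): everything lands on the reaplist */
	list_add(&lock1->st_locks, &reaplist);
	list_add(&lock2->st_locks, &reaplist);
	list_add(&ostp->st_locks, &reaplist);
	free_reaplist(&reaplist, fixed);
	dangling = laundromat_dangling(&s2s_cp_stateids);
	/* the model never really freed the stids, so leftovers can be reclaimed */
	free_cpntf_statelist(lock1); free_cpntf_statelist(lock2);
	free(ostp); free(lock1); free(lock2);
	return dangling;
}
```

close_before_free_stateid(false) returns 2, one for each lock stateid whose copy-notify entry still points at it after the reaplist was freed; close_before_free_stateid(true) returns 0 because free_cpntf_statelist() ran while the stateid was still alive. The invariant the patch restores is that no entry on the global expiry list may outlive the stateid it hangs off, which is also why the reply argues the cleanup belongs wherever the stateid itself is torn down rather than at a single caller.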