From: Jeff Layton
To: chuck.lever@oracle.com
Cc: linux-nfs@vger.kernel.org, dai.ngo@oracle.com, aglo@umich.edu
Subject: [PATCH 2/2] nfsd: clean up potential nfsd_file refcount leaks in COPY codepath
Date: Tue, 17 Jan 2023 14:38:31 -0500
Message-Id: <20230117193831.75201-3-jlayton@kernel.org>
In-Reply-To: <20230117193831.75201-1-jlayton@kernel.org>

There are two different flavors of the nfsd4_copy struct. One is
embedded in the compound and is used directly in synchronous copies. The
other is dynamically allocated, refcounted and tracked in the client
structure. For the embedded one, the cleanup just involves releasing any
nfsd_files held on its behalf. For the async one, the cleanup is a bit
more involved, and we need to dequeue it from lists, unhash it, etc.

There is at least one potential refcount leak in this code now. If the
kthread_create call fails, then both the src and dst nfsd_files in the
original nfsd4_copy object are leaked.

The cleanup in this codepath is also sort of weird. In the async copy
case, we'll have up to four nfsd_file references (src and dst for both
flavors of copy structure). They are both put at the end of
nfsd4_do_async_copy, even though the ones held on behalf of the embedded
one outlive that structure.

Change it so that we always clean up the nfsd_file refs held by the
embedded copy structure before nfsd4_copy returns. Rework
cleanup_async_copy to handle both inter and intra copies.
Eliminate nfsd4_cleanup_intra_ssc since it now becomes a no-op. Signed-off-by: Jeff Layton --- fs/nfsd/nfs4proc.c | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c index 37a9cc8ae7ae..62b9d6c1b18b 100644 --- a/fs/nfsd/nfs4proc.c +++ b/fs/nfsd/nfs4proc.c @@ -1512,7 +1512,6 @@ nfsd4_cleanup_inter_ssc(struct nfsd4_ssc_umount_item *nsui, struct file *filp, long timeout = msecs_to_jiffies(nfsd4_ssc_umount_timeout); nfs42_ssc_close(filp); - nfsd_file_put(dst); fput(filp); spin_lock(&nn->nfsd_ssc_lock); @@ -1562,13 +1561,6 @@ nfsd4_setup_intra_ssc(struct svc_rqst *rqstp, ©->nf_dst); } -static void -nfsd4_cleanup_intra_ssc(struct nfsd_file *src, struct nfsd_file *dst) -{ - nfsd_file_put(src); - nfsd_file_put(dst); -} - static void nfsd4_cb_offload_release(struct nfsd4_callback *cb) { struct nfsd4_cb_offload *cbo = @@ -1683,12 +1675,18 @@ static void dup_copy_fields(struct nfsd4_copy *src, struct nfsd4_copy *dst) dst->ss_nsui = src->ss_nsui; } +static void release_copy_files(struct nfsd4_copy *copy) +{ + if (copy->nf_src) + nfsd_file_put(copy->nf_src); + if (copy->nf_dst) + nfsd_file_put(copy->nf_dst); +} + static void cleanup_async_copy(struct nfsd4_copy *copy) { nfs4_free_copy_state(copy); - nfsd_file_put(copy->nf_dst); - if (!nfsd4_ssc_is_inter(copy)) - nfsd_file_put(copy->nf_src); + release_copy_files(copy); spin_lock(©->cp_clp->async_lock); list_del(©->copies); spin_unlock(©->cp_clp->async_lock); @@ -1748,7 +1746,6 @@ static int nfsd4_do_async_copy(void *data) } else { nfserr = nfsd4_do_copy(copy, copy->nf_src->nf_file, copy->nf_dst->nf_file, false); - nfsd4_cleanup_intra_ssc(copy->nf_src, copy->nf_dst); } do_callback: 
@@ -1811,9 +1808,9 @@ nfsd4_copy(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, } else { status = nfsd4_do_copy(copy, copy->nf_src->nf_file, copy->nf_dst->nf_file, true); - nfsd4_cleanup_intra_ssc(copy->nf_src, copy->nf_dst); } out: + release_copy_files(copy); return status; out_err: if (async_copy) -- 2.39.0
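Review bot: In nfsd4_cleanup_inter_ssc(), dropping nfsd_file_put(dst) leaves nothing in the visible body that still uses dst, so if the rest of the function does not touch it either, the parameter is now dead. Consider removing it from the signature and from the callers in this same patch, so the prototype no longer suggests that this function owns the destination reference.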
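Review bot: In cleanup_async_copy(), the old code skipped the nf_src put when nfsd4_ssc_is_inter(copy) was true, while release_copy_files() now puts nf_src whenever it is non-NULL. That is only correct if an async inter copy has nf_src either NULL or holding a reference that this structure owns at every point where cleanup_async_copy() can run. A short comment above release_copy_files() stating that invariant would make the changed behaviour explicit for the inter case.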
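Review bot: At the out: label in nfsd4_copy(), release_copy_files(copy) now runs on every exit through that label, but release_copy_files() leaves copy->nf_src and copy->nf_dst pointing at the files it has just put. If any path drops one of these references earlier and then reaches out:, or if the helper is ever called twice on the same structure, the NULL checks will not catch it and the nfsd_file is put twice. Setting each pointer to NULL right after its nfsd_file_put() in release_copy_files() would make the helper safe to call unconditionally.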