linux-next

mirror of https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git synced 2025-01-01 10:42:11 +00:00

The linux-next integration testing tree

Go to file

Yang Erkun 98100e88dd nfsd: fix nfs4_openowner leak when concurrent nfsd4_open occur The action force umount(umount -f) will attempt to kill all rpc_task even umount operation may ultimately fail if some files remain open. Consequently, if an action attempts to open a file, it can potentially send two rpc_task to nfs server. NFS CLIENT thread1 thread2 open("file") ... nfs4_do_open _nfs4_do_open _nfs4_open_and_get_state _nfs4_proc_open nfs4_run_open_task /* rpc_task1 / rpc_run_task rpc_wait_for_completion_task umount -f nfs_umount_begin rpc_killall_tasks rpc_signal_task rpc_task1 been wakeup and return -512 _nfs4_do_open // while loop ... nfs4_run_open_task / rpc_task2 */ rpc_run_task rpc_wait_for_completion_task While processing an open request, nfsd will first attempt to find or allocate an nfs4_openowner. If it finds an nfs4_openowner that is not marked as NFS4_OO_CONFIRMED, this nfs4_openowner will released. Since two rpc_task can attempt to open the same file simultaneously from the client to server, and because two instances of nfsd can run concurrently, this situation can lead to lots of memory leak. Additionally, when we echo 0 to /proc/fs/nfsd/threads, warning will be triggered. NFS SERVER nfsd1 nfsd2 echo 0 > /proc/fs/nfsd/threads nfsd4_open nfsd4_process_open1 find_or_alloc_open_stateowner // alloc oo1, stateid1 nfsd4_open nfsd4_process_open1 find_or_alloc_open_stateowner // find oo1, without NFS4_OO_CONFIRMED release_openowner unhash_openowner_locked list_del_init(&oo->oo_perclient) // cannot find this oo // from client, LEAK!!! alloc_stateowner // alloc oo2 nfsd4_process_open2 init_open_stateid // associate oo1 // with stateid1, stateid1 LEAK!!! nfs4_get_vfs_file // alloc nfsd_file1 and nfsd_file_mark1 // all LEAK!!! nfsd4_process_open2 ... write_threads ... nfsd_destroy_serv nfsd_shutdown_net nfs4_state_shutdown_net nfs4_state_destroy_net destroy_client __destroy_client // won't find oo1!!! nfsd_shutdown_generic nfsd_file_cache_shutdown kmem_cache_destroy for nfsd_file_slab and nfsd_file_mark_slab // bark since nfsd_file1 // and nfsd_file_mark1 // still alive ======================================================================= BUG nfsd_file (Not tainted): Objects remaining in nfsd_file on __kmem_cache_shutdown() ----------------------------------------------------------------------- Slab 0xffd4000004438a80 objects=34 used=1 fp=0xff11000110e2ad28 flags=0x17ffffc0000240(workingset\|head\|node=0\|zone=2\|lastcpupid=0x1fffff) CPU: 4 UID: 0 PID: 757 Comm: sh Not tainted 6.12.0-rc6+ #19 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x53/0x70 slab_err+0xb0/0xf0 __kmem_cache_shutdown+0x15c/0x310 kmem_cache_destroy+0x66/0x160 nfsd_file_cache_shutdown+0xac/0x210 [nfsd] nfsd_destroy_serv+0x251/0x2a0 [nfsd] nfsd_svc+0x125/0x1e0 [nfsd] write_threads+0x16a/0x2a0 [nfsd] nfsctl_transaction_write+0x74/0xa0 [nfsd] vfs_write+0x1ae/0x6d0 ksys_write+0xc1/0x160 do_syscall_64+0x5f/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Disabling lock debugging due to kernel taint Object 0xff11000110e2ac38 @offset=3128 Allocated in nfsd_file_do_acquire+0x20f/0xa30 [nfsd] age=1635 cpu=3 pid=800 nfsd_file_do_acquire+0x20f/0xa30 [nfsd] nfsd_file_acquire_opened+0x5f/0x90 [nfsd] nfs4_get_vfs_file+0x4c9/0x570 [nfsd] nfsd4_process_open2+0x713/0x1070 [nfsd] nfsd4_open+0x74b/0x8b0 [nfsd] nfsd4_proc_compound+0x70b/0xc20 [nfsd] nfsd_dispatch+0x1b4/0x3a0 [nfsd] svc_process_common+0x5b8/0xc50 [sunrpc] svc_process+0x2ab/0x3b0 [sunrpc] svc_handle_xprt+0x681/0xa20 [sunrpc] nfsd+0x183/0x220 [nfsd] kthread+0x199/0x1e0 ret_from_fork+0x31/0x60 ret_from_fork_asm+0x1a/0x30 Add nfs4_openowner_unhashed to help found unhashed nfs4_openowner, and break nfsd4_open process to fix this problem. Cc: stable@vger.kernel.org # v5.4+ Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Yang Erkun <yangerkun@huawei.com> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>		2024-11-18 20:23:12 -05:00
arch	20 hotfixes, 14 of which are cc:stable.	2024-11-10 09:04:27 -08:00
block	block-6.12-20241101	2024-11-01 13:41:55 -10:00
certs	sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3	2024-09-20 19:52:48 +03:00
crypto	This push fixes the following issues:	2024-10-16 08:42:54 -07:00
Documentation	20 hotfixes, 14 of which are cc:stable.	2024-11-10 09:04:27 -08:00
drivers	A handful of Qualcomm clk driver fixes:	2024-11-10 14:16:28 -08:00
fs	nfsd: fix nfs4_openowner leak when concurrent nfsd4_open occur	2024-11-18 20:23:12 -05:00
include	lockd: Remove unused parameter to nlmsvc_testlock()	2024-11-18 20:23:04 -05:00
init	cfi: fix conditions for HAVE_CFI_ICALL_NORMALIZE_INTEGERS	2024-10-13 22:23:13 +02:00
io_uring	io_uring/rw: fix missing NOWAIT check for O_DIRECT start write	2024-10-31 08:21:02 -06:00
ipc	struct fd layout change (and conversion to accessor helpers)	2024-09-23 09:35:36 -07:00
kernel	20 hotfixes, 14 of which are cc:stable.	2024-11-10 09:04:27 -08:00
lib	objpool: fix to make percpu slot allocation more robust	2024-11-07 14:14:58 -08:00
LICENSES	LICENSES: add 0BSD license text	2024-09-01 20:43:24 -07:00
mm	filemap: Fix bounds checking in filemap_read()	2024-11-10 14:07:08 -08:00
net	svcrdma: fix miss destroy percpu_counter in svc_rdma_proc_init()	2024-11-18 20:23:07 -05:00
rust	Driver core fix for 6.12-rc3	2024-10-13 09:10:52 -07:00
samples	[tree-wide] finally take no_llseek out	2024-09-27 08:18:43 -07:00
scripts	Kbuild fixes for v6.12 (2nd)	2024-11-03 08:29:02 -10:00
security	KEYS: trusted: dcp: fix NULL dereference in AEAD crypto operation	2024-11-04 21:24:24 +02:00
sound	ASoC: Fixes for v6.12	2024-11-08 09:25:33 +01:00
tools	xdrgen: Remove program_stat_to_errno() call sites	2024-11-18 20:23:07 -05:00
usr	initramfs: shorten cmd_initfs in usr/Makefile	2024-07-16 01:07:52 +09:00
virt	ARM64:	2024-10-21 11:22:04 -07:00
.clang-format	clang-format: Update with v6.11-rc1's `for_each` macro list	2024-08-02 13:20:31 +02:00
.cocciconfig	scripts: add Linux .cocciconfig for coccinelle	2016-07-22 12:13:39 +02:00
.editorconfig	.editorconfig: remove trim_trailing_whitespace option	2024-06-13 16:47:52 +02:00
.get_maintainer.ignore	Add Jeff Kirsher to .get_maintainer.ignore	2024-03-08 11:36:54 +00:00
.gitattributes	.gitattributes: set diff driver for Rust source code files	2023-05-31 17:48:25 +02:00
.gitignore	Kbuild updates for v6.12	2024-09-24 13:02:06 -07:00
.mailmap	mailmap: add entry for Thorsten Blum	2024-11-07 14:14:59 -08:00
.rustfmt.toml	rust: add `.rustfmt.toml`	2022-09-28 09:02:20 +02:00
COPYING	COPYING: state that all contributions really are covered by this file	2020-02-10 13:32:20 -08:00
CREDITS	MAINTAINERS: Remove self from DSA entry	2024-11-03 12:52:38 -08:00
Kbuild	Kbuild updates for v6.1	2022-10-10 12:00:45 -07:00
Kconfig	kbuild: ensure full rebuild when the compiler is updated	2020-05-12 13:28:33 +09:00
MAINTAINERS	xdrgen: Add a utility for extracting XDR from RFCs	2024-11-18 20:22:59 -05:00
Makefile	Linux 6.12-rc7	2024-11-10 14:19:35 -08:00
README	README: Fix spelling	2024-03-18 03:36:32 -06:00

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the reStructuredText markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.