tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge tag 'nfs-for-3.14-4' of git://git.linux-nfs.org/projects/trondmy/linux-nfs

Pull NFS client bugfixes from Trond Myklebust:
"Highlights include stable fixes for the following bugs:

- General performance regression due to NFS_INO_INVALID_LABEL being
set when the server doesn't support labeled NFS
- Hang in the RPC code due to a socket out-of-buffer race
- Infinite loop when trying to establish the NFSv4 lease
- Use-after-free bug in the RPCSEC gss code.
- nfs4_select_rw_stateid is returning with a non-zero error value on
success

Other bug fixes:

- Potential memory scribble in the RPC bi-directional RPC code
- Pipe version reference leak
- Use the correct net namespace in the new NFSv4 migration code"

* tag 'nfs-for-3.14-4' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
NFS fix error return in nfs4_select_rw_stateid
NFSv4: Use the correct net namespace in nfs4_update_server
SUNRPC: Fix a pipe_version reference leak
SUNRPC: Ensure that gss_auth isn't freed before its upcall messages
SUNRPC: Fix potential memory scribble in xprt_free_bc_request()
SUNRPC: Fix races in xs_nospace()
SUNRPC: Don't create a gss auth cache unless rpc.gssd is running
NFS: Do not set NFS_INO_INVALID_LABEL unless server supports labeled NFS

Linus Torvalds e95003c3 981adacd

+60 -21
+10 -4
fs/nfs/inode.c
··· 164 164 if (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode)) { 165 165 nfs_fscache_invalidate(inode); 166 166 nfsi->cache_validity |= NFS_INO_INVALID_ATTR 167 - | NFS_INO_INVALID_LABEL 168 167 | NFS_INO_INVALID_DATA 169 168 | NFS_INO_INVALID_ACCESS 170 169 | NFS_INO_INVALID_ACL 171 170 | NFS_INO_REVAL_PAGECACHE; 172 171 } else 173 172 nfsi->cache_validity |= NFS_INO_INVALID_ATTR 174 - | NFS_INO_INVALID_LABEL 175 173 | NFS_INO_INVALID_ACCESS 176 174 | NFS_INO_INVALID_ACL 177 175 | NFS_INO_REVAL_PAGECACHE; 176 + nfs_zap_label_cache_locked(nfsi); 178 177 } 179 178 180 179 void nfs_zap_caches(struct inode *inode) ··· 265 266 } 266 267 267 268 #ifdef CONFIG_NFS_V4_SECURITY_LABEL 269 + static void nfs_clear_label_invalid(struct inode *inode) 270 + { 271 + spin_lock(&inode->i_lock); 272 + NFS_I(inode)->cache_validity &= ~NFS_INO_INVALID_LABEL; 273 + spin_unlock(&inode->i_lock); 274 + } 275 + 268 276 void nfs_setsecurity(struct inode *inode, struct nfs_fattr *fattr, 269 277 struct nfs4_label *label) 270 278 { ··· 289 283 __func__, 290 284 (char *)label->label, 291 285 label->len, error); 286 + nfs_clear_label_invalid(inode); 292 287 } 293 288 } 294 289 ··· 1655 1648 inode->i_blocks = fattr->du.nfs2.blocks; 1656 1649 1657 1650 /* Update attrtimeo value if we're out of the unstable period */ 1658 - if (invalid & (NFS_INO_INVALID_ATTR|NFS_INO_INVALID_LABEL)) { 1651 + if (invalid & NFS_INO_INVALID_ATTR) { 1659 1652 nfs_inc_stats(inode, NFSIOS_ATTRINVALIDATE); 1660 1653 nfsi->attrtimeo = NFS_MINATTRTIMEO(inode); 1661 1654 nfsi->attrtimeo_timestamp = now; ··· 1668 1661 } 1669 1662 } 1670 1663 invalid &= ~NFS_INO_INVALID_ATTR; 1671 - invalid &= ~NFS_INO_INVALID_LABEL; 1672 1664 /* Don't invalidate the data if we were to blame */ 1673 1665 if (!(S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode) 1674 1666 || S_ISLNK(inode->i_mode)))
+11 -1
fs/nfs/internal.h
··· 176 176 extern struct nfs_server *nfs4_create_referral_server(struct nfs_clone_mount *, 177 177 struct nfs_fh *); 178 178 extern int nfs4_update_server(struct nfs_server *server, const char *hostname, 179 - struct sockaddr *sap, size_t salen); 179 + struct sockaddr *sap, size_t salen, 180 + struct net *net); 180 181 extern void nfs_free_server(struct nfs_server *server); 181 182 extern struct nfs_server *nfs_clone_server(struct nfs_server *, 182 183 struct nfs_fh *, ··· 280 279 } 281 280 return; 282 281 } 282 + 283 + static inline void nfs_zap_label_cache_locked(struct nfs_inode *nfsi) 284 + { 285 + if (nfs_server_capable(&nfsi->vfs_inode, NFS_CAP_SECURITY_LABEL)) 286 + nfsi->cache_validity |= NFS_INO_INVALID_LABEL; 287 + } 283 288 #else 284 289 static inline struct nfs4_label *nfs4_label_alloc(struct nfs_server *server, gfp_t flags) { return NULL; } 285 290 static inline void nfs4_label_free(void *label) {} 291 + static inline void nfs_zap_label_cache_locked(struct nfs_inode *nfsi) 292 + { 293 + } 286 294 #endif /* CONFIG_NFS_V4_SECURITY_LABEL */ 287 295 288 296 /* proc.c */
+4 -3
fs/nfs/nfs4client.c
··· 1135 1135 * @hostname: new end-point's hostname 1136 1136 * @sap: new end-point's socket address 1137 1137 * @salen: size of "sap" 1138 + * @net: net namespace 1138 1139 * 1139 1140 * The nfs_server must be quiescent before this function is invoked. 1140 1141 * Either its session is drained (NFSv4.1+), or its transport is ··· 1144 1143 * Returns zero on success, or a negative errno value. 1145 1144 */ 1146 1145 int nfs4_update_server(struct nfs_server *server, const char *hostname, 1147 - struct sockaddr *sap, size_t salen) 1146 + struct sockaddr *sap, size_t salen, struct net *net) 1148 1147 { 1149 1148 struct nfs_client *clp = server->nfs_client; 1150 1149 struct rpc_clnt *clnt = server->client; 1151 1150 struct xprt_create xargs = { 1152 1151 .ident = clp->cl_proto, 1153 - .net = &init_net, 1152 + .net = net, 1154 1153 .dstaddr = sap, 1155 1154 .addrlen = salen, 1156 1155 .servername = hostname, ··· 1190 1189 error = nfs4_set_client(server, hostname, sap, salen, buf, 1191 1190 clp->cl_rpcclient->cl_auth->au_flavor, 1192 1191 clp->cl_proto, clnt->cl_timeout, 1193 - clp->cl_minorversion, clp->cl_net); 1192 + clp->cl_minorversion, net); 1194 1193 nfs_put_client(clp); 1195 1194 if (error != 0) { 1196 1195 nfs_server_insert_lists(server);
+6 -6
fs/nfs/nfs4namespace.c
··· 121 121 } 122 122 123 123 static size_t nfs_parse_server_name(char *string, size_t len, 124 - struct sockaddr *sa, size_t salen, struct nfs_server *server) 124 + struct sockaddr *sa, size_t salen, struct net *net) 125 125 { 126 - struct net *net = rpc_net_ns(server->client); 127 126 ssize_t ret; 128 127 129 128 ret = rpc_pton(net, string, len, sa, salen); ··· 222 223 const struct nfs4_fs_location *location) 223 224 { 224 225 const size_t addr_bufsize = sizeof(struct sockaddr_storage); 226 + struct net *net = rpc_net_ns(NFS_SB(mountdata->sb)->client); 225 227 struct vfsmount *mnt = ERR_PTR(-ENOENT); 226 228 char *mnt_path; 227 229 unsigned int maxbuflen; ··· 248 248 continue; 249 249 250 250 mountdata->addrlen = nfs_parse_server_name(buf->data, buf->len, 251 - mountdata->addr, addr_bufsize, 252 - NFS_SB(mountdata->sb)); 251 + mountdata->addr, addr_bufsize, net); 253 252 if (mountdata->addrlen == 0) 254 253 continue; 255 254 ··· 418 419 const struct nfs4_fs_location *location) 419 420 { 420 421 const size_t addr_bufsize = sizeof(struct sockaddr_storage); 422 + struct net *net = rpc_net_ns(server->client); 421 423 struct sockaddr *sap; 422 424 unsigned int s; 423 425 size_t salen; ··· 440 440 continue; 441 441 442 442 salen = nfs_parse_server_name(buf->data, buf->len, 443 - sap, addr_bufsize, server); 443 + sap, addr_bufsize, net); 444 444 if (salen == 0) 445 445 continue; 446 446 rpc_set_port(sap, NFS_PORT); ··· 450 450 if (hostname == NULL) 451 451 break; 452 452 453 - error = nfs4_update_server(server, hostname, sap, salen); 453 + error = nfs4_update_server(server, hostname, sap, salen, net); 454 454 kfree(hostname); 455 455 if (error == 0) 456 456 break;
+4 -1
fs/nfs/nfs4state.c
··· 1015 1015 if (ret == -EIO) 1016 1016 /* A lost lock - don't even consider delegations */ 1017 1017 goto out; 1018 - if (nfs4_copy_delegation_stateid(dst, state->inode, fmode)) 1018 + /* returns true if delegation stateid found and copied */ 1019 + if (nfs4_copy_delegation_stateid(dst, state->inode, fmode)) { 1020 + ret = 0; 1019 1021 goto out; 1022 + } 1020 1023 if (ret != -ENOENT) 1021 1024 /* nfs4_copy_delegation_stateid() didn't over-write 1022 1025 * dst, so it still has the lock stateid which we now
+16 -3
net/sunrpc/auth_gss/auth_gss.c
··· 108 108 static DEFINE_SPINLOCK(pipe_version_lock); 109 109 static struct rpc_wait_queue pipe_version_rpc_waitqueue; 110 110 static DECLARE_WAIT_QUEUE_HEAD(pipe_version_waitqueue); 111 + static void gss_put_auth(struct gss_auth *gss_auth); 111 112 112 113 static void gss_free_ctx(struct gss_cl_ctx *); 113 114 static const struct rpc_pipe_ops gss_upcall_ops_v0; ··· 321 320 if (gss_msg->ctx != NULL) 322 321 gss_put_ctx(gss_msg->ctx); 323 322 rpc_destroy_wait_queue(&gss_msg->rpc_waitqueue); 323 + gss_put_auth(gss_msg->auth); 324 324 kfree(gss_msg); 325 325 } 326 326 ··· 500 498 default: 501 499 err = gss_encode_v1_msg(gss_msg, service_name, gss_auth->target_name); 502 500 if (err) 503 - goto err_free_msg; 501 + goto err_put_pipe_version; 504 502 }; 503 + kref_get(&gss_auth->kref); 505 504 return gss_msg; 505 + err_put_pipe_version: 506 + put_pipe_version(gss_auth->net); 506 507 err_free_msg: 507 508 kfree(gss_msg); 508 509 err: ··· 996 991 gss_auth->service = gss_pseudoflavor_to_service(gss_auth->mech, flavor); 997 992 if (gss_auth->service == 0) 998 993 goto err_put_mech; 994 + if (!gssd_running(gss_auth->net)) 995 + goto err_put_mech; 999 996 auth = &gss_auth->rpc_auth; 1000 997 auth->au_cslack = GSS_CRED_SLACK >> 2; 1001 998 auth->au_rslack = GSS_VERF_SLACK >> 2; ··· 1069 1062 } 1070 1063 1071 1064 static void 1065 + gss_put_auth(struct gss_auth *gss_auth) 1066 + { 1067 + kref_put(&gss_auth->kref, gss_free_callback); 1068 + } 1069 + 1070 + static void 1072 1071 gss_destroy(struct rpc_auth *auth) 1073 1072 { 1074 1073 struct gss_auth *gss_auth = container_of(auth, ··· 1095 1082 gss_auth->gss_pipe[1] = NULL; 1096 1083 rpcauth_destroy_credcache(auth); 1097 1084 1098 - kref_put(&gss_auth->kref, gss_free_callback); 1085 + gss_put_auth(gss_auth); 1099 1086 } 1100 1087 1101 1088 /* ··· 1266 1253 call_rcu(&cred->cr_rcu, gss_free_cred_callback); 1267 1254 if (ctx) 1268 1255 gss_put_ctx(ctx); 1269 - kref_put(&gss_auth->kref, gss_free_callback); 1256 + gss_put_auth(gss_auth); 1270 1257 } 1271 1258 1272 1259 static void
+4 -2
net/sunrpc/backchannel_rqst.c
··· 64 64 free_page((unsigned long)xbufp->head[0].iov_base); 65 65 xbufp = &req->rq_snd_buf; 66 66 free_page((unsigned long)xbufp->head[0].iov_base); 67 - list_del(&req->rq_bc_pa_list); 68 67 kfree(req); 69 68 } 70 69 ··· 167 168 /* 168 169 * Memory allocation failed, free the temporary list 169 170 */ 170 - list_for_each_entry_safe(req, tmp, &tmp_list, rq_bc_pa_list) 171 + list_for_each_entry_safe(req, tmp, &tmp_list, rq_bc_pa_list) { 172 + list_del(&req->rq_bc_pa_list); 171 173 xprt_free_allocation(req); 174 + } 172 175 173 176 dprintk("RPC: setup backchannel transport failed\n"); 174 177 return -ENOMEM; ··· 199 198 xprt_dec_alloc_count(xprt, max_reqs); 200 199 list_for_each_entry_safe(req, tmp, &xprt->bc_pa_list, rq_bc_pa_list) { 201 200 dprintk("RPC: req=%p\n", req); 201 + list_del(&req->rq_bc_pa_list); 202 202 xprt_free_allocation(req); 203 203 if (--max_reqs == 0) 204 204 break;
+5 -1
net/sunrpc/xprtsock.c
··· 510 510 struct rpc_rqst *req = task->tk_rqstp; 511 511 struct rpc_xprt *xprt = req->rq_xprt; 512 512 struct sock_xprt *transport = container_of(xprt, struct sock_xprt, xprt); 513 + struct sock *sk = transport->inet; 513 514 int ret = -EAGAIN; 514 515 515 516 dprintk("RPC: %5u xmit incomplete (%u left of %u)\n", ··· 528 527 * window size 529 528 */ 530 529 set_bit(SOCK_NOSPACE, &transport->sock->flags); 531 - transport->inet->sk_write_pending++; 530 + sk->sk_write_pending++; 532 531 /* ...and wait for more buffer space */ 533 532 xprt_wait_for_buffer_space(task, xs_nospace_callback); 534 533 } ··· 538 537 } 539 538 540 539 spin_unlock_bh(&xprt->transport_lock); 540 + 541 + /* Race breaker in case memory is freed before above code is called */ 542 + sk->sk_write_space(sk); 541 543 return ret; 542 544 } 543 545