On Mon, 7 Jul 2014 15:03:38 -0400
Jeff Layton <jlayton@xxxxxxxxxxxxxxx> wrote:
> Bruce says:
>
> There's also a preexisting expire_client/laundromat vs break race:
>
> - expire_client/laundromat adds a delegation to its local
> reaplist using the same dl_recall_lru field that a delegation
> uses to track its position on the recall lru and drops the
> state lock.
>
> - a concurrent break_lease adds the delegation to the lru.
>
> - expire/client/laundromat then walks it reaplist and sees the
> lru head as just another delegation on the list....
>
> Fix this race by checking the dl_time under the state_lock. If we find
> that it's not 0, then we know that it has already been queued to the
> LRU list and that we shouldn't queue it again.
>
> In the case of destroy_client, we also have some similar races there.
> Just bump the dl_time by one before we drop the state_lock. We're
> destroying the delegations anyway, so a 1s difference there won't
> matter.
>
> The fault injection code also requires a bit of surgery here:
>
> First, in the case of nfsd_forget_client_delegations, we must prevent
> the same sort of race vs. the delegation break callback. For that, we
> just increment the dl_time to ensure that a delegation callback can't
> race in while we're working on it.
>
> We can't do that for nfsd_recall_client_delegations, as we need to have
> it actually queue the delegation, and that won't happen if we increment
> the dl_time. The state lock is held over that function, so we don't need
> to worry about these sorts of races there.
>
> There is one other potential bug nfsd_recall_client_delegations though.
> Entries on the victims list are not dequeued before calling
> nfsd_break_one_deleg. That's a potential list corruptor, so ensure that
> we do that there.
>
> Reported-by: "J. Bruce Fields" <bfields@xxxxxxxxxxxx>
> Signed-off-by: Jeff Layton <jlayton@xxxxxxxxxxxxxxx>
> ---
> fs/nfsd/nfs4state.c | 34 +++++++++++++++++++++++-----------
> 1 file changed, 23 insertions(+), 11 deletions(-)
>
> diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
> index c400ec17915e..2a7d7176ed30 100644
> --- a/fs/nfsd/nfs4state.c
> +++ b/fs/nfsd/nfs4state.c
> @@ -1287,6 +1287,7 @@ destroy_client(struct nfs4_client *clp)
> while (!list_empty(&clp->cl_delegations)) {
> dp = list_entry(clp->cl_delegations.next, struct nfs4_delegation, dl_perclnt);
> list_del_init(&dp->dl_perclnt);
> + ++dp->dl_time;
> list_move(&dp->dl_recall_lru, &reaplist);
> }
> spin_unlock(&state_lock);
> @@ -2933,10 +2934,14 @@ static void nfsd_break_one_deleg(struct nfs4_delegation *dp)
> * it's safe to take a reference: */
> atomic_inc(&dp->dl_count);
>
> - list_add_tail(&dp->dl_recall_lru, &nn->del_recall_lru);
> -
> - /* Only place dl_time is set; protected by i_lock: */
> - dp->dl_time = get_seconds();
> + /*
> + * If the dl_time != 0, then we know that it has already been
> + * queued for a lease break. Don't queue it again.
> + */
> + if (dp->dl_time == 0) {
> + list_add_tail(&dp->dl_recall_lru, &nn->del_recall_lru);
> + dp->dl_time = get_seconds();
> + }
>
> block_delegations(&dp->dl_fh);
>
> @@ -5069,15 +5074,18 @@ u64 nfsd_print_client_openowners(struct nfs4_client *clp, u64 max)
> }
>
> static u64 nfsd_find_all_delegations(struct nfs4_client *clp, u64 max,
> - struct list_head *victims)
> + struct list_head *victims, bool revoke)
> {
> struct nfs4_delegation *dp, *next;
> u64 count = 0;
>
> lockdep_assert_held(&state_lock);
> list_for_each_entry_safe(dp, next, &clp->cl_delegations, dl_perclnt) {
> - if (victims)
> + if (victims) {
> + if (revoke)
> + ++dp->dl_time;
Sigh...after staring at this patch all day, I think I now see a
potential problem with the fault injection piece.
In the "recall" case, we may find a delegation on the cl_delegations
list that has already been recalled. If that's the case, then we
probably should just skip it.
I'll fix this patch, retest and resend. Sorry for the noise...
> list_move(&dp->dl_recall_lru, victims);
> + }
> if (++count == max)
> break;
> }
> @@ -5091,7 +5099,7 @@ u64 nfsd_forget_client_delegations(struct
> nfs4_client *clp, u64 max) u64 count;
>
> spin_lock(&state_lock);
> - count = nfsd_find_all_delegations(clp, max, &victims);
> + count = nfsd_find_all_delegations(clp, max, &victims, true);
> spin_unlock(&state_lock);
>
> list_for_each_entry_safe(dp, next, &victims, dl_recall_lru)
> @@ -5102,14 +5110,18 @@ u64 nfsd_forget_client_delegations(struct
> nfs4_client *clp, u64 max)
> u64 nfsd_recall_client_delegations(struct nfs4_client *clp, u64 max)
> {
> - struct nfs4_delegation *dp, *next;
> + struct nfs4_delegation *dp;
> LIST_HEAD(victims);
> u64 count;
>
> spin_lock(&state_lock);
> - count = nfsd_find_all_delegations(clp, max, &victims);
> - list_for_each_entry_safe(dp, next, &victims, dl_recall_lru)
> + count = nfsd_find_all_delegations(clp, max, &victims, false);
> + while (!list_empty(&victims)) {
> + dp = list_first_entry(&victims, struct
> nfs4_delegation,
> + dl_recall_lru);
> + list_del_init(&dp->dl_recall_lru);
> nfsd_break_one_deleg(dp);
> + }
> spin_unlock(&state_lock);
>
> return count;
> @@ -5120,7 +5132,7 @@ u64 nfsd_print_client_delegations(struct
> nfs4_client *clp, u64 max) u64 count = 0;
>
> spin_lock(&state_lock);
> - count = nfsd_find_all_delegations(clp, max, NULL);
> + count = nfsd_find_all_delegations(clp, max, NULL, false);
> spin_unlock(&state_lock);
>
> nfsd_print_count(clp, count, "delegations");
--
Jeff Layton <jlayton@xxxxxxxxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
