Patch "NFSv4.1: Fix a race in nfs4_proc_layoutget" has been added to the 4.11-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Mon, 03 Jul 2017 09:57:54 +0200

This is a note to let you know that I've just added the patch titled

    NFSv4.1: Fix a race in nfs4_proc_layoutget

to the 4.11-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     nfsv4.1-fix-a-race-in-nfs4_proc_layoutget.patch
and it can be found in the queue-4.11 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From bd171930e6a3de4f5cffdafbb944e50093dfb59b Mon Sep 17 00:00:00 2001
From: Trond Myklebust <trond.myklebust@xxxxxxxxxxxxxxx>
Date: Tue, 27 Jun 2017 17:33:38 -0400
Subject: NFSv4.1: Fix a race in nfs4_proc_layoutget

From: Trond Myklebust <trond.myklebust@xxxxxxxxxxxxxxx>

commit bd171930e6a3de4f5cffdafbb944e50093dfb59b upstream.

If the task calling layoutget is signalled, then it is possible for the
calls to nfs4_sequence_free_slot() and nfs4_layoutget_prepare() to race,
in which case we leak a slot.
The fix is to move the call to nfs4_sequence_free_slot() into the
nfs4_layoutget_release() so that it gets called at task teardown time.

Fixes: 2e80dbe7ac51 ("NFSv4.1: Close callback races for OPEN, LAYOUTGET...")
Signed-off-by: Trond Myklebust <trond.myklebust@xxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 fs/nfs/nfs4proc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -8430,6 +8430,7 @@ static void nfs4_layoutget_release(void
 	size_t max_pages = max_response_pages(server);
 
 	dprintk("--> %s\n", __func__);
+	nfs4_sequence_free_slot(&lgp->res.seq_res);
 	nfs4_free_pages(lgp->args.layout.pages, max_pages);
 	pnfs_put_layout_hdr(NFS_I(inode)->layout);
 	put_nfs_open_context(lgp->args.ctx);
@@ -8504,7 +8505,6 @@ nfs4_proc_layoutget(struct nfs4_layoutge
 	/* if layoutp->len is 0, nfs4_layoutget_prepare called rpc_exit */
 	if (status == 0 && lgp->res.layoutp->len)
 		lseg = pnfs_layout_process(lgp);
-	nfs4_sequence_free_slot(&lgp->res.seq_res);
 	rpc_put_task(task);
 	dprintk("<-- %s status=%d\n", __func__, status);
 	if (status)


Patches currently in stable-queue which might be from trond.myklebust@xxxxxxxxxxxxxxx are

queue-4.11/revert-nfs-nfs_rename-handle-erestartsys-dentry-left-behind.patch
queue-4.11/nfsv4.2-don-t-send-mode-again-in-post-exclusive4_1-setattr-with-umask.patch
queue-4.11/nfsv4.1-fix-a-race-in-nfs4_proc_layoutget.patch






