Re: [PATCH] nfs: callback_proc: fix an incorrect NULL check on list iterator

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 28 Mar 2022 13:24:57 +0000, Trond Myklebust wrote:
> Let's just do the following.
> 
> 8<-----------------------------------------------
> From 7c9d845f0612e5bcd23456a2ec43be8ac43458f1 Mon Sep 17 00:00:00 2001
> From: Trond Myklebust <trond.myklebust@xxxxxxxxxxxxxxx>
> Date: Mon, 28 Mar 2022 08:36:34 -0400
> Subject: [PATCH] NFSv4/pNFS: Fix another issue with a list iterator pointing
>  to the head
> 
> In nfs4_callback_devicenotify(), if we don't find a matching entry for
> the deviceid, we're left with a pointer to 'struct nfs_server' that
> actually points to the list of super blocks associated with our struct
> nfs_client.
> Furthermore, even if we have a valid pointer, nothing pins the super
> block, and so the struct nfs_server could end up getting freed while
> we're using it.
> 
> Since all we want is a pointer to the struct pnfs_layoutdriver_type,
> let's skip all the iteration over super blocks, and just use APIs to
> find the layout driver directly.
> 
> Reported-by: Xiaomeng Tong <xiam0nd.tong@xxxxxxxxx>
> Fixes: 1be5683b03a7 ("pnfs: CB_NOTIFY_DEVICEID")
> Signed-off-by: Trond Myklebust <trond.myklebust@xxxxxxxxxxxxxxx>
> ---
>  fs/nfs/callback_proc.c | 27 +++++++++------------------
>  fs/nfs/pnfs.c          | 11 +++++++++++
>  fs/nfs/pnfs.h          |  2 ++
>  3 files changed, 22 insertions(+), 18 deletions(-)
> 
> diff --git a/fs/nfs/callback_proc.c b/fs/nfs/callback_proc.c
> index 39d1ec870d90..c8520284dda7 100644
> --- a/fs/nfs/callback_proc.c
> +++ b/fs/nfs/callback_proc.c
> @@ -358,12 +358,11 @@ __be32 nfs4_callback_devicenotify(void *argp, void *resp,
>  				  struct cb_process_state *cps)
>  {
>  	struct cb_devicenotifyargs *args = argp;
> +	const struct pnfs_layoutdriver_type *ld = NULL;
>  	uint32_t i;
>  	__be32 res = 0;
> -	struct nfs_client *clp = cps->clp;
> -	struct nfs_server *server = NULL;
>  
> -	if (!clp) {
> +	if (!cps->clp) {
>  		res = cpu_to_be32(NFS4ERR_OP_NOT_IN_SESSION);
>  		goto out;
>  	}
> @@ -371,23 +370,15 @@ __be32 nfs4_callback_devicenotify(void *argp, void *resp,
>  	for (i = 0; i < args->ndevs; i++) {
>  		struct cb_devicenotifyitem *dev = &args->devs[i];
>  
> -		if (!server ||
> -		    server->pnfs_curr_ld->id != dev->cbd_layout_type) {
> -			rcu_read_lock();
> -			list_for_each_entry_rcu(server, &clp->cl_superblocks, client_link)
> -				if (server->pnfs_curr_ld &&
> -				    server->pnfs_curr_ld->id == dev->cbd_layout_type) {
> -					rcu_read_unlock();
> -					goto found;
> -				}
> -			rcu_read_unlock();
> -			continue;
> +		if (!ld || ld->id != dev->cbd_layout_type) {
> +			pnfs_put_layoutdriver(ld);
> +			ld = pnfs_find_layoutdriver(dev->cbd_layout_type);
> +			if (!ld)
> +				continue;
>  		}
> -
> -	found:
> -		nfs4_delete_deviceid(server->pnfs_curr_ld, clp, &dev->cbd_dev_id);
> +		nfs4_delete_deviceid(ld, cps->clp, &dev->cbd_dev_id);
>  	}
> -
> +	pnfs_put_layoutdriver(ld);
>  out:
>  	kfree(args->devs);
>  	return res;
> diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
> index de318bb5d349..856c962273c7 100644
> --- a/fs/nfs/pnfs.c
> +++ b/fs/nfs/pnfs.c
> @@ -92,6 +92,17 @@ find_pnfs_driver(u32 id)
>  	return local;
>  }
>  
> +const struct pnfs_layoutdriver_type *pnfs_find_layoutdriver(u32 id)
> +{
> +	return find_pnfs_driver(id);
> +}
> +
> +void pnfs_put_layoutdriver(const struct pnfs_layoutdriver_type *ld)
> +{
> +	if (ld)
> +		module_put(ld->owner);
> +}
> +
>  void
>  unset_pnfs_layoutdriver(struct nfs_server *nfss)
>  {
> diff --git a/fs/nfs/pnfs.h b/fs/nfs/pnfs.h
> index f4d7548d67b2..07f11489e4e9 100644
> --- a/fs/nfs/pnfs.h
> +++ b/fs/nfs/pnfs.h
> @@ -234,6 +234,8 @@ struct pnfs_devicelist {
>  
>  extern int pnfs_register_layoutdriver(struct pnfs_layoutdriver_type *);
>  extern void pnfs_unregister_layoutdriver(struct pnfs_layoutdriver_type *);
> +extern const struct pnfs_layoutdriver_type *pnfs_find_layoutdriver(u32 id);
> +extern void pnfs_put_layoutdriver(const struct pnfs_layoutdriver_type *ld);
>  
>  /* nfs4proc.c */
>  extern size_t max_response_pages(struct nfs_server *server);
> -- 

Thank you, i have resend a PATCH v2 with fix as you suggested, and also with
some changes, please check it.

--
Xiaomeng Tong



[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux