linux/fs/nfs
Oleg Drokin cea7f829d3 nfs4: Fix potential use after free of state in nfs4_do_reclaim.
Commit e8d975e73e ("fixing infinite OPEN loop in 4.0 stateid recovery")
introduced access to state after it was just potentially freed by
nfs4_put_open_state leading to a random data corruption somewhere.

BUG: unable to handle kernel paging request at ffff88004941ee40
IP: [<ffffffff813baf01>] nfs4_do_reclaim+0x461/0x740
PGD 3501067 PUD 3504067 PMD 6ff37067 PTE 800000004941e060
Oops: 0002 [#1] SMP DEBUG_PAGEALLOC
Modules linked in: loop rpcsec_gss_krb5 acpi_cpufreq tpm_tis joydev i2c_piix4 pcspkr tpm virtio_console nfsd ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops floppy serio_raw virtio_blk drm
CPU: 6 PID: 2161 Comm: 192.168.10.253- Not tainted 4.7.0-rc1-vm-nfs+ #112
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
task: ffff8800463dcd00 ti: ffff88003ff48000 task.ti: ffff88003ff48000
RIP: 0010:[<ffffffff813baf01>]  [<ffffffff813baf01>] nfs4_do_reclaim+0x461/0x740
RSP: 0018:ffff88003ff4bd68  EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffffff81a49900 RCX: 00000000000000e8
RDX: 00000000000000e8 RSI: ffff8800418b9930 RDI: ffff880040c96c88
RBP: ffff88003ff4bdf8 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff880040c96c98
R13: ffff88004941ee20 R14: ffff88004941ee40 R15: ffff88004941ee00
FS:  0000000000000000(0000) GS:ffff88006d000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88004941ee40 CR3: 0000000060b0b000 CR4: 00000000000006e0
Stack:
 ffffffff813baad5 ffff8800463dcd00 ffff880000000001 ffffffff810e6b68
 ffff880043ddbc88 ffff8800418b9800 ffff8800418b98c8 ffff88004941ee48
 ffff880040c96c90 ffff880040c96c00 ffff880040c96c20 ffff880040c96c40
Call Trace:
 [<ffffffff813baad5>] ? nfs4_do_reclaim+0x35/0x740
 [<ffffffff810e6b68>] ? trace_hardirqs_on_caller+0x128/0x1b0
 [<ffffffff813bb7cd>] nfs4_run_state_manager+0x5ed/0xa40
 [<ffffffff813bb1e0>] ? nfs4_do_reclaim+0x740/0x740
 [<ffffffff813bb1e0>] ? nfs4_do_reclaim+0x740/0x740
 [<ffffffff810af0d1>] kthread+0x101/0x120
 [<ffffffff810e6b68>] ? trace_hardirqs_on_caller+0x128/0x1b0
 [<ffffffff818843af>] ret_from_fork+0x1f/0x40
 [<ffffffff810aefd0>] ? kthread_create_on_node+0x250/0x250
Code: 65 80 4c 8b b5 78 ff ff ff e8 fc 88 4c 00 48 8b 7d 88 e8 13 67 d2 ff 49 8b 47 40 a8 02 0f 84 d3 01 00 00 4c 89 ff e8 7f f9 ff ff <f0> 41 80 26 7f 48 8b 7d c8 e8 b1 84 4c 00 e9 39 fd ff ff 3d e6
RIP  [<ffffffff813baf01>] nfs4_do_reclaim+0x461/0x740
 RSP <ffff88003ff4bd68>
CR2: ffff88004941ee40

Signed-off-by: Oleg Drokin <green@linuxhacker.ru>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
2016-06-24 12:01:00 -04:00
..
blocklayout mm, fs: get rid of PAGE_CACHE_* and page_cache_{get,release} macros 2016-04-04 10:41:08 -07:00
filelayout pnfs: pnfs_update_layout needs to consider if strict iomode checking is on 2016-05-26 08:40:56 -04:00
flexfilelayout pnfs: pnfs_update_layout needs to consider if strict iomode checking is on 2016-05-26 08:40:56 -04:00
objlayout mm, fs: get rid of PAGE_CACHE_* and page_cache_{get,release} macros 2016-04-04 10:41:08 -07:00
cache_lib.c
cache_lib.h
callback_proc.c pnfs: only tear down lsegs that precede seqid in LAYOUTRETURN args 2016-05-17 15:48:10 -04:00
callback_xdr.c NFSv4: Label stateids with the type 2016-05-17 15:48:06 -04:00
callback.c NFS: Enable client side NFSv4.1 backchannel to use other transports 2015-11-02 16:29:13 -05:00
callback.h NFSv4.x: Allow multiple callbacks in flight 2016-01-25 09:36:21 -05:00
client.c mm, fs: get rid of PAGE_CACHE_* and page_cache_{get,release} macros 2016-04-04 10:41:08 -07:00
delegation.c NFSv4: Use the right stateid for delegations in setattr, read and write 2016-05-17 15:48:07 -04:00
delegation.h NFSv4: Use the right stateid for delegations in setattr, read and write 2016-05-17 15:48:07 -04:00
dir.c nfs: per-name sillyunlink exclusion 2016-05-09 11:39:45 -04:00
direct.c NFS: Fix up O_DIRECT results 2016-06-24 12:01:00 -04:00
dns_resolve.c NFS: Enabling v4.2 should not recompile nfsd and lockd 2013-11-19 16:20:40 -05:00
dns_resolve.h
file.c direct-io: eliminate the offset argument to ->direct_IO 2016-05-01 19:58:39 -04:00
fscache-index.c NFS: Fabricate fscache server index key correctly 2014-09-25 21:25:18 -04:00
fscache.c nfs: define nfs_inc_fscache_stats and using it as possible 2014-11-24 20:08:47 -05:00
fscache.h NFS: Use i_writecount to control whether to get an fscache cookie in nfs_open() 2013-09-27 18:40:25 +01:00
getroot.c VFS: normal filesystems (and lustre): d_inode() annotations 2015-04-15 15:06:57 -04:00
inode.c nfs: per-name sillyunlink exclusion 2016-05-09 11:39:45 -04:00
internal.h NFS: Add nfs_commit_file() 2016-05-17 15:47:55 -04:00
iostat.h nfs: define nfs_inc_fscache_stats and using it as possible 2014-11-24 20:08:47 -05:00
Kconfig kernel: conditionally support non-root users, groups and capabilities 2015-04-15 16:35:22 -07:00
Makefile NFS: Rename idmap.c to nfs4idmap.c 2015-04-23 15:16:14 -04:00
mount_clnt.c NFS: Remove unneeded NFS_DEBUG checking before define NFSDBG_FACILITY 2015-10-21 15:49:23 -05:00
namespace.c VFS: normal filesystems (and lustre): d_inode() annotations 2015-04-15 15:06:57 -04:00
netns.h pnfs/blocklayout: serialize GETDEVICEINFO calls 2014-11-12 14:22:52 -05:00
nfs2super.c
nfs2xdr.c nfs: save server READ/WRITE/COMMIT status 2015-02-03 11:06:40 -08:00
nfs3_fs.h nfsv3: introduce nfs3_set_ds_client 2015-02-03 11:06:34 -08:00
nfs3acl.c posix_acl: Inode acl caching fixes 2016-03-31 00:30:15 -04:00
nfs3client.c nfs: set hostname when creating nfsv3 ds connection 2015-02-03 11:06:38 -08:00
nfs3proc.c VFS: normal filesystems (and lustre): d_inode() annotations 2015-04-15 15:06:57 -04:00
nfs3super.c nfsv3: introduce nfs3_set_ds_client 2015-02-03 11:06:34 -08:00
nfs3xdr.c xprtrdma: Fix large NFS SYMLINK calls 2015-08-05 16:21:28 -04:00
nfs4_fs.h NFSv4: Use the right stateid for delegations in setattr, read and write 2016-05-17 15:48:07 -04:00
nfs4client.c nfs4: start callback_ident at idr 1 2015-11-23 21:59:42 -05:00
nfs4file.c NFS: Add COPY nfs operation 2016-05-17 15:47:55 -04:00
nfs4getroot.c nfs: Remove invalid NFS_ATTR_FATTR_V4_REFERRAL checking in nfs4_get_rootfh 2015-07-01 11:31:22 -04:00
nfs4idmap.c KEYS: Add a facility to restrict new links into a keyring 2016-04-11 22:37:37 +01:00
nfs4idmap.h NFS: Move nfs_idmap.h into fs/nfs/ 2015-04-23 15:16:14 -04:00
nfs4namespace.c VFS: normal filesystems (and lustre): d_inode() annotations 2015-04-15 15:06:57 -04:00
nfs4proc.c NFS/pnfs: handle bad delegation stateids in nfs4_layoutget_handle_exception 2016-06-24 12:01:00 -04:00
nfs4renewd.c NFSv4.1: Fix an NFSv4.1 state renewal regression 2014-09-30 17:18:42 -04:00
nfs4session.c NFSv4.x: Allow multiple callbacks in flight 2016-01-25 09:36:21 -05:00
nfs4session.h NFSv4.x: Allow multiple callbacks in flight 2016-01-25 09:36:21 -05:00
nfs4state.c nfs4: Fix potential use after free of state in nfs4_do_reclaim. 2016-06-24 12:01:00 -04:00
nfs4super.c NFS: Move nfs_idmap.h into fs/nfs/ 2015-04-23 15:16:14 -04:00
nfs4sysctl.c nfs: do not initialise statics to 0 2015-12-28 09:57:15 -05:00
nfs4trace.c pNFS: Modify pnfs_update_layout tracepoints to use layout stateid 2015-12-28 09:57:14 -05:00
nfs4trace.h pnfs: rework LAYOUTGET retry handling 2016-05-17 15:48:12 -04:00
nfs4xdr.c NFSv4: Label stateids with the type 2016-05-17 15:48:06 -04:00
nfs42.h NFS: Add COPY nfs operation 2016-05-17 15:47:55 -04:00
nfs42proc.c NFS client updates for Linux 4.7 2016-05-26 10:33:33 -07:00
nfs42xdr.c NFS: Add COPY nfs operation 2016-05-17 15:47:55 -04:00
nfs.h
nfsroot.c nfsroot: make nfsroot to accept the 1024 bytes long directory name 2015-10-21 15:49:19 -05:00
nfstrace.c NFSv4: Allow tracing of NFSv4 fsync calls 2015-03-27 12:39:34 -04:00
nfstrace.h nfs: per-name sillyunlink exclusion 2016-05-09 11:39:45 -04:00
pagelist.c NFS: Add nfs_commit_file() 2016-05-17 15:47:55 -04:00
pnfs_dev.c NFSv4.1: Don't cache deviceids that have no notifications 2015-03-27 12:32:24 -04:00
pnfs_nfs.c nfs: avoid race that crashes nfs_init_commit 2016-05-25 12:59:01 -04:00
pnfs.c NFSv4.1/pnfs: Add sparse lock annotations for pnfs_find_alloc_layout 2016-06-24 12:01:00 -04:00
pnfs.h pnfs: pnfs_update_layout needs to consider if strict iomode checking is on 2016-05-26 08:40:56 -04:00
proc.c VFS: normal filesystems (and lustre): d_inode() annotations 2015-04-15 15:06:57 -04:00
read.c mm, fs: get rid of PAGE_CACHE_* and page_cache_{get,release} macros 2016-04-04 10:41:08 -07:00
super.c xprtrdma: Add rdma6 option to support NFS/RDMA IPv6 2016-05-17 15:47:56 -04:00
symlink.c switch ->get_link() to delayed_call, kill ->put_link() 2015-12-30 13:01:03 -05:00
sysctl.c nfs: convert use of typedef ctl_table to struct ctl_table 2014-06-06 16:08:16 -07:00
unlink.c nfs: per-name sillyunlink exclusion 2016-05-09 11:39:45 -04:00
write.c nfs: avoid race that crashes nfs_init_commit 2016-05-25 12:59:01 -04:00