nfs_common: fix race in NFS calls to nfsd_file_put_local() and nfsd_serv_put()

Mike Snitzer · Anna Schumaker · commit 65f2a5c36635 · 2024-10-03T16:19:43.000-04:00
Add nfs_to_nfsd_file_put_local() interface to fix race with nfsd
module unload.  Similarly, use RCU around nfs_open_local_fh()'s error
path call to nfs_to-&gt;nfsd_serv_put().  Holding RCU ensures that NFS
will safely _call and return_ from its nfs_to calls into the NFSD
functions nfsd_file_put_local() and nfsd_serv_put().

Otherwise, if RCU isn't used then there is a narrow window when NFS's
reference for the nfsd_file and nfsd_serv are dropped and the NFSD
module could be unloaded, which could result in a crash from the
return instruction for either nfs_to-&gt;nfsd_file_put_local() or
nfs_to-&gt;nfsd_serv_put().

Reported-by: NeilBrown &lt;neilb@suse.de&gt;
Signed-off-by: Mike Snitzer &lt;snitzer@kernel.org&gt;
Signed-off-by: Anna Schumaker &lt;anna.schumaker@oracle.com&gt;
diff --git a/fs/nfs/localio.c b/fs/nfs/localio.c
@@ -340,7 +340,7 @@ nfs_local_pgio_release(struct nfs_local_kiocb *iocb)
 {
 	struct nfs_pgio_header *hdr = iocb->hdr;
 
-	nfs_to->nfsd_file_put_local(iocb->localio);
+	nfs_to_nfsd_file_put_local(iocb->localio);
 	nfs_local_iocb_free(iocb);
 	nfs_local_hdr_release(hdr, hdr->task.tk_ops);
 }
@@ -621,7 +621,7 @@ int nfs_local_doio(struct nfs_client *clp, struct nfsd_file *localio,
 	}
 out:
 	if (status != 0) {
-		nfs_to->nfsd_file_put_local(localio);
+		nfs_to_nfsd_file_put_local(localio);
 		hdr->task.tk_status = status;
 		nfs_local_hdr_release(hdr, call_ops);
 	}
@@ -672,7 +672,7 @@ nfs_local_release_commit_data(struct nfsd_file *localio,
 		struct nfs_commit_data *data,
 		const struct rpc_call_ops *call_ops)
 {
-	nfs_to->nfsd_file_put_local(localio);
+	nfs_to_nfsd_file_put_local(localio);
 	call_ops->rpc_call_done(&data->task, data);
 	call_ops->rpc_release(data);
 }
diff --git a/fs/nfs_common/nfslocalio.c b/fs/nfs_common/nfslocalio.c
@@ -142,8 +142,11 @@ struct nfsd_file *nfs_open_local_fh(nfs_uuid_t *uuid,
 	/* We have an implied reference to net thanks to nfsd_serv_try_get */
 	localio = nfs_to->nfsd_open_local_fh(net, uuid->dom, rpc_clnt,
 					     cred, nfs_fh, fmode);
-	if (IS_ERR(localio))
+	if (IS_ERR(localio)) {
+		rcu_read_lock();
 		nfs_to->nfsd_serv_put(net);
+		rcu_read_unlock();
+	}
 	return localio;
 }
 EXPORT_SYMBOL_GPL(nfs_open_local_fh);
diff --git a/fs/nfsd/filecache.c b/fs/nfsd/filecache.c
@@ -398,7 +398,7 @@ nfsd_file_put(struct nfsd_file *nf)
  * reference to the associated nn->nfsd_serv.
  */
 void
-nfsd_file_put_local(struct nfsd_file *nf)
+nfsd_file_put_local(struct nfsd_file *nf) __must_hold(rcu)
 {
 	struct net *net = nf->nf_net;
 
diff --git a/fs/nfsd/localio.c b/fs/nfsd/localio.c
@@ -53,7 +53,7 @@ void nfsd_localio_ops_init(void)
  *
  * On successful return, returned nfsd_file will have its nf_net member
  * set. Caller (NFS client) is responsible for calling nfsd_serv_put and
- * nfsd_file_put (via nfs_to->nfsd_file_put_local).
+ * nfsd_file_put (via nfs_to_nfsd_file_put_local).
  */
 struct nfsd_file *
 nfsd_open_local_fh(struct net *net, struct auth_domain *dom,
diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c
@@ -214,14 +214,14 @@ int nfsd_minorversion(struct nfsd_net *nn, u32 minorversion, enum vers_op change
 	return 0;
 }
 
-bool nfsd_serv_try_get(struct net *net)
+bool nfsd_serv_try_get(struct net *net) __must_hold(rcu)
 {
 	struct nfsd_net *nn = net_generic(net, nfsd_net_id);
 
 	return (nn && percpu_ref_tryget_live(&nn->nfsd_serv_ref));
 }
 
-void nfsd_serv_put(struct net *net)
+void nfsd_serv_put(struct net *net) __must_hold(rcu)
 {
 	struct nfsd_net *nn = net_generic(net, nfsd_net_id);
 
diff --git a/include/linux/nfslocalio.h b/include/linux/nfslocalio.h
@@ -65,10 +65,25 @@ struct nfsd_file *nfs_open_local_fh(nfs_uuid_t *,
 		   struct rpc_clnt *, const struct cred *,
 		   const struct nfs_fh *, const fmode_t);
 
+static inline void nfs_to_nfsd_file_put_local(struct nfsd_file *localio)
+{
+	/*
+	 * Once reference to nfsd_serv is dropped, NFSD could be
+	 * unloaded, so ensure safe return from nfsd_file_put_local()
+	 * by always taking RCU.
+	 */
+	rcu_read_lock();
+	nfs_to->nfsd_file_put_local(localio);
+	rcu_read_unlock();
+}
+
 #else   /* CONFIG_NFS_LOCALIO */
 static inline void nfsd_localio_ops_init(void)
 {
 }
+static inline void nfs_to_nfsd_file_put_local(struct nfsd_file *localio)
+{
+}
 #endif  /* CONFIG_NFS_LOCALIO */
 
 #endif  /* __LINUX_NFSLOCALIO_H */

Original file line number	Diff line number	Diff line change
`@@ -340,7 +340,7 @@ nfs_local_pgio_release(struct nfs_local_kiocb *iocb)`
`340`	`340`	`{`
`341`	`341`	`struct nfs_pgio_header *hdr = iocb->hdr;`
`342`	`342`
`343`		`- nfs_to->nfsd_file_put_local(iocb->localio);`
	`343`	`+ nfs_to_nfsd_file_put_local(iocb->localio);`
`344`	`344`	`nfs_local_iocb_free(iocb);`
`345`	`345`	`nfs_local_hdr_release(hdr, hdr->task.tk_ops);`
`346`	`346`	`}`
`@@ -621,7 +621,7 @@ int nfs_local_doio(struct nfs_client clp, struct nfsd_file localio,`
`621`	`621`	`}`
`622`	`622`	`out:`
`623`	`623`	`if (status != 0) {`
`624`		`- nfs_to->nfsd_file_put_local(localio);`
	`624`	`+ nfs_to_nfsd_file_put_local(localio);`
`625`	`625`	`hdr->task.tk_status = status;`
`626`	`626`	`nfs_local_hdr_release(hdr, call_ops);`
`627`	`627`	`}`
`@@ -672,7 +672,7 @@ nfs_local_release_commit_data(struct nfsd_file *localio,`
`672`	`672`	`struct nfs_commit_data *data,`
`673`	`673`	`const struct rpc_call_ops *call_ops)`
`674`	`674`	`{`
`675`		`- nfs_to->nfsd_file_put_local(localio);`
	`675`	`+ nfs_to_nfsd_file_put_local(localio);`
`676`	`676`	`call_ops->rpc_call_done(&data->task, data);`
`677`	`677`	`call_ops->rpc_release(data);`
`678`	`678`	`}`
Original file line number	Diff line number	Diff line change
`@@ -398,7 +398,7 @@ nfsd_file_put(struct nfsd_file *nf)`
`398`	`398`	`* reference to the associated nn->nfsd_serv.`
`399`	`399`	`*/`
`400`	`400`	`void`
`401`		`-nfsd_file_put_local(struct nfsd_file *nf)`
	`401`	`+nfsd_file_put_local(struct nfsd_file *nf) __must_hold(rcu)`
`402`	`402`	`{`
`403`	`403`	`struct net *net = nf->nf_net;`
`404`	`404`
Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ void nfsd_localio_ops_init(void)`
`53`	`53`	`*`
`54`	`54`	`* On successful return, returned nfsd_file will have its nf_net member`
`55`	`55`	`* set. Caller (NFS client) is responsible for calling nfsd_serv_put and`
`56`		`- * nfsd_file_put (via nfs_to->nfsd_file_put_local).`
	`56`	`+ * nfsd_file_put (via nfs_to_nfsd_file_put_local).`
`57`	`57`	`*/`
`58`	`58`	`struct nfsd_file *`
`59`	`59`	`nfsd_open_local_fh(struct net net, struct auth_domain dom,`
Original file line number	Diff line number	Diff line change
`@@ -214,14 +214,14 @@ int nfsd_minorversion(struct nfsd_net *nn, u32 minorversion, enum vers_op change`
`214`	`214`	`return 0;`
`215`	`215`	`}`
`216`	`216`
`217`		`-bool nfsd_serv_try_get(struct net *net)`
	`217`	`+bool nfsd_serv_try_get(struct net *net) __must_hold(rcu)`
`218`	`218`	`{`
`219`	`219`	`struct nfsd_net *nn = net_generic(net, nfsd_net_id);`
`220`	`220`
`221`	`221`	`return (nn && percpu_ref_tryget_live(&nn->nfsd_serv_ref));`
`222`	`222`	`}`
`223`	`223`
`224`		`-void nfsd_serv_put(struct net *net)`
	`224`	`+void nfsd_serv_put(struct net *net) __must_hold(rcu)`
`225`	`225`	`{`
`226`	`226`	`struct nfsd_net *nn = net_generic(net, nfsd_net_id);`
`227`	`227`