[thirdparty/kernel/stable-queue.git] / releases / 4.9.68 / nfs-don-t-take-a-reference-on-fl-fl_file-for-lock-operation.patch

From foo@baz Wed Dec  6 17:39:55 CET 2017
From: Benjamin Coddington <bcodding@redhat.com>
Date: Thu, 5 Jan 2017 10:20:16 -0500
Subject: nfs: Don't take a reference on fl->fl_file for LOCK operation

From: Benjamin Coddington <bcodding@redhat.com>


[ Upstream commit 4b09ec4b14a168bf2c687e1f598140c3c11e9222 ]

I have reports of a crash that look like __fput() was called twice for
a NFSv4.0 file.  It seems possible that the state manager could try to
reclaim a lock and take a reference on the fl->fl_file at the same time the
file is being released if, during the close(), a signal interrupts the wait
for outstanding IO while removing locks which then skips the removal
of that lock.

Since 83bfff23e9ed ("nfs4: have do_vfs_lock take an inode pointer") has
removed the need to traverse fl->fl_file->f_inode in nfs4_lock_done(),
taking that reference is no longer necessary.

Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/nfs/nfs4proc.c |    3 ---
 1 file changed, 3 deletions(-)

--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -38,7 +38,6 @@
 #include <linux/mm.h>
 #include <linux/delay.h>
 #include <linux/errno.h>
-#include <linux/file.h>
 #include <linux/string.h>
 #include <linux/ratelimit.h>
 #include <linux/printk.h>
@@ -6006,7 +6005,6 @@ static struct nfs4_lockdata *nfs4_alloc_
 	p->server = server;
 	atomic_inc(&lsp->ls_count);
 	p->ctx = get_nfs_open_context(ctx);
-	get_file(fl->fl_file);
 	memcpy(&p->fl, fl, sizeof(p->fl));
 	return p;
 out_free_seqid:
@@ -6119,7 +6117,6 @@ static void nfs4_lock_release(void *call
 		nfs_free_seqid(data->arg.lock_seqid);
 	nfs4_put_lock_state(data->lsp);
 	put_nfs_open_context(data->ctx);
-	fput(data->fl.fl_file);
 	kfree(data);
 	dprintk("%s: done!\n", __func__);
 }
Commit	Line	Data
95244f99 GKH	1	From foo@baz Wed Dec 6 17:39:55 CET 2017
	2	From: Benjamin Coddington <bcodding@redhat.com>
	3	Date: Thu, 5 Jan 2017 10:20:16 -0500
	4	Subject: nfs: Don't take a reference on fl->fl_file for LOCK operation
	5
	6	From: Benjamin Coddington <bcodding@redhat.com>
	7
	8
	9	[ Upstream commit 4b09ec4b14a168bf2c687e1f598140c3c11e9222 ]
	10
	11	I have reports of a crash that look like __fput() was called twice for
	12	a NFSv4.0 file. It seems possible that the state manager could try to
	13	reclaim a lock and take a reference on the fl->fl_file at the same time the
	14	file is being released if, during the close(), a signal interrupts the wait
	15	for outstanding IO while removing locks which then skips the removal
	16	of that lock.
	17
	18	Since 83bfff23e9ed ("nfs4: have do_vfs_lock take an inode pointer") has
	19	removed the need to traverse fl->fl_file->f_inode in nfs4_lock_done(),
	20	taking that reference is no longer necessary.
	21
	22	Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
	23	Reviewed-by: Jeff Layton <jlayton@redhat.com>
	24	Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
	25	Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
	26	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	27	---
	28	fs/nfs/nfs4proc.c \| 3 ---
	29	1 file changed, 3 deletions(-)
	30
	31	--- a/fs/nfs/nfs4proc.c
	32	+++ b/fs/nfs/nfs4proc.c
	33	@@ -38,7 +38,6 @@
	34	#include <linux/mm.h>
	35	#include <linux/delay.h>
	36	#include <linux/errno.h>
	37	-#include <linux/file.h>
	38	#include <linux/string.h>
	39	#include <linux/ratelimit.h>
	40	#include <linux/printk.h>
	41	@@ -6006,7 +6005,6 @@ static struct nfs4_lockdata *nfs4_alloc_
	42	p->server = server;
	43	atomic_inc(&lsp->ls_count);
	44	p->ctx = get_nfs_open_context(ctx);
	45	- get_file(fl->fl_file);
	46	memcpy(&p->fl, fl, sizeof(p->fl));
	47	return p;
	48	out_free_seqid:
	49	@@ -6119,7 +6117,6 @@ static void nfs4_lock_release(void *call
	50	nfs_free_seqid(data->arg.lock_seqid);
	51	nfs4_put_lock_state(data->lsp);
	52	put_nfs_open_context(data->ctx);
	53	- fput(data->fl.fl_file);
	54	kfree(data);
	55	dprintk("%s: done!\n", __func__);
	56	}