NFSD: fix nfs4_file access extra count in nfsd4_add_rdaccess_to_wrdeleg
authorDai Ngo <dai.ngo@oracle.com>
Wed, 4 Feb 2026 21:07:43 +0000 (13:07 -0800)
committerChuck Lever <chuck.lever@oracle.com>
Mon, 30 Mar 2026 01:25:09 +0000 (21:25 -0400)
In nfsd4_add_rdaccess_to_wrdeleg, if fp->fi_fds[O_RDONLY] is already
set by another thread, __nfs4_file_get_access should not be called
to increment the nfs4_file access count since that was already done
by the thread that added READ access to the file. The extra fi_access
count in nfs4_file can prevent the corresponding nfsd_file from being
freed.

When stopping nfs-server service, these extra access counts trigger a
BUG in kmem_cache_destroy() that shows nfsd_file object remaining on
__kmem_cache_shutdown.

This problem can be reproduced by running the Git project's test
suite over NFS.

Fixes: 8072e34e1387 ("nfsd: fix nfsd_file reference leak in nfsd4_add_rdaccess_to_wrdeleg()")
Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
fs/nfsd/nfs4state.c

index a767b562f991d47040cffdf68acef9b64a286b60..1b4c101ff04b9f1dda6ce0d40f9cc0a68c61f6a9 100644 (file)
@@ -6266,12 +6266,12 @@ nfsd4_add_rdaccess_to_wrdeleg(struct svc_rqst *rqstp, struct nfsd4_open *open,
                        return (false);
                fp = stp->st_stid.sc_file;
                spin_lock(&fp->fi_lock);
-               __nfs4_file_get_access(fp, NFS4_SHARE_ACCESS_READ);
                if (!fp->fi_fds[O_RDONLY]) {
+                       __nfs4_file_get_access(fp, NFS4_SHARE_ACCESS_READ);
                        fp->fi_fds[O_RDONLY] = nf;
+                       fp->fi_rdeleg_file = nfsd_file_get(fp->fi_fds[O_RDONLY]);
                        nf = NULL;
                }
-               fp->fi_rdeleg_file = nfsd_file_get(fp->fi_fds[O_RDONLY]);
                spin_unlock(&fp->fi_lock);
                if (nf)
                        nfsd_file_put(nf);
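Review bot: The `if (!fp->fi_fds[O_RDONLY])` branch now pairs three steps (the READ access count, installing `nf`, and the `fi_rdeleg_file` reference), but no comment says they must stay together, and separating them is what produced the extra `fi_access` count fixed here. A comment above the branch would record the invariant, e.g. `/* Take the READ access count and the fi_rdeleg_file reference only when we install fi_fds[O_RDONLY]; otherwise the count was already taken by whoever set it. */`. When the slot is already populated, `fi_rdeleg_file` is now left untouched, so the release path that drops this reference and access count should be checked to confirm it tolerates the field being unset; that path is not visible in this hunk. Inside the branch the assignment also overwrites `fi_rdeleg_file` without checking for a prior value, which presumably cannot exist at this point but is worth confirming. The body of `nfsd4_add_rdaccess_to_wrdeleg` starts and ends outside the hunk.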