From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 30 Dec 2024 14:34:32 +0000 (+0100)
Subject: 5.10-stable patches
X-Git-Tag: v6.1.123~9
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=80e5d33e1f9406c8d87552f4518ac7b56170916d;p=thirdparty%2Fkernel%2Fstable-queue.git

5.10-stable patches

added patches:
	nfsd-cancel-nfsd_shrinker_work-using-sync-mode-in-nfs4_state_shutdown_net.patch
---

diff --git a/queue-5.10/nfsd-cancel-nfsd_shrinker_work-using-sync-mode-in-nfs4_state_shutdown_net.patch b/queue-5.10/nfsd-cancel-nfsd_shrinker_work-using-sync-mode-in-nfs4_state_shutdown_net.patch
new file mode 100644
index 00000000000..0521736ec93
--- /dev/null
+++ b/queue-5.10/nfsd-cancel-nfsd_shrinker_work-using-sync-mode-in-nfs4_state_shutdown_net.patch
@@ -0,0 +1,97 @@
+From d5ff2fb2e7167e9483846e34148e60c0c016a1f6 Mon Sep 17 00:00:00 2001
+From: Yang Erkun <yangerkun@huaweicloud.com>
+Date: Mon, 21 Oct 2024 16:25:40 +0800
+Subject: nfsd: cancel nfsd_shrinker_work using sync mode in nfs4_state_shutdown_net
+
+From: Yang Erkun <yangerkun@huaweicloud.com>
+
+commit d5ff2fb2e7167e9483846e34148e60c0c016a1f6 upstream.
+
+In the normal case, when we excute `echo 0 > /proc/fs/nfsd/threads`, the
+function `nfs4_state_destroy_net` in `nfs4_state_shutdown_net` will
+release all resources related to the hashed `nfs4_client`. If the
+`nfsd_client_shrinker` is running concurrently, the `expire_client`
+function will first unhash this client and then destroy it. This can
+lead to the following warning. Additionally, numerous use-after-free
+errors may occur as well.
+
+nfsd_client_shrinker         echo 0 > /proc/fs/nfsd/threads
+
+expire_client                nfsd_shutdown_net
+  unhash_client                ...
+                               nfs4_state_shutdown_net
+                                 /* won't wait shrinker exit */
+  /*                             cancel_work(&nn->nfsd_shrinker_work)
+   * nfsd_file for this          /* won't destroy unhashed client1 */
+   * client1 still alive         nfs4_state_destroy_net
+   */
+
+                               nfsd_file_cache_shutdown
+                                 /* trigger warning */
+                                 kmem_cache_destroy(nfsd_file_slab)
+                                 kmem_cache_destroy(nfsd_file_mark_slab)
+  /* release nfsd_file and mark */
+  __destroy_client
+
+====================================================================
+BUG nfsd_file (Not tainted): Objects remaining in nfsd_file on
+__kmem_cache_shutdown()
+--------------------------------------------------------------------
+CPU: 4 UID: 0 PID: 764 Comm: sh Not tainted 6.12.0-rc3+ #1
+
+ dump_stack_lvl+0x53/0x70
+ slab_err+0xb0/0xf0
+ __kmem_cache_shutdown+0x15c/0x310
+ kmem_cache_destroy+0x66/0x160
+ nfsd_file_cache_shutdown+0xac/0x210 [nfsd]
+ nfsd_destroy_serv+0x251/0x2a0 [nfsd]
+ nfsd_svc+0x125/0x1e0 [nfsd]
+ write_threads+0x16a/0x2a0 [nfsd]
+ nfsctl_transaction_write+0x74/0xa0 [nfsd]
+ vfs_write+0x1a5/0x6d0
+ ksys_write+0xc1/0x160
+ do_syscall_64+0x5f/0x170
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+====================================================================
+BUG nfsd_file_mark (Tainted: G    B   W         ): Objects remaining
+nfsd_file_mark on __kmem_cache_shutdown()
+--------------------------------------------------------------------
+
+ dump_stack_lvl+0x53/0x70
+ slab_err+0xb0/0xf0
+ __kmem_cache_shutdown+0x15c/0x310
+ kmem_cache_destroy+0x66/0x160
+ nfsd_file_cache_shutdown+0xc8/0x210 [nfsd]
+ nfsd_destroy_serv+0x251/0x2a0 [nfsd]
+ nfsd_svc+0x125/0x1e0 [nfsd]
+ write_threads+0x16a/0x2a0 [nfsd]
+ nfsctl_transaction_write+0x74/0xa0 [nfsd]
+ vfs_write+0x1a5/0x6d0
+ ksys_write+0xc1/0x160
+ do_syscall_64+0x5f/0x170
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+To resolve this issue, cancel `nfsd_shrinker_work` using synchronous
+mode in nfs4_state_shutdown_net.
+
+Fixes: 7c24fa225081 ("NFSD: replace delayed_work with work_struct for nfsd_client_shrinker")
+Signed-off-by: Yang Erkun <yangerkun@huaweicloud.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4state.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -8220,7 +8220,7 @@ nfs4_state_shutdown_net(struct net *net)
+ 	struct nfsd_net *nn = net_generic(net, nfsd_net_id);
+ 
+ 	unregister_shrinker(&nn->nfsd_client_shrinker);
+-	cancel_work(&nn->nfsd_shrinker_work);
++	cancel_work_sync(&nn->nfsd_shrinker_work);
+ 	cancel_delayed_work_sync(&nn->laundromat_work);
+ 	locks_end_grace(&nn->nfsd4_manager);
+ 
diff --git a/queue-5.10/series b/queue-5.10/series
index ad5b2f077cf..803250313ac 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -78,3 +78,4 @@ arm64-ensure-bits-asid-15-8-are-masked-out-when-the-.patch
 tracing-constify-string-literal-data-member-in-struct-trace_event_call.patch
 power-supply-gpio-charger-fix-set-charge-current-limits.patch
 btrfs-avoid-monopolizing-a-core-when-activating-a-swap-file.patch
+nfsd-cancel-nfsd_shrinker_work-using-sync-mode-in-nfs4_state_shutdown_net.patch