1. 10 Mar, 2011 4 commits
    • Stanislav Fomichev's avatar
      nfs: add kmalloc return value check in decode_and_add_ds · b9f81057
      Stanislav Fomichev authored
      add kmalloc return value check in decode_and_add_ds
      Signed-off-by: default avatarStanislav Fomichev <kernel@fomichev.me>
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      b9f81057
    • Jesper Juhl's avatar
      SUNRPC: Remove resource leak in svc_rdma_send_error() · a5e50268
      Jesper Juhl authored
      We leak the memory allocated to 'ctxt' when we return after
      'ib_dma_mapping_error()' returns !=0.
      Signed-off-by: default avatarJesper Juhl <jj@chaosbits.net>
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      a5e50268
    • Jeff Layton's avatar
      nfs: close NFSv4 COMMIT vs. CLOSE race · d2224e7a
      Jeff Layton authored
      I've been adding in more artificial delays in the NFSv4 commit and close
      codepaths to uncover races. The kernel I'm testing has the patch to
      close the race in __rpc_wait_for_completion_task that's in Trond's
      cthon2011 branch. The reproducer I've been using does this in a loop:
      
      	mkdir("DIR");
      	fd = open("DIR/FILE", O_WRONLY|O_CREAT|O_EXCL, 0644);
      	write(fd, "abcdefg", 7);
      	close(fd);
      	unlink("DIR/FILE");
      	rmdir("DIR");
      
      The above reproducer shouldn't result in any silly-renaming. However,
      when I add a "msleep(100)" just after the nfs_commit_clear_lock call in
      nfs_commit_release, I can almost always force one to occur. If I can
      force it to occur with that, then it can happen without that delay
      given the right timing.
      
      nfs_commit_inode waits for the NFS_INO_COMMIT bit to clear when called
      with FLUSH_SYNC set. nfs_commit_rpcsetup on the other hand does not wait
      for the task to complete before putting its reference to it, so the last
      reference get put in rpc_release task and gets queued to a workqueue.
      
      In this situation, the last open context reference may be put by the
      COMMIT release instead of the close() syscall. The close() syscall
      returns too quickly and the unlink runs while the d_count is still
      high since the COMMIT release hasn't put its dentry reference yet.
      
      Fix this by having rpc_commit_rpcsetup wait for the RPC call to complete
      before putting the task reference when FLUSH_SYNC is set. With this, the
      last reference is put by the process that's initiating the FLUSH_SYNC
      commit and the race is closed.
      Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      d2224e7a
    • Trond Myklebust's avatar
      SUNRPC: Close a race in __rpc_wait_for_completion_task() · bf294b41
      Trond Myklebust authored
      Although they run as rpciod background tasks, under normal operation
      (i.e. no SIGKILL), functions like nfs_sillyrename(), nfs4_proc_unlck()
      and nfs4_do_close() want to be fully synchronous. This means that when we
      exit, we want all references to the rpc_task to be gone, and we want
      any dentry references etc. held by that task to be released.
      
      For this reason these functions call __rpc_wait_for_completion_task(),
      followed by rpc_put_task() in the expectation that the latter will be
      releasing the last reference to the rpc_task, and thus ensuring that the
      callback_ops->rpc_release() has been called synchronously.
      
      This patch fixes a race which exists due to the fact that
      rpciod calls rpc_complete_task() (in order to wake up the callers of
      __rpc_wait_for_completion_task()) and then subsequently calls
      rpc_put_task() without ensuring that these two steps are done atomically.
      
      In order to avoid adding new spin locks, the patch uses the existing
      waitqueue spin lock to order the rpc_task reference count releases between
      the waiting process and rpciod.
      The common case where nobody is waiting for completion is optimised for by
      checking if the RPC_TASK_ASYNC flag is cleared and/or if the rpc_task
      reference count is 1: in those cases we drop trying to grab the spin lock,
      and immediately free up the rpc_task.
      
      Those few processes that need to put the rpc_task from inside an
      asynchronous context and that do not care about ordering are given a new
      helper: rpc_put_task_async().
      Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
      bf294b41
  2. 07 Mar, 2011 2 commits
  3. 06 Mar, 2011 3 commits
  4. 05 Mar, 2011 17 commits
  5. 04 Mar, 2011 11 commits
  6. 03 Mar, 2011 3 commits