
list_del corruption / unhash_ol_stateid()

Message ID m24mknq9ga.fsf@discipline.rit.edu (mailing list archive)
State New, archived

Commit Message

Andrew W Elble July 29, 2015, 3:17 p.m. UTC
Updates: slub_debug seems to interfere with this manifesting.

> so might be worth adding a WARN_ON_ONCE() or two here in
> nfsd4_process_open2 to confirm whether either the upgrade or
> release_open_stateid cases are dealing with a partially setup stateid.

I started with this - not completely sure this covers all the cases
we're interested in.



...and quickly got the warning at the usual place, and inside of nfs4_upgrade_open()

[  836.784251] WARNING: CPU: 0 PID: 12114 at fs/nfsd/nfs4state.c:3869 nfsd4_process_open2+0xffd/0x1200 [nfsd]()
[  930.708782] WARNING: CPU: 2 PID: 12114 at fs/nfsd/nfs4state.c:3939 nfsd4_process_open2+0xe5a/0x1200 [nfsd]()
[ 1331.966806] WARNING: CPU: 2 PID: 12108 at lib/list_debug.c:53 __list_del_entry+0x63/0xd0()
[ 1332.294149] WARNING: CPU: 2 PID: 12108 at lib/list_debug.c:53 __list_del_entry+0x63/0xd0()

Comments

Andrew W Elble July 29, 2015, 7:52 p.m. UTC | #1
> I started with this - not completely sure this covers all the cases
> we're interested in.

Oops. Apparently I like to take lots of extra refs on files. Will redo this tomorrow.

Patch

diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index 039f9c8a95e8..bb54c7d7b787 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -3866,6 +3866,8 @@  nfs4_upgrade_open(struct svc_rqst *rqstp, struct nfs4_file *fp, struct svc_fh *c
 	if (!test_access(open->op_share_access, stp))
 		return nfs4_get_vfs_file(rqstp, fp, cur_fh, stp, open);
 
+	WARN_ON_ONCE(!find_readable_file(fp));
+
 	/* test and set deny mode */
 	spin_lock(&fp->fi_lock);
 	status = nfs4_file_check_deny(fp, open->op_share_deny);
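Review bot: find_readable_file() returns a struct file with a reference taken, and the added WARN_ON_ONCE(!find_readable_file(fp)) in nfs4_upgrade_open() throws that pointer away, so each pass through this path leaves an extra file reference behind (comment #1 in the thread acknowledges the extra refs). Keep the result in a local, test it, and fput() it when it is non-NULL, or move the test below the spin_lock(&fp->fi_lock) that follows and check without taking a reference. The condition also only looks for a read-capable file, so it is worth deciding whether an upgrade on a stateid that holds only write access should trip it; find_any_file() may be closer to the intent.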
@@ -4171,6 +4173,7 @@  nfsd4_process_open2(struct svc_rqst *rqstp, struct svc_fh *current_fh, struct nf
 		init_open_stateid(stp, fp, open);
 		status = nfs4_get_vfs_file(rqstp, fp, current_fh, stp, open);
 		if (status) {
+		        WARN_ON_ONCE(!find_readable_file(fp));
 			release_open_stateid(stp);
 			goto out;
 		}
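Review bot: the added line in the nfsd4_process_open2() error path is indented with two tabs plus eight spaces, while the neighbouring release_open_stateid(stp); uses three tabs; use tabs to match the rest of the file. The check also runs after nfs4_get_vfs_file() has already returned an error, so a NULL from find_readable_file(fp) may only reflect the failed open rather than a partially set up stateid. A one-line comment saying what state is expected at this point, or reporting status alongside the warning, would make a hit easier to interpret.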