NFSv4: Fix callback server shutdown

We want to use kthread_stop() in order to ensure the threads are
shut down before we tear down the nfs_callback_info in nfs_callback_down.

Tested-and-reviewed-by: Kinglong Mee <kinglongmee@gmail.com>
Reported-by: Kinglong Mee <kinglongmee@gmail.com>
Fixes: bb6aeba736ba9 ("NFSv4.x: Switch to using svc_set_num_threads()...")
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
(cherry picked from commit ed6473ddc704a2005b9900ca08e236ebb2d8540a)

Orabug: 26143102
CVE-2017-9059

Signed-off-by: Kirtikar Kashyap <kirtikar.kashyap@oracle.com>
Reviewed-by: Jack Vogel <jack.vogel@oracle.com>
 Conflicts:
	fs/nfs/callback.c

diff --git a/fs/nfs/callback.c b/fs/nfs/callback.c
index df57bdcb4d5057b273b8f3387b8e391154fb6420..8481d457c36da53bc4e7d2d22410dcc7c99b5a90 100644 (file)
--- a/fs/nfs/callback.c
+++ b/fs/nfs/callback.c
@@ -77,7 +77,10 @@ nfs4_callback_svc(void *vrqstp)
 
        set_freezable();
 
-       while (!kthread_should_stop()) {
+       while (!kthread_freezable_should_stop(NULL)) {
+
+               if (signal_pending(current))
+                       flush_signals(current);
                /*
                 * Listen for a request on the socket
                 */
@@ -86,6 +89,8 @@ nfs4_callback_svc(void *vrqstp)
                        continue;
                svc_process(rqstp);
        }
+       svc_exit_thread(rqstp);
+       module_put_and_exit(0);
        return 0;
 }
 
@@ -131,9 +136,10 @@ nfs41_callback_svc(void *vrqstp)
 
        set_freezable();
 
-       while (!kthread_should_stop()) {
-               if (try_to_freeze())
-                       continue;
+       while (!kthread_freezable_should_stop(NULL)) {
+
+               if (signal_pending(current))
+                       flush_signals(current);
 
                prepare_to_wait(&serv->sv_cb_waitq, &wq, TASK_INTERRUPTIBLE);
                spin_lock_bh(&serv->sv_cb_lock);
@@ -149,11 +155,13 @@ nfs41_callback_svc(void *vrqstp)
                                error);
                } else {
                        spin_unlock_bh(&serv->sv_cb_lock);
-                       schedule();
+                       if (!kthread_should_stop())
+                               schedule();
                        finish_wait(&serv->sv_cb_waitq, &wq);
                }
-               flush_signals(current);
        }
+       svc_exit_thread(rqstp);
+       module_put_and_exit(0);
        return 0;
 }
 

diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h
index fae6fb947fc8671e238d4db1d9acd6ff9b59098a..1e1a55c71036655edc6e37a69a223ab193c46d74 100644 (file)
--- a/include/linux/sunrpc/svc.h
+++ b/include/linux/sunrpc/svc.h
@@ -437,6 +437,7 @@ struct svc_serv *  svc_create_pooled(struct svc_program *, unsigned int,
                        void (*shutdown)(struct svc_serv *, struct net *net),
                        svc_thread_fn, struct module *);
 int               svc_set_num_threads(struct svc_serv *, struct svc_pool *, int);
+int               svc_set_num_threads_sync(struct svc_serv *, struct svc_pool *, int);
 int               svc_pool_stats_open(struct svc_serv *serv, struct file *file);
 void              svc_destroy(struct svc_serv *);
 void              svc_shutdown_net(struct svc_serv *, struct net *);

diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
index ec97d7985859b2bed89ba61e45197bc49f35c83f..b9a699ca38948e3f5c210f7d11faa1e1a3548b4e 100644 (file)
--- a/net/sunrpc/svc.c
+++ b/net/sunrpc/svc.c
@@ -787,6 +787,44 @@ svc_set_num_threads(struct svc_serv *serv, struct svc_pool *pool, int nrservs)
 }
 EXPORT_SYMBOL_GPL(svc_set_num_threads);
 
+/* destroy old threads */
+static int
+svc_stop_kthreads(struct svc_serv *serv, struct svc_pool *pool, int nrservs)
+{
+       struct task_struct *task;
+       unsigned int state = serv->sv_nrthreads-1;
+
+       /* destroy old threads */
+       do {
+               task = choose_victim(serv, pool, &state);
+               if (task == NULL)
+                       break;
+               kthread_stop(task);
+               nrservs++;
+       } while (nrservs < 0);
+       return 0;
+}
+
+int
+svc_set_num_threads_sync(struct svc_serv *serv, struct svc_pool *pool, int nrservs)
+{
+       if (pool == NULL) {
+               /* The -1 assumes caller has done a svc_get() */
+               nrservs -= (serv->sv_nrthreads-1);
+       } else {
+               spin_lock_bh(&pool->sp_lock);
+               nrservs -= pool->sp_nrthreads;
+               spin_unlock_bh(&pool->sp_lock);
+       }
+
+       if (nrservs > 0)
+               return svc_start_kthreads(serv, pool, nrservs);
+       if (nrservs < 0)
+               return svc_stop_kthreads(serv, pool, nrservs);
+       return 0;
+}
+EXPORT_SYMBOL_GPL(svc_set_num_threads_sync);
+
 /*
  * Called from a server thread as it's exiting. Caller must hold the "service
  * mutex" for the service.