Hide Forgot
Upstream patch description from Josef: http://marc.info/?l=linux-kernel&m=129013218025663&w=2 While trying to track down some NFS problems with BTRFS, I kept noticing I was getting -EACCESS for no apparent reason. Eric Paris and printk() helped me figure out that it was SELinux that was giving me grief, with the following denial type=AVC msg=audit(1290013638.413:95): avc: denied { 0x800000 } for pid=1772 comm="nfsd" name="" dev=sda1 ino=256 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file Turns out this is because in d_obtain_alias if we can't find an alias we create one and do all the normal instantiation stuff, but we don't do the security_d_instantiate. Usually we are protected from getting a hashed dentry that hasn't yet run security_d_instantiate() by the parent's i_mutex, but obviously this isn't an option there, so in order to deal with the case that a second thread comes in and finds our new dentry before we get to run security_d_instantiate(), we go ahead and call it if we find a dentry already. Eric assures me that this is ok as the code checks to see if the dentry has been initialized already so calling security_d_instantiate() against the same dentry multiple times is ok. With this patch I'm no longer getting errant -EACCESS values. Signed-off-by: Josef Bacik <josef@redhat.com> In RHEL6 we get a slightly different AVC: type=AVC msg=audit(1289847582.957:112814): avc: denied { 0x400000 } for pid=6055 comm="nfsd" name="" dev=md0 ino=1505857 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file but it is very likely the same root cause.
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. If you would like it considered as an exception in the current release, please ask your support representative.
This request was erroneously denied for the current release of Red Hat Enterprise Linux. The error has been fixed and this request has been re-proposed for the current release.
Hi Eric, Is this still an issue with RHEL6.1?
I believe it is. Josef?
Yeah I've not brought it in, waiting for it to land upstream.
How critical is this issue for 6.1? Can it get bumped back to 6.2? Thanks!
Well, I don't know how hard/easy this is to trigger in the wild. I know that you need memory pressure on the NFSD server to kick inodes out of cache and you need an open file handle on the client to a directory inode (that was kicked out). In this situation the server will be unable to perform certain operations on that open handle, such as addname, removename, search, reparent.....
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Patch(es) available on kernel-2.6.32-175.el6
I'm unable to reproduce following http://marc.info/?l=linux-fsdevel&m=129035432531716&w=2 on 2.6.32-131.17.1.el6 kernel. Confirmed patch listed in comment 15 is applied in 2.6.32-206.el6 kernel. -206 kernel also passed fs regression tests Set SanityOnly
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2011-1530.html
*** Bug 749181 has been marked as a duplicate of this bug. ***