Message ID | 1345666097-14815-1-git-send-email-Trond.Myklebust@netapp.com (mailing list archive) |
---|---|
State | New, archived |
On Wed, Aug 22, 2012 at 04:08:17PM -0400, Trond Myklebust wrote:
> Fix the following Oops in 3.5.1:
>
> BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
> IP: [<ffffffffa03789cd>] nfs_lookup_revalidate+0x2d/0x480 [nfs]
> PGD 337c63067 PUD 0
> Oops: 0000 [#1] SMP
> CPU 5
> Modules linked in: nfs fscache nfsd lockd nfs_acl auth_rpcgss sunrpc af_packet binfmt_misc cpufreq_conservative cpufreq_userspace cpufreq_powersave dm_mod acpi_cpufreq mperf coretemp gpio_ich kvm_intel joydev kvm ioatdma hid_generic igb lpc_ich i7core_edac edac_core ptp serio_raw dca pcspkr i2c_i801 mfd_core sg pps_core usbhid crc32c_intel microcode button autofs4 uhci_hcd ttm drm_kms_helper drm i2c_algo_bit sysimgblt sysfillrect syscopyarea ehci_hcd usbcore usb_common scsi_dh_rdac scsi_dh_emc scsi_dh_hp_sw scsi_dh_alua scsi_dh edd fan ata_piix thermal processor thermal_sys
>
> Pid: 30431, comm: java Not tainted 3.5.1-2-default #1 Supermicro X8DTT/X8DTT
> RIP: 0010:[<ffffffffa03789cd>] [<ffffffffa03789cd>] nfs_lookup_revalidate+0x2d/0x480 [nfs]
> RSP: 0018:ffff8801b418bd38 EFLAGS: 00010292
> RAX: 00000000fffffff6 RBX: ffff88032016d800 RCX: 0000000000000020
> RDX: ffffffff00000000 RSI: 0000000000000000 RDI: ffff8801824a7b00
> RBP: ffff8801b418bdf8 R08: 7fffff0034323030 R09: fffffffff04c03ed
> R10: ffff8801824a7b00 R11: 0000000000000002 R12: ffff8801824a7b00
> R13: ffff8801824a7b00 R14: 0000000000000000 R15: ffff8803201725d0
> FS: 00002b53a46cb700(0000) GS:ffff88033fc20000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000038 CR3: 000000020a426000 CR4: 00000000000007e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> Process java (pid: 30431, threadinfo ffff8801b418a000, task ffff8801b5d20600)
> Stack:
> ffff8801b418be44 ffff88032016d800 ffff8801b418bdf8 0000000000000000
> ffff8801824a7b00 ffff8801b418bdd7 ffff8803201725d0 ffffffff8116a9c0
> ffff8801b5c38dc0 0000000000000007 ffff88032016d800 0000000000000000
> Call Trace:
> [<ffffffff8116a9c0>] lookup_dcache+0x80/0xe0
> [<ffffffff8116aa43>] __lookup_hash+0x23/0x90
> [<ffffffff8116b4a5>] lookup_one_len+0xc5/0x100
> [<ffffffffa03869a3>] nfs_sillyrename+0xe3/0x210 [nfs]
> [<ffffffff8116cadf>] vfs_unlink.part.25+0x7f/0xe0
> [<ffffffff8116f22c>] do_unlinkat+0x1ac/0x1d0
> [<ffffffff815717b9>] system_call_fastpath+0x16/0x1b
> [<00002b5348b5f527>] 0x2b5348b5f526
> Code: ec 38 b8 f6 ff ff ff 4c 89 64 24 18 4c 89 74 24 28 49 89 fc 48 89 5c 24 08 48 89 6c 24 10 49 89 f6 4c 89 6c 24 20 4c 89 7c 24 30 <f6> 46 38 40 0f 85 d1 00 00 00 e8 c4 c4 df e0 48 8b 58 30 49 89
> RIP [<ffffffffa03789cd>] nfs_lookup_revalidate+0x2d/0x480 [nfs]
> RSP <ffff8801b418bd38>
> CR2: 0000000000000038
> ---[ end trace 845113ed191985dd ]---
>
> This Oops affects 3.5 kernels and older, and is due to lookup_one_len()
> calling down to the dentry revalidation code with a NULL pointer
> to struct nameidata.
>
> It is fixed upstream by commit 0b728e1911c (stop passing nameidata *
> to ->d_revalidate())

So this is just a nfs-only backport of the larger patch 0b728e1911c,
right? Should we also do this for other filesystems as well? Or just
backport the whole commit?

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

On Mon, Aug 27, 2012 at 08:16:09PM +0000, Myklebust, Trond wrote:
> On Mon, 2012-08-27 at 13:09 -0700, Greg KH wrote:
> > On Wed, Aug 22, 2012 at 04:08:17PM -0400, Trond Myklebust wrote:
> > > Fix the following Oops in 3.5.1:
> > >
> > > BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
> > > IP: [<ffffffffa03789cd>] nfs_lookup_revalidate+0x2d/0x480 [nfs]
> > > PGD 337c63067 PUD 0
> > > Oops: 0000 [#1] SMP
> > > CPU 5
> > > Modules linked in: nfs fscache nfsd lockd nfs_acl auth_rpcgss sunrpc af_packet binfmt_misc cpufreq_conservative cpufreq_userspace cpufreq_powersave dm_mod acpi_cpufreq mperf coretemp gpio_ich kvm_intel joydev kvm ioatdma hid_generic igb lpc_ich i7core_edac edac_core ptp serio_raw dca pcspkr i2c_i801 mfd_core sg pps_core usbhid crc32c_intel microcode button autofs4 uhci_hcd ttm drm_kms_helper drm i2c_algo_bit sysimgblt sysfillrect syscopyarea ehci_hcd usbcore usb_common scsi_dh_rdac scsi_dh_emc scsi_dh_hp_sw scsi_dh_alua scsi_dh edd fan ata_piix thermal processor thermal_sys
> > >
> > > Pid: 30431, comm: java Not tainted 3.5.1-2-default #1 Supermicro X8DTT/X8DTT
> > > RIP: 0010:[<ffffffffa03789cd>] [<ffffffffa03789cd>] nfs_lookup_revalidate+0x2d/0x480 [nfs]
> > > RSP: 0018:ffff8801b418bd38 EFLAGS: 00010292
> > > RAX: 00000000fffffff6 RBX: ffff88032016d800 RCX: 0000000000000020
> > > RDX: ffffffff00000000 RSI: 0000000000000000 RDI: ffff8801824a7b00
> > > RBP: ffff8801b418bdf8 R08: 7fffff0034323030 R09: fffffffff04c03ed
> > > R10: ffff8801824a7b00 R11: 0000000000000002 R12: ffff8801824a7b00
> > > R13: ffff8801824a7b00 R14: 0000000000000000 R15: ffff8803201725d0
> > > FS: 00002b53a46cb700(0000) GS:ffff88033fc20000(0000) knlGS:0000000000000000
> > > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > > CR2: 0000000000000038 CR3: 000000020a426000 CR4: 00000000000007e0
> > > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > > DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> > > Process java (pid: 30431, threadinfo ffff8801b418a000, task ffff8801b5d20600)
> > > Stack:
> > > ffff8801b418be44 ffff88032016d800 ffff8801b418bdf8 0000000000000000
> > > ffff8801824a7b00 ffff8801b418bdd7 ffff8803201725d0 ffffffff8116a9c0
> > > ffff8801b5c38dc0 0000000000000007 ffff88032016d800 0000000000000000
> > > Call Trace:
> > > [<ffffffff8116a9c0>] lookup_dcache+0x80/0xe0
> > > [<ffffffff8116aa43>] __lookup_hash+0x23/0x90
> > > [<ffffffff8116b4a5>] lookup_one_len+0xc5/0x100
> > > [<ffffffffa03869a3>] nfs_sillyrename+0xe3/0x210 [nfs]
> > > [<ffffffff8116cadf>] vfs_unlink.part.25+0x7f/0xe0
> > > [<ffffffff8116f22c>] do_unlinkat+0x1ac/0x1d0
> > > [<ffffffff815717b9>] system_call_fastpath+0x16/0x1b
> > > [<00002b5348b5f527>] 0x2b5348b5f526
> > > Code: ec 38 b8 f6 ff ff ff 4c 89 64 24 18 4c 89 74 24 28 49 89 fc 48 89 5c 24 08 48 89 6c 24 10 49 89 f6 4c 89 6c 24 20 4c 89 7c 24 30 <f6> 46 38 40 0f 85 d1 00 00 00 e8 c4 c4 df e0 48 8b 58 30 49 89
> > > RIP [<ffffffffa03789cd>] nfs_lookup_revalidate+0x2d/0x480 [nfs]
> > > RSP <ffff8801b418bd38>
> > > CR2: 0000000000000038
> > > ---[ end trace 845113ed191985dd ]---
> > >
> > > This Oops affects 3.5 kernels and older, and is due to lookup_one_len()
> > > calling down to the dentry revalidation code with a NULL pointer
> > > to struct nameidata.
> > >
> > > It is fixed upstream by commit 0b728e1911c (stop passing nameidata *
> > > to ->d_revalidate())
> >
> > So this is just a nfs-only backport of the larger patch 0b728e1911c,
> > right? Should we also do this for other filesystems as well? Or just
> > backport the whole commit?
>
> The larger patch involves a VFS api change (the atomic open code) which
> has a bunch of pre- and post-requirements. I'd assume that is a too
> large change for stable. I think that the smaller per-filesystem changes
> are probably more appropriate. The list of filesystems that care are
> likely to be small. Off the top of my head, I can only think of NFS,
> CIFS, FUSE and possibly ceph.

Ok, I'll take this one for NFS, care to break this up also for FUSE and
CIFS and send me a patch for it?

thanks,

greg k-h

On Mon, 2012-08-27 at 20:16 +0000, Myklebust, Trond wrote:
> On Mon, 2012-08-27 at 13:09 -0700, Greg KH wrote:
> > On Wed, Aug 22, 2012 at 04:08:17PM -0400, Trond Myklebust wrote:
> > > Fix the following Oops in 3.5.1:
[...]
> > > This Oops affects 3.5 kernels and older, and is due to lookup_one_len()
> > > calling down to the dentry revalidation code with a NULL pointer
> > > to struct nameidata.
> > >
> > > It is fixed upstream by commit 0b728e1911c (stop passing nameidata *
> > > to ->d_revalidate())
> >
> > So this is just a nfs-only backport of the larger patch 0b728e1911c,
> > right? Should we also do this for other filesystems as well? Or just
> > backport the whole commit?
>
> The larger patch involves a VFS api change (the atomic open code) which
> has a bunch of pre- and post-requirements. I'd assume that is a too
> large change for stable. I think that the smaller per-filesystem changes
> are probably more appropriate. The list of filesystems that care are
> likely to be small. Off the top of my head, I can only think of NFS,
> CIFS, FUSE and possibly ceph.

What is the earliest version that needs this fix?

Ben.

On Mon, 27 Aug 2012 13:23:11 -0700
Greg KH <gregkh@linuxfoundation.org> wrote:

> On Mon, Aug 27, 2012 at 08:16:09PM +0000, Myklebust, Trond wrote:
> > On Mon, 2012-08-27 at 13:09 -0700, Greg KH wrote:
> > > On Wed, Aug 22, 2012 at 04:08:17PM -0400, Trond Myklebust wrote:
> > > > Fix the following Oops in 3.5.1:
> > > >
> > > > BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
> > > > IP: [<ffffffffa03789cd>] nfs_lookup_revalidate+0x2d/0x480 [nfs]
> > > > PGD 337c63067 PUD 0
> > > > Oops: 0000 [#1] SMP
> > > > CPU 5
> > > > Modules linked in: nfs fscache nfsd lockd nfs_acl auth_rpcgss sunrpc af_packet binfmt_misc cpufreq_conservative cpufreq_userspace cpufreq_powersave dm_mod acpi_cpufreq mperf coretemp gpio_ich kvm_intel joydev kvm ioatdma hid_generic igb lpc_ich i7core_edac edac_core ptp serio_raw dca pcspkr i2c_i801 mfd_core sg pps_core usbhid crc32c_intel microcode button autofs4 uhci_hcd ttm drm_kms_helper drm i2c_algo_bit sysimgblt sysfillrect syscopyarea ehci_hcd usbcore usb_common scsi_dh_rdac scsi_dh_emc scsi_dh_hp_sw scsi_dh_alua scsi_dh edd fan ata_piix thermal processor thermal_sys
> > > >
> > > > Pid: 30431, comm: java Not tainted 3.5.1-2-default #1 Supermicro X8DTT/X8DTT
> > > > RIP: 0010:[<ffffffffa03789cd>] [<ffffffffa03789cd>] nfs_lookup_revalidate+0x2d/0x480 [nfs]
> > > > RSP: 0018:ffff8801b418bd38 EFLAGS: 00010292
> > > > RAX: 00000000fffffff6 RBX: ffff88032016d800 RCX: 0000000000000020
> > > > RDX: ffffffff00000000 RSI: 0000000000000000 RDI: ffff8801824a7b00
> > > > RBP: ffff8801b418bdf8 R08: 7fffff0034323030 R09: fffffffff04c03ed
> > > > R10: ffff8801824a7b00 R11: 0000000000000002 R12: ffff8801824a7b00
> > > > R13: ffff8801824a7b00 R14: 0000000000000000 R15: ffff8803201725d0
> > > > FS: 00002b53a46cb700(0000) GS:ffff88033fc20000(0000) knlGS:0000000000000000
> > > > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > > > CR2: 0000000000000038 CR3: 000000020a426000 CR4: 00000000000007e0
> > > > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > > > DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> > > > Process java (pid: 30431, threadinfo ffff8801b418a000, task ffff8801b5d20600)
> > > > Stack:
> > > > ffff8801b418be44 ffff88032016d800 ffff8801b418bdf8 0000000000000000
> > > > ffff8801824a7b00 ffff8801b418bdd7 ffff8803201725d0 ffffffff8116a9c0
> > > > ffff8801b5c38dc0 0000000000000007 ffff88032016d800 0000000000000000
> > > > Call Trace:
> > > > [<ffffffff8116a9c0>] lookup_dcache+0x80/0xe0
> > > > [<ffffffff8116aa43>] __lookup_hash+0x23/0x90
> > > > [<ffffffff8116b4a5>] lookup_one_len+0xc5/0x100
> > > > [<ffffffffa03869a3>] nfs_sillyrename+0xe3/0x210 [nfs]
> > > > [<ffffffff8116cadf>] vfs_unlink.part.25+0x7f/0xe0
> > > > [<ffffffff8116f22c>] do_unlinkat+0x1ac/0x1d0
> > > > [<ffffffff815717b9>] system_call_fastpath+0x16/0x1b
> > > > [<00002b5348b5f527>] 0x2b5348b5f526
> > > > Code: ec 38 b8 f6 ff ff ff 4c 89 64 24 18 4c 89 74 24 28 49 89 fc 48 89 5c 24 08 48 89 6c 24 10 49 89 f6 4c 89 6c 24 20 4c 89 7c 24 30 <f6> 46 38 40 0f 85 d1 00 00 00 e8 c4 c4 df e0 48 8b 58 30 49 89
> > > > RIP [<ffffffffa03789cd>] nfs_lookup_revalidate+0x2d/0x480 [nfs]
> > > > RSP <ffff8801b418bd38>
> > > > CR2: 0000000000000038
> > > > ---[ end trace 845113ed191985dd ]---
> > > >
> > > > This Oops affects 3.5 kernels and older, and is due to lookup_one_len()
> > > > calling down to the dentry revalidation code with a NULL pointer
> > > > to struct nameidata.
> > > >
> > > > It is fixed upstream by commit 0b728e1911c (stop passing nameidata *
> > > > to ->d_revalidate())
> > >
> > > So this is just a nfs-only backport of the larger patch 0b728e1911c,
> > > right? Should we also do this for other filesystems as well? Or just
> > > backport the whole commit?
> >
> > The larger patch involves a VFS api change (the atomic open code) which
> > has a bunch of pre- and post-requirements. I'd assume that is a too
> > large change for stable. I think that the smaller per-filesystem changes
> > are probably more appropriate. The list of filesystems that care are
> > likely to be small. Off the top of my head, I can only think of NFS,
> > CIFS, FUSE and possibly ceph.
>
> Ok, I'll take this one for NFS, care to break this up also for FUSE and
> CIFS and send me a patch for it?
>

A similar problem was already fixed quite some time ago in cifs in
commit f5bc1e755d, shortly after the RCU lookup code went in.

diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c index f430057..b1f3675 100644 --- a/fs/nfs/dir.c +++ b/fs/nfs/dir.c @@ -1123,7 +1123,7 @@ static int nfs_lookup_revalidate(struct dentry *dentry, struct nameidata *nd) struct nfs_fattr *fattr = NULL; int error; - if (nd->flags & LOOKUP_RCU) + if (nd && (nd->flags & LOOKUP_RCU)) return -ECHILD; parent = dget_parent(dentry); @@ -1526,7 +1526,7 @@ static int nfs4_lookup_revalidate(struct dentry *dentry, struct nameidata *nd) struct inode *dir; int openflags, ret = 0; - if (nd->flags & LOOKUP_RCU) + if (nd && (nd->flags & LOOKUP_RCU)) return -ECHILD; inode = dentry->d_inode;
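Review bot: in the first hunk (nfs_lookup_revalidate, @@ -1123), the new "nd &&" test lets a NULL nd fall through to "parent = dget_parent(dentry);" and everything after it, but the visible context does not show whether nd is dereferenced again later in the function. Please confirm that every remaining use of nd here tolerates NULL, and consider a one-line comment above the check stating that lookup_one_len() can pass nd == NULL, so the guard is not later removed as redundant.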
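Review bot: in the second hunk (nfs4_lookup_revalidate, @@ -1526), the same guard is added although the Oops in the changelog only shows the fault in nfs_lookup_revalidate, so the changelog should say whether the NFSv4 path was reproduced or is being fixed by analogy. The context also declares "int openflags, ret = 0;", which suggests nd is consulted again further down; please check that those later uses are NULL-safe once execution continues past "inode = dentry->d_inode;".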
Fix the following Oops in 3.5.1:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
IP: [<ffffffffa03789cd>] nfs_lookup_revalidate+0x2d/0x480 [nfs]
PGD 337c63067 PUD 0
Oops: 0000 [#1] SMP
CPU 5
Modules linked in: nfs fscache nfsd lockd nfs_acl auth_rpcgss sunrpc af_packet binfmt_misc cpufreq_conservative cpufreq_userspace cpufreq_powersave dm_mod acpi_cpufreq mperf coretemp gpio_ich kvm_intel joydev kvm ioatdma hid_generic igb lpc_ich i7core_edac edac_core ptp serio_raw dca pcspkr i2c_i801 mfd_core sg pps_core usbhid crc32c_intel microcode button autofs4 uhci_hcd ttm drm_kms_helper drm i2c_algo_bit sysimgblt sysfillrect syscopyarea ehci_hcd usbcore usb_common scsi_dh_rdac scsi_dh_emc scsi_dh_hp_sw scsi_dh_alua scsi_dh edd fan ata_piix thermal processor thermal_sys

Pid: 30431, comm: java Not tainted 3.5.1-2-default #1 Supermicro X8DTT/X8DTT
RIP: 0010:[<ffffffffa03789cd>] [<ffffffffa03789cd>] nfs_lookup_revalidate+0x2d/0x480 [nfs]
RSP: 0018:ffff8801b418bd38 EFLAGS: 00010292
RAX: 00000000fffffff6 RBX: ffff88032016d800 RCX: 0000000000000020
RDX: ffffffff00000000 RSI: 0000000000000000 RDI: ffff8801824a7b00
RBP: ffff8801b418bdf8 R08: 7fffff0034323030 R09: fffffffff04c03ed
R10: ffff8801824a7b00 R11: 0000000000000002 R12: ffff8801824a7b00
R13: ffff8801824a7b00 R14: 0000000000000000 R15: ffff8803201725d0
FS: 00002b53a46cb700(0000) GS:ffff88033fc20000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000038 CR3: 000000020a426000 CR4: 00000000000007e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process java (pid: 30431, threadinfo ffff8801b418a000, task ffff8801b5d20600)
Stack:
ffff8801b418be44 ffff88032016d800 ffff8801b418bdf8 0000000000000000
ffff8801824a7b00 ffff8801b418bdd7 ffff8803201725d0 ffffffff8116a9c0
ffff8801b5c38dc0 0000000000000007 ffff88032016d800 0000000000000000
Call Trace:
[<ffffffff8116a9c0>] lookup_dcache+0x80/0xe0
[<ffffffff8116aa43>] __lookup_hash+0x23/0x90
[<ffffffff8116b4a5>] lookup_one_len+0xc5/0x100
[<ffffffffa03869a3>] nfs_sillyrename+0xe3/0x210 [nfs]
[<ffffffff8116cadf>] vfs_unlink.part.25+0x7f/0xe0
[<ffffffff8116f22c>] do_unlinkat+0x1ac/0x1d0
[<ffffffff815717b9>] system_call_fastpath+0x16/0x1b
[<00002b5348b5f527>] 0x2b5348b5f526
Code: ec 38 b8 f6 ff ff ff 4c 89 64 24 18 4c 89 74 24 28 49 89 fc 48 89 5c 24 08 48 89 6c 24 10 49 89 f6 4c 89 6c 24 20 4c 89 7c 24 30 <f6> 46 38 40 0f 85 d1 00 00 00 e8 c4 c4 df e0 48 8b 58 30 49 89
RIP [<ffffffffa03789cd>] nfs_lookup_revalidate+0x2d/0x480 [nfs]
RSP <ffff8801b418bd38>
CR2: 0000000000000038
---[ end trace 845113ed191985dd ]---

This Oops affects 3.5 kernels and older, and is due to lookup_one_len()
calling down to the dentry revalidation code with a NULL pointer
to struct nameidata.

It is fixed upstream by commit 0b728e1911c (stop passing nameidata *
to ->d_revalidate())

Reported-by: Richard Ems <richard.ems@cape-horn-eng.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
---
 fs/nfs/dir.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
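
Added example, not part of the original thread or patch: a small triage script that cross-checks the Oops against the changelog's diagnosis by decoding the faulting instruction (the byte marked `<f6>` on the `Code:` line) and comparing its memory operand with CR2. The function names are illustrative, the decoder handles only the one instruction form seen here, and the embedded text is an excerpt of the Oops quoted on this page.

```python
import re

# Excerpt of the Oops from this thread: the registers the check needs,
# CR2, and the Code: line. Nothing here is invented.
OOPS = """\
RAX: 00000000fffffff6 RBX: ffff88032016d800 RCX: 0000000000000020
RDX: ffffffff00000000 RSI: 0000000000000000 RDI: ffff8801824a7b00
CR2: 0000000000000038 CR3: 000000020a426000 CR4: 00000000000007e0
Code: ec 38 b8 f6 ff ff ff 4c 89 64 24 18 4c 89 74 24 28 49 89 fc 48 89 5c 24 08 48 89 6c 24 10 49 89 f6 4c 89 6c 24 20 4c 89 7c 24 30 <f6> 46 38 40 0f 85 d1 00 00 00 e8 c4 c4 df e0 48 8b 58 30 49 89
"""

# ModRM r/m field -> base register, valid when no REX prefix is present.
RM_REGS = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI"]


def parse_oops(text):
    """Return (register dict, bytes starting at the faulting instruction)."""
    regs = {name: int(val, 16) for name, val in
            re.findall(r"\b([A-Z][A-Z0-9]{1,2}):\s+([0-9a-f]{16})\b", text)}
    code = re.search(r"^Code:\s*(.*)$", text, re.M).group(1).split()
    # The kernel brackets the byte at the faulting RIP with <..>.
    start = next(i for i, b in enumerate(code) if b.startswith("<"))
    insn = bytes(int(b.strip("<>"), 16) for b in code[start:])
    return regs, insn


def decode_test_imm8(insn):
    """Decode only `F6 /0 ib` (TEST r/m8, imm8) with a [reg + disp8] operand."""
    if insn[0] != 0xF6:
        raise ValueError("not an F6 group-3 opcode")
    modrm = insn[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if reg != 0 or mod != 1 or rm == 4:  # rm == 4 would mean a SIB byte
        raise ValueError("operand form not handled by this narrow decoder")
    disp = int.from_bytes(insn[2:3], "little", signed=True)
    return RM_REGS[rm], disp, insn[3]


def triage(text, null_page=0x1000):
    """Tie the fault address to a base register and a field offset."""
    regs, insn = parse_oops(text)
    base, disp, mask = decode_test_imm8(insn)
    addr = (regs[base] + disp) & 0xFFFFFFFFFFFFFFFF
    return {
        "base_register": base,          # register used as the struct pointer
        "base_value": regs[base],
        "field_offset": disp,           # offset of the field being read
        "mask": mask,                   # bit(s) being tested in that field
        "matches_cr2": addr == regs["CR2"],
        # A zero base plus a small offset is the NULL-struct-pointer pattern.
        "null_base": regs[base] == 0 and regs["CR2"] < null_page,
    }


if __name__ == "__main__":
    for key, value in triage(OOPS).items():
        print(f"{key}: {value!r}")
```

RSI carries the second function argument in the x86-64 System V calling convention, which is `nd` in the signature shown in the diff header, so a zero RSI with a byte test at offset 0x38 is consistent with the unguarded `nd->flags & LOOKUP_RCU` check that the patch changes.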