From patchwork Mon Mar 3 03:18:06 2014
X-Patchwork-Submitter: Trond Myklebust
X-Patchwork-Id: 3750771
Message-ID: <1393816686.6850.0.camel@leira.trondhjem.org>
Subject: Re: [BUG] NULL pointer dereference in nfs4_match_stateid()
From: Trond Myklebust
To: "Yan, Zheng"
Cc: linux-nfs@vger.kernel.org
Date: Sun, 02 Mar 2014 22:18:06 -0500
In-Reply-To: <5313E9F6.2020405@intel.com>
References: <5313E9F6.2020405@intel.com>
Organization: PrimaryData Inc

On Mon, 2014-03-03 at 10:33 +0800, Yan, Zheng wrote:
> Hi,
>
> I got the following Oops when running fsstress
> ---
> [ 2536.142216] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
> [ 2536.143110] IP: [] memcmp+0x9/0x50
> [ 2536.143110] PGD 0
> [ 2536.143110] Oops: 0000 [#1] SMP
> [ 2536.143110] Modules linked in: rpcsec_gss_krb5(F) auth_rpcgss(F) nfsv4(F) dns_resolver(F) nfs(F) fscache(F) ceph(F) libceph(F) libcrc32c(F) netconsole(F) ip6table_filter(F) ip6_tables(F) ebtable_nat(F) ebtables(F) ipt_MASQUERADE(F) iptable_nat(F) nf_nat_ipv4(F) nf_nat(F) nf_conntrack_ipv4(F) nf_defrag_ipv4(F) xt_state(F) nf_conntrack(F) xt_CHECKSUM(F) iptable_mangle(F) bnep(F) bluetooth(F) 6lowpan_iphc(F) bridge(F) lockd(F) sunrpc(F) rfkill(F) be2iscsi(F) iscsi_boot_sysfs(F) stp(F) llc(F) bnx2i(F) cnic(F) uio(F) cxgb4i(F) cxgb4(F) cxgb3i(F) cxgb3(F) mdio(F) libcxgbi(F) ib_iser(F) rdma_cm(F) iw_cm(F) ib_cm(F) ib_sa(F) ib_mad(F) ib_core(F) ib_addr(F) iscsi_tcp(F) libiscsi_tcp(F) libiscsi(F) scsi_transport_iscsi(F) virtio_net(F) virtio_balloon(F) pcspkr(F) microcode(F) uinput(F) cirrus(F) drm_kms_helper(F) ttm(F) drm(F) i2c_core(F)
> [ 2536.143110] CPU: 1 PID: 2925 Comm: nfsv4.0-svc Tainted: GF 3.14.0-rc4+ #50
> [ 2536.143110] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
> [ 2536.143110] task: ffff88003cd55aa0 ti: ffff88003c9a8000 task.ti: ffff88003c9a8000
> [ 2536.143110] RIP: 0010:[] [] memcmp+0x9/0x50
> [ 2536.143110] RSP: 0018:ffff88003c9a9ca8 EFLAGS: 00010202
> [ 2536.143110] RAX: ffffffffa04842c0 RBX: 0000000000000000 RCX: 0000000000000036
> [ 2536.143110] RDX: 0000000000000010 RSI: ffff880035ee808a RDI: 0000000000000020
> [ 2536.143110] RBP: ffff88003c9a9ca8 R08: 8020000000000000 R09: 00231b6840100000
> [ 2536.143110] R10: ffbee4a086ca1004 R11: 0000000000000000 R12: ffff88003751e000
> [ 2536.143110] R13: ffff880034afa000 R14: ffff880035ee808a R15: 0000000000000004
> [ 2536.143110] FS: 0000000000000000(0000) GS:ffff88003fc80000(0000) knlGS:0000000000000000
> [ 2536.143110] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> [ 2536.143110] CR2: 0000000000000020 CR3: 0000000034bc0000 CR4: 00000000000006e0
> [ 2536.143110] Stack:
> [ 2536.143110] ffff88003c9a9cb8 ffffffffa0455883 ffff88003c9a9cf0 ffffffffa0472b98
> [ 2536.143110] ffff880035ee8000 ffff880035ee8000 ffff8800231b6970 0000000011270000
> [ 2536.143110] 0000000000000000 ffff88003c9a9d28 ffffffffa0475fc9 ffff88003c9a9d28
> [ 2536.143110] Call Trace:
> [ 2536.143110] [] nfs4_match_stateid+0x13/0x20 [nfsv4]
> [ 2536.143110] [] nfs_async_inode_return_delegation+0x48/0x90 [nfsv4]
> [ 2536.143110] [] nfs4_callback_recall+0x59/0x130 [nfsv4]
> [ 2536.143110] [] nfs4_callback_compound+0x465/0x6a0 [nfsv4]
> [ 2536.143110] [] ? svcauth_unix_accept+0x14a/0x270 [sunrpc]
> [ 2536.143110] [] svc_process_common+0x5e7/0x6e0 [sunrpc]
> [ 2536.143110] [] ? nfs_callback_authenticate+0x50/0x50 [nfsv4]
> [ 2536.143110] [] svc_process+0x107/0x170 [sunrpc]
> [ 2536.143110] [] ? nfs_callback_authenticate+0x50/0x50 [nfsv4]
> [ 2536.143110] [] nfs4_callback_svc+0x45/0x60 [nfsv4]
> [ 2536.143110] [] kthread+0xd2/0xf0
> [ 2536.143110] [] ? insert_kthread_work+0x40/0x40
> [ 2536.143110] [] ret_from_fork+0x7c/0xb0
> [ 2536.143110] [] ?
insert_kthread_work+0x40/0x40 > [ 2536.143110] Code: 75 e9 31 c0 c6 06 01 5d c3 66 0f 1f 84 00 00 00 00 00 31 c0 c6 06 00 5d c3 66 0f 1f 84 00 00 00 00 00 55 48 85 d2 48 89 e5 74 3c <0f> b6 07 0f b6 0e 29 c8 75 27 48 83 ea 01 31 c9 eb 1a 0f 1f 44 > [ 2536.143110] RIP [] memcmp+0x9/0x50 > [ 2536.143110] RSP > [ 2536.143110] CR2: 0000000000000020 > [ 2536.143110] ---[ end trace 145a1eb5268045c7 ]--- Does the following patch help? Cheers Trond 8<--------------------------------------------------------------- From 755a48a7a4eb05b9c8424e3017d947b2961a60e0 Mon Sep 17 00:00:00 2001 From: Trond Myklebust Date: Sun, 2 Mar 2014 22:03:12 -0500 Subject: [PATCH] NFS: Fix a delegation callback race The clean-up in commit 36281caa839f ended up removing a NULL pointer check that is needed in order to prevent an Oops in nfs_async_inode_return_delegation(). Reported-by: "Yan, Zheng" Link: http://lkml.kernel.org/r/5313E9F6.2020405@intel.com Fixes: 36281caa839f (NFSv4: Further clean-ups of delegation stateid validation) Cc: stable@vger.kernel.org # 3.4+ Signed-off-by: Trond Myklebust --- fs/nfs/delegation.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/fs/nfs/delegation.c b/fs/nfs/delegation.c index ef792f29f831..5d8ccecf5f5c 100644 --- a/fs/nfs/delegation.c +++ b/fs/nfs/delegation.c @@ -659,16 +659,19 @@ int nfs_async_inode_return_delegation(struct inode *inode, rcu_read_lock(); delegation = rcu_dereference(NFS_I(inode)->delegation); + if (delegation == NULL) + goto out_enoent; - if (!clp->cl_mvops->match_stateid(&delegation->stateid, stateid)) { - rcu_read_unlock(); - return -ENOENT; - } + if (!clp->cl_mvops->match_stateid(&delegation->stateid, stateid)) + goto out_enoent; nfs_mark_return_delegation(server, delegation); rcu_read_unlock(); nfs_delegation_run_state_manager(clp); return 0; +out_enoent: + rcu_read_unlock(); + return -ENOENT; } static struct inode *
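Review bot: the two back-to-back "goto out_enoent" branches in the nfs_async_inode_return_delegation() hunk could be folded into a single condition, "if (delegation == NULL || !clp->cl_mvops->match_stateid(&delegation->stateid, stateid)) goto out_enoent;", which keeps the NULL test ahead of the dereference and avoids the duplicated jump; either way the ordering in the hunk is correct, since delegation is read with rcu_dereference() under rcu_read_lock(), tested before &delegation->stateid is formed, and both failure paths now release the lock at out_enoent before returning -ENOENT. The commit message would read better if it named the race it closes: the trace shows nfs4_callback_recall() reaching nfs4_match_stateid() and faulting in memcmp() with RDI and CR2 both 0x20, consistent with &delegation->stateid being computed from a NULL delegation, i.e. a CB_RECALL processed after the inode's delegation pointer has already been cleared. Worth confirming that the "Cc: stable@vger.kernel.org # 3.4+" range matches the release in which the referenced commit 36281caa839f first appeared, so the backport does not land where the removed check never existed.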