[PATCH] nfsd: handle empty list in move_to_close_lru

J. Bruce Fields bfields at fieldses.org
Wed Jan 23 15:04:36 EST 2008 

On Wed, Jan 23, 2008 at 03:01:42PM +0200, Benny Halevy wrote:
> Apparently, fs/nfsd/nfs4state.c:move_to_close_lru
> may be called when sop->so_close_lru is empty.
> Without retruning early list_move_tail on the empty
> list crashes.

The list_move functions are just list_del's followed by list_add's, and
list_del's should be completely safe on empty lists.

How did you decide the bad pointer deference was in move_to_close_lru()?

--b.

> 
> Here's an oops trace for example: (note that move_to_close_lru
> is inlined by the compiler into nfsd4_close)
> 
> Jan 23 12:37:16 bh-testlin1 kernel: Unable to handle kernel paging request at 0000000000100108 RIP:
> Jan 23 12:37:16 bh-testlin1 kernel:  [<ffffffff8824c604>] :nfsd:nfsd4_close+0xd3/0x123
> Jan 23 12:37:16 bh-testlin1 kernel: PGD 73827067 PUD 79cee067 PMD 0
> Jan 23 12:37:16 bh-testlin1 kernel: Oops: 0002 [1] SMP
> Jan 23 12:37:16 bh-testlin1 kernel: CPU 0
> Jan 23 12:37:16 bh-testlin1 kernel: Modules linked in: panfs(P) panlayoutdriver vmnet(P) parport_pc parport vmmon(P) nfsd auth_rpcgss exportfs autofs4 nfs lockd nfs_acl sunrpc ipv6 video output sbs sbshc battery ac sr_mod k8temp i2c_nforce2 hwmon i2c_core pcspkr forcedeth button cdrom pata_amd ata_generic sata_nv libata sd_mod scsi_mod ext3 jbd mbcache ehci_hcd ohci_hcd uhci_hcd
> Jan 23 12:37:16 bh-testlin1 kernel: Pid: 2163, comm: nfsd Tainted: P        2.6.24-rc8-panlayout #8
> Jan 23 12:37:16 bh-testlin1 kernel: RIP: 0010:[<ffffffff8824c604>]  [<ffffffff8824c604>] :nfsd:nfsd4_close+0xd3/0x123
> Jan 23 12:37:16 bh-testlin1 kernel: RSP: 0018:ffff81007d947dc0  EFLAGS: 00010246
> Jan 23 12:37:16 bh-testlin1 kernel: RAX: 0000000000200200 RBX: ffff810028118000 RCX: ffffffff8824c5d0
> Jan 23 12:37:16 bh-testlin1 kernel: RDX: 0000000000100100 RSI: ffffe20000909cd0 RDI: ffff810028118058
> Jan 23 12:37:16 bh-testlin1 kernel: RBP: ffff81007c524290 R08: 0000000000000166 R09: ffff810029516000
> Jan 23 12:37:16 bh-testlin1 kernel: R10: 0000000000000000 R11: ffff81007c524290 R12: ffff81007c4f0400
> Jan 23 12:37:16 bh-testlin1 kernel: R13: 0000000000000000 R14: ffff81007c4f0400 R15: ffff81007c4c4000
> Jan 23 12:37:16 bh-testlin1 kernel: FS:  00002ab8fd1ea6f0(0000) GS:ffffffff81371000(0000) knlGS:00000000f3a2cb90
> Jan 23 12:37:16 bh-testlin1 kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> Jan 23 12:37:16 bh-testlin1 kernel: CR2: 0000000000100108 CR3: 0000000073838000 CR4: 00000000000006e0
> Jan 23 12:37:16 bh-testlin1 kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> Jan 23 12:37:16 bh-testlin1 kernel: DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> Jan 23 12:37:16 bh-testlin1 kernel: Process nfsd (pid: 2163, threadinfo ffff81007d946000, task ffff81007d944000)
> Jan 23 12:37:16 bh-testlin1 kernel: Stack:  0000000000000000 ffffffff88264ec0 ffff810029516000 ffffffff88264da0
> Jan 23 12:37:16 bh-testlin1 kernel:  ffff81007c525000 ffff81007c524000 ffff81007c4f0400 ffffffff8823fef0
> Jan 23 12:37:16 bh-testlin1 kernel:  ffffffff882650f8 ffff81007c524288 ffff81007b8892c0 ffff81007c4c4000
> Jan 23 12:37:16 bh-testlin1 kernel: Call Trace:
> Jan 23 12:37:16 bh-testlin1 kernel:  [<ffffffff8823fef0>] :nfsd:nfsd4_proc_compound+0x2b1/0x476
> Jan 23 12:37:16 bh-testlin1 kernel:  [<ffffffff88231245>] :nfsd:nfsd_dispatch+0xde/0x1b6
> Jan 23 12:37:16 bh-testlin1 kernel:  [<ffffffff88187b9d>] :sunrpc:svc_process_common+0x2fc/0x5bd
> Jan 23 12:37:16 bh-testlin1 kernel:  [<ffffffff88188cce>] :sunrpc:svc_process+0x101/0x143
> Jan 23 12:37:16 bh-testlin1 kernel:  [<ffffffff88231819>] :nfsd:nfsd+0x1a1/0x2bc
> Jan 23 12:37:16 bh-testlin1 kernel:  [<ffffffff8100ccd8>] child_rip+0xa/0x12
> Jan 23 12:37:16 bh-testlin1 kernel:  [<ffffffff88231678>] :nfsd:nfsd+0x0/0x2bc
> Jan 23 12:37:16 bh-testlin1 kernel:  [<ffffffff8100ccce>] child_rip+0x0/0x12
> Jan 23 12:37:16 bh-testlin1 kernel:
> Jan 23 12:37:16 bh-testlin1 kernel:
> Jan 23 12:37:16 bh-testlin1 kernel: Code: 48 89 42 08 48 8b 35 69 53 02 00 48 89 10 48 c7 c2 70 19 27
> Jan 23 12:37:16 bh-testlin1 kernel: RIP  [<ffffffff8824c604>] :nfsd:nfsd4_close+0xd3/0x123
> Jan 23 12:37:16 bh-testlin1 kernel:  RSP <ffff81007d947dc0>
> Jan 23 12:37:16 bh-testlin1 kernel: CR2: 0000000000100108
> Jan 23 12:37:16 bh-testlin1 kernel: ---[ end trace 90ea1dfbd28e9e52 ]---
> 
> Signed-off-by: Benny Halevy <bhalevy at panasas.com>
> ---
>  fs/nfsd/nfs4state.c |    3 +++
>  1 files changed, 3 insertions(+), 0 deletions(-)
> 
> diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
> index 27f284f..d181817 100644
> --- a/fs/nfsd/nfs4state.c
> +++ b/fs/nfsd/nfs4state.c
> @@ -1739,6 +1739,9 @@ move_to_close_lru(struct nfs4_stateowner *sop)
>  {
>  	dprintk("NFSD: move_to_close_lru nfs4_stateowner %p\n", sop);
>  
> +	if (list_empty(&sop->so_close_lru))
> +		return;
> +
>  	list_move_tail(&sop->so_close_lru, &close_lru);
>  	sop->so_time = get_seconds();
>  }
> -- 
> 1.5.3.3
>

More information about the NFSv4 mailing list