[pnfs] null deref in nfs41_proc_setup_sequence_call

Benny Halevy bhalevy at panasas.com
Thu Mar 8 08:31:54 EST 2007 

I hit the following null dereference in nfs41_proc_setup_sequence_call
with the pnfs code (w/ marc's latest patch he sent to the list)
I'm not sure how exactly it happened but I suspect it has to do with an
prior unsuccessful mount. The call to rpcauth_lookupcred
dereferences server->client without checking whether it is null
and the following patch works around that.

The question is whether this state (server->client == NULL) is legal
at this point.  If it is, then the patch is correct as a fix, otherwise
I suggest adding a BUG_ON(!server->client) instead and fixing the real bug.

Benny

diff -Npu /tmp/tmp.9016.0 /var/export/home/bhalevy/p4.local/pnfs-dev/fs/nfs/nfs4proc.c -L a/fs/nfs/nfs4proc.c -L b/fs/nfs/nfs4proc.c
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -285,6 +285,8 @@ static int nfs41_proc_setup_sequence_cal

        status = -1;
        list_for_each_entry(server, &clp->cl_superblocks, nfs4_siblings) {
+               if (!server->client)
+                       continue;
                cred = rpcauth_lookupcred(server->client->cl_auth, 0);
                if (IS_ERR(cred))
                        continue;

Here's the oops output:

Mar  8 14:53:43 bh-testlin1 kernel: [ 9988.762019] general protection fault: 0000 [1] PREEMPT SMP
Mar  8 14:53:43 bh-testlin1 kernel: [ 9988.778867] CPU 0
Mar  8 14:53:43 bh-testlin1 kernel: [ 9988.784943] Modules linked in: panfs nfsd exportfs ipv6 autofs4 nfs lockd nfs_acl sunrpc forcedeth ext3 jbd sata_nv libata sd_mod scsi_mod
Mar  8 14:53:43 bh-testlin1 kernel: [ 9988.823015] Pid: 6575, comm: mount Tainted: PF     2.6.18.3-largeio-pnfs-bh #10
Mar  8 14:53:43 bh-testlin1 kernel: [ 9988.844901] RIP: 0010:[<ffffffff880f10df>]  [<ffffffff880f10df>] :nfs:nfs41_proc_setup_sequence_call+0xf2/0x183
Mar  8 14:53:43 bh-testlin1 kernel: [ 9988.875182] RSP: 0018:ffff81000f399818  EFLAGS: 00010246
Mar  8 14:53:43 bh-testlin1 kernel: [ 9988.891091] RAX: 6b6b6b6b6b6b6b6b RBX: ffff81001997cda8 RCX: ffff8100101d4228
Mar  8 14:53:43 bh-testlin1 kernel: [ 9988.912440] RDX: ffff81001997cf30 RSI: 0000000000000000 RDI: ffff81000f399908
Mar  8 14:53:43 bh-testlin1 kernel: [ 9988.933788] RBP: ffff81000f399848 R08: 0000000000000000 R09: 0000000000000000
Mar  8 14:53:43 bh-testlin1 kernel: [ 9988.955136] R10: 0000000000000000 R11: 0000000000000000 R12: 00000000ffffffff
Mar  8 14:53:43 bh-testlin1 kernel: [ 9988.976485] R13: ffff8100101d4158 R14: ffff81000f3998c8 R15: ffff81000f3998f8
Mar  8 14:53:43 bh-testlin1 kernel: [ 9988.997832] FS:  00002ae672b26b00(0000) GS:ffffffff8054a000(0000) knlGS:0000000000000000
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.022047] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.039254] CR2: 00002b068483b000 CR3: 000000000b41c000 CR4: 00000000000006e0
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.060603] Process mount (pid: 6575, threadinfo ffff81000f398000, task ffff81001a7450c0)
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.085076] Stack:  0000000000000000 ffff81000d2b4270 ffff81000f3998c8 ffff81000d2b4270
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.109288]  ffff81000d2b4320 ffff81000f399a58 ffff81000f399a38 ffffffff880f6e5e
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.131624]  5359535f48545541 ffff81000f399a98 0000000000003133 000000000000000d
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.153388] Call Trace:
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.161312]  [<ffffffff880f6e5e>] :nfs:nfs4_proc_get_root+0x177/0x369
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.180592]  [<ffffffff802cfe10>] vsnprintf+0x583/0x5ce
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.196251]  [<ffffffff8026bef2>] kmem_cache_alloc_node+0xe4/0xed
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.214505]  [<ffffffff8026c7ab>] kmalloc_node+0x25/0x2a
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.230419]  [<ffffffff880e2988>] :nfs:nfs_sb_init+0xc0/0x6ee
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.247617]  [<ffffffff8026bdc7>] cache_alloc_debugcheck_after+0x170/0x1b7
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.268213]  [<ffffffff880a6f8e>] :sunrpc:rpc_alloc_iostats+0x2f/0x37
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.287482]  [<ffffffff803a0f7d>] _spin_unlock_irqrestore+0x1b/0x37
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.306231]  [<ffffffff803a0b6f>] _spin_lock_irqsave+0x1f/0x7d
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.323684]  [<ffffffff803a0f7d>] _spin_unlock_irqrestore+0x1b/0x37
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.348544]  [<ffffffff802ced7c>] __up_write+0x10c/0x118
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.364481]  [<ffffffff880e4458>] :nfs:nfs4_get_sb+0x50c/0x573
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.381939]  [<ffffffff802791f8>] vfs_kern_mount+0x51/0x90
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.398377]  [<ffffffff80279270>] do_kern_mount+0x39/0x50
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.414530]  [<ffffffff8028dfae>] do_mount+0x686/0x6cc
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.429906]  [<ffffffff80377bd1>] tcp_time_wait+0x36a/0x379
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.446578]  [<ffffffff803a0f7d>] _spin_unlock_irqrestore+0x1b/0x37
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.465330]  [<ffffffff802cec68>] __up_read+0x92/0x9a
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.480441]  [<ffffffff8028d8d2>] copy_mount_options+0xd8/0x12e
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.498156]  [<ffffffff8023b9ea>] search_exception_tables+0x22/0x33
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.516907]  [<ffffffff803a329c>] do_page_fault+0x603/0x80a
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.533579]  [<ffffffff8033b341>] sock_destroy_inode+0x14/0x16
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.551033]  [<ffffffff802566a9>] __inc_zone_state+0x11/0x6d
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.567963]  [<ffffffff802568f1>] zone_statistics+0x70/0x75
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.584638]  [<ffffffff80250992>] get_page_from_freelist+0x21f/0x3f0
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.603650]  [<ffffffff8020a4f5>] error_exit+0x0/0x84
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.618790]  [<ffffffff8028e2df>] sys_mount+0x8a/0xd3
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.633904]  [<ffffffff802097f6>] system_call+0x7e/0x83
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.649537]
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.653996]
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.653997] Code: 48 8b 78 30 e8 43 ca fa ff 48 3d 00 f0 ff ff 48 89 c6 76 24
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.681162] RIP  [<ffffffff880f10df>] :nfs:nfs41_proc_setup_sequence_call+0xf2/0x183
Mar  8 14:53:43 bh-testlin1 kernel: [ 9989.704423]  RSP <ffff81000f399818>

The full diff from today's git is attched
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20070308.patch
Type: application/x-patch
Size: 10284 bytes
Desc: not available
Url : http://linux-nfs.org/pipermail/pnfs/attachments/20070308/89536775/attachment-0001.bin

More information about the pNFS mailing list