From: "J. Bruce Fields" <bfields@fieldses.org>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: linux-nfs@vger.kernel.org, linux-fsdevel@vger.kernel.org,
jlayton@redhat.com
Subject: Re: linux-next NFSD: NULL pointer dereference at nfsd_svc()
Date: Fri, 6 Aug 2010 17:27:28 -0400 [thread overview]
Message-ID: <20100806212727.GC29536@fieldses.org> (raw)
In-Reply-To: <20100805213107.GB13821@fieldses.org>
On Thu, Aug 05, 2010 at 05:31:07PM -0400, J. Bruce Fields wrote:
> On Thu, Aug 05, 2010 at 04:46:12PM -0400, J. Bruce Fields wrote:
> > On Thu, Aug 05, 2010 at 10:10:16AM +0900, Tetsuo Handa wrote:
> > > J. Bruce Fields wrote:
> > > > Maybe figuring out exactly hwere that is would help work out what's
> > > > going on. Doing
> > > >
> > > > make net/sunrpc/svc.lst
> > > >
> > > > then looking for c1356dd4 (or just mailing me svc.lst) could help.
> > >
> > > "make net/sunrpc/svc.lst" failed due to following error.
> > >
> > > BFD: Dwarf Error: Abbrev offset (3238007024) greater than or equal to .debug_abbrev size (1607).
> > >
> > > Manual printk() debug reported that
> > > rqstp->rq_argp == rqstp->rq_resp == ZERO_SIZE_PTR and
> >
> > Huh. As far as I can tell that will only happen if you've not no nfsd
> > versions defined; how is that happening?
>
> OK, I think it's another startup-order problem: depending on how things
> are started up, sv_nrthreads may already be nonzero, causing us to skip
> nfsd_reset_versions(), so that the loop in __svc_create() ends up
> leaving xdrsize 0, and then the kmalloc's in svc_prepare_thread() assign
> ZERO_SIZE_PTR.
>
> I need to think a little more about what we should be doing here.
Bah, so what you were hitting was simple--I just moved the
nfsd_reset_versions() call to the wrong place; the below should fix it.
There's also a couple other bugs in the area.
Thanks for the -next testing!
--b.
commit e844a7b9805a2b74cfd34c8604f5bba3e0869305
Author: J. Bruce Fields <bfields@redhat.com>
Date: Fri Aug 6 15:48:03 2010 -0400
nfsd: initialize nfsd versions before creating svc
Commit 59db4a0c102e0de226a3395dbf25ea51bf845937 "nfsd: move more into
nfsd_startup()" inadvertently moved nfsd_versions after
nfsd_create_svc(). On older distributions using an rpc.nfsd that does
not explicitly set the list of nfsd versions, this results in
svc-create_pooled() being called with an empty versions array. The
resulting incomplete initialization leads to a NULL dereference in
svc_process_common() the first time a client accesses the server.
Move nfsd_reset_versions() back before the svc_create_pooled(); this
time, put it closer to the svc_create_pooled() call, to make this
mistake more difficult in the future.
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c
index 39ced4a..e2c4346 100644
--- a/fs/nfsd/nfssvc.c
+++ b/fs/nfsd/nfssvc.c
@@ -224,7 +224,6 @@ static int nfsd_startup(unsigned short port, int nrservs)
ret = nfs4_state_start();
if (ret)
goto out_lockd;
- nfsd_reset_versions();
nfsd_up = true;
return 0;
out_lockd:
@@ -329,6 +328,7 @@ int nfsd_create_serv(void)
nfsd_max_blksize >= 8*1024*2)
nfsd_max_blksize /= 2;
}
+ nfsd_reset_versions();
nfsd_serv = svc_create_pooled(&nfsd_program, nfsd_max_blksize,
nfsd_last_thread, nfsd, THIS_MODULE);
WARNING: multiple messages have this Message-ID (diff)
From: "J. Bruce Fields" <bfields-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
To: Tetsuo Handa
<penguin-kernel-JPay3/Yim36HaxMnTkn67Xf5DAMn2ifp@public.gmane.org>
Cc: linux-nfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org
Subject: Re: linux-next NFSD: NULL pointer dereference at nfsd_svc()
Date: Fri, 6 Aug 2010 17:27:28 -0400 [thread overview]
Message-ID: <20100806212727.GC29536@fieldses.org> (raw)
In-Reply-To: <20100805213107.GB13821-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
On Thu, Aug 05, 2010 at 05:31:07PM -0400, J. Bruce Fields wrote:
> On Thu, Aug 05, 2010 at 04:46:12PM -0400, J. Bruce Fields wrote:
> > On Thu, Aug 05, 2010 at 10:10:16AM +0900, Tetsuo Handa wrote:
> > > J. Bruce Fields wrote:
> > > > Maybe figuring out exactly hwere that is would help work out what's
> > > > going on. Doing
> > > >
> > > > make net/sunrpc/svc.lst
> > > >
> > > > then looking for c1356dd4 (or just mailing me svc.lst) could help.
> > >
> > > "make net/sunrpc/svc.lst" failed due to following error.
> > >
> > > BFD: Dwarf Error: Abbrev offset (3238007024) greater than or equal to .debug_abbrev size (1607).
> > >
> > > Manual printk() debug reported that
> > > rqstp->rq_argp == rqstp->rq_resp == ZERO_SIZE_PTR and
> >
> > Huh. As far as I can tell that will only happen if you've not no nfsd
> > versions defined; how is that happening?
>
> OK, I think it's another startup-order problem: depending on how things
> are started up, sv_nrthreads may already be nonzero, causing us to skip
> nfsd_reset_versions(), so that the loop in __svc_create() ends up
> leaving xdrsize 0, and then the kmalloc's in svc_prepare_thread() assign
> ZERO_SIZE_PTR.
>
> I need to think a little more about what we should be doing here.
Bah, so what you were hitting was simple--I just moved the
nfsd_reset_versions() call to the wrong place; the below should fix it.
There's also a couple other bugs in the area.
Thanks for the -next testing!
--b.
commit e844a7b9805a2b74cfd34c8604f5bba3e0869305
Author: J. Bruce Fields <bfields-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Date: Fri Aug 6 15:48:03 2010 -0400
nfsd: initialize nfsd versions before creating svc
Commit 59db4a0c102e0de226a3395dbf25ea51bf845937 "nfsd: move more into
nfsd_startup()" inadvertently moved nfsd_versions after
nfsd_create_svc(). On older distributions using an rpc.nfsd that does
not explicitly set the list of nfsd versions, this results in
svc-create_pooled() being called with an empty versions array. The
resulting incomplete initialization leads to a NULL dereference in
svc_process_common() the first time a client accesses the server.
Move nfsd_reset_versions() back before the svc_create_pooled(); this
time, put it closer to the svc_create_pooled() call, to make this
mistake more difficult in the future.
Signed-off-by: J. Bruce Fields <bfields-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c
index 39ced4a..e2c4346 100644
--- a/fs/nfsd/nfssvc.c
+++ b/fs/nfsd/nfssvc.c
@@ -224,7 +224,6 @@ static int nfsd_startup(unsigned short port, int nrservs)
ret = nfs4_state_start();
if (ret)
goto out_lockd;
- nfsd_reset_versions();
nfsd_up = true;
return 0;
out_lockd:
@@ -329,6 +328,7 @@ int nfsd_create_serv(void)
nfsd_max_blksize >= 8*1024*2)
nfsd_max_blksize /= 2;
}
+ nfsd_reset_versions();
nfsd_serv = svc_create_pooled(&nfsd_program, nfsd_max_blksize,
nfsd_last_thread, nfsd, THIS_MODULE);
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2010-08-06 21:28 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-08-02 7:47 linux-next NFSD: NULL pointer dereference at nfsd_svc() Tetsuo Handa
2010-08-02 14:32 ` Jeff Layton
2010-08-02 14:36 ` Jeff Layton
2010-08-02 18:16 ` J. Bruce Fields
2010-08-02 18:16 ` J. Bruce Fields
2010-08-02 18:53 ` Jeff Layton
2010-08-03 1:09 ` Tetsuo Handa
2010-08-03 1:09 ` Tetsuo Handa
2010-08-03 15:48 ` J. Bruce Fields
2010-08-03 16:24 ` J. Bruce Fields
2010-08-04 0:13 ` Tetsuo Handa
2010-08-04 0:13 ` Tetsuo Handa
[not found] ` <201008040013.o740DmYK024832-etx+eQDEXHD7nzcFbJAaVXf5DAMn2ifp@public.gmane.org>
2010-08-04 19:40 ` J. Bruce Fields
2010-08-04 19:40 ` J. Bruce Fields
2010-08-05 1:10 ` Tetsuo Handa
2010-08-05 1:10 ` Tetsuo Handa
2010-08-05 20:46 ` J. Bruce Fields
2010-08-05 20:46 ` J. Bruce Fields
2010-08-05 21:31 ` J. Bruce Fields
2010-08-05 21:31 ` J. Bruce Fields
2010-08-06 1:37 ` Tetsuo Handa
2010-08-06 1:37 ` Tetsuo Handa
2010-08-06 21:27 ` J. Bruce Fields [this message]
2010-08-06 21:27 ` J. Bruce Fields
2010-08-06 22:05 ` J. Bruce Fields
2010-08-06 22:05 ` J. Bruce Fields
2010-08-06 22:10 ` J. Bruce Fields
2010-08-07 1:48 ` Tetsuo Handa
2010-08-07 1:48 ` Tetsuo Handa
2010-08-07 2:33 ` J. Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100806212727.GC29536@fieldses.org \
--to=bfields@fieldses.org \
--cc=jlayton@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.