From: "J. Bruce Fields" <bfields@fieldses.org>
To: Jan Kara <jack@suse.cz>
Cc: "Toralf Förster" <toralf.foerster@gmx.de>,
"Linux NFS mailing list" <linux-nfs@vger.kernel.org>,
"user-mode-linux-devel@lists.sourceforge.net"
<user-mode-linux-devel@lists.sourceforge.net>,
linux-ext4@vger.kernel.org,
"Linux Kernel" <linux-kernel@vger.kernel.org>,
"J. Bruce Fields" <bfields@redhat.com>
Subject: Re: Issues with a rather unusual configured NFS server
Date: Tue, 13 Aug 2013 17:53:14 -0400 [thread overview]
Message-ID: <20130813215313.GH17781@fieldses.org> (raw)
In-Reply-To: <20130812143640.GF4596@quack.suse.cz>
On Mon, Aug 12, 2013 at 04:36:40PM +0200, Jan Kara wrote:
> On Sun 11-08-13 11:48:49, Toralf Förster wrote:
> > so that the server either crashes (if it is a user mode linux image) or at least its reboot functionality got broken
> > - if the NFS server is hammered with scary NFS calls using a fuzzy tool running at a remote NFS client under a non-privileged user id.
> >
> > It can re reproduced, if
> > - the NFS share is an EXT3 or EXT4 directory
> > - and it is created at file located at tempfs and mounted via loop device
> > - and the NFS server is forced to umount the NFS share
> > - and the server forced to restart the NSF service afterwards
> > - and trinity is used
> >
> > I could find a scenario for an automated bisect. 2 times it brought this commit
> > commit 68a3396178e6688ad7367202cdf0af8ed03c8727
> > Author: J. Bruce Fields <bfields@redhat.com>
> > Date: Thu Mar 21 11:21:50 2013 -0400
> >
> > nfsd4: shut down more of delegation earlier
Thanks for the report. I think I see the problem--after this commit
nfs4_set_delegation() failures result in nfs4_put_delegation being
called, but nfs4_put_delegation doesn't free the nfs4_file that has
already been set by alloc_init_deleg().
Let me think about how to fix that....
--b.
> Added Bruce to CC.
>
> > to be the one after which the user mode linux server crashes with a back trace like this:
> >
> >
> > $ cat /mnt/ramdisk/bt.v3.11-rc4-172-g8ae3f1d
> > [New LWP 14025]
> > Core was generated by `/home/tfoerste/devel/linux/linux earlyprintk ubda=/home/tfoerste/virtual/uml/tr'.
> > Program terminated with signal 6, Aborted.
> > #0 0xb77ef424 in __kernel_vsyscall ()
> > #0 0xb77ef424 in __kernel_vsyscall ()
> > #1 0x083a33c5 in kill ()
> > #2 0x0807163d in uml_abort () at arch/um/os-Linux/util.c:93
> > #3 0x08071925 in os_dump_core () at arch/um/os-Linux/util.c:138
> > #4 0x080613a7 in panic_exit (self=0x85a1518 <panic_exit_notifier>, unused1=0, unused2=0x85d6ce0 <buf.15904>) at arch/um/kernel/um_arch.c:240
> > #5 0x0809a3b8 in notifier_call_chain (nl=0x0, val=0, v=0x85d6ce0 <buf.15904>, nr_to_call=-2, nr_calls=0x0) at kernel/notifier.c:93
> > #6 0x0809a503 in __atomic_notifier_call_chain (nr_calls=<optimized out>, nr_to_call=<optimized out>, v=<optimized out>, val=<optimized out>, nh=<optimized out>) at kernel/notifier.c:182
> > #7 atomic_notifier_call_chain (nh=0x85d6cc4 <panic_notifier_list>, val=0, v=0x85d6ce0 <buf.15904>) at kernel/notifier.c:191
> > #8 0x08400ba8 in panic (fmt=0x0) at kernel/panic.c:128
> > #9 0x0818edf4 in ext4_put_super (sb=0x4a042690) at fs/ext4/super.c:818
> > #10 0x081010d2 in generic_shutdown_super (sb=0x4a042690) at fs/super.c:418
> > #11 0x0810209a in kill_block_super (sb=0x0) at fs/super.c:1028
> > #12 0x08100f6a in deactivate_locked_super (s=0x4a042690) at fs/super.c:299
> > #13 0x08101001 in deactivate_super (s=0x4a042690) at fs/super.c:324
> > #14 0x08118e0c in mntfree (mnt=<optimized out>) at fs/namespace.c:891
> > #15 mntput_no_expire (mnt=0x0) at fs/namespace.c:929
> > #16 0x0811a2f5 in SYSC_umount (flags=<optimized out>, name=<optimized out>) at fs/namespace.c:1335
> > #17 SyS_umount (name=134541632, flags=0) at fs/namespace.c:1305
> > #18 0x0811a369 in SYSC_oldumount (name=<optimized out>) at fs/namespace.c:1347
> > #19 SyS_oldumount (name=134541632) at fs/namespace.c:1345
> > #20 0x080618e2 in handle_syscall (r=0x49e919d4) at arch/um/kernel/skas/syscall.c:35
> > #21 0x08073c0d in handle_trap (local_using_sysemu=<optimized out>, regs=<optimized out>, pid=<optimized out>) at arch/um/os-Linux/skas/process.c:198
> > #22 userspace (regs=0x49e919d4) at arch/um/os-Linux/skas/process.c:431
> > #23 0x0805e65c in fork_handler () at arch/um/kernel/process.c:160
> > #24 0x00000000 in ?? ()
> >
> >
> >
> > A real system however would not crash bug would give a kernel BUG as reported here:
> > http://article.gmane.org/gmane.comp.file-systems.ext4/38915
> We have deleted inodes (regular files) in the orphan list during
> ext4_put_super(). My guess is that NFS is still holding some inode
> references to these inodes and thus inodes don't get deleted. So ext3/4
> would be just a victim here.
>
> > Furthermore the server won't be able any longer to reboot - it would hang
> > infinitely in the reboot phase. Just the magic sysrq keys still works
> > then.
> Well, this is likely because the filesystem cannot be shut down.
>
> Honza
> --
> Jan Kara <jack@suse.cz>
> SUSE Labs, CR
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: "J. Bruce Fields" <bfields@fieldses.org>
To: Jan Kara <jack@suse.cz>
Cc: "Toralf Förster" <toralf.foerster@gmx.de>,
"Linux NFS mailing list" <linux-nfs@vger.kernel.org>,
"user-mode-linux-devel@lists.sourceforge.net"
<user-mode-linux-devel@lists.sourceforge.net>,
linux-ext4@vger.kernel.org,
"Linux Kernel" <linux-kernel@vger.kernel.org>,
"J. Bruce Fields" <bfields@redhat.com>
Subject: Re: Issues with a rather unusual configured NFS server
Date: Tue, 13 Aug 2013 17:53:14 -0400 [thread overview]
Message-ID: <20130813215313.GH17781@fieldses.org> (raw)
In-Reply-To: <20130812143640.GF4596@quack.suse.cz>
On Mon, Aug 12, 2013 at 04:36:40PM +0200, Jan Kara wrote:
> On Sun 11-08-13 11:48:49, Toralf Förster wrote:
> > so that the server either crashes (if it is a user mode linux image) or at least its reboot functionality got broken
> > - if the NFS server is hammered with scary NFS calls using a fuzzy tool running at a remote NFS client under a non-privileged user id.
> >
> > It can re reproduced, if
> > - the NFS share is an EXT3 or EXT4 directory
> > - and it is created at file located at tempfs and mounted via loop device
> > - and the NFS server is forced to umount the NFS share
> > - and the server forced to restart the NSF service afterwards
> > - and trinity is used
> >
> > I could find a scenario for an automated bisect. 2 times it brought this commit
> > commit 68a3396178e6688ad7367202cdf0af8ed03c8727
> > Author: J. Bruce Fields <bfields@redhat.com>
> > Date: Thu Mar 21 11:21:50 2013 -0400
> >
> > nfsd4: shut down more of delegation earlier
Thanks for the report. I think I see the problem--after this commit
nfs4_set_delegation() failures result in nfs4_put_delegation being
called, but nfs4_put_delegation doesn't free the nfs4_file that has
already been set by alloc_init_deleg().
Let me think about how to fix that....
--b.
> Added Bruce to CC.
>
> > to be the one after which the user mode linux server crashes with a back trace like this:
> >
> >
> > $ cat /mnt/ramdisk/bt.v3.11-rc4-172-g8ae3f1d
> > [New LWP 14025]
> > Core was generated by `/home/tfoerste/devel/linux/linux earlyprintk ubda=/home/tfoerste/virtual/uml/tr'.
> > Program terminated with signal 6, Aborted.
> > #0 0xb77ef424 in __kernel_vsyscall ()
> > #0 0xb77ef424 in __kernel_vsyscall ()
> > #1 0x083a33c5 in kill ()
> > #2 0x0807163d in uml_abort () at arch/um/os-Linux/util.c:93
> > #3 0x08071925 in os_dump_core () at arch/um/os-Linux/util.c:138
> > #4 0x080613a7 in panic_exit (self=0x85a1518 <panic_exit_notifier>, unused1=0, unused2=0x85d6ce0 <buf.15904>) at arch/um/kernel/um_arch.c:240
> > #5 0x0809a3b8 in notifier_call_chain (nl=0x0, val=0, v=0x85d6ce0 <buf.15904>, nr_to_call=-2, nr_calls=0x0) at kernel/notifier.c:93
> > #6 0x0809a503 in __atomic_notifier_call_chain (nr_calls=<optimized out>, nr_to_call=<optimized out>, v=<optimized out>, val=<optimized out>, nh=<optimized out>) at kernel/notifier.c:182
> > #7 atomic_notifier_call_chain (nh=0x85d6cc4 <panic_notifier_list>, val=0, v=0x85d6ce0 <buf.15904>) at kernel/notifier.c:191
> > #8 0x08400ba8 in panic (fmt=0x0) at kernel/panic.c:128
> > #9 0x0818edf4 in ext4_put_super (sb=0x4a042690) at fs/ext4/super.c:818
> > #10 0x081010d2 in generic_shutdown_super (sb=0x4a042690) at fs/super.c:418
> > #11 0x0810209a in kill_block_super (sb=0x0) at fs/super.c:1028
> > #12 0x08100f6a in deactivate_locked_super (s=0x4a042690) at fs/super.c:299
> > #13 0x08101001 in deactivate_super (s=0x4a042690) at fs/super.c:324
> > #14 0x08118e0c in mntfree (mnt=<optimized out>) at fs/namespace.c:891
> > #15 mntput_no_expire (mnt=0x0) at fs/namespace.c:929
> > #16 0x0811a2f5 in SYSC_umount (flags=<optimized out>, name=<optimized out>) at fs/namespace.c:1335
> > #17 SyS_umount (name=134541632, flags=0) at fs/namespace.c:1305
> > #18 0x0811a369 in SYSC_oldumount (name=<optimized out>) at fs/namespace.c:1347
> > #19 SyS_oldumount (name=134541632) at fs/namespace.c:1345
> > #20 0x080618e2 in handle_syscall (r=0x49e919d4) at arch/um/kernel/skas/syscall.c:35
> > #21 0x08073c0d in handle_trap (local_using_sysemu=<optimized out>, regs=<optimized out>, pid=<optimized out>) at arch/um/os-Linux/skas/process.c:198
> > #22 userspace (regs=0x49e919d4) at arch/um/os-Linux/skas/process.c:431
> > #23 0x0805e65c in fork_handler () at arch/um/kernel/process.c:160
> > #24 0x00000000 in ?? ()
> >
> >
> >
> > A real system however would not crash bug would give a kernel BUG as reported here:
> > http://article.gmane.org/gmane.comp.file-systems.ext4/38915
> We have deleted inodes (regular files) in the orphan list during
> ext4_put_super(). My guess is that NFS is still holding some inode
> references to these inodes and thus inodes don't get deleted. So ext3/4
> would be just a victim here.
>
> > Furthermore the server won't be able any longer to reboot - it would hang
> > infinitely in the reboot phase. Just the magic sysrq keys still works
> > then.
> Well, this is likely because the filesystem cannot be shut down.
>
> Honza
> --
> Jan Kara <jack@suse.cz>
> SUSE Labs, CR
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
next prev parent reply other threads:[~2013-08-13 21:53 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-11 9:48 Issues with a rather unusual configured NFS server Toralf Förster
2013-08-11 9:48 ` [uml-devel] " Toralf Förster
2013-08-11 9:48 ` Toralf Förster
[not found] ` <52075E01.7030506-Mmb7MZpHnFY@public.gmane.org>
2013-08-12 14:36 ` Jan Kara
2013-08-12 14:36 ` Jan Kara
2013-08-12 14:36 ` Jan Kara
2013-08-13 21:53 ` J. Bruce Fields [this message]
2013-08-13 21:53 ` J. Bruce Fields
2013-08-14 16:44 ` Toralf Förster
2013-08-14 16:44 ` Toralf Förster
2013-08-27 18:06 ` J. Bruce Fields
2013-08-27 18:06 ` J. Bruce Fields
2013-08-27 18:06 ` J. Bruce Fields
2013-08-28 17:21 ` Toralf Förster
2013-08-28 17:21 ` Toralf Förster
2013-08-29 9:57 ` [uml-devel] " richard -rw- weinberger
2013-08-29 9:57 ` richard -rw- weinberger
2013-08-29 13:30 ` J. Bruce Fields
2013-08-29 13:30 ` J. Bruce Fields
[not found] ` <20130829133010.GA14773-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2013-08-30 14:10 ` Toralf Förster
2013-08-30 14:10 ` Toralf Förster
2013-08-30 14:10 ` Toralf Förster
2013-08-30 14:25 ` J. Bruce Fields
2013-08-30 14:25 ` J. Bruce Fields
2013-08-30 14:36 ` Richard Weinberger
2013-08-30 14:36 ` Richard Weinberger
2013-09-01 16:09 ` Toralf Förster
2013-09-01 21:15 ` Richard Weinberger
2013-09-02 16:53 ` Toralf Förster
2013-09-02 16:56 ` Richard Weinberger
[not found] ` <CAFLxGvyK5+nB9TgW1uPho9KGwQrWQHx=wEpj+o-mZcN92bWAOg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-08-30 18:27 ` Michael Richardson
2013-08-30 18:27 ` Michael Richardson
2013-09-07 20:44 ` Toralf Förster
2013-09-07 20:44 ` Toralf Förster
2013-09-07 20:44 ` Toralf Förster
[not found] ` <522B9010.8070902-Mmb7MZpHnFY@public.gmane.org>
2013-09-07 20:51 ` [uml-devel] " richard -rw- weinberger
2013-09-07 20:51 ` richard -rw- weinberger
2013-09-07 20:51 ` richard -rw- weinberger
2013-09-10 14:09 ` J. Bruce Fields
2013-09-10 14:09 ` J. Bruce Fields
2013-09-10 14:09 ` J. Bruce Fields
[not found] ` <20130910140937.GD16011-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2013-09-10 15:51 ` Toralf Förster
2013-09-10 15:51 ` Toralf Förster
2013-09-10 15:51 ` Toralf Förster
2013-09-22 16:58 ` Toralf Förster
2013-09-22 16:58 ` Toralf Förster
2013-09-22 16:58 ` Toralf Förster
2013-09-23 17:41 ` J. Bruce Fields
2013-09-23 17:41 ` J. Bruce Fields
2013-09-23 17:41 ` J. Bruce Fields
[not found] ` <20130923174129.GA19720-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>
2013-10-02 20:29 ` Toralf Förster
2013-10-02 20:29 ` Toralf Förster
2013-10-02 20:29 ` Toralf Förster
-- strict thread matches above, loose matches on Subject: below --
2013-09-27 14:53 Marc Meledandri
2013-09-28 15:37 Marc Meledandri
2013-10-01 14:34 ` J. Bruce Fields
2013-10-02 1:24 ` Marc Meledandri
2013-10-02 14:04 ` J. Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130813215313.GH17781@fieldses.org \
--to=bfields@fieldses.org \
--cc=bfields@redhat.com \
--cc=jack@suse.cz \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=toralf.foerster@gmx.de \
--cc=user-mode-linux-devel@lists.sourceforge.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.