From: Scott Mayhew <smayhew@redhat.com>
To: Jamie Heilman <jamie@audible.transient.net>
Cc: "J. Bruce Fields" <bfields@redhat.com>,
linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: PROBLEM: NULL pointer dereference; nfsd4_remove_cld_pipe
Date: Tue, 12 Nov 2019 11:20:47 -0500 [thread overview]
Message-ID: <20191112162047.GF4276@coeurl.usersys.redhat.com> (raw)
In-Reply-To: <20191112101343.GA2806@audible.transient.net>
Hi Jamie,
On Tue, 12 Nov 2019, Jamie Heilman wrote:
> Giving 5.4.0-rc7 a spin I hit a NULL pointer dereference and bisected
> it to:
>
> commit 6ee95d1c899186c0798cafd25998d436bcdb9618
> Author: Scott Mayhew <smayhew@redhat.com>
> Date: Mon Sep 9 16:10:31 2019 -0400
>
> nfsd: add support for upcall version 2
>
>
> The splat against 5.3.0-rc2-00034-g6ee95d1c8991:
>
> BUG: kernel NULL pointer dereference, address: 0000000000000036
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 0 P4D 0
> Oops: 0000 [#1] PREEMPT SMP PTI
> CPU: 0 PID: 2936 Comm: rpc.nfsd Not tainted 5.3.0-rc2-00034-g6ee95d1c8991 #1
> Hardware name: Dell Inc. Precision WorkStation T3400 /0TP412, BIOS A14 04/30/2012
> RIP: 0010:crypto_destroy_tfm+0x5/0x4d
> Code: 78 01 00 00 48 85 c0 74 05 e9 05 05 66 00 c3 55 48 8b af 80 01 00 00 e8 d5 ff ff ff 48 89 ef 5d e9 12 f9 ef ff 48 85 ff 74 47 <48> 83 7e 30 00 41 55 4c 8b 6e 38 41 54 49 89 fc 55 48 89 f5 75 14
> RSP: 0018:ffffc90000b7bd68 EFLAGS: 00010282
> RAX: ffffffffa0402841 RBX: ffff888230484400 RCX: 0000000000002cd0
> RDX: 0000000000002cce RSI: 0000000000000006 RDI: fffffffffffffffe
> RBP: ffffffff81e68440 R08: ffff888232801800 R09: ffffffffa0402841
> R10: 0000000000000200 R11: ffff88823048ae40 R12: ffff888231585100
> R13: ffff88823048ae40 R14: 000000000000000b R15: ffff888230484400
> FS: 00007f02102c3740(0000) GS:ffff888233a00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000036 CR3: 0000000230f94000 CR4: 00000000000406f0
> Call Trace:
> nfsd4_remove_cld_pipe+0x6d/0x83 [nfsd]
> nfsd4_cld_tracking_init+0x1cf/0x295 [nfsd]
> nfsd4_client_tracking_init+0x72/0x13e [nfsd]
> nfs4_state_start_net+0x22a/0x2cf [nfsd]
> nfsd_svc+0x1c6/0x292 [nfsd]
> write_threads+0x68/0xb0 [nfsd]
> ? write_versions+0x333/0x333 [nfsd]
> nfsctl_transaction_write+0x4a/0x62 [nfsd]
> vfs_write+0xa0/0xdd
> ksys_write+0x71/0xba
> do_syscall_64+0x48/0x55
> entry_SYSCALL_64_after_hwframe+0x44/0xa9
> RIP: 0033:0x7f021056c904
> Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 48 8d 05 d9 3a 0d 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 48 89 54 24 18 48
> RSP: 002b:00007ffdc76ec618 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
> RAX: ffffffffffffffda RBX: 000055b534955560 RCX: 00007f021056c904
> RDX: 0000000000000002 RSI: 000055b534955560 RDI: 0000000000000003
> RBP: 0000000000000003 R08: 0000000000000000 R09: 00007ffdc76ec4b0
> R10: 00007ffdc76ec367 R11: 0000000000000246 R12: 0000000000000000
> R13: 0000000000000008 R14: 0000000000000000 R15: 000055b534b8a2a0
> Modules linked in: cpufreq_userspace cpufreq_powersave cpufreq_ondemand cpufreq_conservative autofs4 fan nfsd auth_rpcgss nfs lockd grace fscache sunrpc bridge stp llc nhpoly1305_sse2 nhpoly1305 aes_generic chacha_x86_64 chacha_generic adiantum poly1305_generic vhost_net tun vhost tap dm_crypt snd_hda_codec_analog snd_hda_codec_generic usb_storage snd_hda_intel kvm_intel snd_hda_codec kvm snd_hwdep snd_hda_core snd_pcm dcdbas snd_timer irqbypass snd soundcore sr_mod cdrom tg3 sg floppy evdev xfs dm_mod raid1 md_mod psmouse
> CR2: 0000000000000036
> ---[ end trace bc12bbe4cdd6319f ]---
> ...
> NFS: Registering the id_resolver key type
> Key type id_resolver registered
> Key type id_legacy registered
>
>
> My kernel config is at
> http://audible.transient.net/~jamie/k/upcallv2.config-5.3.0-rc2-00034-g6ee95d1c8991
>
> I don't think there's anything terribly interesting about my nfs
> server setup, this happens reliably on boot up, idle network, no
> active clients; let me know what else you need, happy to debug.
>
> --
> Jamie Heilman http://audible.transient.net/~jamie/
>
Please try this patch (v2 because I messed up the first one).
-Scott
[-- Attachment #2: 0001-nfsd-Fix-cld_net-cn_tfm-initialization.patch --]
From 34ae6455abfd81b47ab34b66ca88a29ff33c7d98 Mon Sep 17 00:00:00 2001
From: Scott Mayhew <smayhew@redhat.com>
Date: Tue, 12 Nov 2019 10:10:00 -0500
Subject: [PATCH v2] nfsd: Fix cld_net->cn_tfm initialization
Don't assign an error pointer to cn->cn_tfm, otherwise
an oops will occur in nfsd4_remove_cld_pipe().
Fixes: 6ee95d1c8991 ("nfsd: add support for upcall version 2")
Reported-by: Jamie Heilman <jamie@audible.transient.net>
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
---
fs/nfsd/nfs4recover.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c
index cdc75ad4438b..d1bc56b2e861 100644
--- a/fs/nfsd/nfs4recover.c
+++ b/fs/nfsd/nfs4recover.c
@@ -1578,6 +1578,7 @@ nfsd4_cld_tracking_init(struct net *net)
struct nfsd_net *nn = net_generic(net, nfsd_net_id);
bool running;
int retries = 10;
+ struct crypto_shash *tfm;
status = nfs4_cld_state_init(net);
if (status)
@@ -1586,11 +1587,12 @@ nfsd4_cld_tracking_init(struct net *net)
status = __nfsd4_init_cld_pipe(net);
if (status)
goto err_shutdown;
- nn->cld_net->cn_tfm = crypto_alloc_shash("sha256", 0, 0);
- if (IS_ERR(nn->cld_net->cn_tfm)) {
- status = PTR_ERR(nn->cld_net->cn_tfm);
+ tfm = crypto_alloc_shash("sha256", 0, 0);
+ if (IS_ERR(tfm)) {
+ status = PTR_ERR(tfm);
goto err_remove;
}
+ nn->cld_net->cn_tfm = tfm;
/*
* rpc pipe upcalls take 30 seconds to time out, so we don't want to
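Review bot: the error path at `goto err_remove` now leaves `nn->cld_net->cn_tfm` untouched, so nfsd4_remove_cld_pipe() no longer gets handed an ERR_PTR value to free; the reported trace is consistent with exactly that (RDI fffffffffffffffe is ERR_PTR(-2), i.e. -ENOENT from crypto_alloc_shash("sha256", 0, 0), and the faulting address 0000000000000036 is that pointer plus a small field offset read in crypto_destroy_tfm). The fix only works if cn_tfm is NULL when err_remove is taken, which depends on cld_net being zero-allocated in __nfsd4_init_cld_pipe() rather than on anything in this hunk; worth confirming that, and a short comment above `nn->cld_net->cn_tfm = tfm;` stating that cn_tfm must stay NULL until the allocation succeeds would make the invariant explicit for the next reader.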
--
2.17.2