From: Scott Mayhew <smayhew@redhat.com>
To: chuck.lever@oracle.com, bfields@fieldses.org
Cc: linux-nfs@vger.kernel.org
Subject: Re: [PATCH] SUNRPC: Fix oops in the rpc_xdr_buf event class
Date: Thu, 12 Nov 2020 15:21:11 -0500 [thread overview]
Message-ID: <20201112202111.GL4526@aion.usersys.redhat.com> (raw)
In-Reply-To: <20201112201732.1689680-1-smayhew@redhat.com>
On Thu, 12 Nov 2020, Scott Mayhew wrote:
> Backchannel rpc tasks don't have task->tk_client set, so it's necessary
> to check it for NULL before dereferencing.
This fixes an oops triggered by the following reproducer:
# echo 1 >/sys/kernel/debug/tracing/events/sunrpc/rpc_xdr_sendto/enable
# mount localhost:/export /mnt/t
# cat /mnt/t/file
# date >/export/file
[ 112.033689] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
[ 112.037302] PGD 0 P4D 0
[ 112.038492] Oops: 0000 [#1] SMP PTI
[ 112.040106] CPU: 2 PID: 1547 Comm: NFSv4 callback Kdump: loaded Not tainted 4.18.0-247.el8.x86_64 #1
[ 112.043259] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
[ 112.047166] RIP: 0010:trace_event_raw_event_rpc_xdr_buf_class+0x6d/0xf0 [sunrpc]
[ 112.049321] Code: ba 38 00 00 00 4c 89 e6 48 89 e7 e8 fd 03 45 f2 48 85 c0 74 4c 41 0f b7 95 f0 00 00 00 48 89 e7 89 50 08 49 8b 95 b8 00 00 00 <8b> 52 04 89 50 0c 48 8b 55 00 48 89 50 10 48 8b 55 08 48 89 50 18
[ 112.053443] RSP: 0018:ffffb8eb012f3ce0 EFLAGS: 00010286
[ 112.054393] RAX: ffff9892c7098618 RBX: 0000000000000003 RCX: 0000000000000000
[ 112.055663] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb8eb012f3ce0
[ 112.056957] RBP: ffff989339d99808 R08: 0000000000000000 R09: ffff9892c7098618
[ 112.058233] R10: ffff9892c709860c R11: ffff9892c7060e00 R12: ffff98932d693318
[ 112.059478] R13: ffff989328a8dd00 R14: ffff989339d998e0 R15: ffff98931d3e5f28
[ 112.060759] FS: 0000000000000000(0000) GS:ffff98933bb00000(0000) knlGS:0000000000000000
[ 112.062247] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 112.063266] CR2: 0000000000000004 CR3: 000000002a20a002 CR4: 0000000000760ee0
[ 112.064533] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 112.065772] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 112.067015] PKRU: 55555554
[ 112.067504] Call Trace:
[ 112.068006] xprt_transmit+0x2f4/0x420 [sunrpc]
[ 112.068813] ? __rpc_sleep_on_priority_timeout+0xe0/0xe0 [sunrpc]
[ 112.069886] ? call_bc_encode+0x20/0x20 [sunrpc]
[ 112.070691] call_bc_transmit+0x33/0x40 [sunrpc]
[ 112.071509] __rpc_execute+0x85/0x3c0 [sunrpc]
[ 112.072290] ? kvm_clock_get_cycles+0xd/0x10
[ 112.073048] ? ktime_get+0x36/0xa0
[ 112.073667] rpc_run_bc_task+0x7c/0xb0 [sunrpc]
[ 112.074471] bc_svc_process+0x28e/0x300 [sunrpc]
[ 112.075381] nfs41_callback_svc+0x12d/0x1a0 [nfsv4]
[ 112.076246] ? finish_wait+0x80/0x80
[ 112.076922] ? nfs_map_gid_to_group+0x130/0x130 [nfsv4]
[ 112.077833] kthread+0x116/0x130
[ 112.078415] ? kthread_flush_work_fn+0x10/0x10
[ 112.079173] ret_from_fork+0x35/0x40
[ 112.079818] Modules linked in: rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache intel_rapl_msr intel_rapl_common isst_if_common nfit libnvdimm kvm_intel kvm snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_dspcfg soundwire_intel irqbypass soundwire_generic_allocation snd_soc_core crct10dif_pclmul snd_compress crc32_pclmul soundwire_cadence soundwire_bus iTCO_wdt ghash_clmulni_intel iTCO_vendor_support snd_hda_codec qxl drm_ttm_helper ttm snd_hda_core snd_hwdep drm_kms_helper snd_seq snd_seq_device syscopyarea snd_pcm sysfillrect sysimgblt fb_sys_fops pcspkr snd_timer joydev drm snd soundcore virtio_balloon i2c_i801 lpc_ich nfsd nfs_acl lockd grace auth_rpcgss sunrpc ip_tables xfs libcrc32c ahci libahci libata crc32c_intel serio_raw virtio_console virtio_net net_failover failover virtio_blk
[ 112.095079] CR2: 0000000000000004
-Scott
>
> Fixes: c509f15a5801 ("SUNRPC: Split the xdr_buf event class")
>
> Signed-off-by: Scott Mayhew <smayhew@redhat.com>
> ---
> include/trace/events/sunrpc.h | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/include/trace/events/sunrpc.h b/include/trace/events/sunrpc.h
> index 2477014e3fa6..2a03263b5f9d 100644
> --- a/include/trace/events/sunrpc.h
> +++ b/include/trace/events/sunrpc.h
> @@ -68,7 +68,8 @@ DECLARE_EVENT_CLASS(rpc_xdr_buf_class,
>
> TP_fast_assign(
> __entry->task_id = task->tk_pid;
> - __entry->client_id = task->tk_client->cl_clid;
> + __entry->client_id = task->tk_client ?
> + task->tk_client->cl_clid : -1;
> __entry->head_base = xdr->head[0].iov_base;
> __entry->head_len = xdr->head[0].iov_len;
> __entry->tail_base = xdr->tail[0].iov_base;
> --
> 2.25.4
>
next prev parent reply other threads:[~2020-11-12 20:21 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-12 20:17 [PATCH] SUNRPC: Fix oops in the rpc_xdr_buf event class Scott Mayhew
2020-11-12 20:21 ` Scott Mayhew [this message]
2020-11-12 20:39 ` Chuck Lever
2020-11-12 21:03 ` Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201112202111.GL4526@aion.usersys.redhat.com \
--to=smayhew@redhat.com \
--cc=bfields@fieldses.org \
--cc=chuck.lever@oracle.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.