From: fanchaoting <fanchaoting@cn.fujitsu.com>
To: 范朝挺 <fanchaoting@cn.fujitsu.com>, linux-nfs@vger.kernel.org
Subject: [patch] nfs client oops when receive a 'read reply Malformed Packet'
Date: Wed, 20 Jun 2012 12:05:32 +0800
Message-ID: <4FE14C0C.9050400@cn.fujitsu.com>
The NFS client oopses when it receives a "read reply Malformed Packet".
I find that xdr->iov may be NULL when the client receives a
Malformed Packet (one that only has 'Status' and 'file_attributes').

rpcauth_unwrap_req_decode
  nfs3_xdr_dec_read3res
    decode_read3resok
      ......
      hdrlen = (u8 *)xdr->p - (u8 *)xdr->iov->iov_base; (oops xdr->iov is NULL)
      ......

rpcauth_unwrap_req_decode
  nfs3_xdr_dec_readlink3res
    decode_nfspath3
      .....
      hdrlen = (u8 *)xdr->p - (u8 *)xdr->iov->iov_base; (oops xdr->iov is NULL)
      .....

Jun 18 00:54:42 RHEL5GA kernel: [ 1339.874745] BUG: unable to handle kernel NULL pointer dereference at (null)
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.874823] IP: [<f963d31a>] nfs3_xdr_dec_read3res+0x6a/0x120 [nfs]
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.874905] *pdpt = 00000000368c6001 *pde = 0000000000000000
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.874961] Oops: 0000 [#1] SMP
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.874998] Modules linked in: nfs nfs_acl auth_rpcgss fscache lockd sunrpc ppdev snd_hda_codec_realtek parport_pc snd_hda_intel snd_hda_codec snd_hwdep snd_pcm snd_page_alloc snd_timer iTCO_wdt iTCO_vendor_support microcode parport snd i2c_i801 serio_raw r8169 soundcore 8139too 8139cp mii usb_storage i915 video i2c_algo_bit drm_kms_helper drm i2c_core [last unloaded: scsi_wait_scan]
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875393]
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875411] Pid: 4, comm: kworker/0:0 Not tainted 3.3.4-5.fc17.i686.PAE #1 Acer ASPIRE AG1720/E945GCZ
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875501] EIP: 0060:[<f963d31a>] EFLAGS: 00010246 CPU: 0
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875566] EIP is at nfs3_xdr_dec_read3res+0x6a/0x120 [nfs]
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875618] EAX: ff6f300c EBX: f4887ebc ECX: 00000000 EDX: 00000000
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875673] ESI: f37bdf5c EDI: 00000000 EBP: f4887ea0 ESP: f4887e7c
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] Process kworker/0:0 (pid: 4, ti=f4886000 task=f485a5b0 task.ti=f4886000)
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] Stack:
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] f7207b80 00000137 00000001 0251f8b2 00000000 00000000 f963d2b0 00000000
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] f6897000 f4887ee4 f958d563 f43a3b00 f7207b80 00000082 f4887ee0 f963d2b0
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] ff6f300c f689702c ff6f3032 00000000 00000000 00000000 f37bdf9c f37bde00
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] Call Trace:
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<f963d2b0>] ? nfs3_xdr_dec_readdir3res+0xf0/0xf0 [nfs]
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<f958d563>] rpcauth_unwrap_resp+0x73/0xb0 [sunrpc]
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<f963d2b0>] ? nfs3_xdr_dec_readdir3res+0xf0/0xf0 [nfs]
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<f9583cdb>] call_decode+0x17b/0x820 [sunrpc]
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<f963d2b0>] ? nfs3_xdr_dec_readdir3res+0xf0/0xf0 [nfs]
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<f958c1b2>] __rpc_execute+0x52/0x2a0 [sunrpc]
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<f958c410>] rpc_async_schedule+0x10/0x20 [sunrpc]
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<c045e4b8>] process_one_work+0x108/0x370
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<c045d440>] ? do_work_for_cpu+0x20/0x20
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<f958c400>] ? __rpc_execute+0x2a0/0x2a0 [sunrpc]
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<c045fa09>] worker_thread+0xf9/0x280
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<c046f26e>] ? complete+0x4e/0x60
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<c045f910>] ? manage_workers.isra.24+0x1d0/0x1d0
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<c04642e2>] kthread+0x72/0x80
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<c0464270>] ? flush_kthread_worker+0x70/0x70
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] [<c094b3be>] kernel_thread_helper+0x6/0x10
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] Code: 0c 00 00 00 89 d8 e8 d6 8d f5 ff 85 c0 74 68 8b 08 8b 50 04 0f c9 0f ca 89 55 ec 8b 50 08 89 cf 0f ca 39 d1 75 67 8b 53 0c 8b 03 <2b> 02 8b 53 04 8b 52 24 29 c2 39 d1 89 55 e8 77 75 89 d8 89 fa
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] EIP: [<f963d31a>] nfs3_xdr_dec_read3res+0x6a/0x120 [nfs] SS:ESP 0068:f4887e7c
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.875700] CR2: 0000000000000000
Jun 18 00:54:42 RHEL5GA kernel: [ 1339.899416] ---[ end trace 286ccde0ddd5fc09 ]---
messages-20130414:Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182093] BUG: unable to handle kernel NULL pointer dereference at (null)
messages-20130414:Apr 13 22:53:00 RHEL7alpha1 kernel: [ 964.326085] BUG: unable to handle kernel NULL pointer dereference at (null)
[root@RHEL7alpha1 log]# vim messages-20130414
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182719] FS: 00007f12eeadc7c0(0000) GS:ffff88003c200000(0000) knlGS:0000000000000000
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182788] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182827] CR2: 0000000000000000 CR3: 000000003950d000 CR4: 00000000000006f0
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182872] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] Process ls (pid: 1676, threadinfo ffff880037ae2000, task ffff880037cbcce0)
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] Stack:
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] ffff880037ae3b30 ffff8800371c2e38 ffff880037ae3b08 ffffffffa02ca5d8
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] ffff880037ae3b90 0000000000000082 ffff88003434aa00 ffff88003887a764
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] ffff880037ae3b98 ffffffffa00e1d3d ffff880037ae3b68 ffff8800371c2e38
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] Call Trace:
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa02ca5d8>] nfs3_xdr_dec_readlink3res+0x58/0x70 [nfs]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa00e1d3d>] rpcauth_unwrap_resp+0x9d/0xd0 [sunrpc]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa02ca580>] ? nfs3_xdr_dec_create3res+0x80/0x80 [nfs]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa00d653e>] call_decode+0x17e/0x250 [sunrpc]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa00e02a6>] __rpc_execute+0x66/0x1d0 [sunrpc]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa00e06d3>] rpc_execute+0x43/0x50 [sunrpc]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa00d7af5>] rpc_run_task+0x75/0x90 [sunrpc]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa00d7c13>] rpc_call_sync+0x43/0x70 [sunrpc]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa02b6234>] ? nfs_alloc_fattr+0x24/0x70 [nfs]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa02c74bb>] nfs3_rpc_wrapper.constprop.7+0x4b/0x80 [nfs]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa02c796b>] nfs3_proc_readlink+0x8b/0xf0 [nfs]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa02c1f50>] nfs_symlink_filler+0x30/0x70 [nfs]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffff8114c5f2>] do_read_cache_page+0x82/0x1a0
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa02e53c0>] ? nfs_mark_delegation_referenced+0x10/0x10 [nfs]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa02c1f20>] ? nfs_follow_link+0xc0/0xc0 [nfs]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffff8114c75c>] read_cache_page_async+0x1c/0x20
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffff8114c76e>] read_cache_page+0xe/0x20
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffffa02c1ec8>] nfs_follow_link+0x68/0xc0 [nfs]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffff811c0712>] generic_readlink+0x42/0xa0
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffff811b9e0d>] sys_readlinkat+0xad/0xb0
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffff810f4bbe>] ? audit_syscall_entry+0x30e/0x330
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffff811b9e2b>] sys_readlink+0x1b/0x20
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] [<ffffffff81639202>] system_call_fastpath+0x16/0x1b
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] Code: 2f e2 ff 48 85 c0 74 4d 44 8b 20 48 8b 53 08 41 0f cc 41 81 fc 00 10 00 00 77 71 44 39 62 2c 76 6b 48 8b 4b 18 48 8b 03 8b 52 38 <48> 2b 01 29 c2 44 39 e2 72 36 48 89 df 44 89 e6 e8 1a 2c e2 ff
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] RIP [<ffffffffa02c96e1>] decode_nfspath3+0x41/0xd0 [nfs]
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] RSP <ffff880037ae3ac8>
Apr 13 04:29:40 RHEL7alpha1 kernel: [ 963.182914] CR2: 0000000000000000
Signed-off-by: fanchaoting<fanchaoting@cn.fujitsu.com>
---
fs/nfs/nfs3xdr.c | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/fs/nfs/nfs3xdr.c b/fs/nfs/nfs3xdr.c
index 183c6b1..6f53070 100644
--- a/fs/nfs/nfs3xdr.c
+++ b/fs/nfs/nfs3xdr.c
@@ -250,6 +250,8 @@ static int decode_nfspath3(struct xdr_stream *xdr)
p = xdr_inline_decode(xdr, 4);
if (unlikely(p == NULL))
goto out_overflow;
+ if (unlikely(xdr->iov == NULL))
+ goto iov_null;
count = be32_to_cpup(p);
if (unlikely(count >= xdr->buf->page_len || count > NFS3_MAXPATHLEN))
goto out_nametoolong;
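Review bot: The new xdr->iov == NULL test in decode_nfspath3() sits right after the xdr_inline_decode() check, but neither the code nor the commit message says why iov can be NULL once xdr_inline_decode() has succeeded. Please add a short comment stating the condition (per the description, a reply carrying only 'Status' and 'file_attributes'), and consider placing the guard directly at the xdr->iov->iov_base dereference so the check and the use it protects stay together.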
@@ -269,6 +271,9 @@ out_cheating:
dprintk("NFS: server cheating in pathname result: "
"count %u > recvd %u\n", count, recvd);
return -EIO;
+iov_null:
+ dprintk("NFS: %s:xdr->iov is NULL\n", __func__);
+ return -EIO;
out_overflow:
print_overflow_msg(__func__, xdr);
return -EIO;
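Review bot: The iov_null label returns -EIO exactly like out_overflow just below it, so the extra exit path differs only in its message. Consider jumping to out_overflow instead; if the separate label stays, make the text describe the cause (a truncated or malformed reply) rather than the internal state, and add the missing space after the colon in "%s:xdr->iov".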
@@ -1588,6 +1593,8 @@ static int decode_read3resok(struct xdr_stream *xdr,
p = xdr_inline_decode(xdr, 4 + 4 + 4);
if (unlikely(p == NULL))
goto out_overflow;
+ if (unlikely(xdr->iov == NULL))
+ goto iov_null;
count = be32_to_cpup(p++);
eof = be32_to_cpup(p++);
ocount = be32_to_cpup(p++);
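Review bot: This is the same two-line guard as in decode_nfspath3(), copied into decode_read3resok(). A small shared helper, or a single check at the point where hdrlen is computed, would remove the duplication and make it harder to miss other decoders that use the same xdr->iov->iov_base expression; the description names only these two.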
@@ -1613,6 +1620,9 @@ out_cheating:
count = recvd;
eof = 0;
goto out;
+iov_null:
+ dprintk("NFS: %s:xdr->iov is NULL\n", __func__);
+ return -EIO;
out_overflow:
print_overflow_msg(__func__, xdr);
return -EIO;
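Review bot: In decode_read3resok() the adjacent out_cheating path recovers by setting "count = recvd; eof = 0;" and continuing, while the new iov_null path fails the whole READ with -EIO and reports it only through dprintk(). The commit message should say why a hard failure is the right outcome here, and because the trigger is a reply sent by the server, a message that is visible without debugging enabled is worth considering.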
--
1.7.7
[-- Attachment #2: dump.pcap --]
[-- Type: application/octet-stream, Size: 5478 bytes --]
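
A simplified userspace model of the failure described in the message above, added here as an illustration; it is not code from the patch or from the kernel. The struct layout, the model_* and run_case names, and the rule that iov is cleared once decoding leaves the head buffer are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <errno.h>

/* Simplified userspace stand-ins for the kernel types (assumption, not kernel code). */
struct kvec { void *iov_base; size_t iov_len; };
struct xdr_stream {
    uint32_t *p, *end;          /* cursor and end of the current segment */
    struct kvec *iov;           /* head kvec, or NULL once decoding has left it */
    uint32_t *page, *page_end;  /* page data that follows the head */
};

/* Assumed behaviour: when the head is used up, continue in page data and clear iov. */
static uint32_t *model_inline_decode(struct xdr_stream *x, size_t nbytes)
{
    size_t nwords = (nbytes + 3) / 4;
    if (x->p == x->end && x->iov != NULL) {
        x->p = x->page; x->end = x->page_end; x->iov = NULL;
    }
    if ((size_t)(x->end - x->p) < nwords)
        return NULL;                    /* the "out_overflow" case */
    uint32_t *p = x->p;
    x->p += nwords;
    return p;
}

/* Header-length step with the guard the patch adds in front of the dereference. */
static long model_decode_read3resok(struct xdr_stream *x, size_t skip_bytes)
{
    if (model_inline_decode(x, skip_bytes) == NULL)  /* status + attributes */
        return -EIO;
    uint32_t *p = model_inline_decode(x, 4 + 4 + 4); /* count, eof, ocount */
    if (p == NULL)
        return -EIO;
    if (x->iov == NULL)     /* without this, the next line dereferences NULL */
        return -EIO;
    return (long)((uint8_t *)x->p - (uint8_t *)x->iov->iov_base); /* hdrlen */
}

/* Constructed input: head_words is the size of the reply head in 32-bit words. */
static long run_case(size_t head_words)
{
    static uint32_t head[8], pages[8];
    struct kvec iov = { head, head_words * 4 };
    struct xdr_stream x = { head, head + head_words, &iov, pages, pages + 8 };
    return model_decode_read3resok(&x, 8); /* 8 bytes precede count/eof/ocount here */
}

int main(void) { return (run_case(5) == 20 && run_case(2) == -EIO) ? 0 : 1; }
```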