From: Vitaliy Gusev <gusev.vitaliy@gmail.com>
To: Trond.Myklebust@netapp.com
Cc: linux-fsdevel@vger.kernel.org, akpm@linux-foundation.org
Subject: [nfs] Oops during call nfs_mountpoint_inode_operations->lookup() method
Date: Mon, 17 Jan 2011 19:55:58 +0300
Message-ID: <AANLkTi=fPGsawjfUG-9ozgP45FkxuVVkHJbd50wxL0ti@mail.gmail.com>
Hello!
I tried to mount an NFS4.1 server and caught an Oops in the NFS4.1 client.
After some investigation I saw that the NFSv4 client is also buggy.
A simple NFSv4 server modification can raise an Oops in any Linux NFSv4 client since
commit c02d7adf8c5429727a98bad1d039bccad4c61c50.
The problem is a dereference and call of the i_op->lookup method, but
nfs_mountpoint_inode_operations doesn't have that.
Oops in NFSv4 client:
[ 4022.269400] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 4022.269406] IP: [<(null)>] (null)
[ 4022.269442] PGD 0
[ 4022.269446] Oops: 0010 [#1] SMP
[ 4022.269448] last sysfs file: /sys/devices/virtual/bdi/0:21/uevent
[ 4022.269458] CPU 0
[ 4022.269459] Modules linked in: nfs_layout_nfsv41_files nfs lockd
fscache nfs_acl auth_rpcgss fuse sunrpc ip6t_REJECT nf_conntrack_ipv6
ip6table_filter ip6_tables ipv6 uinput vmw_balloon microcode ppdev
snd_ens1371 gameport snd_rawmidi snd_ac97_codec ac97_bus snd_seq
snd_seq_device parport_pc parport snd_pcm snd_timer snd e1000
soundcore snd_page_alloc i2c_piix4 shpchp i2c_core mptspi mptscsih
mptbase scsi_transport_spi [last unloaded: speedstep_lib]
[ 4022.269555]
[ 4022.269561] Pid: 2581, comm: mount.nfs4 Not tainted
2.6.36-1.pnfs_all_2010_11_03.fc15.x86_64 #1 440BX Desktop Reference
Platform/VMware Virtual Platform
[ 4022.269564] RIP: 0010:[<0000000000000000>] [<(null)>] (null)
[ 4022.269567] RSP: 0018:ffff880032469bc0 EFLAGS: 00010282
[ 4022.269569] RAX: ffffffffa02c7a60 RBX: ffff8800333cf858 RCX: 000000000000cb90
[ 4022.269571] RDX: ffff8800323ef5a8 RSI: ffff8800333cf858 RDI: ffff880016242268
[ 4022.269573] RBP: ffff880032469be8 R08: ffff880016242358 R09: ffffffff811406cd
[ 4022.269575] R10: ffffffff811406cd R11: ffffffff81a42798 R12: ffff880016242268
[ 4022.269577] R13: ffff880032469c78 R14: ffff880016242358 R15: ffff8800333cf5c8
[ 4022.269591] FS: 00007f61dcb96720(0000) GS:ffff880004400000(0000)
knlGS:0000000000000000
[ 4022.269594] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 4022.269596] CR2: 0000000000000000 CR3: 000000003210a000 CR4: 00000000000006f0
[ 4022.269630] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 4022.269649] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 4022.269652] Process mount.nfs4 (pid: 2581, threadinfo
ffff880032468000, task ffff88003106c880)
[ 4022.269654] Stack:
[ 4022.269655] ffffffff8113740c ffff880032469be8 ffff8800323ef5a8
ffff8800323ef5a8
[ 4022.269659] <0> ffff880032469c68 ffff880032469c38 ffffffff8113753c
ffff880016242268
[ 4022.269664] <0> ffff88002f708500 ffff880032469c18 ffff8800323ef5a8
ffff8800196c18f8
[ 4022.269668] Call Trace:
[ 4022.269710] [<ffffffff8113740c>] ? d_alloc_and_lookup+0x4c/0x74
[ 4022.269715] [<ffffffff8113753c>] do_lookup+0xbb/0x10d
[ 4022.269731] [<ffffffff8113882a>] link_path_walk+0x1bf/0x47c
[ 4022.269753] [<ffffffff8107d99d>] ? trace_hardirqs_off+0xd/0xf
[ 4022.269756] [<ffffffff8107dddb>] ? lock_release_holdtime+0x54/0x5b
[ 4022.269760] [<ffffffff81138bdc>] path_walk+0x4f/0x9f
[ 4022.269763] [<ffffffff81138c90>] vfs_path_lookup+0x64/0xaa
[ 4022.269817] [<ffffffffa029b4e4>] nfs_follow_remote_path+0x167/0x2a0 [nfs]
[ 4022.269828] [<ffffffffa029c575>] nfs4_try_mount.clone.11+0x78/0xb2 [nfs]
[ 4022.269838] [<ffffffffa029c60c>] nfs4_get_sb+0x5d/0xd3 [nfs]
[ 4022.269841] [<ffffffff81130823>] vfs_kern_mount+0xad/0x1ac
[ 4022.269844] [<ffffffff8113098a>] do_kern_mount+0x4d/0xef
[ 4022.269851] [<ffffffff81147756>] do_mount+0x1df/0x239
[ 4022.269854] [<ffffffff81147890>] sys_mount+0x88/0xc2
[ 4022.269884] [<ffffffff81009d72>] system_call_fastpath+0x16/0x1b
[ 4022.269887] Code: Bad RIP value.
[ 4022.269905] RIP [<(null)>] (null)
[ 4022.269907] RSP <ffff880032469bc0>
[ 4022.269908] CR2: 0000000000000000
[ 4022.269925] ---[ end trace 40f778ff7786c338 ]---
------------
TEST NFSv4 server modification:
diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
index 4aa6278..181048e 100644
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -2042,9 +2042,11 @@ nfsd4_encode_fattr(struct svc_fh *fhp, struct
svc_export *exp,
WRITE64(NFS4_REFERRAL_FSID_MAJOR);
WRITE64(NFS4_REFERRAL_FSID_MINOR);
} else switch(fsid_source(fhp)) {
+ static unsigned key = 0;
case FSIDSOURCE_FSID:
- WRITE64((u64)exp->ex_fsid);
+ WRITE64((u64)exp->ex_fsid + key);
WRITE64((u64)0);
+ key++;
break;
case FSIDSOURCE_DEV:
WRITE32(0);
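Review bot: `key` in the FSIDSOURCE_FSID case is a function-local static bumped with a bare `key++`, with no lock or atomic, so nfsd threads encoding attributes concurrently race on it and the fsid a client receives depends on scheduling; use an atomic counter if the reproducer is meant to be deterministic. The declaration `static unsigned key = 0;` also sits between `switch(...) {` and the first `case` label, which works only because a static initializer does not need the statement to be reached; declaring it at the top of the function would read better. Only the FSIDSOURCE_FSID branch is perturbed, so an export whose fsid comes from FSIDSOURCE_DEV will not reproduce the client oops; a comment stating that this is a test-only change and which export configuration it needs would help anyone re-running it.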
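Added example, not part of the original message or of any kernel code: a small triage helper that reads the fields of the oops above and separates a call through a NULL function pointer (instruction fetch at address 0, as here with the missing `lookup` method) from an ordinary NULL data dereference. The function name `triage_oops` and the category labels are this example's own, and the sample is a constructed excerpt of the log in the message.

```python
import re

# Constructed sample: selected lines copied from the oops in the message above.
SAMPLE_OOPS = """\
[ 4022.269400] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 4022.269446] Oops: 0010 [#1] SMP
[ 4022.269564] RIP: 0010:[<0000000000000000>] [<(null)>] (null)
[ 4022.269668] Call Trace:
[ 4022.269710] [<ffffffff8113740c>] ? d_alloc_and_lookup+0x4c/0x74
[ 4022.269715] [<ffffffff8113753c>] do_lookup+0xbb/0x10d
[ 4022.269731] [<ffffffff8113882a>] link_path_walk+0x1bf/0x47c
[ 4022.269887] Code: Bad RIP value.
[ 4022.269908] CR2: 0000000000000000
"""

PF_INSTR = 0x10  # x86 page-fault error code bit 4: the fault was an instruction fetch
OOPS_RE = re.compile(r"Oops: ([0-9a-f]{4})\b")
RIP_RE = re.compile(r"RIP: [0-9a-f]{4}:\[<([0-9a-f]+)>\]")
CR2_RE = re.compile(r"CR2: ([0-9a-f]+)")
FRAME_RE = re.compile(r"\[<[0-9a-f]+>\] (\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def triage_oops(text):
    """Classify an x86-64 page-fault oops and return its call-trace symbols."""
    err = rip = cr2 = None
    frames, in_trace = [], False
    for line in text.splitlines():
        if m := OOPS_RE.search(line):
            err = int(m.group(1), 16)
        if m := RIP_RE.search(line):
            rip = int(m.group(1), 16)
        if m := CR2_RE.search(line):
            cr2 = int(m.group(1), 16)
        if "Call Trace:" in line:
            in_trace = True
        elif in_trace and (m := FRAME_RE.search(line)):
            # A leading "?" marks an address the unwinder could not verify.
            frames.append((m.group(2), m.group(1) is None))
    if None in (err, rip, cr2):
        kind = "incomplete"
    elif err & PF_INSTR and rip == 0 and cr2 == 0:
        # The CPU tried to execute address 0: an indirect call through a NULL
        # function pointer. The return address it pushed names the caller.
        kind = "null-function-pointer-call"
    elif cr2 < 4096:
        kind = "null-data-dereference"
    else:
        kind = "other-page-fault"
    return {"kind": kind, "caller": frames[0][0] if frames else None, "frames": frames}
```

On the sample, the first trace entry is `d_alloc_and_lookup`, flagged as unverified by the unwinder but matching the return address at the top of the stack dump.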