NFS crash problem in readdirplus

Linux NFS development
 help / color / mirror / Atom feed

From: Steven <steven@void.org>
To: nfs@lists.sourceforge.net
Subject: NFS crash problem in readdirplus
Date: Fri, 01 Apr 2005 09:30:53 -0800	[thread overview]
Message-ID: <20050401173053.32F551154F4@dead.void.org> (raw)


A readdirplus call with count=0 reliably causes a server crash due to a
null pointer dereference.  The relevant information from my 
/var/log/messages is at the end of this message.

I believe this to be caused by the following code;

fs/nfsd/nfs3xdr.c:562:
int
nfs3svc_decode_readdirplusargs(struct svc_rqst *rqstp, u32 *p,
					struct nfsd3_readdirargs *args)
{
	int len, pn;

	if (!(p = decode_fh(p, &args->fh)))
		return 0;
	p = xdr_decode_hyper(p, &args->cookie);
	args->verf     = p; p += 2;
	args->dircount = ntohl(*p++);
	args->count    = ntohl(*p++);

	len = (args->count > NFSSVC_MAXBLKSIZE) ? NFSSVC_MAXBLKSIZE :
						  args->count;
	args->count = len;

here>	while (len > 0) {
		pn = rqstp->rq_resused;
		svc_take_page(rqstp);
		if (!args->buffer)
			args->buffer = page_address(rqstp->rq_respages[pn]);
		len -= PAGE_SIZE;
	}

	return xdr_argsize_check(rqstp, p);
}

If len is 0 then the while loop is never executed.

Here is my system information.  I have seen this happen on various 2.4
servers as well.

    # cat /proc/version
    Linux version 2.6.5-1.358 (bhcompile@bugs.build.redhat.com) (gcc version 3.3.3 20040412 (Red Hat Linux 3.3.3-7)) #1 Sat May 8 09:04:50 EDT 2004

--Steven

--- /var/log/messages ---

Mar 29 13:26:31 tc47 kernel: Unable to handle kernel NULL pointer dereference at
 virtual address 00000000
Mar 29 13:26:31 tc47 kernel:  printing eip:
Mar 29 13:26:31 tc47 kernel: 42aeef47
Mar 29 13:26:31 tc47 kernel: *pde = 00000000
Mar 29 13:26:31 tc47 kernel: Oops: 0002 [#1]
Mar 29 13:26:31 tc47 kernel: CPU:    0
Mar 29 13:26:31 tc47 kernel: EIP:    0060:[<42aeef47>]    Not tainted
Mar 29 13:26:31 tc47 kernel: EFLAGS: 00010246   (2.6.5-1.358) 
Mar 29 13:26:31 tc47 kernel: EIP is at nfs3svc_encode_readdirres+0x3f/0x89 [nfsd
]
Mar 29 13:26:31 tc47 kernel: eax: 00000000   ebx: 2d690800   ecx: 00000000   edx
: 00000000
Mar 29 13:26:31 tc47 kernel: esi: 2d6908f8   edi: 33e5b080   ebp: 03a92800   esp
: 3fe58f50
Mar 29 13:26:31 tc47 kernel: ds: 007b   es: 007b   ss: 0068
Mar 29 13:26:31 tc47 kernel: Process nfsd (pid: 1190, threadinfo=3fe58000 task=3
cf7f930)
Mar 29 13:26:31 tc47 kernel: Stack: 03a92864 03a92800 42aeef08 33e5b020 42b019e4
 42ae35a6 33e5b018 03a92864 
Mar 29 13:26:31 tc47 kernel:        03a92800 42b01a98 33e5b018 42a7ec24 fffffeff
 00000043 0000010c 00000100 
Mar 29 13:26:31 tc47 kernel:        000186a3 03a92840 42b019e4 42b01a98 42b00ee0
 03948504 00000000 18b7b1a1 
Mar 29 13:26:31 tc47 kernel: Call Trace:
Mar 29 13:26:31 tc47 kernel:  [<42aeef08>] nfs3svc_encode_readdirres+0x0/0x89 [n
fsd]
Mar 29 13:26:31 tc47 kernel:  [<42ae35a6>] nfsd_dispatch+0x117/0x165 [nfsd]
Mar 29 13:26:31 tc47 kernel:  [<42a7ec24>] svc_process+0x323/0x55f [sunrpc]
Mar 29 13:26:31 tc47 kernel:  [<42ae3355>] nfsd+0x18f/0x2c9 [nfsd]
Mar 29 13:26:31 tc47 kernel:  [<42ae31c6>] nfsd+0x0/0x2c9 [nfsd]
Mar 29 13:26:31 tc47 kernel:  [<021041d9>] kernel_thread_helper+0x5/0xb
Mar 29 13:26:31 tc47 kernel: 
Mar 29 13:26:31 tc47 kernel: Code: c7 02 00 00 00 00 81 bb f8 00 00 00 00 00 75 
31 0f 94 c0 0f 




-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs

next             reply	other threads:[~2005-04-01 17:32 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-04-01 17:30 Steven [this message]
2005-04-20  8:49 ` NFS crash problem in readdirplus Olaf Kirch
2005-04-20 18:34   ` Steven
2005-04-20 20:10     ` Trond Myklebust

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20050401173053.32F551154F4@dead.void.org \
    --to=steven@void.org \
    --cc=nfs@lists.sourceforge.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox