* NULL dereference from nfs_destroy_server, with possible fix.
@ 2012-12-13 0:05 NeilBrown
2012-12-13 1:05 ` Myklebust, Trond
0 siblings, 1 reply; 3+ messages in thread
From: NeilBrown @ 2012-12-13 0:05 UTC (permalink / raw)
To: Myklebust, Trond; +Cc: NFS
Hi,
I recently managed to get the following stack trace, though I haven't been
able to reproduce it.
Dec 12 17:17:04 hp kernel: [22684.894434] BUG: unable to handle kernel NULL pointer dereference at 0000000000000310
Dec 12 17:17:04 hp kernel: [22684.894490] IP: [<ffffffff813248f9>] nlmclnt_done+0x9/0x30
Dec 12 17:17:04 hp kernel: [22684.894529] PGD 13cc5a067 PUD 13ca0a067 PMD 0
Dec 12 17:17:04 hp kernel: [22684.894593] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
Dec 12 17:17:04 hp kernel: [22684.894660] Modules linked in:
Dec 12 17:17:04 hp kernel: [22684.894691] CPU 0
Dec 12 17:17:04 hp kernel: [22684.894708] Pid: 6874, comm: ls Not tainted 3.7.0-rc1+ #323 HP ProLiant ML310 G3
Dec 12 17:17:04 hp kernel: [22684.894745] RIP: 0010:[<ffffffff813248f9>] [<ffffffff813248f9>] nlmclnt_done+0x9/0x30
Dec 12 17:17:04 hp kernel: [22684.894783] RSP: 0018:ffff880139d59958 EFLAGS: 00010292
Dec 12 17:17:04 hp kernel: [22684.894804] RAX: 0000000000000000 RBX: ffff88013760e7f0 RCX: 0000000000000000
Dec 12 17:17:04 hp kernel: [22684.894829] RDX: 0000000000000046 RSI: 0000000000000001 RDI: 0000000000000000
Dec 12 17:17:04 hp kernel: [22684.894852] RBP: ffff880139d59968 R08: 0000000000000000 R09: 0000000000000000
Dec 12 17:17:04 hp kernel: [22684.894878] R10: 0000000000000001 R11: 0000000000000000 R12: dead000000200200
Dec 12 17:17:04 hp kernel: [22684.894900] R13: ffff88013bdfaed0 R14: dead000000200200 R15: ffff880139fde7f0
Dec 12 17:17:04 hp kernel: [22684.894924] FS: 00007f279bbf57c0(0000) GS:ffff880147c00000(0000) knlGS:0000000000000000
Dec 12 17:17:04 hp kernel: [22684.894947] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
Dec 12 17:17:04 hp kernel: [22684.894968] CR2: 0000000000000310 CR3: 0000000137ea1000 CR4: 00000000000007f0
Dec 12 17:17:04 hp kernel: [22684.894995] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Dec 12 17:17:04 hp kernel: [22684.895017] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Dec 12 17:17:04 hp kernel: [22684.895039] Process ls (pid: 6874, threadinfo ffff880139d58000, task ffff88013bbdc050)
Dec 12 17:17:04 hp kernel: [22684.895061] Stack:
Dec 12 17:17:04 hp kernel: [22684.895079] ffff880139d59978 ffff88013760e7f0 ffff880139d59978 ffffffff812c41ff
Dec 12 17:17:04 hp kernel: [22684.895148] ffff880139d599b8 ffffffff812c4eab ffffffff812c4d9b ffff88013760e7f0
Dec 12 17:17:04 hp kernel: [22684.895220] ffff88013760e7f0 ffffffffffffff8c ffff88013e3a7ef0 00000000ffffff8c
Dec 12 17:17:04 hp kernel: [22684.895287] Call Trace:
Dec 12 17:17:04 hp kernel: [22684.895312] [<ffffffff812c41ff>] nfs_destroy_server+0x1f/0x30
Dec 12 17:17:04 hp kernel: [22684.895337] [<ffffffff812c4eab>] nfs_free_server+0x13b/0x200
Dec 12 17:17:04 hp kernel: [22684.895362] [<ffffffff812c4d9b>] ? nfs_free_server+0x2b/0x200
Dec 12 17:17:04 hp kernel: [22684.895386] [<ffffffff812c511b>] nfs_clone_server+0x1ab/0x250
Dec 12 17:17:04 hp kernel: [22684.895411] [<ffffffff812dc498>] nfs3_clone_server+0x18/0x50
Dec 12 17:17:04 hp kernel: [22684.895437] [<ffffffff812ce202>] nfs_xdev_mount+0x82/0x120
Dec 12 17:17:04 hp kernel: [22684.895462] [<ffffffff812ce300>] ? nfs_set_super+0x60/0x60
Dec 12 17:17:04 hp kernel: [22684.895486] [<ffffffff812cdd60>] ? nfs_set_sb_security+0x10/0x10
Dec 12 17:17:04 hp kernel: [22684.895512] [<ffffffff8116a3bb>] mount_fs+0x1b/0xd0
Dec 12 17:17:04 hp kernel: [22684.895545] [<ffffffff811843bf>] vfs_kern_mount+0x6f/0x110
Dec 12 17:17:04 hp kernel: [22684.895569] [<ffffffff812d8f62>] nfs_do_submount+0xa2/0x150
Dec 12 17:17:04 hp kernel: [22684.895593] [<ffffffff812d908e>] nfs_submount+0x7e/0xa0
Dec 12 17:17:04 hp kernel: [22684.895617] [<ffffffff812d917c>] nfs_d_automount+0xcc/0x1c0
Dec 12 17:17:04 hp kernel: [22684.895643] [<ffffffff811706c0>] follow_managed+0x150/0x310
Dec 12 17:17:04 hp kernel: [22684.895668] [<ffffffff811710e1>] lookup_fast+0x1c1/0x310
Dec 12 17:17:04 hp kernel: [22684.895693] [<ffffffff811744ac>] do_last.isra.57+0x17c/0xc50
Dec 12 17:17:04 hp kernel: [22684.895717] [<ffffffff811718a3>] ? inode_permission+0x13/0x50
Dec 12 17:17:04 hp kernel: [22684.895741] [<ffffffff81171d6d>] ? link_path_walk+0x22d/0x8f0
Dec 12 17:17:04 hp kernel: [22684.895766] [<ffffffff81175033>] path_openat.isra.58+0xb3/0x4c0
Dec 12 17:17:04 hp kernel: [22684.895791] [<ffffffff811716db>] ? getname_flags+0x2b/0x110
Dec 12 17:17:04 hp kernel: [22684.895816] [<ffffffff8118285f>] ? __alloc_fd+0x2f/0x130
Dec 12 17:17:04 hp kernel: [22684.895842] [<ffffffff8117579c>] do_filp_open+0x3c/0x90
Dec 12 17:17:04 hp kernel: [22684.895866] [<ffffffff81182909>] ? __alloc_fd+0xd9/0x130
Dec 12 17:17:04 hp kernel: [22684.895891] [<ffffffff8116614f>] do_sys_open+0xef/0x1d0
The problem is that nfs_destroy_server is calling nlmclnt_done(NULL).
This can happen if nfs_clone_server() is called on a v2/v3 mount but gets an
error between
server->destroy = source->destroy;
(which sets server->destroy to nfs_destroy_server without setting
server->nlm_host) and
error = nfs_start_lockd(server);
(which sets both server->destroy and server->nlm_host).
If this happens then nfs_free_server() calls ->destroy() which crashes as
shown.
Maybe this patch?
Signed-off-by: NeilBrown <neilb@suse.de>
diff --git a/fs/nfs/client.c b/fs/nfs/client.c
index 8b39a42..b6603bb 100644
--- a/fs/nfs/client.c
+++ b/fs/nfs/client.c
@@ -617,7 +617,8 @@ static void nfs_destroy_server(struct nfs_server *server)
{
if (!(server->flags & NFS_MOUNT_LOCAL_FLOCK) ||
!(server->flags & NFS_MOUNT_LOCAL_FCNTL))
- nlmclnt_done(server->nlm_host);
+ if (server->nlm_host)
+ nlmclnt_done(server->nlm_host);
}
/*
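Review bot: once nlm_host is NULL-checked, the surrounding server->flags test adds nothing: nlm_host is only populated by nfs_start_lockd(), so `if (server->nlm_host) nlmclnt_done(server->nlm_host);` on its own covers both the flags case and the nfs_clone_server() error window described above, and it avoids an unbraced `if` nested under a two-line condition, which is easy to misread.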
Thanks,
NeilBrown
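The error-path ordering described above, as an added user-space model (not code from the thread or from the kernel): a clone copies ->destroy from its source before nfs_start_lockd() has populated nlm_host, an injected error then leaves that window open, and the original flag-guarded destructor reaches nlmclnt_done(NULL) while the pointer-guarded one from the follow-up patch does not. The struct layouts, flag values, inject_error and the call counter are stand-ins chosen for the model, not the kernel's own.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define NFS_MOUNT_LOCAL_FLOCK 0x1   /* stand-in flag values, not the kernel's */
#define NFS_MOUNT_LOCAL_FCNTL 0x2

struct nlm_host { int placeholder; };   /* stand-in for the real nlm_host */

struct nfs_server {
    unsigned int flags;
    struct nlm_host *nlm_host;
    void (*destroy)(struct nfs_server *);
};
static int null_done_calls;   /* how often nlmclnt_done(NULL) was reached */

/* Stand-in for nlmclnt_done(): the real one dereferences host at once (the
 * Oops in the trace); the model only records the bad call and returns. */
static void nlmclnt_done(struct nlm_host *host)
{
    if (!host) { null_done_calls++; return; }
    free(host);
}

/* Destructor as it stood before the thread: the flags are the only guard. */
static void nfs_destroy_server_unguarded(struct nfs_server *server)
{
    if (!(server->flags & NFS_MOUNT_LOCAL_FLOCK) ||
        !(server->flags & NFS_MOUNT_LOCAL_FCNTL))
        nlmclnt_done(server->nlm_host);
}
/* Destructor from the second patch: the pointer itself is the guard. */
static void nfs_destroy_server_fixed(struct nfs_server *server)
{
    if (server->nlm_host)
        nlmclnt_done(server->nlm_host);
}
/* Model of nfs_start_lockd(): allocate the NLM host unless both local-locking
 * flags are set; only after this does ->destroy have something to release. */
static int nfs_start_lockd(struct nfs_server *server)
{
    if ((server->flags & NFS_MOUNT_LOCAL_FLOCK) &&
        (server->flags & NFS_MOUNT_LOCAL_FCNTL))
        return 0;
    server->nlm_host = malloc(sizeof *server->nlm_host);
    return server->nlm_host ? 0 : -ENOMEM;
}

/* Model of nfs_clone_server(): ->destroy is copied before nfs_start_lockd()
 * runs, so an error in between (inject_error) leaves nlm_host NULL while
 * ->destroy is already live. That is the window described in the thread. */
static int nfs_clone_server(struct nfs_server *server,
                            const struct nfs_server *source, int inject_error)
{
    server->flags = source->flags;
    server->destroy = source->destroy;
    if (inject_error)
        return -EIO;
    return nfs_start_lockd(server);
}

/* One clone with the given destructor, then the teardown nfs_free_server()
 * performs on both the error path and the normal one. Returns how many times
 * nlmclnt_done(NULL) was reached: 1 means the real kernel would have Oopsed. */
int clone_null_done_calls(void (*destroy)(struct nfs_server *), int inject_error)
{
    struct nfs_server source = { .flags = 0, .nlm_host = NULL, .destroy = destroy };
    struct nfs_server clone;
    memset(&clone, 0, sizeof clone);   /* kzalloc-style: nlm_host starts NULL */
    null_done_calls = 0;
    nfs_clone_server(&clone, &source, inject_error);
    if (clone.destroy)
        clone.destroy(&clone);
    return null_done_calls;
}
```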
* Re: NULL dereference from nfs_destroy_server, with possible fix.
2012-12-13 0:05 NULL dereference from nfs_destroy_server, with possible fix NeilBrown
@ 2012-12-13 1:05 ` Myklebust, Trond
2012-12-13 1:13 ` NeilBrown
0 siblings, 1 reply; 3+ messages in thread
From: Myklebust, Trond @ 2012-12-13 1:05 UTC (permalink / raw)
To: NeilBrown; +Cc: NFS
On Thu, 2012-12-13 at 11:05 +1100, NeilBrown wrote:
> Hi,
>
> I recently managed to get the following stack trace, though I haven't been
> able to reproduce it.
>
> Dec 12 17:17:04 hp kernel: [22684.894434] BUG: unable to handle kernel NULL pointer dereference at 0000000000000310
> Dec 12 17:17:04 hp kernel: [22684.894490] IP: [<ffffffff813248f9>] nlmclnt_done+0x9/0x30
> Dec 12 17:17:04 hp kernel: [22684.894529] PGD 13cc5a067 PUD 13ca0a067 PMD 0
> Dec 12 17:17:04 hp kernel: [22684.894593] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
> Dec 12 17:17:04 hp kernel: [22684.894660] Modules linked in:
> Dec 12 17:17:04 hp kernel: [22684.894691] CPU 0
> Dec 12 17:17:04 hp kernel: [22684.894708] Pid: 6874, comm: ls Not tainted 3.7.0-rc1+ #323 HP ProLiant ML310 G3
> Dec 12 17:17:04 hp kernel: [22684.894745] RIP: 0010:[<ffffffff813248f9>] [<ffffffff813248f9>] nlmclnt_done+0x9/0x30
> Dec 12 17:17:04 hp kernel: [22684.894783] RSP: 0018:ffff880139d59958 EFLAGS: 00010292
> Dec 12 17:17:04 hp kernel: [22684.894804] RAX: 0000000000000000 RBX: ffff88013760e7f0 RCX: 0000000000000000
> Dec 12 17:17:04 hp kernel: [22684.894829] RDX: 0000000000000046 RSI: 0000000000000001 RDI: 0000000000000000
> Dec 12 17:17:04 hp kernel: [22684.894852] RBP: ffff880139d59968 R08: 0000000000000000 R09: 0000000000000000
> Dec 12 17:17:04 hp kernel: [22684.894878] R10: 0000000000000001 R11: 0000000000000000 R12: dead000000200200
> Dec 12 17:17:04 hp kernel: [22684.894900] R13: ffff88013bdfaed0 R14: dead000000200200 R15: ffff880139fde7f0
> Dec 12 17:17:04 hp kernel: [22684.894924] FS: 00007f279bbf57c0(0000) GS:ffff880147c00000(0000) knlGS:0000000000000000
> Dec 12 17:17:04 hp kernel: [22684.894947] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> Dec 12 17:17:04 hp kernel: [22684.894968] CR2: 0000000000000310 CR3: 0000000137ea1000 CR4: 00000000000007f0
> Dec 12 17:17:04 hp kernel: [22684.894995] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> Dec 12 17:17:04 hp kernel: [22684.895017] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> Dec 12 17:17:04 hp kernel: [22684.895039] Process ls (pid: 6874, threadinfo ffff880139d58000, task ffff88013bbdc050)
> Dec 12 17:17:04 hp kernel: [22684.895061] Stack:
> Dec 12 17:17:04 hp kernel: [22684.895079] ffff880139d59978 ffff88013760e7f0 ffff880139d59978 ffffffff812c41ff
> Dec 12 17:17:04 hp kernel: [22684.895148] ffff880139d599b8 ffffffff812c4eab ffffffff812c4d9b ffff88013760e7f0
> Dec 12 17:17:04 hp kernel: [22684.895220] ffff88013760e7f0 ffffffffffffff8c ffff88013e3a7ef0 00000000ffffff8c
> Dec 12 17:17:04 hp kernel: [22684.895287] Call Trace:
> Dec 12 17:17:04 hp kernel: [22684.895312] [<ffffffff812c41ff>] nfs_destroy_server+0x1f/0x30
> Dec 12 17:17:04 hp kernel: [22684.895337] [<ffffffff812c4eab>] nfs_free_server+0x13b/0x200
> Dec 12 17:17:04 hp kernel: [22684.895362] [<ffffffff812c4d9b>] ? nfs_free_server+0x2b/0x200
> Dec 12 17:17:04 hp kernel: [22684.895386] [<ffffffff812c511b>] nfs_clone_server+0x1ab/0x250
> Dec 12 17:17:04 hp kernel: [22684.895411] [<ffffffff812dc498>] nfs3_clone_server+0x18/0x50
> Dec 12 17:17:04 hp kernel: [22684.895437] [<ffffffff812ce202>] nfs_xdev_mount+0x82/0x120
> Dec 12 17:17:04 hp kernel: [22684.895462] [<ffffffff812ce300>] ? nfs_set_super+0x60/0x60
> Dec 12 17:17:04 hp kernel: [22684.895486] [<ffffffff812cdd60>] ? nfs_set_sb_security+0x10/0x10
> Dec 12 17:17:04 hp kernel: [22684.895512] [<ffffffff8116a3bb>] mount_fs+0x1b/0xd0
> Dec 12 17:17:04 hp kernel: [22684.895545] [<ffffffff811843bf>] vfs_kern_mount+0x6f/0x110
> Dec 12 17:17:04 hp kernel: [22684.895569] [<ffffffff812d8f62>] nfs_do_submount+0xa2/0x150
> Dec 12 17:17:04 hp kernel: [22684.895593] [<ffffffff812d908e>] nfs_submount+0x7e/0xa0
> Dec 12 17:17:04 hp kernel: [22684.895617] [<ffffffff812d917c>] nfs_d_automount+0xcc/0x1c0
> Dec 12 17:17:04 hp kernel: [22684.895643] [<ffffffff811706c0>] follow_managed+0x150/0x310
> Dec 12 17:17:04 hp kernel: [22684.895668] [<ffffffff811710e1>] lookup_fast+0x1c1/0x310
> Dec 12 17:17:04 hp kernel: [22684.895693] [<ffffffff811744ac>] do_last.isra.57+0x17c/0xc50
> Dec 12 17:17:04 hp kernel: [22684.895717] [<ffffffff811718a3>] ? inode_permission+0x13/0x50
> Dec 12 17:17:04 hp kernel: [22684.895741] [<ffffffff81171d6d>] ? link_path_walk+0x22d/0x8f0
> Dec 12 17:17:04 hp kernel: [22684.895766] [<ffffffff81175033>] path_openat.isra.58+0xb3/0x4c0
> Dec 12 17:17:04 hp kernel: [22684.895791] [<ffffffff811716db>] ? getname_flags+0x2b/0x110
> Dec 12 17:17:04 hp kernel: [22684.895816] [<ffffffff8118285f>] ? __alloc_fd+0x2f/0x130
> Dec 12 17:17:04 hp kernel: [22684.895842] [<ffffffff8117579c>] do_filp_open+0x3c/0x90
> Dec 12 17:17:04 hp kernel: [22684.895866] [<ffffffff81182909>] ? __alloc_fd+0xd9/0x130
> Dec 12 17:17:04 hp kernel: [22684.895891] [<ffffffff8116614f>] do_sys_open+0xef/0x1d0
>
>
> The problem is that nfs_destroy_server is calling nlmclnt_done(NULL).
> This can happen if nfs_clone_server() is called on a v2/v3 mount but gets an
> error between
>
> server->destroy = source->destroy;
>
> (which sets server->destroy to nfs_destroy_server without setting
> server->nlm_host) and
>
> error = nfs_start_lockd(server);
>
> (which sets both server->destroy and server->nlm_host).
>
> If this happens then nfs_free_server() calls ->destroy() which crashes as
> shown.
>
> Maybe this patch?
>
> Signed-off-by: NeilBrown <neilb@suse.de>
> diff --git a/fs/nfs/client.c b/fs/nfs/client.c
> index 8b39a42..b6603bb 100644
> --- a/fs/nfs/client.c
> +++ b/fs/nfs/client.c
> @@ -617,7 +617,8 @@ static void nfs_destroy_server(struct nfs_server *server)
> {
> if (!(server->flags & NFS_MOUNT_LOCAL_FLOCK) ||
> !(server->flags & NFS_MOUNT_LOCAL_FCNTL))
> - nlmclnt_done(server->nlm_host);
> + if (server->nlm_host)
> + nlmclnt_done(server->nlm_host);
> }

Hmm... Do we need all those tests of server->flags above if we can just
check server->nlm_host for a NULL value?

--
Trond Myklebust
Linux NFS client maintainer

NetApp
Trond.Myklebust@netapp.com
www.netapp.com
* Re: NULL dereference from nfs_destroy_server, with possible fix.
2012-12-13 1:05 ` Myklebust, Trond
@ 2012-12-13 1:13 ` NeilBrown
0 siblings, 0 replies; 3+ messages in thread
From: NeilBrown @ 2012-12-13 1:13 UTC (permalink / raw)
To: Myklebust, Trond; +Cc: NFS
On Thu, 13 Dec 2012 01:05:15 +0000 "Myklebust, Trond"
<Trond.Myklebust@netapp.com> wrote:
> On Thu, 2012-12-13 at 11:05 +1100, NeilBrown wrote:
> > Hi,
> >
> > I recently managed to get the following stack trace, though I haven't been
> > able to reproduce it.
> >
> > Dec 12 17:17:04 hp kernel: [22684.894434] BUG: unable to handle kernel NULL pointer dereference at 0000000000000310
> > Dec 12 17:17:04 hp kernel: [22684.894490] IP: [<ffffffff813248f9>] nlmclnt_done+0x9/0x30
> > Dec 12 17:17:04 hp kernel: [22684.894529] PGD 13cc5a067 PUD 13ca0a067 PMD 0
> > Dec 12 17:17:04 hp kernel: [22684.894593] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
> > Dec 12 17:17:04 hp kernel: [22684.894660] Modules linked in:
> > Dec 12 17:17:04 hp kernel: [22684.894691] CPU 0
> > Dec 12 17:17:04 hp kernel: [22684.894708] Pid: 6874, comm: ls Not tainted 3.7.0-rc1+ #323 HP ProLiant ML310 G3
> > Dec 12 17:17:04 hp kernel: [22684.894745] RIP: 0010:[<ffffffff813248f9>] [<ffffffff813248f9>] nlmclnt_done+0x9/0x30
> > Dec 12 17:17:04 hp kernel: [22684.894783] RSP: 0018:ffff880139d59958 EFLAGS: 00010292
> > Dec 12 17:17:04 hp kernel: [22684.894804] RAX: 0000000000000000 RBX: ffff88013760e7f0 RCX: 0000000000000000
> > Dec 12 17:17:04 hp kernel: [22684.894829] RDX: 0000000000000046 RSI: 0000000000000001 RDI: 0000000000000000
> > Dec 12 17:17:04 hp kernel: [22684.894852] RBP: ffff880139d59968 R08: 0000000000000000 R09: 0000000000000000
> > Dec 12 17:17:04 hp kernel: [22684.894878] R10: 0000000000000001 R11: 0000000000000000 R12: dead000000200200
> > Dec 12 17:17:04 hp kernel: [22684.894900] R13: ffff88013bdfaed0 R14: dead000000200200 R15: ffff880139fde7f0
> > Dec 12 17:17:04 hp kernel: [22684.894924] FS: 00007f279bbf57c0(0000) GS:ffff880147c00000(0000) knlGS:0000000000000000
> > Dec 12 17:17:04 hp kernel: [22684.894947] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> > Dec 12 17:17:04 hp kernel: [22684.894968] CR2: 0000000000000310 CR3: 0000000137ea1000 CR4: 00000000000007f0
> > Dec 12 17:17:04 hp kernel: [22684.894995] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > Dec 12 17:17:04 hp kernel: [22684.895017] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> > Dec 12 17:17:04 hp kernel: [22684.895039] Process ls (pid: 6874, threadinfo ffff880139d58000, task ffff88013bbdc050)
> > Dec 12 17:17:04 hp kernel: [22684.895061] Stack:
> > Dec 12 17:17:04 hp kernel: [22684.895079] ffff880139d59978 ffff88013760e7f0 ffff880139d59978 ffffffff812c41ff
> > Dec 12 17:17:04 hp kernel: [22684.895148] ffff880139d599b8 ffffffff812c4eab ffffffff812c4d9b ffff88013760e7f0
> > Dec 12 17:17:04 hp kernel: [22684.895220] ffff88013760e7f0 ffffffffffffff8c ffff88013e3a7ef0 00000000ffffff8c
> > Dec 12 17:17:04 hp kernel: [22684.895287] Call Trace:
> > Dec 12 17:17:04 hp kernel: [22684.895312] [<ffffffff812c41ff>] nfs_destroy_server+0x1f/0x30
> > Dec 12 17:17:04 hp kernel: [22684.895337] [<ffffffff812c4eab>] nfs_free_server+0x13b/0x200
> > Dec 12 17:17:04 hp kernel: [22684.895362] [<ffffffff812c4d9b>] ? nfs_free_server+0x2b/0x200
> > Dec 12 17:17:04 hp kernel: [22684.895386] [<ffffffff812c511b>] nfs_clone_server+0x1ab/0x250
> > Dec 12 17:17:04 hp kernel: [22684.895411] [<ffffffff812dc498>] nfs3_clone_server+0x18/0x50
> > Dec 12 17:17:04 hp kernel: [22684.895437] [<ffffffff812ce202>] nfs_xdev_mount+0x82/0x120
> > Dec 12 17:17:04 hp kernel: [22684.895462] [<ffffffff812ce300>] ? nfs_set_super+0x60/0x60
> > Dec 12 17:17:04 hp kernel: [22684.895486] [<ffffffff812cdd60>] ? nfs_set_sb_security+0x10/0x10
> > Dec 12 17:17:04 hp kernel: [22684.895512] [<ffffffff8116a3bb>] mount_fs+0x1b/0xd0
> > Dec 12 17:17:04 hp kernel: [22684.895545] [<ffffffff811843bf>] vfs_kern_mount+0x6f/0x110
> > Dec 12 17:17:04 hp kernel: [22684.895569] [<ffffffff812d8f62>] nfs_do_submount+0xa2/0x150
> > Dec 12 17:17:04 hp kernel: [22684.895593] [<ffffffff812d908e>] nfs_submount+0x7e/0xa0
> > Dec 12 17:17:04 hp kernel: [22684.895617] [<ffffffff812d917c>] nfs_d_automount+0xcc/0x1c0
> > Dec 12 17:17:04 hp kernel: [22684.895643] [<ffffffff811706c0>] follow_managed+0x150/0x310
> > Dec 12 17:17:04 hp kernel: [22684.895668] [<ffffffff811710e1>] lookup_fast+0x1c1/0x310
> > Dec 12 17:17:04 hp kernel: [22684.895693] [<ffffffff811744ac>] do_last.isra.57+0x17c/0xc50
> > Dec 12 17:17:04 hp kernel: [22684.895717] [<ffffffff811718a3>] ? inode_permission+0x13/0x50
> > Dec 12 17:17:04 hp kernel: [22684.895741] [<ffffffff81171d6d>] ? link_path_walk+0x22d/0x8f0
> > Dec 12 17:17:04 hp kernel: [22684.895766] [<ffffffff81175033>] path_openat.isra.58+0xb3/0x4c0
> > Dec 12 17:17:04 hp kernel: [22684.895791] [<ffffffff811716db>] ? getname_flags+0x2b/0x110
> > Dec 12 17:17:04 hp kernel: [22684.895816] [<ffffffff8118285f>] ? __alloc_fd+0x2f/0x130
> > Dec 12 17:17:04 hp kernel: [22684.895842] [<ffffffff8117579c>] do_filp_open+0x3c/0x90
> > Dec 12 17:17:04 hp kernel: [22684.895866] [<ffffffff81182909>] ? __alloc_fd+0xd9/0x130
> > Dec 12 17:17:04 hp kernel: [22684.895891] [<ffffffff8116614f>] do_sys_open+0xef/0x1d0
> >
> >
> > The problem is that nfs_destroy_server is calling nlmclnt_done(NULL).
> > This can happen if nfs_clone_server() is called on a v2/v3 mount but gets an
> > error between
> >
> > server->destroy = source->destroy;
> >
> > (which sets server->destroy to nfs_destroy_server without setting
> > server->nlm_host) and
> >
> > error = nfs_start_lockd(server);
> >
> > (which sets both server->destroy and server->nlm_host).
> >
> > If this happens then nfs_free_server() calls ->destroy() which crashes as
> > shown.
> >
> > Maybe this patch?
> >
> > Signed-off-by: NeilBrown <neilb@suse.de>
> > diff --git a/fs/nfs/client.c b/fs/nfs/client.c
> > index 8b39a42..b6603bb 100644
> > --- a/fs/nfs/client.c
> > +++ b/fs/nfs/client.c
> > @@ -617,7 +617,8 @@ static void nfs_destroy_server(struct nfs_server *server)
> > {
> > if (!(server->flags & NFS_MOUNT_LOCAL_FLOCK) ||
> > !(server->flags & NFS_MOUNT_LOCAL_FCNTL))
> > - nlmclnt_done(server->nlm_host);
> > + if (server->nlm_host)
> > + nlmclnt_done(server->nlm_host);
> > }
>
> Hmm... Do we need all those tests of server->flags above if we can just
> check server->nlm_host for a NULL value?
>
No, you are right. nlm_host will only be non-NULL if one of the flags
is set, so the test is pointless.
NeilBrown
diff --git a/fs/nfs/client.c b/fs/nfs/client.c
index 8b39a42..5e8d24d 100644
--- a/fs/nfs/client.c
+++ b/fs/nfs/client.c
@@ -615,8 +615,7 @@ EXPORT_SYMBOL_GPL(nfs_create_rpc_client);
*/
static void nfs_destroy_server(struct nfs_server *server)
{
- if (!(server->flags & NFS_MOUNT_LOCAL_FLOCK) ||
- !(server->flags & NFS_MOUNT_LOCAL_FCNTL))
+ if (server->nlm_host)
nlmclnt_done(server->nlm_host);
}
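Review bot: this version carries no changelog and no Signed-off-by line, unlike the first posting; a one-line description of the nfs_clone_server() error window it closes plus the sign-off belong above the diff so the fix can be applied as posted. The check itself relies on nlm_host staying NULL until nfs_start_lockd() assigns it, which is the state the trace shows (nlmclnt_done called with a NULL argument), so dropping the flags test is safe.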