From: Christoph Hellwig <hch@infradead.org>
To: linux-nfs@vger.kernel.org
Subject: nfsd use after free in 4.0-rc
Date: Sun, 15 Mar 2015 05:56:14 -0700
Message-ID: <20150315125614.GA766@infradead.org>
generic/011 1s ...[ 154.375068] general protection fault: 0000 [#1] SMP
[ 154.376050] Modules linked in:
[ 154.376785] CPU: 2 PID: 3818 Comm: nfsd Not tainted 4.0.0-rc3+ #150
[ 154.377891] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
[ 154.377891] task: ffff88007b294410 ti: ffff88007a910000 task.ti: ffff88007a910000
[ 154.377891] RIP: 0010:[<ffffffff81102050>] [<ffffffff81102050>] __lock_acquire+0x140/0x1e20
[ 154.377891] RSP: 0018:ffff88007a9139e8 EFLAGS: 00010002
[ 154.377891] RAX: 0000000000000046 RBX: 6b6b6b6b6b6b6f03 RCX: 0000000000000000
[ 154.377891] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 6b6b6b6b6b6b6f1b
[ 154.377891] RBP: ffff88007a913ac8 R08: 0000000000000001 R09: 0000000000000000
[ 154.377891] R10: 0000000000000000 R11: 0000000000000001 R12: ffff88007b294410
[ 154.377891] R13: 6b6b6b6b6b6b6f1b R14: 0000000000000000 R15: 0000000000000000
[ 154.377891] FS: 0000000000000000(0000) GS:ffff88007fd00000(0000) knlGS:0000000000000000
[ 154.377891] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 154.377891] CR2: 00007ffff85d1fec CR3: 0000000076ebb000 CR4: 00000000000007e0
[ 154.377891] Stack:
[ 154.377891] ffff88007b294410 ffffffff824c0a20 ffff88007b294c08 0000000000000002
[ 154.377891] ffff88007a913af8 ffffffff0000032c ffff880000000000 0000000000000000
[ 154.377891] ffff88007a913b18 0000000000000046 ffff88007b294c00 ffffffff0000001a
[ 154.377891] Call Trace:
[ 154.377891] [<ffffffff811042ff>] lock_acquire+0x9f/0x120
[ 154.377891] [<ffffffff813c603e>] ? nfsd4_process_open2+0x1de/0x1010
[ 154.377891] [<ffffffff810fff5c>] ? lockdep_init_map+0xbc/0x520
[ 154.397191] [<ffffffff81e3fcec>] _raw_spin_lock+0x2c/0x40
[ 154.397191] [<ffffffff813c603e>] ? nfsd4_process_open2+0x1de/0x1010
[ 154.397191] [<ffffffff81e40446>] ? _raw_spin_unlock+0x26/0x30
[ 154.397191] [<ffffffff813c603e>] nfsd4_process_open2+0x1de/0x1010
[ 154.397191] [<ffffffff813c5e60>] ? nfsd4_process_open1+0x3d0/0x3d0
[ 154.397191] [<ffffffff811d79f3>] ? inode_permission+0x13/0x50
[ 154.397191] [<ffffffff813aa462>] ? nfsd_permission+0x72/0x130
[ 154.397191] [<ffffffff813a744a>] ? fh_verify+0x14a/0x540
[ 154.397191] [<ffffffff813b6fa0>] nfsd4_open+0x370/0x780
[ 154.397191] [<ffffffff813b6c30>] ? nfsd4_link+0xf0/0xf0
[ 154.397191] [<ffffffff813b782c>] nfsd4_proc_compound+0x47c/0x680
[ 154.397191] [<ffffffff813a4711>] nfsd_dispatch+0xa1/0x1b0
[ 154.397191] [<ffffffff81d5864a>] svc_process_common+0x2da/0x570
[ 154.397191] [<ffffffff81d58ca6>] svc_process+0x176/0x1e0
[ 154.397191] [<ffffffff813a3fe7>] nfsd+0x157/0x1d0
[ 154.397191] [<ffffffff813a3e90>] ? nfsd_destroy+0xc0/0xc0
[ 154.397191] [<ffffffff813a3e90>] ? nfsd_destroy+0xc0/0xc0
[ 154.397191] [<ffffffff810dda0f>] kthread+0xdf/0x100
[ 154.397191] [<ffffffff810dd930>] ? __init_kthread_worker+0x70/0x70
[ 154.397191] [<ffffffff81e40918>] ret_from_fork+0x58/0x90
[ 154.397191] [<ffffffff810dd930>] ? __init_kthread_worker+0x70/0x70
[ 154.397191] Code: 85 db 75 53 0f 1f 80 00 00 00 00 31 c0 48 8b 5d d8 4c 8b 65 e0 4c 8b 6d e8 4c 8b 75 f0 4c 8b 7d f8 c9 c3 0f 1f 84 00 00 00 00 00 <49> 81 7d 00 c0 58 75 82 b8 00 00 00 00 44 0f 44 c0 41 83 fe 01
[ 154.397191] RIP [<ffffffff81102050>] __lock_acquire+0x140/0x1e20
[ 154.397191] RSP <ffff88007a9139e8>
[ 154.397191] ---[ end trace ce8f0fa2103c18f2 ]---
[ 165.320204] Slab corruption (Tainted: G D ): nfsd4_openowners start=ffff88007b3fa8b0, len=528
[ 165.321157] Redzone: 0x9f911029d74e35b/0x9f911029d74e35b.
[ 165.321660] Last user: [<ffffffff813c0a43>](nfs4_free_openowner+0x13/0x20)
[ 165.322281] 030: 6c 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b lkkkkkkkkkkkkkkk
[ 165.323172] Prev obj: start=ffff88007b3fa688, len=528
[ 165.323743] Redzone: 0x9f911029d74e35b/0x9f911029d74e35b.
[ 165.324365] Last user: [<ffffffff813c0a43>](nfs4_free_openowner+0x13/0x20)
[ 165.325035] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 165.325925] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 165.326809] Next obj: start=ffff88007b3faad8, len=528
[ 165.327366] Redzone: 0x9f911029d74e35b/0x9f911029d74e35b.
[ 165.327916] Last user: [<ffffffff813c0a43>](nfs4_free_openowner+0x13/0x20)
[ 165.328572] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
[ 165.329439] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk