From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Chuck Lever <chuck.lever@oracle.com>,
	Jeff Layton <jlayton@redhat.com>,
	Christian Theune <ct@flyingcircus.io>,
	"J. Bruce Fields" <bfields@redhat.com>
Subject: [PATCH 4.4 15/66] nfsd: Fix general protection fault in release_lock_stateid()
Date: Sun, 24 Sep 2017 22:31:10 +0200	[thread overview]
Message-ID: <20170924202921.217956714@linuxfoundation.org> (raw)
In-Reply-To: <20170924202920.581603259@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chuck Lever <chuck.lever@oracle.com>

commit f46c445b79906a9da55c13e0a6f6b6a006b892fe upstream.

When I push NFSv4.1 / RDMA hard, (xfstests generic/089, for example),
I get this crash on the server:

Oct 28 22:04:30 klimt kernel: general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC
Oct 28 22:04:30 klimt kernel: Modules linked in: cts rpcsec_gss_krb5 iTCO_wdt iTCO_vendor_support sb_edac edac_core x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm btrfs irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd xor pcspkr raid6_pq i2c_i801 i2c_smbus lpc_ich mfd_core sg mei_me mei ioatdma shpchp wmi ipmi_si ipmi_msghandler rpcrdma ib_ipoib rdma_ucm acpi_power_meter acpi_pad ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c mlx4_ib mlx4_en ib_core sr_mod cdrom sd_mod ast drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm crc32c_intel igb ahci libahci ptp mlx4_core pps_core dca libata i2c_algo_bit i2c_core dm_mirror dm_region_hash dm_log dm_mod
Oct 28 22:04:30 klimt kernel: CPU: 7 PID: 1558 Comm: nfsd Not tainted 4.9.0-rc2-00005-g82cd754 #8
Oct 28 22:04:30 klimt kernel: Hardware name: Supermicro Super Server/X10SRL-F, BIOS 1.0c 09/09/2015
Oct 28 22:04:30 klimt kernel: task: ffff880835c3a100 task.stack: ffff8808420d8000
Oct 28 22:04:30 klimt kernel: RIP: 0010:[<ffffffffa05a759f>]  [<ffffffffa05a759f>] release_lock_stateid+0x1f/0x60 [nfsd]
Oct 28 22:04:30 klimt kernel: RSP: 0018:ffff8808420dbce0  EFLAGS: 00010246
Oct 28 22:04:30 klimt kernel: RAX: ffff88084e6660f0 RBX: ffff88084e667020 RCX: 0000000000000000
Oct 28 22:04:30 klimt kernel: RDX: 0000000000000007 RSI: 0000000000000000 RDI: ffff88084e667020
Oct 28 22:04:30 klimt kernel: RBP: ffff8808420dbcf8 R08: 0000000000000001 R09: 0000000000000000
Oct 28 22:04:30 klimt kernel: R10: ffff880835c3a100 R11: ffff880835c3aca8 R12: 6b6b6b6b6b6b6b6b
Oct 28 22:04:30 klimt kernel: R13: ffff88084e6670d8 R14: ffff880835f546f0 R15: ffff880835f1c548
Oct 28 22:04:30 klimt kernel: FS:  0000000000000000(0000) GS:ffff88087bdc0000(0000) knlGS:0000000000000000
Oct 28 22:04:30 klimt kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Oct 28 22:04:30 klimt kernel: CR2: 00007ff020389000 CR3: 0000000001c06000 CR4: 00000000001406e0
Oct 28 22:04:30 klimt kernel: Stack:
Oct 28 22:04:30 klimt kernel: ffff88084e667020 0000000000000000 ffff88084e6670d8 ffff8808420dbd20
Oct 28 22:04:30 klimt kernel: ffffffffa05ac80d ffff880835f54548 ffff88084e640008 ffff880835f545b0
Oct 28 22:04:30 klimt kernel: ffff8808420dbd70 ffffffffa059803d ffff880835f1c768 0000000000000870
Oct 28 22:04:30 klimt kernel: Call Trace:
Oct 28 22:04:30 klimt kernel: [<ffffffffa05ac80d>] nfsd4_free_stateid+0xfd/0x1b0 [nfsd]
Oct 28 22:04:30 klimt kernel: [<ffffffffa059803d>] nfsd4_proc_compound+0x40d/0x690 [nfsd]
Oct 28 22:04:30 klimt kernel: [<ffffffffa0583114>] nfsd_dispatch+0xd4/0x1d0 [nfsd]
Oct 28 22:04:30 klimt kernel: [<ffffffffa047bbf9>] svc_process_common+0x3d9/0x700 [sunrpc]
Oct 28 22:04:30 klimt kernel: [<ffffffffa047ca64>] svc_process+0xf4/0x330 [sunrpc]
Oct 28 22:04:30 klimt kernel: [<ffffffffa05827ca>] nfsd+0xfa/0x160 [nfsd]
Oct 28 22:04:30 klimt kernel: [<ffffffffa05826d0>] ? nfsd_destroy+0x170/0x170 [nfsd]
Oct 28 22:04:30 klimt kernel: [<ffffffff810b367b>] kthread+0x10b/0x120
Oct 28 22:04:30 klimt kernel: [<ffffffff810b3570>] ? kthread_stop+0x280/0x280
Oct 28 22:04:30 klimt kernel: [<ffffffff8174e8ba>] ret_from_fork+0x2a/0x40
Oct 28 22:04:30 klimt kernel: Code: c3 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 53 48 8b 87 b0 00 00 00 48 89 fb 4c 8b a0 98 00 00 00 <49> 8b 44 24 20 48 8d b8 80 03 00 00 e8 10 66 1a e1 48 89 df e8
Oct 28 22:04:30 klimt kernel: RIP  [<ffffffffa05a759f>] release_lock_stateid+0x1f/0x60 [nfsd]
Oct 28 22:04:30 klimt kernel: RSP <ffff8808420dbce0>
Oct 28 22:04:30 klimt kernel: ---[ end trace cf5d0b371973e167 ]---

Jeff Layton says:
> Hm...now that I look though, this is a little suspicious:
>
>    struct nfs4_openowner *oo = openowner(stp->st_openstp->st_stateowner);
>
> I wonder if it's possible for the openstateid to have already been
> destroyed at this point.
>
> We might be better off doing something like this to get the client pointer:
>
>    stp->st_stid.sc_client;
>
> ...which should be more direct and less dependent on other stateids
> staying valid.

With the suggested change, I am no longer able to reproduce the above oops.

v2: Fix unhash_lock_stateid() as well

Fix-suggested-by: Jeff Layton <jlayton@redhat.com>
Fixes: 42691398be08 ('nfsd: Fix race between FREE_STATEID and LOCK')
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Cc: Christian Theune <ct@flyingcircus.io>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfsd/nfs4state.c |   10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -1145,9 +1145,7 @@ static void put_ol_stateid_locked(struct
 
 static bool unhash_lock_stateid(struct nfs4_ol_stateid *stp)
 {
-	struct nfs4_openowner *oo = openowner(stp->st_openstp->st_stateowner);
-
-	lockdep_assert_held(&oo->oo_owner.so_client->cl_lock);
+	lockdep_assert_held(&stp->st_stid.sc_client->cl_lock);
 
 	list_del_init(&stp->st_locks);
 	nfs4_unhash_stid(&stp->st_stid);
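Review bot: the assertion now reads the client from stp->st_stid.sc_client, which is only a valid substitute if sc_client is populated on every lock stateid before unhash_lock_stateid() can run; the hunk does not show where sc_client is set, so confirm that in the 4.4 tree rather than assuming the 4.9 initialisation order. Keep in mind that lockdep_assert_held() compiles to nothing without CONFIG_PROVE_LOCKING, so on production kernels the effect of this hunk is to remove the last dereference of st_openstp in this function, not to add a runtime check; that is the right outcome given the trace, but it is worth stating in the commit message. Also confirm that 42691398be08 (the Fixes: target) is actually present in 4.4-stable; if it was never backported, this patch is not needed there.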
@@ -1156,12 +1154,12 @@ static bool unhash_lock_stateid(struct n
 
 static void release_lock_stateid(struct nfs4_ol_stateid *stp)
 {
-	struct nfs4_openowner *oo = openowner(stp->st_openstp->st_stateowner);
+	struct nfs4_client *clp = stp->st_stid.sc_client;
 	bool unhashed;
 
-	spin_lock(&oo->oo_owner.so_client->cl_lock);
+	spin_lock(&clp->cl_lock);
 	unhashed = unhash_lock_stateid(stp);
-	spin_unlock(&oo->oo_owner.so_client->cl_lock);
+	spin_unlock(&clp->cl_lock);
 	if (unhashed)
 		nfs4_put_stid(&stp->st_stid);
 }
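Review bot: `clp` is read from stp before cl_lock is taken, so correctness now rests only on the caller holding a reference on stp itself (nfsd4_free_stateid in the trace is that caller), whereas the removed line additionally required stp->st_openstp to still be alive, and the oops shows it was not: the Code: bytes decode as a load at [rdi+0xb0], a load at [rax+0x98] into r12, and the faulting load at [r12+0x20], exactly the three-pointer chain stp->st_openstp->st_stateowner->so_client that the removed line walked, with R12 = 0x6b6b6b6b6b6b6b6b, the slab free-object poison pattern, i.e. st_stateowner was read out of an already-freed open stateid. A one-line comment on `clp` saying why st_openstp must not be used on this path would stop a later cleanup reintroducing it.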
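The failure mode the commit message describes, as an added user-space model (not kernel code, not part of this patch): a lock stateid keeps a pointer to the open stateid it was derived from, but nothing keeps that open stateid alive, so reaching the client through it reads freed memory, while the lock stateid's own st_stid.sc_client back-pointer is valid for as long as the lock stateid itself is. The struct and field names are borrowed from the hunk but the structs are cut down to the pointers that matter; the slab free is stood in for by poisoning the object with 0x6b, the byte pattern visible in R12 in the oops, so the stale read can be observed instead of faulting.

```c
/*
 * Added example, not kernel code: a model of the object graph behind
 * release_lock_stateid().  Field names follow the hunk; the structs are
 * reduced to the pointers that matter.  stateid_free() stands in for
 * kfree() (assumption): the memory stays mapped but is filled with 0x6b,
 * as slab debugging does to freed objects.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POISON_FREE 0x6b	/* byte pattern seen in R12 in the oops */

struct nfs4_client     { int cl_id; };
struct nfs4_stateowner { struct nfs4_client *so_client; };
struct nfs4_stid       { struct nfs4_client *sc_client; };

struct nfs4_ol_stateid {
	struct nfs4_stid        st_stid;	/* every stateid carries its client */
	struct nfs4_stateowner *st_stateowner;
	struct nfs4_ol_stateid *st_openstp;	/* lock stateid -> parent open stateid */
};

/* Stand-in for freeing the object: memory stays mapped but is poisoned. */
static void stateid_free(struct nfs4_ol_stateid *stp)
{
	memset(stp, POISON_FREE, sizeof(*stp));
}

/* Pre-fix path: the client is reached through the open stateid's owner. */
static struct nfs4_stateowner *owner_via_openstp(const struct nfs4_ol_stateid *stp)
{
	return stp->st_openstp->st_stateowner;	/* the load that produced R12 */
}

/* Post-fix path: the lock stateid's own back-pointer. */
static struct nfs4_client *client_direct(const struct nfs4_ol_stateid *stp)
{
	return stp->st_stid.sc_client;
}

/* True when every byte of the pointer value is POISON_FREE. */
static bool ptr_is_poison(const void *p)
{
	unsigned char bytes[sizeof(p)];

	memcpy(bytes, &p, sizeof(p));
	for (size_t i = 0; i < sizeof(p); i++)
		if (bytes[i] != POISON_FREE)
			return false;
	return true;
}

struct race_outcome {
	bool paths_agree_before;	/* both lookups agree while the open stateid lives */
	bool old_path_poisoned;		/* pre-fix lookup would dereference 0x6b6b... */
	bool new_path_valid;		/* post-fix lookup still reaches the client */
};

/*
 * Constructed scenario (not a replay of the xfstests run): the open stateid
 * is freed before the lock stateid that still points at it is released.
 */
static struct race_outcome run_free_stateid_race(void)
{
	struct nfs4_client clp = { .cl_id = 42 };
	struct nfs4_stateowner oo = { .so_client = &clp };	/* openowner */
	struct nfs4_stateowner lo = { .so_client = &clp };	/* lockowner */
	struct nfs4_ol_stateid open_stp = {
		.st_stid.sc_client = &clp, .st_stateowner = &oo, .st_openstp = NULL,
	};
	struct nfs4_ol_stateid lock_stp = {
		.st_stid.sc_client = &clp, .st_stateowner = &lo, .st_openstp = &open_stp,
	};
	struct race_outcome out;

	out.paths_agree_before =
		owner_via_openstp(&lock_stp)->so_client == client_direct(&lock_stp);

	stateid_free(&open_stp);	/* FREE_STATEID on the open stateid lands first */

	/* Old code would now dereference this poisoned pointer; we only inspect it. */
	out.old_path_poisoned = ptr_is_poison(owner_via_openstp(&lock_stp));
	out.new_path_valid = client_direct(&lock_stp) == &clp && clp.cl_id == 42;
	return out;
}

int main(void)
{
	struct race_outcome out = run_free_stateid_race();

	printf("before free: paths agree = %d\n", out.paths_agree_before);
	printf("after free:  old path poisoned = %d, new path valid = %d\n",
	       out.old_path_poisoned, out.new_path_valid);
	return (out.old_path_poisoned && out.new_path_valid) ? 0 : 1;
}
```

The general point the model makes is about lifetime dependencies between sibling objects: a pointer you are handed (stp) is safe to follow only as far as its own refcount guarantees, and every extra hop through another refcounted object (st_openstp) adds a lifetime you are not holding. Prefer the back-pointer the object itself owns, as the patch does.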
