linux/fs/nfsd
J. Bruce Fields b0a9d3ab57 nfsd4: fix race on client shutdown
Dropping the session's reference count after the client's means we leave
a window where the session's se_client pointer is NULL.  An xpt_user
callback that encounters such a session may then crash:

[  303.956011] BUG: unable to handle kernel NULL pointer dereference at 0000000000000318
[  303.959061] IP: [<ffffffff81481a8e>] _raw_spin_lock+0x1e/0x40
[  303.959061] PGD 37811067 PUD 3d498067 PMD 0
[  303.959061] Oops: 0002 [#8] PREEMPT SMP
[  303.959061] Modules linked in: md5 nfsd auth_rpcgss nfs_acl snd_hda_intel snd_hda_codec snd_hwdep snd_pcm snd_page_alloc microcode psmouse snd_timer serio_raw pcspkr evdev snd soundcore i2c_piix4 i2c_core intel_agp intel_gtt processor button nfs lockd sunrpc fscache ata_generic pata_acpi ata_piix uhci_hcd libata btrfs usbcore usb_common crc32c scsi_mod libcrc32c zlib_deflate floppy virtio_balloon virtio_net virtio_pci virtio_blk virtio_ring virtio
[  303.959061] CPU 0
[  303.959061] Pid: 264, comm: nfsd Tainted: G      D      3.8.0-ARCH+ #156 Bochs Bochs
[  303.959061] RIP: 0010:[<ffffffff81481a8e>]  [<ffffffff81481a8e>] _raw_spin_lock+0x1e/0x40
[  303.959061] RSP: 0018:ffff880037877dd8  EFLAGS: 00010202
[  303.959061] RAX: 0000000000000100 RBX: ffff880037a2b698 RCX: ffff88003d879278
[  303.959061] RDX: ffff88003d879278 RSI: dead000000100100 RDI: 0000000000000318
[  303.959061] RBP: ffff880037877dd8 R08: ffff88003c5a0f00 R09: 0000000000000002
[  303.959061] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
[  303.959061] R13: 0000000000000318 R14: ffff880037a2b680 R15: ffff88003c1cbe00
[  303.959061] FS:  0000000000000000(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
[  303.959061] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  303.959061] CR2: 0000000000000318 CR3: 000000003d49c000 CR4: 00000000000006f0
[  303.959061] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  303.959061] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[  303.959061] Process nfsd (pid: 264, threadinfo ffff880037876000, task ffff88003c1fd0a0)
[  303.959061] Stack:
[  303.959061]  ffff880037877e08 ffffffffa03772ec ffff88003d879000 ffff88003d879278
[  303.959061]  ffff88003d879080 0000000000000000 ffff880037877e38 ffffffffa0222a1f
[  303.959061]  0000000000107ac0 ffff88003c22e000 ffff88003d879000 ffff88003c1cbe00
[  303.959061] Call Trace:
[  303.959061]  [<ffffffffa03772ec>] nfsd4_conn_lost+0x3c/0xa0 [nfsd]
[  303.959061]  [<ffffffffa0222a1f>] svc_delete_xprt+0x10f/0x180 [sunrpc]
[  303.959061]  [<ffffffffa0223d96>] svc_recv+0xe6/0x580 [sunrpc]
[  303.959061]  [<ffffffffa03587c5>] nfsd+0xb5/0x140 [nfsd]
[  303.959061]  [<ffffffffa0358710>] ? nfsd_destroy+0x90/0x90 [nfsd]
[  303.959061]  [<ffffffff8107ae00>] kthread+0xc0/0xd0
[  303.959061]  [<ffffffff81010000>] ? perf_trace_xen_mmu_set_pte_at+0x50/0x100
[  303.959061]  [<ffffffff8107ad40>] ? kthread_freezable_should_stop+0x70/0x70
[  303.959061]  [<ffffffff814898ec>] ret_from_fork+0x7c/0xb0
[  303.959061]  [<ffffffff8107ad40>] ? kthread_freezable_should_stop+0x70/0x70
[  303.959061] Code: ff ff 5d c3 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 65 48 8b 04 25 f0 c6 00 00 48 89 e5 83 80 44 e0 ff ff 01 b8 00 01 00 00 <3e> 66 0f c1 07 0f b6 d4 38 c2 74 0f 66 0f 1f 44 00 00 f3 90 0f
[  303.959061] RIP  [<ffffffff81481a8e>] _raw_spin_lock+0x1e/0x40
[  303.959061]  RSP <ffff880037877dd8>
[  303.959061] CR2: 0000000000000318
[  304.001218] ---[ end trace 2d809cd4a7931f5a ]---
[  304.001903] note: nfsd[264] exited with preempt_count 2

Reported-by: Bryan Schumaker <bjschuma@netapp.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2013-04-03 11:48:31 -04:00
..
acl.h nfsd: Remove declaration of nonexistent nfs4_acl_permisison 2013-02-13 06:15:35 -08:00
auth.c nfsd: Properly compare and initialize kuids and kgids 2013-02-13 06:16:09 -08:00
auth.h nfsd: Remove nfsd_luid, nfsd_lgid, nfsd_ruid and nfsd_rgid 2013-02-13 06:15:51 -08:00
cache.h nfsd: add new reply_cache_stats file in nfsdfs 2013-04-03 11:47:24 -04:00
current_stateid.h nfsd41: use current stateid by value 2012-02-15 11:20:45 -05:00
export.c Merge branch 'for-3.9' of git://linux-nfs.org/~bfields/linux 2013-02-28 18:02:55 -08:00
fault_inject.c Merge branch 'for-3.9' of git://linux-nfs.org/~bfields/linux 2013-02-28 18:02:55 -08:00
idmap.h nfsd: Convert idmap to use kuids and kgids 2013-02-13 06:15:49 -08:00
Kconfig fs/nfsd: remove depends on CONFIG_EXPERIMENTAL 2013-01-21 14:39:05 -08:00
lockd.c nfsd: Remove deprecated nfsctl system call and related code. 2011-07-15 18:58:42 -04:00
Makefile NFSD: Added fault injection 2011-11-07 21:10:47 -05:00
netns.h nfsd: make NFSd service structure allocated per net 2012-12-10 16:25:39 -05:00
nfs2acl.c nfsd: handle vfs_getattr errors in acl protocol 2013-02-26 02:46:09 -05:00
nfs3acl.c nfsd4: cleanup: replace rq_resused count by rq_next_page pointer 2012-12-17 22:00:16 -05:00
nfs3proc.c switch vfs_getattr() to struct path 2013-02-26 02:46:08 -05:00
nfs3xdr.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-02-26 20:16:07 -08:00
nfs4acl.c nfsd: Handle kuids and kgids in the nfs4acl to posix_acl conversion 2013-02-13 06:16:06 -08:00
nfs4callback.c nfsd: make NFSv4 lease time per net 2012-11-28 10:39:46 -05:00
nfs4idmap.c Merge branch 'for-3.9' of git://linux-nfs.org/~bfields/linux 2013-02-28 18:02:55 -08:00
nfs4proc.c nfsd4: handle seqid-mutating open errors from xdr decoding 2013-04-03 11:47:53 -04:00
nfs4recover.c Merge branch 'for-3.9' of git://linux-nfs.org/~bfields/linux 2013-02-28 18:02:55 -08:00
nfs4state.c nfsd4: fix race on client shutdown 2013-04-03 11:48:31 -04:00
nfs4xdr.c nfsd4: fix race on client shutdown 2013-04-03 11:48:31 -04:00
nfscache.c nfsd: scale up the number of DRC hash buckets with cache size 2013-04-03 11:47:25 -04:00
nfsctl.c nfsd: add new reply_cache_stats file in nfsdfs 2013-04-03 11:47:24 -04:00
nfsd.h fs/nfsd: change type of max_delegations, nfsd_drc_max_mem and nfsd_drc_mem_used 2013-02-23 17:50:22 -08:00
nfsfh.c exportfs: add FILEID_INVALID to indicate invalid fid_type 2012-11-07 19:22:30 -05:00
nfsfh.h fs: propagate umode_t, misc bits 2012-01-03 22:55:10 -05:00
nfsproc.c switch vfs_getattr() to struct path 2013-02-26 02:46:08 -05:00
nfssvc.c Merge branch 'for-3.9' of git://linux-nfs.org/~bfields/linux 2013-02-28 18:02:55 -08:00
nfsxdr.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-02-26 20:16:07 -08:00
state.h nfsd4: fix race on client shutdown 2013-04-03 11:48:31 -04:00
stats.c SUNRPC: register service stats /proc entries in passed network namespace context 2012-01-31 19:28:18 -05:00
vfs.c nfsd: fix bad offset use 2013-03-22 16:55:15 -04:00
vfs.h switch vfs_getattr() to struct path 2013-02-26 02:46:08 -05:00
xdr3.h nfsd: handle vfs_getattr errors in acl protocol 2013-02-26 02:46:09 -05:00
xdr4.h nfsd4: handle seqid-mutating open errors from xdr decoding 2013-04-03 11:47:53 -04:00
xdr.h nfsd: handle vfs_getattr errors in acl protocol 2013-02-26 02:46:09 -05:00