linux/fs/nfs
Weston Andros Adamson f494a6071d NFSv4: fix NULL dereference in open recover
_nfs4_opendata_reclaim_to_nfs4_state doesn't expect to see a cached
open CLAIM_PREVIOUS, but this can happen. An example is when there are
RDWR openers and RDONLY openers on a delegation stateid. The recovery
path will first try an open CLAIM_PREVIOUS for the RDWR openers, this
marks the delegation as not needing RECLAIM anymore, so the open
CLAIM_PREVIOUS for the RDONLY openers will not actually send an rpc.

The NULL dereference is due to _nfs4_opendata_reclaim_to_nfs4_state
returning PTR_ERR(rpc_status) when !rpc_done. When the open is
cached, rpc_done == 0 and rpc_status == 0, thus
_nfs4_opendata_reclaim_to_nfs4_state returns NULL - this is unexpected
by callers of nfs4_opendata_to_nfs4_state().

This can be reproduced easily by opening the same file two times on an
NFSv4.0 mount with delegations enabled, once as RDWR and once as RDONLY then
sleeping for a long time.  While the files are held open, kick off state
recovery and this NULL dereference will be hit every time.

An example OOPS:

[   65.003602] BUG: unable to handle kernel NULL pointer dereference at 00000000
00000030
[   65.005312] IP: [<ffffffffa037d6ee>] __nfs4_close+0x1e/0x160 [nfsv4]
[   65.006820] PGD 7b0ea067 PUD 791ff067 PMD 0
[   65.008075] Oops: 0000 [#1] SMP
[   65.008802] Modules linked in: rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache
snd_ens1371 gameport nfsd snd_rawmidi snd_ac97_codec ac97_bus btusb snd_seq snd
_seq_device snd_pcm ppdev bluetooth auth_rpcgss coretemp snd_page_alloc crc32_pc
lmul crc32c_intel ghash_clmulni_intel microcode rfkill nfs_acl vmw_balloon serio
_raw snd_timer lockd parport_pc e1000 snd soundcore parport i2c_piix4 shpchp vmw
_vmci sunrpc ata_generic mperf pata_acpi mptspi vmwgfx ttm scsi_transport_spi dr
m mptscsih mptbase i2c_core
[   65.018684] CPU: 0 PID: 473 Comm: 192.168.10.85-m Not tainted 3.11.2-201.fc19
.x86_64 #1
[   65.020113] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop
Reference Platform, BIOS 6.00 07/31/2013
[   65.022012] task: ffff88003707e320 ti: ffff88007b906000 task.ti: ffff88007b906000
[   65.023414] RIP: 0010:[<ffffffffa037d6ee>]  [<ffffffffa037d6ee>] __nfs4_close+0x1e/0x160 [nfsv4]
[   65.025079] RSP: 0018:ffff88007b907d10  EFLAGS: 00010246
[   65.026042] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[   65.027321] RDX: 0000000000000050 RSI: 0000000000000001 RDI: 0000000000000000
[   65.028691] RBP: ffff88007b907d38 R08: 0000000000016f60 R09: 0000000000000000
[   65.029990] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
[   65.031295] R13: 0000000000000050 R14: 0000000000000000 R15: 0000000000000001
[   65.032527] FS:  0000000000000000(0000) GS:ffff88007f600000(0000) knlGS:0000000000000000
[   65.033981] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   65.035177] CR2: 0000000000000030 CR3: 000000007b27f000 CR4: 00000000000407f0
[   65.036568] Stack:
[   65.037011]  0000000000000000 0000000000000001 ffff88007b907d90 ffff88007a880220
[   65.038472]  ffff88007b768de8 ffff88007b907d48 ffffffffa037e4a5 ffff88007b907d80
[   65.039935]  ffffffffa036a6c8 ffff880037020e40 ffff88007a880000 ffff880037020e40
[   65.041468] Call Trace:
[   65.042050]  [<ffffffffa037e4a5>] nfs4_close_state+0x15/0x20 [nfsv4]
[   65.043209]  [<ffffffffa036a6c8>] nfs4_open_recover_helper+0x148/0x1f0 [nfsv4]
[   65.044529]  [<ffffffffa036a886>] nfs4_open_recover+0x116/0x150 [nfsv4]
[   65.045730]  [<ffffffffa036d98d>] nfs4_open_reclaim+0xad/0x150 [nfsv4]
[   65.046905]  [<ffffffffa037d979>] nfs4_do_reclaim+0x149/0x5f0 [nfsv4]
[   65.048071]  [<ffffffffa037e1dc>] nfs4_run_state_manager+0x3bc/0x670 [nfsv4]
[   65.049436]  [<ffffffffa037de20>] ? nfs4_do_reclaim+0x5f0/0x5f0 [nfsv4]
[   65.050686]  [<ffffffffa037de20>] ? nfs4_do_reclaim+0x5f0/0x5f0 [nfsv4]
[   65.051943]  [<ffffffff81088640>] kthread+0xc0/0xd0
[   65.052831]  [<ffffffff81088580>] ? insert_kthread_work+0x40/0x40
[   65.054697]  [<ffffffff8165686c>] ret_from_fork+0x7c/0xb0
[   65.056396]  [<ffffffff81088580>] ? insert_kthread_work+0x40/0x40
[   65.058208] Code: 5c 41 5d 5d c3 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 41 57 41 89 f7 41 56 41 89 ce 41 55 41 89 d5 41 54 53 48 89 fb <4c> 8b 67 30 f0 41 ff 44 24 44 49 8d 7c 24 40 e8 0e 0a 2d e1 44
[   65.065225] RIP  [<ffffffffa037d6ee>] __nfs4_close+0x1e/0x160 [nfsv4]
[   65.067175]  RSP <ffff88007b907d10>
[   65.068570] CR2: 0000000000000030
[   65.070098] ---[ end trace 0d1fe4f5c7dd6f8b ]---

Cc: <stable@vger.kernel.org> #3.7+
Signed-off-by: Weston Andros Adamson <dros@netapp.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
2013-10-28 14:53:32 -04:00
..
blocklayout NFSv4.1 use pnfs_device maxcount for the blocklayout gdia_maxcount 2013-06-28 15:34:44 -04:00
objlayout NFSv4.1 use pnfs_device maxcount for the objectlayout gdia_maxcount 2013-06-28 15:34:45 -04:00
cache_lib.c NFS: simplify and clean cache library 2013-02-15 10:43:36 -05:00
cache_lib.h NFS: simplify and clean cache library 2013-02-15 10:43:36 -05:00
callback_proc.c NFS: When displaying session slot numbers, use "%u" consistently 2013-09-03 15:26:30 -04:00
callback_xdr.c Merge branch 'labeled-nfs' into linux-next 2013-06-28 16:29:51 -04:00
callback.c NFS client updates for Linux 3.11 2013-07-09 12:09:43 -07:00
callback.h NFS: Add in v4.2 callback operation 2013-06-08 16:20:18 -04:00
client.c NFSv4: Ensure that we disable the resend timeout for NFSv4 2013-10-01 18:22:11 -04:00
delegation.c NFSv4: Add tracepoints for debugging delegations 2013-08-22 08:58:24 -04:00
delegation.h NFSv4: Fix CB_RECALL_ANY to only return delegations that are not in use 2013-04-05 17:03:57 -04:00
dir.c NFSv4: Honour the 'opened' parameter in the atomic_open() filesystem method 2013-09-26 10:20:18 -04:00
direct.c aio: Kill aio_rw_vect_retry() 2013-07-30 11:53:12 -04:00
dns_resolve.c NFSv4: Move the DNS resolver into the NFSv4 module 2013-06-18 13:47:18 -04:00
dns_resolve.h
file.c NFS avoid expired credential keys for buffered writes 2013-09-03 15:25:09 -04:00
fscache-index.c
fscache.c NFS4: Open files for fscaching 2012-12-20 22:19:42 +00:00
fscache.h NFS: Provide stub nfs_fscache_wait_on_invalidate() for when CONFIG_NFS_FSCACHE=n 2012-12-21 08:06:48 -08:00
getroot.c NFS:Add labels to client function prototypes 2013-06-08 16:20:15 -04:00
idmap.c NFSv4: Convert idmapper to use the new framework for pipefs dentries 2013-09-01 11:12:42 -04:00
inode.c truncate: drop 'oldsize' truncate_pagecache() parameter 2013-09-12 15:38:02 -07:00
internal.h fs: convert fs shrinkers to new scan/count API 2013-09-10 18:56:31 -04:00
iostat.h
Kconfig Kconfig: Add Kconfig entry for Labeled NFS V4 client 2013-06-08 16:20:17 -04:00
Makefile NFS: Enable slot table helpers for NFSv4.0 2013-09-03 15:26:33 -04:00
mount_clnt.c nfs: have nfs_mount fake up a auth_flavs list when the server didn't provide it 2013-06-28 15:51:51 -04:00
namespace.c NFS:Add labels to client function prototypes 2013-06-08 16:20:15 -04:00
netns.h nfs: include NFSv4 header in netns.h 2012-10-02 08:17:02 -07:00
nfs2super.c NFS: Convert v2 into a module 2012-07-30 19:06:41 -04:00
nfs2xdr.c nfs: Convert nfs2xdr to use kuids and kgids 2013-02-13 06:15:30 -08:00
nfs3acl.c userns: Pass a userns parameter into posix_acl_to_xattr and posix_acl_from_xattr 2012-09-18 01:01:35 -07:00
nfs3client.c NFS: Only initialize the ACL client in the v3 case 2012-07-30 19:05:54 -04:00
nfs3proc.c NFSv4: Don't try to recover NFSv4 locks when they are lost. 2013-09-04 12:26:32 -04:00
nfs3super.c NFS: Convert v3 into a module 2012-07-30 19:06:46 -04:00
nfs3xdr.c nfs: Convert nfs3xdr to use kuids and kgids 2013-02-13 06:15:31 -08:00
nfs4_fs.h NFSv4.1: sp4_mach_cred: WARN_ON -> WARN_ON_ONCE 2013-09-11 09:08:08 -04:00
nfs4client.c NFSv4: Ensure that we disable the resend timeout for NFSv4 2013-10-01 18:22:11 -04:00
nfs4file.c NFSv4: Honour the 'opened' parameter in the atomic_open() filesystem method 2013-09-26 10:20:18 -04:00
nfs4filelayout.c NFSv4.1 Use MDS auth flavor for data server connection 2013-09-06 14:49:16 -04:00
nfs4filelayout.h NFSv4.1: Use layout credentials for get_deviceinfo calls 2013-06-06 16:24:37 -04:00
nfs4filelayoutdev.c NFSv4.1: Ensure memory ordering between nfs4_ds_connect and nfs4_fl_prepare_ds 2013-09-29 15:58:35 -04:00
nfs4getroot.c NFSv4: Fix security auto-negotiation 2013-09-07 16:18:30 -04:00
nfs4namespace.c NFSv4: Allow security autonegotiation for submounts 2013-09-07 17:52:42 -04:00
nfs4proc.c NFSv4: fix NULL dereference in open recover 2013-10-28 14:53:32 -04:00
nfs4renewd.c workqueue: use mod_delayed_work() instead of cancel + queue 2012-08-13 16:27:37 -07:00
nfs4session.c When CONFIG_NFS_V4_1 is not enabled, "make C=2" emits this warning: 2013-09-04 12:26:30 -04:00
nfs4session.h When CONFIG_NFS_V4_1 is not enabled, "make C=2" emits this warning: 2013-09-04 12:26:30 -04:00
nfs4state.c NFSv4 Remove zeroing state kern warnings 2013-10-28 14:28:53 -04:00
nfs4super.c NFSv4: Fix security auto-negotiation 2013-09-07 16:18:30 -04:00
nfs4sysctl.c nfs: include nfs4_fh.h in nfs4sysctl.c 2012-10-02 08:17:03 -07:00
nfs4trace.c NFSv4.1: Add tracepoints for debugging slot table operations 2013-08-22 08:58:27 -04:00
nfs4trace.h NFSv4.1: Add tracepoints for debugging test_stateid events 2013-08-22 08:58:27 -04:00
nfs4xdr.c NFSv4.1 fix decode_free_stateid 2013-09-10 13:04:37 -04:00
nfs.h NFS: Convert v4 into a module 2012-07-30 19:06:52 -04:00
nfsroot.c
nfstrace.c NFS: Add event tracing for generic NFS lookups 2013-08-22 08:58:18 -04:00
nfstrace.h NFS: Add tracepoints for debugging NFS hard links 2013-08-22 08:58:20 -04:00
pagelist.c NFS: Don't check lock owner compatability unless file is locked (part 2) 2013-09-06 11:27:41 -04:00
pnfs_dev.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
pnfs.c NFSv4: Add tracepoints for debugging reads and writes 2013-08-22 08:58:26 -04:00
pnfs.h NFSv4.1 Fix gdia_maxcount calculation to fit in ca_maxresponsesize 2013-06-28 15:34:43 -04:00
proc.c NFSv4: Don't try to recover NFSv4 locks when they are lost. 2013-09-04 12:26:32 -04:00
read.c NFSv4: Don't try to recover NFSv4 locks when they are lost. 2013-09-04 12:26:32 -04:00
super.c nfs: fix handling of invalid mount options in nfs_remount 2013-10-28 14:35:07 -04:00
symlink.c
sysctl.c
unlink.c NFS: Ensure that rmdir() waits for sillyrenames to complete 2013-09-03 15:26:29 -04:00
write.c NFS: Don't check lock owner compatibility in writes unless file is locked 2013-09-05 18:11:42 -04:00