merged pavel's version into cifs-2.6.git for-next and added cc: stable

On Mon, Apr 10, 2017 at 4:32 PM, Sachin Prabhu <sprabhu@xxxxxxxxxx> wrote:
> On Mon, 2017-04-10 at 13:18 -0700, Pavel Shilovsky wrote:
>> 2017-04-09 21:44 GMT-07:00 Eryu Guan <eguan@xxxxxxxxxx>:
>> > Hi all,
>> >
>> > Starting from 4.11-rc6 kernel, I noticed fstests generic/010 would crash
>> > cifs v2.0/2.1/3.0 mounts, I was testing with local mount linux samba
>> > server.
>> >
>> > [ 324.109085] run fstests generic/010 at 2017-04-09 17:39:05
>> > [ 324.245779] BUG: unable to handle kernel NULL pointer dereference at (null)
>> > [ 324.254532] IP: cifs_discard_remaining_data+0x12/0x70 [cifs]
>> > [ 324.260843] PGD 0
>> > [ 324.260844]
>> > [ 324.264741] Oops: 0000 [#1] SMP
>> > [ 324.268241] Modules linked in: cmac arc4 md4 nls_utf8 cifs ccm dns_resolver binfmt_misc intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel cdc_ether nfsd crypto_simd iTCO_wdt glue_helper usbnet cryptd iTCO_vendor_support gpio_ich ipmi_ssif mii wmi ipmi_si sg pcspkr ie31200_edac ipmi_devintf edac_core shpchp i2c_i801 ipmi_msghandler lpc_ich auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c sr_mod cdrom sd_mod ata_generic pata_acpi mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm e1000e drm ata_piix libata ptp crc32c_intel pps_core i2c_core dm_mirror dm_region_hash dm_log dm_mod
>> > [ 324.339637] CPU: 0 PID: 25782 Comm: cifsd Not tainted 4.11.0-rc6 #1
>> > [ 324.346627] Hardware name: IBM IBM System X3250 M4 -[2583AC1]-/00D3729, BIOS -[JQE164AUS-1.07]- 12/09/2013
>> > [ 324.357399] task: ffff999d307fc380 task.stack: ffffb01f490e8000
>> > [ 324.364010] RIP: 0010:cifs_discard_remaining_data+0x12/0x70 [cifs]
>> > [ 324.370904] RSP: 0018:ffffb01f490ebdf8 EFLAGS: 00010246
>> > [ 324.376732] RAX: 00000000ffffffc3 RBX: ffff999d31185480 RCX: 0000000000000d50
>> > [ 324.384691] RDX: 0000000000000d50 RSI: 0000000000000000 RDI: ffff999cac4a0800
>> > [ 324.392651] RBP: ffffb01f490ebe08 R08: 0000000000071888 R09: 0000000000000077
>> > [ 324.400611] R10: 0000000000038c44 R11: 0000000000081840 R12: 0000000000000004
>> > [ 324.408569] R13: ffff999c7e815100 R14: ffff999c7e815100 R15: 000000000000004d
>> > [ 324.416529] FS: 0000000000000000(0000) GS:ffff999d3fc00000(0000) knlGS:0000000000000000
>> > [ 324.425556] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> > [ 324.431965] CR2: 0000000000000000 CR3: 00000001a6809000 CR4: 00000000001406f0
>> > [ 324.439924] Call Trace:
>> > [ 324.442657] cifs_readv_discard+0x1e/0x40 [cifs]
>> > [ 324.447812] cifs_readv_receive+0xd6/0x560 [cifs]
>> > [ 324.453056] cifs_demultiplex_thread+0x66f/0xa70 [cifs]
>> > [ 324.458887] kthread+0x101/0x140
>> > [ 324.462491] ? cifs_handle_standard+0x130/0x130 [cifs]
>> > [ 324.468222] ? kthread_park+0x90/0x90
>> > [ 324.472306] ? do_syscall_64+0x67/0x180
>> > [ 324.476584] ret_from_fork+0x2c/0x40
>> > [ 324.480570] Code: 05 55 39 d4 e9 50 fe ff ff e8 3b 2a 07 d4 90 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 54 41 bc 04 00 00 00 53 <8b> 06 48 89 fb 44 2b a7 38 03 00 00 0f c8 25 ff ff ff 00 41 01
>> > [ 324.501642] RIP: cifs_discard_remaining_data+0x12/0x70 [cifs] RSP: ffffb01f490ebdf8
>> > [ 324.510182] CR2: 0000000000000000
>> > [ 324.513879] ---[ end trace 754f09c6094faa76 ]---
>> > [ 324.519028] Kernel panic - not syncing: Fatal exception
>> > [ 324.524889] Kernel Offset: 0x13600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
>> > [ 324.536921] ---[ end Kernel panic - not syncing: Fatal exception
>> >
>> > And I bisected this to
>> >
>> > commit 38bd49064a1ecb67baad33598e3d824448ab11ec
>> > Author: Sachin Prabhu <sprabhu@xxxxxxxxxx>
>> > Date:   Fri Mar 3 15:41:38 2017 -0800
>> >
>> >     Handle mismatched open calls
>> >
>> >     A signal can interrupt a SendReceive call which results in incoming
>> >     responses to the call being ignored. This is a problem for calls such as
>> >     open which results in the successful response being ignored. This
>> >     results in an open file resource on the server.
>> >
>> >     The patch looks into responses which were cancelled after being sent and
>> >     in case of successful open closes the open fids.
>> >
>> >     For this patch, the check is only done in SendReceive2()
>> >
>> >     RH-bz: 1403319
>> >
>> >     Signed-off-by: Sachin Prabhu <sprabhu@xxxxxxxxxx>
>> >     Reviewed-by: Pavel Shilovsky <pshilov@xxxxxxxxxxxxx>
>> >     Cc: Stable <stable@xxxxxxxxxxxxxxx>
>> >
>> > I was able to reproduce this crash with cifs2.0/2.1 mounts manually and
>> > it was easy to hit. Though I haven't seen it with cifs 3.0 mount in my
>> > manual test, I did see v3.0 crash in my auto tests. If you need more
>> > info please let me know.
>> >
>> > Thanks,
>> > Eryu
>> > --
>> > To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
>> > the body of a message to majordomo@xxxxxxxxxxxxxxx
>> > More majordomo info at http://vger.kernel.org/majordomo-info.html
>>
>> Hi Eryu,
>>
>> Thanks for reporting this. I ended up with a fix for the problem (see
>> patch attached).
>>
>> Sachin, can you please review the patch?
>
> Hello Pavel,
>
> I had sent another version of the patch which fixes the problem but it
> ended up being sent privately to Steve.
>
> I like your version better.
>
> Acked-by: Sachin Prabhu <sprabhu@xxxxxxxxxx>
>
>
>>
>> --
>> Best regards,
>> Pavel Shilovsky

--
Thanks,

Steve