Hi Dave,

On Sun, 2017-07-16 at 17:15 -0400, Dave Jones wrote:
> On Fri, Jul 14, 2017 at 10:25:43AM -0400, Dave Jones wrote:
> > On Thu, Jul 13, 2017 at 05:16:24PM -0400, Anna Schumaker wrote:
> > > Hi Linus,
> > >
> > > The following changes since commit 32c1431eea4881a6b17bd7c639315010aeefa452:
> > >
> > > Linux 4.12-rc5 (2017-06-11 16:48:20 -0700)
> > >
> > > are available in the git repository at:
> > >
> > > git://git.linux-nfs.org/projects/anna/linux-nfs.git tags/nfs-for-4.13-1
> > >
> > > for you to fetch changes up to b4f937cffa66b3d56eb8f586e620d0b223a281a3:
> > >
> > > NFS: Don't run wake_up_bit() when nobody is waiting... (2017-07-13 16:57:18 -0400)
> >
> > Since this landed, I'm seeing this during boot..
> >
> > ==================================================================
> > BUG: KASAN: global-out-of-bounds in strscpy+0x4a/0x230
> > Read of size 8 at addr ffffffffb4eeaf20 by task nfsd/688
>
> Now that this one got fixed, this one fell out instead..
> Will dig deeper tomorrow.
>
> ==================================================================
> BUG: KASAN: global-out-of-bounds in call_start+0x93/0x100
> Read of size 8 at addr ffffffff8d582588 by task kworker/0:1/22
>
> CPU: 0 PID: 22 Comm: kworker/0:1 Not tainted 4.13.0-rc1-firewall+ #1
> Workqueue: rpciod rpc_async_schedule
> Call Trace:
>  dump_stack+0x68/0x94
>  print_address_description+0x2c/0x270
>  ? call_start+0x93/0x100
>  kasan_report+0x239/0x350
>  __asan_load8+0x55/0x90
>  call_start+0x93/0x100
>  ? rpc_default_callback+0x10/0x10
>  ? rpc_default_callback+0x10/0x10
>  __rpc_execute+0x170/0x740
>  ? rpc_wake_up_queued_task+0x50/0x50
>  ? __lock_is_held+0x9f/0x110
>  rpc_async_schedule+0x12/0x20
>  process_one_work+0x4ba/0xb10
>  ? process_one_work+0x401/0xb10
>  ? pwq_dec_nr_in_flight+0x120/0x120
>  worker_thread+0x91/0x670
>  ? __sched_text_start+0x8/0x8
>  kthread+0x1ab/0x200
>  ? process_one_work+0xb10/0xb10
>  ?
__kthread_create_on_node+0x340/0x340 > ret_from_fork+0x27/0x40 > > The buggy address belongs to the variable: > nfs_cb_version+0x8/0x740 Does the following patch fix it? Cheers Trond 8<-------------------------------------- >From b9230cdfbbee90178a1318d20cd3373ffb758788 Mon Sep 17 00:00:00 2001 From: Trond Myklebust <trond.myklebust@xxxxxxxxxxxxxxx> Date: Sun, 16 Jul 2017 18:52:18 -0400 Subject: [PATCH] nfsd: Fix a memory scribble in the callback channel The offset of the entry in struct rpc_version has to match the version number. Reported-by: Dave Jones <davej@xxxxxxxxxxxxxxxxx> Fixes: 1c5876ddbdb4 ("sunrpc: move p_count out of struct rpc_procinfo") Signed-off-by: Trond Myklebust <trond.myklebust@xxxxxxxxxxxxxxx> --- fs/nfsd/nfs4callback.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c index b45083c0f9ae..49b0a9e7ff18 100644 --- a/fs/nfsd/nfs4callback.c +++ b/fs/nfsd/nfs4callback.c @@ -720,8 +720,8 @@ static const struct rpc_version nfs_cb_version4 = { .counts = nfs4_cb_counts, }; -static const struct rpc_version *nfs_cb_version[] = { - &nfs_cb_version4, +static const struct rpc_version *nfs_cb_version[2] = { + [1] = &nfs_cb_version4, }; static const struct rpc_program cb_program; @@ -795,7 +795,7 @@ static int setup_callback_client(struct nfs4_client *clp, struct nfs4_cb_conn *c .saddress = (struct sockaddr *) &conn->cb_saddr, .timeout = &timeparms, .program = &cb_program, - .version = 0, + .version = 1, .flags = (RPC_CLNT_CREATE_NOPING | RPC_CLNT_CREATE_QUIET), }; struct rpc_clnt *client; -- 2.13.3 -- Trond Myklebust Linux NFS client maintainer, PrimaryData trond.myklebust@xxxxxxxxxxxxxxx
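Review bot: In the nfs_cb_version hunk, the designated initializer `[1] = &nfs_cb_version4` is the right shape of fix, and it lines up with the report: the buggy address is `nfs_cb_version+0x8`, which is element [1] of what used to be a one-element pointer array, read from call_start(), so the RPC layer is indexing the program's version table by the client's version number rather than by array position. Two things the hunk does not show and that should be checked before this is merged: `cb_program`, declared just below the array, must report a version count that covers index 1 (for example via ARRAY_SIZE(nfs_cb_version)), otherwise the client is rejected by the version-count check before this table is ever consulted; and element [0] is now NULL, so any remaining caller that still asks for version 0 fails at client creation instead of dereferencing a stale slot, which is the safer failure mode but worth a one-line comment above the array stating that the index must equal the entry's version number, so nobody "tidies" it back to a positional initializer.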
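Review bot: In the setup_callback_client() hunk, `.version = 1` is a bare magic number that now has to agree with two other places, the `[1]` index in the nfs_cb_version table and the `.number` field of nfs_cb_version4 (not visible in this hunk); if any of the three drift apart the client is either refused at rpc_create() time or, as the KASAN report above shows, indexes past the table. Consider giving the callback RPC version a single named constant and using it at all three sites, and since this is the only rpc_create() caller visible in the patch, confirm that no other creator of a cb_program client still passes 0.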