Re: [PATCH 6/6] nfsd: add nfsd_file_acquire_local().

kernel test robot <oliver.sang@xxxxxxxxx> · Thu, 4 Jul 2024 16:58:37 +0800

Hello,

kernel test robot noticed "BUG:kernel_NULL_pointer_dereference,address" on:

commit: 23fc4a797ca65dbe32393093e546c23c0cf278c1 ("[PATCH 6/6] nfsd: add nfsd_file_acquire_local().")
url: https://github.com/intel-lab-lkp/linux/commits/NeilBrown/nfsd-introduce-__fh_verify-which-takes-explicit-nfsd_net-arg/20240701-122856
base: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git 22a40d14b572deb80c0648557f4bd502d7e83826
patch link: https://lore.kernel.org/all/20240701025802.22985-7-neilb@xxxxxxx/
patch subject: [PATCH 6/6] nfsd: add nfsd_file_acquire_local().

in testcase: filebench
version: filebench-x86_64-22620e6-1_20240224
with following parameters:

	disk: 1HDD
	fs: btrfs
	fs2: nfsv4
	test: singlestreamwritedirect.f
	cpufreq_governor: performance

compiler: gcc-13
test machine: 128 threads 2 sockets Intel(R) Xeon(R) Platinum 8358 CPU @ 2.60GHz (Ice Lake) with 128G memory

(please refer to attached dmesg/kmsg for entire log/backtrace)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@xxxxxxxxx>
| Closes: https://lore.kernel.org/oe-lkp/202407041659.c2371438-oliver.sang@xxxxxxxxx

[   35.440736][ T2585] BUG: kernel NULL pointer dereference, address: 0000000000000010
[   35.449115][ T2585] #PF: supervisor read access in kernel mode
[   35.455679][ T2585] #PF: error_code(0x0000) - not-present page
[   35.461966][ T2585] PGD 0
[   35.465163][ T2585] Oops: Oops: 0000 [#1] SMP NOPTI
[   35.470524][ T2585] CPU: 40 PID: 2585 Comm: nfsd Tainted: G S                 6.10.0-rc6-00006-g23fc4a797ca6 #1
[   35.481056][ T2585] Hardware name: Intel Corporation M50CYP2SB1U/M50CYP2SB1U, BIOS SE5C620.86B.01.01.0003.2104260124 04/26/2021
[ 35.493034][ T2585] RIP: 0010:nfsexp_flags (fs/nfsd/auth.c:14) nfsd
[ 35.499118][ T2585] Code: 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 8b 56 78 48 8d 46 7c 48 8d 14 d0 48 39 d0 73 1a <8b> 4f 10 eb 09 48 83 c0 08 48 39 d0 73 0c 39 08 75 f3 8b 40 04 c3
All code
========
   0:	00 90 90 90 90 90    	add    %dl,-0x6f6f6f70(%rax)
   6:	90                   	nop
   7:	90                   	nop
   8:	90                   	nop
   9:	90                   	nop
   a:	90                   	nop
   b:	90                   	nop
   c:	90                   	nop
   d:	90                   	nop
   e:	90                   	nop
   f:	90                   	nop
  10:	90                   	nop
  11:	66 0f 1f 00          	nopw   (%rax)
  15:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  1a:	8b 56 78             	mov    0x78(%rsi),%edx
  1d:	48 8d 46 7c          	lea    0x7c(%rsi),%rax
  21:	48 8d 14 d0          	lea    (%rax,%rdx,8),%rdx
  25:	48 39 d0             	cmp    %rdx,%rax
  28:	73 1a                	jae    0x44
  2a:*	8b 4f 10             	mov    0x10(%rdi),%ecx		<-- trapping instruction
  2d:	eb 09                	jmp    0x38
  2f:	48 83 c0 08          	add    $0x8,%rax
  33:	48 39 d0             	cmp    %rdx,%rax
  36:	73 0c                	jae    0x44
  38:	39 08                	cmp    %ecx,(%rax)
  3a:	75 f3                	jne    0x2f
  3c:	8b 40 04             	mov    0x4(%rax),%eax
  3f:	c3                   	retq   

Code starting with the faulting instruction
===========================================
   0:	8b 4f 10             	mov    0x10(%rdi),%ecx
   3:	eb 09                	jmp    0xe
   5:	48 83 c0 08          	add    $0x8,%rax
   9:	48 39 d0             	cmp    %rdx,%rax
   c:	73 0c                	jae    0x1a
   e:	39 08                	cmp    %ecx,(%rax)
  10:	75 f3                	jne    0x5
  12:	8b 40 04             	mov    0x4(%rax),%eax
  15:	c3                   	retq   
[   35.519118][ T2585] RSP: 0018:ffa000000b48fb18 EFLAGS: 00010283
[   35.525649][ T2585] RAX: ff11001086c8d47c RBX: 0000000000000000 RCX: 0000000000000000
[   35.534071][ T2585] RDX: ff11001086c8d484 RSI: ff11001086c8d400 RDI: 0000000000000000
[   35.542422][ T2585] RBP: ff11001086c8d400 R08: 0000000000000000 R09: ff11000128adb500
[   35.550760][ T2585] R10: ffa000000b48fc00 R11: ff11000154660160 R12: ff11000154660000
[   35.559184][ T2585] R13: ff11001086c8d400 R14: ff11001086cb7800 R15: 0000000000008000
[   35.567487][ T2585] FS:  0000000000000000(0000) GS:ff11002000200000(0000) knlGS:0000000000000000
[   35.576800][ T2585] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   35.583895][ T2585] CR2: 0000000000000010 CR3: 000000207de1c002 CR4: 0000000000771ef0
[   35.592300][ T2585] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   35.600610][ T2585] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   35.609052][ T2585] PKRU: 55555554
[   35.612962][ T2585] Call Trace:
[   35.616640][ T2585]  <TASK>
[ 35.620001][ T2585] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434) 
[ 35.624224][ T2585] ? page_fault_oops (arch/x86/mm/fault.c:715) 
[ 35.629458][ T2585] ? exc_page_fault (arch/x86/include/asm/irqflags.h:37 arch/x86/include/asm/irqflags.h:72 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539) 
[ 35.634666][ T2585] ? asm_exc_page_fault (arch/x86/include/asm/idtentry.h:623) 
[ 35.640019][ T2585] ? nfsexp_flags (fs/nfsd/auth.c:14) nfsd
[ 35.645521][ T2585] nfsd_setuser_and_check_port (fs/nfsd/nfsfh.c:109) nfsd
[ 35.652274][ T2585] __fh_verify (fs/nfsd/nfsfh.c:372) nfsd
[ 35.657656][ T2585] nfsd_file_do_acquire (fs/nfsd/filecache.c:997) nfsd
[ 35.663821][ T2585] nfsd_file_acquire_opened (fs/nfsd/filecache.c:1235 (discriminator 1)) nfsd
[ 35.670245][ T2585] nfs4_get_vfs_file (fs/nfsd/nfs4state.c:5557) nfsd
[ 35.676256][ T2585] nfsd4_process_open2 (fs/nfsd/nfs4state.c:6098) nfsd
[ 35.682411][ T2585] nfsd4_open (fs/nfsd/nfs4proc.c:624) nfsd
[ 35.687758][ T2585] nfsd4_proc_compound (fs/nfsd/nfs4proc.c:2776) nfsd
[ 35.693946][ T2585] nfsd_dispatch (fs/nfsd/nfssvc.c:1004) nfsd
[ 35.699460][ T2585] svc_process_common (net/sunrpc/svc.c:1391) 
[ 35.704884][ T2585] ? __pfx_nfsd_dispatch (fs/nfsd/nfssvc.c:961) nfsd
[ 35.711172][ T2585] svc_process (net/sunrpc/svc.c:1537 (discriminator 1)) 
[ 35.715880][ T2585] svc_handle_xprt (net/sunrpc/svc_xprt.c:831) 
[ 35.721128][ T2585] svc_recv (include/linux/sunrpc/bc_xprt.h:40 net/sunrpc/svc_xprt.c:892) 
[ 35.725731][ T2585] ? __pfx_nfsd (fs/nfsd/nfssvc.c:910) nfsd
[ 35.731143][ T2585] nfsd (fs/nfsd/nfssvc.c:939) nfsd
[ 35.735821][ T2585] kthread (kernel/kthread.c:389) 
[ 35.740131][ T2585] ? __pfx_kthread (kernel/kthread.c:342) 
[ 35.745176][ T2585] ret_from_fork (arch/x86/kernel/process.c:147) 
[ 35.750004][ T2585] ? __pfx_kthread (kernel/kthread.c:342) 
[ 35.754945][ T2585] ret_from_fork_asm (arch/x86/entry/entry_64.S:257) 
[   35.760136][ T2585]  </TASK>
[   35.763428][ T2585] Modules linked in: rpcsec_gss_krb5 nfsv4 dns_resolver nfsd auth_rpcgss device_dax(+) nd_pmem nd_btt dax_pmem btrfs blake2b_generic xor raid6_pq libcrc32c intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp sd_mod coretemp t10_pi crc64_rocksoft_generic crc64_rocksoft crc64 kvm_intel sg kvm crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel sha512_ssse3 rapl ahci ast libahci acpi_power_meter intel_cstate ipmi_ssif mei_me drm_shmem_helper intel_th_gth intel_th_pci ioatdma i2c_i801 intel_uncore dax_hmem libata drm_kms_helper ipmi_si acpi_ipmi mei i2c_smbus intel_pch_thermal intel_th wmi dca nfit ipmi_devintf libnvdimm ipmi_msghandler acpi_pad joydev binfmt_misc drm fuse loop dm_mod ip_tables
[   35.830582][ T2585] CR2: 0000000000000010
[   35.835241][ T2585] ---[ end trace 0000000000000000 ]---
[   35.849208][ T2585] pstore: backend (erst) writing error (-28)
[ 35.855581][ T2585] RIP: 0010:nfsexp_flags (fs/nfsd/auth.c:14) nfsd
[ 35.861704][ T2585] Code: 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 8b 56 78 48 8d 46 7c 48 8d 14 d0 48 39 d0 73 1a <8b> 4f 10 eb 09 48 83 c0 08 48 39 d0 73 0c 39 08 75 f3 8b 40 04 c3
All code
========
   0:	00 90 90 90 90 90    	add    %dl,-0x6f6f6f70(%rax)
   6:	90                   	nop
   7:	90                   	nop
   8:	90                   	nop
   9:	90                   	nop
   a:	90                   	nop
   b:	90                   	nop
   c:	90                   	nop
   d:	90                   	nop
   e:	90                   	nop
   f:	90                   	nop
  10:	90                   	nop
  11:	66 0f 1f 00          	nopw   (%rax)
  15:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  1a:	8b 56 78             	mov    0x78(%rsi),%edx
  1d:	48 8d 46 7c          	lea    0x7c(%rsi),%rax
  21:	48 8d 14 d0          	lea    (%rax,%rdx,8),%rdx
  25:	48 39 d0             	cmp    %rdx,%rax
  28:	73 1a                	jae    0x44
  2a:*	8b 4f 10             	mov    0x10(%rdi),%ecx		<-- trapping instruction
  2d:	eb 09                	jmp    0x38
  2f:	48 83 c0 08          	add    $0x8,%rax
  33:	48 39 d0             	cmp    %rdx,%rax
  36:	73 0c                	jae    0x44
  38:	39 08                	cmp    %ecx,(%rax)
  3a:	75 f3                	jne    0x2f
  3c:	8b 40 04             	mov    0x4(%rax),%eax
  3f:	c3                   	retq   

Code starting with the faulting instruction
===========================================
   0:	8b 4f 10             	mov    0x10(%rdi),%ecx
   3:	eb 09                	jmp    0xe
   5:	48 83 c0 08          	add    $0x8,%rax
   9:	48 39 d0             	cmp    %rdx,%rax
   c:	73 0c                	jae    0x1a
   e:	39 08                	cmp    %ecx,(%rax)
  10:	75 f3                	jne    0x5
  12:	8b 40 04             	mov    0x4(%rax),%eax
  15:	c3                   	retq   

The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20240704/202407041659.c2371438-oliver.sang@xxxxxxxxx

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki