Re: [PATCH 1/2] NFS: Fix a number of bugs in the idmapper

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2012-07-31 at 15:42 +0100, David Howells wrote:
> Fix a number of bugs in the NFS idmapper code:
> 
>  (1) Only registered key types can be passed to the core keys code, so
>      register the legacy idmapper key type.
> 
>      This is a requirement because the unregister function cleans up keys
>      belonging to that key type so that there aren't dangling pointers to the
>      module left behind - including the key->type pointer.
> 
>  (2) Rename the legacy key type.  You can't have two key types with the same
>      name, and (1) would otherwise require that.
> 
>  (3) complete_request_key() must be called in the error path of
>      nfs_idmap_legacy_upcall().
> 
>  (4) There is one idmap struct for each nfs_client struct.  This means that
>      idmap->idmap_key_cons is shared without the use of a lock.  This is a
>      problem because key_instantiate_and_link() - as called indirectly by
>      idmap_pipe_downcall() - releases anyone waiting for the key to be
>      instantiated.
> 
>      What happens is that idmap_pipe_downcall() running in the rpc.idmapd
>      thread, releases the NFS filesystem in whatever thread that is running in
>      to continue.  This may then make another idmapper call, overwriting
>      idmap_key_cons before idmap_pipe_downcall() gets the chance to call
>      complete_request_key().
> 
>      I *think* that reading idmap_key_cons only once, before
>      key_instantiate_and_link() is called, and then caching the result in a
>      variable is sufficient.
> 
> Bug (4) is the cause of:
> 
> BUG: unable to handle kernel NULL pointer dereference at           (null)
> IP: [<          (null)>]           (null)
> PGD 0
> Oops: 0010 [#1] SMP
> CPU 1
> Modules linked in: ppdev parport_pc lp parport ip6table_filter ip6_tables ebtable_nat ebtables ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_state nf_conntrack nfs fscache xt_CHECKSUM auth_rpcgss iptable_mangle nfs_acl bridge stp llc lockd be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i libcxgbi cxgb3 mdio ib_iser rdma_cm ib_cm iw_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi snd_hda_codec_realtek snd_usb_audio snd_hda_intel snd_hda_codec snd_seq snd_pcm snd_hwdep snd_usbmidi_lib snd_rawmidi snd_timer uvcvideo videobuf2_core videodev media videobuf2_vmalloc snd_seq_device videobuf2_memops e1000e vhost_net iTCO_wdt joydev coretemp snd soundcore macvtap macvlan i2c_i801 snd_page_alloc tun iTCO_vendor_support microcode kvm_intel kvm sunrpc hid_logitech_dj usb_storage i915 drm_kms_helper drm i2c_algo_bit i2c_core video [last unloaded: scsi_wait_scan]
> Pid: 1229, comm: rpc.idmapd Not tainted 3.4.2-1.fc16.x86_64 #1 Gateway DX4710-UB801A/G33M05G1
> RIP: 0010:[<0000000000000000>]  [<          (null)>]           (null)
> RSP: 0018:ffff8801a3645d40  EFLAGS: 00010246
> RAX: ffff880077707e30 RBX: ffff880077707f50 RCX: ffff8801a18ccd80
> RDX: 0000000000000006 RSI: ffff8801a3645e75 RDI: ffff880077707f50
> RBP: ffff8801a3645d88 R08: ffff8801a430f9c0 R09: ffff8801a3645db0
> R10: 000000000000000a R11: 0000000000000246 R12: ffff8801a18ccd80
> R13: ffff8801a3645e75 R14: ffff8801a430f9c0 R15: 0000000000000006
> FS:  00007fb6fb51a700(0000) GS:ffff8801afc80000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000000 CR3: 00000001a49b0000 CR4: 00000000000027e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> Process rpc.idmapd (pid: 1229, threadinfo ffff8801a3644000, task ffff8801a3bf9710)
> Stack:
>  ffffffff81260878 ffff8801a3645db0 ffff8801a3645db0 ffff880077707a90
>  ffff880077707f50 ffff8801a18ccd80 0000000000000006 ffff8801a3645e75
>  ffff8801a430f9c0 ffff8801a3645dd8 ffffffff81260983 ffff8801a3645de8
> Call Trace:
>  [<ffffffff81260878>] ? __key_instantiate_and_link+0x58/0x100
>  [<ffffffff81260983>] key_instantiate_and_link+0x63/0xa0
>  [<ffffffffa057062b>] idmap_pipe_downcall+0x1cb/0x1e0 [nfs]
>  [<ffffffffa0107f57>] rpc_pipe_write+0x67/0x90 [sunrpc]
>  [<ffffffff8117f833>] vfs_write+0xb3/0x180
>  [<ffffffff8117fb5a>] sys_write+0x4a/0x90
>  [<ffffffff81600329>] system_call_fastpath+0x16/0x1b
> Code:  Bad RIP value.
> RIP  [<          (null)>]           (null)
>  RSP <ffff8801a3645d40>
> CR2: 0000000000000000
> 
> Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
> Reviewed-by: Steve Dickson <steved@xxxxxxxxxx>
> ---

This patch should already be present in nfs-for-next as of yesterday.
(I've been on a 2 week vacation).

-- 
Trond Myklebust
Linux NFS client maintainer

NetApp
Trond.Myklebust@xxxxxxxxxx
www.netapp.com

��.n��������+%������w��{.n�����{��w���jg��������ݢj����G�������j:+v���w�m������w�������h�����٥



[Index of Archives]     [Linux Filesystem Development]     [Linux USB Development]     [Linux Media Development]     [Video for Linux]     [Linux NILFS]     [Linux Audio Users]     [Yosemite Info]     [Linux SCSI]

  Powered by Linux