On Mon, Sep 24, 2012 at 07:31:23PM +0000, Myklebust, Trond wrote: > On Mon, 2012-09-24 at 13:52 -0400, Bryan Schumaker wrote: > > On 09/24/2012 01:42 PM, J. Bruce Fields wrote: > > > On Mon, Sep 24, 2012 at 01:39:01PM -0400, bjschuma@xxxxxxxxxx wrote: > > >> From: Bryan Schumaker <bjschuma@xxxxxxxxxx> > > >> > > >> f39c1bfb5a03e2d255451bff05be0d7255298fa4 (SUNRPC: Fix a UDP transport > > >> regression) introduced the "alloc_slot" function for xprt operations, > > >> but never created one for the backchannel operations. This patch fixes > > >> a null pointer dereference when mounting NFS over v4.1. > > > > > > Thanks, I just rebased some of my work to 3.6 and ran across that! It > > > crashes the 4.1 server very quickly.... > > > > That sounds like my story. It got my peer-to-peer server right away, too. > > > > - Bryan > > > > > > > > --b. > > > > > >> > > >> Call Trace: > > >> [<ffffffffa0207957>] ? xprt_reserve+0x47/0x50 [sunrpc] > > >> [<ffffffffa02023a4>] call_reserve+0x34/0x60 [sunrpc] > > >> [<ffffffffa020e280>] __rpc_execute+0x90/0x400 [sunrpc] > > >> [<ffffffffa020e61a>] rpc_async_schedule+0x2a/0x40 [sunrpc] > > >> [<ffffffff81073589>] process_one_work+0x139/0x500 > > >> [<ffffffff81070e70>] ? alloc_worker+0x70/0x70 > > >> [<ffffffffa020e5f0>] ? __rpc_execute+0x400/0x400 [sunrpc] > > >> [<ffffffff81073d1e>] worker_thread+0x15e/0x460 > > >> [<ffffffff8145c839>] ? preempt_schedule+0x49/0x70 > > >> [<ffffffff81073bc0>] ? rescuer_thread+0x230/0x230 > > >> [<ffffffff81079603>] kthread+0x93/0xa0 > > >> [<ffffffff81465d04>] kernel_thread_helper+0x4/0x10 > > >> [<ffffffff81079570>] ? kthread_freezable_should_stop+0x70/0x70 > > >> [<ffffffff81465d00>] ? gs_change+0x13/0x13 > > >> > > >> Signed-off-by: Bryan Schumaker <bjschuma@xxxxxxxxxx> > > >> --- > > >> net/sunrpc/xprtsock.c | 1 + > > >> 1 file changed, 1 insertion(+) > > >> > > >> diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c > > >> index 86b7777..aaaadfb 100644 > > >> --- a/net/sunrpc/xprtsock.c 
> > >> +++ b/net/sunrpc/xprtsock.c > > >> @@ -2521,6 +2521,7 @@ static struct rpc_xprt_ops xs_tcp_ops = { > > >> static struct rpc_xprt_ops bc_tcp_ops = { > > >> .reserve_xprt = xprt_reserve_xprt, > > >> .release_xprt = xprt_release_xprt, > > >> + .alloc_slot = xprt_alloc_slot, > > >> .rpcbind = xs_local_rpcbind, > > >> .buf_alloc = bc_malloc, > > >> .buf_free = bc_free, > > >> -- > > >> 1.7.12.1 > > >> > > >> -- > > >> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in > > >> the body of a message to majordomo@xxxxxxxxxxxxxxx > > >> More majordomo info at http://vger.kernel.org/majordomo-info.html > > > > Argh... Sorry, that was entirely my fault. I traced the client side > backchannel code, and found it was allocating slots using its own > mechanism, then thought that applied to bc_tcp_ops. > > I find the NFSv4.1 backchannel code to be even more confusing than > lockd. Patches very much welcomed. > ...and BTW the .rpcbind hack above is a prime example. Bruce, why do you > need that? The server back channel sets xprt_set_bound() in > xs_setup_bc_tcp() and should never clear it. Beats me; you're suggesting the below? Agreed, looks wrong. It must be pointless in the AF_LOCAL case too, though I didn't try to verify. --b. commit ad25de5558f702fa2c7ececedf4d61975dababa8 Author: J. Bruce Fields <bfields@xxxxxxxxxx> Date: Mon Sep 24 15:53:29 2012 -0400 sunrpc: server back channel needs no rpcbind method XPRT_BOUND is set on server backchannel xprts by xs_setup_bc_tcp() (using xprt_set_bound()), and is never cleared, so ->rpcbind() will never need to be called. Reported-by: "Myklebust, Trond" <Trond.Myklebust@xxxxxxxxxx> Signed-off-by: J. Bruce Fields <bfields@xxxxxxxxxx> diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c index cd59a80..3a8663e6 100644 --- a/net/sunrpc/xprtsock.c +++ b/net/sunrpc/xprtsock.c 
@@ -2529,7 +2529,6 @@ static struct rpc_xprt_ops bc_tcp_ops = { .reserve_xprt = xprt_reserve_xprt, .release_xprt = xprt_release_xprt, .alloc_slot = xprt_alloc_slot, - .rpcbind = xs_local_rpcbind, .buf_alloc = bc_malloc, .buf_free = bc_free, .send_request = bc_send_request,
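Review bot: On the quoted first patch (Bryan Schumaker's, the added ".alloc_slot = xprt_alloc_slot," line in bc_tcp_ops), the commit message says an alloc_slot was "never created" for the backchannel operations, yet the fix reuses the generic xprt_alloc_slot rather than adding a backchannel-specific one. The message should say so and state why the generic allocator is the right choice for this transport. The trace shows the fault being reached through call_reserve and xprt_reserve, so any other rpc_xprt_ops table that leaves .alloc_slot unset would presumably fail the same way; it would help to confirm in the message that bc_tcp_ops was the only table missed. Since the thread reports the crash on 3.6, a stable tag alongside the reference to f39c1bfb5a03e2d255451bff05be0d7255298fa4 would make the backport target explicit.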
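Review bot: On the second patch (J. Bruce Fields's, the removed "- .rpcbind = xs_local_rpcbind," line in bc_tcp_ops), dropping the member leaves ->rpcbind NULL for server backchannel xprts, so the safety of this change rests entirely on the invariant stated in the commit message: XPRT_BOUND is set by xs_setup_bc_tcp() and never cleared. If any path ever clears that flag on a backchannel xprt, or calls ->rpcbind() without first testing it, the result is a null pointer dereference of the same kind the first patch in this thread fixes for .alloc_slot. Suggest stating in the commit message that the callers of ->rpcbind() were checked, and adding a short comment in bc_tcp_ops that the omission is intentional so the member is not treated as a forgotten one later.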