linux-stable/fs/nfs
David Howells f1fe29b4a0 NFS: Use i_writecount to control whether to get an fscache cookie in nfs_open()
Use i_writecount to control whether to get an fscache cookie in nfs_open() as
NFS does not do write caching yet.  I *think* this is the cause of a problem
encountered by Mark Moseley whereby __fscache_uncache_page() gets a NULL
pointer dereference because cookie->def is NULL:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
IP: [<ffffffff812a1903>] __fscache_uncache_page+0x23/0x160
PGD 0
Thread overran stack, or stack corrupted
Oops: 0000 [#1] SMP
Modules linked in: ...
CPU: 7 PID: 18993 Comm: php Not tainted 3.11.1 #1
Hardware name: Dell Inc. PowerEdge R420/072XWF, BIOS 1.3.5 08/21/2012
task: ffff8804203460c0 ti: ffff880420346640
RIP: 0010:[<ffffffff812a1903>] __fscache_uncache_page+0x23/0x160
RSP: 0018:ffff8801053af878 EFLAGS: 00210286
RAX: 0000000000000000 RBX: ffff8800be2f8780 RCX: ffff88022ffae5e8
RDX: 0000000000004c66 RSI: ffffea00055ff440 RDI: ffff8800be2f8780
RBP: ffff8801053af898 R08: 0000000000000001 R09: 0000000000000003
R10: 0000000000000000 R11: 0000000000000000 R12: ffffea00055ff440
R13: 0000000000001000 R14: ffff8800c50be538 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88042fc60000(0063) knlGS:00000000e439c700
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 0000000000000010 CR3: 0000000001d8f000 CR4: 00000000000607f0
Stack:
...
Call Trace:
[<ffffffff81365a72>] __nfs_fscache_invalidate_page+0x42/0x70
[<ffffffff813553d5>] nfs_invalidate_page+0x75/0x90
[<ffffffff811b8f5e>] truncate_inode_page+0x8e/0x90
[<ffffffff811b90ad>] truncate_inode_pages_range.part.12+0x14d/0x620
[<ffffffff81d6387d>] ? __mutex_lock_slowpath+0x1fd/0x2e0
[<ffffffff811b95d3>] truncate_inode_pages_range+0x53/0x70
[<ffffffff811b969d>] truncate_inode_pages+0x2d/0x40
[<ffffffff811b96ff>] truncate_pagecache+0x4f/0x70
[<ffffffff81356840>] nfs_setattr_update_inode+0xa0/0x120
[<ffffffff81368de4>] nfs3_proc_setattr+0xc4/0xe0
[<ffffffff81357f78>] nfs_setattr+0xc8/0x150
[<ffffffff8122d95b>] notify_change+0x1cb/0x390
[<ffffffff8120a55b>] do_truncate+0x7b/0xc0
[<ffffffff8121f96c>] do_last+0xa4c/0xfd0
[<ffffffff8121ffbc>] path_openat+0xcc/0x670
[<ffffffff81220a0e>] do_filp_open+0x4e/0xb0
[<ffffffff8120ba1f>] do_sys_open+0x13f/0x2b0
[<ffffffff8126aaf6>] compat_SyS_open+0x36/0x50
[<ffffffff81d7204c>] sysenter_dispatch+0x7/0x24

The code at the instruction pointer was disassembled:

> (gdb) disas __fscache_uncache_page
> Dump of assembler code for function __fscache_uncache_page:
> ...
> 0xffffffff812a18ff <+31>: mov 0x48(%rbx),%rax
> 0xffffffff812a1903 <+35>: cmpb $0x0,0x10(%rax)
> 0xffffffff812a1907 <+39>: je 0xffffffff812a19cd <__fscache_uncache_page+237>

These instructions make up:

	ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);

That cmpb is the faulting instruction (%rax is 0).  So cookie->def is NULL -
which presumably means that the cookie has already been at least partway
through __fscache_relinquish_cookie().

What I think may be happening is something like a three-way race on the same
file:

	PROCESS 1	PROCESS 2	PROCESS 3
	===============	===============	===============
	open(O_TRUNC|O_WRONLY)
			open(O_RDONLY)
					open(O_WRONLY)
	-->nfs_open()
	-->nfs_fscache_set_inode_cookie()
	nfs_fscache_inode_lock()
	nfs_fscache_disable_inode_cookie()
	__fscache_relinquish_cookie()
	nfs_inode->fscache = NULL
	<--nfs_fscache_set_inode_cookie()

			-->nfs_open()
			-->nfs_fscache_set_inode_cookie()
			nfs_fscache_inode_lock()
			nfs_fscache_enable_inode_cookie()
			__fscache_acquire_cookie()
			nfs_inode->fscache = cookie
			<--nfs_fscache_set_inode_cookie()
	<--nfs_open()
	-->nfs_setattr()
	...
	...
	-->nfs_invalidate_page()
	-->__nfs_fscache_invalidate_page()
	cookie = nfsi->fscache
					-->nfs_open()
					-->nfs_fscache_set_inode_cookie()
					nfs_fscache_inode_lock()
					nfs_fscache_disable_inode_cookie()
					-->__fscache_relinquish_cookie()
	-->__fscache_uncache_page(cookie)
	<crash>
					<--__fscache_relinquish_cookie()
					nfs_inode->fscache = NULL
					<--nfs_fscache_set_inode_cookie()

What is needed is something to prevent process #2 from reacquiring the cookie
- and I think checking i_writecount should do the trick.

It's also possible to have a two-way race on this if the file is opened
O_TRUNC|O_RDONLY instead.

Reported-by: Mark Moseley <moseleymark@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
2013-09-27 18:40:25 +01:00
blocklayout NFSv4.1 use pnfs_device maxcount for the blocklayout gdia_maxcount 2013-06-28 15:34:44 -04:00
objlayout NFSv4.1 use pnfs_device maxcount for the objectlayout gdia_maxcount 2013-06-28 15:34:45 -04:00
cache_lib.c NFS: simplify and clean cache library 2013-02-15 10:43:36 -05:00
cache_lib.h NFS: simplify and clean cache library 2013-02-15 10:43:36 -05:00
callback.c NFS client updates for Linux 3.11 2013-07-09 12:09:43 -07:00
callback.h NFS: Add in v4.2 callback operation 2013-06-08 16:20:18 -04:00
callback_proc.c NFS: When displaying session slot numbers, use "%u" consistently 2013-09-03 15:26:30 -04:00
callback_xdr.c Merge branch 'labeled-nfs' into linux-next 2013-06-28 16:29:51 -04:00
client.c NFS Remove unused authflavour parameter from init_client 2013-08-07 13:09:30 -04:00
delegation.c NFSv4: Add tracepoints for debugging delegations 2013-08-22 08:58:24 -04:00
delegation.h NFSv4: Fix CB_RECALL_ANY to only return delegations that are not in use 2013-04-05 17:03:57 -04:00
dir.c NFS: Use i_writecount to control whether to get an fscache cookie in nfs_open() 2013-09-27 18:40:25 +01:00
direct.c aio: Kill aio_rw_vect_retry() 2013-07-30 11:53:12 -04:00
dns_resolve.c NFSv4: Move the DNS resolver into the NFSv4 module 2013-06-18 13:47:18 -04:00
dns_resolve.h
file.c NFS avoid expired credential keys for buffered writes 2013-09-03 15:25:09 -04:00
fscache-index.c
fscache.c NFS: Use i_writecount to control whether to get an fscache cookie in nfs_open() 2013-09-27 18:40:25 +01:00
fscache.h NFS: Use i_writecount to control whether to get an fscache cookie in nfs_open() 2013-09-27 18:40:25 +01:00
getroot.c NFS:Add labels to client function prototypes 2013-06-08 16:20:15 -04:00
idmap.c NFSv4: Convert idmapper to use the new framework for pipefs dentries 2013-09-01 11:12:42 -04:00
inode.c NFS: Use i_writecount to control whether to get an fscache cookie in nfs_open() 2013-09-27 18:40:25 +01:00
internal.h fs: convert fs shrinkers to new scan/count API 2013-09-10 18:56:31 -04:00
iostat.h
Kconfig Kconfig: Add Kconfig entry for Labeled NFS V4 client 2013-06-08 16:20:17 -04:00
Makefile NFS: Enable slot table helpers for NFSv4.0 2013-09-03 15:26:33 -04:00
mount_clnt.c nfs: have nfs_mount fake up a auth_flavs list when the server didn't provide it 2013-06-28 15:51:51 -04:00
namespace.c NFS:Add labels to client function prototypes 2013-06-08 16:20:15 -04:00
netns.h nfs: include NFSv4 header in netns.h 2012-10-02 08:17:02 -07:00
nfs.h NFS: Convert v4 into a module 2012-07-30 19:06:52 -04:00
nfs2super.c NFS: Convert v2 into a module 2012-07-30 19:06:41 -04:00
nfs2xdr.c nfs: Convert nfs2xdr to use kuids and kgids 2013-02-13 06:15:30 -08:00
nfs3acl.c userns: Pass a userns parameter into posix_acl_to_xattr and posix_acl_from_xattr 2012-09-18 01:01:35 -07:00
nfs3client.c NFS: Only initialize the ACL client in the v3 case 2012-07-30 19:05:54 -04:00
nfs3proc.c NFSv4: Don't try to recover NFSv4 locks when they are lost. 2013-09-04 12:26:32 -04:00
nfs3super.c NFS: Convert v3 into a module 2012-07-30 19:06:46 -04:00
nfs3xdr.c nfs: Convert nfs3xdr to use kuids and kgids 2013-02-13 06:15:31 -08:00
nfs4_fs.h NFSv4.1: sp4_mach_cred: WARN_ON -> WARN_ON_ONCE 2013-09-11 09:08:08 -04:00
nfs4client.c NFSv4: Allow security autonegotiation for submounts 2013-09-07 17:52:42 -04:00
nfs4file.c NFS: Use i_writecount to control whether to get an fscache cookie in nfs_open() 2013-09-27 18:40:25 +01:00
nfs4filelayout.c NFSv4.1 Use MDS auth flavor for data server connection 2013-09-06 14:49:16 -04:00
nfs4filelayout.h NFSv4.1: Use layout credentials for get_deviceinfo calls 2013-06-06 16:24:37 -04:00
nfs4filelayoutdev.c NFSv4.1 Fix gdia_maxcount calculation to fit in ca_maxresponsesize 2013-06-28 15:34:43 -04:00
nfs4getroot.c NFSv4: Fix security auto-negotiation 2013-09-07 16:18:30 -04:00
nfs4namespace.c NFSv4: Allow security autonegotiation for submounts 2013-09-07 17:52:42 -04:00
nfs4proc.c NFS client bugfixes: 2013-09-12 13:39:34 -07:00
nfs4renewd.c workqueue: use mod_delayed_work() instead of cancel + queue 2012-08-13 16:27:37 -07:00
nfs4session.c When CONFIG_NFS_V4_1 is not enabled, "make C=2" emits this warning: 2013-09-04 12:26:30 -04:00
nfs4session.h When CONFIG_NFS_V4_1 is not enabled, "make C=2" emits this warning: 2013-09-04 12:26:30 -04:00
nfs4state.c NFSv4: Don't try to recover NFSv4 locks when they are lost. 2013-09-04 12:26:32 -04:00
nfs4super.c NFSv4: Fix security auto-negotiation 2013-09-07 16:18:30 -04:00
nfs4sysctl.c nfs: include nfs4_fh.h in nfs4sysctl.c 2012-10-02 08:17:03 -07:00
nfs4trace.c NFSv4.1: Add tracepoints for debugging slot table operations 2013-08-22 08:58:27 -04:00
nfs4trace.h NFSv4.1: Add tracepoints for debugging test_stateid events 2013-08-22 08:58:27 -04:00
nfs4xdr.c NFSv4.1 fix decode_free_stateid 2013-09-10 13:04:37 -04:00
nfsroot.c SUNRPC/NFS: Add Kbuild dependencies for NFS_DEBUG/RPC_DEBUG 2012-03-20 13:08:26 -04:00
nfstrace.c NFS: Add event tracing for generic NFS lookups 2013-08-22 08:58:18 -04:00
nfstrace.h NFS: Add tracepoints for debugging NFS hard links 2013-08-22 08:58:20 -04:00
pagelist.c NFS: Don't check lock owner compatibility unless file is locked (part 2) 2013-09-06 11:27:41 -04:00
pnfs.c NFSv4: Add tracepoints for debugging reads and writes 2013-08-22 08:58:26 -04:00
pnfs.h NFSv4.1 Fix gdia_maxcount calculation to fit in ca_maxresponsesize 2013-06-28 15:34:43 -04:00
pnfs_dev.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00
proc.c NFSv4: Don't try to recover NFSv4 locks when they are lost. 2013-09-04 12:26:32 -04:00
read.c NFSv4: Don't try to recover NFSv4 locks when they are lost. 2013-09-04 12:26:32 -04:00
super.c fs: convert fs shrinkers to new scan/count API 2013-09-10 18:56:31 -04:00
symlink.c
sysctl.c NFS: Initialize v4 sysctls from nfs_init_v4() 2012-07-17 13:33:18 -04:00
unlink.c NFS: Ensure that rmdir() waits for sillyrenames to complete 2013-09-03 15:26:29 -04:00
write.c NFS: Don't check lock owner compatibility in writes unless file is locked 2013-09-05 18:11:42 -04:00