From: Trond Myklebust
To: torvalds@linux-foundation.org, linux-kernel@vger.kernel.org, bfields@fieldses.org, linux-nfs@vger.kernel.org, schumaker.anna@gmail.com, davej@codemonkey.org.uk, linux-fsdevel@vger.kernel.org
Subject: Re: [GIT PULL] Please pull NFS client changes for Linux 4.13
Date: Tue, 1 Aug 2017 17:30:30 +0000
Message-ID: <1501608628.70813.1.camel@primarydata.com>
References: <20170714142543.k5xcbnb4mww3sxpy@codemonkey.org.uk> <20170716211530.sx7mn35f2mhmykug@codemonkey.org.uk> <1500245845.13893.3.camel@primarydata.com> <20170717030504.qca74wsswct26ytn@codemonkey.org.uk> <20170731154322.tfzkukscda4fe7wm@codemonkey.org.uk> <20170801155131.xy7nbw5ih7ml5fmf@codemonkey.org.uk>
On Tue, 2017-08-01 at 10:20 -0700, Linus Torvalds wrote:
> On Tue, Aug 1, 2017 at 8:51 AM, davej@codemonkey.org.uk wrote:
> > On Mon, Jul 31, 2017 at 10:35:45PM -0700, Linus Torvalds wrote:
> > > Any chance of getting the output from
> > >
> > >   ./scripts/faddr2line vmlinux nfs4_exchange_id_done+0x3d7/0x8e0
> >
> > Hm, that points to this..
> >
> > 7463         /* Save the EXCHANGE_ID verifier session trunk tests */
> > 7464         memcpy(clp->cl_confirm.data, cdata->args.verifier->data,
> > 7465                sizeof(clp->cl_confirm.data));
>
> Ok, that certainly made no sense to me, because the KASAN report made
> it look like a stale pathname access (allocated in getname, freed in
> putname), but I think the issue is more fundamental than that.
>
> That cdata->args.verifier seems to be entirely broken. At least for
> the "xprt == NULL" case, it does the following:
>
>  - use the address of a local variable ("&verifier")
>
>  - wait for the rpc completion using rpc_wait_for_completion_task().
>
> That's unacceptably buggy crap. rpc_wait_for_completion_task() will
> happily exit on a deadly signal even if the rpc hasn't been completed,
> so now you'll have a stale pointer to a stack that has been freed.
>
> So I think the 'pathname' part may actually be entirely a red herring,
> and it's the underlying access itself that just picks up a random
> pointer from a stack that now contains something different. And KASAN
> didn't notice the stale stack access itself, because the stack slot is
> still valid - it's just no longer the original 'verifier' allocation.
>
> Or *something* like that.
>
> None of this looks even remotely new, though - the code seems to go
> back to 2009. Have you just changed what you're testing to trigger
> these things?
>
> I'm not even sure why it does that stupid stack allocation. It does a
> *real* allocation just a few lines later:
>
>         struct nfs41_exchange_id_data *calldata
>         ...
>         calldata = kzalloc(sizeof(*calldata), GFP_NOFS);
>
> and the whole verifier structure could easily have been part of that
> same allocation as far as I can tell.
>
> And that really might seem to be the right thing to do.
>
> TOTALLY UNTESTED PROBABLY COMPLETE CRAP patch attached.
>
> That patch compiles for me. It *might* even work. Or it might just be
> the ramblings of a diseased mind.
>
> Anna? Trond?
>

I came to the same conclusion yesterday, and have a stable patch that
does something similar. I just got distracted with the other bugs that
were introduced by the exchangeid patch series in Linux-4.9 (including
what looks like a duplicate free issue in nfs4_test_session_trunk()).

I can pass a few of the more critical patches on to Anna for merging in
this cycle, then I've got some clean ups ready for the 4.14 merge
window.

Cheers
  Trond

-- 
Trond Myklebust
Linux NFS client maintainer, PrimaryData
trond.myklebust@primarydata.com
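The lifetime bug described above, as an added userspace model that is not code from the kernel or from anyone in this thread. It puts the two layouts Linus contrasts side by side: the EXCHANGE_ID verifier living in the waiter's stack frame while the RPC may complete after a fatal signal has already sent the waiter back up the stack, versus the verifier being a member of the kzalloc'd calldata so it lives exactly as long as the task that reads it. The struct names (cl_confirm, calldata, verifier) mirror the thread; the one-slot "scheduler", the two-reference ownership of calldata, the use of -EINTR for the kernel's -ERESTARTSYS, and the simulated stack slot are constructed for the demo and are not how SUNRPC or the NFS client actually implement any of this. The slot is simulated on purpose: taking the address of a real local and reading it after the function returned is undefined behaviour and would not reproduce deterministically.

```c
/* Added example: userspace model of the stack-verifier bug and of the fix
 * that moves the verifier into the heap-allocated calldata. Names follow the
 * thread; everything else is constructed for the demo, not kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VERIFIER_LEN 8

struct verifier { uint8_t data[VERIFIER_LEN]; };

/* Stand-in for struct nfs_client: only the field the done callback writes. */
struct nfs_client { struct verifier cl_confirm; };

/* Per-call data, heap allocated like the thread's kzalloc(sizeof(*calldata)). */
struct exchange_id_data {
    struct nfs_client *clp;
    struct verifier *verifier;    /* buggy layout: points at the caller's stack */
    struct verifier own_verifier; /* fixed layout: owned by this allocation */
    int refcount;                 /* one ref for the waiter, one for the task */
};

/* Simulated stack slot: the frame of whichever function is "running" now.
 * The next function to run reuses it, exactly as a real frame is reused. */
static struct verifier stack_slot;

static struct exchange_id_data *pending; /* the one deferred "RPC task" */
static int frees;                        /* how many times calldata was freed */

static void put_calldata(struct exchange_id_data *cd)
{
    if (--cd->refcount == 0) {
        free(cd);
        frees++;
    }
}

/* The done callback from the faddr2line output: copy verifier into cl_confirm. */
static void exchange_id_done(struct exchange_id_data *cd)
{
    memcpy(cd->clp->cl_confirm.data, cd->verifier->data,
           sizeof(cd->clp->cl_confirm.data));
    put_calldata(cd); /* the task's reference */
}

static void run_pending(void)
{
    struct exchange_id_data *cd = pending;
    pending = NULL;
    if (cd)
        exchange_id_done(cd);
}

/* Models rpc_wait_for_completion_task(): without a signal the task runs and
 * 0 is returned; a fatal signal returns -EINTR at once (kernel: -ERESTARTSYS)
 * and leaves the task queued to complete later. */
static int wait_for_task(bool signalled)
{
    if (signalled)
        return -EINTR;
    run_pending();
    return 0;
}

/* Issue the call. @fixed picks where the verifier lives; @sent records it. */
static int exchange_id(struct nfs_client *clp, bool fixed, bool signalled,
                       struct verifier *sent)
{
    struct exchange_id_data *cd = calloc(1, sizeof(*cd));
    struct verifier *v;
    int status;

    if (!cd)
        return -ENOMEM;
    cd->clp = clp;
    cd->refcount = 2;
    v = fixed ? &cd->own_verifier : &stack_slot;
    memset(v->data, 0xAA, sizeof(v->data)); /* constructed verifier bytes */
    *sent = *v;
    cd->verifier = v;
    pending = cd;

    status = wait_for_task(signalled);
    put_calldata(cd); /* the waiter's reference, whether or not the task ran */
    return status;
}

/* Whatever runs next after an early return: it reuses the stack slot. */
static void unrelated_work(void)
{
    memset(stack_slot.data, 0x55, sizeof(stack_slot.data));
}

/* True if the verifier that reached clp->cl_confirm is the one that was sent. */
bool exchange_id_scenario(bool fixed, bool signalled)
{
    struct nfs_client clp;
    struct verifier sent;

    memset(&clp, 0, sizeof(clp));
    frees = 0;
    if (exchange_id(&clp, fixed, signalled, &sent) == -EINTR) {
        unrelated_work(); /* the frame is gone; something else lives there now */
        run_pending();    /* the RPC completes late and runs the done callback */
    }
    return memcmp(clp.cl_confirm.data, sent.data, VERIFIER_LEN) == 0;
}

int calldata_frees(void) { return frees; }

int main(void)
{
    printf("stack verifier, no signal:    %s\n", exchange_id_scenario(false, false) ? "ok" : "CORRUPT");
    printf("stack verifier, killed:       %s\n", exchange_id_scenario(false, true) ? "ok" : "CORRUPT");
    printf("calldata verifier, no signal: %s\n", exchange_id_scenario(true, false) ? "ok" : "CORRUPT");
    printf("calldata verifier, killed:    %s\n", exchange_id_scenario(true, true) ? "ok" : "CORRUPT");
    return 0;
}
```

The stack-verifier case only goes wrong on the signalled path, which is why the code could sit there for years and then show up as a KASAN report pointing at something unrelated: the slot is still valid stack memory, so the sanitizer has nothing to flag, and what gets copied into cl_confirm is whatever the next frame left there. With the verifier inside calldata, the waiter returning early changes nothing the task depends on, and the last reference dropped (here by the done callback) frees the allocation exactly once.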