2021-06-02 18:14:53

by David Wysochanski

Subject: BUG: KASAN: use-after-free in find_clp_in_name_tree.isra.0+0x13e/0x190 [nfsd]

Bruce,

I was testing your nfsd-next branch (plus my modified v3 callback
address and state patch I just sent) and saw this on console after a
simple test of a mount, umount, mount cycle of an NFSv4.1 mount.


==================================================================
[ 8523.413808] BUG: KASAN: use-after-free in find_clp_in_name_tree.isra.0+0x13e/0x190 [nfsd]
[ 8523.417537] Read of size 4 at addr ffff888117a6cee8 by task nfsd/1132
[ 8523.420320]
[ 8523.421012] CPU: 7 PID: 1132 Comm: nfsd Kdump: loaded Not tainted 5.13.0-rc2-bfields-nfsd+ #16
[ 8523.424499] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[ 8523.426785] Call Trace:
[ 8523.427880] dump_stack+0x9c/0xcf
[ 8523.429375] print_address_description.constprop.0+0x18/0x130
[ 8523.431756] ? find_clp_in_name_tree.isra.0+0x13e/0x190 [nfsd]
[ 8523.434160] kasan_report.cold+0x7f/0x111
[ 8523.435795] ? find_clp_in_name_tree.isra.0+0x13e/0x190 [nfsd]
[ 8523.438207] find_clp_in_name_tree.isra.0+0x13e/0x190 [nfsd]
[ 8523.440519] ? _raw_write_lock_bh+0xb0/0xb0
[ 8523.442284] nfsd4_exchange_id+0x7f5/0x1730 [nfsd]
[ 8523.444290] ? nfsd4_mach_creds_match+0x210/0x210 [nfsd]
[ 8523.446479] ? svcauth_unix_set_client+0xab8/0x1370 [sunrpc]
[ 8523.449121] nfsd4_proc_compound+0xc83/0x1f20 [nfsd]
[ 8523.451187] nfsd_dispatch+0x4fd/0xa30 [nfsd]
[ 8523.453053] ? svc_reserve+0x10c/0x220 [sunrpc]
[ 8523.454986] svc_process_common+0xcca/0x2310 [sunrpc]
[ 8523.457119] ? svc_set_num_threads+0x440/0x440 [sunrpc]
[ 8523.459318] ? nfsd_svc+0x9a0/0x9a0 [nfsd]
[ 8523.461044] ? svc_xprt_release+0x2fd/0x720 [sunrpc]
[ 8523.463135] svc_process+0x353/0x4f0 [sunrpc]
[ 8523.464998] nfsd+0x2a1/0x410 [nfsd]
[ 8523.466526] ? __kthread_parkme+0x85/0x100
[ 8523.468251] ? nfsd_shutdown_threads+0x1f0/0x1f0 [nfsd]
[ 8523.470409] kthread+0x31c/0x3e0
[ 8523.471725] ? __kthread_bind_mask+0x90/0x90
[ 8523.473440] ret_from_fork+0x22/0x30
[ 8523.474924]
[ 8523.475571] Allocated by task 1132:
[ 8523.477010] kasan_save_stack+0x1b/0x40
[ 8523.478564] __kasan_slab_alloc+0x61/0x80
[ 8523.480185] kmem_cache_alloc+0xec/0x250
[ 8523.481795] create_client+0x1bf/0xe00 [nfsd]
[ 8523.483639] nfsd4_exchange_id+0x2b8/0x1730 [nfsd]
[ 8523.485646] nfsd4_proc_compound+0xc83/0x1f20 [nfsd]
[ 8523.487677] nfsd_dispatch+0x4fd/0xa30 [nfsd]
[ 8523.489487] svc_process_common+0xcca/0x2310 [sunrpc]
[ 8523.491608] svc_process+0x353/0x4f0 [sunrpc]
[ 8523.493564] nfsd+0x2a1/0x410 [nfsd]
[ 8523.507991] kthread+0x31c/0x3e0
[ 8523.509297] ret_from_fork+0x22/0x30
[ 8523.510734]
[ 8523.511358] Last potentially related work creation:
[ 8523.513263] kasan_save_stack+0x1b/0x40
[ 8523.514771] kasan_record_aux_stack+0xa5/0xb0
[ 8523.516476] insert_work+0x4a/0x350
[ 8523.517852] __queue_work+0x4db/0xc20
[ 8523.519288] queue_work_on+0x59/0x80
[ 8523.520707] nfsd4_run_cb+0x51/0x80 [nfsd]
[ 8523.522799] nfsd4_shutdown_callback+0xbf/0x2a0 [nfsd]
[ 8523.524889] __destroy_client+0x48a/0x6d0 [nfsd]
[ 8523.526738] nfsd4_destroy_clientid+0x2da/0x4c0 [nfsd]
[ 8523.528823] nfsd4_proc_compound+0xc83/0x1f20 [nfsd]
[ 8523.530826] nfsd_dispatch+0x4fd/0xa30 [nfsd]
[ 8523.532594] svc_process_common+0xcca/0x2310 [sunrpc]
[ 8523.534988] svc_process+0x353/0x4f0 [sunrpc]
[ 8523.536774] nfsd+0x2a1/0x410 [nfsd]
[ 8523.538258] kthread+0x31c/0x3e0
[ 8523.539539] ret_from_fork+0x22/0x30
[ 8523.540949]
[ 8523.541571] Second to last potentially related work creation:
[ 8523.543778] kasan_save_stack+0x1b/0x40
[ 8523.545281] kasan_record_aux_stack+0xa5/0xb0
[ 8523.546992] insert_work+0x4a/0x350
[ 8523.548352] __queue_work+0x4db/0xc20
[ 8523.549778] queue_work_on+0x59/0x80
[ 8523.551178] nfsd4_run_cb+0x51/0x80 [nfsd]
[ 8523.552830] nfsd4_probe_callback_sync+0xa/0x20 [nfsd]
[ 8523.554900] nfsd4_destroy_session+0x658/0x920 [nfsd]
[ 8523.556956] nfsd4_proc_compound+0xc83/0x1f20 [nfsd]
[ 8523.558949] nfsd_dispatch+0x4fd/0xa30 [nfsd]
[ 8523.560707] svc_process_common+0xcca/0x2310 [sunrpc]
[ 8523.562777] svc_process+0x353/0x4f0 [sunrpc]
[ 8523.564587] nfsd+0x2a1/0x410 [nfsd]
[ 8523.566065] kthread+0x31c/0x3e0
[ 8523.567338] ret_from_fork+0x22/0x30
[ 8523.568747]
[ 8523.569405] The buggy address belongs to the object at ffff888117a6ce50
[ 8523.569405] which belongs to the cache nfsd4_clients of size 1304
[ 8523.574309] The buggy address is located 152 bytes inside of
[ 8523.574309] 1304-byte region [ffff888117a6ce50, ffff888117a6d368)
[ 8523.578794] The buggy address belongs to the page:
page:000000005a8edc90 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888117a6ce50 pfn:0x117a68
[ 8523.584734] head:000000005a8edc90 order:3 compound_mapcount:0 compound_pincount:0
[ 8523.587613] flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[ 8523.590475] raw: 0017ffffc0010200 dead000000000100 dead000000000122 ffff88810ca21180
[ 8523.593442] raw: ffff888117a6ce50 0000000080160015 00000001ffffffff 0000000000000000
[ 8523.596406] page dumped because: kasan: bad access detected
[ 8523.598551]
[ 8523.599168] Memory state around the buggy address:
[ 8523.601043]  ffff888117a6cd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 8523.603798]  ffff888117a6ce00: fc fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb
[ 8523.614732] >ffff888117a6ce80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 8523.617540]                                                           ^
[ 8523.620077]  ffff888117a6cf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 8523.622826]  ffff888117a6cf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 8523.625586] ==================================================================
[ 8523.628381] Disabling lock debugging due to kernel taint

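The failure described in the report above, as an added userspace model that is not part of this thread and not nfsd code. It keeps the shape the report shows: a client object linked into one of two name trees, a confirm step that moves it from the unconfirmed tree to the confirmed one, a teardown step (DESTROY_CLIENTID in the report) that unlinks and frees it, and a later lookup (the next EXCHANGE_ID) that walks the confirmed tree comparing the 4-byte name length first. The model assumes, for illustration only, that teardown picks which tree to erase from by testing the confirmed flag; the thread does not show that code, only the confirm-side hunk. Under that assumption, moving the node without setting the flag leaves it linked in the confirmed tree after the object is freed, which is what the next lookup then reads. The trees are plain linked lists rather than rb_node trees, and every name, flag value and function here is a placeholder.

```c
/* Added illustration, not kernel code: a toy model of the nfsd client name trees. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CLIENT_CONFIRMED 0x1UL   /* stands in for NFSD4_CLIENT_CONFIRMED */

/* Stand-in for struct nfs4_client: the name is a length plus bytes, like xdr_netobj. */
struct client {
	struct client *next;        /* tree linkage (a plain list here, not an rb_node) */
	uint32_t name_len;
	char name[32];
	unsigned long flags;        /* stands in for cl_flags */
};

/* Stand-in for the per-net state: the two name trees. */
struct nn {
	struct client *unconf_name_tree;
	struct client *conf_name_tree;
};

static void add_clp_to_name_tree(struct client *clp, struct client **tree)
{
	clp->next = *tree;
	*tree = clp;
}

/* Returns 1 if clp was linked in *tree and has now been unlinked, 0 if it was not there. */
static int erase_from_name_tree(struct client *clp, struct client **tree)
{
	for (struct client **pp = tree; *pp; pp = &(*pp)->next) {
		if (*pp == clp) {
			*pp = clp->next;
			clp->next = NULL;
			return 1;
		}
	}
	return 0;
}

/* The lookup that faulted in the report: the 4-byte length is read before the bytes. */
static struct client *find_clp_in_name_tree(const char *name, uint32_t len,
					    struct client *tree)
{
	for (struct client *clp = tree; clp; clp = clp->next) {
		if (clp->name_len != len)   /* the read of size 4 at a fixed offset into the object */
			continue;
		if (memcmp(clp->name, name, len) == 0)
			return clp;
	}
	return NULL;
}

/* Confirm side: move the node from unconf to conf. `fixed` models the hunk's added set_bit(). */
static void move_to_confirmed(struct nn *nn, struct client *clp, int fixed)
{
	erase_from_name_tree(clp, &nn->unconf_name_tree);
	add_clp_to_name_tree(clp, &nn->conf_name_tree);
	if (fixed)
		clp->flags |= CLIENT_CONFIRMED;
}

/* Teardown side (assumed policy, not shown in the thread): the flag picks the tree to erase from. */
static void unhash_client(struct nn *nn, struct client *clp)
{
	if (clp->flags & CLIENT_CONFIRMED)
		erase_from_name_tree(clp, &nn->conf_name_tree);
	else
		erase_from_name_tree(clp, &nn->unconf_name_tree);
}

/*
 * Runs create -> confirm -> destroy on one client and reports whether the confirmed
 * tree still points at the object at the moment it is about to be freed. The check is
 * done before free() so this model stays well defined; in the kernel the next
 * EXCHANGE_ID walks the tree after kmem_cache_free(), which is the KASAN read.
 */
static int client_dangles_after_destroy(int fixed)
{
	struct nn nn = { NULL, NULL };
	const char *name = "constructed-client-id";   /* constructed sample client name */
	struct client *clp = calloc(1, sizeof(*clp));

	assert(clp);
	clp->name_len = (uint32_t)strlen(name);
	memcpy(clp->name, name, clp->name_len);

	add_clp_to_name_tree(clp, &nn.unconf_name_tree);   /* create_client() */
	move_to_confirmed(&nn, clp, fixed);                /* session creation confirms it */
	unhash_client(&nn, clp);                           /* DESTROY_CLIENTID */

	int dangles = find_clp_in_name_tree(name, clp->name_len, nn.conf_name_tree) == clp;

	if (dangles)   /* unlink the stale node so the model itself never touches freed memory */
		erase_from_name_tree(clp, &nn.conf_name_tree);
	free(clp);     /* __destroy_client() -> kmem_cache_free() */
	return dangles;
}

int main(void)
{
	printf("without set_bit: stale node left in conf_name_tree = %d\n",
	       client_dangles_after_destroy(0));
	printf("with set_bit:    stale node left in conf_name_tree = %d\n",
	       client_dangles_after_destroy(1));
	return 0;
}
```

To see a sanitizer report instead of a flag, move the find_clp_in_name_tree() call in client_dangles_after_destroy() to after the free() and build with -fsanitize=address; the first access reported is the name_len compare, matching the "Read of size 4" in the kernel report.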

2021-06-02 20:07:13

by J. Bruce Fields

Subject: Re: BUG: KASAN: use-after-free in find_clp_in_name_tree.isra.0+0x13e/0x190 [nfsd]

On Wed, Jun 02, 2021 at 02:13:02PM -0400, David Wysochanski wrote:
> I was testing your nfsd-next branch (plus my modified v3 callback
> address and state patch I just sent) and saw this on console after a
> simple test of a mount, umount, mount cycle of an NFSv4.1 mount.

Oops, thanks, it just needs this, I think; maybe I'd've caught that bug
earlier if I'd actually posted that patch. Doing that now....

--b.

commit 70d6ebca5248
Author: J. Bruce Fields <[email protected]>
Date: Wed Jun 2 15:50:45 2021 -0400

foldme

diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index 967912b4a7dd..6c64ce93510f 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -2841,6 +2841,7 @@ move_to_confirmed(struct nfs4_client *clp)
list_move(&clp->cl_idhash, &nn->conf_id_hashtbl[idhashval]);
rb_erase(&clp->cl_namenode, &nn->unconf_name_tree);
add_clp_to_name_tree(clp, &nn->conf_name_tree);
+ set_bit(NFSD4_CLIENT_CONFIRMED, &clp->cl_flags);
trace_nfsd_clid_confirmed(&clp->cl_clientid);
renew_client_locked(clp);
}
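Review bot: the commit message is still the fold marker "foldme", so when this is folded into its parent the resulting message should state the invariant the hunk restores: move_to_confirmed() re-links cl_namenode from nn->unconf_name_tree into nn->conf_name_tree, and the added set_bit(NFSD4_CLIENT_CONFIRMED, &clp->cl_flags) is what lets the teardown side find the node in the right tree. Please name that path in the message (the report's "Last potentially related work creation" stack shows __destroy_client via nfsd4_destroy_clientid, followed by the faulting lookup in a later nfsd4_exchange_id), since without the flag a confirmed client is torn down as if it were unconfirmed and its node is left in conf_name_tree after the object is freed. Also worth recording the reproducer from the report (mount, umount, mount of an NFSv4.1 export under KASAN) so the fix is testable.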