Date: Mon, 11 May 2020 08:10:54 -0400
From: Masayoshi Mizuma
To: "J. Bruce Fields"
Cc: Trond Myklebust, Anna Schumaker, linux-nfs@vger.kernel.org
Subject: Re: [PATCH] nfs: fix NULL deference in nfs4_get_valid_delegation
Message-ID: <20200511121054.l2j34vnwqxhvd2ao@gabell>
References: <20200508221935.GA11225@fieldses.org>
In-Reply-To: <20200508221935.GA11225@fieldses.org>
X-Mailing-List: linux-nfs@vger.kernel.org

On Fri, May 08, 2020 at 06:19:35PM -0400, J. Bruce Fields wrote:
> From: "J. Bruce Fields"
>
> We add the new state to the nfsi->open_states list, making it
> potentially visible to other threads, before we've finished initializing
> it.
>
> That wasn't a problem when all the readers were also taking the i_lock
> (as we do here), but since we switched to RCU, there's now a possibility
> that a reader could see the partially initialized state.
>
> Symptoms observed were a crash when another thread called
> nfs4_get_valid_delegation() on a NULL inode.
>
> Fixes: 9ae075fdd190 "NFSv4: Convert open state lookup to use RCU"
> Signed-off-by: J. Bruce Fields
> --- > fs/nfs/nfs4state.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c > index ac93715c05a4..a8dc25ce48bb 100644 > --- a/fs/nfs/nfs4state.c > +++ b/fs/nfs/nfs4state.c 
> @@ -734,9 +734,9 @@ nfs4_get_open_state(struct inode *inode, struct nfs4_state_owner *owner) > state = new; > state->owner = owner; > atomic_inc(&owner->so_count); > - list_add_rcu(&state->inode_states, &nfsi->open_states); > ihold(inode); > state->inode = inode; > + list_add_rcu(&state->inode_states, &nfsi->open_states); > spin_unlock(&inode->i_lock); > /* Note: The reclaim code dictates that we add stateless > * and read-only stateids to the end of the list */ > -- 

Thank you for posting the patch! It works for our box.

Please feel free to add:

Reviewed-by: Seiichi Ikarashi
Tested-by: Daisuke Matsuda
Tested-by: Masayoshi Mizuma

Without the patch, the system, which is an NFSv4 client, has been crashing randomly.

The panic log looks like this:

  BUG: unable to handle page fault for address: ffffffffffffffb0
  ...
  RIP: 0010:nfs4_get_valid_delegation+0x6/0x30 [nfsv4]
  ...
  Call Trace:
   nfs4_open_prepare+0x80/0x1c0 [nfsv4]
   __rpc_execute+0x75/0x390 [sunrpc]
   ? finish_task_switch+0x75/0x260
   rpc_async_schedule+0x29/0x40 [sunrpc]
   process_one_work+0x1ad/0x370
   worker_thread+0x30/0x390
   ? create_worker+0x1a0/0x1a0
   kthread+0x10c/0x130
   ? kthread_park+0x80/0x80
   ret_from_fork+0x22/0x30

After applying the patch, the panic is gone.

Thanks!
Masa
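
Review bot: The ordering this fix depends on is not recorded at the call site: in nfs4_get_open_state(), list_add_rcu() now follows state->owner, atomic_inc(&owner->so_count), ihold(inode) and state->inode = inode, but nothing in the hunk says why it has to come last. Since the commit message notes that readers of nfsi->open_states no longer take i_lock, a short comment directly above the moved list_add_rcu() line (for example, that the state must be fully initialized before it is published to RCU readers) would keep a later cleanup from moving an assignment back below it. It would also be worth confirming in review that no other field of the new state that lockless readers look at is still set after this point, which the visible context does not show. Minor: the subject reads "NULL deference"; "dereference" is presumably meant.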