    sunrpc: fix some missing rq_rbuffer assignments · 18e601d6
    Jeff Layton authored
    We've been seeing some crashes in testing that look like this:
    
    BUG: unable to handle kernel NULL pointer dereference at           (null)
    IP: [<ffffffff8135ce99>] memcpy_orig+0x29/0x110
    PGD 212ca2067 PUD 212ca3067 PMD 0
    Oops: 0002 [#1] SMP
    Modules linked in: rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache ppdev parport_pc i2c_piix4 sg parport i2c_core virtio_balloon pcspkr acpi_cpufreq nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c sd_mod ata_generic pata_acpi virtio_scsi 8139too ata_piix libata 8139cp mii virtio_pci floppy virtio_ring serio_raw virtio
    CPU: 1 PID: 1540 Comm: nfsd Not tainted 4.9.0-rc1 #39
    Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2007
    task: ffff88020d7ed200 task.stack: ffff880211838000
    RIP: 0010:[<ffffffff8135ce99>]  [<ffffffff8135ce99>] memcpy_orig+0x29/0x110
    RSP: 0018:ffff88021183bdd0  EFLAGS: 00010206
    RAX: 0000000000000000 RBX: ffff88020d7fa000 RCX: 000000f400000000
    RDX: 0000000000000014 RSI: ffff880212927020 RDI: 0000000000000000
    RBP: ffff88021183be30 R08: 01000000ef896996 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000000 R12: ffff880211704ca8
    R13: ffff88021473f000 R14: 00000000ef896996 R15: ffff880211704800
    FS:  0000000000000000(0000) GS:ffff88021fc80000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000000 CR3: 0000000212ca1000 CR4: 00000000000006e0
    Stack:
     ffffffffa01ea087 ffffffff63400001 ffff880215145e00 ffff880211bacd00
     ffff88021473f2b8 0000000000000004 00000000d0679d67 ffff880211bacd00
     ffff88020d7fa000 ffff88021473f000 0000000000000000 ffff88020d7faa30
    Call Trace:
     [<ffffffffa01ea087>] ? svc_tcp_recvfrom+0x5a7/0x790 [sunrpc]
     [<ffffffffa01f84d8>] svc_recv+0xad8/0xbd0 [sunrpc]
     [<ffffffffa0262d5e>] nfsd+0xde/0x160 [nfsd]
     [<ffffffffa0262c80>] ? nfsd_destroy+0x60/0x60 [nfsd]
     [<ffffffff810a9418>] kthread+0xd8/0xf0
     [<ffffffff816dbdbf>] ret_from_fork+0x1f/0x40
     [<ffffffff810a9340>] ? kthread_park+0x60/0x60
    Code: 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe 7c 35 48 83 ea 20 48 83 ea 20 4c 8b 06 4c 8b 4e 08 4c 8b 56 10 4c 8b 5e 18 48 8d 76 20 <4c> 89 07 4c 89 4f 08 4c 89 57 10 4c 89 5f 18 48 8d 7f 20 73 d4
    RIP  [<ffffffff8135ce99>] memcpy_orig+0x29/0x110
     RSP <ffff88021183bdd0>
    CR2: 0000000000000000
    
    Both Bruce and Eryu ran a bisect here and found that the problematic
    patch was 68778945 (SUNRPC: Separate buffer pointers for RPC Call and
    Reply messages).
    
    That patch changed rpc_xdr_encode to use a new rq_rbuffer pointer to
    set up the receive buffer, but didn't change all of the necessary
    codepaths to set it properly. In particular the backchannel setup was
    missing.
    
    We need to set rq_rbuffer whenever rq_buffer is set. Ensure that it is.
    
    Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
    Tested-by: Chuck Lever <chuck.lever@oracle.com>
    Reported-by: Eryu Guan <guaneryu@gmail.com>
    Tested-by: Eryu Guan <guaneryu@gmail.com>
    Fixes: 68778945 "SUNRPC: Separate buffer pointers..."
    Reported-by: J. Bruce Fields <bfields@fieldses.org>
    Signed-off-by: Jeff Layton <jlayton@redhat.com>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
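To make the invariant in the commit message concrete, here is an added, self-contained C model; it is not the kernel's code and not part of this commit. It models a request with rq_buffer and rq_rbuffer, a forward-channel setup that assigns both, a backchannel setup that omits rq_rbuffer as the message describes, and a receive path that refuses to memcpy into an unset reply buffer instead of faulting on NULL the way the oops above did. The buffer sizes, the single combined allocation with the reply area placed after the call area, and every function and field name below are assumptions of the model.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified request: field names echo the commit message,
 * but this is a model, not the SUNRPC struct. */
struct model_rqst {
    size_t rq_callsize;          /* bytes reserved for the outgoing Call   */
    size_t rq_rcvsize;           /* bytes reserved for the incoming Reply  */
    void *rq_buffer;             /* start of the combined allocation       */
    void *rq_rbuffer;            /* where the Reply gets decoded into      */
    unsigned char storage[256];  /* backing store, constructed for the example */
};

/* Forward-channel setup as the message describes it after 68778945:
 * both pointers are assigned, the Reply area following the Call area. */
static void setup_forward(struct model_rqst *r, size_t callsize, size_t rcvsize)
{
    assert(callsize + rcvsize <= sizeof r->storage);
    r->rq_callsize = callsize;
    r->rq_rcvsize = rcvsize;
    r->rq_buffer = r->storage;
    r->rq_rbuffer = (char *)r->rq_buffer + callsize;
}

/* Backchannel setup *before* the fix: only rq_buffer is assigned,
 * so rq_rbuffer keeps whatever it held (NULL on a zeroed request). */
static void setup_backchannel_broken(struct model_rqst *r, size_t callsize, size_t rcvsize)
{
    assert(callsize + rcvsize <= sizeof r->storage);
    r->rq_callsize = callsize;
    r->rq_rcvsize = rcvsize;
    r->rq_buffer = r->storage;
    /* rq_rbuffer deliberately not set: this is the missing assignment */
}

/* Backchannel setup with the missing assignment restored. */
static void setup_backchannel_fixed(struct model_rqst *r, size_t callsize, size_t rcvsize)
{
    setup_backchannel_broken(r, callsize, rcvsize);
    r->rq_rbuffer = (char *)r->rq_buffer + callsize;
}

/* The rule the message states: whenever rq_buffer is set, rq_rbuffer must be
 * set too, and it must lie inside the same allocation. Returns 1 when it holds. */
static int rbuffer_invariant_holds(const struct model_rqst *r)
{
    const char *base = r->rq_buffer, *rb = r->rq_rbuffer;
    if (base == NULL)
        return rb == NULL;
    if (rb == NULL)
        return 0;
    return rb >= base + r->rq_callsize &&
           rb + r->rq_rcvsize <= base + r->rq_callsize + r->rq_rcvsize;
}

/* Receive path: copies the wire bytes into rq_rbuffer. Checking the invariant
 * first turns the NULL-pointer memcpy into a clean error (-1). Returns bytes copied. */
static long receive_reply(struct model_rqst *r, const void *wire, size_t len)
{
    if (!rbuffer_invariant_holds(r) || r->rq_rbuffer == NULL || len > r->rq_rcvsize)
        return -1;
    memcpy(r->rq_rbuffer, wire, len);
    return (long)len;
}

int main(void)
{
    static const char wire[] = "constructed reply bytes";  /* constructed input */
    struct model_rqst broken, fixed;

    memset(&broken, 0, sizeof broken);
    setup_backchannel_broken(&broken, 64, 128);
    printf("broken backchannel: receive_reply -> %ld\n",
           receive_reply(&broken, wire, sizeof wire));

    memset(&fixed, 0, sizeof fixed);
    setup_backchannel_fixed(&fixed, 64, 128);
    printf("fixed backchannel:  receive_reply -> %ld\n",
           receive_reply(&fixed, wire, sizeof wire));
    return 0;
}
```

The checker is the useful part: in a real code base the same invariant belongs in the allocator so that any new caller that forgets the second pointer fails early and loudly rather than in memcpy from the receive path.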
xprtsock.c 84.9 KB