Bug 2160443
Summary: | [RHEL 9][NFS] Crash in file_has_perm() when dereferencing a NULL file->f_security | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 9 | Reporter: | Stan Saner <ssaner> |
Component: | kernel | Assignee: | Jeff Layton <jlayton> |
kernel sub component: | NFS | QA Contact: | Yongcheng Yang <yoyang> |
Status: | CLOSED ERRATA | Docs Contact: | |
Severity: | urgent | ||
Priority: | urgent | CC: | akrherz, jiyin, jlayton, jrehova, nfs-team, xzhou, yieli, yoyang |
Version: | 9.1 | Keywords: | Triaged |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | kernel-5.14.0-253.el9 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2023-05-09 08:11:43 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 2144442 | | |
Description
Stan Saner
2023-01-12 12:52:29 UTC
More random notes:

- the fact that fi_deleg_file and fi_fds[0] are different may suggest that there was some sort of conflicting access that caused the filecache to unhash 0xffff8bb992c763a8 and create a new nfsd_file entry instead of reusing it. That could mean that there was at least one delegation recall involving this nfsd_file.

Looking more at the logs, the first hint that we have that something is wrong are these:

[ 7886.767600] Leaked POSIX lock on dev=0xfd:0x9 ino=0x33364eeb93 fl_owner=000000006de0bef7 fl_flags=0x1001 fl_type=0x1 fl_pid=8168
[ 7886.775029] Leaked POSIX lock on dev=0xfd:0x5 ino=0x45077a84e8 fl_owner=00000000ae1b5970 fl_flags=0x1001 fl_type=0x1 fl_pid=8134
[ 7886.780079] Leaked POSIX lock on dev=0xfd:0x9 ino=0x1c0c7cba46 fl_owner=00000000cd073bee fl_flags=0x1 fl_type=0x1 fl_pid=8198

The fl_flags (0x1001) indicate that these are non-OFD POSIX locks. The first two are locks that were reclaimed when the server was last rebooted (FL_RECLAIM == 0x1000).

I had dismissed the info about exportfs as coincidental, but I went back and had a look and there is a call to nfsd_file_cache_purge that occurs when the exports table is flushed. So, I set up a host running pynfs and then ran 'exportfs -rva' in a tight loop, and got this. This crash involves an open stateid and not a delegation, but it's a very similar problem. It's probably more likely to happen with delegations as they tend to be long-lived. I'm working on a patch for this now.

[ 131.763247] NFSD: Using nfsdcld client tracking operations.
[ 131.764965] NFSD: no clients to reclaim, skipping NFSv4 grace period (net f0000000)
[ 337.962027] ------------[ cut here ]------------
[ 337.963823] refcount_t: underflow; use-after-free.
[ 337.965502] WARNING: CPU: 6 PID: 3401 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x110
[ 337.967999] Modules linked in: nfsd(E) auth_rpcgss(E) nfs_acl(E) lockd(E) grace(E) sunrpc(E) nls_iso8859_1(E) nls_cp437(E) vfat(E) fat(E) ext4(E) crc16(E) cirrus(E) kvm_intel(E) 9p(E) mbcache(E) joydev(E) virtio_net(E) drm_shmem_helper(E) net_failover(E) kvm(E) jbd2(E) netfs(E) psmouse(E) evdev(E) pcspkr(E) failover(E) irqbypass(E) virtio_balloon(E) drm_kms_helper(E) 9pnet_virtio(E) button(E) drm(E) configfs(E) zram(E) zsmalloc(E) crct10dif_pclmul(E) crc32_pclmul(E) nvme(E) ghash_clmulni_intel(E) virtio_blk(E) sha512_ssse3(E) sha512_generic(E) nvme_core(E) t10_pi(E) virtio_pci(E) virtio(E) crc64_rocksoft_generic(E) aesni_intel(E) crypto_simd(E) crc64_rocksoft(E) virtio_pci_legacy_dev(E) i6300esb(E) cryptd(E) serio_raw(E) crc64(E) virtio_pci_modern_dev(E) virtio_ring(E) btrfs(E) blake2b_generic(E) xor(E) raid6_pq(E) libcrc32c(E) crc32c_generic(E) crc32c_intel(E) autofs4(E)
[ 337.992040] CPU: 6 PID: 3401 Comm: nfsd Tainted: G E 6.2.0-rc3+ #11
[ 337.994701] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.1-2.fc37 04/01/2014
[ 337.998046] RIP: 0010:refcount_warn_saturate+0xba/0x110
[ 337.999852] Code: 01 01 e8 83 e5 4f 00 0f 0b c3 cc cc cc cc 80 3d 60 f4 05 01 00 75 85 48 c7 c7 30 b5 e1 9d c6 05 50 f4 05 01 01 e8 60 e5 4f 00 <0f> 0b c3 cc cc cc cc 80 3d 3b f4 05 01 00 0f 85 5e ff ff ff 48 c7
[ 338.005245] RSP: 0018:ffffa36802e4bd50 EFLAGS: 00010282
[ 338.006621] RAX: 0000000000000000 RBX: 0000000000000008 RCX: 0000000000000000
[ 338.008273] RDX: 0000000000000001 RSI: ffffffff9de03ef5 RDI: 00000000ffffffff
[ 338.009804] RBP: 0000000000000003 R08: 0000000000000000 R09: ffffa36802e4bc00
[ 338.011719] R10: 0000000000000003 R11: ffffffff9e0bfdc8 R12: ffff9578da461b80
[ 338.013533] R13: 0000000000000001 R14: ffff9578da422280 R15: ffff9578da461b80
[ 338.015238] FS: 0000000000000000(0000) GS:ffff957a37d00000(0000) knlGS:0000000000000000
[ 338.017179] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 338.018680] CR2: 00007f324c1e1c08 CR3: 000000020360a004 CR4: 0000000000060ee0
[ 338.020377] Call Trace:
[ 338.021190] <TASK>
[ 338.021956] release_all_access+0x96/0x120 [nfsd]
[ 338.023192] ? _raw_spin_unlock+0x15/0x30
[ 338.024192] nfsd4_close+0x275/0x3d0 [nfsd]
[ 338.025468] ? fh_verify+0x45e/0x780 [nfsd]
[ 338.027535] ? __pfx_nfsd4_encode_noop+0x10/0x10 [nfsd]
[ 338.028775] ? nfsd4_encode_operation+0xae/0x280 [nfsd]
[ 338.030593] nfsd4_proc_compound+0x3ae/0x6f0 [nfsd]
[ 338.032341] nfsd_dispatch+0x16a/0x270 [nfsd]
[ 338.034667] svc_process_common+0x2eb/0x660 [sunrpc]
[ 338.036614] ? __pfx_nfsd_dispatch+0x10/0x10 [nfsd]
[ 338.038827] ? __pfx_nfsd+0x10/0x10 [nfsd]
[ 338.040267] svc_process+0xad/0x100 [sunrpc]
[ 338.041981] nfsd+0xd5/0x190 [nfsd]
[ 338.043362] kthread+0xe9/0x110
[ 338.044680] ? __pfx_kthread+0x10/0x10
[ 338.046376] ret_from_fork+0x2c/0x50
[ 338.047892] </TASK>
[ 338.049067] ---[ end trace 0000000000000000 ]---
[ 760.792789] BUG: kernel NULL pointer dereference, address: 0000000000000078
[ 760.795933] #PF: supervisor read access in kernel mode
[ 760.797477] #PF: error_code(0x0000) - not-present page
[ 760.799120] PGD 0 P4D 0
[ 760.800140] Oops: 0000 [#1] PREEMPT SMP PTI
[ 760.801383] CPU: 2 PID: 3401 Comm: nfsd Tainted: G W E 6.2.0-rc3+ #11
[ 760.803120] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.1-2.fc37 04/01/2014
[ 760.805018] RIP: 0010:filp_close+0x23/0x70
[ 760.806099] Code: 90 90 90 90 90 90 90 0f 1f 44 00 00 41 54 55 53 48 8b 47 38 48 85 c0 0f 84 41 e1 6d 00 48 8b 47 28 48 89 fb 48 89 f5 45 31 e4 <48> 8b 40 78 48 85 c0 74 08 e8 6f 70 72 00 41 89 c4 f6 43 45 40 75
[ 760.809737] RSP: 0018:ffffa36802e4bc78 EFLAGS: 00010246
[ 760.811084] RAX: 0000000000000000 RBX: ffff9578c7d4d600 RCX: 0000000000000000
[ 760.812540] RDX: 000000000000098d RSI: 0000000000000000 RDI: ffff9578c7d4d600
[ 760.814433] RBP: 0000000000000000 R08: 0000011335048e60 R09: ffff9578f82f1540
[ 760.816089] R10: ffffa36802e4bcd0 R11: ffffa36802e4bcd8 R12: 0000000000000000
[ 760.817529] R13: 0000000000000001 R14: dead000000000100 R15: ffff9578f82f1558
[ 760.818982] FS: 0000000000000000(0000) GS:ffff957a37c80000(0000) knlGS:0000000000000000
[ 760.820544] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 760.821734] CR2: 0000000000000078 CR3: 00000001565ce002 CR4: 0000000000060ee0
[ 760.823141] Call Trace:
[ 760.823808] <TASK>
[ 760.824419] nfsd_file_free+0xe9/0x210 [nfsd]
[ 760.825610] release_all_access+0x96/0x120 [nfsd]
[ 760.826680] nfs4_free_ol_stateid+0x22/0x60 [nfsd]
[ 760.827747] free_ol_stateid_reaplist+0x61/0x90 [nfsd]
[ 760.828858] release_openowner+0x258/0x2a0 [nfsd]
[ 760.829792] __destroy_client+0x183/0x290 [nfsd]
[ 760.830694] nfsd4_setclientid_confirm+0x1a3/0x4f0 [nfsd]
[ 760.831763] nfsd4_proc_compound+0x3ae/0x6f0 [nfsd]
[ 760.832717] nfsd_dispatch+0x16a/0x270 [nfsd]
[ 760.833576] svc_process_common+0x2eb/0x660 [sunrpc]
[ 760.834587] ? __pfx_nfsd_dispatch+0x10/0x10 [nfsd]
[ 760.835576] ? __pfx_nfsd+0x10/0x10 [nfsd]
[ 760.836462] svc_process+0xad/0x100 [sunrpc]
[ 760.837317] nfsd+0xd5/0x190 [nfsd]
[ 760.838133] kthread+0xe9/0x110
[ 760.838862] ? __pfx_kthread+0x10/0x10
[ 760.839755] ret_from_fork+0x2c/0x50
[ 760.840534] </TASK>
[ 760.841167] Modules linked in: nfsd(E) auth_rpcgss(E) nfs_acl(E) lockd(E) grace(E) sunrpc(E) nls_iso8859_1(E) nls_cp437(E) vfat(E) fat(E) ext4(E) crc16(E) cirrus(E) kvm_intel(E) 9p(E) mbcache(E) joydev(E) virtio_net(E) drm_shmem_helper(E) net_failover(E) kvm(E) jbd2(E) netfs(E) psmouse(E) evdev(E) pcspkr(E) failover(E) irqbypass(E) virtio_balloon(E) drm_kms_helper(E) 9pnet_virtio(E) button(E) drm(E) configfs(E) zram(E) zsmalloc(E) crct10dif_pclmul(E) crc32_pclmul(E) nvme(E) ghash_clmulni_intel(E) virtio_blk(E) sha512_ssse3(E) sha512_generic(E) nvme_core(E) t10_pi(E) virtio_pci(E) virtio(E) crc64_rocksoft_generic(E) aesni_intel(E) crypto_simd(E) crc64_rocksoft(E) virtio_pci_legacy_dev(E) i6300esb(E) cryptd(E) serio_raw(E) crc64(E) virtio_pci_modern_dev(E) virtio_ring(E) btrfs(E) blake2b_generic(E) xor(E) raid6_pq(E) libcrc32c(E) crc32c_generic(E) crc32c_intel(E) autofs4(E)
[ 760.853527] CR2: 0000000000000078
[ 760.854340] ---[ end trace 0000000000000000 ]---
[ 760.855261] RIP: 0010:filp_close+0x23/0x70
[ 760.856185] Code: 90 90 90 90 90 90 90 0f 1f 44 00 00 41 54 55 53 48 8b 47 38 48 85 c0 0f 84 41 e1 6d 00 48 8b 47 28 48 89 fb 48 89 f5 45 31 e4 <48> 8b 40 78 48 85 c0 74 08 e8 6f 70 72 00 41 89 c4 f6 43 45 40 75
[ 760.859350] RSP: 0018:ffffa36802e4bc78 EFLAGS: 00010246
[ 760.860356] RAX: 0000000000000000 RBX: ffff9578c7d4d600 RCX: 0000000000000000
[ 760.861628] RDX: 000000000000098d RSI: 0000000000000000 RDI: ffff9578c7d4d600
[ 760.862898] RBP: 0000000000000000 R08: 0000011335048e60 R09: ffff9578f82f1540
[ 760.864172] R10: ffffa36802e4bcd0 R11: ffffa36802e4bcd8 R12: 0000000000000000
[ 760.865438] R13: 0000000000000001 R14: dead000000000100 R15: ffff9578f82f1558
[ 760.866692] FS: 0000000000000000(0000) GS:ffff957a37c80000(0000) knlGS:0000000000000000
[ 760.868053] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 760.869102] CR2: 0000000000000078 CR3: 00000001565ce002 CR4: 0000000000060ee0

Patch sent to the linux-nfs mailing list:
https://lore.kernel.org/linux-nfs/20230119192021.83578-1-jlayton@kernel.org/T/#u

For QA, the reproducer is to run a bunch of NFSv4 activity against the server (pynfs is fine, but probably any rw-heavy file-based workload will do) while it's also running "exportfs -ra" in a tight loop. The current 9.2 kernels will crash rather quickly, but with the patch it seems to survive.

It's probably also possible to hit this with NFSv3 too, but that's a little more tricky since v3-only struct nfsd_files don't tend to live that long.

I'm building a test kernel now and will post a link to it once it's done.

*** Bug 2164822 has been marked as a duplicate of this bug. ***

*** Bug 2164820 has been marked as a duplicate of this bug. ***

*** Bug 2164887 has been marked as a duplicate of this bug. ***

Centos 9 MR is here:
https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/1942

Test kernels are available there.

*** Bug 2165199 has been marked as a duplicate of this bug. ***

(In reply to Jeff Layton from comment #25)
> Centos 9 MR is here:
> https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/1942
>
> Test kernels are available there.

Verified that MR build can fix this issue:
https://beaker.engineering.redhat.com/jobs/7475454
https://beaker.engineering.redhat.com/jobs/7475453

Verified in the latest kernel version 5.14.0-261.el9:
https://beaker.engineering.redhat.com/jobs/7510052

There is a boot warning in 5.14.0-253.el9 but no panic occurs:
https://beaker.engineering.redhat.com/jobs/7510054

Reproduced in kernel 5.14.0-252.el9:
https://beaker.engineering.redhat.com/jobs/7510053

FWIW, 5.14.0-267.el9.x86_64 has fixed this issue for me. Thanks everyone.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: kernel security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2458 |
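The two traces in this bug show a single failure in two stages: a filecache purge triggered by flushing the exports table gets rid of an nfsd_file that an open stateid still points at, then CLOSE (release_all_access) drops the stateid's reference on the dead object, which trips refcount_t's "underflow; use-after-free" check and finally dereferences NULL in nfsd_file_free. The block below is an added user-space model of that sequence; it is not code from the bug, from nfsd or from the posted patch. The names cache_purge_unconditional, cache_purge_refcounted, run_scenario and the struct layouts are assumptions made for the illustration, and the refcount_dec_and_test here only approximates the saturation rule of lib/refcount.c. It puts a purge that frees entries regardless of other holders beside one that unhashes and drops only the hash table's own reference, and shows that only the former produces the underflow warning.

```c
/* Added model of the nfsd_file lifecycle around a filecache purge; all names
 * and layouts are illustrative assumptions, not nfsd code or the patch. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

#define REFCOUNT_SATURATED (INT_MIN / 2)  /* refcount_t parks here after an error */
struct refcount { int refs; };
static int underflow_warnings;  /* "refcount_t: underflow; use-after-free." count */

/* Drop a reference; true when it was the last one. Dropping from zero is an
 * underflow: warn once and saturate instead of wrapping negative. */
static bool refcount_dec_and_test(struct refcount *r)
{
	int old = r->refs;
	if (old <= 0) {
		if (old != REFCOUNT_SATURATED)
			underflow_warnings++;
		r->refs = REFCOUNT_SATURATED;
		return false;
	}
	r->refs = old - 1;
	return r->refs == 0;
}

/* A cached open file shared by the filecache hash table and NFSv4 stateids;
 * each holder owns one reference. "freed" stands in for kfree(). */
struct nfsd_file { struct refcount nf_ref; bool freed; };

static struct nfsd_file *hash_entry;  /* the filecache hash, reduced to one slot */

static void nfsd_file_free(struct nfsd_file *nf)
{
	nf->freed = true;
	nf->nf_ref.refs = 0;  /* memory is gone; a later put decrements zero */
}

static void nfsd_file_put(struct nfsd_file *nf)
{
	if (refcount_dec_and_test(&nf->nf_ref))
		nfsd_file_free(nf);
}

/* Hazardous purge: unhash and free the entry, ignoring other holders. */
static void cache_purge_unconditional(void)
{
	if (hash_entry)
		nfsd_file_free(hash_entry);
	hash_entry = NULL;
}

/* Reference-respecting purge: unhash and drop only the hash table's own
 * reference; whoever holds the last reference frees the object. */
static void cache_purge_refcounted(void)
{
	if (hash_entry)
		nfsd_file_put(hash_entry);
	hash_entry = NULL;
}

/* What a run observed: warnings, and when the file actually went away. */
struct outcome { int underflows; bool freed_under_stateid, freed_after_close; };

/* OPEN, then the purge that an exports-table flush triggers, then CLOSE. */
static struct outcome run_scenario(bool respect_refs)
{
	struct nfsd_file f = { { 0 }, false };
	struct nfsd_file *stateid_file;  /* the open stateid's nfsd_file pointer */
	struct outcome o = { 0, false, false };
	underflow_warnings = 0;

	/* OPEN: the filecache inserts the entry and the new open stateid takes
	 * its own reference, so the hash table and the stateid hold one each. */
	f.nf_ref.refs = 2;
	hash_entry = &f;
	stateid_file = &f;

	/* exports table flushed: the filecache is purged. */
	if (respect_refs)
		cache_purge_refcounted();
	else
		cache_purge_unconditional();
	o.freed_under_stateid = f.freed;  /* stateid_file now dangles if true */

	/* CLOSE: release_all_access() drops the stateid's reference. */
	nfsd_file_put(stateid_file);
	o.freed_after_close = f.freed;
	o.underflows = underflow_warnings;
	return o;
}

int main(void)
{
	struct outcome bad = run_scenario(false), good = run_scenario(true);
	printf("unconditional purge: underflows=%d freed_under_stateid=%d\n",
	       bad.underflows, bad.freed_under_stateid);
	printf("refcounted purge: underflows=%d freed_after_close=%d\n",
	       good.underflows, good.freed_after_close);
	return 0;
}
```

The hazardous run frees the object while the stateid still points at it and records one underflow warning at CLOSE, which is the first trace above; in the kernel the subsequent nfsd_file_free on already-released memory is what turns into the NULL dereference in filp_close. The reference-respecting run frees nothing at purge time and releases the file exactly once, at the last put. Why a purge that drops an nfsd_file from the hash is not the same as the last reference going away is the point; stateids (and, as the bug notes, long-lived delegations) are independent holders.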