Message ID | 20180614203408.20818-1-paulo@paulo.ac |
---|---|
State | New |
Headers | show |
Series | cifs: Fix kernel oops when traceSMB is enabled | expand |
Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com> Awesome find Paolo! On Fri, Jun 15, 2018 at 6:34 AM, Paulo Alcantara <paulo@paulo.ac> wrote: > When traceSMB is enabled through 'echo 1 > /proc/fs/cifs/traceSMB', after a > mount, the following oops is triggered: > > [ 27.137943] BUG: unable to handle kernel paging request at > ffff8800f80c268b > [ 27.143396] PGD 2c6b067 P4D 2c6b067 PUD 0 > [ 27.145386] Oops: 0000 [#1] SMP PTI > [ 27.146186] CPU: 2 PID: 2655 Comm: mount.cifs Not tainted 4.17.0+ #39 > [ 27.147174] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS > 1.0.0-prebuilt.qemu-project.org 04/01/2014 > [ 27.148969] RIP: 0010:hex_dump_to_buffer+0x413/0x4b0 > [ 27.149738] Code: 48 8b 44 24 08 31 db 45 31 d2 48 89 6c 24 18 44 89 > 6c 24 24 48 c7 c1 78 b5 23 82 4c 89 64 24 10 44 89 d5 41 89 dc 4c 8d 58 > 02 <44> 0f b7 00 4d 89 dd eb 1f 83 c5 01 41 01 c4 41 39 ef 0f 84 48 fe > [ 27.152396] RSP: 0018:ffffc9000058f8c0 EFLAGS: 00010246 > [ 27.153129] RAX: ffff8800f80c268b RBX: 0000000000000000 RCX: > ffffffff8223b578 > [ 27.153867] RDX: 0000000000000000 RSI: ffffffff81a55496 RDI: > 0000000000000008 > [ 27.154612] RBP: 0000000000000000 R08: 0000000000000020 R09: > 0000000000000083 > [ 27.155355] R10: 0000000000000000 R11: ffff8800f80c268d R12: > 0000000000000000 > [ 27.156101] R13: 0000000000000002 R14: ffffc9000058f94d R15: > 0000000000000008 > [ 27.156838] FS: 00007f1693a6b740(0000) GS:ffff88007fd00000(0000) > knlGS:0000000000000000 > [ 27.158354] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > [ 27.159093] CR2: ffff8800f80c268b CR3: 00000000798fa001 CR4: > 0000000000360ee0 > [ 27.159892] DR0: 0000000000000000 DR1: 0000000000000000 DR2: > 0000000000000000 > [ 27.160661] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: > 0000000000000400 > [ 27.161464] Call Trace: > [ 27.162123] print_hex_dump+0xd3/0x160 > [ 27.162814] journal-offline (2658) used greatest stack depth: 13144 > bytes left > [ 27.162824] ? __release_sock+0x60/0xd0 > [ 27.165344] ? tcp_sendmsg+0x31/0x40 > [ 27.166177] dump_smb+0x39/0x40 > [ 27.166972] ? vsnprintf+0x236/0x490 > [ 27.167807] __smb_send_rqst.constprop.12+0x103/0x430 > [ 27.168554] ? apic_timer_interrupt+0xa/0x20 > [ 27.169306] smb_send_rqst+0x48/0xc0 > [ 27.169984] cifs_send_recv+0xda/0x420 > [ 27.170639] SMB2_negotiate+0x23d/0xfa0 > [ 27.171301] ? vsnprintf+0x236/0x490 > [ 27.171961] ? smb2_negotiate+0x19/0x30 > [ 27.172586] smb2_negotiate+0x19/0x30 > [ 27.173257] cifs_negotiate_protocol+0x70/0xd0 > [ 27.173935] ? kstrdup+0x43/0x60 > [ 27.174551] cifs_get_smb_ses+0x295/0xbe0 > [ 27.175260] ? lock_timer_base+0x67/0x80 > [ 27.175936] ? __internal_add_timer+0x1a/0x50 > [ 27.176575] ? add_timer+0x10f/0x230 > [ 27.177267] cifs_mount+0x101/0x1190 > [ 27.177940] ? cifs_smb3_do_mount+0x144/0x5c0 > [ 27.178575] cifs_smb3_do_mount+0x144/0x5c0 > [ 27.179270] mount_fs+0x35/0x150 > [ 27.179930] vfs_kern_mount.part.28+0x54/0xf0 > [ 27.180567] do_mount+0x5ad/0xc40 > [ 27.181234] ? kmem_cache_alloc_trace+0xed/0x1a0 > [ 27.181916] ksys_mount+0x80/0xd0 > [ 27.182535] __x64_sys_mount+0x21/0x30 > [ 27.183220] do_syscall_64+0x4e/0x100 > [ 27.183882] entry_SYSCALL_64_after_hwframe+0x44/0xa9 > [ 27.184535] RIP: 0033:0x7f169339055a > [ 27.185192] Code: 48 8b 0d 41 d9 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 > 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f > 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 0e d9 2b 00 f7 d8 64 89 01 48 > [ 27.187268] RSP: 002b:00007fff7b44eb58 EFLAGS: 00000202 ORIG_RAX: > 00000000000000a5 > [ 27.188515] RAX: ffffffffffffffda RBX: 00007f1693a7e70e RCX: > 00007f169339055a > [ 27.189244] RDX: 000055b9f97f64e5 RSI: 000055b9f97f652c RDI: > 00007fff7b45074f > [ 27.189974] RBP: 000055b9fb8c9260 R08: 000055b9fb8ca8f0 R09: > 0000000000000000 > [ 27.190721] R10: 0000000000000000 R11: 0000000000000202 R12: > 000055b9fb8ca8f0 > [ 27.191429] R13: 0000000000000000 R14: 00007f1693a7c000 R15: > 00007f1693a7e91d > [ 27.192167] Modules linked in: > [ 27.192797] CR2: ffff8800f80c268b > [ 27.193435] ---[ end trace 67404c618badf323 ]--- > > The problem was that dump_smb() had been called with an invalid pointer, > that is, in __smb_send_rqst(), iov[1] doesn't exist (n_vec == 1). > > This patch fixes it by relying on the n_vec value to dump out the smb > packets. > > Signed-off-by: Paulo Alcantara <palcantara@suse.de> > --- > fs/cifs/transport.c | 10 +++++----- > 1 file changed, 5 insertions(+), 5 deletions(-) > > diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c > index 13c244dfb3c1..a3ea42a4cb98 100644 > --- a/fs/cifs/transport.c > +++ b/fs/cifs/transport.c > @@ -281,17 +281,17 @@ __smb_send_rqst(struct TCP_Server_Info *server, int num_rqst, > send_length += 4; > } > > + cifs_dbg(FYI, "Sending smb: smb_len=%u\n", send_length); > + > for (j = 0; j < num_rqst; j++) { > iov = rqst[j].rq_iov; > n_vec = rqst[j].rq_nvec; > > - cifs_dbg(FYI, "Sending smb: smb_len=%u\n", send_length); > - dump_smb(iov[0].iov_base, iov[0].iov_len); > - dump_smb(iov[1].iov_base, iov[1].iov_len); > - > size = 0; > - for (i = 0; i < n_vec; i++) > + for (i = 0; i < n_vec; i++) { > + dump_smb(iov[i].iov_base, iov[i].iov_len); > size += iov[i].iov_len; > + } > > iov_iter_kvec(&smb_msg.msg_iter, WRITE | ITER_KVEC, > iov, n_vec, size); > -- > 2.17.1 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-cifs" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-cifs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Yes - good job. Merged into cifs-2.6.git for-next On Thu, Jun 14, 2018 at 3:48 PM, ronnie sahlberg <ronniesahlberg@gmail.com> wrote: > Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com> > > Awesome find Paolo! > > On Fri, Jun 15, 2018 at 6:34 AM, Paulo Alcantara <paulo@paulo.ac> wrote: >> When traceSMB is enabled through 'echo 1 > /proc/fs/cifs/traceSMB', after a >> mount, the following oops is triggered: >> >> [ 27.137943] BUG: unable to handle kernel paging request at >> ffff8800f80c268b >> [ 27.143396] PGD 2c6b067 P4D 2c6b067 PUD 0 >> [ 27.145386] Oops: 0000 [#1] SMP PTI >> [ 27.146186] CPU: 2 PID: 2655 Comm: mount.cifs Not tainted 4.17.0+ #39 >> [ 27.147174] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS >> 1.0.0-prebuilt.qemu-project.org 04/01/2014 >> [ 27.148969] RIP: 0010:hex_dump_to_buffer+0x413/0x4b0 >> [ 27.149738] Code: 48 8b 44 24 08 31 db 45 31 d2 48 89 6c 24 18 44 89 >> 6c 24 24 48 c7 c1 78 b5 23 82 4c 89 64 24 10 44 89 d5 41 89 dc 4c 8d 58 >> 02 <44> 0f b7 00 4d 89 dd eb 1f 83 c5 01 41 01 c4 41 39 ef 0f 84 48 fe >> [ 27.152396] RSP: 0018:ffffc9000058f8c0 EFLAGS: 00010246 >> [ 27.153129] RAX: ffff8800f80c268b RBX: 0000000000000000 RCX: >> ffffffff8223b578 >> [ 27.153867] RDX: 0000000000000000 RSI: ffffffff81a55496 RDI: >> 0000000000000008 >> [ 27.154612] RBP: 0000000000000000 R08: 0000000000000020 R09: >> 0000000000000083 >> [ 27.155355] R10: 0000000000000000 R11: ffff8800f80c268d R12: >> 0000000000000000 >> [ 27.156101] R13: 0000000000000002 R14: ffffc9000058f94d R15: >> 0000000000000008 >> [ 27.156838] FS: 00007f1693a6b740(0000) GS:ffff88007fd00000(0000) >> knlGS:0000000000000000 >> [ 27.158354] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 >> [ 27.159093] CR2: ffff8800f80c268b CR3: 00000000798fa001 CR4: >> 0000000000360ee0 >> [ 27.159892] DR0: 0000000000000000 DR1: 0000000000000000 DR2: >> 0000000000000000 >> [ 27.160661] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: >> 0000000000000400 >> [ 27.161464] Call Trace: >> [ 27.162123] print_hex_dump+0xd3/0x160 >> [ 27.162814] journal-offline (2658) used greatest stack depth: 13144 >> bytes left >> [ 27.162824] ? __release_sock+0x60/0xd0 >> [ 27.165344] ? tcp_sendmsg+0x31/0x40 >> [ 27.166177] dump_smb+0x39/0x40 >> [ 27.166972] ? vsnprintf+0x236/0x490 >> [ 27.167807] __smb_send_rqst.constprop.12+0x103/0x430 >> [ 27.168554] ? apic_timer_interrupt+0xa/0x20 >> [ 27.169306] smb_send_rqst+0x48/0xc0 >> [ 27.169984] cifs_send_recv+0xda/0x420 >> [ 27.170639] SMB2_negotiate+0x23d/0xfa0 >> [ 27.171301] ? vsnprintf+0x236/0x490 >> [ 27.171961] ? smb2_negotiate+0x19/0x30 >> [ 27.172586] smb2_negotiate+0x19/0x30 >> [ 27.173257] cifs_negotiate_protocol+0x70/0xd0 >> [ 27.173935] ? kstrdup+0x43/0x60 >> [ 27.174551] cifs_get_smb_ses+0x295/0xbe0 >> [ 27.175260] ? lock_timer_base+0x67/0x80 >> [ 27.175936] ? __internal_add_timer+0x1a/0x50 >> [ 27.176575] ? add_timer+0x10f/0x230 >> [ 27.177267] cifs_mount+0x101/0x1190 >> [ 27.177940] ? cifs_smb3_do_mount+0x144/0x5c0 >> [ 27.178575] cifs_smb3_do_mount+0x144/0x5c0 >> [ 27.179270] mount_fs+0x35/0x150 >> [ 27.179930] vfs_kern_mount.part.28+0x54/0xf0 >> [ 27.180567] do_mount+0x5ad/0xc40 >> [ 27.181234] ? kmem_cache_alloc_trace+0xed/0x1a0 >> [ 27.181916] ksys_mount+0x80/0xd0 >> [ 27.182535] __x64_sys_mount+0x21/0x30 >> [ 27.183220] do_syscall_64+0x4e/0x100 >> [ 27.183882] entry_SYSCALL_64_after_hwframe+0x44/0xa9 >> [ 27.184535] RIP: 0033:0x7f169339055a >> [ 27.185192] Code: 48 8b 0d 41 d9 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 >> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f >> 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 0e d9 2b 00 f7 d8 64 89 01 48 >> [ 27.187268] RSP: 002b:00007fff7b44eb58 EFLAGS: 00000202 ORIG_RAX: >> 00000000000000a5 >> [ 27.188515] RAX: ffffffffffffffda RBX: 00007f1693a7e70e RCX: >> 00007f169339055a >> [ 27.189244] RDX: 000055b9f97f64e5 RSI: 000055b9f97f652c RDI: >> 00007fff7b45074f >> [ 27.189974] RBP: 000055b9fb8c9260 R08: 000055b9fb8ca8f0 R09: >> 0000000000000000 >> [ 27.190721] R10: 0000000000000000 R11: 0000000000000202 R12: >> 000055b9fb8ca8f0 >> [ 27.191429] R13: 0000000000000000 R14: 00007f1693a7c000 R15: >> 00007f1693a7e91d >> [ 27.192167] Modules linked in: >> [ 27.192797] CR2: ffff8800f80c268b >> [ 27.193435] ---[ end trace 67404c618badf323 ]--- >> >> The problem was that dump_smb() had been called with an invalid pointer, >> that is, in __smb_send_rqst(), iov[1] doesn't exist (n_vec == 1). >> >> This patch fixes it by relying on the n_vec value to dump out the smb >> packets. >> >> Signed-off-by: Paulo Alcantara <palcantara@suse.de> >> --- >> fs/cifs/transport.c | 10 +++++----- >> 1 file changed, 5 insertions(+), 5 deletions(-) >> >> diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c >> index 13c244dfb3c1..a3ea42a4cb98 100644 >> --- a/fs/cifs/transport.c >> +++ b/fs/cifs/transport.c >> @@ -281,17 +281,17 @@ __smb_send_rqst(struct TCP_Server_Info *server, int num_rqst, >> send_length += 4; >> } >> >> + cifs_dbg(FYI, "Sending smb: smb_len=%u\n", send_length); >> + >> for (j = 0; j < num_rqst; j++) { >> iov = rqst[j].rq_iov; >> n_vec = rqst[j].rq_nvec; >> >> - cifs_dbg(FYI, "Sending smb: smb_len=%u\n", send_length); >> - dump_smb(iov[0].iov_base, iov[0].iov_len); >> - dump_smb(iov[1].iov_base, iov[1].iov_len); >> - >> size = 0; >> - for (i = 0; i < n_vec; i++) >> + for (i = 0; i < n_vec; i++) { >> + dump_smb(iov[i].iov_base, iov[i].iov_len); >> size += iov[i].iov_len; >> + } >> >> iov_iter_kvec(&smb_msg.msg_iter, WRITE | ITER_KVEC, >> iov, n_vec, size); >> -- >> 2.17.1 >> >> -- >> To unsubscribe from this list: send the line "unsubscribe linux-cifs" in >> the body of a message to majordomo@vger.kernel.org >> More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/fs/cifs/transport.c b/fs/cifs/transport.c index 13c244dfb3c1..a3ea42a4cb98 100644 --- a/fs/cifs/transport.c +++ b/fs/cifs/transport.c @@ -281,17 +281,17 @@ __smb_send_rqst(struct TCP_Server_Info *server, int num_rqst, send_length += 4; } + cifs_dbg(FYI, "Sending smb: smb_len=%u\n", send_length); + for (j = 0; j < num_rqst; j++) { iov = rqst[j].rq_iov; n_vec = rqst[j].rq_nvec; - cifs_dbg(FYI, "Sending smb: smb_len=%u\n", send_length); - dump_smb(iov[0].iov_base, iov[0].iov_len); - dump_smb(iov[1].iov_base, iov[1].iov_len); - size = 0; - for (i = 0; i < n_vec; i++) + for (i = 0; i < n_vec; i++) { + dump_smb(iov[i].iov_base, iov[i].iov_len); size += iov[i].iov_len; + } iov_iter_kvec(&smb_msg.msg_iter, WRITE | ITER_KVEC, iov, n_vec, size);
When traceSMB is enabled through 'echo 1 > /proc/fs/cifs/traceSMB', after a mount, the following oops is triggered: [ 27.137943] BUG: unable to handle kernel paging request at ffff8800f80c268b [ 27.143396] PGD 2c6b067 P4D 2c6b067 PUD 0 [ 27.145386] Oops: 0000 [#1] SMP PTI [ 27.146186] CPU: 2 PID: 2655 Comm: mount.cifs Not tainted 4.17.0+ #39 [ 27.147174] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014 [ 27.148969] RIP: 0010:hex_dump_to_buffer+0x413/0x4b0 [ 27.149738] Code: 48 8b 44 24 08 31 db 45 31 d2 48 89 6c 24 18 44 89 6c 24 24 48 c7 c1 78 b5 23 82 4c 89 64 24 10 44 89 d5 41 89 dc 4c 8d 58 02 <44> 0f b7 00 4d 89 dd eb 1f 83 c5 01 41 01 c4 41 39 ef 0f 84 48 fe [ 27.152396] RSP: 0018:ffffc9000058f8c0 EFLAGS: 00010246 [ 27.153129] RAX: ffff8800f80c268b RBX: 0000000000000000 RCX: ffffffff8223b578 [ 27.153867] RDX: 0000000000000000 RSI: ffffffff81a55496 RDI: 0000000000000008 [ 27.154612] RBP: 0000000000000000 R08: 0000000000000020 R09: 0000000000000083 [ 27.155355] R10: 0000000000000000 R11: ffff8800f80c268d R12: 0000000000000000 [ 27.156101] R13: 0000000000000002 R14: ffffc9000058f94d R15: 0000000000000008 [ 27.156838] FS: 00007f1693a6b740(0000) GS:ffff88007fd00000(0000) knlGS:0000000000000000 [ 27.158354] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 27.159093] CR2: ffff8800f80c268b CR3: 00000000798fa001 CR4: 0000000000360ee0 [ 27.159892] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 27.160661] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 27.161464] Call Trace: [ 27.162123] print_hex_dump+0xd3/0x160 [ 27.162814] journal-offline (2658) used greatest stack depth: 13144 bytes left [ 27.162824] ? __release_sock+0x60/0xd0 [ 27.165344] ? tcp_sendmsg+0x31/0x40 [ 27.166177] dump_smb+0x39/0x40 [ 27.166972] ? vsnprintf+0x236/0x490 [ 27.167807] __smb_send_rqst.constprop.12+0x103/0x430 [ 27.168554] ? apic_timer_interrupt+0xa/0x20 [ 27.169306] smb_send_rqst+0x48/0xc0 [ 27.169984] cifs_send_recv+0xda/0x420 [ 27.170639] SMB2_negotiate+0x23d/0xfa0 [ 27.171301] ? vsnprintf+0x236/0x490 [ 27.171961] ? smb2_negotiate+0x19/0x30 [ 27.172586] smb2_negotiate+0x19/0x30 [ 27.173257] cifs_negotiate_protocol+0x70/0xd0 [ 27.173935] ? kstrdup+0x43/0x60 [ 27.174551] cifs_get_smb_ses+0x295/0xbe0 [ 27.175260] ? lock_timer_base+0x67/0x80 [ 27.175936] ? __internal_add_timer+0x1a/0x50 [ 27.176575] ? add_timer+0x10f/0x230 [ 27.177267] cifs_mount+0x101/0x1190 [ 27.177940] ? cifs_smb3_do_mount+0x144/0x5c0 [ 27.178575] cifs_smb3_do_mount+0x144/0x5c0 [ 27.179270] mount_fs+0x35/0x150 [ 27.179930] vfs_kern_mount.part.28+0x54/0xf0 [ 27.180567] do_mount+0x5ad/0xc40 [ 27.181234] ? kmem_cache_alloc_trace+0xed/0x1a0 [ 27.181916] ksys_mount+0x80/0xd0 [ 27.182535] __x64_sys_mount+0x21/0x30 [ 27.183220] do_syscall_64+0x4e/0x100 [ 27.183882] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 27.184535] RIP: 0033:0x7f169339055a [ 27.185192] Code: 48 8b 0d 41 d9 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 0e d9 2b 00 f7 d8 64 89 01 48 [ 27.187268] RSP: 002b:00007fff7b44eb58 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 [ 27.188515] RAX: ffffffffffffffda RBX: 00007f1693a7e70e RCX: 00007f169339055a [ 27.189244] RDX: 000055b9f97f64e5 RSI: 000055b9f97f652c RDI: 00007fff7b45074f [ 27.189974] RBP: 000055b9fb8c9260 R08: 000055b9fb8ca8f0 R09: 0000000000000000 [ 27.190721] R10: 0000000000000000 R11: 0000000000000202 R12: 000055b9fb8ca8f0 [ 27.191429] R13: 0000000000000000 R14: 00007f1693a7c000 R15: 00007f1693a7e91d [ 27.192167] Modules linked in: [ 27.192797] CR2: ffff8800f80c268b [ 27.193435] ---[ end trace 67404c618badf323 ]--- The problem was that dump_smb() had been called with an invalid pointer, that is, in __smb_send_rqst(), iov[1] doesn't exist (n_vec == 1). This patch fixes it by relying on the n_vec value to dump out the smb packets. Signed-off-by: Paulo Alcantara <palcantara@suse.de> --- fs/cifs/transport.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)