From patchwork Thu Dec 9 17:34:52 2010 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Bader X-Patchwork-Id: 74955 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from chlorine.canonical.com (chlorine.canonical.com [91.189.94.204]) by ozlabs.org (Postfix) with ESMTP id E936BB7043 for ; Fri, 10 Dec 2010 05:17:29 +1100 (EST) Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com) by chlorine.canonical.com with esmtp (Exim 4.69) (envelope-from ) id 1PQl3U-0004Kf-GU; Thu, 09 Dec 2010 18:17:24 +0000 Received: from adelie.canonical.com ([91.189.90.139]) by chlorine.canonical.com with esmtp (Exim 4.69) (envelope-from ) id 1PQkOL-0000un-QR for kernel-team@lists.ubuntu.com; Thu, 09 Dec 2010 17:34:53 +0000 Received: from hutte.canonical.com ([91.189.90.181]) by adelie.canonical.com with esmtp (Exim 4.69 #1 (Debian)) id 1PQkOL-0003FV-P6; Thu, 09 Dec 2010 17:34:53 +0000 Received: from p5b2e4db5.dip.t-dialin.net ([91.46.77.181] helo=[192.168.2.121]) by hutte.canonical.com with esmtpsa (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from ) id 1PQkOL-0007qo-HL; Thu, 09 Dec 2010 17:34:53 +0000 Message-ID: <4D01133C.6070905@canonical.com> Date: Thu, 09 Dec 2010 18:34:52 +0100 From: Stefan Bader User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.15) Gecko/20101027 Lightning/1.0b1 Thunderbird/3.0.10 MIME-Version: 1.0 To: Andy Whitcroft Subject: Re: [Lucid, Maverick, Natty v2] SRU: Fix panic after nfs_umount References: <4D00FCB1.7090508@canonical.com> <20101209172729.GB16421@penfold> In-Reply-To: <20101209172729.GB16421@penfold> X-Enigmail-Version: 1.0.1 Cc: Ubuntu Kernel Team X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.9 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: kernel-team-bounces@lists.ubuntu.com Errors-To: kernel-team-bounces@lists.ubuntu.com On 12/09/2010 06:27 PM, Andy Whitcroft wrote: > On Thu, Dec 09, 2010 at 04:58:41PM +0100, Stefan Bader wrote: >> SRU justification: >> >> Impact: When trying to mount an export where server and client have no common >> authentication method, the client will abort the mount by sending an advisory >> unmount message to the server. A bug in the RPC client setup causes the sunrpc >> code to access memory outside an allocated array, which will sooner or later >> cause the kernel to crash. >> >> Fix: Patch from upstream (about to be submitted and targeted for stable too) >> changes the setup to use the actual array size instead of a manually entered number. >> >> Testcase: >> >> Server exports a mount with an authentication method the client does not >> support, eg.: >> [/etc/exports] /srv/foo *(rw,sec=krb5) >> >> Client tries to mount this directory with no special authentication method: >> while true; do mount :/srv/foo /mnt; sync; sleep 1; done >> >> *Note*: This fix is not upstream yet, but is likely to go upstream in that form. >> I just wanted to start the SRU process early due to the fact that it triggers >> quite easily and ends in an odd and fatal mess. It is obvious enough to me and >> has been tested locally. >> >> The change causing the regression has been added in the 2.6.32 time. So all >> kernels between that and now are affected. >> >> -Stefan > >> From dcc0a9d5d9490680ea9faa7b90de3224c3aba7e3 Mon Sep 17 00:00:00 2001 >> From: Chuck Lever >> Date: Wed, 8 Dec 2010 19:07:12 -0500 >> Subject: [PATCH] NFS: Fix panic after nfs_umount() >> >> After a few unsuccessful NFS mount attempts in which the client and >> server cannot agree on an authentication flavor both support, the >> client panics. nfs_umount() is invoked in the kernel in this case. >> >> Turns out this particular UMNT RPC invocation causes the RPC client to >> write off the end of the rpc_clnt's iostat array. This is because the >> mount client's nrprocs field is initialized with the count of defined >> procedures (two: MNT and UMNT), rather than the size of the client's >> proc array (four). >> >> The fix is to use the same initialization technique used by most other >> upper layer clients in the kernel. >> >> Introduced by commit 0b524123, which failed to update nrprocs when it >> added support for UMNT. >> >> BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=24302 >> BugLink: http://bugs.launchpad.net/bugs/683938 >> >> Reported-by: Stefan Bader >> Tested-by: Stefan Bader >> CC: stable@kernel.org # >= 2.6.32 >> Signed-off-by: Chuck Lever >> --- >> fs/nfs/mount_clnt.c | 4 ++-- >> 1 files changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/fs/nfs/mount_clnt.c b/fs/nfs/mount_clnt.c >> index 59047f8..50552c5 100644 >> --- a/fs/nfs/mount_clnt.c >> +++ b/fs/nfs/mount_clnt.c >> @@ -503,13 +503,13 @@ static struct rpc_procinfo mnt3_procedures[] = { >> >> static struct rpc_version mnt_version1 = { >> .number = 1, >> - .nrprocs = 2, >> + .nrprocs = ARRAY_SIZE(mnt_procedures), >> .procs = mnt_procedures, >> }; >> >> static struct rpc_version mnt_version3 = { >> .number = 3, >> - .nrprocs = 2, >> + .nrprocs = ARRAY_SIZE(mnt_procedures), >> .procs = mnt3_procedures, > > In this one I think the ARRAY_SIZE should reference mnt3_procedures. A > quick visual check says that actually they are the same size so the code > will work as it is, but I suspect it is wrong. > > Stefan as you have the upstream link could you check. > > -apw So as Chuck agreed it being a copy and paste error, here the modified version. -Stefan Acked-by: Tim Gardner Acked-by: Brad Figg From dcc0a9d5d9490680ea9faa7b90de3224c3aba7e3 Mon Sep 17 00:00:00 2001 From: Chuck Lever Date: Wed, 8 Dec 2010 19:07:12 -0500 Subject: [PATCH v2] NFS: Fix panic after nfs_umount() After a few unsuccessful NFS mount attempts in which the client and server cannot agree on an authentication flavor both support, the client panics. nfs_umount() is invoked in the kernel in this case. Turns out this particular UMNT RPC invocation causes the RPC client to write off the end of the rpc_clnt's iostat array. This is because the mount client's nrprocs field is initialized with the count of defined procedures (two: MNT and UMNT), rather than the size of the client's proc array (four). The fix is to use the same initialization technique used by most other upper layer clients in the kernel. Introduced by commit 0b524123, which failed to update nrprocs when it added support for UMNT. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=24302 BugLink: http://bugs.launchpad.net/bugs/683938 Reported-by: Stefan Bader Tested-by: Stefan Bader CC: stable@kernel.org # >= 2.6.32 Signed-off-by: Chuck Lever --- fs/nfs/mount_clnt.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/nfs/mount_clnt.c b/fs/nfs/mount_clnt.c index 59047f8..50552c5 100644 --- a/fs/nfs/mount_clnt.c +++ b/fs/nfs/mount_clnt.c @@ -503,13 +503,13 @@ static struct rpc_procinfo mnt3_procedures[] = { static struct rpc_version mnt_version1 = { .number = 1, - .nrprocs = 2, + .nrprocs = ARRAY_SIZE(mnt_procedures), .procs = mnt_procedures, }; static struct rpc_version mnt_version3 = { .number = 3, - .nrprocs = 2, + .nrprocs = ARRAY_SIZE(mnt3_procedures), .procs = mnt3_procedures, }; -- 1.7.0.4