[0/12] cifs compounding

Message ID	20180903033352.29586-1-lsahlber@redhat.com (mailing list archive)
Headers	show Return-Path: <linux-cifs-owner@kernel.org> From: Ronnie Sahlberg <lsahlber@redhat.com> To: linux-cifs <linux-cifs@vger.kernel.org> Cc: Steve French <smfrench@gmail.com> Subject: [PATCH 0/12] cifs compounding Date: Mon, 3 Sep 2018 13:33:40 +1000 Message-Id: <20180903033352.29586-1-lsahlber@redhat.com> Sender: linux-cifs-owner@vger.kernel.org Precedence: bulk
Series	cifs compounding \| expand [0/12] cifs compounding [01/12] cifs: add a smb2_compound_op and change QUERY_INFO to use it [02/12] cifs: change mkdir to use a compound [03/12] cifs: change unlink to use a compound [04/12] cifs: create helpers for SMB2_set_info_init/free() [05/12] cifs: make rmdir() use compounding [06/12] cifs: change SMB2_OP_SET_EOF to use compounding [07/12] cifs: remove the is_falloc argument to SMB2_set_eof [08/12] cifs: change SMB2_OP_SET_INFO to use compounding [09/12] cifs: change SMB2_OP_RENAME and SMB2_OP_HARDLINK to use compounding [10/12] cifs: create a define for the max number of iov we need for a SMB2 set_info [11/12] cifs: add a warning if we try to to dequeue a deleted mid [12/12] cifs: only wake the thread for the very last PDU in a compound

Message ID

20180903033352.29586-1-lsahlber@redhat.com (mailing list archive)

Headers

From: Ronnie Sahlberg <lsahlber@redhat.com>
To: linux-cifs <linux-cifs@vger.kernel.org>
Cc: Steve French <smfrench@gmail.com>
Subject: [PATCH 0/12] cifs compounding
Date: Mon,  3 Sep 2018 13:33:40 +1000
Message-Id: <20180903033352.29586-1-lsahlber@redhat.com>
Sender: linux-cifs-owner@vger.kernel.org
Precedence: bulk

Series

cifs compounding | expand

Steve, Please find an updated compounding patch series that is based on current for-next. It contains changes to check IF rqst[]->rq_iov has been set before calling the respective smb2_*_free() functions and thus preventing an oops.

Comments

Aurélien Aptel Sept. 3, 2018, 2:10 p.m. UTC | #1

Hi ronnie,

I've run xfstests against this version and I still hit oopses
unfortunately :(

Similar spot, generic/339 against samba master git, lots of
mkdirs (so lots of compounding):

fs/cifs/inode.c: CIFS VFS: in cifs_mkdir as Xid: 668528 with uid: 0
fs/cifs/inode.c: cifs_mkdir returned 0xfffffffe
fs/cifs/inode.c: CIFS VFS: leaving cifs_mkdir (xid = 668528) rc = -2
fs/cifs/inode.c: In cifs_mkdir, mode = 0x1c0 inode = 0x00000000b0925e3a
fs/cifs/inode.c: CIFS VFS: in cifs_mkdir as Xid: 668530 with uid: 0
fs/cifs/inode.c: cifs_mkdir returned 0xfffffffe
fs/cifs/inode.c: CIFS VFS: leaving cifs_mkdir (xid = 668530) rc = -2
fs/cifs/dir.c: Invalid file name
fs/cifs/dir.c: CIFS VFS: leaving cifs_lookup (xid = 668531) rc = -22
fs/cifs/inode.c: cifs_mkdir returned 0xfffffffe
fs/cifs/smb2ops.c: disabling oplocks
CIFS VFS: disabling echoes and oplocks
fs/cifs/connect.c: Reconnecting tcp session
fs/cifs/connect.c: cifs_reconnect: marking sessions and tcons for reconnect
fs/cifs/connect.c: cifs_reconnect: tearing down socket
fs/cifs/connect.c: State: 0x3 Flags: 0x0
fs/cifs/connect.c: Post shutdown state: 0x3 Flags: 0x0
fs/cifs/connect.c: cifs_reconnect: moving mids to private list
fs/cifs/connect.c: cifs_reconnect: issuing mid callbacks
==================================================================
BUG: KASAN: null-ptr-deref in _raw_spin_lock_irqsave+0x17/0x40
Write of size 4 at addr 0000000000000000 by task cifsd/19618

CPU: 3 PID: 19618 Comm: cifsd Not tainted 4.19.0-rc2+ #20
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
Call Trace:
 dump_stack+0x5b/0x8b
 kasan_report+0x253/0x2a0
 ? _raw_spin_lock_irqsave+0x17/0x40
 _raw_spin_lock_irqsave+0x17/0x40
 remove_wait_queue+0x12/0x50
 sk_wait_data+0xf6/0x110
 ? autoremove_wake_function+0x30/0x30
 tcp_recvmsg+0x434/0xb00
 inet_recvmsg+0xa5/0xd0
 cifs_readv_from_socket+0xfe/0x1e0
 cifs_read_from_socket+0x3d/0x50
 ? try_to_wake_up+0x413/0x430
 ? allocate_buffers+0x85/0xf0
 cifs_demultiplex_thread+0xe9/0xb30
 kthread+0x126/0x130
 ? cifs_handle_standard+0x180/0x180
 ? kthread_destroy_worker+0x40/0x40
 ret_from_fork+0x35/0x40

Full log here [1]. I'm not sure why it's reconnecting right
before... malformed packet?

1: http://zbeul.ist/tmp/cifs-compounding-crash-2018-09-03.txt.bz2