linux/fs/nfs
Jeff Layton dd1b202632 nfs: decrement nrequests counter before releasing the req
I hit this panic in testing:

[ 6235.500016] run fstests generic/464 at 2023-09-18 22:51:24
[ 6288.410761] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 6288.412174] #PF: supervisor read access in kernel mode
[ 6288.413160] #PF: error_code(0x0000) - not-present page
[ 6288.413992] PGD 0 P4D 0
[ 6288.414603] Oops: 0000 [#1] PREEMPT SMP PTI
[ 6288.415419] CPU: 0 PID: 340798 Comm: kworker/u18:8 Not tainted 6.6.0-rc1-gdcf620ceebac #95
[ 6288.416538] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
[ 6288.417701] Workqueue: nfsiod rpc_async_release [sunrpc]
[ 6288.418676] RIP: 0010:nfs_inode_remove_request+0xc8/0x150 [nfs]
[ 6288.419836] Code: ff ff 48 8b 43 38 48 8b 7b 10 a8 04 74 5b 48 85 ff 74 56 48 8b 07 a9 00 00 08 00 74 58 48 8b 07 f6 c4 10 74 50 e8 c8 44 b3 d5 <48> 8b 00 f0 48 ff 88 30 ff ff ff 5b 5d 41 5c c3 cc cc cc cc 48 8b
[ 6288.422389] RSP: 0018:ffffbd618353bda8 EFLAGS: 00010246
[ 6288.423234] RAX: 0000000000000000 RBX: ffff9a29f9a25280 RCX: 0000000000000000
[ 6288.424351] RDX: ffff9a29f9a252b4 RSI: 000000000000000b RDI: ffffef41448e3840
[ 6288.425345] RBP: ffffef41448e3840 R08: 0000000000000038 R09: ffffffffffffffff
[ 6288.426334] R10: 0000000000033f80 R11: ffff9a2a7fffa000 R12: ffff9a29093f98c4
[ 6288.427353] R13: 0000000000000000 R14: ffff9a29230f62e0 R15: ffff9a29230f62d0
[ 6288.428358] FS:  0000000000000000(0000) GS:ffff9a2a77c00000(0000) knlGS:0000000000000000
[ 6288.429513] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6288.430427] CR2: 0000000000000000 CR3: 0000000264748002 CR4: 0000000000770ef0
[ 6288.431553] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 6288.432715] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 6288.433698] PKRU: 55555554
[ 6288.434196] Call Trace:
[ 6288.434667]  <TASK>
[ 6288.435132]  ? __die+0x1f/0x70
[ 6288.435723]  ? page_fault_oops+0x159/0x450
[ 6288.436389]  ? try_to_wake_up+0x98/0x5d0
[ 6288.437044]  ? do_user_addr_fault+0x65/0x660
[ 6288.437728]  ? exc_page_fault+0x7a/0x180
[ 6288.438368]  ? asm_exc_page_fault+0x22/0x30
[ 6288.439137]  ? nfs_inode_remove_request+0xc8/0x150 [nfs]
[ 6288.440112]  ? nfs_inode_remove_request+0xa0/0x150 [nfs]
[ 6288.440924]  nfs_commit_release_pages+0x16e/0x340 [nfs]
[ 6288.441700]  ? __pfx_call_transmit+0x10/0x10 [sunrpc]
[ 6288.442475]  ? _raw_spin_lock_irqsave+0x23/0x50
[ 6288.443161]  nfs_commit_release+0x15/0x40 [nfs]
[ 6288.443926]  rpc_free_task+0x36/0x60 [sunrpc]
[ 6288.444741]  rpc_async_release+0x29/0x40 [sunrpc]
[ 6288.445509]  process_one_work+0x171/0x340
[ 6288.446135]  worker_thread+0x277/0x3a0
[ 6288.446724]  ? __pfx_worker_thread+0x10/0x10
[ 6288.447376]  kthread+0xf0/0x120
[ 6288.447903]  ? __pfx_kthread+0x10/0x10
[ 6288.448500]  ret_from_fork+0x2d/0x50
[ 6288.449078]  ? __pfx_kthread+0x10/0x10
[ 6288.449665]  ret_from_fork_asm+0x1b/0x30
[ 6288.450283]  </TASK>
[ 6288.450688] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace sunrpc nls_iso8859_1 nls_cp437 vfat fat 9p netfs ext4 kvm_intel crc16 mbcache jbd2 joydev kvm xfs irqbypass virtio_net pcspkr net_failover psmouse failover 9pnet_virtio cirrus drm_shmem_helper virtio_balloon drm_kms_helper button evdev drm loop dm_mod zram zsmalloc crct10dif_pclmul crc32_pclmul ghash_clmulni_intel sha512_ssse3 sha512_generic virtio_blk nvme aesni_intel crypto_simd cryptd nvme_core t10_pi i6300esb crc64_rocksoft_generic crc64_rocksoft crc64 virtio_pci virtio virtio_pci_legacy_dev virtio_pci_modern_dev virtio_ring serio_raw btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq autofs4
[ 6288.460211] CR2: 0000000000000000
[ 6288.460787] ---[ end trace 0000000000000000 ]---
[ 6288.461571] RIP: 0010:nfs_inode_remove_request+0xc8/0x150 [nfs]
[ 6288.462500] Code: ff ff 48 8b 43 38 48 8b 7b 10 a8 04 74 5b 48 85 ff 74 56 48 8b 07 a9 00 00 08 00 74 58 48 8b 07 f6 c4 10 74 50 e8 c8 44 b3 d5 <48> 8b 00 f0 48 ff 88 30 ff ff ff 5b 5d 41 5c c3 cc cc cc cc 48 8b
[ 6288.465136] RSP: 0018:ffffbd618353bda8 EFLAGS: 00010246
[ 6288.465963] RAX: 0000000000000000 RBX: ffff9a29f9a25280 RCX: 0000000000000000
[ 6288.467035] RDX: ffff9a29f9a252b4 RSI: 000000000000000b RDI: ffffef41448e3840
[ 6288.468093] RBP: ffffef41448e3840 R08: 0000000000000038 R09: ffffffffffffffff
[ 6288.469121] R10: 0000000000033f80 R11: ffff9a2a7fffa000 R12: ffff9a29093f98c4
[ 6288.470109] R13: 0000000000000000 R14: ffff9a29230f62e0 R15: ffff9a29230f62d0
[ 6288.471106] FS:  0000000000000000(0000) GS:ffff9a2a77c00000(0000) knlGS:0000000000000000
[ 6288.472216] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6288.473059] CR2: 0000000000000000 CR3: 0000000264748002 CR4: 0000000000770ef0
[ 6288.474096] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 6288.475097] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 6288.476148] PKRU: 55555554
[ 6288.476665] note: kworker/u18:8[340798] exited with irqs disabled

Once we've released "req", it's not safe to dereference it anymore.
Decrement the nrequests counter before dropping the reference.

Signed-off-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
Tested-by: Benjamin Coddington <bcodding@redhat.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
2023-09-28 12:22:25 -04:00
..
blocklayout nfs/blocklayout: Use the passed in gfp flags 2023-08-24 13:24:15 -04:00
filelayout pNFS/filelayout: treat GETDEVICEINFO errors as layout failure 2023-02-15 11:07:54 -05:00
flexfilelayout NFS/pNFS: Report EINVAL errors from connect() to the server 2023-09-13 11:51:11 -04:00
cache_lib.c
cache_lib.h
callback_proc.c nfs: convert to ctime accessor functions 2023-07-24 10:30:01 +02:00
callback_xdr.c SUNRPC: Use per-CPU counters to tally server RPC counts 2023-02-20 09:20:32 -05:00
callback.c SUNRPC: Add enum svc_auth_status 2023-08-29 17:45:22 -04:00
callback.h
client.c NFS/pNFS: Set the connect timeout for the pNFS flexfiles driver 2023-08-24 13:24:15 -04:00
delegation.c
delegation.h
dir.c nfs: fix redundant readdir request after get eof 2023-08-24 13:24:15 -04:00
direct.c NFS: More fixes for nfs_direct_write_reschedule_io() 2023-09-13 11:51:11 -04:00
dns_resolve.c NFS: Move common includes outside ifdef 2023-08-24 13:24:15 -04:00
dns_resolve.h
export.c nfsd: allow reaping files still under writeback 2023-04-26 09:04:59 -04:00
file.c filemap: Fix errors in file.c 2023-08-24 13:24:15 -04:00
fs_context.c NFS: Add an "xprtsec=" NFS mount option 2023-06-19 12:30:17 -04:00
fscache.c mm, netfs, fscache: stop read optimisation when folio removed from pagecache 2023-08-18 10:12:13 -07:00
fscache.h nfs: convert to ctime accessor functions 2023-07-24 10:30:01 +02:00
getroot.c
inode.c fs: pass the request_mask to generic_fillattr 2023-08-09 08:56:36 +02:00
internal.h NFS/pNFS: Set the connect timeout for the pNFS flexfiles driver 2023-08-24 13:24:15 -04:00
io.c
iostat.h NFS: Remove all NFSIOS_FSCACHE counters due to conversion to netfs API 2023-04-11 13:08:26 -04:00
Kconfig NFS: Enable the READ_PLUS operation by default 2023-08-23 15:58:47 -04:00
Makefile
mount_clnt.c
namespace.c fs: pass the request_mask to generic_fillattr 2023-08-09 08:56:36 +02:00
netns.h
nfs2super.c
nfs2xdr.c NFS: Guard against READDIR loop when entry names exceed MAXNAMELEN 2023-08-30 11:08:27 -04:00
nfs3_fs.h fs: drop unused posix acl handlers 2023-03-06 09:57:12 +01:00
nfs3acl.c Mainly singleton patches all over the place. Series of note are: 2023-04-27 19:57:00 -07:00
nfs3client.c NFS/pNFS: Set the connect timeout for the pNFS flexfiles driver 2023-08-24 13:24:15 -04:00
nfs3proc.c
nfs3super.c fs: drop unused posix acl handlers 2023-03-06 09:57:12 +01:00
nfs3xdr.c NFS: Guard against READDIR loop when entry names exceed MAXNAMELEN 2023-08-30 11:08:27 -04:00
nfs4_fs.h fs: Pass argument to fcntl_setlease as int 2023-07-10 14:36:11 +02:00
nfs4client.c NFSv4.1: fix pnfs MDS=DS session trunking 2023-09-13 11:51:11 -04:00
nfs4file.c fs: Pass argument to fcntl_setlease as int 2023-07-10 14:36:11 +02:00
nfs4getroot.c
nfs4idmap.c
nfs4idmap.h
nfs4namespace.c
nfs4proc.c NFSv4: Fix a state manager thread deadlock regression 2023-09-27 15:16:40 -04:00
nfs4renewd.c
nfs4session.c
nfs4session.h
nfs4state.c NFSv4: Fix a state manager thread deadlock regression 2023-09-27 15:16:40 -04:00
nfs4super.c
nfs4sysctl.c nfs: simplify two-level sysctl registration for nfs4_cb_sysctls 2023-04-13 11:49:35 -07:00
nfs4trace.c
nfs4trace.h nfs4trace: fix state manager flag printing 2023-02-14 15:43:57 -05:00
nfs4xdr.c
nfs42.h NFSv4.2: Rework scratch handling for READ_PLUS (again) 2023-08-23 15:58:47 -04:00
nfs42proc.c NFSv4.2: fix handling of COPY ERR_OFFLOAD_NO_REQ 2023-08-30 11:08:27 -04:00
nfs42xattr.c NFSv4.2: fix wrong shrinker_id 2023-06-19 15:10:45 -04:00
nfs42xdr.c NFSv4.2: Rework scratch handling for READ_PLUS (again) 2023-08-23 15:58:47 -04:00
nfs.h
nfsroot.c NFS: Prefer strscpy over strlcpy calls 2023-05-22 12:34:41 -07:00
nfstrace.c
nfstrace.h NFS: Remove fscache specific trace points and NFS_INO_FSCACHE bit 2023-04-11 13:08:27 -04:00
pagelist.c NFS: Convert buffered read paths to use netfs when fscache is enabled 2023-04-11 13:08:26 -04:00
pnfs_dev.c NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info 2023-08-24 13:24:15 -04:00
pnfs_nfs.c pNFS: Fix assignment of xprtdata.cred 2023-08-30 14:31:31 -04:00
pnfs.c pNFS/filelayout: treat GETDEVICEINFO errors as layout failure 2023-02-15 11:07:54 -05:00
pnfs.h NFS: Convert buffered writes to use folios 2023-02-14 14:22:32 -05:00
proc.c
read.c NFSv4.2: Rework scratch handling for READ_PLUS (again) 2023-08-23 15:58:47 -04:00
super.c NFS: switch back to using kill_anon_super 2023-08-31 12:47:16 +02:00
symlink.c
sysctl.c nfs: simplify two-level sysctl registration for nfs_cb_sysctls 2023-04-13 11:49:35 -07:00
sysfs.c NFS: Fix sysfs server name memory leak 2023-08-19 10:26:29 -04:00
sysfs.h NFS: Add sysfs links to sunrpc clients for nfs_clients 2023-06-19 15:04:13 -04:00
unlink.c
write.c nfs: decrement nrequests counter before releasing the req 2023-09-28 12:22:25 -04:00