On Mon, 2025-06-16 at 15:49 +0800, ChenXiaoSong wrote:
> Hi Jeff:
> 
> Do you have any suggestions for this null-ptr-deref issue?
> 
> Here is the link to the vmcore analysis:
> 
> https://chenxiaosong.com/en/nfs/en-null-ptr-deref-in-nfsd4_probe_callback.html
> 
> Thanks,
> ChenXiaoSong.
> 

Not right offhand. My first guess would be some sort of UAF. Maybe a
nfs4_client refcounting issue? If this is reproducible then you may want
to turn up KASAN which might give you more info.

That said, 4.19.90 is more than 6 years old at this point. You may want
to consider moving to something more recent.

> On 2025/6/11 15:12, ChenXiaoSong wrote:
> > On 2025/6/10 19:09, Jeff Layton wrote:
> > > 
> > > Synchronization was probably too strong a word. I remember looking over
> > > this code and convincing myself that the probe callback wasn't subject
> > > to the same races as the others, but I think that was mostly because
> > > the outcome of those races was not harmful. Note that the probe itself
> > > can actually be run at the start of a completely unrelated callback to
> > > the same client.
> > > 
> > > So you hit a NULL pointer in __queue_work()? The work_struct is
> > > embedded in the nfs4_client so that would probably imply that the
> > > nfs4_client struct was corrupt?
> > > 
> > > You may want to get a vmcore and analyze it if you can reproduce this.
> > 
> > Thanks for your reply.
> > 
> > I have already got a vmcore. Here is the link to the vmcore analysis:
> > 
> > https://chenxiaosong.com/en/nfs/en-null-ptr-deref-in-nfsd4_probe_callback.html
> > 
> > Please let me know if you need any more detailed information.
> > 
> > Thanks,
> > ChenXiaoSong.
> 

-- 
Jeff Layton <jlayton@xxxxxxxxxx>
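As an added illustration, not code from this thread or from nfsd: the refcounting hazard Jeff's UAF guess points at is a work item embedded in a refcounted object being queued without pinning the object, so the last reference can be dropped while the work is still pending and the callback then runs on freed memory. The program below models that with a hypothetical struct client that embeds a work item (all names are invented stand-ins for nfs4_client and its work_struct; the single-threaded queue stands in for the workqueue). Instead of free()-ing the object it poisons a magic field, so a late callback is counted rather than being undefined behaviour; on a real kernel this is exactly the access KASAN would flag. The pinned variant uses the common kernel idiom of taking a reference before queue_work() and returning it immediately when the work was already pending.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for a kernel work item and the refcounted object
 * (nfs4_client-like) that embeds it. Names are illustrative only. */
struct work_item {
    void (*fn)(struct work_item *);
    struct work_item *next;
    bool pending;            /* at most one queued instance, like WORK_STRUCT_PENDING */
};

#define CLIENT_MAGIC 0x434c4e54u   /* object is live */
#define CLIENT_DEAD  0xdeadbeefu   /* poisoned by destroy_client() */

struct client {
    int refcount;
    unsigned int magic;
    struct work_item probe_work;
};

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Single-threaded stand-in for the workqueue: a list drained on demand. */
static struct work_item *queue_head;
static int stale_runs;   /* callbacks that ran on a poisoned (freed) client */
static int live_runs;    /* callbacks that ran on a live client */

static bool queue_work(struct work_item *w)
{
    if (w->pending)
        return false;        /* already queued: kernel queue_work() returns false too */
    w->pending = true;
    w->next = queue_head;
    queue_head = w;
    return true;
}

static void run_pending_work(void)
{
    while (queue_head) {
        struct work_item *w = queue_head;
        queue_head = w->next;
        w->pending = false;
        w->fn(w);
    }
}

/* Poison instead of free() so a late callback is detectable, not UB. */
static void destroy_client(struct client *c) { c->magic = CLIENT_DEAD; }
static void client_get(struct client *c) { c->refcount++; }
static void client_put(struct client *c)
{
    if (--c->refcount == 0)
        destroy_client(c);
}

/* The probe callback: records whether its owner was still alive. */
static void probe_fn(struct work_item *w)
{
    struct client *c = container_of(w, struct client, probe_work);
    if (c->magic != CLIENT_MAGIC)
        stale_runs++;        /* ran after the owner was torn down */
    else
        live_runs++;
}

/* Variant 1: queue the probe without pinning the client. */
static void queue_probe_unpinned(struct client *c) { queue_work(&c->probe_work); }

/* Variant 2: the queued work owns a reference and drops it when done;
 * if the work was already pending, the extra reference is returned at once. */
static void probe_fn_pinned(struct work_item *w)
{
    struct client *c = container_of(w, struct client, probe_work);
    probe_fn(w);
    client_put(c);
}

static void queue_probe_pinned(struct client *c)
{
    client_get(c);
    if (!queue_work(&c->probe_work))
        client_put(c);
}

static struct client *new_client(void (*fn)(struct work_item *))
{
    struct client *c = calloc(1, sizeof *c);
    if (!c)
        abort();
    c->refcount = 1;
    c->magic = CLIENT_MAGIC;
    c->probe_work.fn = fn;
    return c;
}

/* Owner queues the probe, drops its reference, then the queue runs.
 * Returns how many callbacks ran against a dead client. */
int scenario_unpinned(void)
{
    stale_runs = live_runs = 0;
    struct client *c = new_client(probe_fn);
    queue_probe_unpinned(c);
    client_put(c);            /* refcount 1 -> 0: destroyed while work is pending */
    run_pending_work();       /* callback touches the poisoned object */
    free(c);
    return stale_runs;
}

/* Same sequence with the pinned variant; *freed_after_run reports whether the
 * object was torn down only after the callback completed. */
int scenario_pinned(bool *freed_after_run)
{
    stale_runs = live_runs = 0;
    struct client *c = new_client(probe_fn_pinned);
    queue_probe_pinned(c);
    queue_probe_pinned(c);    /* already pending: reference handed straight back */
    client_put(c);            /* refcount 2 -> 1: the queued work keeps it alive */
    run_pending_work();       /* runs live, then drops the last reference */
    *freed_after_run = (c->magic == CLIENT_DEAD);
    free(c);
    return stale_runs;
}

int main(void)
{
    bool freed;
    printf("unpinned: %d stale callback(s)\n", scenario_unpinned());
    printf("pinned:   %d stale callback(s), freed after run: %s\n",
           scenario_pinned(&freed), freed ? "yes" : "no");
    return 0;
}
```

The unpinned scenario is the shape of bug that shows up as a bogus work_struct in __queue_work() or as a KASAN use-after-free report once the real free() happens; the pinned scenario keeps the object alive for exactly as long as the work is queued, which is why the "get before queue_work(), put if it was already pending" idiom is the usual fix.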