On 9/10/25 5:47 PM, rtm@xxxxxxxxxxxxx wrote:
> So if a client sends a flexfile LAYOUTCOMMIT to a pNFS server, it will
> crash here in nfsd4_layoutcommit():
>
>         nfserr = ops->proc_layoutcommit(inode, lcp);
>
> I've attached a demo:
> # cc nfsd155a.c
> # ./a.out
> ...
> [ 643.202841] BUG: kernel NULL pointer dereference, address: 0000000000000000
> [ 643.203679] CPU: 8 UID: 0 PID: 1115 Comm: nfsd Not tainted 6.17.0-rc4-00231-gc8ed9b5c02a5 #28 PREEMPT(voluntary)
>
> #0  nfsd4_layoutcommit (rqstp=0xffffffd6047cd000, cstate=0xffffffd60a062028,
>     u=0xffffffd60a022720) at fs/nfsd/nfs4proc.c:2529
> #1  0xffffffff804b9768 in nfsd4_proc_compound (rqstp=0xffffffd6047cd000)
>     at fs/nfsd/nfs4proc.c:2888
> #2  0xffffffff804a0558 in nfsd_dispatch (rqstp=0xffffffd6047cd000)
>     at fs/nfsd/nfssvc.c:991
> #3  0xffffffff81034022 in svc_process_common (
>     rqstp=rqstp@entry=0xffffffd6047cd000) at net/sunrpc/svc.c:1428
> #4  0xffffffff81034522 in svc_process (rqstp=rqstp@entry=0xffffffd6047cd000)
>     at net/sunrpc/svc.c:1568
> #5  0xffffffff810469a0 in svc_handle_xprt (xprt=0xffffffd60449d800,
>     rqstp=0xffffffd6047cd000) at net/sunrpc/svc_xprt.c:817
> #6  svc_recv (rqstp=rqstp@entry=0xffffffd6047cd000)
>     at net/sunrpc/svc_xprt.c:874
> #7  0xffffffff8049f58c in nfsd (vrqstp=0xffffffd6047cd000)
>     at fs/nfsd/nfssvc.c:926
>
> (gdb) print ops
> $1 = (const struct nfsd4_layout_ops *) 0xffffffff81366130 <ff_layout_ops>
> (gdb) print ops->proc_layoutcommit
> $2 = (__be32 (*)(struct inode *, struct nfsd4_layoutcommit *)) 0x0
>
> Robert Morris
> rtm@xxxxxxx
>

Right, at a guess, this is just like yesterday's -- IIUC pNFS clients
don't need to send LAYOUTCOMMIT for NFSD's degenerate FlexFile layouts,
so a FlexFile proc_layoutcommit has never been added.

Agreed, however, that NFSD should avoid crashing if it gets one of
these operations.

--
Chuck Lever
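The bug class in the report above is a layout-ops table whose optional callback was never filled in, called through without a NULL check, so a client-chosen layout type steers the server into a jump to address 0. The following is an added user-space model of that pattern and of the guard a practitioner would expect in the dispatcher; it is example code, not NFSD's code, and every name in it (the status values, the `layout_ops` struct, the two tables, the `dispatch_*` functions) is hypothetical. The "not supported" status is only modelled on the NFSv4 NOTSUPP idea; the real NFSD maintainers may choose a different error or a different fix.

```c
/* Added example, not NFSD code. Models an ops table with an optional
 * callback left NULL, and a guarded dispatch that rejects the request
 * instead of calling through the NULL pointer. All names hypothetical. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Stand-ins for the kernel's __be32 status codes (hypothetical values). */
typedef uint32_t status_t;
#define STATUS_OK      0u
#define STATUS_INVAL   22u
#define STATUS_NOTSUPP 10004u   /* modelled on NFS4ERR_NOTSUPP; illustrative only */

struct inode        { int ino; };
struct layoutcommit { int ino; int new_size; };

/* A per-layout-type ops table; proc_layoutcommit is optional. */
struct layout_ops {
    const char *name;
    status_t (*proc_layoutcommit)(struct inode *, struct layoutcommit *);
};

/* Layout type that does implement LAYOUTCOMMIT handling. */
static status_t block_layoutcommit(struct inode *inode, struct layoutcommit *lcp)
{
    if (inode->ino != lcp->ino)
        return STATUS_INVAL;            /* commit must target the same file */
    return STATUS_OK;
}

static const struct layout_ops bl_ops = { "block",    block_layoutcommit };
/* Layout type with no LAYOUTCOMMIT handler, like the report's ff_layout_ops. */
static const struct layout_ops ff_ops = { "flexfile", NULL };

/* Unguarded dispatch: the shape of the call in the backtrace. With ff_ops
 * this is a call through a NULL function pointer. Not invoked by main(). */
status_t dispatch_unguarded(const struct layout_ops *ops,
                            struct inode *inode, struct layoutcommit *lcp)
{
    return ops->proc_layoutcommit(inode, lcp);
}

/* Guarded dispatch: a missing callback is an unsupported operation for
 * this layout type, reported to the client rather than crashing. */
status_t dispatch_guarded(const struct layout_ops *ops,
                          struct inode *inode, struct layoutcommit *lcp)
{
    if (!ops || !ops->proc_layoutcommit)
        return STATUS_NOTSUPP;
    return ops->proc_layoutcommit(inode, lcp);
}

int main(void)
{
    /* Constructed sample request: LAYOUTCOMMIT on inode 42. */
    struct inode ino = { 42 };
    struct layoutcommit lcp = { 42, 4096 };

    printf("%s: status %u\n", bl_ops.name, dispatch_guarded(&bl_ops, &ino, &lcp));
    printf("%s: status %u\n", ff_ops.name, dispatch_guarded(&ff_ops, &ino, &lcp));
    return 0;
}
```

The check belongs in the generic dispatcher rather than in each layout type: any table is then free to leave callbacks unset, and the server returns an error for an operation the layout does not support instead of letting the client pick which NULL slot gets called.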