So if a client sends a flexfile LAYOUTCOMMIT to a pNFS server, it will crash here in nfsd4_layoutcommit():

    nfserr = ops->proc_layoutcommit(inode, lcp);

I've attached a demo:

    # cc nfsd155a.c
    # ./a.out
    ...
    [  643.202841] BUG: kernel NULL pointer dereference, address: 0000000000000000
    [  643.203679] CPU: 8 UID: 0 PID: 1115 Comm: nfsd Not tainted 6.17.0-rc4-00231-gc8ed9b5c02a5 #28 PREEMPT(voluntary)

    #0  nfsd4_layoutcommit (rqstp=0xffffffd6047cd000, cstate=0xffffffd60a062028, u=0xffffffd60a022720) at fs/nfsd/nfs4proc.c:2529
    #1  0xffffffff804b9768 in nfsd4_proc_compound (rqstp=0xffffffd6047cd000) at fs/nfsd/nfs4proc.c:2888
    #2  0xffffffff804a0558 in nfsd_dispatch (rqstp=0xffffffd6047cd000) at fs/nfsd/nfssvc.c:991
    #3  0xffffffff81034022 in svc_process_common (rqstp=rqstp@entry=0xffffffd6047cd000) at net/sunrpc/svc.c:1428
    #4  0xffffffff81034522 in svc_process (rqstp=rqstp@entry=0xffffffd6047cd000) at net/sunrpc/svc.c:1568
    #5  0xffffffff810469a0 in svc_handle_xprt (xprt=0xffffffd60449d800, rqstp=0xffffffd6047cd000) at net/sunrpc/svc_xprt.c:817
    #6  svc_recv (rqstp=rqstp@entry=0xffffffd6047cd000) at net/sunrpc/svc_xprt.c:874
    #7  0xffffffff8049f58c in nfsd (vrqstp=0xffffffd6047cd000) at fs/nfsd/nfssvc.c:926

    (gdb) print ops
    $1 = (const struct nfsd4_layout_ops *) 0xffffffff81366130 <ff_layout_ops>
    (gdb) print ops->proc_layoutcommit
    $2 = (__be32 (*)(struct inode *, struct nfsd4_layoutcommit *)) 0x0

Robert Morris
rtm@xxxxxxx
Attachment:
nfsd155a.c
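The defect in the report is an ops-table callback that one layout type (ff_layout_ops) leaves NULL and that the caller invokes unconditionally. The model below is an added example, not the reporter's demo or kernel code: the struct and function names echo fs/nfsd, but the inode, layoutcommit arguments, layout-type table and status values are constructed stand-ins, and the dispatch shows the two checks a caller of an optional hook needs (registered layout type, non-NULL callback) so an unsupported type yields a protocol error instead of an oops.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel's inode, LAYOUTCOMMIT arguments and
 * nfserr_* status codes (numeric values follow the NFSv4 status numbers). */
struct inode { long ino; };
struct nfsd4_layoutcommit { uint32_t lc_layout_type; uint64_t lc_newoffset; };
typedef uint32_t nfsstat_t;
enum { NFS_OK = 0, NFSERR_INVAL = 22, NFSERR_NOTSUPP = 10004, NFSERR_BADLAYOUT = 10042 };

/* Modeled after struct nfsd4_layout_ops: proc_layoutcommit is an optional
 * hook, so a layout type may leave it NULL, as ff_layout_ops does on the page. */
struct nfsd4_layout_ops {
    const char *name;
    nfsstat_t (*proc_layoutcommit)(struct inode *, struct nfsd4_layoutcommit *);
};

static nfsstat_t demo_layoutcommit(struct inode *inode, struct nfsd4_layoutcommit *lcp)
{
    (void)inode;                      /* constructed hook: accept any non-zero offset */
    return lcp->lc_newoffset ? NFS_OK : NFSERR_INVAL;
}

/* Constructed layout-type table: one type implements the hook, one does not. */
enum { LAYOUT_DEMO = 1, LAYOUT_FLEXFILES = 4, LAYOUT_TYPE_MAX = 8 };
static const struct nfsd4_layout_ops demo_ops = { "demo", demo_layoutcommit };
static const struct nfsd4_layout_ops ff_ops   = { "flexfiles", NULL };
static const struct nfsd4_layout_ops *layout_ops[LAYOUT_TYPE_MAX] = {
    [LAYOUT_DEMO] = &demo_ops, [LAYOUT_FLEXFILES] = &ff_ops,
};

/* Guarded dispatch: reject an out-of-range or unregistered layout type, and
 * refuse the operation when the table leaves proc_layoutcommit NULL instead
 * of dereferencing it the way the unguarded call in the report does. */
static nfsstat_t layoutcommit_dispatch(struct inode *inode, struct nfsd4_layoutcommit *lcp)
{
    const struct nfsd4_layout_ops *ops;

    if (lcp->lc_layout_type >= LAYOUT_TYPE_MAX || !layout_ops[lcp->lc_layout_type])
        return NFSERR_BADLAYOUT;
    ops = layout_ops[lcp->lc_layout_type];
    if (!ops->proc_layoutcommit)
        return NFSERR_NOTSUPP;        /* optional hook absent: answer, don't crash */
    return ops->proc_layoutcommit(inode, lcp);
}

int main(void)
{
    struct inode ino = { 42 };
    struct nfsd4_layoutcommit lc = { LAYOUT_DEMO, 4096 };
    printf("%s: %u\n", demo_ops.name, layoutcommit_dispatch(&ino, &lc));
    lc.lc_layout_type = LAYOUT_FLEXFILES;
    printf("%s: %u\n", ff_ops.name, layoutcommit_dispatch(&ino, &lc));
    return 0;
}
```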