I think the bug is caused by the following:

In nfs_dupreq_start, when the state is DUPREQ_START, the following code is entered:

            if (unlikely(dv->state == DUPREQ_START)) {
                status = DUPREQ_BEING_PROCESSED;

Note that in this case req->rq_u1 is not assigned.

Later, the caller of this routine, nfs_rpc_process_request, will check the status, and in the case of DUPREQ_BEING_PROCESSED will break out of the switch statement and jump to freeargs, which will call free_args and then nfs_dupreq_rele. Unfortunately, nfs_dupreq_rele is assuming that req->rq_u1 points to a cache entry, but it was never assigned in this case, leading to dereferencing a null ptr. In 2.6, there was a check to see if res_nfs was assigned before calling nfs_dupreq_rele, but it appears that it was removed in 2.8 and later. The code should either check for req->rq_u1 or res_nfs.

Although we noticed this bug in 2.8.2, from looking at the code it looks like it is also in the tip.

Bill
_______________________________________________
Devel mailing list -- devel@lists.nfs-ganesha.org
To unsubscribe send an email to devel-leave@lists.nfs-ganesha.org