[RH7] sunrpc: fix crash when cache_head become valid before update

Submitted by Pavel Tikhomirov on Sept. 13, 2019, 11:34 a.m.

Details

Message ID 20190913113434.11142-1-ptikhomirov@virtuozzo.com
State New
Series "sunrpc: fix crash when cache_head become valid before update"

Commit Message

Pavel Tikhomirov Sept. 13, 2019, 11:34 a.m.
We added cache_fresh_locked() for the expired cache_head in
sunrpc_cache_lookup() to fix a leak, but that was wrong. This makes the
entry CACHE_VALID, and in svcauth_unix_set_client cache_check returns 0
on this entry (ipm->h) and we start to access ipm->m_client, which is
uninitialized here. It is only initialized after sunrpc_cache_update().

But actually for the leak fix, we only needed to clean up pending
requests for the expired cache_head which is removed from the hash. To do
this it is enough to call cache_fresh_unlocked(), thus triggering
cache_dequeue(), which cleans up pending requests.

Crash backtrace:
[13108726.326291] BUG: unable to handle kernel NULL pointer dereference at 0000000000000074
[13108726.326365] IP: [<ffffffffc01f79eb>] svcauth_unix_set_client+0x2ab/0x520 [sunrpc]
[13108726.326448] PGD 0
[13108726.326468] Oops: 0002 [#1] SMP
[13108726.326497] Modules linked in: nbd isofs xfs loop kpatch_cumulative_81_0_r1(O) xt_physdev nfnetlink_queue bluetooth rfkill ip6table_nat nf_nat_ipv6 ip_vs_wrr ip_vs_wlc ip_vs_sh nf_conntrack_netlink ip_vs_sed ip_vs_pe_sip nf_conntrack_sip ip_vs_nq ip_vs_lc ip_vs_lblcr ip_vs_lblc ip_vs_ftp ip_vs_dh nf_nat_ftp nf_conntrack_ftp iptable_raw xt_recent nf_log_ipv6 xt_hl ip6t_rt nf_log_ipv4 nf_log_common xt_LOG xt_limit xt_TCPMSS xt_tcpmss vxlan ip6_udp_tunnel udp_tunnel xt_statistic xt_NFLOG nfnetlink_log dummy xt_mark xt_REDIRECT nf_nat_redirect raw_diag udp_diag tcp_diag inet_diag netlink_diag af_packet_diag unix_diag rpcsec_gss_krb5 xt_addrtype ip6t_rpfilter ipt_REJECT nf_reject_ipv4 ip6t_REJECT nf_reject_ipv6 ebtable_nat ebtable_broute nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_mangle ip6table_raw nfsv4
[13108726.327173]  dns_resolver cls_u32 binfmt_misc arptable_filter arp_tables ip6table_filter ip6_tables devlink fuse_kio_pcs ipt_MASQUERADE nf_nat_masquerade_ipv4 xt_nat iptable_nat nf_nat_ipv4 xt_comment nf_conntrack_ipv4 nf_defrag_ipv4 xt_wdog_tmo xt_multiport bonding xt_set xt_conntrack iptable_filter iptable_mangle kpatch(O) ebtable_filter ebt_among ebtables ip_set_hash_ip ip_set nfnetlink vfat fat skx_edac intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass fuse pcspkr ses enclosure joydev sg mei_me hpwdt hpilo lpc_ich mei ipmi_si shpchp ipmi_devintf ipmi_msghandler xt_ipvs acpi_power_meter ip_vs_rr nfsv3 nfsd auth_rpcgss nfs_acl nfs lockd grace fscache nf_nat cls_fw sch_htb sch_cbq sch_sfq ip_vs em_u32 nf_conntrack tun br_netfilter veth overlay ip6_vzprivnet ip6_vznetstat ip_vznetstat
[13108726.327817]  ip_vzprivnet vziolimit vzevent vzlist vzstat vznetstat vznetdev vzmon vzdev bridge pio_kaio pio_nfs pio_direct pfmt_raw pfmt_ploop1 ploop ip_tables ext4 mbcache jbd2 sd_mod crc_t10dif crct10dif_generic mgag200 i2c_algo_bit drm_kms_helper scsi_transport_iscsi 8021q syscopyarea sysfillrect garp sysimgblt fb_sys_fops mrp stp ttm llc bnx2x crct10dif_pclmul crct10dif_common crc32_pclmul crc32c_intel drm dm_multipath ghash_clmulni_intel uas aesni_intel lrw gf128mul glue_helper ablk_helper cryptd tg3 smartpqi scsi_transport_sas mdio libcrc32c i2c_core usb_storage ptp pps_core wmi sunrpc dm_mirror dm_region_hash dm_log dm_mod [last unloaded: kpatch_cumulative_82_0_r1]
[13108726.328403] CPU: 35 PID: 63742 Comm: nfsd ve: 51332 Kdump: loaded Tainted: G        W  O   ------------   3.10.0-862.20.2.vz7.73.29 #1 73.29
[13108726.328491] Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 10/02/2018
[13108726.328554] task: ffffa0a6a41b1160 ti: ffffa0c2a74bc000 task.ti: ffffa0c2a74bc000
[13108726.328610] RIP: 0010:[<ffffffffc01f79eb>]  [<ffffffffc01f79eb>] svcauth_unix_set_client+0x2ab/0x520 [sunrpc]
[13108726.328706] RSP: 0018:ffffa0c2a74bfd80  EFLAGS: 00010246
[13108726.328750] RAX: 0000000000000001 RBX: ffffa0a6183ae000 RCX: 0000000000000000
[13108726.328811] RDX: 0000000000000074 RSI: 0000000000000286 RDI: ffffa0c2a74bfcf0
[13108726.328864] RBP: ffffa0c2a74bfe00 R08: ffffa0bab8c22960 R09: 0000000000000001
[13108726.328916] R10: 0000000000000001 R11: 0000000000000001 R12: ffffa0a32aa7f000
[13108726.328969] R13: ffffa0a6183afac0 R14: ffffa0c233d88d00 R15: ffffa0c2a74bfdb4
[13108726.329022] FS:  0000000000000000(0000) GS:ffffa0e17f9c0000(0000) knlGS:0000000000000000
[13108726.329081] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[13108726.332311] CR2: 0000000000000074 CR3: 00000026a1b28000 CR4: 00000000007607e0
[13108726.334606] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[13108726.336754] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[13108726.338908] PKRU: 00000000
[13108726.341047] Call Trace:
[13108726.343074]  [<ffffffff8a2c78b4>] ? groups_alloc+0x34/0x110
[13108726.344837]  [<ffffffffc01f5eb4>] svc_set_client+0x24/0x30 [sunrpc]
[13108726.346631]  [<ffffffffc01f2ac1>] svc_process_common+0x241/0x710 [sunrpc]
[13108726.348332]  [<ffffffffc01f3093>] svc_process+0x103/0x190 [sunrpc]
[13108726.350016]  [<ffffffffc07d605f>] nfsd+0xdf/0x150 [nfsd]
[13108726.351735]  [<ffffffffc07d5f80>] ? nfsd_destroy+0x80/0x80 [nfsd]
[13108726.353459]  [<ffffffff8a2bf741>] kthread+0xd1/0xe0
[13108726.355195]  [<ffffffff8a2bf670>] ? create_kthread+0x60/0x60
[13108726.356896]  [<ffffffff8a9556dd>] ret_from_fork_nospec_begin+0x7/0x21
[13108726.358577]  [<ffffffff8a2bf670>] ? create_kthread+0x60/0x60
[13108726.360240] Code: 4c 8b 45 98 0f 8e 2e 01 00 00 83 f8 fe 0f 84 76 fe ff ff 85 c0 0f 85 2b 01 00 00 49 8b 50 40 b8 01 00 00 00 48 89 93 d0 1a 00 00 <f0> 0f c1 02 83 c0 01 83 f8 01 0f 8e 53 02 00 00 49 8b 44 24 38
[13108726.363769] RIP  [<ffffffffc01f79eb>] svcauth_unix_set_client+0x2ab/0x520 [sunrpc]
[13108726.365530]  RSP <ffffa0c2a74bfd80>
[13108726.367179] CR2: 0000000000000074

https://jira.sw.ru/browse/PSBM-97738

Fixes ec2421405f25 ("sunrpc: cache_head leak due queued request")

Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
---
 net/sunrpc/cache.c | 3 ---
 1 file changed, 3 deletions(-)

Patch

diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
index 7e2e289e4287..c5997990adb6 100644
--- a/net/sunrpc/cache.c
+++ b/net/sunrpc/cache.c
@@ -53,8 +53,6 @@  static void cache_init(struct cache_head *h, struct cache_detail *detail)
 	h->last_refresh = now;
 }
 
-static void cache_fresh_locked(struct cache_head *head, time_t expiry,
-			       struct cache_detail *detail);
 static void cache_fresh_unlocked(struct cache_head *head,
 				 struct cache_detail *detail);
 
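Review bot: Removing the forward declaration of cache_fresh_locked() here leaves only the cache_fresh_unlocked() prototype, which is correct only if the call dropped from sunrpc_cache_lookup() in the next hunk was the sole use of cache_fresh_locked() ahead of its definition. Please confirm with a build that no other early caller remains and say so in the commit message, since the diffstat (3 deletions) gives no other hint.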
@@ -102,7 +100,6 @@  struct cache_head *sunrpc_cache_lookup(struct cache_detail *detail,
 				*hp = tmp->next;
 				tmp->next = NULL;
 				detail->entries --;
-				cache_fresh_locked(tmp, 0, detail);
 				freeme = tmp;
 				break;
 			}
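Review bot: After the removal of `cache_fresh_locked(tmp, 0, detail);`, nothing at `freeme = tmp;` says why the expired entry must stay without CACHE_VALID, and the cache_fresh_unlocked() call that the commit message relies on for cleaning up pending requests is outside the visible context. A short comment at this spot, stating that the entry is deliberately not marked valid (its content may never have been filled in by sunrpc_cache_update()) and that queued requests are dropped through cache_fresh_unlocked() on freeme, would keep the call from being reintroduced.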

Comments

Vasily Averin Sept. 13, 2019, 2:08 p.m.
Did you see commit d58431eacb ("sunrpc: don't mark uninitialised items as VALID.")?
It also fixes your patch, but in some other way.

Is it probably some other issue?

Thank you,
	Vasily Averin


Pavel Tikhomirov Sept. 13, 2019, 2:25 p.m.
On 9/13/19 5:08 PM, Vasily Averin wrote:
> Did you see commit d58431eacb ("sunrpc: don't mark uninitialised items as VALID.")?
> It also fixes your patch, but in some other way.

Haven't seen it. Thanks!

> 
> Is it probably some other issue?

Fixing the same issue. That's the other way to fix it, which I thought of.

But I thought there is no need for cache_fresh_locked at all; we do
cache_fresh_unlocked in cache_clean without a previous cache_fresh_locked.
cache_fresh_locked only updates the expiry_time and last_refresh times
and sets the entry as CACHE_VALID. It appeared that we don't need the
latter, so why do we need the first two?

Vasily Averin Sept. 13, 2019, 2:44 p.m.
On 9/13/19 5:25 PM, Pavel Tikhomirov wrote:
> 
> 
> On 9/13/19 5:08 PM, Vasily Averin wrote:
>> Did you see commit d58431eacb ("sunrpc: don't mark uninitialised items as VALID.")?
>> It also fixes your patch, but in some other way.
> 
> Haven't seen it. Thanks!
> 
>>
>> Is it probably some other issue?
> 
> Fixing the same issue. That's the other way to fix it, which I thought of.
> 
> But I thought there is no need for cache_fresh_locked at all; we do
> cache_fresh_unlocked in cache_clean without a previous cache_fresh_locked.
> cache_fresh_locked only updates the expiry_time and last_refresh times
> and sets the entry as CACHE_VALID. It appeared that we don't need the
> latter, so why do we need the first two?


Ask Neil Brown ? ^:)
 
Pavel Tikhomirov Sept. 16, 2019, 8:26 a.m.
On 9/13/19 5:44 PM, Vasily Averin wrote:
> 
> 
> On 9/13/19 5:25 PM, Pavel Tikhomirov wrote:
>>
>>
>> On 9/13/19 5:08 PM, Vasily Averin wrote:
>>> Did you see commit d58431eacb ("sunrpc: don't mark uninitialised items as VALID.")?
>>> It also fixes your patch, but in some other way.
>>
>> Haven't seen it. Thanks!
>>
>>>
>>> Is it probably some other issue?
>>
>> Fixing the same issue. That's the other way to fix it, which I thought of.
>>
>> But I thought there is no need for cache_fresh_locked at all; we do
>> cache_fresh_unlocked in cache_clean without a previous cache_fresh_locked.
>> cache_fresh_locked only updates the expiry_time and last_refresh times
>> and sets the entry as CACHE_VALID. It appeared that we don't need the
>> latter, so why do we need the first two?
> 
> 
> Ask Neil Brown ? ^:)

Done in separate thread.

>>>> [13108726.328750] RAX: 0000000000000001 RBX: ffffa0a6183ae000 RCX: 0000000000000000
>>>> [13108726.328811] RDX: 0000000000000074 RSI: 0000000000000286 RDI: ffffa0c2a74bfcf0
>>>> [13108726.328864] RBP: ffffa0c2a74bfe00 R08: ffffa0bab8c22960 R09: 0000000000000001
>>>> [13108726.328916] R10: 0000000000000001 R11: 0000000000000001 R12: ffffa0a32aa7f000
>>>> [13108726.328969] R13: ffffa0a6183afac0 R14: ffffa0c233d88d00 R15: ffffa0c2a74bfdb4
>>>> [13108726.329022] FS:  0000000000000000(0000) GS:ffffa0e17f9c0000(0000) knlGS:0000000000000000
>>>> [13108726.329081] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>>>> [13108726.332311] CR2: 0000000000000074 CR3: 00000026a1b28000 CR4: 00000000007607e0
>>>> [13108726.334606] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>>>> [13108726.336754] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>>>> [13108726.338908] PKRU: 00000000
>>>> [13108726.341047] Call Trace:
>>>> [13108726.343074]  [<ffffffff8a2c78b4>] ? groups_alloc+0x34/0x110
>>>> [13108726.344837]  [<ffffffffc01f5eb4>] svc_set_client+0x24/0x30 [sunrpc]
>>>> [13108726.346631]  [<ffffffffc01f2ac1>] svc_process_common+0x241/0x710 [sunrpc]
>>>> [13108726.348332]  [<ffffffffc01f3093>] svc_process+0x103/0x190 [sunrpc]
>>>> [13108726.350016]  [<ffffffffc07d605f>] nfsd+0xdf/0x150 [nfsd]
>>>> [13108726.351735]  [<ffffffffc07d5f80>] ? nfsd_destroy+0x80/0x80 [nfsd]
>>>> [13108726.353459]  [<ffffffff8a2bf741>] kthread+0xd1/0xe0
>>>> [13108726.355195]  [<ffffffff8a2bf670>] ? create_kthread+0x60/0x60
>>>> [13108726.356896]  [<ffffffff8a9556dd>] ret_from_fork_nospec_begin+0x7/0x21
>>>> [13108726.358577]  [<ffffffff8a2bf670>] ? create_kthread+0x60/0x60
>>>> [13108726.360240] Code: 4c 8b 45 98 0f 8e 2e 01 00 00 83 f8 fe 0f 84 76 fe ff ff 85 c0 0f 85 2b 01 00 00 49 8b 50 40 b8 01 00 00 00 48 89 93 d0 1a 00 00 <f0> 0f c1 02 83 c0 01 83 f8 01 0f 8e 53 02 00 00 49 8b 44 24 38
>>>> [13108726.363769] RIP  [<ffffffffc01f79eb>] svcauth_unix_set_client+0x2ab/0x520 [sunrpc]
>>>> [13108726.365530]  RSP <ffffa0c2a74bfd80>
>>>> [13108726.367179] CR2: 0000000000000074
>>>>
>>>> https://jira.sw.ru/browse/PSBM-97738
>>>>
>>>> Fixes ec2421405f25 ("sunrpc: cache_head leak due queued request")
>>>>
>>>> Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
>>>> ---
>>>>    net/sunrpc/cache.c | 3 ---
>>>>    1 file changed, 3 deletions(-)
>>>>
>>>> diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
>>>> index 7e2e289e4287..c5997990adb6 100644
>>>> --- a/net/sunrpc/cache.c
>>>> +++ b/net/sunrpc/cache.c
>>>> @@ -53,8 +53,6 @@ static void cache_init(struct cache_head *h, struct cache_detail *detail)
>>>>    	h->last_refresh = now;
>>>>    }
>>>>    
>>>> -static void cache_fresh_locked(struct cache_head *head, time_t expiry,
>>>> -			       struct cache_detail *detail);
>>>>    static void cache_fresh_unlocked(struct cache_head *head,
>>>>    				 struct cache_detail *detail);
>>>>    
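
Review bot: removing the cache_fresh_locked() prototype here is only safe if the call dropped from sunrpc_cache_lookup() was the last use that precedes the function's definition in cache.c; please confirm with a build that no implicit-declaration warning appears. The cache_fresh_unlocked() prototype that stays is the one the commit message relies on, so it is worth saying in the changelog that the lookup path still calls it ahead of its definition.
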
>>>> @@ -102,7 +100,6 @@ struct cache_head *sunrpc_cache_lookup(struct cache_detail *detail,
>>>>    				*hp = tmp->next;
>>>>    				tmp->next = NULL;
>>>>    				detail->entries --;
>>>> -				cache_fresh_locked(tmp, 0, detail);
>>>>    				freeme = tmp;
>>>>    				break;
>>>>    			}
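
Review bot: after this removal the expired entry is unhashed and handed to freeme with no visible call that cleans up its pending requests; the commit message says cache_fresh_unlocked() does that, but the call sits outside the context lines of this hunk. Please confirm that the freeme path runs cache_fresh_unlocked(freeme, detail) before the reference is dropped, and consider a one-line comment at `freeme = tmp;` saying that the entry must not be marked CACHE_VALID here, because cache_check() would then return 0 on an entry whose content (ipm->m_client) has not been filled in by sunrpc_cache_update().
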
>>>>
>>