HWE kernels: NFSv4.1 NULL pointer dereference

Bug #1939157 reported by Malcolm Scott
This bug affects 2 people
Affects                    Status         Importance   Assigned to   Milestone
linux (Ubuntu)             Fix Released   Undecided    Unassigned
  Focal                    Invalid        Undecided    Unassigned
  Hirsute                  Won't Fix      High         Unassigned
linux-hwe-5.11 (Ubuntu)    New            Undecided    Unassigned
  Focal                    Fix Released   Undecided    Unassigned
  Hirsute                  Invalid        Undecided    Unassigned

Bug Description

Ubuntu 20.04 systems running as NFSv4.1 clients are experiencing crashes (in this case with a NetApp filer mounted):

[ 266.199481] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 266.199495] #PF: supervisor read access in kernel mode
[ 266.199500] #PF: error_code(0x0000) - not-present page
[ 266.199503] PGD 0 P4D 0
[ 266.199511] Oops: 0000 [#1] SMP PTI
[ 266.199518] CPU: 15 PID: 2244 Comm: tracker-extract Not tainted 5.11.0-25-generic #27~20.04.1-Ubuntu
[ 266.199525] Hardware name: Intel Corporation S2600GZ/S2600GZ, BIOS SE5C600.86B.02.06.0006.032420170950 03/24/2017
[ 266.199529] RIP: 0010:pnfs_mark_matching_lsegs_return+0xfe/0x140 [nfsv4]
[ 266.199631] Code: f0 41 80 4d 50 08 49 8b 06 4d 89 f5 4c 39 75 d0 75 9b 8b 45 bc 85 c0 75 3b 48 8b 45 c8 48 8b 50 38 48 83 c0 38 48 39 c2 74 23 <41> 8b 34 24 48 8b 7d c8 44 89 fa e8 42 e0 ff ff 31 c0 48 83 c4 20
[ 266.199637] RSP: 0018:ffffae23a19a7c88 EFLAGS: 00010297
[ 266.199642] RAX: ffffa048621ef238 RBX: ffffa048621ef238 RCX: 0000000000000000
[ 266.199646] RDX: ffffa04847636780 RSI: ffffa04847636780 RDI: ffffa048621ef200
[ 266.199650] RBP: ffffae23a19a7cd0 R08: 0000000000000001 R09: ffffa086febdcc10
[ 266.199653] R10: ffffa0677ffd6b80 R11: 0000000000000003 R12: 0000000000000000
[ 266.199657] R13: ffffa048621ef228 R14: ffffa048621ef228 R15: 0000000000000000
[ 266.199661] FS: 00007f9de3440340(0000) GS:ffffa086febc0000(0000) knlGS:0000000000000000
[ 266.199665] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 266.199669] CR2: 0000000000000000 CR3: 000000012ed86006 CR4: 00000000001706e0
[ 266.199674] Call Trace:
[ 266.199682] _pnfs_return_layout+0x13d/0x2c0 [nfsv4]
[ 266.199755] ? nfs_put_delegation+0x4c/0x70 [nfsv4]
[ 266.199814] nfs4_evict_inode+0x78/0x80 [nfsv4]
[ 266.199870] evict+0xd2/0x180
[ 266.199879] iput+0x18f/0x200
[ 266.199884] nfs_dentry_iput+0x33/0x60 [nfs]
[ 266.199934] dentry_unlink_inode+0xb8/0x110
[ 266.199946] __dentry_kill+0xdf/0x180
[ 266.199953] dput+0x171/0x320
[ 266.199960] do_renameat2+0x387/0x500
[ 266.199968] __x64_sys_rename+0x45/0x50
[ 266.199974] do_syscall_64+0x38/0x90
[ 266.199987] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 266.199996] RIP: 0033:0x7f9de644200b
[ 266.200003] Code: e8 aa ce 0a 00 85 c0 0f 95 c0 0f b6 c0 f7 d8 5d c3 66 0f 1f 44 00 00 b8 ff ff ff ff 5d c3 90 f3 0f 1e fa b8 52 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 51 4e 18 00 f7 d8
[ 266.200008] RSP: 002b:00007ffe70e5f008 EFLAGS: 00000246 ORIG_RAX: 0000000000000052
[ 266.200014] RAX: ffffffffffffffda RBX: 000055a5ed503070 RCX: 00007f9de644200b
[ 266.200018] RDX: 000055a5ed37b940 RSI: 000055a5ed1db250 RDI: 000055a5ed4aea00
[ 266.200022] RBP: 000055a5ed503060 R08: 0000000000000000 R09: 0000000000000000
[ 266.200025] R10: 000000000000000d R11: 0000000000000246 R12: 0000000000000001
[ 266.200029] R13: 000055a5ed503078 R14: 000055a5ed503040 R15: 000055a5ed37b980
[ 266.200036] Modules linked in: nfs_layout_nfsv41_files rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace nfs_ssc fscache intel_rapl_msr intel_rapl_common sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp crct10dif_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper mgag200 rapl joydev input_leds intel_cstate drm_kms_helper ipmi_si ipmi_devintf cec rc_core fb_sys_fops syscopyarea sysfillrect mei_me ipmi_msghandler sysimgblt mei ioatdma mac_hid ip6t_REJECT nf_reject_ipv6 nf_log_ipv6 xt_hl ip6t_rt ipt_REJECT nf_reject_ipv4 xt_comment nf_log_ipv4 nf_log_common xt_addrtype xt_limit xt_LOG xt_recent xt_tcpudp sch_fq_codel xt_state xt_conn

This bug occurs in all recent 20.04 HWE kernels (both 5.8 and 5.11). I believe it is fixed by https://patchwork.kernel.org<email address hidden>/ -- please consider backporting this patch.

(The bug was briefly also present in the 5.4 kernels, but was fixed in 5.4.0-79: see https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1936673)
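An added triage helper, not part of this report or of any Ubuntu tooling: it parses a dmesg excerpt like the one above, checks that the faulting symbol, module and call trace match this bug's signature, and compares the kernel ABI number against the first fixed ABI per series named in the comments on this bug (Ubuntu-5.4.0-80.90, and linux-hwe-5.11 5.11.0-27.29~20.04.1 for the focal HWE kernel). The sample oops is constructed from the lines quoted above; the ABI thresholds are an assumption taken from those comments, using the focal HWE value for 5.11 rather than the Hirsute 5.11.0-26.28 one.

```python
import re

# Constructed sample: the key lines of the oops quoted in the bug description above.
SAMPLE_OOPS = """\
[  266.199481] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  266.199518] CPU: 15 PID: 2244 Comm: tracker-extract Not tainted 5.11.0-25-generic #27~20.04.1-Ubuntu
[  266.199529] RIP: 0010:pnfs_mark_matching_lsegs_return+0xfe/0x140 [nfsv4]
[  266.199674] Call Trace:
[  266.199682]  _pnfs_return_layout+0x13d/0x2c0 [nfsv4]
[  266.199755]  ? nfs_put_delegation+0x4c/0x70 [nfsv4]
[  266.199814]  nfs4_evict_inode+0x78/0x80 [nfsv4]
"""

# Assumed thresholds: first Ubuntu kernel ABI per series carrying the fix, per the comments on
# this bug (Ubuntu-5.4.0-80.90; focal HWE 5.11.0-27.29~20.04.1). The 5.8 HWE series is reported
# as affected but no fixed version is named, so it is left unknown.
FIXED_ABI = {"5.4": 80, "5.11": 27}

RIP_RE = re.compile(r"RIP: \d{4}:(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)-(\d+)-[\w-]+ #\d+")
FRAME_RE = re.compile(r"^\[[^\]]*\]\s+\??\s*(\w+)\+0x", re.M)  # one call-trace frame per line

def parse_oops(text):
    """Extract the faulting symbol, its module, the kernel version and the call trace."""
    rip = RIP_RE.search(text)
    ver = VERSION_RE.search(text)
    return {
        "null_deref": "BUG: kernel NULL pointer dereference" in text,
        "symbol": rip.group(1) if rip else None,
        "module": rip.group(2) if rip else None,
        "version": tuple(int(g) for g in ver.groups()) if ver else None,  # (major, minor, patch, abi)
        "trace": FRAME_RE.findall(text),
    }

def matches_signature(oops):
    """True when the oops is the pNFS layout-return NULL dereference from this report."""
    return (oops["null_deref"]
            and oops["symbol"] == "pnfs_mark_matching_lsegs_return"
            and oops["module"] == "nfsv4"
            and "_pnfs_return_layout" in oops["trace"])

def kernel_is_fixed(version):
    """Compare the running ABI with the first fixed ABI of its series; None if the series is unknown."""
    if version is None:
        return None
    major, minor, _patch, abi = version
    fixed = FIXED_ABI.get(f"{major}.{minor}")
    return None if fixed is None else abi >= fixed
```

Feed it the output of dmesg or the journal from a crashed client; a None result from kernel_is_fixed means the table has no fixed ABI for that series, not that the kernel is safe.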

Stefan Bader (smb) wrote :

This was fixed in Ubuntu-5.4.0-80.90 by:

Author: Anna Schumaker <email address hidden>
Date: Wed May 19 12:54:51 2021 -0400
NFSv4: Fix a NULL pointer dereference in pnfs_mark_matching_lsegs_return()

For 5.11 this is pending release as Ubuntu-5.11.0-26.28 (currently in -proposed).

Changed in linux (Ubuntu):
status: New → Fix Released
Changed in linux (Ubuntu Hirsute):
importance: Undecided → High
status: New → Fix Committed
Tobias Karnat (tobiaskarnat-remondis) wrote :

This affects Focal as well, because the kernel is available as HWE.

The pending release is only for Ubuntu Hirsute yet.

Changed in linux-hwe-5.11 (Ubuntu Hirsute):
status: New → Fix Committed
Changed in linux-hwe-5.11 (Ubuntu Hirsute):
status: Fix Committed → Invalid
Changed in linux-hwe-5.11 (Ubuntu Focal):
status: New → Fix Committed
Changed in linux (Ubuntu Focal):
status: New → Invalid
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal
tags: added: verification-done-focal
removed: verification-needed-focal
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-hwe-5.11 - 5.11.0-27.29~20.04.1

---------------
linux-hwe-5.11 (5.11.0-27.29~20.04.1) focal; urgency=medium

  * focal/linux-hwe-5.11: 5.11.0-27.29~20.04.1 -proposed tracker (LP: #1939554)

  * Update SmartPQI driver (LP: #1933518)
    - scsi: smartpqi: Add support for new product ids
    - scsi: smartpqi: Refactor aio submission code
    - scsi: smartpqi: Refactor scatterlist code
    - scsi: smartpqi: Add support for RAID5 and RAID6 writes
    - scsi: smartpqi: Add support for RAID1 writes
    - scsi: smartpqi: Add support for BMIC sense feature cmd and feature bits
    - scsi: smartpqi: Add support for long firmware version
    - scsi: smartpqi: Align code with oob driver
    - scsi: smartpqi: Add stream detection
    - scsi: smartpqi: Add host level stream detection enable
    - scsi: smartpqi: Disable WRITE SAME for HBA NVMe disks
    - scsi: smartpqi: Remove timeouts from internal cmds
    - scsi: smartpqi: Add support for wwid
    - scsi: smartpqi: Update event handler
    - scsi: smartpqi: Update soft reset management for OFA
    - scsi: smartpqi: Synchronize device resets with mutex
    - scsi: smartpqi: Update suspend/resume and shutdown
    - scsi: smartpqi: Update RAID bypass handling
    - scsi: smartpqi: Update OFA management
    - scsi: smartpqi: Update device scan operations
    - scsi: smartpqi: Fix driver synchronization issues
    - scsi: smartpqi: Convert snprintf() to scnprintf()
    - scsi: smartpqi: Add phy ID support for the physical drives
    - scsi: smartpqi: Update SAS initiator_port_protocols and
      target_port_protocols
    - scsi: smartpqi: Add additional logging for LUN resets
    - scsi: smartpqi: Update enclosure identifier in sysfs
    - scsi: smartpqi: Correct system hangs when resuming from hibernation
    - scsi: smartpqi: Update version to 2.1.8-045
    - scsi: smartpqi: Fix blocks_per_row static checker issue
    - scsi: smartpqi: Fix device pointer variable reference static checker issue
    - scsi: smartpqi: Remove unused functions

  * Hirsute update: upstream stable patchset 2021-06-14 (LP: #1931896) // HWE
    kernels: NFSv4.1 NULL pointer dereference (LP: #1939157)
    - NFSv4: Fix a NULL pointer dereference in pnfs_mark_matching_lsegs_return()

  * REGRESSION: shiftfs lets sendfile fail with EINVAL (LP: #1939301)
    - SAUCE: shiftfs: fix sendfile() invocations

 -- Kleber Sacilotto de Souza <email address hidden> Wed, 11 Aug 2021 16:53:07 +0200

Changed in linux-hwe-5.11 (Ubuntu Focal):
status: Fix Committed → Fix Released
Brian Murray (brian-murray) wrote :

The Hirsute Hippo has reached End of Life, so this bug will not be fixed for that release.

Changed in linux (Ubuntu Hirsute):
status: Fix Committed → Won't Fix