null pointer dereference in nfs_lookup_revalidate
This document (7011866) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 11 SP2
SUSE Linux Enterprise Server 11 SP1
Situation
The system crashes with a kernel Oops reporting
BUG: unable to handle kernel NULL pointer dereference at 0000000000000034
with the faulting instruction inside the NFS client module:
RIP: 0010:[<ffffffffa02a6fe9>] [<ffffffffa02a6fe9>] nfs_lookup_revalidate+0x219/0x500 [nfs]
The backtrace from the crash dump shows the path from the unlink() system call through the NFS silly-rename code into the revalidation callback:
#0 [] machine_kexec at ffffffff81020ac2
#1 [] crash_kexec at ffffffff810887e0
#2 [] oops_end at ffffffff8139f600
#3 [] __bad_area_nosemaphore at ffffffff8102ed15
#4 [] __wake_up at ffffffff8103aa73
#5 [] page_fault at ffffffff8139e87f
[exception RIP: nfs_lookup_revalidate+537]
RIP: ffffffffa0374fe9 RSP: ffff880bd2275c28 RFLAGS: 00010246
RAX: ffff8805f7d2a102 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000009 RSI: 0000000000000001 RDI: ffff880c0e5cdc00
RBP: ffff8805f7d295b0 R8: 0000000000000004 R9: ffff88060e3ba0c0
R10: 0000000000000004 R11: ffffffff81185330 R12: ffff8805faa38500
R13: ffff8805f6eee9b0 R14: ffff8805f6eee800 R15: ffff8805febc0180
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#6 [] nfs_lookup_revalidate at ffffffffa0374f75
#7 [] __put_nfs_open_context at ffffffffa03790f5
#8 [] dput at ffffffff8111279a
#9 [] nfs_lookup_revalidate at ffffffffa037501a
#10 [] bit_waitqueue at ffffffff810657d0
#11 [] nfs_access_get_cached at ffffffffa0372c87
#12 [] nfs_do_access at ffffffffa0373059
#13 [] __lookup_hash at ffffffff811088e6
#14 [] lookup_one_len at ffffffff811095f9
#15 [] nfs_sillyrename at ffffffffa0372043
#16 [] nfs_unlink at ffffffffa0373806
#17 [] vfs_unlink at ffffffff8110a061
#18 [] do_unlinkat at ffffffff8110c8c1
#19 [] mntput_no_expire at ffffffff811199f3
#20 [] filp_close at ffffffff810fd046
#21 [] system_call_fastpath at ffffffff81002f7b
Resolution
Customers running SLES11 SP1 with a Long Term Service Pack Support (LTSS) contract can contact SUSE Technical Services to obtain a PTF (temporary fix) until an LTSS kernel that includes the patch is released.
Cause
Analysis of the Oops showed that lookup_one_len() calls down into the dentry revalidation code with a NULL pointer for struct nameidata.
nfs_lookup_revalidate() receives this NULL as its nd argument and dereferences it without a check. The faulting address 0000000000000034 is a small offset from zero, i.e. the read of a field through the NULL nd pointer rather than a wild pointer. The fix makes nfs_lookup_revalidate() check nd for NULL before using it, since an in-kernel lookup via lookup_one_len() legitimately carries no nameidata.
The bug affects all kernels up to and including 3.5 and was corrected by an upstream patch submitted to kernel.org.
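The following user-space model is an added illustration, not SUSE's or the kernel's code. It reduces the two call paths from the backtrace to their essentials: a normal path walk that carries a struct nameidata, and lookup_one_len(), which passes NULL. The structure layouts, the LOOKUP_OPEN flag value and the "open intent means lazy revalidation" rule are simplified assumptions made for the example; only the shape of the bug and of the fix (a NULL check on nd before the first dereference) is taken from the analysis above.

```c
/* Added illustration (not SUSE's or the kernel's code): a user-space model of
 * why lookup_one_len() -> d_revalidate with nd == NULL crashes, and of the
 * NULL check the fix adds. Struct layouts and flag values are simplified
 * assumptions, not the real kernel definitions. */
#include <stddef.h>
#include <stdio.h>

#define LOOKUP_OPEN 0x0100 /* assumed value; only the bit test matters here */

/* Minimal stand-ins for the kernel structures involved. */
struct nameidata {
    unsigned int flags;
};

struct dentry {
    const char *name;
    int cached_valid; /* 1 if the cached dentry is still believed good */
};

typedef int (*revalidate_fn)(struct dentry *, struct nameidata *);

/* Model of the buggy revalidate: dereferences nd unconditionally.
 * Calling this with nd == NULL is the Oops on this page. */
static int revalidate_buggy(struct dentry *d, struct nameidata *nd)
{
    if (nd->flags & LOOKUP_OPEN) /* NULL dereference when nd == NULL */
        return 1;                /* assumed rule: opens revalidate lazily */
    return d->cached_valid;
}

/* Model of the fixed revalidate: nd may legitimately be NULL when the
 * caller is lookup_one_len(); treat that as "no lookup intent". */
static int revalidate_fixed(struct dentry *d, struct nameidata *nd)
{
    if (nd != NULL && (nd->flags & LOOKUP_OPEN))
        return 1;
    return d->cached_valid;
}

/* Model of lookup_one_len(): an in-kernel lookup (on behalf of
 * nfs_sillyrename in the backtrace) that has no nameidata to pass. */
static int lookup_one_len_model(struct dentry *d, revalidate_fn revalidate)
{
    return revalidate(d, NULL);
}

/* Model of a path-walk caller that does carry a nameidata. */
static int path_walk_model(struct dentry *d, unsigned int flags,
                           revalidate_fn revalidate)
{
    struct nameidata nd = { .flags = flags };
    return revalidate(d, &nd);
}

/* Scenario helpers so each call path can be exercised by name. */
static int scenario_lookup_one_len(int cached_valid)
{
    struct dentry d = { ".nfs000000001234", cached_valid };
    return lookup_one_len_model(&d, revalidate_fixed);
}

static int scenario_open_intent(int cached_valid)
{
    struct dentry d = { "file", cached_valid };
    return path_walk_model(&d, LOOKUP_OPEN, revalidate_fixed);
}

static int scenario_plain_walk(int cached_valid)
{
    struct dentry d = { "file", cached_valid };
    return path_walk_model(&d, 0, revalidate_fixed);
}

int main(void)
{
    struct dentry d = { ".nfs000000001234", 0 };

    /* Path walk with open intent: buggy and fixed versions agree. */
    printf("open intent, buggy: %d\n", path_walk_model(&d, LOOKUP_OPEN, revalidate_buggy));
    printf("open intent, fixed: %d\n", path_walk_model(&d, LOOKUP_OPEN, revalidate_fixed));

    /* lookup_one_len() path: only the fixed version survives. */
    printf("lookup_one_len, fixed: %d\n", lookup_one_len_model(&d, revalidate_fixed));
    /* lookup_one_len_model(&d, revalidate_buggy) would fault at nd->flags,
     * the user-space analogue of the Oops at address 0x34. */
    return 0;
}
```

The check is deliberately placed before the first read of nd, not after it: a d_revalidate implementation cannot assume a nameidata is present, because lookup_one_len() and similar in-kernel callers never construct one. When reviewing a revalidate callback, look for every nd-> access and confirm a NULL test dominates it.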
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7011866
- Creation Date: 01-Mar-2013
- Modified Date:14-Oct-2022
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com