kernel crashes due to NULL pointer dereference bug in the nfsd module
This document (000021042) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 15 SP3
SUSE Linux Enterprise Server 15 SP2
SUSE Linux Enterprise Server 15 SP2
Situation
A SLES15 SP3 system crashes due to NULL pointer dereference bug in the nfsd module.
An example of the crash stack trace in the kernel kdump's "dmesg.txt" is shown below:
[1149777.870651] BUG: kernel NULL pointer dereference, address: 0000000000000010
[1149777.870662] #PF: supervisor write access in kernel mode
[1149777.870665] #PF: error_code(0x0002) - not-present page
[1149777.870666] PGD 0 P4D 0
[1149777.870670] Oops: 0002 [#1] SMP PTI
[1149777.870673] CPU: 1 PID: 28663 Comm: kworker/u4:1 Kdump: loaded Tainted: P OE N 5.3.18-150300.59.68-default #1 SLE15-SP3
[1149777.870677] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 12/12/2018
[1149777.870701] Workqueue: nfsd4 laundromat_main [nfsd]
[1149777.870707] RIP: 0010:_raw_spin_lock+0xc/0x20
[1149777.870710] Code: 01 00 00 75 05 48 89 d8 5b c3 e8 0f 36 7d ff 48 89 d8 5b c3 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90 31 c0 ba 01 00 00 00 <f0> 0f b1 17 75 02 f3 c3 89 c6 e8 d5 1c 7d ff 66 90 c3 66 90 66 66
[1149777.870714] RSP: 0018:ffffb29000773e08 EFLAGS: 00010246
[1149777.870716] RAX: 0000000000000000 RBX: ffffa01f5b749e80 RCX: 0000000000000054
[1149777.870718] RDX: 0000000000000001 RSI: 0000000000000080 RDI: 0000000000000010
[1149777.870720] RBP: 0000000000000010 R08: ffffa01fabea4c98 R09: 8080808080808080
[1149777.870721] R10: ffffb2900008fdc8 R11: fefefefefefefeff R12: ffffa01f5b749eb8
[1149777.870723] R13: ffffa01fabea4d30 R14: ffffa01f5b749ed8 R15: 0000000000000000
[1149777.870725] FS: 0000000000000000(0000) GS:ffffa0203fd00000(0000) knlGS:0000000000000000
[1149777.870727] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[1149777.870729] CR2: 0000000000000010 CR3: 00000001e8064000 CR4: 00000000000006e0
[1149777.870761] Call Trace:
[1149777.870772] unhash_delegation_locked+0x39/0xa0 [nfsd]
[1149777.870781] laundromat_main+0x23e/0x530 [nfsd]
[1149777.870787] process_one_work+0x1f4/0x3e0
[1149777.870790] worker_thread+0x2d/0x3e0
[1149777.870793] ? process_one_work+0x3e0/0x3e0
[1149777.870795] kthread+0x10d/0x130
[1149777.870797] ? kthread_park+0xa0/0xa0
[1149777.870799] ret_from_fork+0x35/0x40
An example of the crash stack trace in the kernel kdump's "dmesg.txt" is shown below:
[1149777.870651] BUG: kernel NULL pointer dereference, address: 0000000000000010
[1149777.870662] #PF: supervisor write access in kernel mode
[1149777.870665] #PF: error_code(0x0002) - not-present page
[1149777.870666] PGD 0 P4D 0
[1149777.870670] Oops: 0002 [#1] SMP PTI
[1149777.870673] CPU: 1 PID: 28663 Comm: kworker/u4:1 Kdump: loaded Tainted: P OE N 5.3.18-150300.59.68-default #1 SLE15-SP3
[1149777.870677] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 12/12/2018
[1149777.870701] Workqueue: nfsd4 laundromat_main [nfsd]
[1149777.870707] RIP: 0010:_raw_spin_lock+0xc/0x20
[1149777.870710] Code: 01 00 00 75 05 48 89 d8 5b c3 e8 0f 36 7d ff 48 89 d8 5b c3 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90 31 c0 ba 01 00 00 00 <f0> 0f b1 17 75 02 f3 c3 89 c6 e8 d5 1c 7d ff 66 90 c3 66 90 66 66
[1149777.870714] RSP: 0018:ffffb29000773e08 EFLAGS: 00010246
[1149777.870716] RAX: 0000000000000000 RBX: ffffa01f5b749e80 RCX: 0000000000000054
[1149777.870718] RDX: 0000000000000001 RSI: 0000000000000080 RDI: 0000000000000010
[1149777.870720] RBP: 0000000000000010 R08: ffffa01fabea4c98 R09: 8080808080808080
[1149777.870721] R10: ffffb2900008fdc8 R11: fefefefefefefeff R12: ffffa01f5b749eb8
[1149777.870723] R13: ffffa01fabea4d30 R14: ffffa01f5b749ed8 R15: 0000000000000000
[1149777.870725] FS: 0000000000000000(0000) GS:ffffa0203fd00000(0000) knlGS:0000000000000000
[1149777.870727] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[1149777.870729] CR2: 0000000000000010 CR3: 00000001e8064000 CR4: 00000000000006e0
[1149777.870761] Call Trace:
[1149777.870772] unhash_delegation_locked+0x39/0xa0 [nfsd]
[1149777.870781] laundromat_main+0x23e/0x530 [nfsd]
[1149777.870787] process_one_work+0x1f4/0x3e0
[1149777.870790] worker_thread+0x2d/0x3e0
[1149777.870793] ? process_one_work+0x3e0/0x3e0
[1149777.870795] kthread+0x10d/0x130
[1149777.870797] ? kthread_park+0xa0/0xa0
[1149777.870799] ret_from_fork+0x35/0x40
Resolution
This bug is fixed in SLES15 SP3 kernel version 5.3.18-150300.59.106.1 or later.
The bug fix is also back ported to SLES15 SP2 LTSS kernel version 5.3.18-150200.24.145.1 or later.
The bug fix is also back ported to SLES15 SP2 LTSS kernel version 5.3.18-150200.24.145.1 or later.
Cause
The issue is caused by a NULL pointer dereference bug in the nfsd module of the kernel.
Status
Top Issue
Additional Information
The release notes for the kernel patches ("SUSE-SLE-Module-Basesystem-15-SP3-2022-3264" and "SUSE-SLE-Product-SLES-15-SP2-LTSS-2023-778") contains the following description:
- nfsd: fix use-after-free due to delegation race
The changelog for the fix in the "kernel-default" package also contains similar description:
# rpm -q --changelog kernel-default
...
- nfsd: fix use-after-free due to delegation race.
- nfsd: fix use-after-free due to delegation race
The changelog for the fix in the "kernel-default" package also contains similar description:
# rpm -q --changelog kernel-default
...
- nfsd: fix use-after-free due to delegation race.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000021042
- Creation Date: 17-Apr-2023
- Modified Date:17-Apr-2023
-
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
