Bug 506730 - sys-kernel/gentoo-sources-3.13.6 - NULL pointer dereference in nfs41_assign_slot
Summary: sys-kernel/gentoo-sources-3.13.6 - NULL pointer dereference in nfs41_assign_slot
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Kernel Bug Wranglers and Kernel Maintainers
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-04-04 09:08 UTC by Henrik Grubbström
Modified: 2014-05-19 15:43 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Henrik Grubbström 2014-04-04 09:08:52 UTC
Sudden panic in normal desktop operation.

Transcribed Oops follows (unfortunately some of the code dump was lost):

BUG: unable to handle kernel NULL pointer dereference at 0000000000000014
IP: [<ffffffff8128b018>] nfs41_assign_slot+0x38/0x60
PGD 0
Oops: 002 [#1] SMP
Modules linked in: x86_pkg_temp_thermal
CPU: 0 PID: 4031 Comm: kworker/0:1 Not tainted 3.13.6-gentoo #2
Hardware name: Gigabyte Technology Co., Ltd. Z68XP-UD3/Z68XP-UD3, BIOS F10 03/20/2012
Workqueue: rpciod rpc_async_schedule
task: ffff8801fbc7c530 ti: ffff8800621a4000 task.ti: ffff8800621a4000
RIP: 0010:[<ffffffff8128b018>]  [<ffffffff8128b018>] nfs41_assign_slot+0x38/0x60
RSP: 0018:ffff8800621a5c58  EFLAGS: 00010246
RAX: 0000000110b5d5f4 RBX: ffff880234ac6098 RCX: ffff880234ac6000
RDX: 0000000000000000 RSI: ffff8800b09eb300 RDI: ffff88002f3ee300
RBP: ffff8800621a5c58 R08: ffff88015f568490 R09: 0000000000000000
R10: dff6fabfa6509f40 R11: ffffea00088d4200 R12: ffff88002f3ee300
R13: ffffffff8128afe0 R14: ffff8800b09eb300 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88023fa00000(0000) knlGS:0000000000000000
CR2: 0000000000000014 CR3: 0000000081d03000 CR4: 00000000000407f0
Stack:
 ffff8800621a5ca8 ffffffff8199218e ffff8800621a5c76 ffffffff8127fc20
 ffff8800621a5cc8 ffff880234ac6000 ffff8800b09eb300 ffff88022350a0d8
 ffffffff819915e0 0000000000000000 ffff8800621a5cb8 ffffffff8128b46a
Call Trace:
 [<ffffffff8199218e>] rpc_wake_up_first+0x5e/0x1a0
 [<ffffffff8127fc20>] ? decode_getfattr+0x10/0x20
 [<ffffffff819915e0>] ? rpc_malloc+0x70/0x70
 [<ffffffff8128b46a>] nfs41_wake_and_assign_slot+0x2a/0x40
 [<ffffffff8127589a>] nfs40_sequence_done.isra.39+0x3a/0x70
 [<ffffffff8127875d>] nfs_write_done+0x1d/0x100
 [<ffffffff81267b5c>] nfs_writeback_done+0x3c/0x1e0
 [<ffffffff819915e0>] ? rpc_malloc+0x70/0x70
 [<ffffffff81267d09>] nfs_writeback_done_common+0x9/0x10
 [<ffffffff81991607>] rpc_exit_task+0x27/0x90
 [<ffffffff81989980>] ? call_transmit+0x270/0x270
 [<ffffffff819923e5>] __rpc_execute+0x75/0x2a0
 [<ffffffff81992635>] rpc_async_schedule+0x25/0x40
 [<ffffffff810605ff>] process_one_work+0x17f/0x420
 [<ffffffff81060ce9>] worker_thread+0x119/0x370
 [<ffffffff81060bd0>] ? rescuer_thread+0x2f0/0x2f0
 [<ffffffff81067634>] kthread+0xc4/0xe0
 [<ffffffff81067570>] ? flush_kthread_worker+0x70/0x70
 [<ffffffff81a5167c>] ret_from_fork+0x7c/0xb0
 [<ffffffff81067570>] ? flush_kthread_worker+0x70/0x70
Code: 57 38 48 8b 81 a8 01 00 00 a8 01 74 09 31 c0 41 f6 40 08 02 74 2f 48 8b 81 80 01 00 00 48 89 46 10 49 89 30 48 8b 05 e8 1f e6 00 <c7> 42 14 ...
RIP  [<ffffffff8128b018>] nfs41_assign_slot+0x38/0x60
 RSP <ffff8800621a5c58>
CR2: 0000000000000014
Kernel panic - not syncing: Fatal exception in interrupt
drm_kms_helper: panic occurred, switching back to text console
Comment 1 Henrik Grubbström 2014-04-10 14:49:01 UTC
Just triggered it again.

Seems to be the exact same backtrace, with just the addresses on the stack differing.
This time I succeeded in capturing the full code dump.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000014
IP: [<ffffffff8128b018>] nfs41_assign_slot+0x38/0x60
PGD 0
Oops: 002 [#1] SMP
Modules linked in: x86_pkg_temp_thermal
CPU: 0 PID: 13823 Comm: kworker/0:1 Not tainted 3.13.6-gentoo #2
Hardware name: Gigabyte Technology Co., Ltd. Z68XP-UD3/Z68XP-UD3, BIOS F10 03/20/2012
Workqueue: rpciod rpc_async_schedule
task: ffff88018f975490 ti: ffff8801772f4000 task.ti: ffff8801772f4000
RIP: 0010:[<ffffffff8128b018>]  [<ffffffff8128b018>] nfs41_assign_slot+0x38/0x60
RSP: 0018:ffff8801772f5c58  EFLAGS: 00010246
RAX: 000000012368e2d6 RBX: ffff8800b1ed8698 RCX: ffff8800b1ed8600
RDX: 0000000000000000 RSI: ffff88022d11c240 RDI: ffff88011f047700
RBP: ffff8801772f5c58 R08: ffff880034ccaa30 R09: 0000000000000000
R10: dff9ab07b03e71c0 R11: 0000000000000000 R12: ffff88011f047700
R13: ffffffff8128afe0 R14: ffff88022d11c240 R15: 0000000000000000
FS:  0000000000000000(0000) GS: ffff88023fa00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000014 CR3: 0000000229415000 CR4: 00000000000407f0
Stack:
 ffff8801772f5ca8 ffffffff8199218e ffff8801772f5c78 ffffffff8127fc20
 ffff8801772f5cc8 ffff8800b1ed8600 ffff88022d11c240 ffff8801773e7358
 ffffffff819915e0 0000000000000000 ffff8801772f5cb8 ffffffff8128b46a
Call Trace:
 [<ffffffff8199218e>] rpc_wake_up_first+0x5e/0x1a0
 [<ffffffff8127fc20>] ? decode_getfattr+0x10/0x20
 [<ffffffff819915e0>] ? rpc_malloc+0x70/0x70
 [<ffffffff8128b46a>] nfs41_wake_and_assign_slot+0x2a/0x40
 [<ffffffff8127589a>] nfs40_sequence_done.isra.39+0x3a/0x70
 [<ffffffff8127875d>] nfs_write_done+0x1d/0x100
 [<ffffffff81267b5c>] nfs_writeback_done+0x3c/0x1e0
 [<ffffffff819915e0>] ? rpc_malloc+0x70/0x70
 [<ffffffff81267d09>] nfs_writeback_done_common+0x9/0x10
 [<ffffffff81991607>] rpc_exit_task+0x27/0x90
 [<ffffffff81989980>] ? call_transmit+0x270/0x270
 [<ffffffff819923e5>] __rpc_execute+0x75/0x2a0
 [<ffffffff81992635>] rpc_async_schedule+0x25/0x40
 [<ffffffff810605ff>] process_one_work+0x17f/0x420
 [<ffffffff81060ce9>] worker_thread+0x119/0x370
 [<ffffffff81060bd0>] ? rescuer_thread+0x2f0/0x2f0
 [<ffffffff81067634>] kthread+0xc4/0xe0
 [<ffffffff81067570>] ? flush_kthread_worker+0x70/0x70
 [<ffffffff81a5167c>] ret_from_fork+0x7c/0xb0
 [<ffffffff81067570>] ? flush_kthread_worker+0x70/0x70
Code: 57 38 48 8b 81 a8 01 00 00 a8 01 74 09 31 c0 41 f6 40 08 02 74 2f 48 8b 81 80 01 00 00 48 89 46 10 49 89 30 48 8b 05 e8 1f e6 00 <c7> 42 14 00 00 00 00 48 89 32 c7 42 10 01 00 00 00 48 89 42 00
RIP  [<ffffffff8128b018>] nfs41_assign_slot+0x38/0x60
 RSP <ffff8801772f5c58>
CR2: 0000000000000014
Kernel panic - not syncing: Fatal exception in interrupt
drm_kms_helper: panic occurred, switching back to text console
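A small triage helper for the dump above, added here as an illustration; it is not code from this bug, from the reporter or from the kernel tree. It reads the oops text, decodes the x86 page-fault error code printed after "Oops:" (bit 0 present/protection, bit 1 write, bit 2 user mode), takes the faulting instruction from the "Code:" line (the byte in angle brackets is the first byte of the instruction at RIP), decodes the two plain `mov` store encodings that occur in that line, and checks that base register plus displacement equals CR2. The sample text is copied from comment 1 and trimmed to the lines the script needs; the decoder deliberately covers only those store forms and returns None for anything else.

```python
"""Triage an x86-64 kernel oops: error code, faulting store, and CR2 check."""
import re

# Sample input: lines from comment 1 of this bug, trimmed to what the helper
# parses (register dump, Oops code and Code: line are verbatim).
OOPS_TEXT = """\
BUG: unable to handle kernel NULL pointer dereference at 0000000000000014
IP: [<ffffffff8128b018>] nfs41_assign_slot+0x38/0x60
Oops: 002 [#1] SMP
RIP: 0010:[<ffffffff8128b018>]  [<ffffffff8128b018>] nfs41_assign_slot+0x38/0x60
RAX: 000000012368e2d6 RBX: ffff8800b1ed8698 RCX: ffff8800b1ed8600
RDX: 0000000000000000 RSI: ffff88022d11c240 RDI: ffff88011f047700
RBP: ffff8801772f5c58 R08: ffff880034ccaa30 R09: 0000000000000000
R10: dff9ab07b03e71c0 R11: 0000000000000000 R12: ffff88011f047700
R13: ffffffff8128afe0 R14: ffff88022d11c240 R15: 0000000000000000
CR2: 0000000000000014 CR3: 0000000229415000 CR4: 00000000000407f0
Code: 57 38 48 8b 81 a8 01 00 00 a8 01 74 09 31 c0 41 f6 40 08 02 74 2f 48 8b 81 80 01 00 00 48 89 46 10 49 89 30 48 8b 05 e8 1f e6 00 <c7> 42 14 00 00 00 00 48 89 32 c7 42 10 01 00 00 00 48 89 42 00
"""

# Page-fault error code bits (the value after "Oops:" is printed in hex).
PF_PROT, PF_WRITE, PF_USER, PF_RSVD, PF_INSTR = 1, 2, 4, 8, 16

# ModRM rm field (plus REX.B) to the register names used in the oops dump.
REGS64 = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI"] + \
         [f"R{i:02d}" for i in range(8, 16)]


def decode_error_code(code):
    """Split the page-fault error code into its flags."""
    return {
        "present": bool(code & PF_PROT),   # 0 = page not present, 1 = protection violation
        "write": bool(code & PF_WRITE),
        "user": bool(code & PF_USER),
        "reserved_bit": bool(code & PF_RSVD),
        "instruction_fetch": bool(code & PF_INSTR),
    }


def parse_registers(text):
    """Collect the 64-bit general registers and CR2/CR3/CR4 from the dump."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b(R[A-Z0-9]{2}|CR[234]):\s*([0-9a-f]{16})", text)}


def parse_code_line(text):
    """Return (bytes before RIP, bytes from RIP onward) from the Code: line."""
    toks = re.search(r"^Code:\s*(.*)$", text, re.M).group(1).split()
    idx = next(i for i, t in enumerate(toks) if t.startswith("<"))
    raw = [int(t.strip("<>"), 16) for t in toks]
    return bytes(raw[:idx]), bytes(raw[idx:])


def decode_store(insn):
    """Decode the memory operand of a simple x86-64 mov store.

    Covers REX.W? 89 /r (register to memory) and REX.W? c7 /0 id (imm32 to
    memory) with a plain base register and an optional disp8/disp32.  SIB,
    RIP-relative and register-to-register forms return None.
    """
    i, rex_w, rex_b = 0, False, False
    if 0x40 <= insn[i] <= 0x4f:                 # REX prefix
        rex_w, rex_b = bool(insn[i] & 8), bool(insn[i] & 1)
        i += 1
    op = insn[i]; i += 1
    if op not in (0x89, 0xc7):
        return None
    modrm = insn[i]; i += 1
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if op == 0xc7 and reg != 0:                 # c7 is only mov with /0
        return None
    if mod == 3 or rm == 4 or (mod == 0 and rm == 5):
        return None
    if mod == 1:
        disp = int.from_bytes(insn[i:i + 1], "little", signed=True)
    elif mod == 2:
        disp = int.from_bytes(insn[i:i + 4], "little", signed=True)
    else:
        disp = 0
    return {"mnemonic": "mov", "base": REGS64[rm + (8 if rex_b else 0)],
            "disp": disp, "width": 8 if rex_w else 4}


def triage(text):
    """Decode the error code and faulting store, and compare with CR2."""
    regs = parse_registers(text)
    err = int(re.search(r"^Oops:\s*([0-9a-f]+)", text, re.M).group(1), 16)
    _, fault_bytes = parse_code_line(text)
    store = decode_store(fault_bytes)
    result = {"error_code": decode_error_code(err), "cr2": regs["CR2"], "insn": store}
    if store is not None:
        ea = (regs[store["base"]] + store["disp"]) & 0xffffffffffffffff
        result["effective_address"] = ea
        result["matches_cr2"] = ea == regs["CR2"]
    return result


if __name__ == "__main__":
    print(triage(OOPS_TEXT))
```

Run against the dump from comment 1 this gives: error code 002, a kernel-mode write to a not-present page; the instruction at RIP is `c7 42 14 00 00 00 00`, a 32-bit `mov $0, 0x14(%rdx)`, and RDX is 0, so the effective address is 0x14, the same value reported as CR2 and in the "NULL pointer dereference at 0000000000000014" line. That consistency check is the first thing worth doing on a transcribed oops, since a copying error in the register dump or Code: line would show up as a mismatch.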
Comment 2 Henrik Grubbström 2014-04-10 14:51:11 UTC
I've now switched kernel to sys-kernel/gentoo-sources-3.14.0 to see if it fixes the problem.
Comment 3 Henrik Grubbström 2014-05-19 14:56:50 UTC
(In reply to Henrik Grubbström from comment #2)
> I've now switched kernel to sys-kernel/gentoo-sources-3.14.0 to see if it
> fixes the problem.

It seems to have fixed the problem (or at least significantly reduced it):

$ uname -r
3.14.0-gentoo
$ uptime
 16:54:12 up 39 days, 49 min, 42 users,  load average: 0.11, 0.13, 0.20
Comment 4 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2014-05-19 15:43:17 UTC
(In reply to Henrik Grubbström from comment #3)
> It seems to have fixed the problem (or at least significantly reduced it)

Sounds good; this is usually the advice we give first: trying the latest kernel (in git-sources), you might see a fix, which seems to maybe be the case here.

If you can reproduce this again on the latest kernel, then please reopen the bug.