rpcb_getport_async in sunrpc can cause oops on Hardy

Bug #224750 reported by HIRANO Takahito
Affects          Status         Importance   Assigned to   Milestone
linux (Ubuntu)   Fix Released   High         Tim Gardner
Hardy            Fix Released   High         Tim Gardner
Intrepid         Fix Released   High         Tim Gardner

Bug Description

The rpcb_getport_async function in the sunrpc module copies a larger memory area than the one allocated on Ubuntu Hardy.
This can cause an oops.

This bug is derived from Linux 2.6.24 in kernel.org.
It seems to be fixed on Linux 2.6.25 in kernel.org by the commit 86d61d8638ddf9cdf87df26c7fa69b2804425fbe.

HIRANO Takahito (hiranotaka) wrote :

The log message should be like:

Apr 28 11:37:07 suzu kernel: [791867.915427] Unable to handle kernel paging request at ffff88003f68c000 RIP:
Apr 28 11:37:07 suzu kernel: [791867.915445] [memcpy_c+0xb/0x20] memcpy_c+0xb/0x20
Apr 28 11:37:07 suzu kernel: [791867.915455] PGD 1b77067 PUD 1b78067 PMD 1d74067 PTE 0
Apr 28 11:37:07 suzu kernel: [791867.915461] Oops: 0000 [1] SMP
Apr 28 11:37:07 suzu kernel: [791867.915464] CPU 0
Apr 28 11:37:07 suzu kernel: [791867.915467] Modules linked in: fuse nfs lockd nfs_acl sunrpc binfmt_misc rfcomm l2cap bluetooth ppdev parport_pc lp parport autofs4 cpufreq_userspace cpufreq_stats cpufreq_conservative cpufreq_ondemand freq_table cpufreq_powersave ipv6 af_packet aes_x86_64 dm_crypt dm_mod evdev ext2 mbcache
Apr 28 11:37:07 suzu kernel: [791867.915496] Pid: 31236, comm: pidgin Not tainted 2.6.24-16-xen #1
Apr 28 11:37:07 suzu kernel: [791867.915498] RIP: e030:[memcpy_c+0xb/0x20] [memcpy_c+0xb/0x20] memcpy_c+0xb/0x20
Apr 28 11:37:07 suzu kernel: [791867.915502] RSP: e02b:ffff880030341ca0 EFLAGS: 00010246
Apr 28 11:37:07 suzu kernel: [791867.915504] RAX: ffff880040445de0 RBX: ffff880040445dc0 RCX: 0000000000000004
Apr 28 11:37:07 suzu kernel: [791867.915507] RDX: 0000000000000000 RSI: ffff88003f68c000 RDI: ffff880040445e40
Apr 28 11:37:07 suzu kernel: [791867.915509] RBP: ffff88003f076800 R08: 0000000000000000 R09: ffff880040445dc0
Apr 28 11:37:07 suzu kernel: [791867.915512] R10: ffffffff804984a0 R11: 0000000000000000 R12: ffff88003eaeca00
Apr 28 11:37:07 suzu kernel: [791867.915514] R13: ffff880040589080 R14: ffff88003eaecc00 R15: 0000000000000070
Apr 28 11:37:07 suzu kernel: [791867.915518] FS: 00007ff5e4a14950(0000) GS:ffffffff805c6000(0000) knlGS:0000000000000000
Apr 28 11:37:07 suzu kernel: [791867.915520] CS: e033 DS: 0000 ES: 0000
Apr 28 11:37:07 suzu kernel: [791867.915523] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Apr 28 11:37:07 suzu kernel: [791867.915525] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000000
Apr 28 11:37:07 suzu kernel: [791867.915528] Process pidgin (pid: 31236, threadinfo ffff880030340000, task ffff880030306040)
Apr 28 11:37:07 suzu kernel: [791867.915530] Stack: ffffffff881136d3 ffff880040589080 ffffffff8814d670 85e90b856f000002
Apr 28 11:37:07 suzu kernel: [791867.915537] 0000000000000000 0000000000000000 ffff880040589080 ffffffff88119370
Apr 28 11:37:07 suzu kernel: [791867.915542] ffff880040589170 ffff88003dcb3080 ffffffff8810ab8b ffffffff88119370
Apr 28 11:37:07 suzu kernel: [791867.915546] Call Trace:
Apr 28 11:37:07 suzu kernel: [791867.915566] [<ffffffff881136d3>] :sunrpc:rpcb_getport_async+0x1d3/0x3d0
Apr 28 11:37:07 suzu kernel: [791867.915579] [<ffffffff8810ab8b>] :sunrpc:__rpc_execute+0x6b/0x290
Apr 28 11:37:07 suzu kernel: [791867.915592] [<ffffffff88103f86>] :sunrpc:rpc_do_run_task+0x76/0xd0
Apr 28 11:37:07 suzu kernel: [791867.915600] [<ffffffff8813d97a>] :lockd:nlm_gc_hosts+0x5a/0x1d0
Apr 28 11:37:07 suzu kernel: [791867.915611] [<ffffffff88104045>] :sunrpc:rpc_call_sync+0x15/0x40
Apr 28 11:37:07 suzu kernel: [791867.915617] [<ffffffff8813c894>] :lockd:nlmclnt_call+0xd4/0x2e0
Apr 28 11:37:07 suzu kernel: [791867...

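A triage sketch for the oops above, added here as an example; it is not part of the original report or of any Ubuntu tooling. It checks which memcpy register matches the faulting address and builds a call-trace signature of the kind used later in this thread to judge whether two reports are duplicates. The function names are hypothetical, the sample lines are copied (abridged) from the log above, and the register roles assume the x86-64 memcpy convention (RSI source, RDI destination).

```python
import re

# Sample input: lines copied from the oops quoted above, syslog prefix removed.
SAMPLE_OOPS = """\
[791867.915427] Unable to handle kernel paging request at ffff88003f68c000 RIP:
[791867.915445] [memcpy_c+0xb/0x20] memcpy_c+0xb/0x20
[791867.915507] RDX: 0000000000000000 RSI: ffff88003f68c000 RDI: ffff880040445e40
[791867.915566] [<ffffffff881136d3>] :sunrpc:rpcb_getport_async+0x1d3/0x3d0
[791867.915579] [<ffffffff8810ab8b>] :sunrpc:__rpc_execute+0x6b/0x290
"""

FAULT_RE = re.compile(r"Unable to handle kernel paging request at ([0-9a-f]{16})")
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}): ([0-9a-f]{16})")
FRAME_RE = re.compile(
    r"\[<[0-9a-f]{16}>\] :?(?:(\w+):)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")


def triage_oops(text):
    """Classify a memcpy paging fault and extract a call-trace signature."""
    fault = FAULT_RE.search(text)
    if fault is None:
        raise ValueError("no paging-request line found")
    fault_addr = int(fault.group(1), 16)
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    frames = [(mod or "kernel", sym) for mod, sym in FRAME_RE.findall(text)]
    # Assumption: the fault is inside memcpy, so RSI/RDI hold the pointers
    # the copy had reached in the source and destination when it faulted.
    if regs.get("RSI") == fault_addr:
        kind = "read past end of source buffer"
    elif regs.get("RDI") == fault_addr:
        kind = "write past end of destination buffer"
    else:
        kind = "unclassified"
    return {
        "fault_addr": fault_addr,
        "kind": kind,
        # A page-aligned fault address means the copy ran off a mapped page.
        "page_aligned": fault_addr % 4096 == 0,
        "caller": frames[0] if frames else None,
        "signature": tuple(sym for _, sym in frames),
    }


def likely_duplicate(a, b, depth=2):
    """Two triaged oopses match if fault kind and innermost frames agree."""
    return (a["kind"] == b["kind"]
            and a["signature"][:depth] == b["signature"][:depth])
```

On the log above this reports a read past the end of the source buffer, with `rpcb_getport_async` in `sunrpc` as the calling frame.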

HIRANO Takahito (hiranotaka) wrote :

And the patch.

description: updated
Tim Gardner (timg-tpi) wrote :

Test kernel linux_2.6.24-17.31ubuntu2 at http://ppa.launchpad.net/timg-tpi/ubuntu

Changed in linux:
assignee: nobody → timg-tpi
importance: Undecided → High
milestone: none → ubuntu-8.04.1
status: New → In Progress
HIRANO Takahito (hiranotaka) wrote :

The binary packages of 2.6.24-17.31ubuntu2 don't seem to exist.
Is something wrong?

Tim Gardner (timg-tpi) wrote :

You can test using linux_2.6.24-17.32ubuntu5, which is a superset. If you need the -17 LUM you'll have to build it, because the -17 header packages have not bubbled into the archive (which prevents building LUM in the PPA).

HIRANO Takahito (hiranotaka) wrote :

Thank you. 17.32ubuntu5 works very well so far.

Tim Gardner (timg-tpi) wrote :

SRU Justification:

Impact: NFS client can cause kernel oops

Fix Description: The rpcb_getport_async function in the sunrpc module copies a larger memory area than the one allocated on Ubuntu Hardy. Because of this problem, NFS users might encounter an oops. This bug is derived from Linux 2.6.24 in kernel.org. It seems to be fixed on Linux 2.6.25 in kernel.org by the commit 86d61d8638ddf9cdf87df26c7fa69b2804425fbe.

Patch: http://kernel.ubuntu.com/git?p=ubuntu/ubuntu-hardy.git;a=commit;h=f180b030afa2df41482b990ac502c64d51a7492c

TEST CASE: https://lists.ubuntu.com/archives/kernel-team/2008-May/002397.html

Tim Gardner (timg-tpi) wrote :
Changed in linux:
status: In Progress → Fix Committed
Changed in linux:
assignee: nobody → timg-tpi
importance: Undecided → High
status: New → Fix Committed
Steve Langasek (vorlon)
Changed in linux:
milestone: ubuntu-8.04.1 → none
Changed in linux:
milestone: none → ubuntu-8.04.1
Martin Pitt (pitti) wrote :

Accepted into -proposed, please test and give feedback here

Steve Langasek (vorlon) wrote :

I routinely use hardy as an NFSv3 client. I never observed this sunrpc oops, so I can't say whether it's fixed, but so far I also don't have any problems with the -19 kernel as an NFS client either; so if no one else has any negative feedback on the change, this looks ok to push.

Martin Pitt (pitti) wrote :

Copied to hardy-updates. The new kernel was tested extensively by many people, who reported back in other bug reports. Due to lack of feedback, this particular bug was not confirmed to be tested, though. Please report back here if the bug still occurs for you with the new kernel packages, then we will reopen this bug.

Changed in linux:
status: Fix Committed → Fix Released
Daniel J Blueman (danielblueman) wrote :

For the record, I can no longer reproduce the rpcb_getport_async crash that I was seeing frequently with the updated kernel; great work!

Leann Ogasawara (leannogasawara) wrote :

Also marking this "Fix Released" for Intrepid. Thanks.

Changed in linux:
status: Fix Committed → Fix Released
Xoby (xoby) wrote :

I think I still have the bug on Hardy even with the updated kernel (2.6.24-19-generic).

When I copied a big file (800M) from an NFS share (NFS4+Kerberos), the copy did not work (see dmesg output as attachment).

Steve Langasek (vorlon) wrote : Re: [Bug 224750] Re: rpcb_getport_async in sunrpc can cause oops on Hardy

On Mon, Jul 21, 2008 at 12:33:17AM -0000, Xoby wrote:
> I think I still have the bug on Hardy even with the updated kernel
> (2.6.24-19-generic).

Your crash does not appear to be related to this one, the kernel backtrace
is altogether different. Please open a separate bug report.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
<email address hidden> <email address hidden>

Martin Pitt (pitti) wrote :

Xoby [2008-07-21 0:33 -0000]:
> I think I still have the bug on Hardy even with the updated kernel
> (2.6.24-19-generic).

That's not the updated kernel from this SRU. You want
2.6.14-20-generic. Unfortunately linux-meta hasn't been updated yet,
so you need to install it by hand (don't forget linux-ubuntu-modules
and linux-restricted-modules).

Xoby (xoby) wrote : Re: [Bug 224750] Re: rpcb_getport_async in sunrpc can cause oops on Hardy

On Mon, Jul 21, 2008 at 01:23:04AM -0000, Steve Langasek wrote:
> Your crash does not appear to be related to this one, the kernel backtrace
> is altogether different. Please open a separate bug report.

It already exists, it's bug 212485 [1] "After viewing a film on an
nfs4 share for about 20 minutes ... with a similar kernel
backtrace". But as 212485 is marked as a duplicate of 224750 it seemed
the good place to answer ...

[1] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/212485

Steve Langasek (vorlon) wrote : Re: [Bug 224750] Re: rpcb_getport_async in sunrpc can cause oops on Hardy

On Mon, Jul 21, 2008 at 10:13:33AM -0000, Xoby wrote:

> It already exists, it's bug 212485

Ok, I'm unmarking that bug as a duplicate, since the backtraces between the
two are different and don't appear to have the same cause.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
<email address hidden> <email address hidden>
