[Bug 242012] [NEW] BUG: Oops when trying to use NFS with autofs

Rich Rincebrain at gmail.com
Sat Jun 21 23:16:54 UTC 2008


Public bug reported:

I was using NFSv3 happily with my Ubuntu Hardy client from my Ubuntu
Gutsy server, and I received a Permission denied error when trying to
copy some stuff over - no big deal, log into the server and chown the
entire directory.

Then NFS for that mountpoint stopped responding, as did most stat-
involving commands anywhere on my client's filesystem (ls in
particular). df reported the space for all of my mount points but
claimed that this particular mount point had vanished (I had two mounts
from the Gutsy server, one was fine and the other reported No such file
or directory from df).

I checked dmesg, and discovered that I had a BUG and Oops waiting for
me. The stack might be crap, I can't tell, but as far as I can see
ip4_datagram_connect can't call do_mount unless there's a function
pointer I missed.

[ 2359.637798] BUG: unable to handle kernel NULL pointer dereference at virtual address 0000006a
[ 2359.637810] printing eip: c01a7c39 *pde = 00000000 
[ 2359.637819] Oops: 0000 [#1] SMP 
[ 2359.637824] Modules linked in: udf binfmt_misc af_packet ipv6 ppdev autofs4 sbs sbshc speedstep_centrino dock cpufreq_userspace cpufreq_stats container cpufreq_powersave cpufreq_ondemand freq_table cpufreq_conservative nfs lockd nfs_acl sunrpc iptable_filter ip_tables x_tables sbp2 parport_pc lp parport pcmcia joydev snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm_oss snd_pcm snd_mixer_oss nvidia(P) video output i2c_core snd_seq_dummy snd_seq_oss ipw2200 sdhci snd_seq_midi ieee80211 serio_raw snd_rawmidi snd_seq_midi_event yenta_socket ieee80211_crypt mmc_core rsrc_nonstatic pcmcia_core snd_seq button battery snd_timer snd_seq_device ac snd intel_agp shpchp soundcore dcdbas agpgart pci_hotplug evdev iTCO_wdt iTCO_vendor_support snd_page_alloc psmouse ext3 jbd mbcache sg sr_mod cdrom sd_mod ata_piix pata_acpi ahci b44 ata_generic libata ohci1394 scsi_mod ieee1394 ssb mii ehci_hcd uhci_hcd usbcore raid10 raid456 async_xor async_memcpy async_tx xor raid1 raid0 multipath linear md_mod dm_mirror dm_snapshot dm_mod thermal processor fan fbcon tileblit font bitblit softcursor fuse
[ 2359.637962] 
[ 2359.637968] Pid: 13553, comm: mount.nfs Tainted: P        (2.6.24-19-generic #1)
[ 2359.637975] EIP: 0060:[<c01a7c39>] EFLAGS: 00010206 CPU: 0
[ 2359.637985] EIP is at graft_tree+0x39/0xf0
[ 2359.637990] EAX: d0a05f68 EBX: ffffffec ECX: 00000000 EDX: f288ff2c
[ 2359.637995] ESI: f29eb280 EDI: f288ff2c EBP: 00000023 ESP: f288fe04
[ 2359.638000]  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[ 2359.638006] Process mount.nfs (pid: 13553, ti=f288e000 task=f284e5c0 task.ti=f288e000)
[ 2359.638011] Stack: f288ff2c f288ff30 f29eb280 c01a7fd2 00200006 f29eb280 f3561000 f29b4000 
[ 2359.638024]        c01a90eb 00000000 f35d1000 00000023 f288feac 00000000 f36c1d80 c02eb79c 
[ 2359.638035]        00000001 df9ba9e0 df9ba980 f79dadd0 00000025 e6c78300 0000014e f780713c 
[ 2359.638047] Call Trace:
[ 2359.638063]  [<c01a7fd2>] do_add_mount+0x72/0x100
[ 2359.638087]  [<c01a90eb>] do_mount+0x5fb/0x700
[ 2359.638114]  [<c02eb79c>] ip4_datagram_connect+0x23c/0x370
[ 2359.638154]  [<c016da2f>] find_lock_page+0x2f/0xb0
[ 2359.638182]  [<c016ff76>] filemap_fault+0x216/0x420
[ 2359.638197]  [<c021ad80>] copy_to_user+0x30/0x60
[ 2359.638229]  [<c012103d>] kunmap_atomic+0x3d/0xb0
[ 2359.638273]  [<c01206ad>] fixup_exception+0x1d/0x60
[ 2359.638333]  [<c01730d0>] __alloc_pages+0x60/0x3a0
[ 2359.638349]  [<c031df80>] do_page_fault+0x0/0x730
[ 2359.638400]  [<c01a79f0>] copy_mount_options+0x40/0x140
[ 2359.638428]  [<c01a9807>] sys_mount+0x77/0xb0
[ 2359.638455]  [<c01043c2>] sysenter_past_esp+0x6b/0xa9
[ 2359.638487]  [<c0310000>] unix_stream_sendmsg+0x1a0/0x390
[ 2359.638517]  =======================
[ 2359.638520] Code: 04 89 c6 89 7c 24 08 8b 40 14 89 d7 8b 40 30 85 c0 79 11 89 d8 8b 74 24 04 8b 1c 24 8b 7c 24 08 83 c4 0c c3 8b 02 b3 ec 8b 48 0c <0f> b7 41 6a 25 00 f0 00 00 3d 00 40 00 00 8b 46 10 0f 94 c2 8b 
[ 2359.638575] EIP: [<c01a7c39>] graft_tree+0x39/0xf0 SS:ESP 0068:f288fe04
[ 2359.638614] ---[ end trace f0b6cb7e9db89d85 ]---

Server is running 2.6.22-14-386, client is running 2.6.24-19-generic.

This is probably a security vulnerability, as it means a remote,
untrusted machine (I had root_squash and no authentication enabled on
the server/client) can cause severe DoS to clients. Not marking as such,
though, because I'm not sure.

** Affects: linux-meta (Ubuntu)
     Importance: Undecided
         Status: New

-- 
BUG: Oops when trying to use NFS with autofs
https://bugs.launchpad.net/bugs/242012
You received this bug notification because you are a member of Kernel
Bugs, which is subscribed to linux-meta in ubuntu.
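
As an added example, not part of the original bug report: the following Python decodes the faulting instruction marked <0f> in the Code: line of the oops above and checks that its memory operand, evaluated with the dumped registers, reproduces the reported fault address 0000006a. The function name triage and the narrow decoder (movzx/mov loads with a register-plus-disp8 operand only) are choices made for this example.

```python
import re

# Excerpt of the oops on this page: fault address, registers, tail of the Code: line.
OOPS = """\
[ 2359.637798] BUG: unable to handle kernel NULL pointer dereference at virtual address 0000006a
[ 2359.637985] EIP is at graft_tree+0x39/0xf0
[ 2359.637990] EAX: d0a05f68 EBX: ffffffec ECX: 00000000 EDX: f288ff2c
[ 2359.637995] ESI: f29eb280 EDI: f288ff2c EBP: 00000023 ESP: f288fe04
[ 2359.638520] Code: 8b 02 b3 ec 8b 48 0c <0f> b7 41 6a 25 00 f0 00 00 3d 00 40 00 00
"""

REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]  # ModRM encoding order


def triage(oops):
    """Return symbol, fault address and the decoded faulting memory operand."""
    fault = int(re.search(r"virtual address ([0-9a-f]{8})", oops).group(1), 16)
    symbol = re.search(r"EIP is at (\S+)", oops).group(1)
    regs = {n: int(v, 16) for n, v in re.findall(r"\b(E[A-Z]{2}): ([0-9a-f]{8})", oops)}
    # <xx> marks the first byte of the instruction at EIP.
    code = re.search(r"Code:.*?<([0-9a-f]{2})>((?: [0-9a-f]{2})+)", oops)
    insn = bytes.fromhex(code.group(1) + code.group(2).replace(" ", ""))
    result = {"symbol": symbol, "fault": fault, "operand": None, "matches": False}
    # Narrow decoder: only 0F B6/B7 (movzx) and 8B (mov load) with a
    # [reg + disp8] operand (ModRM mod=01, rm != 100 so no SIB byte).
    if insn[:2] in (b"\x0f\xb6", b"\x0f\xb7"):
        modrm, disp = insn[2], insn[3]
    elif insn[:1] == b"\x8b":
        modrm, disp = insn[1], insn[2]
    else:
        return result
    mod, rm = modrm >> 6, modrm & 7
    if mod != 1 or rm == 4:
        return result
    disp = disp - 256 if disp > 127 else disp  # disp8 is sign-extended
    base = REG32[rm]
    result["operand"] = f"{disp:#x}({base})"
    result["base_value"] = regs[base]
    # The computed effective address should equal the reported fault address.
    result["matches"] = ((regs[base] + disp) & 0xFFFFFFFF) == fault
    return result


if __name__ == "__main__":
    print(triage(OOPS))
```

Here the operand decodes to 0x6a(ECX) with ECX = 00000000, so the fault is a 16-bit read at offset 0x6a from a NULL pointer inside graft_tree. That conclusion rests only on the EIP, register and Code: lines, not on the call trace entries.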



