RHEL6: kernel crash with RIP memcpy called from sunrpc code xdr_skb_read_bits

  • The kernel crashed inside a memcpy in sunrpc code called from the TCP receive data path.
  • The system crashed with the following message, which shows the RIP in memcpy called from xdr_skb_read_bits:
general protection fault: 0000 [#1] SMP 
last sysfs file: /sys/devices/pci0000:00/0000:00:05.0/local_cpus
CPU 0 
Modules linked in: fuse iptable_mangle iptable_nat nf_nat nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 bridge stp llc iptable_filter ip_tables openafs(P)(U) autofs4 nfs fscache nfs_acl auth_rpcgss lockd sunrpc sg microcode virtio_console virtio_net i2c_piix4 i2c_core ext4 mbcache jbd2 virtio_blk sr_mod cdrom virtio_pci virtio_ring virtio pata_acpi ata_generic ata_piix dm_mirror dm_region_hash dm_log dm_mod [last unloaded: mperf]

Pid: 7818, comm: cp Tainted: P           ---------------    2.6.32-279.14.1.el6.x86_64 #1 Red Hat RHEV Hypervisor
RIP: 0010:[<ffffffff8127e5ab>]  [<ffffffff8127e5ab>] memcpy+0xb/0x120
RSP: 0018:ffff880028203868  EFLAGS: 00010246
RAX: 9248ac92a847a000 RBX: 000000000000047c RCX: 000000000000001e
RDX: 0000000000000000 RSI: ffff88015ad81990 RDI: 9248ac92a847a000
RBP: ffff8800282038d0 R08: 0000000000000000 R09: 9248ac92a847a000
R10: 000000000000512c R11: 0000000000000002 R12: 000000000000012c
R13: ffff8801107781c0 R14: 000000000000021c R15: 00000000000000f0
FS:  00007f5237ab57a0(0000) GS:ffff880028200000(0000) knlGS:00000000f779d830
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00007f502ef2f000 CR3: 000000012dde9000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
Process cp (pid: 7818, threadinfo ffff88011e76c000, task ffff8801c07eeae0)
 ffffffff814314e3 ffff8800282038c0 ffffffff8143fb2c ffff880028203900
<d> ffffffff00000000 9248ac92a847a000 0000000000000000 ffff88041023bc00
<d> ffff8800282039c0 000000000000047c 0000000000001000 ffff88041034f498
Call Trace:
 [<ffffffff814314e3>] ? skb_copy_bits+0x63/0x2e0
 [<ffffffff8143fb2c>] ? dev_queue_xmit+0x19c/0x6f0
 [<ffffffffa015c83b>] xdr_skb_read_bits+0x3b/0x60 [sunrpc]
 [<ffffffffa015c55f>] xdr_partial_copy_from_skb+0xbf/0x240 [sunrpc]
 [<ffffffffa015c800>] ? xdr_skb_read_bits+0x0/0x60 [sunrpc]
 [<ffffffffa0160414>] xs_tcp_data_recv+0x6a4/0xba0 [sunrpc]
 [<ffffffff81481db6>] tcp_read_sock+0x106/0x230
 [<ffffffffa015fd70>] ? xs_tcp_data_recv+0x0/0xba0 [sunrpc]
 [<ffffffffa015ee52>] xs_tcp_data_ready+0x72/0xb0 [sunrpc]
 [<ffffffff81484cae>] ? __tcp_ack_snd_check+0x5e/0xa0
 [<ffffffff8148a314>] tcp_rcv_established+0x294/0x800
 [<ffffffff81492463>] tcp_v4_do_rcv+0x2e3/0x430
 [<ffffffffa0038557>] ? ipv4_confirm+0x87/0x1d0 [nf_conntrack_ipv4]
 [<ffffffff81493d1e>] tcp_v4_rcv+0x4fe/0x8d0
 [<ffffffff814718d0>] ? ip_local_deliver_finish+0x0/0x2d0
 [<ffffffff814719ad>] ip_local_deliver_finish+0xdd/0x2d0
 [<ffffffff81471c38>] ip_local_deliver+0x98/0xa0
 [<ffffffff814710fd>] ip_rcv_finish+0x12d/0x440
 [<ffffffff81471685>] ip_rcv+0x275/0x350
 [<ffffffff8143adcb>] __netif_receive_skb+0x49b/0x6f0
 [<ffffffff8143d048>] netif_receive_skb+0x58/0x60
 [<ffffffffa013355d>] virtnet_poll+0x5ed/0x8e0 [virtio_net]
 [<ffffffff8143f7a3>] net_rx_action+0x103/0x2f0
 [<ffffffffa01320b9>] ? skb_recv_done+0x39/0x40 [virtio_net]
 [<ffffffff81073f61>] __do_softirq+0xc1/0x1e0
 [<ffffffff810dbb60>] ? handle_IRQ_event+0x60/0x170
 [<ffffffff8100c24c>] call_softirq+0x1c/0x30
 [<ffffffff8100de85>] do_softirq+0x65/0xa0
 [<ffffffff81073d45>] irq_exit+0x85/0x90
 [<ffffffff81506365>] do_IRQ+0x75/0xf0
 [<ffffffff8100ba53>] ret_from_intr+0x0/0x11
 [<ffffffff8117cae9>] ? fget_light+0x19/0x90
 [<ffffffff8117bff8>] sys_read+0x28/0x90
 [<ffffffff8100b0f2>] system_call_fastpath+0x16/0x1b
Code: 49 89 70 50 19 c0 49 89 70 58 41 c6 40 4c 04 83 e0 fc 83 c0 08 41 88 40 4d c9 c3 90 90 90 90 90 48 89 f8 89 d1 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 20 48 83 ea 20 4c 8b 06 4c 8b 4e 08 4c 
RIP  [<ffffffff8127e5ab>] memcpy+0xb/0x120
 RSP <ffff880028203868>
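The following Python script is an added example for triaging this kind of report; it is not part of the Red Hat article and not a Red Hat tool. It parses the oops text above (a copy of it is embedded as a constructed sample) to pull out the fault type, kernel version, taint flag, faulting symbol and the first reliable call-trace frame, and it checks whether the pointers memcpy was using are canonical x86-64 addresses. The bytes flagged in the Code: line (<f3> 48 a5) are rep movsq, which copies from RSI to RDI, so at the faulting instruction RDI is the copy destination; 9248ac92a847a000 is not a canonical address, which is why the CPU raised a general protection fault rather than a page fault. The regular expressions assume the RHEL 6 oops layout shown above.

```python
import re

# Excerpt of the oops quoted above, embedded as a constructed sample so the
# parser runs offline (RSP/segment/CR lines and the tail of the trace omitted).
OOPS = """\
general protection fault: 0000 [#1] SMP
Pid: 7818, comm: cp Tainted: P           ---------------    2.6.32-279.14.1.el6.x86_64 #1 Red Hat RHEV Hypervisor
RIP: 0010:[<ffffffff8127e5ab>]  [<ffffffff8127e5ab>] memcpy+0xb/0x120
RAX: 9248ac92a847a000 RBX: 000000000000047c RCX: 000000000000001e
RDX: 0000000000000000 RSI: ffff88015ad81990 RDI: 9248ac92a847a000
Call Trace:
 [<ffffffff814314e3>] ? skb_copy_bits+0x63/0x2e0
 [<ffffffff8143fb2c>] ? dev_queue_xmit+0x19c/0x6f0
 [<ffffffffa015c83b>] xdr_skb_read_bits+0x3b/0x60 [sunrpc]
 [<ffffffffa015c55f>] xdr_partial_copy_from_skb+0xbf/0x240 [sunrpc]
 [<ffffffffa015c800>] ? xdr_skb_read_bits+0x0/0x60 [sunrpc]
 [<ffffffffa0160414>] xs_tcp_data_recv+0x6a4/0xba0 [sunrpc]
 [<ffffffff81481db6>] tcp_read_sock+0x106/0x230
"""

# Regexes written for the RHEL 6 x86_64 oops layout shown above (assumption).
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}): ([0-9a-f]{16})\b")
TAINT_RE = re.compile(r"(?:Tainted: (\S+)\s+-+|Not tainted)\s+(\S+)")
RIP_RE = re.compile(r"^RIP: [0-9a-f]{4}:\[<[0-9a-f]+>\]\s+\[<[0-9a-f]+>\] (\S+)", re.M)
FRAME_RE = re.compile(r"^\s*\[<[0-9a-f]+>\] (\? )?(\S+)(?: \[(\w+)\])?")


def is_canonical(addr, vaddr_bits=48):
    """x86-64 with 4-level paging: bits 63..47 must all equal bit 47.
    Any other value is a non-canonical address, and touching it raises #GP
    (general protection fault) instead of a page fault."""
    top = addr >> (vaddr_bits - 1)                     # the 17 high bits
    return top in (0, (1 << (64 - vaddr_bits + 1)) - 1)


def sym_name(frame):
    """'memcpy+0xb/0x120' -> 'memcpy'."""
    return frame.split("+", 1)[0]


def parse_oops(text):
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    tm, rm = TAINT_RE.search(text), RIP_RE.search(text)
    frames, in_trace = [], False
    for line in text.splitlines():
        if line.startswith("Call Trace:"):
            in_trace = True
            continue
        fm = FRAME_RE.match(line) if in_trace else None
        if fm:
            unreliable, sym, mod = fm.groups()
            # '?' frames are stale stack slots the unwinder could not verify
            frames.append((sym_name(sym), mod, unreliable is None))
    reliable = [(s, m) for s, m, ok in frames if ok]
    return {
        "fault": text.splitlines()[0].split(":", 1)[0],
        "taint": tm.group(1) if tm else None,
        "version": tm.group(2) if tm else None,
        "rip": sym_name(rm.group(1)) if rm else None,
        "rdi_canonical": is_canonical(regs["RDI"]) if "RDI" in regs else None,
        "rsi_canonical": is_canonical(regs["RSI"]) if "RSI" in regs else None,
        "caller": reliable[0] if reliable else None,
        "frames": frames,
    }


def triage(report):
    """Return human-readable findings for a memcpy #GP like the one above."""
    findings = []
    if report["rip"] == "memcpy" and report["fault"].startswith("general protection"):
        # At the faulting 'rep movsq', RDI is the destination and RSI the source.
        if report["rdi_canonical"] is False:
            findings.append("RDI (memcpy destination) is a non-canonical address: "
                            "the destination pointer is not a valid kernel address")
        if report["rsi_canonical"] is False:
            findings.append("RSI (memcpy source) is a non-canonical address")
    if report["caller"]:
        sym, mod = report["caller"]
        findings.append("first reliable caller: %s [%s]" % (sym, mod or "kernel"))
    if report["taint"] and "P" in report["taint"]:
        findings.append("kernel is tainted 'P': a proprietary module is loaded")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_oops(OOPS)):
        print(finding)
```

Run against the full oops the script reports the non-canonical RDI, names xdr_skb_read_bits in sunrpc as the first reliable frame, and flags the proprietary-module taint; the unreliable "?" frames (skb_copy_bits, dev_queue_xmit) are kept in the frame list but not treated as callers.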


  • Red Hat Enterprise Linux 6
    • 2.6.32-279.14.1.el6
  • NFS

