RHEL6: NFS client system crashed when processing a readdir response - memcpy crashes with 'BUG: unable to handle kernel NULL pointer dereference at (null)'

Solution Verified - Updated -

Issue

  • memcpy crashes with BUG: unable to handle kernel NULL pointer dereference at (null)
  • NFS3 client crashed processing a readdir response with inside the following call chain: nfs_readdir_page_filler -> nfs3_decode_dirent -> xdr_inline_decode -> memcpy
BUG: unable to handle kernel NULL pointer dereference at (null)
  • Server rebooted abnormally and generated vmcore, following is the backtrace:
RIP: 0010:[<ffffffff812830cb>]  [<ffffffff812830cb>] memcpy+0xb/0x120
RSP: 0018:ffff883d57e9bad0  EFLAGS: 00010246
RAX: ffff880497efc000 RBX: ffff883d57e9bc08 RCX: 000000000afd37a1
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff880497efc000
RBP: ffff883d57e9baf8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000400 R12: 0000000000000004
R13: ffff880497efc000 R14: ffff883d57e9bd08 R15: ffff881064f7d780
FS:  00007f6b174507a0(0000) GS:ffff880028360000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000000 CR3: 0000001e3025e000 CR4: 00000000000407e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process ls (pid: 49211, threadinfo ffff883d57e9a000, task ffff883511c26aa0)
Stack:
 ffffffffa047aa71 ffff883d57e9bcc8 ffff883d57e9bc08 000000009d1deb58
<d> ffff88102da79080 ffff883d57e9bb78 ffffffffa04f8aa6 ffff88000001aec0
<d> ffffffffa046f0b0 0000001057e9bce8 0000000000000000 0000000000000000
Call Trace:
 [<ffffffffa047aa71>] ? xdr_inline_decode+0xb1/0x120 [sunrpc]
 [<ffffffffa04f8aa6>] nfs3_decode_dirent+0x66/0x3d0 [nfs]
 [<ffffffffa046f0b0>] ? rpc_do_put_task+0x30/0x40 [sunrpc]
 [<ffffffffa04df26a>] nfs_readdir_page_filler+0x11a/0x580 [nfs]
 [<ffffffffa04df8d8>] nfs_readdir_xdr_to_array+0x208/0x2b0 [nfs]
 [<ffffffffa04df9a6>] nfs_readdir_filler+0x26/0xa0 [nfs]
 [<ffffffff8111a33e>] ? add_to_page_cache_lru+0x3e/0x50
 [<ffffffff8111bd2b>] do_read_cache_page+0x7b/0x180
 [<ffffffffa04df980>] ? nfs_readdir_filler+0x0/0xa0 [nfs]
 [<ffffffff811961e0>] ? filldir+0x0/0xe0
 [<ffffffff8111be79>] read_cache_page_async+0x19/0x20
 [<ffffffff8111be8e>] read_cache_page+0xe/0x20
 [<ffffffffa04dfb92>] nfs_readdir+0x172/0x5f0 [nfs]
 [<ffffffffa04f8a40>] ? nfs3_decode_dirent+0x0/0x3d0 [nfs]
 [<ffffffff811961e0>] ? filldir+0x0/0xe0
 [<ffffffff81196460>] vfs_readdir+0xc0/0xe0
 [<ffffffff811965e9>] sys_getdents+0x89/0xf0
 [<ffffffff8100b072>] system_call_fastpath+0x16/0x1b
Code: 49 89 70 50 19 c0 49 89 70 58 41 c6 40 4c 04 83 e0 fc 83 c0 08 41 88 40 4d c9 c3 90 90 90 90 90 48 89 f8 89 d1 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 20 48 83 ea 20 4c 8b 06 4c 8b 4e 08 4c 
RIP  [<ffffffff812830cb>] memcpy+0xb/0x120
 RSP <ffff883d57e9bad0>
CR2: 0000000000000000

Environment

  • Red Hat Enterprise Linux 6 (NFS client)
    • any RHEL6.4 kernel-2.6.32-358.*.el6
    • any RHEL6.5 kernel prior to 2.6.32-431.61.2.el6
    • any RHEL6.6 kernel prior to 2.6.32-504.33.2.el6
  • NFS3
  • NFS server
    • seen with RHEL4 and RHEL5 NFS servers
    • any other NFS server which sends 0 bytes in a readdir response

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content