[OpenAFS] NULL pointer dereference

Markus Koeberl spsc-sysadmin@mlist.tugraz.at
Wed, 21 Jan 2015 16:15:34 +0100


Today my client crashed while reading emails with kmail/kontact.
I am using a backported version 1.6.9-2 from Debian jessie which additionally includes the patch for reporting 2TB disk free. We use this version on all our clients starting from 14 Jun 2014 and it's the first time this happened. I guess there is no easy way to reproduce it.
I found nothing relevant in the changelog till 1.6.10-3 and 1.6.11~pre1-1 which are the newest versions for Debian.

dmesg output:

[4367269.820966] BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
[4367269.820971] IP: [<ffffffffa0914240>] afs_linux_dentry_revalidate+0x25/0x46f [openafs]
[4367269.820985] PGD 29aede067 PUD 2695a6067 PMD 0
[4367269.820988] Oops: 0000 [#1] SMP
[4367269.820990] CPU 1
[4367269.820991] Modules linked in: vboxpci(O) vboxnetadp(O) vboxnetflt(O) vboxdrv(O) binfmt_misc nls_cp437 nls_utf8 isofs loop btrfs libcrc32c zlib_deflate ufs qnx4 hfsplus hfs minix ntfs vfat msdos fat jfs reiserfs ext3 jbd efivars snd_seq_dummy pci_stub openafs(P) parport_pc ppdev lp parport bnep rfcomm bluetooth rfkill cpufreq_userspace cpufreq_stats cpufreq_powersave cpufreq_conservative ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi nfsd nfs nfs_acl auth_rpcgss fscache lockd sunrpc fuse xfs ext2 blcr(O) blcr_imports(O) ohci_hcd snd_hda_codec_hdmi snd_hda_codec_realtek psmouse fglrx(P) joydev mxm_wmi evdev snd_hda_intel snd_hda_codec snd_hwdep snd_pcm_oss snd_mixer_oss snd_pcm snd_page_alloc snd_seq_midi snd_seq_midi_event coretemp snd_rawmidi crc32c_intel pcspkr snd_seq serio_raw snd_seq_device snd_timer i2c_i801 i2c_core iTCO_wdt snd iTCO_vendor_support soundcore i7core_edac edac_core asus_atk0110 wmi acpi_cpufreq mperf processor button thermal_sys ext4 crc16 jbd2 mbcache dm_mod md_mod sr_mod ata_generic cdrom usbhid sg hid sd_mod usb_storage crc_t10dif pata_jmicron uhci_hcd e1000 floppy ahci libahci libata ehci_hcd xhci_hcd firewire_ohci scsi_mod usbcore firewire_core crc_itu_t usb_common [last unloaded: vboxdrv]
[4367269.821051]
[4367269.821053] Pid: 13995, comm: kontact Tainted: P           O 3.2.0-4-amd64 #1 Debian 3.2.63-2+deb7u1 System manufacturer System Product Name/P6T
[4367269.821056] RIP: 0010:[<ffffffffa0914240>]  [<ffffffffa0914240>] afs_linux_dentry_revalidate+0x25/0x46f [openafs]
[4367269.821063] RSP: 0018:ffff88005f93dc98  EFLAGS: 00010246
[4367269.821064] RAX: 0000000000000000 RBX: ffff8802c959a200 RCX: ffffc90000002000
[4367269.821065] RDX: 0000000000000041 RSI: 0000000000000000 RDI: ffff8802c959a200
[4367269.821067] RBP: ffff880282255e00 R08: 0000000000000009 R09: ffff8802c959a238
[4367269.821068] R10: ffff8804ad05b9c0 R11: ffff8804ad05b9c0 R12: 0000000000000000
[4367269.821070] R13: ffff88005f93de08 R14: ffff88053323c840 R15: ffff88061736e240
[4367269.821072] FS:  00007f96eaf4c760(0000) GS:ffff88063fc20000(0000) knlGS:0000000000000000
[4367269.821073] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[4367269.821075] CR2: 0000000000000038 CR3: 000000035c3dc000 CR4: 00000000000006e0
[4367269.821076] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[4367269.821078] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[4367269.821079] Process kontact (pid: 13995, threadinfo ffff88005f93c000, task ffff88053323c840)
[4367269.821080] Stack:
[4367269.821082]  ffff8805e9a8bc00 0000000000000008 ffff88005f93dd2c ffffffffa08efbc8
[4367269.821084]  0000000000000000 ffff88005f93dd7c ffff88005f93dd2c 0000000000000040
[4367269.821087]  ffff88061736e240 0000000000000000 0000000000000000 ffff88053323c840
[4367269.821089] Call Trace:
[4367269.821099]  [<ffffffffa08efbc8>] ? afs_AccessOK+0x72/0x166 [openafs]
[4367269.821108]  [<ffffffffa08f01de>] ? afs_access+0x522/0x5bc [openafs]
[4367269.821113]  [<ffffffff8110bfc8>] ? __d_lookup+0x3e/0xce
[4367269.821117]  [<ffffffff81103f55>] ? __lookup_hash.part.29+0x5d/0xa7
[4367269.821119]  [<ffffffff811057bd>] ? lookup_one_len+0xc5/0xd7
[4367269.821125]  [<ffffffffa09113f5>] ? afs_linux_unlink+0x12e/0x334 [openafs]
[4367269.821129]  [<ffffffff81036618>] ? should_resched+0x5/0x23
[4367269.821131]  [<ffffffff811052ac>] ? vfs_unlink+0x68/0xbb
[4367269.821133]  [<ffffffff811061a6>] ? do_unlinkat+0xd0/0x156
[4367269.821136]  [<ffffffff81110e43>] ? mntput_no_expire+0x1e/0xc9
[4367269.821140]  [<ffffffff81355a92>] ? system_call_fastpath+0x16/0x1b
[4367269.821141] Code: 00 48 89 47 70 c3 41 56 41 55 41 54 55 53 48 89 fb 48 81 ec 10 01 00 00 65 48 8b 04 25 28 00 00 00 48 89 84 24 08 01 00 00 31 c0 <f6> 46 38 40 48 c7 84 24 a0 00 00 00 00 00 00 00 0f 85 dd 03 00
[4367269.821159] RIP  [<ffffffffa0914240>] afs_linux_dentry_revalidate+0x25/0x46f [openafs]
[4367269.821165]  RSP <ffff88005f93dc98>
[4367269.821166] CR2: 0000000000000038
[4367269.821168] ---[ end trace 00865b118ab2fd01 ]---

--
Markus Koeberl
Graz University of Technology
Signal Processing and Speech Communication Laboratory
E-mail: markus.koeberl@tugraz.at
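A first-pass triage of the oops above, as an added example (not code from the reporter or from OpenAFS): it parses the BUG, IP, register and Code lines, checks that CR2 agrees with the reported fault address, and classifies the access as a struct field read through a NULL base pointer. The excerpt is constructed from the dmesg quoted above; the register regex and the one-page NULL threshold are assumptions about the standard x86-64 oops layout.

```python
import re

# Constructed excerpt of the oops quoted in the report above (soft line breaks joined).
OOPS = """\
[4367269.820966] BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
[4367269.820971] IP: [<ffffffffa0914240>] afs_linux_dentry_revalidate+0x25/0x46f [openafs]
[4367269.821064] RAX: 0000000000000000 RBX: ffff8802c959a200 RCX: ffffc90000002000
[4367269.821065] RDX: 0000000000000041 RSI: 0000000000000000 RDI: ffff8802c959a200
[4367269.821068] R10: ffff8804ad05b9c0 R11: ffff8804ad05b9c0 R12: 0000000000000000
[4367269.821075] CR2: 0000000000000038 CR3: 000000035c3dc000 CR4: 00000000000006e0
[4367269.821141] Code: 48 89 84 24 08 01 00 00 31 c0 <f6> 46 38 40 48 c7 84 24 a0 00
"""

PAGE_SIZE = 0x1000  # assumption: a fault below the first page is NULL-based, not a wild pointer


def parse_oops(text):
    """Extract the fields a first-pass triage of an x86-64 oops needs."""
    info = {"fault_addr": None, "symbol": None, "sym_off": None, "module": None, "regs": {}}
    m = re.search(r"dereference at ([0-9a-f]+)", text)
    if m:
        info["fault_addr"] = int(m.group(1), 16)
    m = re.search(r"IP: \[<[0-9a-f]+>\] (\S+)\+0x([0-9a-f]+)/0x[0-9a-f]+(?: \[(\w+)\])?", text)
    if m:
        info["symbol"], info["sym_off"], info["module"] = m.group(1), int(m.group(2), 16), m.group(3)
    # General-purpose and control registers appear as NAME: followed by 16 hex digits
    for reg, val in re.findall(r"\b(R[A-Z0-9]{2}|CR\d):\s*([0-9a-f]{16})\b", text):
        info["regs"][reg] = int(val, 16)
    # The <xx> marker in the Code: line is the first byte of the faulting instruction
    m = re.search(r"<([0-9a-f]{2})>((?: [0-9a-f]{2})*)", text)
    info["fault_bytes"] = bytes.fromhex(m.group(1) + m.group(2).replace(" ", "")) if m else b""
    return info


def classify(info):
    """One-line verdict: NULL plus a small offset means a struct field read via a NULL pointer."""
    addr, regs = info["fault_addr"], info["regs"]
    if addr is None or regs.get("CR2") != addr:
        return "fault address missing or disagrees with CR2; do not trust the BUG line"
    if addr >= PAGE_SIZE:
        return f"page fault at 0x{addr:x}: not a NULL dereference, suspect a dangling pointer"
    # Any zero general-purpose register could be the base of the failing field access
    null_regs = sorted(r for r, v in regs.items() if v == 0 and r != "CR2")
    return (f"NULL pointer dereference: field at offset 0x{addr:x} read through a zero base "
            f"register ({', '.join(null_regs)}) in {info['symbol']}+0x{info['sym_off']:x} "
            f"[{info['module']}]; faulting opcode bytes {info['fault_bytes'][:4].hex()}")


if __name__ == "__main__":
    print(classify(parse_oops(OOPS)))
```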