Bug 750247

Summary: [abrt] kernel: [342487.745059] BUG: unable to handle kernel NULL pointer dereference at 0000003c eip: cifs_fill_dirent
Product: [Fedora] Fedora Reporter: Adam G. Metzler <adamgmetzler>
Component: kernelAssignee: Jeff Layton <jlayton>
Status: CLOSED UPSTREAM QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 16CC: gansalmon, itamar, jlayton, jonathan, kernel-maint, madhu.chinakonda, steved
Target Milestone: ---   
Target Release: ---   
Hardware: i686   
OS: Unspecified   
Whiteboard: abrt_hash:db224877c737e3c4df052a073472238dd46252d2
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-11-16 20:26:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
patch -- readd NULL pointer check in cifs_save_resume_key none

Description Adam G. Metzler 2011-10-31 13:15:53 UTC 
libreport version: 2.0.6
abrt_version:   2.0.4.981
cmdline:        BOOT_IMAGE=/vmlinuz-3.1.0-1.fc16.i686 root=/dev/mapper/vg_f16-lv_root ro rd.md=0 rd.dm=0 KEYTABLE=us rd.lvm.lv=vg_f16/lv_swap quiet SYSFONT=latarcyrheb-sun16 rhgb rd.luks=0 LANG=en_US.UTF-8 rd.lvm.lv=vg_f16/lv_root
comment:        I was browseing for an alternative icon for a network share that was mounted in the /media directory. I openened the folder properties of the mount and clicked on the folder icon in the properties window, upon which this kernel error. I was still able to continue browseing to the icon I wished for and select it as expected.
kernel:         undefined
reason:         [342487.745059] BUG: unable to handle kernel NULL pointer dereference at 0000003c
reported_to:    file: /tmp/abrt.log
time:           Mon Oct 31 08:02:25 2011

backtrace:
:[342487.745059] BUG: unable to handle kernel NULL pointer dereference at 0000003c
:[342487.745230] IP: [<f85a5fcc>] cifs_fill_dirent+0xd6/0x152 [cifs]
:[342487.745397] *pde = 792b1067 
:[342487.745467] Oops: 0000 [#1] SMP 
:[342487.745549] Modules linked in: tcp_lp des_generic md4 nls_utf8 cifs fscache ppdev parport_pc lp parport fuse fcoe libfcoe libfc 8021q scsi_transport_fc scsi_tgt garp stp llc ip6t_REJECT nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_ipv6header nf_conntrack_ipv6 nf_conntrack_ipv4 nf_defrag_ipv6 nf_defrag_ipv4 xt_state ip6table_filter nf_conntrack ip6_tables binfmt_misc arc4 b43 snd_hda_codec_idt snd_hda_intel mac80211 cfg80211 snd_hda_codec snd_hwdep b44 ssb snd_seq snd_seq_device snd_pcm mmc_core uinput iTCO_wdt iTCO_vendor_support snd_timer joydev snd dell_laptop soundcore rfkill snd_page_alloc dcdbas mii microcode i915 drm_kms_helper drm i2c_algo_bit i2c_core video [last unloaded: scsi_wait_scan]
:[342487.746009] 
:[342487.746009] Pid: 28378, comm: nautilus Not tainted 3.1.0-1.fc16.i686 #1 Dell Inc. Latitude 120L                   /0HG013
:[342487.746009] EIP: 0060:[<f85a5fcc>] EFLAGS: 00210246 CPU: 0
:[342487.746009] EIP is at cifs_fill_dirent+0xd6/0x152 [cifs]
:[342487.746009] EAX: 00000040 EBX: 00000000 ECX: 00000000 EDX: 00000101
:[342487.746009] ESI: efff7efc EDI: efff7f10 EBP: efff7ef0 ESP: efff7ed4
:[342487.746009]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
:[342487.746009] Process nautilus (pid: 28378, ti=efff6000 task=f17d3ed0 task.ti=efff6000)
:[342487.746009] Stack:
:[342487.746009]  efff7ee4 efff7f14 f858f3d3 015af6db da419780 da419780 da419240 efff7f14
:[342487.746009]  f85a6073 00000001 00000040 00000000 00000000 00000000 00000000 00000000
:[342487.746009]  efff7f68 f85a68ee da4197e0 00000000 00000000 00000000 00020000 00000096
:[342487.746009] Call Trace:
:[342487.746009]  [<f858f3d3>] ? CIFSFindNext+0x295/0x2c3 [cifs]
:[342487.746009]  [<f85a6073>] cifs_save_resume_key+0x2b/0x4a [cifs]
:[342487.746009]  [<f85a68ee>] cifs_readdir+0x357/0x6b1 [cifs]
:[342487.746009]  [<c04f78ac>] ? sys_ioctl+0x6a/0x6a
:[342487.746009]  [<c04f7b63>] vfs_readdir+0x6a/0x8f
:[342487.746009]  [<c04f78ac>] ? sys_ioctl+0x6a/0x6a
:[342487.746009]  [<c04f7cec>] sys_getdents64+0x66/0xa6
:[342487.746009]  [<c081091c>] syscall_call+0x7/0xb
:[342487.746009]  [<c0810000>] ? alarm_timer_nsleep_restart+0xa/0x89
:[342487.746009] Code: c8 ba 02 20 00 00 89 56 04 eb 0d ba 00 10 00 00 e8 7c 5e 02 c8 89 46 04 8b 43 04 89 46 08 8b 43 54 8b 53 58 eb 31 8d 43 40 89 06 <8b> 43 3c 89 46 04 8b 43 04 89 46 08 31 db eb 62 8d 43 44 eb e9 
:[342487.746009] EIP: [<f85a5fcc>] cifs_fill_dirent+0xd6/0x152 [cifs] SS:ESP 0068:efff7ed4
:[342487.746009] CR2: 000000000000003c
:[342487.831054] ---[ end trace 3ab1d8dc91f25673 ]---

event_log:
:2011-10-31-08:08:30> Smolt profile successfully saved
:2011-10-31-08:10:19> Submitting oops report to http://submit.kerneloops.org/submitoops.php
:2011-10-31-08:11:23  Kernel oops has not been sent due to Couldn't connect to server
:2011-10-31-08:11:23* (exited with 1)
:2011-10-31-08:11:23> Logging into Bugzilla at https://bugzilla.redhat.com
:2011-10-31-08:11:24  fatal: XML-RPC(300): RPC failed at server.  The username or password you entered is not valid.
:2011-10-31-08:11:24* (exited with 1)
:2011-10-31-08:11:24> The report was appended to /tmp/abrt.log
:2011-10-31-08:14:32> Smolt profile successfully saved
:2011-10-31-08:14:45> Submitting oops report to http://submit.kerneloops.org/submitoops.php
:2011-10-31-08:15:49  Kernel oops has not been sent due to Couldn't connect to server
:2011-10-31-08:15:49* (exited with 1)

smolt_data:
:
:
:General
:=================================
:UUID: 84468763-3d73-4972-9525-3952818c8ff7
:OS: Fedora release 16 (Verne)
:Default run level: Unknown
:Language: en_US.UTF-8
:Platform: i686
:BogoMIPS: 3457.89
:CPU Vendor: GenuineIntel
:CPU Model: Intel(R) Pentium(R) M processor 1.73GHz
:CPU Stepping: 8
:CPU Family: 6
:CPU Model Num: 13
:Number of CPUs: 1
:CPU Speed: 1733
:System Memory: 2006
:System Swap: 4031
:Vendor: Dell Inc.
:System: Latitude 120L 
:Form factor: Portable
:Kernel: 3.1.0-1.fc16.i686
:SELinux Enabled: 1
:SELinux Policy: targeted
:SELinux Enforce: Enforcing
:MythTV Remote: Unknown
:MythTV Role: Unknown
:MythTV Theme: Unknown
:MythTV Plugin: 
:MythTV Tuner: -1
:
:
:Devices
:=================================
:(5348:17176:4136:5) pci, b43-pci-bridge, NETWORK, Wireless 1370 WLAN Mini-PCI Card
:(5348:5900:4136:459) pci, b44, ETHERNET, BCM4401-B0 100Base-TX
:(32902:9618:4136:459) pci, i915, VIDEO, Mobile 915GM/GMS/910GML Express Graphics Controller
:(32902:10130:4136:459) pci, None, VIDEO, Mobile 915GM/GMS/910GML Express Graphics Controller
:(32902:9824:0:0) pci, pcieport, PCI/PCI, 82801FB/FBM/FR/FW/FRW (ICH6 Family) PCI Express Port 1
:(32902:9793:4136:459) pci, None, PCI/ISA, 82801FBM (ICH6M) LPC Interface Bridge
:(32902:9832:4136:459) pci, snd_hda_intel, MULTIMEDIA, 82801FB/FBM/FR/FW/FRW (ICH6 Family) High Definition Audio Controller
:(32902:9839:4136:459) pci, ata_piix, STORAGE, 82801FB/FBM/FR/FW/FRW (ICH6 Family) IDE Controller
:(32902:9288:4136:459) pci, None, PCI/PCI, 82801 Mobile PCI Bridge
:(32902:9830:0:0) pci, pcieport, PCI/PCI, 82801FB/FBM/FR/FW/FRW (ICH6 Family) PCI Express Port 4
:(32902:9817:4136:459) pci, uhci_hcd, USB, 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB UHCI #2
:(32902:9816:4136:459) pci, uhci_hcd, USB, 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB UHCI #1
:(32902:9616:4136:459) pci, agpgart-intel, HOST/PCI, Mobile 915GM/PM/GMS/910GML Express Processor to DRAM Controller
:(32902:9818:4136:459) pci, uhci_hcd, USB, 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB UHCI #3
:(32902:9819:4136:459) pci, uhci_hcd, USB, 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB UHCI #4
:(32902:9820:4136:459) pci, ehci_hcd, USB, 82801FB/FBM/FR/FW/FRW (ICH6 Family) USB2 EHCI Controller
:
:
:Filesystem Information
:=================================
:device mtpt type bsize frsize blocks bfree bavail file ffree favail
:-------------------------------------------------------------------
:/dev/mapper/vg_f16-lv_root / ext4 4096 4096 8466370 5490377 5404394 2154496 1848569 1848569
:/dev/sda2 /boot ext4 1024 1024 495844 416522 390922 128016 127788 127788
:
Comment 1 Jeff Layton 2011-11-14 12:35:20 UTC 
Hmm, I don't have a 32-bit machine handy...could you follow the directions here to get a listing of the spot where it oopsed?

    http://wiki.samba.org/index.php/LinuxCIFS_troubleshooting#Oopses
Comment 2 Jeff Layton 2011-11-14 15:35:41 UTC 
Ahh, nm -- I needed to upgrade my i686 machine anyway:

(gdb) list *(cifs_fill_dirent+0xd6)
0x1cff0 is in cifs_fill_dirent (fs/cifs/readdir.c:361).
356	
357	static void cifs_fill_dirent_dir(struct cifs_dirent *de,
358			const FILE_DIRECTORY_INFO *info)
359	{
360		de->name = &info->FileName[0];
361		de->namelen = le32_to_cpu(info->FileNameLength);
362		de->resume_key = info->FileIndex;
363	}
364	
365	static void cifs_fill_dirent_full(struct cifs_dirent *de,



Disassembly shows this:

   0x0001cff0 <+214>:	mov    0x3c(%ebx),%eax

...and the oops message shows that %ebx is 0. 3c is the offset of FileNameLength in FILE_DIRECTORY_INFO, so "info" was NULL here.
Comment 3 Jeff Layton 2011-11-14 15:45:21 UTC 
Looking farther down the stack to figure out where cifs_save_resume_key got
called:

(gdb) list *(cifs_readdir+0x357)
0x1d912 is in cifs_readdir (fs/cifs/readdir.c:566).
561		      (rc == 0) && !cifsFile->srch_inf.endOfSearch) {
562			cFYI(1, "calling findnext2");
563			rc = CIFSFindNext(xid, pTcon, cifsFile->netfid,
564					  &cifsFile->srch_inf);
565			cifs_save_resume_key(cifsFile->srch_inf.last_entry, cifsFile);
566			if (rc)
567				return -ENOENT;
568		}
569		if (index_to_find < cifsFile->srch_inf.index_of_last_entry) {
570			/* we found the buffer that contains the entry */
Comment 4 Jeff Layton 2011-11-14 15:49:27 UTC 
CIFSFindNext has this condition:

                        if (CIFSMaxBufSize < lnoff) {
                                cERROR(1, "ignoring corrupt resume name");
                                psrch_inf->last_entry = NULL;
                                return rc;

...so we need to ensure that we can deal with a NULL return in the caller, or fix CIFSFindNext not to do that.
Comment 5 Jeff Layton 2011-11-15 11:26:52 UTC 
Created attachment 533744 [details]
patch -- readd NULL pointer check in cifs_save_resume_key

This patch should fix it. I've gone ahead and sent it upstream. If you're able to reproduce this though, then please test this and let me know if it helps.
Comment 6 Jeff Layton 2011-11-16 20:26:05 UTC 
The final patch is a bit different, but the upstream cifs maintainer has accepted it and should push it to Linus in the near future. I've also cc'ed stable too so this should make its way into stable kernels eventually. I'm going to go ahead and close this with a resolution of UPSTREAM. Please reopen if you wish to discuss it further.