Bug 273541 - NULL Pointer dereference in the kernel when traversing a kerberized autofs mount
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: kernel
Version: 7
Hardware: i686 Linux
Priority: medium
Severity: medium
Assigned To: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-09-01 01:15 EDT by Josh Lange
Modified: 2007-12-04 11:05 EST
Doc Type: Bug Fix
Last Closed: 2007-12-03 21:42:57 EST
Description Josh Lange 2007-09-01 01:15:58 EDT
Description of problem:
unable to handle kernel NULL pointer dereference at virtual address 00000094

Version-Release number of selected component (if applicable):2.6.21-1.3194.fc7


How reproducible: rarely

Steps to Reproduce:
1. setup a kerberos realm, and auto.master and auto.home
2. Make the credentials in the keytab invalid
3. do what I did below
  
Actual results:

[root@YYY ~]# ssh jhlange@fresno
The authenticity of host 'fresno (129.65.240.60)' can't be established.
RSA key fingerprint is 3a:69:1c:15:2d:84:5e:9c:a8:ae:58:f5:58:6b:eb:a2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'fresno' (RSA) to the list of known hosts.
jhlange@fresno's password: 
Last login: Fri Aug 31 21:26:07 2007 from vogon.csc.calpoly.edu
Could not chdir to home directory /home/jhlange: No such file or directory

(disconnected with ~.)

Connection to fresno closed.
[root@YYY ~]# ssh fresno
Last login: Fri Aug 31 21:23:48 2007 from YYY.csc.calpoly.edu
[root@fresno ~]# finger
Login     Name       Tty      Idle  Login Time   Office     Office Phone
root      root       pts/2          Aug 31 21:31 (YYY.csc.calpoly.edu)
[root@fresno ~]# !tail
-bash: !tail: event not found
[root@fresno ~]# tail /var/log/messages
Aug 31 21:30:36 fresno smartd[2416]: Device: /dev/sda, found in smartd database. 
Aug 31 21:30:37 fresno smartd[2416]: Device: /dev/sda, is SMART capable. Adding
to "monitor" list. 
Aug 31 21:30:37 fresno smartd[2416]: Monitoring 1 ATA and 0 SCSI devices 
Aug 31 21:30:37 fresno smartd[2418]: smartd has fork()ed into background mode.
New PID=2418. 
Aug 31 21:30:41 fresno pcscd: winscard.c:219:SCardConnect() Reader E-Gate 0 0
Not Found
Aug 31 21:30:41 fresno last message repeated 3 times
Aug 31 21:30:44 fresno kernel: [drm] Initialized drm 1.1.0 20060810
Aug 31 21:30:44 fresno kernel: [drm] Initialized i915 1.6.0 20060119 on minor 0
Aug 31 21:30:49 fresno gdmgreeter[2574]: The accessibility registry was not found.
Aug 31 21:30:53 fresno automount[1909]: do_mount_indirect: failed to get group
info from getgrgid_r
[root@fresno ~]# tail /var/log/messages
Aug 31 21:30:36 fresno smartd[2416]: Device: /dev/sda, found in smartd database. 
Aug 31 21:30:37 fresno smartd[2416]: Device: /dev/sda, is SMART capable. Adding
to "monitor" list. 
Aug 31 21:30:37 fresno smartd[2416]: Monitoring 1 ATA and 0 SCSI devices 
Aug 31 21:30:37 fresno smartd[2418]: smartd has fork()ed into background mode.
New PID=2418. 
Aug 31 21:30:41 fresno pcscd: winscard.c:219:SCardConnect() Reader E-Gate 0 0
Not Found
Aug 31 21:30:41 fresno last message repeated 3 times
Aug 31 21:30:44 fresno kernel: [drm] Initialized drm 1.1.0 20060810
Aug 31 21:30:44 fresno kernel: [drm] Initialized i915 1.6.0 20060119 on minor 0
Aug 31 21:30:49 fresno gdmgreeter[2574]: The accessibility registry was not found.
Aug 31 21:30:53 fresno automount[1909]: do_mount_indirect: failed to get group
info from getgrgid_r
[root@fresno ~]# tail -f /var/log/secure /var/log/messages &
[1] 2733
[root@fresno ~]# ==> /var/log/secure <==
Aug 31 21:31:13 fresno sshd[2681]: pam_krb5[2681]: flag: no use_shmem
Aug 31 21:31:13 fresno sshd[2681]: pam_krb5[2681]: flag: no external
Aug 31 21:31:13 fresno sshd[2681]: pam_krb5[2681]: flag: warn
Aug 31 21:31:13 fresno sshd[2681]: pam_krb5[2681]: ticket lifetime: 36000
Aug 31 21:31:13 fresno sshd[2681]: pam_krb5[2681]: renewable lifetime: 36000
Aug 31 21:31:13 fresno sshd[2681]: pam_krb5[2681]: banner: Kerberos 5
Aug 31 21:31:13 fresno sshd[2681]: pam_krb5[2681]: ccache dir: /tmp
Aug 31 21:31:13 fresno sshd[2681]: pam_krb5[2681]: keytab: FILE:/etc/krb5.keytab
Aug 31 21:31:13 fresno sshd[2681]: pam_krb5[2681]: no v5 creds for user 'root',
skipping session setup
Aug 31 21:31:13 fresno sshd[2681]: pam_krb5[2681]: pam_open_session returning 0
(Success)

==> /var/log/messages <==
Aug 31 21:30:36 fresno smartd[2416]: Device: /dev/sda, found in smartd database. 
Aug 31 21:30:37 fresno smartd[2416]: Device: /dev/sda, is SMART capable. Adding
to "monitor" list. 
Aug 31 21:30:37 fresno smartd[2416]: Monitoring 1 ATA and 0 SCSI devices 
Aug 31 21:30:37 fresno smartd[2418]: smartd has fork()ed into background mode.
New PID=2418. 
Aug 31 21:30:41 fresno pcscd: winscard.c:219:SCardConnect() Reader E-Gate 0 0
Not Found
Aug 31 21:30:41 fresno last message repeated 3 times
Aug 31 21:30:44 fresno kernel: [drm] Initialized drm 1.1.0 20060810
Aug 31 21:30:44 fresno kernel: [drm] Initialized i915 1.6.0 20060119 on minor 0
Aug 31 21:30:49 fresno gdmgreeter[2574]: The accessibility registry was not found.

[root@fresno ~]# 
[root@fresno ~]# 
[root@fresno ~]# cd /home
[root@fresno home]# ls
[root@fresno home]# kinit jhlange
Password for jhlange@CSC.CALPOLY.EDU: 
[root@fresno home]# cd jhlange
-bash: cd: jhlange: No such file or directory
[root@fresno home]# ls
[root@fresno home]# cd foster

[root@fresno foster]# ls
ls: cannot open directory .: No such file or directory
[root@fresno foster]# cd ..


Aug 31 21:33:14 fresno kernel: BUG: unable to handle kernel NULL pointer
dereference at virtual address 00000094
Aug 31 21:33:14 fresno kernel:  printing eip:
Aug 31 21:33:14 fresno kernel: c047cdf8
Aug 31 21:33:14 fresno kernel: *pde = 00000000
Aug 31 21:33:14 fresno kernel: Oops: 0000 [#1]
Aug 31 21:33:14 fresno kernel: SMP 
Aug 31 21:33:14 fresno kernel: last sysfs file: /class/drm/card0/dev
Aug 31 21:33:14 fresno kernel: Modules linked in: i915 drm cbc blkcipher nfs
lockd nfs_acl autofs4 hidp rfcomm l2cap bluetooth vmnet(P)(U) vmmon(P)(U)
rpcsec_gss_krb5 auth_rpcgss des sunrpc dm_mirror dm_multipath dm_mod video sbs
i2c_ec button dock battery ac ipv6 lp loop e100 mii serio_raw parport_pc
snd_intel8x0 snd_ac97_codec ac97_bus snd_seq_dummy snd_seq_oss
snd_seq_midi_event floppy snd_seq parport sr_mod cdrom snd_seq_device iTCO_wdt
iTCO_vendor_support i2c_i810 snd_pcm_oss snd_mixer_oss i2c_algo_bit snd_pcm
i2c_core snd_timer snd soundcore pcspkr snd_page_alloc sg ata_piix ata_generic
libata sd_mod scsi_mod ext3 jbd mbcache ehci_hcd ohci_hcd uhci_hcd
Aug 31 21:33:14 fresno kernel: CPU:    0
Aug 31 21:33:14 fresno kernel: EIP:    0060:[<c047cdf8>]    Tainted: P       VLI
Aug 31 21:33:14 fresno kernel: EFLAGS: 00210202   (2.6.21-1.3194.fc7 #1)
Aug 31 21:33:14 fresno kernel: EIP is at __link_path_walk+0x43/0xc2c
Aug 31 21:33:14 fresno kernel: eax: cef36954   ebx: debde140   ecx: c1475c40  
edx: df1da000
Aug 31 21:33:14 fresno kernel: esi: 00000000   edi: cef36954   ebp: d4b55f5c  
esp: d4b55e5c
Aug 31 21:33:14 fresno kernel: ds: 007b   es: 007b   fs: 00d8  gs: 0033  ss: 0068
Aug 31 21:33:14 fresno kernel: Process bash (pid: 2687, ti=d4b55000
task=d33dc0f0 task.ti=d4b55000)
Aug 31 21:33:14 fresno kernel: Stack: df1da000 00000803 00200046 de4bb3d8
c16ce804 00000001 bfb699a4 00000000 
Aug 31 21:33:14 fresno kernel:        bfb699fc c0404257 00000000 d33dc0f0
fffffffe bfd72447 00000006 df1da006 
Aug 31 21:33:14 fresno kernel:        d9d1aec0 fffffffe debde140 d4b55f5c
cef36954 d9d1aec0 c047da25 df1da000 
Aug 31 21:33:14 fresno kernel: Call Trace:
Aug 31 21:33:14 fresno kernel:  [<c0404257>] setup_sigcontext+0x10b/0x18b
Aug 31 21:33:14 fresno kernel:  [<c047da25>] link_path_walk+0x44/0xb3
Aug 31 21:33:14 fresno kernel:  [<c0451069>] audit_syscall_exit+0x294/0x2b0
Aug 31 21:33:14 fresno kernel:  [<c0407d2e>] do_syscall_trace+0xbb/0xc2
Aug 31 21:33:14 fresno kernel:  [<c047dd1d>] do_path_lookup+0x172/0x1c2
Aug 31 21:33:14 fresno kernel:  [<c047cc0f>] getname+0x59/0xad
Aug 31 21:33:14 fresno kernel:  [<c047e4dc>] __user_walk_fd+0x2f/0x40
Aug 31 21:33:14 fresno kernel:  [<c047e629>] __user_walk+0x14/0x16
Aug 31 21:33:14 fresno kernel:  [<c0474ea5>] sys_chdir+0x15/0x54
Aug 31 21:33:14 fresno kernel:  [<c0451069>] audit_syscall_exit+0x294/0x2b0
Aug 31 21:33:14 fresno kernel:  [<c0407d2e>] do_syscall_trace+0xbb/0xc2
Aug 31 21:33:14 fresno kernel:  [<c0404f70>] syscall_call+0x7/0xb
Aug 31 21:33:14 fresno kernel:  =======================
Aug 31 21:33:14 fresno kernel: Code: 8b 14 24 8a 02 3c 2f 74 f4 84 c0 0f 84 6a
0b 00 00 8b 45 00 83 7d 1c 00 8b 70 0c 74 0a 83 64 24 04 04 83 4c 24 04 01 83 4d
14 04 <8b> 86 94 00 00 00 66 8b 5e 6e 85 c0 74 0a 83 78 34 00 0f 85 d0 
Aug 31 21:33:14 fresno kernel: EIP: [<c047cdf8>] __link_path_walk+0x43/0xc2c
SS:ESP 0068:d4b55e5c








Expected results:
no panic

Additional info:

permissions on the nfsv4 host:
[root@YYY home]# stat foster
  File: `foster'
  Size: 4096            Blocks: 16         IO Block: 4096   directory
Device: 811h/2065d      Inode: 1610832743  Links: 38
Access: (0751/drwxr-x--x)  Uid: ( 8671/  foster)   Gid: (  350/CSC_Users)
Access: 2007-08-25 18:15:38.000000000 -0700
Modify: 2006-07-06 17:42:27.000000000 -0700
Change: 2007-08-31 21:04:07.169185000 -0700
[root@YYY home]# stat jhlange
  File: `jhlange'
  Size: 8192            Blocks: 32         IO Block: 4096   directory
Device: 811h/2065d      Inode: 2147483840  Links: 110
Access: (0711/drwx--x--x)  Uid: (24026/ jhlange)   Gid: (  350/CSC_Users)
Access: 2007-08-31 21:52:06.106185000 -0700
Modify: 2007-08-31 21:30:44.277185000 -0700
Change: 2007-08-31 21:30:44.277185000 -0700
[root@YYY home]# getfacl foster 
# file: foster
# owner: foster
# group: CSC_Users
user::rwx
user:apache:r-x
group::--x
mask::r-x
other::--x

[root@YYY home]# getfacl jhlange
# file: jhlange
# owner: jhlange
# group: CSC_Users
user::rwx
user:apache:r-x                 #effective:--x
group::--x
mask::--x
other::--x



my auto.home (executable map):
#!/bin/sh

echo "-fstype=nfs4,sec=krb5 xxx.csc.calpoly.edu:/home/$1"
##END


my auto.master:
/home /etc/auto.home



SYSTEM CONFIGURATION (exact duplicate system, booted at the same time, in the
same state):
[root@colusa home]# cat /proc/meminfo 
MemTotal:       507164 kB
MemFree:         68812 kB
Buffers:         95344 kB
Cached:         156088 kB
SwapCached:         52 kB
Active:         267792 kB
Inactive:        71356 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:       507164 kB
LowFree:         68812 kB
SwapTotal:     1052216 kB
SwapFree:      1052160 kB
Dirty:              32 kB
Writeback:           0 kB
AnonPages:       87664 kB
Mapped:          37060 kB
Slab:            32372 kB
SReclaimable:    23048 kB
SUnreclaim:       9324 kB
PageTables:       3992 kB
NFS_Unstable:        0 kB
Bounce:              0 kB
CommitLimit:   1305796 kB
Committed_AS:   310736 kB
VmallocTotal:   516088 kB
VmallocUsed:      5268 kB
VmallocChunk:   510224 kB
HugePages_Total:     0
HugePages_Free:      0
HugePages_Rsvd:      0
Hugepagesize:     4096 kB
[root@colusa home]# cat /proc/cpuinfo 
processor       : 0
vendor_id       : GenuineIntel
cpu family      : 15
model           : 2
model name      : Intel(R) Pentium(R) 4 CPU 2.40GHz
stepping        : 7
cpu MHz         : 2392.064
cache size      : 512 KB
fdiv_bug        : no
hlt_bug         : no
f00f_bug        : no
coma_bug        : no
fpu             : yes
fpu_exception   : yes
cpuid level     : 2
wp              : yes
flags           : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat
pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe up cid xtpr
bogomips        : 4786.47
clflush size    : 64

[root@colusa home]# lspci -v
00:00.0 Host bridge: Intel Corporation 82845G/GL[Brookdale-G]/GE/PE DRAM
Controller/Host-Hub Interface (rev 01)
        Flags: bus master, fast devsel, latency 0
        Memory at f8000000 (32-bit, prefetchable) [size=64M]
        Capabilities: [e4] Vendor Specific Information

00:02.0 VGA compatible controller: Intel Corporation 82845G/GL[Brookdale-G]/GE
Chipset Integrated Graphics Device (rev 01) (prog-if 00 [VGA])
        Subsystem: Compaq Computer Corporation Evo D510 SFF
        Flags: bus master, fast devsel, latency 0, IRQ 16
        Memory at f0000000 (32-bit, prefetchable) [size=128M]
        Memory at fc400000 (32-bit, non-prefetchable) [size=512K]
        Capabilities: [d0] Power Management version 1

00:1d.0 USB Controller: Intel Corporation 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M)
USB UHCI Controller #1 (rev 01) (prog-if 00 [UHCI])
        Subsystem: Compaq Computer Corporation Unknown device 00b9
        Flags: bus master, medium devsel, latency 0, IRQ 16
        I/O ports at 2440 [size=32]

00:1d.1 USB Controller: Intel Corporation 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M)
USB UHCI Controller #2 (rev 01) (prog-if 00 [UHCI])
        Subsystem: Compaq Computer Corporation Unknown device 00b9
        Flags: bus master, medium devsel, latency 0, IRQ 17
        I/O ports at 2460 [size=32]

00:1d.7 USB Controller: Intel Corporation 82801DB/DBM (ICH4/ICH4-M) USB2 EHCI
Controller (rev 01) (prog-if 20 [EHCI])
        Subsystem: Compaq Computer Corporation Unknown device 00b9
        Flags: bus master, medium devsel, latency 0, IRQ 18
        Memory at fc480000 (32-bit, non-prefetchable) [size=1K]
        Capabilities: [50] Power Management version 2
        Capabilities: [58] Debug port

00:1e.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev 81) (prog-if 00
[Normal decode])
        Flags: bus master, fast devsel, latency 0
        Bus: primary=00, secondary=05, subordinate=05, sec-latency=64
        I/O behind bridge: 00001000-00001fff
        Memory behind bridge: fc500000-fc7fffff

00:1f.0 ISA bridge: Intel Corporation 82801DB/DBL (ICH4/ICH4-L) LPC Interface
Bridge (rev 01)
        Flags: bus master, medium devsel, latency 0

00:1f.1 IDE interface: Intel Corporation 82801DB (ICH4) IDE Controller (rev 01)
(prog-if 8a [Master SecP PriP])
        Subsystem: Compaq Computer Corporation Unknown device 00b9
        Flags: bus master, medium devsel, latency 0, IRQ 19
        I/O ports at 01f0 [size=8]
        I/O ports at 03f4 [size=1]
        I/O ports at 0170 [size=8]
        I/O ports at 0374 [size=1]
        I/O ports at 24a0 [size=16]
        Memory at 20000000 (32-bit, non-prefetchable) [size=1K]

00:1f.5 Multimedia audio controller: Intel Corporation 82801DB/DBL/DBM
(ICH4/ICH4-L/ICH4-M) AC'97 Audio Controller (rev 01)
        Subsystem: Compaq Computer Corporation Unknown device 00ad
        Flags: bus master, medium devsel, latency 0, IRQ 21
        I/O ports at 2000 [size=256]
        I/O ports at 2400 [size=64]
        Memory at fc480400 (32-bit, non-prefetchable) [size=512]
        Memory at fc480600 (32-bit, non-prefetchable) [size=256]
        Capabilities: [50] Power Management version 2

05:08.0 Ethernet controller: Intel Corporation 82801DB PRO/100 VM (LOM) Ethernet
Controller (rev 81)
        Subsystem: Compaq Computer Corporation Unknown device 0012
        Flags: bus master, medium devsel, latency 66, IRQ 20
        Memory at fc500000 (32-bit, non-prefetchable) [size=4K]
        I/O ports at 1000 [size=64]
        Capabilities: [dc] Power Management version 2
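
Added example, not part of the original report: a Python triage helper that decodes the byte marked <8b> in the oops "Code:" line and checks the resulting memory operand against the register dump and the reported fault address. The OOPS text is an excerpt of the trace above with wrapped lines rejoined; the triage() name is hypothetical, and the decoder is assumed to need only the 32-bit "8b" mov form with a disp8/disp32 operand and no SIB byte.

```python
import re

# Excerpt of the oops in this report (wrapped lines rejoined, Code: line shortened).
OOPS = """\
BUG: unable to handle kernel NULL pointer dereference at virtual address 00000094
EIP is at __link_path_walk+0x43/0xc2c
eax: cef36954   ebx: debde140   ecx: c1475c40   edx: df1da000
esi: 00000000   edi: cef36954   ebp: d4b55f5c   esp: d4b55e5c
Code: 83 4c 24 04 01 83 4d 14 04 <8b> 86 94 00 00 00 66 8b 5e 6e 85 c0 74 0a
"""

# x86 32-bit register numbering as used in the ModRM byte.
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def triage(oops):
    """Decode the faulting instruction and compare it with the fault address."""
    fault = int(re.search(r"virtual address ([0-9a-f]{8})", oops).group(1), 16)
    regs = {r: int(v, 16) for r, v in re.findall(r"\b(e[a-z]{2}): ([0-9a-f]{8})", oops)}
    code = re.search(r"Code: (.*)", oops).group(1)
    # The kernel brackets the byte at EIP with <..>; decode from that byte on.
    ins = bytes.fromhex(code[code.index("<"):].replace("<", "").replace(">", ""))
    opcode, modrm = ins[0], ins[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if opcode != 0x8B or mod not in (1, 2) or rm == 4:
        return None  # only "mov r32, [reg+disp]" without a SIB byte is handled
    size = 1 if mod == 1 else 4
    disp = int.from_bytes(ins[2:2 + size], "little", signed=True)
    base = REG32[rm]
    effective = (regs[base] + disp) & 0xFFFFFFFF
    return {
        "insn": f"mov {REG32[reg]}, [{base}{disp:+#x}]",
        "base": base,
        "base_is_null": regs[base] == 0,
        "offset": disp,
        "matches_fault": effective == fault,
    }

if __name__ == "__main__":
    print(triage(OOPS))
```

For this trace the result shows a read through a NULL base pointer in esi at structure offset 0x94, which is exactly the reported fault address 00000094.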
Comment 1 Josh Lange 2007-09-01 02:03:40 EDT
It turns out the reason the system couldn't mount these directories is that
permissions were accidentally changed on our nfs server (not that the kerberos
credential was invalid, I was investigating this mount problem when this panic
occurred):

our /etc/exports file:
/u1   gss/krb5(root_squash,sync,rw,fsid=0)


permissions:
[root@YYY u1]# pwd
/u1
[root@YYY u1]# ls -lh
total 180K
drw-r--r-- 4206 root root  96K Aug 30 22:56 home
Comment 2 Christopher Brown 2007-10-01 10:47:05 EDT
Hello,

I'm reviewing this bug as part of the kernel bug triage project, an attempt to
isolate current bugs in the Fedora kernel.

http://fedoraproject.org/wiki/KernelBugTriage

I am CC'ing myself to this bug and will try and assist you in resolving it if I can.

There hasn't been much activity on this bug for a while and your comments
indicate it might be appropriate to close this issue NOTABUG. Could you advise
whether this is indeed the case?

If the problem no longer exists then please close this bug or I'll do so in a
few days if there is no additional information lodged.
Comment 3 Jeff Moyer 2007-12-04 11:05:45 EST
Any kernel oops is a bug, so NOTABUG is really not the right resolution.

Josh, did you close this because the problem is addressed in more recent kernels?

Thanks!
