Bug 570044 - kernel panic when rmmod and insmod rpcsec_gss_krb5 module
Summary: kernel panic when rmmod and insmod rpcsec_gss_krb5 module
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 5.6
Assignee: Harshula Jayasuriya
QA Contact: Boris Ranto
URL:
Whiteboard:
Depends On:
Blocks: 557597
 
Reported: 2010-03-03 03:35 UTC by Harshula Jayasuriya
Modified: 2018-11-14 17:53 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-01-13 20:37:25 UTC
Target Upstream Version:
Embargoed:


Attachments
Patch (1.60 KB, patch)
2010-03-03 04:09 UTC, Harshula Jayasuriya


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2011:0017 | 0 | normal | SHIPPED_LIVE | Important: Red Hat Enterprise Linux 5.6 kernel security and bug fix update | 2011-01-13 10:37:42 UTC

Description Harshula Jayasuriya 2010-03-03 03:35:21 UTC
Description of problem:

The kernel panics when an already inserted rpcsec_gss_krb5 kernel module is removed (rmmod) and re-inserted (insmod or modprobe). The bug has already been fixed in the upstream mainline kernel.

Version-Release number of selected component (if applicable):
* RHEL 5.4
* kernel-2.6.18-164.el5

How reproducible:
* Always

Steps to Reproduce:
1. Make sure the kernel module "rpcsec_gss_krb5" is inserted
2. rmmod rpcsec_gss_krb5
3. modprobe rpcsec_gss_krb5

Actual results:
* Kernel Panic

Expected results:
* The kernel module rpcsec_gss_krb5 should be inserted and the kernel should not panic.

Additional info:

* Oops message:
------------------------------------------------------------
Unable to handle kernel paging request at 000000000dca2015 RIP: 
 [<ffffffff883cc0fc>] :sunrpc:auth_domain_put+0x23/0x4d
PGD 16520067 PUD 16b4d067 PMD 0 
Oops: 0002 [1] SMP 
last sysfs file: /block/dm-1/range
CPU 0 
Modules linked in: rpcsec_gss_krb5 auth_rpcgss autofs4 hidp rfcomm l2cap bluetooth lockd sunrpc ip6t_REJECT xt_tcpudp ip6table_filter ip6_tables x_tables ipv6 xfrm_nalgo crypto_api dm_multipath scsi_dh video hwmon backlight sbs i2c_ec button battery asus_acpi acpi_memhotplug ac parport_pc lp parport floppy 8139too virtio_pci 8139cp i2c_piix4 ide_cd virtio_ring i2c_core virtio mii cdrom serio_raw pcspkr dm_raid45 dm_message dm_region_hash dm_mem_cache dm_snapshot dm_zero dm_mirror dm_log dm_mod ata_piix libata sd_mod scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd
Pid: 2657, comm: insmod Not tainted 2.6.18-164.el5 #1
RIP: 0010:[<ffffffff883cc0fc>]  [<ffffffff883cc0fc>] :sunrpc:auth_domain_put+0x23/0x4d
RSP: 0000:ffff810016181ed8  EFLAGS: 00010202
RAX: 12b1801529ba3cc8 RBX: ffff81001ca8b900 RCX: ffff81001ca8b908
RDX: 000000000dca2015 RSI: ffffffff883e5a40 RDI: ffffffff883e5a40
RBP: ffff810016e9f5a0 R08: 73732f6b72623508 R09: ffff810016e9f5a9
R10: 0000000000000000 R11: 0000000000000000 R12: 000000000005f373
R13: ffffffff8849c127 R14: 0000000000000000 R15: ffffffff8848ae3e
FS:  00002b97168ca210(0000) GS:ffffffff803c0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 000000000dca2015 CR3: 0000000016912000 CR4: 00000000000006e0
Process insmod (pid: 2657, threadinfo ffff810016180000, task ffff810014bc3100)
Stack:  ffff81001ca8b900 ffffffff88488b1b ffff810016e9f5a0 ffffffff8849d440
 ffffffff8849d3a0 ffffffff88487e60 ffff81001d56b040 ffffffff8849d500
 00000000127b5030 000000000000bb98 00000000127b5050 0000000000010000
Call Trace:
 [<ffffffff88488b1b>] :auth_rpcgss:svcauth_gss_register_pseudoflavor+0x86/0x9c
 [<ffffffff88487e60>] :auth_rpcgss:gss_mech_register+0x8e/0x112
 [<ffffffff8825f00d>] :rpcsec_gss_krb5:init_kerberos_module+0xd/0x25
 [<ffffffff800a5a2e>] sys_init_module+0xaf/0x1f2
 [<ffffffff8005d28d>] tracesys+0xd5/0xe0


Code: 48 89 02 74 04 48 89 50 08 48 c7 41 08 00 02 20 00 48 8b 43 
RIP  [<ffffffff883cc0fc>] :sunrpc:auth_domain_put+0x23/0x4d
 RSP <ffff810016181ed8>
------------------------------------------------------------

------------------------------------------------------------
crash> bt
PID: 2657   TASK: ffff810014bc3100  CPU: 0   COMMAND: "insmod"
 #0 [ffff810016181c30] crash_kexec at ffffffff800ac5b9
 #1 [ffff810016181cf0] __die at ffffffff80065127
 #2 [ffff810016181d30] do_page_fault at ffffffff80066da7
 #3 [ffff810016181e20] error_exit at ffffffff8005dde9
    [exception RIP: auth_domain_put+35]
    RIP: ffffffff883cc0fc  RSP: ffff810016181ed8  RFLAGS: 00010202
    RAX: 12b1801529ba3cc8  RBX: ffff81001ca8b900  RCX: ffff81001ca8b908
    RDX: 000000000dca2015  RSI: ffffffff883e5a40  RDI: ffffffff883e5a40
    RBP: ffff810016e9f5a0   R8: 73732f6b72623508   R9: ffff810016e9f5a9
    R10: 0000000000000000  R11: 0000000000000000  R12: 000000000005f373
    R13: ffffffff8849c127  R14: 0000000000000000  R15: ffffffff8848ae3e
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0000
 #4 [ffff810016181ed0] auth_domain_put at ffffffff883cc0e9
 #5 [ffff810016181ee0] svcauth_gss_register_pseudoflavor at ffffffff88488b1b
 #6 [ffff810016181f00] gss_mech_register at ffffffff88487e60
 #7 [ffff810016181f50] sys_init_module at ffffffff800a5a2e
 #8 [ffff810016181f80] tracesys at ffffffff8005d28d (via system_call)
    RIP: 0000003e3cad408a  RSP: 00007fff389e3378  RFLAGS: 00000206
    RAX: ffffffffffffffda  RBX: ffffffff8005d28d  RCX: ffffffffffffffff
    RDX: 00000000127b5030  RSI: 000000000000bb98  RDI: 00000000127b5050
    RBP: 000000000000bb98   R8: 0000000000010010   R9: 0000000000000003
    R10: ffffffffffffffff  R11: 0000000000000206  R12: 00007fff389e3bd3
    R13: 0000000000000003  R14: 00000000127b5050  R15: 0000000000010000
    ORIG_RAX: 00000000000000af  CS: 0033  SS: 002b
------------------------------------------------------------

* The mainline kernel commit that fixes the bug:
------------------------------------------------------------
commit cb276805803b8e0616159d80a441ab26a931ada4
Author: J. Bruce Fields <bfields.edu>
Date:   Mon Jul 23 18:43:52 2007 -0700

    nfsd: fix possible oops on re-insertion of rpcsec_gss modules
    
    The handling of the re-registration case is wrong here; the "test" that was
    returned from auth_domain_lookup will not be used again, so that reference
    should be put.  And auth_domain_lookup never did anything with "new" in
    this case, so we should just clean it up ourself.
    
    Thanks to Akinobu Mita for bug report, analysis, and testing.
------------------------------------------------------------
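
A simplified user-space model of the re-registration case the commit message describes, added here as an example; it is not the kernel source or the attached patch. Function names echo those in the call trace, while the struct, the one-bucket table and the sample name are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* User-space model; struct layout and helper bodies are assumptions, not kernel code. */
struct domain { int ref, hashed; char *name; struct domain *next; };
static struct domain *table;  /* one-bucket stand-in for the domain hash table */
static int bad_unhash;        /* unhash attempts on a domain that was never hashed */

/* Models auth_domain_lookup: existing entry (+1 ref) or insert `new`; a duplicate leaves `new` untouched. */
static struct domain *domain_lookup(const char *name, struct domain *new) {
    for (struct domain *d = table; d; d = d->next)
        if (strcmp(d->name, name) == 0) { d->ref++; return d; }
    new->hashed = 1; new->next = table; table = new;
    return new;
}

/* Models auth_domain_put: on the last reference, unhash and free. */
static void domain_put(struct domain *d) {
    if (--d->ref > 0) return;
    if (!d->hashed) bad_unhash++;  /* stands in for the fault inside auth_domain_put in the oops */
    for (struct domain **p = &table; *p; p = &(*p)->next)
        if (*p == d) { *p = d->next; break; }
    free(d->name); free(d);
}

static int register_flavor(const char *name, int fixed) {
    struct domain *new = calloc(1, sizeof(*new)), *test;
    if (!new || !(new->name = malloc(strlen(name) + 1))) { free(new); return -1; }
    strcpy(new->name, name); new->ref = 1;
    if ((test = domain_lookup(name, new)) == new) return 0;  /* first registration */
    if (fixed) { domain_put(test); free(new->name); free(new); }  /* as the commit says */
    else domain_put(new);      /* wrong object put; the reference on `test` leaks */
    return 1;                  /* duplicate registration */
}

/* First load, then re-registration of a constructed sample name; returns bad_unhash. */
static int simulate(int fixed) {
    table = NULL; bad_unhash = 0;
    register_flavor("gss/krb5", fixed); register_flavor("gss/krb5", fixed);
    return bad_unhash;
}
static int table_refs(void) { return table ? table->ref : 0; }

int main(void) {
    int buggy = simulate(0), fixed = simulate(1);
    printf("bad unhash attempts: buggy=%d fixed=%d\n", buggy, fixed);
    return 0;
}
```

In the buggy path the surviving entry is also left with one reference too many, which `table_refs()` exposes after `simulate(0)`.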

Comment 2 Harshula Jayasuriya 2010-03-03 04:09:25 UTC
Created attachment 397469
Patch

Comment 6 Jarod Wilson 2010-05-19 19:00:26 UTC
in kernel-2.6.18-199.el5
You can download this test kernel from http://people.redhat.com/jwilson/el5

Please update the appropriate value in the Verified field
(cf_verified) to indicate this fix has been successfully
verified. Include a comment with verification details.

Comment 11 errata-xmlrpc 2011-01-13 20:37:25 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0017.html

