
Bug#830771: linux-image-3.16.0-4-amd64: Kernel NULL pointer dereference, RIP: smb2_push_mandatory_locks+0x113/0x3c9 [cifs]



Package: src:linux
Version: 3.16.7-ckt25-2+deb8u3
Severity: important

Dear Maintainer,

This is a Debian Jessie server running on Azure. Every once in a while, the server crashes and a kernel oops is logged:

[316317.199398] BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
[316317.203332] IP: [<ffffffffa0385ee3>] smb2_push_mandatory_locks+0x113/0x3c9 [cifs]
[316317.203332] PGD 3aca7c067 PUD 3c6f2a067 PMD 0 
[316317.203332] Oops: 0000 [#1] SMP 
[316317.203332] Modules linked in: nfnetlink_queue nfnetlink_log nfnetlink bluetooth 6lowpan_iphc rfkill xt_tcpudp iptable_filter ip_tables x_tables binfmt_misc tcp_diag inet_diag cmachhha25__generic arc4 ecb md4 hmac nls_utf8 cifs dns_resolver fscache hv_utils serio_raw hyperv_keyboard i2c_piix4 i2c_core processor hyperv_fb evdev joydev thermal_sys pcspkr button autofs4 ext4 crc16 mbcache jbd2 dm_mod sg ata_generic sd_mod crc1110dif crct10dif_generic hid_generic crct10dif_common hid_hyperv ata_piix hv_netvsc hid libata hv_storvsc scsi_mod psmouse hv_vmbus floppy
[316317.203332] CPU: 6 PID: 44095 Comm: kworker/6:2 Not tainted 3.16.0-4-amd64 #1 Debian 3.16.7-ckt25-2+deb8u3
[316317.203332] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090006  05/23/2012
[316317.203332] Workqueue: cifsiod cifs_oplock_break [cifs]
[316317.203332] task: ffff8803bc7d1570 ti: ffff8803bc788000 task.ti: ffff8803bc788000
[316317.203332] RIP: 0010:[<ffffffffa03852e3>]  [<ffffffffa03852e3>] smb2_push_mandatory_locks+0x113/0x3c9 [cifs]
[316317.203332] RSP: 0018:ffff8803bc78bd80  EFLAGS: 00010246
[316317.203332] RAX: 0000000000000000 RBX: ffff8801fd5faa58 RCX: 0000000000000000
[316317.203332] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8803bc650000
[316317.203332] RBP: ffff8801fd5faa58 R08: 1028000000000000 R09: ffff8803bc640000
[316317.203332] R10: fcd3d14703cb2205 R11: 0000000000000000 R12: 0000000000000aaa
[316317.203332] R13: ffff8801fd5faa40 R14: ffff880295d33000 R15: ffff8803bc640000
[316317.203332] FS:  00007fdcf5a86700(0000) GS:ffff88045f840000(0000) knlGS:0000000000000000
[316317.203332] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[316317.203332] CR2: 0000000000000038 CR3: 000000045788f000 CR4: 00000000000006e0
[316317.203332] Stack:
[316317.203332]  ffff88030e2f7cd0 0000000000000000 ffff88030e2f7c28 0000000000031725
[316317.203332]  ffff8803bc7d1570 ffff88030e2f7c30 ffff8803bc7d1570 ffff88030e2f7c40
[316317.203332]  ffff880455d27ae8 ffff88030e2f7c28 ffff880295f74000 ffff88030e2f7cd0
[316317.203332] Call Trace:
[316317.203332]  [<ffffffffa035e1ef>] ? cifs_oplock_break+0x10f/0x380 [cifs]
[316317.203332]  [<ffffffff81081742>] ? process_one_work+0x172/0x420
[316317.203332]  [<ffffffff81081dd3>] ? worker_thread+0x113/0x4f0
[316317.203332]  [<ffffffff815105c1>] ? __schedule+0x2b1/0x700
[316317.203332]  [<ffffffff81081cc0>] ? rescuer_thread+0x2d0/0x2d0
[316317.203332]  [<ffffffff8108800d>] ? kthread+0xbd/0xe0
[316317.203332]  [<ffffffff81087f50>] ? kthread_create_on_node+0x180/0x180
[316317.203332]  [<ffffffff81514158>] ? ret_from_fork+0x58/0x90
[316317.203332]  [<ffffffff81087f50>] ? kthread_create_on_node+0x180/0x180
[316317.203332] Code: 04 25 80 b8 00 00 48 89 44 24 20 48 89 44 24 30 0f 1f 84 00 00 00 00 00 4d 8b 75 10 49 8b 5d 18 49 8d 6d 18 49 8b 46 78 48 39 eb <48> 8b 40 38 48 89 44 24 08 0f 84 a5 00 00 00 45 31 d2 4c 89 6c 
[316317.203332] RIP  [<ffffffffa03852e3>] smb2_push_mandatory_locks+0x113/0x3c9 [cifs]
[316317.203332]  RSP <ffff8803bc78bd80>
[316317.203332] CR2: 0000000000000038
[316317.203332] ---[ end trace c08f7fa2cf283a1e ]---


I have no idea how to reproduce the oops. I think it is load-related, even
though the load on these servers as a whole, or the CIFS mounts in particular,
is not extremely high. In total, we have nine identical machines running in
this environment (Azure cloud), three of which run production and have more
load than the other six.  These three all experienced this oops one or more
times in the past 10 days or so. The less loaded machines (test environment)
haven't crashed so far. All machines have 3 CIFS mounts.
'smb2_push_mandatory_locks' seems to be suspect every time.



-- Package-specific info:
** Version:
Linux version 3.16.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.8.4 (Debian 4.8.4-1) ) #1 SMP Debian 3.16.7-ckt25-2+deb8u3 (2016-07-02)

** Command line:
BOOT_IMAGE=/vmlinuz initrd=/initrd.img root=UUID=0c2f972f-e9e5-438a-a9cf-0fa537a0c2a5 console=tty0 console=ttyS0,115200 earlyprintk=ttyS0,115200 

** Not tainted

** Model information
sys_vendor: Microsoft Corporation
product_name: Virtual Machine
product_version: 7.0
chassis_vendor: Microsoft Corporation
chassis_version: 7.0
bios_vendor: American Megatrends Inc.
bios_version: 090006 
board_vendor: Microsoft Corporation
board_name: Virtual Machine
board_version: 7.0

** Loaded modules:
binfmt_misc
xt_tcpudp
iptable_filter
ip_tables
x_tables
tcp_diag
inet_diag
cmac
sha256_generic
arc4
ecb
md4
hmac
nls_utf8
cifs
dns_resolver
fscache
hyperv_fb
i2c_piix4
serio_raw
i2c_core
evdev
hyperv_keyboard
hv_utils
pcspkr
joydev
processor
button
thermal_sys
autofs4
ext4
crc16
mbcache
jbd2
dm_mod
sg
sd_mod
crc_t10dif
crct10dif_generic
crct10dif_common
hid_generic
ata_generic
ata_piix
hid_hyperv
hv_netvsc
libata
hv_storvsc
hid
scsi_mod
psmouse
hv_vmbus
floppy

** Network interface configuration:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The normal eth0
auto eth0
iface eth0 inet dhcp

# Maybe the VM has 2 NICs?
allow-hotplug eth1
iface eth1 inet dhcp

# Maybe the VM has 3 NICs?
allow-hotplug eth2
iface eth2 inet dhcp

** Network status:
*** IP interfaces and addresses:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0d:3a:20:bd:a8 brd ff:ff:ff:ff:ff:ff
    inet 10.128.1.11/24 brd 10.128.1.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::20d:3aff:fe20:bda8/64 scope link 
       valid_lft forever preferred_lft forever

-- System Information:
Debian Release: 8.5
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages linux-image-3.16.0-4-amd64 depends on:
ii  debconf [debconf-2.0]                   1.5.56
ii  initramfs-tools [linux-initramfs-tool]  0.120+deb8u2
ii  kmod                                    18-3
ii  linux-base                              3.5

Versions of packages linux-image-3.16.0-4-amd64 recommends:
ii  firmware-linux-free  3.3
ii  irqbalance           1.0.6-3

Versions of packages linux-image-3.16.0-4-amd64 suggests:
pn  debian-kernel-handbook  <none>
ii  extlinux                3:6.03+dfsg-5+deb8u1
pn  linux-doc-3.16          <none>

Versions of packages linux-image-3.16.0-4-amd64 is related to:
pn  firmware-atheros        <none>
pn  firmware-bnx2           <none>
pn  firmware-bnx2x          <none>
pn  firmware-brcm80211      <none>
pn  firmware-intelwimax     <none>
pn  firmware-ipw2x00        <none>
pn  firmware-ivtv           <none>
pn  firmware-iwlwifi        <none>
pn  firmware-libertas       <none>
pn  firmware-linux          <none>
pn  firmware-linux-nonfree  <none>
pn  firmware-myricom        <none>
pn  firmware-netxen         <none>
pn  firmware-qlogic         <none>
pn  firmware-ralink         <none>
pn  firmware-realtek        <none>
pn  xen-hypervisor          <none>

-- debconf information:
  linux-image-3.16.0-4-amd64/prerm/removing-running-kernel-3.16.0-4-amd64: true
  linux-image-3.16.0-4-amd64/postinst/depmod-error-initrd-3.16.0-4-amd64: false
  linux-image-3.16.0-4-amd64/postinst/mips-initrd-3.16.0-4-amd64:
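
A triage check for the oops quoted in this report, as an added example that is not part of the original bug report: it decodes the faulting instruction (the byte marked `<48>` in the `Code:` line) and checks that its memory operand equals CR2. The function names and the deliberately narrow decoder (REX.W `8B /r`, no SIB byte) are assumptions made for this illustration; the embedded lines are copied from the oops above.

```python
import re

# Register, CR2 and Code: lines copied from the oops in this report.
OOPS = """\
[316317.203332] RAX: 0000000000000000 RBX: ffff8801fd5faa58 RCX: 0000000000000000
[316317.203332] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8803bc650000
[316317.203332] RBP: ffff8801fd5faa58 R08: 1028000000000000 R09: ffff8803bc640000
[316317.203332] R10: fcd3d14703cb2205 R11: 0000000000000000 R12: 0000000000000aaa
[316317.203332] R13: ffff8801fd5faa40 R14: ffff880295d33000 R15: ffff8803bc640000
[316317.203332] CR2: 0000000000000038 CR3: 000000045788f000 CR4: 00000000000006e0
[316317.203332] Code: 04 25 80 b8 00 00 48 89 44 24 20 48 89 44 24 30 0f 1f 84 00 00 00 00 00 4d 8b 75 10 49 8b 5d 18 49 8d 6d 18 49 8b 46 78 48 39 eb <48> 8b 40 38 48 89 44 24 08 0f 84 a5 00 00 00 45 31 d2 4c 89 6c
"""

# x86-64 register numbering, using the names the oops prints.
REG64 = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI",
         "R08", "R09", "R10", "R11", "R12", "R13", "R14", "R15"]

def parse_oops(text):
    """Return (register values, code bytes from the faulting instruction on)."""
    regs = {name: int(val, 16) for name, val in
            re.findall(r"\b(R[A-Z0-9]{2}|CR2): ([0-9a-f]{16})", text)}
    code = re.search(r"Code: (.*)", text).group(1).split()
    start = next(i for i, b in enumerate(code) if b.startswith("<"))
    return regs, bytes(int(b.strip("<>"), 16) for b in code[start:])

def fault_operand(insn, regs):
    """Decode `mov r64, [base+disp]` and return (base, disp, address)."""
    rex, opcode, modrm = insn[0], insn[1], insn[2]
    if rex & 0xF8 != 0x48 or opcode != 0x8B:
        raise ValueError("only REX.W + 8B (mov r64, r/m64) is handled")
    mod, rm = modrm >> 6, modrm & 7
    if mod == 3 or rm == 4 or (mod == 0 and rm == 5):
        raise ValueError("register, SIB and RIP-relative forms are not handled")
    size = (0, 1, 4)[mod]                      # no disp, disp8 or disp32
    disp = int.from_bytes(insn[3:3 + size], "little", signed=True)
    base = REG64[rm | ((rex & 1) << 3)]        # REX.B extends the base register
    return base, disp, (regs[base] + disp) % 2**64

def triage(text):
    """Compare the decoded operand address with the fault address in CR2."""
    regs, insn = parse_oops(text)
    base, disp, addr = fault_operand(insn, regs)
    return {"base": base, "base_value": regs[base], "disp": disp,
            "address": addr, "matches_cr2": addr == regs["CR2"],
            "null_base": regs[base] == 0}

if __name__ == "__main__":
    print(triage(OOPS))
```

For this oops the operand decodes to `[RAX+0x38]` with RAX = 0, which equals CR2: a read through a NULL pointer at offset 0x38.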

