
Bug#1029138: linux-image-6.1.0-1-amd64: refcount_t: underflow; use-after-free in nfsd on an NFS server
Hi,

On Wed, Jan 18, 2023 at 02:42:24PM +0100, Laurent Bonnaud wrote:
> 
> Package: src:linux
> Version: 6.1.4-1
> Severity: important
> 
> Dear Maintainer,
> 
> This system is a Debian 11 system that is used as an NFS server with the following packages:
> 
> ii  nfs-common                           1:1.3.4-6                                 amd64        NFS support files common to client and server
> ii  nfs-kernel-server                    1:1.3.4-6                                 amd64        support for NFS kernel server
> 
> I am having trouble with 5.10.x kernels, so I am trying the kernel that will probably be in Debian 12.
> 
> Unfortunately I see the following warning message from the kernel:
> 
> [16875.235769] svc: svc_tcp_read_marker lockd RPC fragment too large: 612067950
> [17014.023164] svc: svc_tcp_read_marker nfsd RPC fragment too large: 612067950
> [18029.296553] ------------[ cut here ]------------
> [18029.296558] refcount_t: underflow; use-after-free.
> [18029.296572] WARNING: CPU: 2 PID: 6051 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x110
> [18029.296587] Modules linked in: ipt_REJECT nf_reject_ipv4 xt_multiport nft_compat nf_tables libcrc32c nfnetlink cts rpcsec_gss_krb5 ipmi_ssif intel_rapl_msr intel_rapl_common quota_v2 quota_tree skx_edac nfit libnvdimm x86_pkg_temp_thermal intel_powerclamp coretemp ghash_clmulni_intel sha512_ssse3 sha512_generic nls_ascii nls_cp437 vfat aesni_intel mgag200 fat crypto_simd cryptd drm_shmem_helper dell_smbios rapl dcdbas intel_cstate drm_kms_helper iTCO_wdt intel_pmc_bxt dell_wmi_descriptor iTCO_vendor_support pcspkr wmi_bmof intel_uncore efi_pstore joydev acpi_ipmi sg mei_me watchdog i2c_algo_bit mei intel_pch_thermal ipmi_si ipmi_devintf evdev ipmi_msghandler button nfsd nfs_acl lockd auth_rpcgss grace drm configfs sunrpc fuse efivarfs ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 crc32c_generic hid_generic usbhid hid sd_mod t10_pi crc64_rocksoft crc64 crc_t10dif crct10dif_generic ahci crct10dif_pclmul crct10dif_common crc32_pclmul xhci_pci crc32c_intel libahci i2c_i801 xhci_hcd
> [18029.296738]  ixgbe i2c_smbus megaraid_sas tg3 xfrm_algo dca mdio_devres lpc_ich libata libphy ptp pps_core mdio usbcore scsi_mod wmi usb_common scsi_common
> [18029.296769] CPU: 2 PID: 6051 Comm: kworker/2:1 Not tainted 6.1.0-1-amd64 #1  Debian 6.1.4-1
> [18029.296775] Hardware name: Dell Inc. PowerEdge R540/0NJK2F, BIOS 2.15.1 06/17/2022
> [18029.296779] Workqueue: nfsd_filecache nfsd_file_delayed_close [nfsd]
> [18029.296850] RIP: 0010:refcount_warn_saturate+0xba/0x110
> [18029.296857] Code: 01 01 e8 5d 3d 4a 00 0f 0b c3 cc cc cc cc 80 3d 18 4c cd 01 00 75 85 48 c7 c7 18 a0 14 87 c6 05 08 4c cd 01 01 e8 3a 3d 4a 00 <0f> 0b c3 cc cc cc cc 80 3d f3 4b cd 01 00 0f 85 5e ff ff ff 48 c7
> [18029.296862] RSP: 0018:ffffaaa746f97e40 EFLAGS: 00010282
> [18029.296867] RAX: 0000000000000000 RBX: ffff9bc0d27158f8 RCX: 0000000000000000
> [18029.296871] RDX: 0000000000000001 RSI: ffffffff8713289e RDI: 00000000ffffffff
> [18029.296874] RBP: ffffaaa746f97e68 R08: 0000000000000000 R09: ffffaaa746f97cc8
> [18029.296878] R10: 0000000000000003 R11: ffffffff87ed23c8 R12: ffff9bc0d27158f0
> [18029.296881] R13: 0000000000000000 R14: ffff9bc197cb06c0 R15: ffff9bc040563b08
> [18029.296884] FS:  0000000000000000(0000) GS:ffff9bc6e0100000(0000) knlGS:0000000000000000
> [18029.296889] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [18029.296892] CR2: 00007f627af751c0 CR3: 00000001c0744006 CR4: 00000000007706e0
> [18029.296896] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [18029.296899] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [18029.296902] PKRU: 55555554
> [18029.296905] Call Trace:
> [18029.296909]  <TASK>
> [18029.296912]  nfsd_file_dispose_list+0x4d/0x70 [nfsd]
> [18029.296975]  nfsd_file_delayed_close+0x73/0xa0 [nfsd]
> [18029.297034]  process_one_work+0x1c4/0x380
> [18029.297045]  worker_thread+0x4d/0x380
> [18029.297052]  ? _raw_spin_lock_irqsave+0x23/0x50
> [18029.297061]  ? rescuer_thread+0x3a0/0x3a0
> [18029.297068]  kthread+0xe6/0x110
> [18029.297074]  ? kthread_complete_and_exit+0x20/0x20
> [18029.297081]  ret_from_fork+0x1f/0x30
> [18029.297095]  </TASK>
> [18029.297097] ---[ end trace 0000000000000000 ]---

Would it be possible to test 6.1.7, which contains related nfs changes
with the nfsd filecache?

Regards,
Salvatore
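The kernel log quoted above carries two distinct signals that an operator would want to pick out of dmesg or the journal automatically: sunrpc's "RPC fragment too large" rejection (the 31-bit length field of an RPC-over-TCP record marker, RFC 5531 section 11, exceeded the server's maximum message size) and the lib/refcount.c "refcount_t: underflow; use-after-free" warning, together with the workqueue and stack frames that locate it in the nfsd filecache. The scanner below is an added example, not code from the bug report, the Debian kernel team or the kernel itself; it runs on a constructed, trimmed copy of the report's log lines and assumes the dmesg line layout shown there (a bracketed timestamp followed by the message).

```python
"""Scan kernel log text for sunrpc 'RPC fragment too large' rejections and
refcount_t warnings, grouping each warning with its workqueue and call trace.
Added example; the sample input is a constructed, trimmed copy of the report."""
import re
from dataclasses import dataclass, field

# Constructed sample input (shape and messages taken from the bug report above).
SAMPLE_DMESG = """\
[16875.235769] svc: svc_tcp_read_marker lockd RPC fragment too large: 612067950
[17014.023164] svc: svc_tcp_read_marker nfsd RPC fragment too large: 612067950
[18029.296553] ------------[ cut here ]------------
[18029.296558] refcount_t: underflow; use-after-free.
[18029.296572] WARNING: CPU: 2 PID: 6051 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x110
[18029.296769] CPU: 2 PID: 6051 Comm: kworker/2:1 Not tainted 6.1.0-1-amd64 #1  Debian 6.1.4-1
[18029.296779] Workqueue: nfsd_filecache nfsd_file_delayed_close [nfsd]
[18029.296850] RIP: 0010:refcount_warn_saturate+0xba/0x110
[18029.296905] Call Trace:
[18029.296912]  nfsd_file_dispose_list+0x4d/0x70 [nfsd]
[18029.296975]  nfsd_file_delayed_close+0x73/0xa0 [nfsd]
[18029.297034]  process_one_work+0x1c4/0x380
[18029.297052]  ? _raw_spin_lock_irqsave+0x23/0x50
[18029.297068]  kthread+0xe6/0x110
[18029.297081]  ret_from_fork+0x1f/0x30
[18029.297097] ---[ end trace 0000000000000000 ]---
"""

# One dmesg line: "[seconds.micros] message".
LINE_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s?(?P<msg>.*)$")
# sunrpc's rejection of an oversized TCP record fragment, per service (nfsd, lockd, ...).
FRAG_RE = re.compile(r"^svc: svc_tcp_read_marker (?P<svc>\S+) RPC fragment too large: (?P<size>\d+)$")
# lib/refcount.c warnings: "refcount_t: <kind>; <effect>."
REFCOUNT_RE = re.compile(r"^refcount_t: (?P<kind>[^;]+); (?P<effect>[^.]+)\.$")
WARNING_RE = re.compile(r"^WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) at (?P<site>\S+) (?P<func>\S+)$")
WORKQUEUE_RE = re.compile(r"^Workqueue: (?P<wq>\S+) (?P<fn>\S+)(?: \[(?P<mod>\w+)\])?$")
# Call-trace frame, optionally marked "?" (unreliable) and tagged with a module.
FRAME_RE = re.compile(r"^(?:\? )?(?P<fn>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<mod>\w+)\])?$")
END_RE = re.compile(r"^---\[ end trace ")


@dataclass
class OversizedFragment:
    ts: float
    service: str
    size: int  # the 31-bit record-marker length the kernel refused to accept

    def mib(self) -> float:
        return self.size / (1 << 20)


@dataclass
class RefcountWarning:
    ts: float
    kind: str            # e.g. "underflow"
    effect: str          # e.g. "use-after-free"
    site: str = ""       # e.g. "lib/refcount.c:28"
    workqueue: str = ""  # "<workqueue>/<work function>" when the trace ran in a worker
    frames: list = field(default_factory=list)  # (function, module or "")

    def modules(self) -> list:
        return sorted({mod for _, mod in self.frames if mod})


def scan(text: str):
    """Return (fragments, warnings); trace context lines are attached to the
    most recent refcount warning until its 'end trace' marker."""
    fragments, warnings, current = [], [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = float(m["ts"]), m["msg"].strip()
        if (f := FRAG_RE.match(msg)):
            fragments.append(OversizedFragment(ts, f["svc"], int(f["size"])))
        elif (r := REFCOUNT_RE.match(msg)):
            current = RefcountWarning(ts, r["kind"], r["effect"])
            warnings.append(current)
        elif current is None:
            continue
        elif (w := WARNING_RE.match(msg)):
            current.site = w["site"]
        elif (q := WORKQUEUE_RE.match(msg)):
            current.workqueue = f"{q['wq']}/{q['fn']}"
        elif (s := FRAME_RE.match(msg)):
            current.frames.append((s["fn"], s["mod"] or ""))
        elif END_RE.match(msg):
            current = None
    return fragments, warnings


def triage(text: str) -> dict:
    """Flatten the scan into an alert-friendly summary."""
    fragments, warnings = scan(text)
    return {
        "oversized_fragments": [
            {"ts": f.ts, "service": f.service, "size": f.size, "mib": round(f.mib(), 1)}
            for f in fragments
        ],
        "refcount_warnings": [
            {"ts": w.ts, "kind": w.kind, "effect": w.effect, "site": w.site,
             "workqueue": w.workqueue, "modules": w.modules(),
             "frames": [fn for fn, _ in w.frames]}
            for w in warnings
        ],
        # A use-after-free warning means memory safety is already compromised.
        "needs_attention": any(w.effect == "use-after-free" for w in warnings),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_DMESG), indent=2))
```

The two signals should be tracked separately: the fragment rejections are a protocol-level defence doing its job (a peer sent a record marker claiming a ~584 MiB fragment, which the server refused), whereas the refcount underflow is a kernel bug in the nfsd filecache close path, which is why the maintainer's reply points at the filecache changes in 6.1.7 rather than at the client. Feeding `journalctl -k -o short-monotonic` output through `scan()` works with the same regexes because the message text after the timestamp is identical.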

