Performing verification for jammy.

I set up a VM according to the testcase, and I installed 5.15.0-179-generic from
-updates.

I opened two terminals, and in each one of them ran:

$ while true; do
    grep -Rr . /sys/kernel/sunrpc/xprt-switches/;
done

and

$ sudo -s
# while true; do
    mount -t nfs 192.168.122.126:/mnt/nfs_share /mnt/test
    umount /mnt/test
done

In less than a second, the system panics:

[  344.733550] BUG: kernel NULL pointer dereference, address: 0000000000000020
[  344.734325] #PF: supervisor read access in kernel mode
[  344.735195] #PF: error_code(0x0000) - not-present page
[  344.736342] PGD 0 P4D 0 
[  344.736963] Oops: 0000 [#1] SMP NOPTI
[  344.737763] CPU: 2 PID: 23280 Comm: grep Not tainted 5.15.0-179-generic #189-Ubuntu
[  344.741403] RIP: 0010:kernel_getsockname+0x6/0x20
[  344.742369] Code: 00 00 00 00 0f 1f 44 00 00 55 48 8b 47 20 48 8b 40 60 48 89 e5 ff d0 0f 1f 00 5d c3 cc cc cc cc 0f 1f 40 00 0f 1f 44 00 00 55 <48> 8b 47 20 31 d2 48 8b 40 38 48 89 e5 ff d0 0f 1f 00 5d c3 cc cc
[  344.746132] RSP: 0018:ffffd22080b5fb68 EFLAGS: 00010246
[  344.747147] RAX: 0000000000000000 RBX: ffff893457734f78 RCX: 0000000000000003
[  344.748550] RDX: 0000000000000003 RSI: ffffd22080b5fb78 RDI: 0000000000000000
[  344.750009] RBP: ffffd22080b5fc00 R08: ffff8934577d7d80 R09: ffff89344ae46000
[  344.751466] R10: 000000000000000b R11: 0000000000000000 R12: ffff8934534b1000
[  344.752961] R13: ffff89344ae46000 R14: ffff893453916008 R15: 0000000000000000
[  344.754443] FS:  00007f52d6243740(0000) GS:ffff8934bbd00000(0000) knlGS:0000000000000000
[  344.756077] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  344.757134] CR2: 0000000000000020 CR3: 00000001127a2004 CR4: 0000000000770ee0
[  344.758451] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  344.759772] DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7: 0000000000000400
[  344.761148] PKRU: 55555554
[  344.761645] Call Trace:
[  344.762109]  <TASK>
[  344.762496]  ? xs_sock_getport+0x2b/0x70 [sunrpc]
[  344.763390]  ? kvmalloc_node+0x28/0xa0
[  344.764080]  ? memcg_slab_post_alloc_hook+0x19e/0x210
[  344.765066]  get_srcport+0x15/0x20 [sunrpc]
[  344.765878]  rpc_sysfs_xprt_info_show+0x110/0x130 [sunrpc]
[  344.766912]  ? path_init+0x3a6/0x3f0
[  344.767570]  kobj_attr_show+0xf/0x30
[  344.768275]  sysfs_kf_seq_show+0xa2/0x100
[  344.769061]  kernfs_seq_show+0x24/0x30
[  344.769783]  seq_read_iter+0x121/0x4b0
[  344.770492]  kernfs_fop_read_iter+0x30/0x40
[  344.771264]  new_sync_read+0x10a/0x190
[  344.771972]  vfs_read+0x106/0x1a0
[  344.772591]  ksys_read+0x67/0xf0
[  344.773199]  __x64_sys_read+0x19/0x20
[  344.773880]  x64_sys_call+0x1dba/0x1fa0
[  344.774580]  do_syscall_64+0x56/0xb0
[  344.775217]  ? __do_sys_newfstatat+0x49/0x70
[  344.776009]  ? arch_exit_to_user_mode_prepare.constprop.0+0x1e/0xc0
[  344.777159]  ? syscall_exit_to_user_mode+0x41/0x80
[  344.778042]  ? do_syscall_64+0x63/0xb0
[  344.778986]  ? exc_page_fault+0x89/0x170
[  344.780033]  entry_SYSCALL_64_after_hwframe+0x6c/0xd6

I then enabled -proposed, and installed 5.15.0-184-generic, and
rebooted.

$ uname -rv
5.15.0-184-generic #194-Ubuntu SMP Mon May 25 18:34:53 UTC 2026

I ran the same commands in different terminals. They both ran for about a minute
this time, with no oops messages, before getting stuck, but this now resembles
the behaviour in 6.8, 6.17, 7.0 and current mainline. The system is still
usable and stable, and should be okay.

The panic itself is fixed, and should be much more resilient to system wide
greps, and the CVE is fixed.

Marking verified for jammy.

** Tags removed: verification-needed-jammy-linux
** Tags added: verification-done-jammy-linux

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2149767

Title:
  SUNRPC: System wide grep leads to NULL pointer deference in sysfs
  reads

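The two loops above are typed into separate terminals by hand. The script below is an added example, not part of the bug report or of the Ubuntu kernel tree: it packages the same reader loop and mount/umount loop into one time-limited run and then checks the kernel log for the signature of the oops quoted above (a NULL pointer dereference whose trace goes through rpc_sysfs_xprt_info_show). The export address and mount point are the ones from the report; the run time, the RUN_REPRO gate and the helper names are assumptions. The reproducer part needs root and a reachable NFS export, so it only runs when RUN_REPRO=1; the helper functions can be exercised without either.

```shell
#!/usr/bin/env bash
# Added verification harness for LP: #2149767 (not from the original report).
# Assumptions: NFS_EXPORT/MOUNT_POINT default to the values in the report,
# DURATION and the RUN_REPRO gate are placeholders chosen here.
set -u

NFS_EXPORT="${NFS_EXPORT:-192.168.122.126:/mnt/nfs_share}"   # from the report
MOUNT_POINT="${MOUNT_POINT:-/mnt/test}"                       # from the report
DURATION="${DURATION:-120}"                                   # seconds; assumption
SYSFS_DIR=/sys/kernel/sunrpc/xprt-switches

# Extract the Ubuntu ABI number from a kernel release string,
# e.g. "5.15.0-184-generic" -> 184. The report shows -179 oopsing and
# -184 surviving, so this is the number worth comparing on jammy.
abi_number() {
    printf '%s\n' "$1" | sed -n 's/^[0-9]*\.[0-9]*\.[0-9]*-\([0-9]*\)-.*/\1/p'
}

# Return 0 if the kernel log text on stdin contains the oops from the
# report: a NULL deref whose call trace includes the sunrpc sysfs show path.
oops_in_log() {
    local log
    log=$(cat)
    printf '%s\n' "$log" | grep -q 'BUG: kernel NULL pointer dereference' &&
    printf '%s\n' "$log" | grep -q 'rpc_sysfs_xprt_info_show'
}

# Run the two loops from the report concurrently for DURATION seconds:
# an unprivileged recursive grep over the sunrpc sysfs tree, racing against
# repeated NFS mount/umount cycles that create and tear down transports.
run_repro() {
    local end reader
    end=$(( $(date +%s) + DURATION ))
    ( while [ "$(date +%s)" -lt "$end" ]; do
          grep -Rr . "$SYSFS_DIR" >/dev/null 2>&1
      done ) &
    reader=$!
    while [ "$(date +%s)" -lt "$end" ]; do
        mount -t nfs "$NFS_EXPORT" "$MOUNT_POINT" 2>/dev/null
        umount "$MOUNT_POINT" 2>/dev/null
    done
    wait "$reader"
}

# Gated entry point: on the affected kernel the machine panics outright,
# so reaching the log check at all already means the read path survived.
if [ "${RUN_REPRO:-0}" = 1 ]; then
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root: mount/umount and dmesg need it" >&2
        exit 2
    fi
    echo "kernel $(uname -r) (ABI $(abi_number "$(uname -r)")), running for ${DURATION}s"
    mkdir -p "$MOUNT_POINT"
    run_repro
    if dmesg | oops_in_log; then
        echo "FAIL: sunrpc sysfs oops found in dmesg" >&2
        exit 1
    fi
    echo "OK: no sunrpc sysfs oops in dmesg"
fi
```

Invoke it as `sudo RUN_REPRO=1 DURATION=120 ./repro.sh` on the test VM. The grep is deliberately left unprivileged in spirit (it reads world-readable sysfs files), matching the report, where the crashing task was an ordinary `grep`; only the mount/umount side needs root.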