Something in the Kernel crashes when I try to mount via NFS

This change was made by a bot.

Would it be possible for you to test the latest upstream stable kernel? Refer to https://wiki.ubuntu.com/KernelMainlineBuilds . Please test the latest v3.13 stable kernel[0].

If this bug is fixed in the mainline kernel, please add the following tag 'kernel-fixed-upstream'.

If the mainline kernel does not fix this bug, please add the tag: 'kernel-bug-exists-upstream'.

If you are unable to test the mainline kernel, for example it will not boot, please add the tag: 'kernel-unable-to-test-upstream'.
Once testing of the upstream kernel is complete, please mark this bug as "Confirmed".

Thanks in advance.

[0] http://kernel.ubuntu.com/~kernel-ppa/mainline/v3.13.11-ckt27-trusty/

Will try.

Nope ... did not work

uname -a
Linux paul-ThinkPad-T430s 3.13.11-031311ckt27-generic #201509251131 SMP Fri Sep 25 15:34:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

[ 133.141688] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
[ 133.141734] IP: [<ffffffff8160f10d>] skb_copy_and_csum_datagram_iovec+0x2d/0x110
[ 133.141773] PGD 0
[ 133.141785] Oops: 0000 [#1] SMP
[ 133.141804] Modules linked in: ctr ccm pci_stub vboxpci(OF) vboxnetadp(OF) vboxnetflt(OF) vboxdrv(OF) vmw_vsock_vmci_transport vsock vmw_vmci rfcomm bnep snd_hda_codec_hdmi snd_hda_codec_realtek binfmt_misc nfsd auth_rpcgss nfs_acl nfs lockd sunrpc fscache nls_iso8859_1 arc4 iwldvm mac80211 hid_generic intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm crct10dif_pclmul crc32_pclmul usbhid ghash_clmulni_intel aesni_intel hid cdc_mbim cdc_ncm btusb snd_hda_intel aes_x86_64 usbnet snd_hda_codec bluetooth lrw mii gf128mul uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev snd_hwdep glue_helper cdc_acm iwlwifi cdc_wdm ablk_helper thinkpad_acpi cryptd snd_pcm snd_page_alloc nvram cfg80211 snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq joydev i915 serio_raw shpchp snd_seq_device mei_me wmi snd_timer mei drm_kms_helper drm snd lpc_ich soundcore parport_pc ppdev i2c_algo_bit mac_hid video lp parport mmc_block psmouse ahci e1000e sdhci_pci libahci sdhci ptp pps_core
[ 133.142227] CPU: 3 PID: 1503 Comm: nfsd Tainted: GF O 3.13.11-031311ckt27-generic #201509251131
[ 133.142251] Hardware name: LENOVO 2355CTO/2355CTO, BIOS G7ET95WW (2.55 ) 07/10/2013
[ 133.142271] task: ffff8803f588c800 ti: ffff8803f4c4a000 task.ti: ffff8803f4c4a000
[ 133.142291] RIP: 0010:[<ffffffff8160f10d>] [<ffffffff8160f10d>] skb_copy_and_csum_datagram_iovec+0x2d/0x110
[ 133.142318] RSP: 0018:ffff8803f4c4bbc0 EFLAGS: 00010216
[ 133.142332] RAX: 0000000000000000 RBX: ffff880425cf0380 RCX: 0000000000000000
[ 133.142350] RDX: 0000000000000000 RSI: 0000000000000030 RDI: ffff8803756e7100
[ 133.142369] RBP: ffff8803f4c4bbf8 R08: 0000000000000000 R09: 000000005fe5a01a
[ 133.142388] R10: 0000000000000000 R11: 0000000000000005 R12: 0000000000000008
[ 133.142406] R13: ffff8803756e7100 R14: 0000000000000028 R15: ffff8803756e7100
[ 133.142425] FS: 0000000000000000(0000) GS:ffff88043e2c0000(0000) knlGS:0000000000000000
[ 133.142445] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 133.142460] CR2: 0000000000000008 CR3: 0000000002c0e000 CR4: 00000000001427e0
[ 133.142479] Stack:
[ 133.142486] ffffffff81608836 ffffffff81608880 ffff880425cf0380 ffff8803f4c4bdf8
[ 133.142509] 0000000000000000 0000000000000028 ffff8803756e7100 ffff8803f4c4bc60
[ 133.142532] ffffffff8167c6dc ffff880426ff8028 ffff880425cf03f0 0000000200000000
[ 133.142555] Call Trace:
[ 133.142564] [<ffffffff81608836>] ? skb_checksum+0x26/0x30
[ 133.142580] [<ffffffff81608880>] ? skb_push+0x40/0x40
[ 133.142596] [<ffffffff8167c6dc>] udp_recvmsg+0x1dc/0x380
[ 133.142612] [<ffffffff816875cc>] inet_recvmsg+0x6c/0x80
[ 133.142628] [<ffffffff8160096a>] sock_recvmsg+0x9a/0xd0
[ 133.142644] [<ffffffff8107414a>] ? del_timer_sync+0x4a/0x60
[ 133.142661] [<fffffff...

I can confirm this. The same behaviour occurs with the latest utopic-kernel (3.16.0-51). Going back to 3.16.0-50 solves the problem.
This happens only when using nfs v3 over UDP like so:

mount -o 'vers=3,udp' 192.168.56.1:'/home/andreas/somefolder' /mnt/nfs-somefolder

Using NFS v4 and/or TCP works without problem. For vagrant, you can use nfs_udp: false as a workaround, as I described here:
https://github.com/mitchellh/vagrant/issues/6423

We do suspect of a backport of upstream commit 89c22d8c3b27 ("net: Fix skb csum races when peeking") (which is 2dde51aa5339 in the trusty git tree). I've built a test kernel with this commit reverted on top of 3.13.0-66.108 and uploaded it here:

http://people.canonical.com/~henrix/LP1508510/v1/amd64/

Could you please verify if this solves the issue? Thanks.

Yes, this patch solves the issue for me. Mount command works as expected and kernel-log stays quiet.

Thanks a lot for testing, Andreas. Regarding the utopic kernel
(3.16.0-51) issue you also refer, are you absolutely sure it's the
same problem? Can you please share the kernel log?

I'm assuming you're running trusty lts-utopic for this, so in the
morning I will try to reproduce it (I was able to reproduce it with
the 3.13).

I have kernel 3.16.0-51 and the issue is the same. Going back to 3.16.0-50 solves the problem.

Thanks @marius888.

Yes, behaviour and the log-messages were exactly the same under 3.16.0-51, as you can see in marius' stacktrace.
We were both facing this using vagrant-built virtualbox-machines with NFS-shares on Lenovo Thinkpads W520/30.

I will try to reproduce it also on lts-vivid shortly.

Thank you. Andreas, I believe vivid is not impacted by this bug. Looks like the issue has been reported to the stable mailing-list:

http://thread.gmane.org/gmane.linux.kernel.stable/153526

Thank you all for reporting and testing.

You are right, no problems, neither with 3.19.0-31 nor with 3.19.0-30.

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-precise' to 'verification-done-precise'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Based on the duplicate bug that I raised, 1509666, I can confirm that with kernel 3.13.0-67-generic loaded, the bug I saw (relating to mounting in OSX) is solved.
I have added the verification-done-trusty tag.

I can confirm that, too. No issue with kernel 3.13.0-67 from trusty-proposed.

I can also confirm that all the kernels have this bug fixed (precise 3.2.0-93.133, trusty 3.13.0-67.110 and lts-utopic 3.16.0-52.71~14.04.1).

This bug was fixed in the package linux - 3.2.0-93.133

---------------
linux (3.2.0-93.133) precise; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1509350

  [ Upstream Kernel Changes ]

  * Revert "net: Fix skb csum races when peeking"
    - LP: #1508510

linux (3.2.0-93.132) precise; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1508939

  [ Upstream Kernel Changes ]

  * Revert "sctp: Fix race between OOTB responce and route removal"
    - LP: #1507665
  * USB: whiteheat: fix potential null-deref at probe
    - LP: #1478826
    - CVE-2015-5257
  * dcache: Handle escaped paths in prepend_path
    - LP: #1441108
    - CVE-2015-2925
  * vfs: Test for and handle paths that are unreachable from their mnt_root
    - LP: #1441108
    - CVE-2015-2925
  * ipv6: Fix build failure when CONFIG_INET disabled
    - LP: #1507665
  * pktgen: Require CONFIG_INET due to use of IPv4 checksum function
    - LP: #1507665
  * xen/gntdev: convert priv->lock to a mutex
    - LP: #1507665
  * xen/gntdevt: Fix race condition in gntdev_release()
    - LP: #1507665
  * crypto: ixp4xx - Remove bogus BUG_ON on scattered dst buffer
    - LP: #1507665
  * USB: sierra: add 1199:68AB device ID
    - LP: #1507665
  * target/iscsi: Fix double free of a TUR followed by a solicited NOPOUT
    - LP: #1507665
  * md/raid1: extend spinlock to protect raid1_end_read_request against
    inconsistencies
    - LP: #1507665
  * target: REPORT LUNS should return LUN 0 even for dynamic ACLs
    - LP: #1507665
  * MIPS: Fix sched_getaffinity with MT FPAFF enabled
    - LP: #1507665
  * xhci: fix off by one error in TRB DMA address boundary check
    - LP: #1507665
  * rds: fix an integer overflow test in rds_info_getsockopt()
    - LP: #1507665
  * perf: Fix fasync handling on inherited events
    - LP: #1507665
  * MIPS: Make set_pte() SMP safe.
    - LP: #1507665
  * ocfs2: fix BUG in ocfs2_downconvert_thread_do_work()
    - LP: #1507665
  * net: Clone skb before setting peeked flag
    - LP: #1507665
  * net: Fix skb_set_peeked use-after-free bug
    - LP: #1507665
  * x86/ldt: Make modify_ldt synchronous
    - LP: #1507665
  * x86/ldt: Correct LDT access in single stepping logic
    - LP: #1507665
  * x86/ldt: Correct FPU emulation access to LDT
    - LP: #1507665
  * localmodconfig: Use Kbuild files too
    - LP: #1507665
  * dm btree: add ref counting ops for the leaves of top level btrees
    - LP: #1507665
  * libiscsi: Fix host busy blocking during connection teardown
    - LP: #1507665
  * libfc: Fix fc_fcp_cleanup_each_cmd()
    - LP: #1507665
  * ipc,sem: fix use after free on IPC_RMID after a task using same
    semaphore set exits
    - LP: #1507665
  * x86/ldt: Further fix FPU emulation
    - LP: #1507665
  * net: Fix RCU splat in af_key
    - LP: #1507665
  * sctp: donot reset the overall_error_count in SHUTDOWN_RECEIVE state
    - LP: #1507665
  * sparc64: Fix userspace FPU register corruptions.
    - LP: #1507665
  * rc-core: fix remove uevent generation
    - LP: #1507665
  * PCI: Fix TI816X class code quirk
    - LP: #1507665
  * mac80211: enable assoc check for mesh interfaces
    - LP: #1507665
  * PCI: Add dev_flags bit...

This bug was fixed in the package linux - 3.13.0-67.110

---------------
linux (3.13.0-67.110) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1509341

  [ Upstream Kernel Changes ]

  * Revert "net: Fix skb csum races when peeking"
    - LP: #1508510

linux (3.13.0-67.109) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1507963

  [ Tim Gardner ]

  * [Config] Add MMC modules sufficient for net booting
    - LP: #1502772

  [ Upstream Kernel Changes ]

  * USB: whiteheat: fix potential null-deref at probe
    - LP: #1478826
    - CVE-2015-5257
  * dcache: Handle escaped paths in prepend_path
    - LP: #1441108
    - CVE-2015-2925
  * vfs: Test for and handle paths that are unreachable from their mnt_root
    - LP: #1441108
    - CVE-2015-2925

 -- Luis Henriques <email address hidden> Fri, 23 Oct 2015 11:53:53 +0100

This bug was fixed in the package linux-lts-utopic - 3.16.0-52.71~14.04.1

---------------
linux-lts-utopic (3.16.0-52.71~14.04.1) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1509362

  [ Upstream Kernel Changes ]

  * Revert "net: Fix skb csum races when peeking"
    - LP: #1508510

linux-lts-utopic (3.16.0-52.70~14.04.1) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1508145
  * [Config] updateconfigs after 3.16.7-ckt18 stable update

  [ Tim Gardner ]

  * [Config] Add MMC modules sufficient for net booting
    - LP: #1502772

  [ Upstream Kernel Changes ]

  * USB: whiteheat: fix potential null-deref at probe
    - LP: #1478826
    - CVE-2015-5257
  * dcache: Handle escaped paths in prepend_path
    - LP: #1441108
    - CVE-2015-2925
  * vfs: Test for and handle paths that are unreachable from their mnt_root
    - LP: #1441108
    - CVE-2015-2925
  * hyperv: Add processing of MTU reduced by the host
    - LP: #1494431
  * hv_netvsc: Add support to set MTU reservation from guest side
    - LP: #1494431
  * hv_netvsc: Add close of RNDIS filter into change mtu call
    - LP: #1494431
  * ipv6: addrconf: validate new MTU before applying it
    - LP: #1508133
  * v4l: omap3isp: Fix sub-device power management code
    - LP: #1508133
  * rc-core: fix remove uevent generation
    - LP: #1508133
  * HID: cp2112: fix I2C_SMBUS_BYTE write
    - LP: #1508133
  * HID: cp2112: fix byte order in SMBUS operations
    - LP: #1508133
  * xtensa: fix threadptr reload on return to userspace
    - LP: #1508133
  * ARM: OMAP2+: DRA7: clockdomain: change l4per2_7xx_clkdm to SW_WKUP
    - LP: #1508133
  * mac80211: enable assoc check for mesh interfaces
    - LP: #1508133
  * PCI: Add dev_flags bit to access VPD through function 0
    - LP: #1508133
  * PCI: Add VPD function 0 quirk for Intel Ethernet devices
    - LP: #1508133
  * staging: comedi: usbduxsigma: don't clobber ai_timer in command test
    - LP: #1508133
  * staging: comedi: usbduxsigma: don't clobber ao_timer in command test
    - LP: #1508133
  * clk: exynos4: Fix wrong clock for Exynos4x12 ADC
    - LP: #1508133
  * usb: dwc3: ep0: Fix mem corruption on OUT transfers of more than 512
    bytes
    - LP: #1508133
  * Doc: ABI: testing: configfs-usb-gadget-loopback
    - LP: #1508133
  * Doc: ABI: testing: configfs-usb-gadget-sourcesink
    - LP: #1508133
  * serial: 8250_pci: Add support for Pericom PI7C9X795[1248]
    - LP: #1508133
  * KVM: MMU: fix validation of mmio page fault
    - LP: #1508133
  * auxdisplay: ks0108: fix refcount
    - LP: #1508133
  * devres: fix devres_get()
    - LP: #1508133
  * iio: adis16400: Fix adis16448 gyroscope scale
    - LP: #1508133
  * iio: Add inverse unit conversion macros
    - LP: #1508133
  * iio: adis16480: Fix scale factors
    - LP: #1508133
  * ideapad-laptop: Add Lenovo Yoga 3 14 to no_hw_rfkill dmi list
    - LP: #1508133
  * ASoC: rt5640: fix line out no sound issue
    - LP: #1508133
  * iio: industrialio-buffer: Fix iio_buffer_poll return value
    - LP: #1508133
  * iio: event: Remove negative error code from iio_event_poll
    - LP: #1508133
  * NFSv4: don't set SETATTR for O_...