| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 20 Oct 2013 10:50:26 +0800
From: Fengguang Wu <fengguang.wu@...el.com>
To: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: linux-kernel@...r.kernel.org
Subject: [userns-always-map-user-v136] BUG: unable to handle kernel NULL
pointer dereference at (null)
Hi Eric,
It's beyond me why this trivial patch will lead to kernel panic. But
the NULL pointer dereference bug is 100% reproducible since this commit.
commit fd97e87d4112f5ec33223b0bdc3b7b07b273ecbe
Author: Eric W. Biederman <ebiederm@...ssion.com>
Date: Thu Oct 3 14:58:53 2013 -0700
pid: Stop open coding is_idle_task in fork.
This makes the code clearer and it removes one more use of task->pid.
Signed-off-by: "Eric W. Biederman" <ebiederm@...ssion.com>
[ 0.018865] ACPI: Core revision 20130725
[ 0.026468] ACPI: All ACPI Tables successfully acquired
[ 0.028112] Performance Events: unsupported Netburst CPU model 6 no PMU driver, software events only.
[ 0.030074] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 0.031525] IP: [<ffffffff8108e3be>] wake_up_process+0xa/0x37
[ 0.032623] PGD 0
[ 0.033033] Oops: 0000 [#1] PREEMPT
[ 0.033333] CPU: 0 PID: 0 Comm: swapper Not tainted 3.12.0-rc3-00071-gea0225a #452
[ 0.033333] task: ffff880000050040 ti: ffff88000004e000 task.ti: ffff88000004e000
[ 0.033333] RIP: 0010:[<ffffffff8108e3be>] [<ffffffff8108e3be>] wake_up_process+0xa/0x37
[ 0.033333] RSP: 0000:ffff88000004fd10 EFLAGS: 00010246
[ 0.033333] RAX: 0000000000000000 RBX: ffff88000004fd60 RCX: 0000000000000058
[ 0.033333] RDX: ffffffff81c4be90 RSI: ffffffff81085a52 RDI: 0000000000000000
[ 0.033333] RBP: ffff88000004fd18 R08: 0000000000000001 R09: 0000000000000058
[ 0.033333] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff81adbddf
[ 0.033333] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 0.033333] FS: 0000000000000000(0000) GS:ffffffff81c1e000(0000) knlGS:0000000000000000
[ 0.033333] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 0.033333] CR2: 0000000000000000 CR3: 0000000001c0d000 CR4: 00000000000006b0
[ 0.033333] Stack:
[ 0.033333] ffff88000004fd60 ffff88000004fe10 ffffffff81085a5e 000000000000000a
[ 0.033333] ffff880000050730 ffffffff810a986e ffffffff8108bc76 ffff880000094920
[ 0.033333] 0000000000000000 ffff880000050040 ffff880000000000 dead4ead00000001
[ 0.033333] Call Trace:
[ 0.033333] [<ffffffff81085a5e>] kthread_create_on_node+0x92/0x10c
[ 0.033333] [<ffffffff810a986e>] ? mark_lock+0x2e/0x25a
[ 0.033333] [<ffffffff8108bc76>] ? __smpboot_create_thread+0x9d/0x9d
[ 0.033333] [<ffffffff8108bc10>] ? __smpboot_create_thread+0x37/0x9d
[ 0.033333] [<ffffffff8108bc10>] ? __smpboot_create_thread+0x37/0x9d
[ 0.033333] [<ffffffff81085b70>] kthread_create_on_cpu+0x1b/0x4c
[ 0.033333] [<ffffffff8108bc35>] __smpboot_create_thread+0x5c/0x9d
[ 0.033333] [<ffffffff8108bfe5>] smpboot_register_percpu_thread+0x29/0x8d
[ 0.033333] [<ffffffff81f864c8>] ? ftrace_define_fields_softirq+0x30/0x30
[ 0.033333] [<ffffffff81f864d8>] spawn_ksoftirqd+0x10/0x1a
[ 0.033333] [<ffffffff81f76d9f>] do_one_initcall+0xaa/0x139
[ 0.033333] [<ffffffff810da307>] ? trace_preempt_on+0x12/0x2f
[ 0.033333] [<ffffffff8108e83e>] ? sub_preempt_count+0xb7/0xdc
[ 0.033333] [<ffffffff81f76ece>] kernel_init_freeable+0xa0/0x1c9
[ 0.033333] [<ffffffff816e59cd>] ? rest_init+0xc1/0xc1
[ 0.033333] [<ffffffff816e59db>] kernel_init+0xe/0xd6
[ 0.033333] [<ffffffff816f664a>] ret_from_fork+0x7a/0xb0
[ 0.033333] [<ffffffff816e59cd>] ? rest_init+0xc1/0xc1
[ 0.033333] Code: 44 89 e0 41 5c 41 5d 41 5e 41 5f 5d c3 e8 9b 80 66 00 55 48 8b 7f 08 48 89 e5 e8 dc fe ff ff 5d c3 e8 87 80 66 00 55 48 89 e5 53 <48> 8b 07 48 89 fb a8 0c 74 11 be 2e 06 00 00 48 c7 c7 e5 ee ad
[ 0.033333] RIP [<ffffffff8108e3be>] wake_up_process+0xa/0x37
[ 0.033333] RSP <ffff88000004fd10>
[ 0.033333] CR2: 0000000000000000
[ 0.033356] ---[ end trace 5811b7ce8c4f6c29 ]---
[ 0.034206] Kernel panic - not syncing: Attempted to kill the idle task!
As you may see from the below table, its parent commit 87eac4a7f8dd
- boots fine for 3997 times
- has out of memory for 2 times
- has bad pagetable for 1 time (dmesg attached)
branch BASE parent first bad branch HEAD
+---------------------------------------------------------------+-----------+--------------+--------------+--------------+
| | v3.12-rc3 | 87eac4a7f8dd | fd97e87d4112 | ea0225af2eca |
+---------------------------------------------------------------+-----------+--------------+--------------+--------------+
| good_boots | 30 | 3997 | | |
| has_kernel_error_warning | 0 | 3 | 1000 | 29 |
| Out_of_memory:Kill_process | 0 | 2 | | |
| Bad_pagetable:d_PREEMPT | 0 | 1 | | |
| BUG:unable_to_handle_kernel_NULL_pointer_dereference_at(null) | 0 | 0 | 1000 | 29 |
| Oops:PREEMPT | 0 | 0 | 1000 | 29 |
| Kernel_panic-not_syncing:Attempted_to_kill_the_idle_task | 0 | 0 | 0 | 29 |
+---------------------------------------------------------------+-----------+--------------+--------------+--------------+
git bisect start ea0225af2eca6d14e7f1d33bcb12fa1808273b6f 15c03dd4859ab16f9212238f29dd315654aa94f6 --
git bisect good 6f5f7f4025978c2ab083087f7befc368c7c2c23f # 20:28 20+ 0 pid: Kill task_tgid_nr
git bisect bad 8b58ff728b1aeba33f24da520a19219dbc3b0c24 # 20:28 0- 20 kgdb: Stop using task->pid and task->tgid
git bisect bad 3f0f902ca9e2f611a299373d44306d0c491d8898 # 20:33 0- 1 yama: Stop using task->pid
git bisect good 87eac4a7f8ddcbb3fbf9ade76a975b260d67d7b5 # 23:32 1000+ 1 pid: Modify is_idle_task to test pid pointers instead of pid numbers
git bisect bad e7cd1fe89c39ccc3af68b6adab648b6b065bc4e1 # 23:33 0- 18 pid: Modify request_key_auth to use struct pid instead of pid_t values
git bisect bad fd97e87d4112f5ec33223b0bdc3b7b07b273ecbe # 23:34 0- 6 pid: Stop open coding is_idle_task in fork.
git bisect good 87eac4a7f8ddcbb3fbf9ade76a975b260d67d7b5 # 00:34 3000+ 3 pid: Modify is_idle_task to test pid pointers instead of pid numbers
git bisect bad ea0225af2eca6d14e7f1d33bcb12fa1808273b6f # 00:34 0- 29 pidns: Abandoned approach to cleaning up after the first pid
git bisect good 6481c9b08167dd3520a2f4f42c7edd6d8320a403 # 01:20 3000+ 3 Revert "pid: Stop open coding is_idle_task in fork."
git bisect good bdeeab62a611f1f7cd48fd285ce568e8dcd0455a # 02:26 3000+ 0 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs
git bisect good a0cf1abc25ac197dd97b857c0f6341066a8cb1cf # 03:18 3000+ 0 Add linux-next specific files for 20130927
Thanks,
Fengguang
View attachment "dmesg-yocto-bens-4:20131018085048:x86_64-randconfig-x3----1018:3.12.0-rc3-00071-gea0225a:452" of type "text/plain" (15231 bytes)
Download attachment "bisect-ea0225af2eca6d14e7f1d33bcb12fa1808273b6f-x86_64-randconfig-x3----1018-BUG:-unable-to-handle-kernel-NULL-pointer-dereference-120087.log" of type "application/octet-stream" (38997 bytes)
View attachment "config-3.12.0-rc3-00071-gea0225a" of type "text/plain" (79062 bytes)
View attachment "dmesg-yocto-lkp-tt02-12:20131019140221:x86_64-randconfig-x3----1018:3.12.0-rc3-00039-g87eac4a:666" of type "text/plain" (47830 bytes)
Powered by blists - more mailing lists