lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <a8e1da0707300258k4ee5ed93yadd9e87af45b9330@mail.gmail.com>
Date:	Mon, 30 Jul 2007 09:58:34 +0000
From:	"Dave Young" <hidave.darkstar@...il.com>
To:	"Grant Wilson" <grant.wilson@....co.uk>
Cc:	"Andrew Morton" <akpm@...ux-foundation.org>,
	linux-kernel@...r.kernel.org
Subject: Re: 2.6.23-rc1-mm1

> Hi,
> I get an oops when trying to mount an ISO file using the loopback device.
> If I revert the patch 'loop-use-unlocked_ioctl.patch' the mount works.
>
> Here's the oops:
>
> [   85.697033] Unable to handle kernel NULL pointer dereference at 0000000000000100 RIP:
> [   85.702528]  [<ffffffff80477885>] lo_ioctl+0x25/0xaa0
> [   85.710066] PGD 73fd067 PUD 735b067 PMD 0
> [   85.714221] Oops: 0000 [1] PREEMPT SMP
> [   85.718117] CPU 1
> [   85.720159] Modules linked in:
> [   85.723242] Pid: 3976, comm: mount Not tainted 2.6.23-rc1-mm1 #4
> [   85.729247] RIP: 0010:[<ffffffff80477885>]  [<ffffffff80477885>] lo_ioctl+0x25/0xaa0
> [   85.737011] RSP: 0018:ffff8100076a3708  EFLAGS: 00010282
> [   85.742326] RAX: ffffffff80477860 RBX: 00000000fffffdfd RCX: 0000000000005310
> [   85.749459] RDX: ffff8100076a3b58 RSI: 0000000000005310 RDI: 0000000000000000
> [   85.756591] RBP: ffff8100076a3908 R08: ffff8100076a3b58 R09: ffff81000649da80
> [   85.763723] R10: 0000000000000000 R11: 2222222222222222 R12: 0000000000005310
> [   85.770856] R13: ffff8100076a3b58 R14: 0000000000005310 R15: 0000000000000000
> [   85.777988] FS:  00002b4fab3a0e20(0000) GS:ffff810004017180(0000) knlGS:0000000000000000
> [   85.786081] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> [   85.791829] CR2: 0000000000000100 CR3: 00000000073d7000 CR4: 00000000000006e0
> [   85.798970] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [   85.806102] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> [   85.813235] Process mount (pid: 3976, threadinfo ffff8100076a2000, task ffff8100062f66d0)
> [   85.821413] Stack:  0000000200000001 ffff8100062f6e90 ffff8100062f6e90 000000000013638a
> [   85.829533]  ffffffff80a78ef0 0000000000000000 ffff8100076a37b8 ffffffff8025c690
> [   85.837020]  ffff8100062f66d0 ffff8100062f6e58 0000000200000001 0000000000000000
> [   85.844308] Call Trace:
> [   85.846961]  [<ffffffff8025c690>] __lock_acquire+0x3d0/0x1170
> [   85.852715]  [<ffffffff8025baee>] mark_held_locks+0x3e/0x80
> [   85.858290]  [<ffffffff8064ff0a>] __mutex_lock_slowpath+0x1ca/0x330
> [   85.864565]  [<ffffffff8025baee>] mark_held_locks+0x3e/0x80
> [   85.870139]  [<ffffffff8064fd39>] mutex_unlock+0x9/0x10
> [   85.875366]  [<ffffffff8064fc69>] __mutex_unlock_slowpath+0xd9/0x1a0
> [   85.881720]  [<ffffffff8025bcca>] trace_hardirqs_on+0xda/0x180
> [   85.887555]  [<ffffffff8064fd39>] mutex_unlock+0x9/0x10
> [   85.892782]  [<ffffffff802c3ba1>] do_open+0x231/0x320
> [   85.897839]  [<ffffffff803b7113>] blkdev_driver_ioctl+0x43/0x90
> [   85.903758]  [<ffffffff803b7429>] blkdev_ioctl+0x2c9/0x780
> [   85.909247]  [<ffffffff8065149d>] trace_hardirqs_on_thunk+0x35/0x37
> [   85.915522]  [<ffffffff8020c320>] restore_args+0x0/0x30
> [   85.920751]  [<ffffffff802c2d60>] kill_bdev+0x0/0x40
> [   85.925718]  [<ffffffff802c4084>] ioctl_by_bdev+0x34/0x50
> [   85.931119]  [<ffffffff80336019>] isofs_fill_super+0x969/0xaf0
> [   85.936954]  [<ffffffff80299b9c>] sget+0x3c/0x3f0
> [   85.941662]  [<ffffffff80299760>] test_bdev_super+0x0/0x20
> [   85.947150]  [<ffffffff80651fc0>] _spin_unlock+0x30/0x60
> [   85.952464]  [<ffffffff80299760>] test_bdev_super+0x0/0x20
> [   85.957951]  [<ffffffff80299f4a>] sget+0x3ea/0x3f0
> [   85.962747]  [<ffffffff803c662f>] strlcpy+0x4f/0x70
> [   85.967628]  [<ffffffff8029aa9c>] get_sb_bdev+0x15c/0x190
> [   85.973029]  [<ffffffff803356b0>] isofs_fill_super+0x0/0xaf0
> [   85.978693]  [<ffffffff80334fb3>] isofs_get_sb+0x13/0x20
> [   85.984006]  [<ffffffff8029a4c8>] vfs_kern_mount+0x58/0xc0
> [   85.989494]  [<ffffffff802b2366>] do_mount+0x206/0x850
> [   85.994635]  [<ffffffff8027b891>] __mod_zone_page_state+0x21/0x90
> [   86.000729]  [<ffffffff80273160>] rmqueue_bulk+0x90/0xb0
> [   86.006043]  [<ffffffff80651fc0>] _spin_unlock+0x30/0x60
> [   86.011358]  [<ffffffff80273160>] rmqueue_bulk+0x90/0xb0
> [   86.016673]  [<ffffffff80274425>] get_page_from_freelist+0x395/0x500
> [   86.023026]  [<ffffffff8025bcca>] trace_hardirqs_on+0xda/0x180
> [   86.028860]  [<ffffffff802742b3>] get_page_from_freelist+0x223/0x500
> [   86.035213]  [<ffffffff80274639>] __alloc_pages+0x59/0x3a0
> [   86.040702]  [<ffffffff80246d68>] sigprocmask+0x38/0xf0
> [   86.045929]  [<ffffffff802940e8>] kmem_cache_alloc+0x98/0xd0
> [   86.051590]  [<ffffffff80274a00>] __get_free_pages+0x80/0x90
> [   86.057251]  [<ffffffff802b2a44>] sys_mount+0x94/0xf0
> [   86.062305]  [<ffffffff8065149d>] trace_hardirqs_on_thunk+0x35/0x37
> [   86.068572]  [<ffffffff8020bd7e>] system_call+0x7e/0x83
> [   86.073799]
> [   86.075296] INFO: lockdep is turned off.
> [   86.079226]
> [   86.079227] Code: 48 8b 87 00 01 00 00 49 89 d6 48 8b 18 48 8b 83 10 03 00 00
> [   86.088306] RIP  [<ffffffff80477885>] lo_ioctl+0x25/0xaa0
> [   86.093734]  RSP <ffff8100076a3708>
> [   86.097231] CR2: 0000000000000100
>

Hi, andrew,
I debugged this problem. The oops is caused by NUll file pointer.

I change the unlocked_ioctl to ioctl  in fops.  print some debug info :
 [   51.018272] hidave ### cmd : get_status
[   51.018281] hidave ### cmd : 19459 inode : c2024b9c file : c2e89c00
[   51.052419] hidave ### cmd : set_fd
[   51.052426] hidave ### cmd : 19456 inode : c2024b9c file : c2e89100
[   51.052494] hidave ### cmd : set_status64
[   51.052500] hidave ### cmd : 19460 inode : c2024b9c file : c2e89100
[   51.125241] hidave ### cmd : unknown
>>(The 21264 cmd is a cdrom ioctl command.)
[   51.125248] hidave ### cmd : 21264 inode : c2024b9c file : 00000000
>>if use ioctl interface the inode is transfered, but in the
unlocked_ioctl interface only  the file pointer is transfered, so NULL
caused the panic.

PS: I noticed the fs/block_dev.c: line 1374:
res = blkdev_ioctl(bdev->bd_inode, NULL, cmd, arg);

So, just changeback  from unlocked_ioctl to ioctl, the lock_kernel
remove is still ok.

Regards
dave
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ