lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <1287458731.7546.9.camel@marge.simson.net>
Date:	Tue, 19 Oct 2010 05:25:31 +0200
From:	Mike Galbraith <efault@....de>
To:	LKML <linux-kernel@...r.kernel.org>
Cc:	Ingo Molnar <mingo@...e.hu>
Subject: [tip] NULL pointer dereference in free_irte()

v2.6.36-rc8-1869-g13b4713 went boom.


(gdb) list *free_irte+0x43
0xffffffff81170c36 is in free_irte (drivers/pci/intr_remapping.c:254).
249                     return 0;
250
251             iommu = irq_iommu->iommu;
252             index = irq_iommu->irte_index + irq_iommu->sub_handle;
253
254             start = iommu->ir_table->base + index;
255             end = start + (1 << irq_iommu->irte_mask);
256
257             for (entry = start; entry < end; entry++) {
258                     set_64bit(&entry->low, 0);
(gdb)

[   24.508170] BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
[   24.512012] IP: [<ffffffff81170c36>] free_irte+0x43/0xc0
[   24.512012] PGD 2233e1067 PUD 226269067 PMD 0 
[   24.512012] Oops: 0000 [#1] SMP 
[   24.512012] last sysfs file: /sys/devices/pci0000:00/0000:00:1f.2/host0/target0:0:0/0:0:0:0/block/sda/size
[   24.512012] CPU 3 
[   24.512012] Modules linked in: cpufreq_conservative cpufreq_ondemand cpufreq_userspace cpufreq_powersave acpi_cpufreq mperf snd_pcm_oss microcode snd_mixer_oss snd_seq snd_seq_device fuse loop dm_mod snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep snd_pcm snd_timer ohci1394 snd ieee1394 usb_storage e1000e processor soundcore firewire_ohci sr_mod usb_libusual rtc_cmos snd_page_alloc thermal rtc_core cdrom firewire_core crc_itu_t i2c_i801 rtc_lib button sg usbhid hid uhci_hcd ehci_hcd sd_mod usbcore edd fan ext3 ext2 mbcache jbd ahci libahci libata scsi_mod
[   24.512012] 
[   24.512012] Pid: 4301, comm: ip Not tainted 2.6.36-tip-smpx #1782 MS-7502/MS-7502
[   24.512012] RIP: 0010:[<ffffffff81170c36>]  [<ffffffff81170c36>] free_irte+0x43/0xc0
[   24.512012] RSP: 0018:ffff880223761618  EFLAGS: 00010046
[   24.512012] RAX: 0000000000000000 RBX: ffffffff815695b0 RCX: 0000000000000000
[   24.512012] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   24.512012] RBP: ffff880223761638 R08: 0000000000000002 R09: 0000000000000029
[   24.512012] R10: 0080ffff8146e0c0 R11: 0000000000000000 R12: 0000000000000282
[   24.512012] R13: ffff880227f645f8 R14: 0000000000000001 R15: 0000000000000001
[   24.512012] FS:  00007f5d886eb700(0000) GS:ffff8800cfd80000(0000) knlGS:0000000000000000
[   24.512012] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[   24.512012] CR2: 0000000000000080 CR3: 0000000222d70000 CR4: 00000000000006e0
[   24.512012] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   24.512012] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[   24.512012] Process ip (pid: 4301, threadinfo ffff880223760000, task ffff880222c92cc0)
[   24.512012] Stack:
[   24.512012]  0000000000000029 ffffffff81569590 0000000000000029 ffffffff81569590
[   24.512012] <0> ffff880223761668 ffffffff8101c1c2 ffff8802237616e6 ffff88022fd32980
[   24.512012] <0> 0000000000000001 ffff880227f645f8 ffff880223761678 ffffffff8101c436
[   24.512012] Call Trace:
[   24.512012]  [<ffffffff8101c1c2>] destroy_irq+0x3a/0x77
[   24.512012]  [<ffffffff8101c436>] arch_teardown_msi_irq+0xe/0x10
[   24.512012]  [<ffffffff8116a6eb>] arch_teardown_msi_irqs+0x56/0x7f
[   24.512012]  [<ffffffff8116a79e>] free_msi_irqs+0x8a/0x10b
[   24.512012]  [<ffffffff8116afcc>] pci_disable_msi+0x35/0x3a
[   24.512012]  [<ffffffffa01d677a>] e1000e_reset_interrupt_capability+0x55/0x63 [e1000e]
[   24.512012]  [<ffffffffa01d71e6>] e1000_open+0x158/0x374 [e1000e]
[   24.512012]  [<ffffffff812242b6>] __dev_open+0x9c/0xcf
[   24.512012]  [<ffffffff812244f6>] __dev_change_flags+0xad/0x131
[   25.008056]  [<ffffffff812245fb>] dev_change_flags+0x21/0x57
[   25.008056]  [<ffffffff8122db03>] do_setlink+0x29e/0x618
[   25.008056]  [<ffffffff8115da5e>] ? __nla_put+0x12/0x26
[   25.008056]  [<ffffffff8122eb67>] rtnl_newlink+0x25e/0x3eb
[   25.008056]  [<ffffffff8122e9d7>] ? rtnl_newlink+0xce/0x3eb
[   25.008056]  [<ffffffff8122e71a>] rtnetlink_rcv_msg+0x1e1/0x1f5
[   25.008056]  [<ffffffff8122e539>] ? rtnetlink_rcv_msg+0x0/0x1f5
[   25.008056]  [<ffffffff81243527>] netlink_rcv_skb+0x45/0x91
[   25.008056]  [<ffffffff8122e49b>] rtnetlink_rcv+0x26/0x2d
[   25.008056]  [<ffffffff81242f74>] netlink_unicast+0x213/0x28a
[   25.008056]  [<ffffffff81243246>] netlink_sendmsg+0x25b/0x2c3
[   25.008056]  [<ffffffff81211bad>] sock_sendmsg+0xe0/0xff
[   25.008056]  [<ffffffff810997b8>] ? find_get_page+0x28/0x85
[   25.008056]  [<ffffffff81099fee>] ? filemap_fault+0xca/0x32a
[   25.008056]  [<ffffffff810999ff>] ? unlock_page+0x2a/0x2f
[   25.008056]  [<ffffffff812133c0>] ? move_addr_to_kernel+0x41/0x54
[   25.008056]  [<ffffffff8121c083>] ? verify_iovec+0x5e/0xa3
[   25.008056]  [<ffffffff812142b9>] sys_sendmsg+0x226/0x28a
[   25.008056]  [<ffffffff81242281>] ? netlink_insert+0x106/0x12b
[   25.008056]  [<ffffffff8101fef9>] ? do_page_fault+0x2f6/0x331
[   25.008056]  [<ffffffff810b648f>] ? do_brk+0x28a/0x2de
[   25.008056]  [<ffffffff81213c2a>] ? sys_getsockname+0x6b/0x91
[   25.008056]  [<ffffffff8121435f>] ? sys_recvmsg+0x42/0x63
[   25.008056]  [<ffffffff8100211b>] system_call_fastpath+0x16/0x1b
[   25.008056] Code: 83 c8 ff 48 85 db 0f 84 95 00 00 00 48 c7 c7 40 fe 60 81 e8 17 0a 18 00 49 89 c4 31 c0 66 83 7b 0a 00 75 51 48 8b 3b 0f b7 73 08 <48> 8b 97 80 00 00 00 48 63 c6 0f b6 4b 0c 48 c1 e0 04 48 03 02 
[   25.008056] RIP  [<ffffffff81170c36>] free_irte+0x43/0xc0
[   25.008056]  RSP <ffff880223761618>
[   25.008056] CR2: 0000000000000080
[   25.008056] ---[ end trace f270ceb2a0ecbb96 ]---


Download attachment "config.gz" of type "application/x-gzip" (17068 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ