Message-ID: <20120315094945.GA3205@localhost>
Date: Thu, 15 Mar 2012 17:49:45 +0800
From: Fengguang Wu <fengguang.wu@...el.com>
To: Tejun Heo <tj@...nel.org>
Cc: Jens Axboe <axboe@...nel.dk>, Vivek Goyal <vgoyal@...hat.com>,
LKML <linux-kernel@...r.kernel.org>
Subject: NULL dereference BUG in cfq_init_queue()
Hi Tejun,
I ran into this bug on both 3.3.0-rc6-next-20120309 and
3.3.0-rc7-next-20120314. The vanilla kernel is fine. My kconfig is
attached.
scripts/decodecode:
[ 0.895765] Code: bc 24 70 07 00 00 e8 55 90 5b 00 48 8b 43 48 48 85 c0 48 89 83 48 03 00 00 74 07 4c 8b a8 10 ff ff ff 83 3d cc 6b b1 00 00 74 1c <49> 8b 45 00 48 8b b8 70 07 00 00 48 83 c7 18 e8 13 d8 cb ff 85
All code
========
0: bc 24 70 07 00 mov $0x77024,%esp
5: 00 e8 add %ch,%al
7: 55 push %rbp
8: 90 nop
9: 5b pop %rbx
a: 00 48 8b add %cl,-0x75(%rax)
d: 43 rex.XB
e: 48 rex.W
f: 48 85 c0 test %rax,%rax
12: 48 89 83 48 03 00 00 mov %rax,0x348(%rbx)
19: 74 07 je 0x22
1b: 4c 8b a8 10 ff ff ff mov -0xf0(%rax),%r13
22: 83 3d cc 6b b1 00 00 cmpl $0x0,0xb16bcc(%rip) # 0xb16bf5
29: 74 1c je 0x47
2b:* 49 8b 45 00 mov 0x0(%r13),%rax <-- trapping instruction
2f: 48 8b b8 70 07 00 00 mov 0x770(%rax),%rdi
36: 48 83 c7 18 add $0x18,%rdi
3a: e8 13 d8 cb ff callq 0xffffffffffcbd852
3f: 85 .byte 0x85
cfq-iosched.s:
movl $1, 808(%rbx) #, MEM[(struct cfq_queue *)cfqd_195 + 624B].pid
orq %rdx, %rax # tmp184, tmp185
movq %rax, 672(%rbx) # tmp185, MEM[(long unsigned int *)cfqd_195 + 672B]
leaq 736(%rbx), %rax #, D.36977
movq %rax, 736(%rbx) # D.36977, MEM[(struct list_head *)cfqd_195 + 736B].next
movq %rax, 744(%rbx) # D.36977, MEM[(struct list_head *)cfqd_195 + 736B].prev
movl $1, 624(%rbx) #, cfqd_195->oom_cfqq.ref
movq 1904(%r12), %rdi # q_3(D)->queue_lock, q_3(D)->queue_lock
call _raw_spin_lock_irq #
movq 72(%rbx), %rax # cfqd_195->root_group, D.32249
testq %rax, %rax # D.32249
movq %rax, 840(%rbx) # D.32249, MEM[(struct cfq_group * *)cfqd_195 + 840B]
je .L112 #,
movq -240(%rax), %r13 # MEM[(struct blkg_policy_data *)D.32249_23 + -240B].blkg, D.36985
.L112:
cmpl $0, debug_locks(%rip) #, debug_locks
je .L117 #,
==> movq 0(%r13), %rax # D.36985_144->q, D.36985_144->q
movq 1904(%rax), %rdi # D.37004_146->queue_lock, D.37004_146->queue_lock
addq $24, %rdi #, tmp189
call lock_is_held #
testl %eax, %eax # D.37001
je .L114 #,
.L117:
cmpl $0, 176(%r13) #, D.36985_144->refcnt
jg .L115 #,
cmpb $1, __warned.29726(%rip) #, __warned
je .L115 #,
movl $296, %esi #,
movq $.LC8, %rdi #,
call warn_slowpath_null #
movb $1, __warned.29726(%rip) #, __warned
.L115:
movl 176(%r13), %eax # D.36985_144->refcnt, D.36985_144->refcnt
decl %eax # D.36990
testl %eax, %eax # D.36990
movl %eax, 176(%r13) # D.36990, D.36985_144->refcnt
[ 0.845481] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 0.846338] IP: [<ffffffff813ee7a6>] cfq_init_queue+0x254/0x3ee
[ 0.846338] PGD 0
[ 0.846338] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
[ 0.846338] CPU 0
[ 0.846338] Modules linked in:
[ 0.846338]
[ 0.846338] Pid: 1, comm: swapper/0 Not tainted 3.3.0-rc7-next-20120314 #1037 Bochs Bochs
[ 0.846338] RIP: 0010:[<ffffffff813ee7a6>] [<ffffffff813ee7a6>] cfq_init_queue+0x254/0x3ee
[ 0.846338] RSP: 0018:ffff88001dc27da0 EFLAGS: 00010002
[ 0.846338] RAX: ffff88001cfe7000 RBX: ffff88001cfe6c00 RCX: 8c6318c6318c6320
[ 0.846338] RDX: ffff88001f40de10 RSI: ffffffff81f2b558 RDI: 0000000000000046
[ 0.846338] RBP: ffff88001dc27dd0 R08: ffff88001dc27c1c R09: ffffffff8233aeb8
[ 0.846338] R10: ffff88001f40b000 R11: ffff88001dc406a0 R12: ffff88001cfc8000
[ 0.846338] R13: 0000000000000000 R14: 0000000000000010 R15: ffff88001cfe7040
[ 0.846338] FS: 0000000000000000(0000) GS:ffff88001f400000(0000) knlGS:0000000000000000
[ 0.846338] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 0.846338] CR2: 0000000000000000 CR3: 0000000001e99000 CR4: 00000000000006f0
[ 0.846338] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 0.846338] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 0.846338] Process swapper/0 (pid: 1, threadinfo ffff88001dc26000, task ffff88001dc40000)
[ 0.846338] Stack:
[ 0.846338] 00000000fffffff4 ffff88001cfc8000 ffffffff81f12700 00000000fffffff4
[ 0.846338] ffff88001cfe6800 0000000000000000 ffff88001dc27e00 ffffffff813d7b7f
[ 0.846338] 00000000001d7150 ffff88001cfc8000 ffffffff81f2b540 ffffffff8151d090
[ 0.846338] Call Trace:
[ 0.846338] [<ffffffff813d7b7f>] elevator_init+0xe4/0x11a
[ 0.846338] [<ffffffff8151d090>] ? lock_fdc.isra.22+0x10b/0x10b
[ 0.846338] [<ffffffff813ddf2e>] blk_init_allocated_queue+0x106/0x121
[ 0.846338] [<ffffffff8151d090>] ? lock_fdc.isra.22+0x10b/0x10b
[ 0.846338] [<ffffffff813de206>] blk_init_queue_node+0x3c/0x5c
[ 0.846338] [<ffffffff813e5a0d>] ? alloc_disk_node+0xc0/0xe2
[ 0.846338] [<ffffffff813de237>] blk_init_queue+0x11/0x13
[ 0.846338] [<ffffffff821b6123>] floppy_init+0x78/0xdbd
[ 0.846338] [<ffffffff821b60ab>] ? set_cmos+0x67/0x67
[ 0.846338] [<ffffffff8100020f>] do_one_initcall+0x7f/0x140
[ 0.846338] [<ffffffff82189c60>] kernel_init+0x11f/0x1a3
[ 0.846338] [<ffffffff821894aa>] ? rdinit_setup+0x28/0x28
[ 0.846338] [<ffffffff819b8d74>] kernel_thread_helper+0x4/0x10
[ 0.846338] [<ffffffff819b0f30>] ? retint_restore_args+0x13/0x13
[ 0.846338] [<ffffffff82189b41>] ? start_kernel+0x38f/0x38f
[ 0.846338] [<ffffffff819b8d70>] ? gs_change+0x13/0x13
[ 0.846338] Code: bc 24 70 07 00 00 e8 55 1c 5c 00 48 8b 43 48 48 85 c0 48 89 83 48 03 00 00 74 07 4c 8b a8 10 ff ff ff 83 3d 5c 4f b2 00 00 74 1c <49> 8b 45 00 48 8b b8 70 07 00 00 48 83 c7 18 e8 db da cb ff 85
[ 0.846338] RIP [<ffffffff813ee7a6>] cfq_init_queue+0x254/0x3ee
[ 0.846338] RSP <ffff88001dc27da0>
[ 0.846338] CR2: 0000000000000000
[ 0.846338] ---[ end trace 5d580544713b781e ]---
[ 0.883287] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 0.884120] IP: [<ffffffff813eec06>] cfq_init_queue+0x254/0x3ee
[ 0.884120] PGD 0
[ 0.884120] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
[ 0.884120] CPU 0
[ 0.884120] Modules linked in:
[ 0.884120]
[ 0.884120] Pid: 1, comm: swapper/0 Not tainted 3.3.0-rc7-next-20120314+ #1035 Bochs Bochs
[ 0.884120] RIP: 0010:[<ffffffff813eec06>] [<ffffffff813eec06>] cfq_init_queue+0x254/0x3ee
[ 0.884120] RSP: 0018:ffff88001dc27da0 EFLAGS: 00010002
[ 0.884120] RAX: ffff88001cfbf000 RBX: ffff88001cfbec00 RCX: 8c6318c6318c6320
[ 0.884120] RDX: ffff88001f40de10 RSI: ffffffff81f2b598 RDI: 0000000000000046
[ 0.884120] RBP: ffff88001dc27dd0 R08: ffff88001dc27c1c R09: ffffffff8233aeb8
[ 0.884120] R10: ffff88001f40b000 R11: ffff88001dc406a0 R12: ffff88001cff0000
[ 0.884120] R13: 0000000000000000 R14: 0000000000000010 R15: ffff88001cfbf040
[ 0.884120] FS: 0000000000000000(0000) GS:ffff88001f400000(0000) knlGS:0000000000000000
[ 0.884120] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 0.884120] CR2: 0000000000000000 CR3: 0000000001e99000 CR4: 00000000000006f0
[ 0.884120] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 0.884120] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 0.884120] Process swapper/0 (pid: 1, threadinfo ffff88001dc26000, task ffff88001dc40000)
[ 0.884120] Stack:
[ 0.884120] 00000000fffffff4 ffff88001cff0000 ffffffff81f12770 00000000fffffff4
[ 0.884120] ffff88001cfbe800 0000000000000000 ffff88001dc27e00 ffffffff813d7fdf
[ 0.884120] 00000000001d7150 ffff88001cff0000 ffffffff81f2b580 ffffffff8151d4f0
[ 0.884120] Call Trace:
[ 0.884120] [<ffffffff813d7fdf>] elevator_init+0xe4/0x11a
[ 0.884120] [<ffffffff8151d4f0>] ? lock_fdc.isra.22+0x10b/0x10b
[ 0.884120] [<ffffffff813de38e>] blk_init_allocated_queue+0x106/0x121
[ 0.884120] [<ffffffff8151d4f0>] ? lock_fdc.isra.22+0x10b/0x10b
[ 0.884120] [<ffffffff813de666>] blk_init_queue_node+0x3c/0x5c
[ 0.884120] [<ffffffff813e5e6d>] ? alloc_disk_node+0xc0/0xe2
[ 0.884120] [<ffffffff813de697>] blk_init_queue+0x11/0x13
[ 0.884120] [<ffffffff821b6123>] floppy_init+0x78/0xdbd
[ 0.884120] [<ffffffff821b60ab>] ? set_cmos+0x67/0x67
[ 0.884120] [<ffffffff8100020f>] do_one_initcall+0x7f/0x140
[ 0.884120] [<ffffffff82189c60>] kernel_init+0x11f/0x1a3
[ 0.884120] [<ffffffff821894aa>] ? rdinit_setup+0x28/0x28
[ 0.884120] [<ffffffff819b91b4>] kernel_thread_helper+0x4/0x10
[ 0.884120] [<ffffffff819b1370>] ? retint_restore_args+0x13/0x13
[ 0.884120] [<ffffffff82189b41>] ? start_kernel+0x38f/0x38f
[ 0.884120] [<ffffffff819b91b0>] ? gs_change+0x13/0x13
[ 0.884120] Code: bc 24 70 07 00 00 e8 55 1c 5c 00 48 8b 43 48 48 85 c0 48 89 83 48 03 00 00 74 07 4c 8b a8 10 ff ff ff 83 3d 6c 4b b2 00 00 74 1c <49> 8b 45 00 48 8b b8 70 07 00 00 48 83 c7 18 e8 7b d6 cb ff 85
[ 0.884120] RIP [<ffffffff813eec06>] cfq_init_queue+0x254/0x3ee
[ 0.884120] RSP <ffff88001dc27da0>
[ 0.884120] CR2: 0000000000000000
[ 0.884120] ---[ end trace c8ab7eb772c499e5 ]---
[ 0.894949] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 0.895765] IP: [<ffffffff813eeaa6>] cfq_init_queue+0x254/0x3ee
[ 0.895765] PGD 0
[ 0.895765] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
[ 0.895765] CPU 0
[ 0.895765] Modules linked in:
[ 0.895765]
[ 0.895765] Pid: 1, comm: swapper/0 Not tainted 3.3.0-rc6-next-20120309+ #1034 Bochs Bochs
[ 0.895765] RIP: 0010:[<ffffffff813eeaa6>] [<ffffffff813eeaa6>] cfq_init_queue+0x254/0x3ee
[ 0.895765] RSP: 0018:ffff88001dc27da0 EFLAGS: 00010002
[ 0.895765] RAX: ffff88001c80b000 RBX: ffff88001c80ac00 RCX: 8c6318c6318c6320
[ 0.895765] RDX: ffff88001f40dc10 RSI: ffffffff81f1d478 RDI: 0000000000000046
[ 0.895765] RBP: ffff88001dc27dd0 R08: ffff88001dc27c1c R09: ffffffff8232ceb8
[ 0.895765] R10: ffff88001f40b000 R11: ffff88001dc406a8 R12: ffff88001cdc0000
[ 0.895765] R13: 0000000000000000 R14: 0000000000000010 R15: ffff88001c80b040
[ 0.895765] FS: 0000000000000000(0000) GS:ffff88001f400000(0000) knlGS:0000000000000000
[ 0.895765] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 0.895765] CR2: 0000000000000000 CR3: 0000000001e8b000 CR4: 00000000000006f0
[ 0.895765] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 0.895765] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 0.895765] Process swapper/0 (pid: 1, threadinfo ffff88001dc26000, task ffff88001dc40000)
[ 0.895765] Stack:
[ 0.895765] 00000000fffffff4 ffff88001cdc0000 ffffffff81f04670 00000000fffffff4
[ 0.895765] ffff88001c80a800 0000000000000000 ffff88001dc27e00 ffffffff813d7e7f
[ 0.895765] 00000000001d6f50 ffff88001cdc0000 ffffffff81f1d460 ffffffff8151d368
[ 0.895765] Call Trace:
[ 0.895765] [<ffffffff813d7e7f>] elevator_init+0xe4/0x11a
[ 0.895765] [<ffffffff8151d368>] ? lock_fdc.isra.22+0x10b/0x10b
[ 0.895765] [<ffffffff813de22e>] blk_init_allocated_queue+0x106/0x121
[ 0.895765] [<ffffffff8151d368>] ? lock_fdc.isra.22+0x10b/0x10b
[ 0.895765] [<ffffffff813de506>] blk_init_queue_node+0x3c/0x5c
[ 0.895765] [<ffffffff813e5d0d>] ? alloc_disk_node+0xc0/0xe2
[ 0.895765] [<ffffffff813de537>] blk_init_queue+0x11/0x13
[ 0.895765] [<ffffffff821a80b2>] floppy_init+0x78/0xdbd
[ 0.895765] [<ffffffff821a803a>] ? set_cmos+0x67/0x67
[ 0.895765] [<ffffffff8100020f>] do_one_initcall+0x7f/0x140
[ 0.895765] [<ffffffff8217bc60>] kernel_init+0x11f/0x1a3
[ 0.895765] [<ffffffff8217b4aa>] ? rdinit_setup+0x28/0x28
[ 0.895765] [<ffffffff819b0474>] kernel_thread_helper+0x4/0x10
[ 0.895765] [<ffffffff819a8630>] ? retint_restore_args+0x13/0x13
[ 0.895765] [<ffffffff8217bb41>] ? start_kernel+0x38f/0x38f
[ 0.895765] [<ffffffff819b0470>] ? gs_change+0x13/0x13
[ 0.895765] Code: bc 24 70 07 00 00 e8 55 90 5b 00 48 8b 43 48 48 85 c0 48 89 83 48 03 00 00 74 07 4c 8b a8 10 ff ff ff 83 3d cc 6b b1 00 00 74 1c <49> 8b 45 00 48 8b b8 70 07 00 00 48 83 c7 18 e8 13 d8 cb ff 85
[ 0.895765] RIP [<ffffffff813eeaa6>] cfq_init_queue+0x254/0x3ee
[ 0.895765] RSP <ffff88001dc27da0>
[ 0.895765] CR2: 0000000000000000
[ 0.895765] ---[ end trace 91ab7b260bc38ae6 ]---
Thanks,
Fengguang