Message-ID: <20120402162716.4c93bfd3@pluto.restena.lu>
Date: Mon, 2 Apr 2012 16:27:16 +0200
From: Bruno Prémont <bonbons@...ux-vserver.org>
To: linux-kernel@...r.kernel.org,
"Eric W. Biederman" <ebiederm@...ssion.com>
Cc: Greg KH <gregkh@...uxfoundation.org>,
Linus Torvalds <torvalds@...ux-foundation.org>
Subject: [3.4-rc1 crash]: NULL pointer deref in fs/sysfs/group.c:create_files -- sysctl related?
Trying to boot a freshly built 3.4-rc1 (x86_64) kernel, I'm getting the following
trace (server is an HP ProLiant G4):
[ 0.986317] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 0.990542] IP: [<ffffffff81152673>] internal_create_group+0x83/0x1a0
[ 0.993693] PGD 0
[ 0.994682] Oops: 0000 [#1] SMP
[ 0.996198] CPU 0
[ 0.996198] Modules linked in:
[ 0.996198]
[ 0.996198] Pid: 1, comm: swapper/0 Not tainted 3.4.0-rc1-x86_64 #3 HP ProLiant DL360 G4
[ 0.996198] RIP: 0010:[<ffffffff81152673>] [<ffffffff81152673>] internal_create_group+0x83/0x1a0
[ 0.996198] RSP: 0018:ffff88019485fd70 EFLAGS: 00010202
[ 0.996198] RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000000000001
[ 0.996198] RDX: ffff880192e99908 RSI: ffff880192e99630 RDI: ffffffff81a26c60
[ 0.996198] RBP: ffff88019485fdc0 R08: 0000000000000000 R09: 0000000000000000
[ 0.996198] R10: ffff880192e99908 R11: 0000000000000000 R12: ffffffff81a16a00
[ 0.996198] R13: ffff880192e99908 R14: ffffffff81a16900 R15: 0000000000000000
[ 0.996198] FS: 0000000000000000(0000) GS:ffff88019bc00000(0000) knlGS:0000000000000000
[ 0.996198] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 0.996198] CR2: 0000000000000000 CR3: 0000000001a0c000 CR4: 00000000000007f0
[ 0.996198] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 0.996198] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 0.996198] Process swapper/0 (pid: 1, threadinfo ffff88019485e000, task ffff880194878000)
[ 0.996198] Stack:
[ 0.996198] ffff88019485fdd0 ffff880192da9d60 0000000000000000 ffff880192e99908
[ 0.996198] ffff880192e995d8 0000000000000001 ffffffff81a16a00 ffff880192da9d60
[ 0.996198] 0000000000000000 0000000000000000 ffff88019485fdd0 ffffffff811527be
[ 0.996198] Call Trace:
[ 0.996198] [<ffffffff811527be>] sysfs_create_group+0xe/0x10
[ 0.996198] [<ffffffff81376ca6>] device_add_groups+0x46/0x80
[ 0.996198] [<ffffffff81377d3d>] device_add+0x46d/0x6a0
[ 0.996198] [<ffffffff81377891>] ? device_private_init+0x51/0x90
[ 0.996198] [<ffffffff81a98975>] ? utsname_sysctl_init+0x14/0x14
[ 0.996198] [<ffffffff810a7228>] pmu_dev_alloc+0x98/0xe0
[ 0.996198] [<ffffffff81a98975>] ? utsname_sysctl_init+0x14/0x14
[ 0.996198] [<ffffffff81a989c0>] perf_event_sysfs_init+0x4b/0x9a
[ 0.996198] [<ffffffff810002ad>] do_one_initcall+0x3d/0x170
[ 0.996198] [<ffffffff81a85cbd>] kernel_init+0x12d/0x1be
[ 0.996198] [<ffffffff81a85505>] ? rdinit_setup+0x28/0x28
[ 0.996198] [<ffffffff815f3714>] kernel_thread_helper+0x4/0x10
[ 0.996198] [<ffffffff81a85b90>] ? start_kernel+0x373/0x373
[ 0.996198] [<ffffffff815f3710>] ? gs_change+0xb/0xb
[ 0.996198] Code: ff 85 c0 0f 85 bc 00 00 00 4c 8b 6d c8 4d 85 ed 74 15 41 8b 45 00 85 c0 0f 84 0b 01 00 00 f0 41 ff 45 00 4c 8b 6d c8 49 8b 5e 10 <48> 8b 03 48 85 c0 74 71 45 31 e4 eb 44 49 8b 46 08 48 85 c0 74
[ 0.996198] RIP [<ffffffff81152673>] internal_create_group+0x83/0x1a0
[ 0.996198] RSP <ffff88019485fd70>
[ 0.996198] CR2: 0000000000000000
[ 1.131357] ---[ end trace 319c95c486d7d9cd ]---
[ 1.133676] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
[ 1.133677]
Short objdump analysis gives me:
ffffffff811525f0 <internal_create_group>:
ffffffff811525f0: 55 push %rbp
ffffffff811525f1: 48 89 e5 mov %rsp,%rbp
ffffffff811525f4: 41 57 push %r15
ffffffff811525f6: 41 89 f7 mov %esi,%r15d
ffffffff811525f9: 41 56 push %r14
ffffffff811525fb: 49 89 d6 mov %rdx,%r14
ffffffff811525fe: 41 55 push %r13
ffffffff81152600: 41 54 push %r12
ffffffff81152602: 53 push %rbx
ffffffff81152603: 48 83 ec 28 sub $0x28,%rsp
ffffffff81152607: 48 89 7d b8 mov %rdi,-0x48(%rbp)
ffffffff8115260b: 48 85 ff test %rdi,%rdi
ffffffff8115260e: 0f 84 5b 01 00 00 je ffffffff8115276f <internal_create_group+0x17f>
ffffffff81152614: 85 f6 test %esi,%esi
ffffffff81152616: 0f 84 48 01 00 00 je ffffffff81152764 <internal_create_group+0x174>
ffffffff8115261c: 48 8b 55 b8 mov -0x48(%rbp),%rdx
ffffffff81152620: b8 ea ff ff ff mov $0xffffffea,%eax
ffffffff81152625: 48 83 7a 30 00 cmpq $0x0,0x30(%rdx)
ffffffff8115262a: 0f 84 dd 00 00 00 je ffffffff8115270d <internal_create_group+0x11d>
ffffffff81152630: 49 8b 36 mov (%r14),%rsi
ffffffff81152633: 48 85 f6 test %rsi,%rsi
ffffffff81152636: 0f 84 e4 00 00 00 je ffffffff81152720 <internal_create_group+0x130>
ffffffff8115263c: 48 8d 55 c8 lea -0x38(%rbp),%rdx
ffffffff81152640: 48 8b 7d b8 mov -0x48(%rbp),%rdi
ffffffff81152644: e8 37 e9 ff ff callq ffffffff81150f80 <sysfs_create_subdir>
ffffffff81152649: 85 c0 test %eax,%eax
ffffffff8115264b: 0f 85 bc 00 00 00 jne ffffffff8115270d <internal_create_group+0x11d>
ffffffff81152651: 4c 8b 6d c8 mov -0x38(%rbp),%r13
ffffffff81152655: 4d 85 ed test %r13,%r13
ffffffff81152658: 74 15 je ffffffff8115266f <internal_create_group+0x7f>
ffffffff8115265a: 41 8b 45 00 mov 0x0(%r13),%eax
ffffffff8115265e: 85 c0 test %eax,%eax
ffffffff81152660: 0f 84 0b 01 00 00 je ffffffff81152771 <internal_create_group+0x181>
ffffffff81152666: f0 41 ff 45 00 lock incl 0x0(%r13)
ffffffff8115266b: 4c 8b 6d c8 mov -0x38(%rbp),%r13
ffffffff8115266f: 49 8b 5e 10 mov 0x10(%r14),%rbx
ffffffff81152673: 48 8b 03 mov (%rbx),%rax
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ffffffff81152676: 48 85 c0 test %rax,%rax
ffffffff81152679: 74 71 je ffffffff811526ec <internal_create_group+0xfc>
ffffffff8115267b: 45 31 e4 xor %r12d,%r12d
ffffffff8115267e: eb 44 jmp ffffffff811526c4 <internal_create_group+0xd4>
ffffffff81152680: 49 8b 46 08 mov 0x8(%r14),%rax
ffffffff81152684: 48 85 c0 test %rax,%rax
ffffffff81152687: 74 56 je ffffffff811526df <internal_create_group+0xef>
ffffffff81152689: 44 89 e2 mov %r12d,%edx
which matches (by comparing objdump with gcc -S fs/sysfs/group.c output):
static int create_files(struct sysfs_dirent *dir_sd, struct kobject *kobj,
			const struct attribute_group *grp, int update)
{
	struct attribute *const* attr;
	int error = 0, i;

	for (i = 0, attr = grp->attrs; *attr && !error; i++, attr++) {
	^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
		umode_t mode = 0;

		/* in update mode, we're changing the permissions or
		 * visibility. Do this by first removing then
		 * re-adding (if required) the file */
		if (update)
			sysfs_hash_and_remove(dir_sd, NULL, (*attr)->name);
		if (grp->is_visible) {
			mode = grp->is_visible(kobj, *attr, i);
			if (!mode)
				continue;
		}
		error = sysfs_add_file_mode(dir_sd, *attr, SYSFS_KOBJ_ATTR,
					    (*attr)->mode | mode);
		if (unlikely(error))
			break;
	}
	if (error)
		remove_files(dir_sd, kobj, grp);
	return error;
}
I've not verified for sure, but from my understanding it must be grp->attrs that is NULL
and causes the *attr test to explode.
Any immediate idea what it could be? (config attached)
Thanks,
Bruno
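Added illustration, not part of Bruno's message or of the kernel source: a userspace C model of the create_files() loop as reported, next to a variant that rejects a group whose attrs pointer was never filled in. The struct layouts, add_file(), created_count() and the two sample groups are constructed stand-ins.

```c
#include <errno.h>
#include <stddef.h>

/* Simplified stand-ins for the kernel structs (constructed, not the real layouts). */
struct attribute {
	const char *name;
	unsigned short mode;
};

struct attribute_group {
	const char *name;
	struct attribute **attrs;	/* NULL-terminated array, or NULL if never set up */
};

static int created;	/* files "added" by the most recent create_files call */

/* Stand-in for sysfs_add_file_mode(): counts instead of touching sysfs. */
static int add_file(const struct attribute *attr)
{
	(void)attr;
	created++;
	return 0;
}

int created_count(void) { return created; }

/* Shape of the 3.4-rc1 loop: the condition loads *attr before anything has
 * checked that grp->attrs itself is non-NULL, which is the faulting load in the trace. */
int create_files_as_reported(const struct attribute_group *grp)
{
	struct attribute *const *attr;
	int error = 0;
	created = 0;
	for (attr = grp->attrs; *attr && !error; attr++)
		error = add_file(*attr);
	return error;
}

/* Defensive variant: fail with -EINVAL instead of dereferencing a NULL attrs array. */
int create_files_checked(const struct attribute_group *grp)
{
	created = 0;
	if (!grp->attrs)
		return -EINVAL;
	return create_files_as_reported(grp);
}

/* Constructed sample groups: one well-formed, one with attrs left NULL as the report suspects. */
static struct attribute a_type = { "type", 0444 }, a_events = { "events", 0444 };
static struct attribute *ok_attrs[] = { &a_type, &a_events, NULL };
const struct attribute_group good_group = { "pmu", ok_attrs };
const struct attribute_group bad_group = { "pmu", NULL };
```

Only the checked variant is safe to call on bad_group; the as-reported loop on it reproduces the NULL load in userspace.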