lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <1337409691.95873.YahooMailNeo@web121303.mail.ne1.yahoo.com>
Date:	Fri, 18 May 2012 23:41:31 -0700 (PDT)
From:	Sam Portolla <samportolla@...oo.com>
To:	":" <linux-kernel@...r.kernel.org>
Cc:	"samPortolla@...oo.com" <samPortolla@...oo.com>
Subject: BUG:: NULL ptr de-ref in drop_buffers

Hi,

Please include my email address above in the reply as not a subscriber; reporting a bug and looking for a fix please.


Seen a previous discussion of this in 2.6.26 under bug 395849, but it does not mention a fix.

In this case, the issue happened on 2.6.23 GNU/Linux w/ x86_64 arch. 


Logs showing the issue followed by some analysis:

Unable to handle kernel NULL pointer dereference at 0000000000000000 RIP: 
 [<ffffffff802b3e69>] drop_buffers+0x29/0x120

RIP: 0010:[<ffffffff802b3e69>]  [<ffffffff802b3e69>] drop_buffers+0x29/0x120
RSP: 0000:ffff81026033bb00  EFLAGS: 00010207
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff81025c48c7d8
RDX: 0000000000000000 RSI: ffff81026033bb40 RDI: ffff81026fb7c238
RBP: ffff81026033bb30 R08: 00000000ffffffff R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000003 R12: ffff81024ecc4000
R13: ffff81025c48c7d8 R14: ffff81026fb7c238 R15: ffff81026033bb40
FS:  0000000000000000(0000) GS:ffff810267703400(0000) knlGS:0000000000000000
CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
CR2: 0000000000000000 CR3: 000000002b8a4000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process kswapd0 (pid: 322, threadinfo ffff810260338000, task ffff810262108000)
Stack:  ffff81026f9ac638 ffff81026fb7c238 ffff81025c48c7d8 ffff81025c48c7d8
 ffff81026033bd90 0000000000000001 ffff81026033bb60 ffffffff802b41c6
 0000000000000000 ffff81026fb7c238 ffff81026033be80 ffff81025c48c7d8
Call Trace:
 [<ffffffff802b41c6>] try_to_free_buffers+0x46/0xb0
 [<ffffffff80264c8e>] try_to_release_page+0x2e/0x50
 [<ffffffff8026bf73>] shrink_page_list+0x533/0x6f0
 [<ffffffff8026aa09>] release_pages+0x189/0x1c0
 [<ffffffff8026c273>] isolate_lru_pages+0xd3/0x1e0
 [<ffffffff8026c523>] shrink_inactive_list+0x163/0x410
 [<ffffffff8026cde5>] shrink_zone+0xf5/0x140
 [<ffffffff8026d507>] kswapd+0x387/0x540
 [<ffffffff802475e0>] autoremove_wake_function+0x0/0x40
 [<ffffffff8026d180>] kswapd+0x0/0x540
 [<ffffffff80246ef8>] kthread+0x68/0xa0
 [<ffffffff80229e24>] schedule_tail+0x54/0xc0
 [<ffffffff8020d058>] child_rip+0xa/0x12
 [<ffffffff80246e90>] kthread+0x0/0xa0
 [<ffffffff8020d04e>] child_rip+0x0/0x12

#### from GDB, the bh pointer in the 1st do/while loop in the drop_buffers() is NULL.


struct buffer_head *head(%r12)
This the 1st do/while loop:

0xffffffff802b3e69 <drop_buffers+41>:   mov    (%rbx),%eax

0xffffffff802b3e8d <drop_buffers+77>:   mov    0x8(%rbx),%rbx
0xffffffff802b3e91 <drop_buffers+81>:   cmp    %r12,%rbx
0xffffffff802b3e94 <drop_buffers+84>:   jne    0xffffffff802b3e69 <drop_buffers+41>

RBX: 0000000000000000


2825                    bh = bh->b_this_page;
2826            } while (bh != head);

In this do/while loop, the bh is NULL as %rbx


static int
drop_buffers(struct page *page, struct buffer_head **buffers_to_free)
{
    struct buffer_head *head = page_buffers(page);
    struct buffer_head *bh;

    bh = head;
    do {
        if (buffer_write_io_error(bh) && page->mapping)
            set_bit(AS_EIO, &page->mapping->flags);
        if (buffer_busy(bh))
            goto failed;
        bh = bh->b_this_page;
    } while (bh != head);

    do {
        struct buffer_head *next = bh->b_this_page;

        if (!list_empty(&bh->b_assoc_buffers))
            __remove_assoc_queue(bh);
        bh = next;
    } while (bh != head);
    *buffers_to_free = head;
    __clear_page_buffers(page);
    return 1;
failed:
    return 0;
}
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ