| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 24 Oct 2012 21:44:07 -0700 From: Darren Hart <dvhart@...ux.intel.com> To: Dave Jones <davej@...hat.com>, Linux Kernel <linux-kernel@...r.kernel.org> Subject: Re: pi futex oops in __lock_acquire On 10/24/2012 01:24 PM, Dave Jones wrote: > I've been able to trigger this for the last week or so. > Unclear whether this is a new bug, or my fuzzer got smarter, but I see the > pi-futex code hasn't changed since the last time it found something.. > > > BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 > > IP: [<ffffffff810e185e>] __lock_acquire+0x5e/0x1ba0 > > PGD 8e72c067 PUD 34f07067 PMD 0 > > Oops: 0000 [#1] PREEMPT SMP > > CPU 7 > > Pid: 27513, comm: trinity-child0 Not tainted 3.7.0-rc2+ #43 > > RIP: 0010:[<ffffffff810e185e>] [<ffffffff810e185e>] __lock_acquire+0x5e/0x1ba0 > > RSP: 0018:ffff8800803f7b28 EFLAGS: 00010046 > > RAX: 0000000000000086 RBX: 0000000000000000 RCX: 0000000000000000 > > RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000018 > > RBP: ffff8800803f7c18 R08: 0000000000000002 R09: 0000000000000000 > > R10: 0000000000000000 R11: 2222222222222222 R12: 0000000000000002 > > R13: ffff880051dd8000 R14: 0000000000000002 R15: 0000000000000018 > > FS: 00007f9fc6ccb740(0000) GS:ffff880148a00000(0000) knlGS:0000000000000000 > > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > > CR2: 0000000000000018 CR3: 000000008e6fb000 CR4: 00000000001407e0 > > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > > DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 > > Process trinity-child0 (pid: 27513, threadinfo ffff8800803f6000, task ffff880051dd8000) > > Stack: > > ffff8800803f7b48 ffffffff816c5c59 ffff8800803f7b48 ffff88014840ebc0 > > ffff8800803f7b68 ffffffff816c18e3 ffff8800803f7d10 0000000000000001 > > ffff8800803f7ba8 ffffffff810a1e62 ffff8800803f7d10 0000000000000282 > > Call Trace: > > [<ffffffff816c5c59>] ? sub_preempt_count+0x79/0xd0 > > [<ffffffff816c18e3>] ? _raw_spin_unlock_irqrestore+0x73/0xa0 > > [<ffffffff810a1e62>] ? hrtimer_try_to_cancel+0x52/0x210 > > [<ffffffff810eb9e5>] ? debug_rt_mutex_free_waiter+0x15/0x180 > > [<ffffffff816c0107>] ? rt_mutex_slowlock+0x127/0x1b0 > > [<ffffffff810b7039>] ? local_clock+0x89/0xa0 > > [<ffffffff810e3ac2>] lock_acquire+0xa2/0x220 > > [<ffffffff810e812c>] ? futex_lock_pi.isra.18+0x1cc/0x390 > > [<ffffffff816c09e0>] _raw_spin_lock+0x40/0x80 > > [<ffffffff810e812c>] ? futex_lock_pi.isra.18+0x1cc/0x390 > > [<ffffffff810e812c>] futex_lock_pi.isra.18+0x1cc/0x390 > > [<ffffffff810a1980>] ? update_rmtp+0x70/0x70 > > [<ffffffff810e99e4>] do_futex+0x394/0xa50 > > [<ffffffff8119ec43>] ? might_fault+0x53/0xb0 > > [<ffffffff810ea12d>] sys_futex+0x8d/0x190 > > [<ffffffff816ca288>] tracesys+0xe1/0xe6 > > Code: d8 45 0f 45 e0 4c 89 75 f0 4c 89 7d f8 85 c0 0f 84 f8 00 00 00 8b 05 22 fe f3 00 49 89 ff 89 f3 41 89 d2 85 c0 0f 84 02 01 00 00 <49> 8b 07 ba 01 00 00 00 48 3d c0 81 06 82 44 0f 44 e2 83 fb 01 > > RIP [<ffffffff810e185e>] __lock_acquire+0x5e/0x1ba0 > > RSP <ffff8800803f7b28> > > CR2: 0000000000000018 > > It looks like we got all the way to lock_acquire with a NULL 'lock' somehow. > > Darren, any idea how this could happen ? I'm digging. Can you get trinity to provide the arguments it used that trigger the crash? That might help hone in on the exact path. -- Darren Hart Intel Open Source Technology Center Yocto Project - Technical Lead - Linux Kernel -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists