Message-ID: <20140730041235.GJ16537@localhost>
Date:	Wed, 30 Jul 2014 12:12:35 +0800
From:	Fengguang Wu <fengguang.wu@...el.com>
To:	David Herrmann <dh.herrmann@...il.com>
Cc:	Jet Chen <jet.chen@...el.com>, Su Tao <tao.su@...el.com>,
	Yuanhan Liu <yuanhan.liu@...el.com>, LKP <lkp@...org>,
	linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [fs] BUG: unable to handle kernel NULL pointer dereference at 00000104

Greetings,

0day kernel testing robot got the below dmesg and the first bad commit is

git://people.freedesktop.org/~dvdhrm/linux fops
commit bc2d5105254034778034487d8f3aec42db2a5285
Author:     David Herrmann <dh.herrmann@...il.com>
AuthorDate: Tue Jun 17 22:10:12 2014 +0200
Commit:     David Herrmann <dh.herrmann@...il.com>
CommitDate: Tue Jul 22 14:54:07 2014 +0200

    fs: add active reference counter to "struct file"
    
    This adds a kactive reference counter to "struct file". This allows to
    acquire active references on any file that enabled it. Furthermore, all
    file->f_op->xy() callbacks are modified to acquire an active reference
    before entering and dropping it afterwards.
    
    Drivers have to opt-in to enable this feature. By using fops_file_attach()
    in the ->open() callback, they can enable the active-counter on the file.
    From now on they can use fops_file_disable() and fops_file_drain() to
    prevent any new active-references from being acquired and waiting for all
    those to be released.
    
    All those protected files have to be linked to a parent device (called
    "struct fops_device"). A driver has to allocate and manage those. The
    parent device can be used to atomically disable and drain all linked
    files.
    
    Signed-off-by: David Herrmann <dh.herrmann@...il.com>

===================================================
PARENT COMMIT NOT CLEAN. LOOK OUT FOR WRONG BISECT!
===================================================
Attached dmesg for the parent commit, too, to help confirm whether it is a noise error.

+------------------------------------------------------+------------+------------+
|                                                      | 47702c7c4c | bc2d510525 |
+------------------------------------------------------+------------+------------+
| boot_successes                                       | 61         | 0          |
| boot_failures                                        | 2          | 21         |
| BUG:kernel_boot_crashed                              | 2          |            |
| BUG:unable_to_handle_kernel_NULL_pointer_dereference | 0          | 21         |
| Oops                                                 | 0          | 21         |
| EIP_is_at_get_unmapped_area                          | 0          | 21         |
| Kernel_panic-not_syncing:Fatal_exception             | 0          | 21         |
| backtrace:do_execve                                  | 0          | 21         |
| backtrace:run_init_process                           | 0          | 21         |
+------------------------------------------------------+------------+------------+

[    2.054083] debug: unmapping init [mem 0xb48be000-0xb490ffff]
[    2.054646] Write protecting the kernel text: 6640k
[    2.055106] Write protecting the kernel read-only data: 4012k
[    2.056047] BUG: unable to handle kernel NULL pointer dereference at 00000104
[    2.056648] IP: [<b3c81d3e>] get_unmapped_area+0x40/0xef
[    2.056905] *pde = 00000000 
[    2.056905] Oops: 0000 [#1] DEBUG_PAGEALLOC
[    2.056905] CPU: 0 PID: 1 Comm: init Not tainted 3.16.0-rc5-00231-gbc2d510 #2
[    2.056905] task: b0030010 ti: b0032000 task.ti: b0032000
[    2.056905] EIP: 0060:[<b3c81d3e>] EFLAGS: 00010246 CPU: 0
[    2.056905] EIP is at get_unmapped_area+0x40/0xef
[    2.056905] EAX: c290ddc0 EBX: 00000000 ECX: 00003000 EDX: 00000000
[    2.056905] ESI: b427f198 EDI: b3c81ed4 EBP: b0033eac ESP: b0033e98
[    2.056905]  DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068
[    2.056905] CR0: 8005003b CR2: 00000104 CR3: 12916000 CR4: 00000690
[    2.056905] Stack:
[    2.056905]  00000000 00003000 47e77cc0 b427f198 b0030010 b0033ed0 b3c1bff5 00000000
[    2.056905]  00000000 c290de1c c290ddc0 47e77cc0 47e767c8 c2901800 b0033f50 b3cb5d6c
[    2.056905]  b0032000 00002000 00000006 0001d000 00000000 00000001 47e77cc0 0804fad4
[    2.056905] Call Trace:
[    2.056905]  [<b3c1bff5>] arch_setup_additional_pages+0x4e/0x188
[    2.056905]  [<b3cb5d6c>] load_elf_binary+0x9c5/0xff7
[    2.056905]  [<b3c95585>] search_binary_handler+0x41/0x95
[    2.056905]  [<b3c95955>] do_execve+0x37c/0x48a
[    2.056905]  [<b3c0035c>] run_init_process+0x1c/0x1e
[    2.056905]  [<b426a586>] kernel_init+0x34/0xb8
[    2.056905]  [<b427a7c0>] ret_from_kernel_thread+0x20/0x30
[    2.056905]  [<b426a552>] ? rest_init+0x10e/0x10e
[    2.056905] Code: 76 0a be f4 ff ff ff e9 c4 00 00 00 89 c3 a1 20 a9 67 b4 8b 80 10 02 00 00 85 db 8b 78 0c 74 0b 8b 43 14 8b 40 58 85 c0 0f 45 f8 <8b> b3 04 01 00 00 85 f6 74 54 83 c6 14 31 c9 8d 41 01 89 c2 89
[    2.056905] EIP: [<b3c81d3e>] get_unmapped_area+0x40/0xef SS:ESP 0068:b0033e98
[    2.056905] CR2: 0000000000000104
[    2.070596] ---[ end trace 10ed763858844c61 ]---
[    2.070973] Kernel panic - not syncing: Fatal exception

git bisect start 988a7cce9cf281d8954af4f421419713e2d6499a 9a3c4145af32125c5ee39c0272662b47307a8323 --
git bisect good 0b6fe2b988caee808f3ccb616fa22f2a56a042e8  # 21:58     20+      1  Merge 'wsa/i2c/for-next' into devel-roam-i386-201407222107
git bisect good d127240d43380e9e1463fd8cde0134f85b66c261  # 22:00     20+      0  Merge 'linux-sti/sti-dt-for-v3.17-1' into devel-roam-i386-201407222107
git bisect  bad 1713b12636b3daab7ea2625efa376119c7b490de  # 22:04      1-     10  Merge 'dvdhrm/fops' into devel-roam-i386-201407222107
git bisect good 47702c7c4c9c1e8514ca52e367cf0b71e50177f8  # 22:10     21+      0  kactive: make kernfs "active-ref" generic
git bisect  bad 34e6b7dea8bb2c359c29d4b0021967c6de0f1b7a  # 22:17      0-     21  fs: track fops-depth in task_struct
git bisect  bad bc2d5105254034778034487d8f3aec42db2a5285  # 22:23      0-     21  fs: add active reference counter to "struct file"
# first bad commit: [bc2d5105254034778034487d8f3aec42db2a5285] fs: add active reference counter to "struct file"
git bisect good 47702c7c4c9c1e8514ca52e367cf0b71e50177f8  # 22:26     63+      2  kactive: make kernfs "active-ref" generic
git bisect  bad 988a7cce9cf281d8954af4f421419713e2d6499a  # 22:26      0-     11  0day head guard for 'devel-roam-i386-201407222107'
git bisect good 15ba2236f3556fc01b9ca91394465152b5ea74b6  # 22:36     63+      1  Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net


This script may reproduce the error.

----------------------------------------------------------------------------
#!/bin/bash

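# Path to the kernel image under test, passed as the first argument.
kernel=$1
initrd=yocto-minimal-i386.cgz

# Fetch the raw initrd; the /blob/ URL would save GitHub's HTML page instead.
wget --no-clobber "https://github.com/fengguang/reproduce-kernel-bug/raw/master/initrd/$initrd"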

kvm=(
	qemu-system-x86_64
	-cpu kvm64
	-enable-kvm
	-kernel "$kernel"
	-initrd "$initrd"
	-m 320
	-smp 1
	-net nic,vlan=1,model=e1000
	-net user,vlan=1
	-boot order=nc
	-no-reboot
	-watchdog i6300esb
	-rtc base=localtime
	-serial stdio
	-display none
	-monitor null 
)

append=(
	hung_task_panic=1
	earlyprintk=ttyS0,115200
	debug
	apic=debug
	sysrq_always_enabled
	rcupdate.rcu_cpu_stall_timeout=100
	panic=10
	softlockup_panic=1
	nmi_watchdog=panic
	prompt_ramdisk=0
	console=ttyS0,115200
	console=tty0
	vga=normal
	root=/dev/ram0
	rw
	drbd.minor_count=8
)

"${kvm[@]}" --append "${append[*]}"
----------------------------------------------------------------------------

Thanks,
Fengguang

View attachment "dmesg-yocto-vp-8:20140722222318:i386-randconfig-r2-0722:3.16.0-rc5-00231-gbc2d510:2" of type "text/plain" (104425 bytes)

View attachment "dmesg-quantal-ivb41-121:20140722222354:i386-randconfig-r2-0722::" of type "text/plain" (56845 bytes)

Download attachment "i386-randconfig-r2-0722-988a7cce9cf281d8954af4f421419713e2d6499a-BUG:-unable-to-handle-kernel-NULL-pointer-dereference-47769.log" of type "application/octet-stream" (30832 bytes)

View attachment "config-3.16.0-rc5-00231-gbc2d510" of type "text/plain" (79218 bytes)

_______________________________________________
LKP mailing list
LKP@...ux.intel.com
