Date:	Tue, 29 Dec 2015 20:39:45 +0800
From:	Fengguang Wu <fengguang.wu@...el.com>
To:	Al Viro <viro@...iv.linux.org.uk>
Cc:	LKP <lkp@...org>, Huang Ying <ying.huang@...el.com>,
	LKML <linux-kernel@...r.kernel.org>
Subject: [memdup_user_nul] BUG: unable to handle kernel NULL pointer
 dereference at 00000100

https://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs.git work.misc

commit c7af9d5728bed29ef614324e67e066896d087c8f
Author:     Al Viro <viro@...iv.linux.org.uk>
AuthorDate: Thu Dec 24 00:13:10 2015 -0500
Commit:     Al Viro <viro@...iv.linux.org.uk>
CommitDate: Thu Dec 24 10:52:16 2015 -0500

    kernel/*: switch to memdup_user_nul()
    
    Signed-off-by: Al Viro <viro@...iv.linux.org.uk>

+----------------------------------------------+------------+------------+------------+
|                                              | c4af5f8aed | c7af9d5728 | 212424e0f1 |
+----------------------------------------------+------------+------------+------------+
| boot_successes                               | 84         | 9          | 6          |
| boot_failures                                | 0          | 19         | 7          |
| BUG:unable_to_handle_kernel                  | 0          | 12         | 5          |
| Oops                                         | 0          | 12         | 5          |
| EIP_is_at_single_open                        | 0          | 1          |            |
| Kernel_panic-not_syncing:Fatal_exception     | 0          | 18         | 6          |
| backtrace:do_sys_open                        | 0          | 4          | 3          |
| backtrace:SyS_open                           | 0          | 4          | 3          |
| EIP_is_at_netlink_realloc_groups             | 0          | 2          |            |
| backtrace:netlink_bind                       | 0          | 2          |            |
| backtrace:SyS_bind                           | 0          | 2          |            |
| backtrace:SyS_socketcall                     | 0          | 2          |            |
| is_trying_to_release_lock(&tty->ldisc_sem)at | 0          | 7          | 1          |
| kernel_BUG_at_mm/slub.c                      | 0          | 6          | 1          |
| invalid_opcode:#[##]SMP_DEBUG_PAGEALLOC      | 0          | 6          | 1          |
| EIP_is_at_kfree                              | 0          | 6          | 1          |
| backtrace:do_vfs_ioctl                       | 0          | 5          | 1          |
| backtrace:SyS_ioctl                          | 0          | 5          | 1          |
| EIP_is_at_check_tty_count                    | 0          | 2          | 1          |
| backtrace:core_sys_select                    | 0          | 2          | 1          |
| backtrace:SyS_select                         | 0          | 2          | 1          |
| backtrace:do_group_exit                      | 0          | 3          | 2          |
| backtrace:SyS_exit_group                     | 0          | 3          | 2          |
| EIP_is_at__free_pages                        | 0          | 3          |            |
| EIP_is_at_tty_ldisc_get                      | 0          | 3          | 2          |
| backtrace:tty_ldisc_init                     | 0          | 2          | 2          |
| backtrace:pty_unix98_install                 | 0          | 2          | 2          |
| backtrace:tty_init_dev                       | 0          | 2          | 2          |
| INFO:rcu_sched_self-detected_stall_on_CPU    | 0          | 1          |            |
| BUG:spinlock_lockup_suspected_on_CPU         | 0          | 1          | 1          |
| BUG:Bad_page_state_in_process                | 0          | 1          |            |
| EIP_is_at_kstrdup                            | 0          | 1          |            |
| backtrace:vfs_rename                         | 0          | 1          |            |
| backtrace:SyS_renameat2                      | 0          | 1          |            |
| backtrace:SyS_rename                         | 0          | 1          |            |
| EIP_is_at_no_context                         | 0          | 0          | 1          |
| backtrace:vfs_read                           | 0          | 0          | 1          |
| backtrace:SyS_read                           | 0          | 0          | 1          |
+----------------------------------------------+------------+------------+------------+

udevd[218]: failed to execute '/sbin/modprobe' '/sbin/modprobe -bv serio:ty01pr00id00ex00': No such file or directory
udevd[221]: failed to execute '/sbin/modprobe' '/sbin/modprobe -bv pci:v00008086d00007010sv00001AF4sd00001100bc01sc01i80': No such file or directory
udevd[196]: failed to execute '/sbin/modprobe' '/sbin/modprobe -bv acpi:LNXSYSTM:': No such file or directory
[    4.617566] BUG: unable to handle kernel NULL pointer dereference at 00000100
[    4.618628] IP: [<810b27f7>] kstrdup+0x30/0x3c
[    4.619308] *pdpt = 000000000b681001 *pde = 0000000000000000 
[    4.620168] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC 
[    4.620833] Modules linked in:
[    4.621324] CPU: 1 PID: 163 Comm: udevd Not tainted 4.4.0-rc4-00029-gc7af9d5 #1
[    4.622343] task: 8b448000 ti: 8b6e6000 task.ti: 8b6e6000
[    4.623111] EIP: 0060:[<810b27f7>] EFLAGS: 00010206 CPU: 1
[    4.623839] EIP is at kstrdup+0x30/0x3c
[    4.624410] EAX: 00000100 EBX: 0000000b ECX: 0000000b EDX: 00000100
[    4.625290] ESI: 8c6be03c EDI: 00000100 EBP: 8b6e7e98 ESP: 8b6e7e8c
[    4.626168]  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[    4.626878] CR0: 80050033 CR2: 00000100 CR3: 0b688d60 CR4: 000006b0
[    4.627763] Stack:
[    4.628094]  00000000 8c6be0c0 00000000 8b6e7ed8 810d483d 8c6be0c0 8b6e7eb4 810db133
[    4.629330]  006be0c0 8c6e8900 00000000 8c6be000 8c51dd40 8c51dd40 00000000 00000000
[    4.643589]  8c6be000 8c6be0c0 ffffffd9 8b6e7f68 810d7d95 8c6be0c0 8b6e7f30 00000000
[    4.644817] Call Trace:
[    4.645213]  [<810d483d>] vfs_rename+0x19c/0x5da
[    4.645826]  [<810db133>] ? d_rehash+0x44/0x48
[    4.646474]  [<810d7d95>] SyS_renameat2+0x295/0x37d
[    4.647178]  [<810d7ea9>] SyS_rename+0x14/0x16
[    4.647772]  [<81000d73>] do_syscall_32_irqs_on+0x42/0x7e
[    4.648550]  [<8126c3da>] entry_INT80_32+0x2a/0x2a
[    4.649248] Code: 89 e5 57 56 53 89 d7 89 c6 e8 3c 85 09 00 8b 4d 04 8d 58 01 89 fa 89 d8 e8 f2 57 01 00 89 c2 31 c0 85 d2 74 0d 89 d7 89 d9 89 d0 <f3> a4 eb 03 31 c0 c3 5b 5e 5f 5d c3 55 3d 00 f0 26 81 89 e5 72
[    4.653172] EIP: [<810b27f7>] kstrdup+0x30/0x3c SS:ESP 0068:8b6e7e8c
[    4.654105] CR2: 0000000000000100
[    4.654616] ---[ end trace 934fed498af5e931 ]---
[    4.655302] Kernel panic - not syncing: Fatal exception

git bisect start 212424e0f12362219dc6f53bb13f4af726825044 4ef7675344d687a0ef5b0d7c0cee12da005870c0 --
git bisect  bad 45e82e90e5e7072b4e304d19f84d2c1c4b3c7b41  # 17:30      4-     19  Merge 'linux-review/Jann-Horn/android-binder-fix-fput-comment/20151226-045614' into devel-spot-201512261608
git bisect  bad 9605f52d2f60ff9d808e3aae3b06651af8748e2b  # 17:36      4-     23  Merge 'linux-review/changbin-du-intel-com/usb-gadget-acm-set-notify_req-to-NULL-after-freed-to-avoid-double-free/20151226-120759' into devel-spot-201512261608
git bisect good e4faee14fcf2744599b3774b14c27eb8a1b24cd7  # 17:44     26+      0  Merge 'linux-review/SF-Markus-Elfring/i2c-core-One-function-call-less-in-acpi_i2c_space_handler-after-error-detection/20151226-151227' into devel-spot-201512261608
git bisect  bad cdac7c82b1842fa38e8b877ee841d813b26ae841  # 17:50      1-     13  Merge 'vfs/work.misc' into devel-spot-201512261608
git bisect good 9e6697e26f9888cdb6088664d31c3772b0dff0a4  # 17:58     26+      0  namei.c: fold set_root_rcu() into set_root()
git bisect good a98e80b2b86d1489d56859c948248738ad932be9  # 18:05     28+      0  switch wireless debugfs ->write() instances to memdup_user_nul()
git bisect  bad 9e38a427c41702e177f7691c6023adde7e6c711e  # 18:07      4-     16  put the remnants of ..._user_ret() to rest
git bisect  bad c7af9d5728bed29ef614324e67e066896d087c8f  # 18:12      4-     13  kernel/*: switch to memdup_user_nul()
git bisect good c4af5f8aed82ef30f6cf91bc3478b52c61cecd18  # 18:19     27+      0  cciss: switch to memdup_user_nul()
# first bad commit: [c7af9d5728bed29ef614324e67e066896d087c8f] kernel/*: switch to memdup_user_nul()
git bisect good c4af5f8aed82ef30f6cf91bc3478b52c61cecd18  # 18:22     81+      0  cciss: switch to memdup_user_nul()
# extra tests with DEBUG_INFO
git bisect  bad c7af9d5728bed29ef614324e67e066896d087c8f  # 18:30      2-      7  kernel/*: switch to memdup_user_nul()
# extra tests on HEAD of linux-devel/devel-spot-201512261608
git bisect  bad 212424e0f12362219dc6f53bb13f4af726825044  # 18:30      0-      7  0day head guard for 'devel-spot-201512261608'
# extra tests on tree/branch vfs/work.misc
git bisect  bad 15d8d69accf88da38aac73dd873ce56fd39b358a  # 18:36      2-     10  saner calling conventions for copy_mount_options()
# extra tests with first bad commit reverted
git bisect good 241dc6cc888af8cc59a6e1c3ddd4ee2e0da6d00d  # 18:53     85+      0  Revert "kernel/*: switch to memdup_user_nul()"
# extra tests on tree/branch linus/master
git bisect good 8db7b3c54401d83a4dc370a59b8692854000ea03  # 19:04     85+      2  Merge branch 'parisc-4.4-4' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux
# extra tests on tree/branch linux-next/master
git bisect  bad 80c75a0f1d81922bf322c0634d1e1a15825a89e6  # 19:13      0-      1  Add linux-next specific files for 20151223


This script may reproduce the error.

----------------------------------------------------------------------------
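#!/bin/bash
# Boot the given kernel image under qemu/KVM with the 0-day i386 test initrd,
# with the serial console on stdio, so the reported oops can be observed.
#
# Usage: $0 <kernel-image>
#   $1 - path to the kernel image (bzImage) to boot
set -euo pipefail

# Fail early with a usage message instead of handing qemu a dangling -kernel.
kernel=${1:?usage: $0 <kernel-image>}
initrd=quantal-core-i386.cgz

[[ -r "$kernel" ]] || { printf 'kernel image not readable: %s\n' "$kernel" >&2; exit 1; }

# --no-clobber reuses an already-downloaded initrd.
# NOTE(review): the initrd is fetched over HTTPS but nothing here verifies its
# contents; compare the file against a checksum from a trusted source before
# booting it, since it runs as the guest's root filesystem.
wget --no-clobber "https://github.com/fengguang/reproduce-kernel-bug/raw/master/initrd/$initrd"

kvm=(
	qemu-system-x86_64
	-enable-kvm
	-cpu kvm64
	-kernel "$kernel"
	-initrd "$initrd"
	-m 300
	-smp 2
	-device e1000,netdev=net0
	-netdev user,id=net0
	-boot order=nc
	-no-reboot
	-watchdog i6300esb
	-rtc base=localtime
	-serial stdio
	-display none
	-monitor null
)

# Kernel command line: every watchdog/lockup detector is set to panic so a hang
# ends the run instead of stalling it (panic=-1 reboots immediately, and
# -no-reboot above then makes qemu exit).
append=(
	hung_task_panic=1
	earlyprintk=ttyS0,115200
	systemd.log_level=err
	debug
	apic=debug
	sysrq_always_enabled
	rcupdate.rcu_cpu_stall_timeout=100
	panic=-1
	softlockup_panic=1
	nmi_watchdog=panic
	oops=panic
	load_ramdisk=2
	prompt_ramdisk=0
	console=ttyS0,115200
	console=tty0
	vga=normal
	root=/dev/ram0
	rw
	drbd.minor_count=8
)

# "${append[*]}" intentionally joins the parameters into one space-separated
# string: qemu's --append takes the whole kernel command line as a single arg.
"${kvm[@]}" --append "${append[*]}"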
----------------------------------------------------------------------------

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/lkp                          Intel Corporation

View attachment "dmesg-quantal-ivb41-88:20151226181136:i386-randconfig-sb0-12261706:4.4.0-rc4-00029-gc7af9d5:1" of type "text/plain" (45797 bytes)

View attachment "config-4.4.0-rc4-00029-gc7af9d5" of type "text/plain" (52414 bytes)
