Message-ID: <20151229124216.GD4678@wfg-t540p.sh.intel.com>
Date:	Tue, 29 Dec 2015 20:42:16 +0800
From:	Fengguang Wu <fengguang.wu@...el.com>
To:	Al Viro <viro@...iv.linux.org.uk>
Cc:	LKP <lkp@...org>, Huang Ying <ying.huang@...el.com>,
	LKML <linux-kernel@...r.kernel.org>
Subject: [memdup_user_nul] init/222 is trying to release lock ((null)) at:

https://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs.git work.misc

commit c7af9d5728bed29ef614324e67e066896d087c8f
Author:     Al Viro <viro@...iv.linux.org.uk>
AuthorDate: Thu Dec 24 00:13:10 2015 -0500
Commit:     Al Viro <viro@...iv.linux.org.uk>
CommitDate: Thu Dec 24 10:52:16 2015 -0500

    kernel/*: switch to memdup_user_nul()
    
    Signed-off-by: Al Viro <viro@...iv.linux.org.uk>

+------------------------------------------------+------------+------------+------------+
|                                                | c4af5f8aed | c7af9d5728 | 212424e0f1 |
+------------------------------------------------+------------+------------+------------+
| boot_successes                                 | 303        | 50         | 11         |
| boot_failures                                  | 0          | 54         | 2          |
| BUG:unable_to_handle_kernel                    | 0          | 38         | 2          |
| Oops                                           | 0          | 40         | 2          |
| RIP:dup_fd                                     | 0          | 1          |            |
| Kernel_panic-not_syncing:Fatal_exception       | 0          | 54         | 2          |
| backtrace:_do_fork                             | 0          | 1          |            |
| backtrace:SyS_clone                            | 0          | 1          |            |
| invalid_opcode:#[##]PREEMPT                    | 0          | 6          |            |
| RIP:__gcov_.pmic_driver_init                   | 0          | 1          |            |
| backtrace:__gcov_.pmic_driver_init             | 0          | 1          |            |
| backtrace:core_sys_select                      | 0          | 10         |            |
| backtrace:SyS_select                           | 0          | 10         |            |
| is_trying_to_release_lock((null))at            | 0          | 24         | 2          |
| RIP:__kmalloc                                  | 0          | 5          |            |
| backtrace:flush_to_ldisc                       | 0          | 6          |            |
| backtrace:SYSC_bind                            | 0          | 4          |            |
| backtrace:SyS_bind                             | 0          | 4          |            |
| backtrace:do_vfs_ioctl                         | 0          | 23         | 2          |
| backtrace:SyS_ioctl                            | 0          | 23         | 2          |
| RIP:kmem_cache_alloc_trace                     | 0          | 6          |            |
| backtrace:tty_ldisc_get                        | 0          | 3          |            |
| backtrace:tty_ldisc_init                       | 0          | 3          |            |
| backtrace:alloc_tty_struct                     | 0          | 3          |            |
| backtrace:tty_init_dev                         | 0          | 5          |            |
| backtrace:do_sys_open                          | 0          | 5          |            |
| backtrace:SyS_open                             | 0          | 5          |            |
| RIP:tty_class                                  | 0          | 1          |            |
| RIP:pty_unix98_ops                             | 0          | 1          |            |
| backtrace:tty_ldisc_setup                      | 0          | 1          |            |
| RIP:tty_buffer_space_avail                     | 0          | 2          |            |
| WARNING:at_drivers/tty/tty_mutex.c:#tty_lock() | 0          | 1          |            |
| RIP:__tty_hangup                               | 0          | 1          |            |
| backtrace:SYSC_readlinkat                      | 0          | 4          |            |
| backtrace:SyS_readlink                         | 0          | 4          |            |
| general_protection_fault:#[##]PREEMPT          | 0          | 8          |            |
| RIP:print_lockdep_cache                        | 0          | 3          |            |
| RIP:__key                                      | 0          | 2          |            |
| RIP:__func                                     | 0          | 4          |            |
| RIP:tty_ioctl                                  | 0          | 1          |            |
| backtrace:pty_unix98_install                   | 0          | 1          |            |
| backtrace:SYSC_dup3                            | 0          | 1          |            |
| backtrace:SyS_dup2                             | 0          | 1          |            |
| RIP:tty_write                                  | 0          | 1          |            |
| WARNING:at_include/linux/kref.h:#kref_get()    | 0          | 1          |            |
| backtrace:vfs_write                            | 0          | 2          |            |
| backtrace:SyS_write                            | 0          | 2          |            |
| RIP:tty_ldisc_hangup                           | 0          | 1          |            |
| RIP:__kmalloc_track_caller                     | 0          | 2          |            |
| backtrace:SYSC_signalfd4                       | 0          | 1          |            |
| backtrace:SyS_signalfd4                        | 0          | 1          |            |
| backtrace:do_execve                            | 0          | 1          |            |
| backtrace:SyS_execve                           | 0          | 1          |            |
| RIP:tty_poll                                   | 0          | 2          |            |
| backtrace:SYSC_setsockopt                      | 0          | 1          |            |
| backtrace:SyS_setsockopt                       | 0          | 1          |            |
+------------------------------------------------+------------+------------+------------+

[   33.497209] [ BUG: bad unlock balance detected! ]
[   33.498229] 4.4.0-rc4-00029-gc7af9d5 #1 Not tainted
[   33.499282] -------------------------------------
[   33.500298] init/222 is trying to release lock ((null)) at:
[   33.501567] [<ffffffff81acbfdc>] tty_ldisc_deref+0x1d/0x26
[   33.502744] but there are no more locks to release!
[   33.503800] 
[   33.503800] other info that might help us debug this:
[   33.505209] 1 lock held by init/222:
[   33.505989]  #0:  (&tty->ldisc_sem){......}, at: [<ffffffff82392da7>] ldsem_down_read+0x40/0x4c
[   33.508013] 
[   33.508013] stack backtrace:
[   33.508956] CPU: 0 PID: 222 Comm: init Not tainted 4.4.0-rc4-00029-gc7af9d5 #1
[   33.510522] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Debian-1.8.2-1 04/01/2014
[   33.512538]  0000000000000000 ffff880009477d20 ffffffff81832376 ffff880009477d48
[   33.514293]  ffffffff81167382 ffff880009bf4620 00000000ffffffff ffff880009bf4080
[   33.516005]  ffff880009477db8 ffffffff811693fa 0000960000009600 ffff880009413000
[   33.517709] Call Trace:
[   33.518268]  [<ffffffff81832376>] dump_stack+0x2e/0x3e
[   33.519380]  [<ffffffff81167382>] print_unlock_imbalance_bug+0x13e/0x14e
[   33.520817]  [<ffffffff811693fa>] lock_release+0x238/0x4de
[   33.522013]  [<ffffffff81ad0317>] ldsem_up_read+0x2d/0xaa
[   33.523187]  [<ffffffff81acbfdc>] tty_ldisc_deref+0x1d/0x26
[   33.524389]  [<ffffffff81ac1ce1>] tty_ioctl+0x1741/0x175d
[   33.525563]  [<ffffffff8130b36f>] vfs_ioctl+0x47/0x89
[   33.526659]  [<ffffffff8130c85c>] do_vfs_ioctl+0xa89/0xaa3
[   33.527845]  [<ffffffff81125769>] ? copy_to_user+0x47/0x54
[   33.529039]  [<ffffffff8130c93e>] SyS_ioctl+0xc8/0x124
[   33.530155]  [<ffffffff82394e6f>] entry_SYSCALL_64_fastpath+0x12/0x76
[   33.536437] mountall (169) used greatest stack depth: 13776 bytes left
[   33.539700] BUG: unable to handle kernel NULL pointer dereference at           (null)
[   33.541436] IP: [<          (null)>]           (null)
[   33.542548] PGD 0 
[   33.543024] Oops: 0010 [#1] PREEMPT 
[   33.543844] CPU: 0 PID: 1 Comm: init Not tainted 4.4.0-rc4-00029-gc7af9d5 #1
[   33.545364] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Debian-1.8.2-1 04/01/2014
[   33.547262] task: ffff8800100d0000 ti: ffff8800100d8000 task.ti: ffff8800100d8000
[   33.548867] RIP: 0010:[<0000000000000000>]  [<          (null)>]           (null)
[   33.550482] RSP: 0018:ffff8800100dbd60  EFLAGS: 00010202
[   33.551671] RAX: 0000000000000003 RBX: ffff880009412000 RCX: 0000000000000001
[   33.553185] RDX: ffffffff81ac5c70 RSI: ffffffff81acc5ae RDI: ffff880009412000
[   33.554704] RBP: ffff880009412000 R08: 0000000000000000 R09: 0000000000000000
[   33.556220] R10: ffff8800100d0000 R11: 0000000000000000 R12: 0000000000000002
[   33.557722] R13: ffff880009a15140 R14: 0000000000000000 R15: 0000000000000000
[   33.559233] FS:  00007f9235601700(0000) GS:ffffffff83162000(0000) knlGS:0000000000000000
[   33.560949] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   33.562178] CR2: 0000000000000000 CR3: 0000000009a1b000 CR4: 00000000000006b0
[   33.563694] Stack:
[   33.564144]  ffff8800094123e8 0000000000000000 ffff8800100dbdc8 ffffffff81abd187
[   33.565806]  ffffffff811653f8 ffffffff8374c1c0 0000000000000000 ffff8800ffffffff
[   33.567452]  ffff880009411800 ffff880009411be8 0000000000000000 0000000000000000
[   33.569105] Call Trace:
[   33.569645]  [<ffffffff81abd187>] ? __tty_hangup+0x528/0x6ab
[   33.570932]  [<ffffffff811653f8>] ? debug_mutex_unlock+0x3c/0x430
[   33.572270]  [<ffffffff81abd321>] ? tty_vhangup+0x17/0x20
[   33.573427]  [<ffffffff81ad146e>] ? pty_close+0x32c/0x367
[   33.574600]  [<ffffffff81abd9c5>] ? tty_release+0x37b/0x9bf
[   33.575789]  [<ffffffff81156a60>] ? __might_sleep+0x166/0x17a
[   33.577017]  [<ffffffff812ed4cf>] ? __fput+0x275/0x4a4
[   33.578112]  [<ffffffff812ed713>] ? ____fput+0x15/0x1e
[   33.579209]  [<ffffffff81142e71>] ? task_work_run+0xb5/0xfb
[   33.580397]  [<ffffffff81003066>] ? prepare_exit_to_usermode+0x1e6/0x265
[   33.581849]  [<ffffffff81003328>] ? syscall_return_slowpath+0x243/0x255
[   33.583292]  [<ffffffff82394fd2>] ? int_ret_from_sys_call+0x25/0x8f
[   33.584622] Code:  Bad RIP value.
[   33.585387] RIP  [<          (null)>]           (null)
[   33.586505]  RSP <ffff8800100dbd60>
[   33.587259] CR2: 0000000000000000
[   33.590022] ---[ end trace b66ad3f0d8226eee ]---
[   33.591115] Kernel panic - not syncing: Fatal exception

git bisect start 212424e0f12362219dc6f53bb13f4af726825044 4ef7675344d687a0ef5b0d7c0cee12da005870c0 --
git bisect  bad 45e82e90e5e7072b4e304d19f84d2c1c4b3c7b41  # 17:13      0-      3  Merge 'linux-review/Jann-Horn/android-binder-fix-fput-comment/20151226-045614' into devel-spot-201512261608
git bisect  bad 9605f52d2f60ff9d808e3aae3b06651af8748e2b  # 17:28     43-     12  Merge 'linux-review/changbin-du-intel-com/usb-gadget-acm-set-notify_req-to-NULL-after-freed-to-avoid-double-free/20151226-120759' into devel-spot-201512261608
git bisect good e4faee14fcf2744599b3774b14c27eb8a1b24cd7  # 17:38    100+      2  Merge 'linux-review/SF-Markus-Elfring/i2c-core-One-function-call-less-in-acpi_i2c_space_handler-after-error-detection/20151226-151227' into devel-spot-201512261608
git bisect  bad cdac7c82b1842fa38e8b877ee841d813b26ae841  # 17:43      4-     11  Merge 'vfs/work.misc' into devel-spot-201512261608
git bisect good 9e6697e26f9888cdb6088664d31c3772b0dff0a4  # 17:58    104+      0  namei.c: fold set_root_rcu() into set_root()
git bisect good a98e80b2b86d1489d56859c948248738ad932be9  # 18:07     98+      0  switch wireless debugfs ->write() instances to memdup_user_nul()
git bisect  bad 9e38a427c41702e177f7691c6023adde7e6c711e  # 18:15      5-     12  put the remnants of ..._user_ret() to rest
git bisect  bad c7af9d5728bed29ef614324e67e066896d087c8f  # 18:25      0-      1  kernel/*: switch to memdup_user_nul()
git bisect good c4af5f8aed82ef30f6cf91bc3478b52c61cecd18  # 18:38     96+      0  cciss: switch to memdup_user_nul()
# first bad commit: [c7af9d5728bed29ef614324e67e066896d087c8f] kernel/*: switch to memdup_user_nul()
git bisect good c4af5f8aed82ef30f6cf91bc3478b52c61cecd18  # 18:49    287+      0  cciss: switch to memdup_user_nul()
# extra tests with DEBUG_INFO
git bisect  bad c7af9d5728bed29ef614324e67e066896d087c8f  # 19:01      1-      2  kernel/*: switch to memdup_user_nul()
# extra tests on HEAD of linux-devel/devel-spot-201512261608
git bisect  bad 212424e0f12362219dc6f53bb13f4af726825044  # 19:01      0-      2  0day head guard for 'devel-spot-201512261608'
# extra tests on tree/branch vfs/work.misc
git bisect  bad 15d8d69accf88da38aac73dd873ce56fd39b358a  # 19:10      7-     12  saner calling conventions for copy_mount_options()
# extra tests with first bad commit reverted
git bisect good 241dc6cc888af8cc59a6e1c3ddd4ee2e0da6d00d  # 19:19    287+      0  Revert "kernel/*: switch to memdup_user_nul()"
# extra tests on tree/branch linus/master
git bisect good 8db7b3c54401d83a4dc370a59b8692854000ea03  # 19:35    291+      3  Merge branch 'parisc-4.4-4' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux
# extra tests on tree/branch linux-next/master
git bisect good 80c75a0f1d81922bf322c0634d1e1a15825a89e6  # 19:47    287+      2  Add linux-next specific files for 20151223


This script may reproduce the error.

----------------------------------------------------------------------------
#!/bin/bash
# Reproducer: boot the given kernel image under QEMU/KVM with the 0-day
# test initrd and the same kernel command line used in the failing boots.

kernel=$1	# path to the kernel image (bzImage) built from the commit under test
initrd=quantal-core-x86_64.cgz

# fetch the initrd once; --no-clobber skips the download if the file already exists
wget --no-clobber https://github.com/fengguang/reproduce-kernel-bug/raw/master/initrd/$initrd

kvm=(
	qemu-system-x86_64
	-enable-kvm
	-cpu kvm64
	-kernel $kernel
	-initrd $initrd
	-m 300
	-smp 2
	-device e1000,netdev=net0
	-netdev user,id=net0
	-boot order=nc
	-no-reboot
	-watchdog i6300esb
	-rtc base=localtime
	# serial console on the terminal, so the lockdep report and oops are visible
	-serial stdio
	-display none
	-monitor null
)

# kernel command line: panic on oops, hung task or lockup so a failing boot terminates
append=(
	hung_task_panic=1
	earlyprintk=ttyS0,115200
	systemd.log_level=err
	debug
	apic=debug
	sysrq_always_enabled
	rcupdate.rcu_cpu_stall_timeout=100
	panic=-1
	softlockup_panic=1
	nmi_watchdog=panic
	oops=panic
	load_ramdisk=2
	prompt_ramdisk=0
	console=ttyS0,115200
	console=tty0
	vga=normal
	root=/dev/ram0
	rw
	drbd.minor_count=8
)

"${kvm[@]}" --append "${append[*]}"
----------------------------------------------------------------------------

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/lkp                          Intel Corporation

View attachment "dmesg-quantal-ivb41-99:20151226182640:x86_64-randconfig-s0-12261648:4.4.0-rc4-00029-gc7af9d5:1" of type "text/plain" (100572 bytes)

View attachment "config-4.4.0-rc4-00029-gc7af9d5" of type "text/plain" (95730 bytes)
