lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 16 May 2016 16:12:53 -0400 (EDT)
From:	Mikulas Patocka <mpatocka@...hat.com>
To:	Peter Hurley <peter@...leysoftware.com>
cc:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Jiri Slaby <jslaby@...e.com>, linux-kernel@...r.kernel.org
Subject: tty crash in Linux 4.6

Hi

In the kernel 4.6 I get crashes in the tty layer. I can reproduce the 
crash by logging into the machine with ssh and typing before the prompt 
appears.

The crash is caused by the pointer tty->disc_data being NULL in the 
function n_tty_receive_buf_common. The crash happens on the statement 
smp_load_acquire(&ldata->read_tail).

Bisecting shows that the crashes are caused by the patch 
892d1fa7eaaed9d3c04954cb140c34ebc3393932 ("tty: Destroy ldisc instance on 
hangup").

Kernel Fault: Code=15 regs=000000007d9e0720 (Addr=0000000000002260)
CPU: 0 PID: 3319 Comm: kworker/u8:0 Not tainted 4.6.0 #1
Workqueue: events_unbound flush_to_ldisc
task: 000000007c25ea80 ti: 000000007d9e0000 task.ti: 000000007d9e0000

     YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI
PSW: 00001000000001000000000000001111 Not tainted
r00-03  000000000804000f 000000004076cd10 0000000040475fb4 000000007f761800
r04-07  0000000040749510 0000000000000001 000000007f761800 000000007d9e0490
r08-11  000000007e722890 0000000000000000 000000007da4ec00 000000007f763823
r12-15  0000000000000000 000000007fc08ea8 000000007fc08c78 000000004080e080
r16-19  000000007fc08c00 0000000000000001 0000000000000000 0000000000002260
r20-23  000000007f7618b0 000000007c25ea80 0000000000000001 0000000000000001
r24-27  0000000000000000 000000000800000f 000000007f7618ac 0000000040749510
r28-31  0000000000000001 000000007d9e0840 000000007d9e0720 0000000000000001
sr00-03  00000000086c8800 0000000000000000 0000000000000000 00000000086c8800
sr04-07  0000000000000000 0000000000000000 0000000000000000 0000000000000000

IASQ: 0000000000000000 0000000000000000 IAOQ: 0000000040475fd4 0000000040475fd8
 IIR: 0e6c00d5    ISR: 0000000000000000  IOR: 0000000000002260
 CPU:        0   CR30: 000000007d9e0000 CR31: ff87e7ffbc9ffffe
 ORIG_R28: 000000004080a180
 IAOQ[0]: n_tty_receive_buf_common+0xb4/0xbe0
 IAOQ[1]: n_tty_receive_buf_common+0xb8/0xbe0
 RP(r2): n_tty_receive_buf_common+0x94/0xbe0
Backtrace:
 [<0000000040476b14>] n_tty_receive_buf2+0x14/0x20
 [<000000004047a208>] tty_ldisc_receive_buf+0x30/0x90
 [<000000004047a544>] flush_to_ldisc+0x144/0x1c8
 [<00000000402556bc>] process_one_work+0x1b4/0x460
 [<0000000040255bbc>] worker_thread+0x1e4/0x5e0
 [<000000004025d454>] kthread+0x134/0x168

Mikulas

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ