| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 1 Nov 2022 21:07:20 +0100
From: Roland Ruckerbauer <roland.rucky@...il.com>
To: Steven Rostedt <rostedt@...dmis.org>
Cc: Masami Hiramatsu <mhiramat@...nel.org>,
linux-kernel@...r.kernel.org, Takashi Iwai <tiwai@...e.de>,
regressions@...ts.linux.dev,
Steven Noonan <steven.noonan@...il.com>
Subject: Re: [BUG] NULL pointer dereference probably caused by kernel/trace/ring_buffer.c
I tried it with one extra modification:
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
index c3f354cfc5ba..98cae02184e0 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -937,6 +937,9 @@ void ring_buffer_wake_waiters(struct trace_buffer
*buffer, int cpu)
struct ring_buffer_per_cpu *cpu_buffer;
struct rb_irq_work *rbwork;
+ if (!buffer)
+ return;
+
if (cpu == RING_BUFFER_ALL_CPUS) {
/* Wake up individual ones too. One level recursion */
@@ -945,9 +948,16 @@ void ring_buffer_wake_waiters(struct trace_buffer
*buffer, int cpu)
rbwork = &buffer->irq_work;
} else {
+ if (WARN_ON_ONCE(!buffer->buffers))
+ return;
+ if (WARN_ON_ONCE(cpu >= nr_cpu_ids))
+ return;
cpu_buffer = buffer->buffers[cpu];
rbwork = &cpu_buffer->irq_work;
}
+ if (WARN_ON_ONCE(!rbwork))
+ return;
+
rbwork->wait_index++;
/* make sure the waiters see the new index */
None of the warnings triggered. I inspected the BUG message and the
disassembly, and figured the faulting code must be:
960 rbwork->wait_index++;
0xffffffff811b73bd <+77>: addq $0x1,0x50(%rbx)
Meaning the rbwork pointer is not null, but also not a valid pointer.
Subtracting offset of the wait_index gives me address 0x178, which
sure seems wrong.
I think I will try a gdb session with this kernel (but I have not done
this for a long time, might take me a while to get it working).
Thanks,
Roland
Am Di., 1. Nov. 2022 um 20:31 Uhr schrieb Steven Rostedt <rostedt@...dmis.org>:
>
> On Mon, 31 Oct 2022 21:20:33 +0100
> Roland Ruckerbauer <roland.rucky@...il.com> wrote:
>
> > Unfortunately the same thing is still happening.
>
> Can you try this?
>
> If it stops the crash, it should trigger the warning, which hopefully
> will shed more light onto the issue.
>
> Thanks!
>
> -- Steve
>
> diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
> index 199759c73519..8dd793833b51 100644
> --- a/kernel/trace/ring_buffer.c
> +++ b/kernel/trace/ring_buffer.c
> @@ -937,6 +937,9 @@ void ring_buffer_wake_waiters(struct trace_buffer *buffer, int cpu)
> struct ring_buffer_per_cpu *cpu_buffer;
> struct rb_irq_work *rbwork;
>
> + if (!buffer)
> + return;
> +
> if (cpu == RING_BUFFER_ALL_CPUS) {
>
> /* Wake up individual ones too. One level recursion */
> @@ -945,6 +948,10 @@ void ring_buffer_wake_waiters(struct trace_buffer *buffer, int cpu)
>
> rbwork = &buffer->irq_work;
> } else {
> + if (WARN_ON_ONCE(!buffer->buffers))
> + return;
> + if (WARN_ON_ONCE(cpu >= nr_cpu_ids))
> + return;
> cpu_buffer = buffer->buffers[cpu];
> rbwork = &cpu_buffer->irq_work;
> }
View attachment "dmesg.log" of type "text/x-log" (111827 bytes)
Powered by blists - more mailing lists