Message-ID: <20141210232911.GE24163@wfg-t540p.sh.intel.com>
Date:	Wed, 10 Dec 2014 15:29:11 -0800
From:	Fengguang Wu <fengguang.wu@...el.com>
To:	Alexei Starovoitov <ast@...mgrid.com>
Cc:	LKP <lkp@...org>, linux-kernel@...r.kernel.org,
	netdev@...r.kernel.org
Subject: [net: sock] BUG: unable to handle kernel NULL pointer dereference at
 0000000000000007

Greetings,

0day kernel testing robot got the below dmesg and the first bad commit is

git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
commit 89aa075832b0da4402acebd698d0411dcc82d03e
Author:     Alexei Starovoitov <ast@...mgrid.com>
AuthorDate: Mon Dec 1 15:06:35 2014 -0800
Commit:     David S. Miller <davem@...emloft.net>
CommitDate: Fri Dec 5 21:47:32 2014 -0800

    net: sock: allow eBPF programs to be attached to sockets
    
    introduce new setsockopt() command:
    
    setsockopt(sock, SOL_SOCKET, SO_ATTACH_BPF, &prog_fd, sizeof(prog_fd))
    
    where prog_fd was received from syscall bpf(BPF_PROG_LOAD, attr, ...)
    and attr->prog_type == BPF_PROG_TYPE_SOCKET_FILTER
    
    setsockopt() calls bpf_prog_get() which increments refcnt of the program,
    so it doesn't get unloaded while socket is using the program.
    
    The same eBPF program can be attached to multiple sockets.
    
    User task exit automatically closes socket which calls sk_filter_uncharge()
    which decrements refcnt of eBPF program
    
    Signed-off-by: Alexei Starovoitov <ast@...mgrid.com>
    Signed-off-by: David S. Miller <davem@...emloft.net>

+------------------------------------------+------------+------------+------------+
|                                          | ddd872bc30 | 89aa075832 | 6c702fab62 |
+------------------------------------------+------------+------------+------------+
| boot_successes                           | 900        | 292        | 20         |
| boot_failures                            | 0          | 8          | 2          |
| BUG:unable_to_handle_kernel              | 0          | 8          | 2          |
| Oops                                     | 0          | 8          | 2          |
| RIP:sk_attach_bpf                        | 0          | 8          | 2          |
| Kernel_panic-not_syncing:Fatal_exception | 0          | 8          | 2          |
| backtrace:sock_setsockopt                | 0          | 8          | 2          |
| backtrace:SyS_setsockopt                 | 0          | 8          | 2          |
+------------------------------------------+------------+------------+------------+

[init] Kernel was tainted on startup. Will ignore flags that are already set.
[init] Started watchdog process, PID is 9354
[main] Main thread is alive.
[   21.233581] BUG: unable to handle kernel NULL pointer dereference at 0000000000000007
[   21.234709] IP: [<ffffffff8156ebda>] sk_attach_bpf+0x39/0xc2
[   21.235503] PGD b12c067 PUD b12d067 PMD 0 
[   21.236124] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[   21.236902] Modules linked in:
[   21.237347] CPU: 1 PID: 318 Comm: trinity-main Not tainted 3.18.0-rc6-g89aa075 #214
[   21.238371] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[   21.239146] task: ffff8800001e0000 ti: ffff8800001e4000 task.ti: ffff8800001e4000
[   21.240145] RIP: 0010:[<ffffffff8156ebda>]  [<ffffffff8156ebda>] sk_attach_bpf+0x39/0xc2
[   21.241252] RSP: 0018:ffff8800001e7ea8  EFLAGS: 00010282
[   21.241970] RAX: 00000000ffffffea RBX: ffff88000af305c0 RCX: 0000000000000000
[   21.242107] RDX: 0000000000000000 RSI: 0000000000004000 RDI: 0000000000000000
[   21.242107] RBP: ffff8800001e7ec8 R08: 0000000000003601 R09: 0000000000000209
[   21.242107] R10: 0000000000000000 R11: 0000000000000206 R12: 00000000fffffff2
[   21.242107] R13: fffffffffffffff7 R14: 0000000000000c01 R15: 0000000000000004
[   21.242107] FS:  00007f035d5ed700(0000) GS:ffff880012500000(0000) knlGS:0000000000000000
[   21.242107] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   21.242107] CR2: 0000000000000007 CR3: 000000000b141000 CR4: 00000000000406e0
[   21.242107] Stack:
[   21.242107]  0000000000000000 ffff88000af305c0 00000000fffffff2 0000000000000c01
[   21.242107]  ffff8800001e7f28 ffffffff8154cca3 00000032011e7ef8 00000000008a3000
[   21.242107]  ffff880000000c01 ffff8800001e0000 ffff8800001e7f38 ffff88000b7bb780
[   21.242107] Call Trace:
[   21.242107]  [<ffffffff8154cca3>] sock_setsockopt+0x447/0x5ef
[   21.242107]  [<ffffffff81548dfd>] SyS_setsockopt+0x61/0x94
[   21.242107]  [<ffffffff8158ed69>] system_call_fastpath+0x12/0x17
[   21.242107] Code: 40 00 0f 85 ab 00 00 00 55 48 89 e5 41 55 41 54 53 51 48 89 f3 e8 bf 82 b7 ff 49 89 c5 b8 ea ff ff ff 4d 85 ed 0f 84 81 00 00 00 <49> 8b 45 10 83 78 08 01 74 0f 4c 89 ef e8 60 82 b7 ff b8 ea ff 
[   21.242107] RIP  [<ffffffff8156ebda>] sk_attach_bpf+0x39/0xc2
[   21.242107]  RSP <ffff8800001e7ea8>
[   21.242107] CR2: 0000000000000007
[   21.292711] ---[ end trace 5196e3a283419924 ]---
[   21.293361] Kernel panic - not syncing: Fatal exception

git bisect start 6c702fab626328c33b539b0c618a5511aed23bed 61ed53deb1c6a4386d8710dbbfcee8779c381931 --
git bisect good d7990b0c34623cd54475a0562c607efbaba4899d  # 18:30     75+      0  cxgb4i/cxgb4 : Refactor macros to conform to uniform standards
git bisect good 8b7f8a99906fc21c287ad63ad3a89cf662b0293e  # 18:53     75+      0  Merge branch 'tipc-next'
git bisect  bad 7ee813653e34209a148d928c81d4495dff3a879f  # 19:09      0-      3  Merge branch 'cxgb4-next'
git bisect  bad 60c04aecd8a72a84869308bdf2289a7aabb9a88c  # 19:13     11-      1  udp: Neaten and reduce size of compute_score functions
git bisect good 244ebd9f8fa8beb7b37bdeebd6c5308b61f98aef  # 19:29    130+      0  Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
git bisect good f51a5e82ea9aaf05106c00d976e772ca384a9199  # 19:42    130+      0  tun/macvtap: use consume_skb() instead of kfree_skb() when needed
git bisect  bad 6867b17b26d80cfd419e491141feb75082915979  # 20:10      0-      1  test: bpf: expand DIV_KX to DIV_MOD_KX
git bisect  bad 8d0c4697534a739725e429ff062dea393d8860d1  # 20:22      1-      2  Merge branch 'ebpf-next'
git bisect  bad 03f4723ed7a52bd31da26eefe2cdde563ea0f468  # 20:35     66-      1  samples: bpf: example of stateful socket filtering
git bisect  bad 89aa075832b0da4402acebd698d0411dcc82d03e  # 20:47      0-      1  net: sock: allow eBPF programs to be attached to sockets
git bisect good ddd872bc3098f9d9abe1680a6b2013e59e3337f7  # 21:11    300+      0  bpf: verifier: add checks for BPF_ABS | BPF_IND instructions
# first bad commit: [89aa075832b0da4402acebd698d0411dcc82d03e] net: sock: allow eBPF programs to be attached to sockets
git bisect good ddd872bc3098f9d9abe1680a6b2013e59e3337f7  # 21:41    900+      0  bpf: verifier: add checks for BPF_ABS | BPF_IND instructions
# extra tests on HEAD of netdev-next/master
git bisect  bad 6c702fab626328c33b539b0c618a5511aed23bed  # 21:41      0-      2  dummy: use MODULE_VERSION
# extra tests on tree/branch next/master
git bisect  bad 12fd07251e19050ca979d9ce5d4b6bcb41dc00e9  # 21:45      0-      2  Add linux-next specific files for 20141210
# extra tests on tree/branch linus/master
git bisect good 86c6a2fddf0b89b494c7616f2c06cf915c4bff01  # 22:25    900+      0  Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
# extra tests on tree/branch next/master
git bisect  bad 12fd07251e19050ca979d9ce5d4b6bcb41dc00e9  # 22:25      0-     17  Add linux-next specific files for 20141210


This script may reproduce the error.

----------------------------------------------------------------------------
#!/bin/bash

kernel=$1
initrd=quantal-core-x86_64.cgz

wget --no-clobber https://github.com/fengguang/reproduce-kernel-bug/raw/master/initrd/$initrd

kvm=(
	qemu-system-x86_64
	-enable-kvm
	-cpu Haswell,+smep,+smap
	-kernel $kernel
	-initrd $initrd
	-m 320
	-smp 2
	-net nic,vlan=1,model=e1000
	-net user,vlan=1
	-boot order=nc
	-no-reboot
	-watchdog i6300esb
	-rtc base=localtime
	-serial stdio
	-display none
	-monitor null 
)

append=(
	hung_task_panic=1
	earlyprintk=ttyS0,115200
	debug
	apic=debug
	sysrq_always_enabled
	rcupdate.rcu_cpu_stall_timeout=100
	panic=-1
	softlockup_panic=1
	nmi_watchdog=panic
	oops=panic
	load_ramdisk=2
	prompt_ramdisk=0
	console=ttyS0,115200
	console=tty0
	vga=normal
	root=/dev/ram0
	rw
	drbd.minor_count=8
)

"${kvm[@]}" --append "${append[*]}"
----------------------------------------------------------------------------

Thanks,
Fengguang

View attachment "dmesg-quantal-kbuild-2:20141210205228:x86_64-randconfig-s0-12101616:3.18.0-rc6-g89aa075:214" of type "text/plain" (73142 bytes)

View attachment "config-3.18.0-rc6-g89aa075" of type "text/plain" (79157 bytes)

_______________________________________________
LKP mailing list
LKP@...ux.intel.com
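
An added triage example (not part of the original report or of the 0day tooling): it checks whether the "NULL pointer dereference" at address 7 is really an error-encoded pointer being dereferenced. The register lines are copied from the oops above; the heuristic, the 0x1000 offset limit and the function names are assumptions of this example.

```python
import errno
import re

MAX_ERRNO = 4095            # kernel convention: the top 4095 addresses encode -errno
WORD = 1 << 64

# Register lines copied from the oops in the report above (timestamps dropped).
OOPS = """\
BUG: unable to handle kernel NULL pointer dereference at 0000000000000007
RAX: 00000000ffffffea RBX: ffff88000af305c0 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000004000 RDI: 0000000000000000
RBP: ffff8800001e7ec8 R08: 0000000000003601 R09: 0000000000000209
R10: 0000000000000000 R11: 0000000000000206 R12: 00000000fffffff2
R13: fffffffffffffff7 R14: 0000000000000c01 R15: 0000000000000004
CR2: 0000000000000007 CR3: 000000000b141000 CR4: 00000000000406e0
"""

# General-purpose registers (RAX, R08, R13, ...) plus CR2, the faulting address.
REG = re.compile(r"\b(R[A-Z0-9]{2}|CR2): ([0-9a-f]{16})\b")


def parse_regs(text):
    """Return {register name: value} for every 64-bit register dump entry."""
    return {name: int(val, 16) for name, val in REG.findall(text)}


def err_ptr_candidates(regs, max_disp=0x1000):
    """Find registers that hold an error-encoded pointer (value in the top
    MAX_ERRNO addresses) and that, plus a small struct offset, wrap around
    to the faulting address in CR2. max_disp is this example's assumption."""
    hits = []
    for name, val in regs.items():
        if name == "CR2" or val < WORD - MAX_ERRNO:
            continue                      # not in the ERR_PTR range
        disp = (regs["CR2"] - val) % WORD  # offset that was added to the pointer
        if disp < max_disp:
            err = WORD - val              # two's-complement negation -> errno
            hits.append((name, errno.errorcode.get(err, str(err)), disp))
    return hits


if __name__ == "__main__":
    for reg, err, disp in err_ptr_candidates(parse_regs(OOPS)):
        print(f"{reg} holds -{err}; fault is {reg}+{disp:#x}")
```

The single hit, R13 holding -EBADF and read at offset 0x10, agrees with the `Code:` line: the faulting bytes `<49> 8b 45 10` are `mov 0x10(%r13),%rax`, and they follow `4d 85 ed` (`test %r13,%r13`), a NULL-only test. A pointer that can carry an encoded errno needs an `IS_ERR()` check instead of a NULL comparison.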
