Message-ID: <1445371600.4157.10.camel@mattb-dl>
Date: Tue, 20 Oct 2015 20:06:40 +0000
From: Matt Bennett <Matt.Bennett@...iedtelesis.co.nz>
To: "nitr0@...i.kr.ua" <nitr0@...i.kr.ua>
CC: "netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Re: [Bug] Linux 4.1.9, NULL pointer dereference in pppoe_release+0x120/0x150
On Tue, 2015-10-20 at 14:00 +0300, Andrew wrote:
> Hi.
>
> After upgrading the BRAS software (PPPoE daemon + kernel from 3.2.x to
> 4.1.x) I have different kernel bugs/crashes - some of them don't hurt the
> system, other crashes cause network subsystem lockup (commands like
> 'ip a' just hang; and sometimes even 'reboot -f' doesn't help).
>
> It seems like there's a similar trouble:
> http://permalink.gmane.org/gmane.linux.ppp/4410
>
> Here's one of such crashes:
>
> [98199.605120] BUG: unable to handle kernel NULL pointer dereference at
> 00000280
> [98199.605219] IP: [<f9a03580>] pppoe_release+0x120/0x150 [pppoe]
> [98199.605275] *pdpt = 00000000345c5001 *pde = 0000000000000000
> [98199.605335] Oops: 0000 [#1] SMP
> [98199.605381] Modules linked in: act_mirred pppoe pppox ppp_generic
> slhc iptable_filter xt_length xt_TCPMSS xt_tcpudp xt_mark xt_dscp
> iptable_mangle ip_tables x_tables ipv6 sch_sfq sch_htb cls_u32
> sch_ingress sch_prio sch_tbf cls_flow cls_fw act_police ifb 8021q mrp
> garp stp llc softdog parport_pc parport acpi_cpufreq processor
> thermal_sys i2c_piix4 i2c_core igb(O) sp5100_tco k10temp hwmon ohci_pci
> ohci_hcd dca ptp pps_core sd_mod pata_acpi pcspkr pata_atiixp ahci
> libahci ata_generic libata ehci_pci ehci_hcd usbcore scsi_mod usb_common
> ext4 mbcache jbd2 crc16 vfat fat isofs
> [98199.605858] CPU: 2 PID: 5691 Comm: accel-pppd Tainted: G
> O 4.1.9-i686 #1
> [98199.605942] Hardware name: MICRO-STAR INTERNATIONAL CO.,LTD
> MS-7596/760GM-E51(MS-7596), BIOS V3.3 01/12/2012
> [98199.606027] task: f47b0000 ti: dedfc000 task.ti: dedfc000
> [98199.606073] EIP: 0060:[<f9a03580>] EFLAGS: 00210246 CPU: 2
> [98199.606120] EIP is at pppoe_release+0x120/0x150 [pppoe]
> [98199.606165] EAX: 00000000 EBX: d506c400 ECX: 00000000 EDX: fffffe01
> [98199.606210] ESI: f228d800 EDI: f228d81c EBP: dedfdf48 ESP: dedfdf2c
> [98199.606256] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
> [98199.606301] CR0: 8005003b CR2: 00000280 CR3: 32e38760 CR4: 000006f0
> [98199.606344] Stack:
> [98199.606385] e0fcdc08 f5aa09a0 00000008 f228d81c f228d800 f9a03cc0
> f228d81c dedfdf60
> [98199.606480] c12f4f70 f52e2190 00000000 e0fcdc00 00000008 dedfdf68
> c12f4ff0 dedfdf94
> [98199.606574] c1139dc4 00000001 00000000 00000000 e0fcdc08 f231dc80
> f52e2190 f47b03c0
> [98199.606668] Call Trace:
> [98199.606717] [<c12f4f70>] ? sock_release+0x20/0x90
> [98199.606763] [<c12f4ff0>] ? sock_close+0x10/0x20
> [98199.606810] [<c1139dc4>] ? __fput+0x84/0x1b0
> [98199.606857] [<c1063c71>] ? task_work_run+0x91/0xd0
> [98199.606903] [<c13bad15>] ? work_notifysig+0x16/0x1d
> [98199.606946] Code: 5e 5f 5d c3 8d b4 26 00 00 00 00 89 d8 e8 29 64 8f
> c7 31 c0 83 c4 10 5b 5e 5f 5d c3 8d b4 26 00 00 00 00 8b 83 f8 01 00 00
> 31 c9 <8b> 80 80 02 00 00 64 ff 08 89 8b f8 01 00 00 e9 0a ff ff ff 89
> [98199.607180] EIP: [<f9a03580>] pppoe_release+0x120/0x150 [pppoe]
> SS:ESP 0068:dedfdf2c
> [98199.607267] CR2: 0000000000000280
> [98199.607701] ---[ end trace 61a91a29876c16b9 ]---
> [98232.612193] BUG: unable to handle kernel NULL pointer dereference at
> 00000280
> [98232.612343] IP: [<f9a03580>] pppoe_release+0x120/0x150 [pppoe]
> [98232.612455] *pdpt = 00000000345c5001 *pde = 0000000000000000
> [98232.612591] Oops: 0000 [#2] SMP
> [98232.612722] Modules linked in: act_mirred pppoe pppox ppp_generic
> slhc iptable_filter xt_length xt_TCPMSS xt_tcpudp xt_mark xt_dscp
> iptable_mangle ip_tables x_tables ipv6 sch_sfq sch_htb cls_u32
> sch_ingress sch_prio sch_tbf cls_flow cls_fw act_police ifb 8021q mrp
> garp stp llc softdog parport_pc parport acpi_cpufreq processor
> thermal_sys i2c_piix4 i2c_core igb(O) sp5100_tco k10temp hwmon ohci_pci
> ohci_hcd dca ptp pps_core sd_mod pata_acpi pcspkr pata_atiixp ahci
> libahci ata_generic libata ehci_pci ehci_hcd usbcore scsi_mod usb_common
> ext4 mbcache jbd2 crc16 vfat fat isofs
> [98232.615182] CPU: 1 PID: 2121 Comm: accel-pppd Tainted: G D O
> 4.1.9-i686 #1
> [98232.615294] Hardware name: MICRO-STAR INTERNATIONAL CO.,LTD
> MS-7596/760GM-E51(MS-7596), BIOS V3.3 01/12/2012
> [98232.615407] task: f4966d80 ti: de2d2000 task.ti: de2d2000
> [98232.615483] EIP: 0060:[<f9a03580>] EFLAGS: 00210246 CPU: 1
> [98232.615560] EIP is at pppoe_release+0x120/0x150 [pppoe]
> [98232.615634] EAX: 00000000 EBX: d48bf000 ECX: 00000000 EDX: fffffe01
> [98232.615708] ESI: f226ca80 EDI: f226ca9c EBP: de2d3f48 ESP: de2d3f2c
> [98232.615793] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
> [98232.615867] CR0: 8005003b CR2: 00000280 CR3: 32e38760 CR4: 000006f0
> [98232.615940] Stack:
> [98232.616008] f40e6c08 f5d02cc0 00000008 f226ca9c f226ca80 f9a03cc0
> f226ca9c de2d3f60
> [98232.616363] c12f4f70 f52e2190 00000000 f40e6c00 00000008 de2d3f68
> c12f4ff0 de2d3f94
> [98232.616716] c1139dc4 00000001 00000000 00000000 f40e6c08 f22c9580
> f52e2190 f4967140
> [98232.617069] Call Trace:
> [98232.617147] [<c12f4f70>] ? sock_release+0x20/0x90
> [98232.617221] [<c12f4ff0>] ? sock_close+0x10/0x20
> [98232.617296] [<c1139dc4>] ? __fput+0x84/0x1b0
> [98232.617373] [<c1063c71>] ? task_work_run+0x91/0xd0
> [98232.617449] [<c13bad15>] ? work_notifysig+0x16/0x1d
> [98232.617533] Code: 5e 5f 5d c3 8d b4 26 00 00 00 00 89 d8 e8 29 64 8f
> c7 31 c0 83 c4 10 5b 5e 5f 5d c3 8d b4 26 00 00 00 00 8b 83 f8 01 00 00
> 31 c9 <8b> 80 80 02 00 00 64 ff 08 89 8b f8 01 00 00 e9 0a ff ff ff 89
> [98232.619662] EIP: [<f9a03580>] pppoe_release+0x120/0x150 [pppoe]
> SS:ESP 0068:de2d3f2c
> [98232.619838] CR2: 0000000000000280
> [98232.620409] ---[ end trace 61a91a29876c16ba ]---
>
> Here's the bug location:
> (gdb) list *pppoe_release+0x120
> 0x1580 is in pppoe_release (/var/testpoint/LEAF-new/source/i486-unknown-linux-uclibc/linux/linux-4.1/drivers/net/ppp/pppoe.c:594).
> 589 }
> 590
> 591 po = pppox_sk(sk);
> 592
> 593 if (sk->sk_state & (PPPOX_CONNECTED | PPPOX_BOUND | PPPOX_ZOMBIE)) {
> 594 dev_put(po->pppoe_dev);
> 595 po->pppoe_dev = NULL;
> 596 }
> 597
> 598 pppox_unbind_sock(sk);
>
Hi,
This bug is being worked on and discussed in the mailing thread titled
"[PATCH net] ppp: don't override sk->sk_state in pppoe_flush_dev()"
http://www.spinics.net/lists/netdev/msg345528.html
One patch has already been submitted, see commit
e6740165b8f7f06d8caee0fceab3fb9d790a6fed
The second and (hopefully) final patch (which you can see in the mailing
list thread) is currently being tested.
Regards,
Matt
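The crash in the report, modelled in user space as an added example (not the kernel's code and not the patch): flag values, struct layouts and the dev_put()/pppox_unbind_sock() helpers are constructed stand-ins. It shows why a flush path that forces sk_state to ZOMBIE after unbind has marked the socket DEAD leaves pppoe_release() calling dev_put() on a NULL pppoe_dev, and that leaving sk_state alone, as the referenced patch title describes, avoids it.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed user-space model of the socket state in the oops above, not
 * the kernel's code; flag values, struct layouts and helpers are stand-ins. */
enum { PPPOX_CONNECTED = 1, PPPOX_BOUND = 2, PPPOX_DEAD = 4, PPPOX_ZOMBIE = 8 };
struct net_device { int refcnt; };                  /* only the refcount matters */
struct pppox_sock { unsigned sk_state; struct net_device *pppoe_dev; };

/* dev_put() stand-in: reports a NULL device where the kernel faulted (CR2 = 0x280). */
static bool dev_put(struct net_device *dev)
{
    if (dev == NULL) return false;
    dev->refcnt--;
    return true;
}
/* pppox_unbind_sock() stand-in: an attached socket becomes DEAD. */
static void pppox_unbind_sock(struct pppox_sock *po)
{
    if (po->sk_state & (PPPOX_CONNECTED | PPPOX_BOUND | PPPOX_ZOMBIE))
        po->sk_state = PPPOX_DEAD;
}
/* Device teardown: with override_state the flush path forces ZOMBIE after
 * unbind already marked the socket DEAD, then drops and clears the device. */
static void pppoe_flush_dev(struct pppox_sock *po, bool override_state)
{
    pppox_unbind_sock(po);
    if (override_state) po->sk_state = PPPOX_ZOMBIE; /* claims a device is held */
    dev_put(po->pppoe_dev);
    po->pppoe_dev = NULL;
}
/* Release path as listed at pppoe.c:591-598: sk_state alone decides whether
 * dev_put() runs, so ZOMBIE with pppoe_dev == NULL dereferences NULL. */
static bool pppoe_release(struct pppox_sock *po)
{
    if (po->sk_state & (PPPOX_CONNECTED | PPPOX_BOUND | PPPOX_ZOMBIE)) {
        if (!dev_put(po->pppoe_dev)) return false;
        po->pppoe_dev = NULL;
    }
    pppox_unbind_sock(po);
    return true;
}
/* Flush then close one socket: -1 where the kernel would have oopsed,
 * otherwise the device refcount left behind (0 means balanced). */
static int teardown_after_flush(bool override_state)
{
    struct net_device dev = { .refcnt = 1 };
    struct pppox_sock po = { .sk_state = PPPOX_CONNECTED, .pppoe_dev = &dev };
    pppoe_flush_dev(&po, override_state);
    return pppoe_release(&po) ? dev.refcnt : -1;
}
```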