Bug 107181 - null ptr dereference, regression on commit ba7c95ea3870fe7b847466d39a049ab6f156aa2c
Summary: null ptr dereference, regression on commit ba7c95ea3870fe7b847466d39a049ab6f1...
Status: RESOLVED PATCH_ALREADY_AVAILABLE
Alias: None
Product: File System
Classification: Unclassified
Component: Other
Hardware: All Linux
Importance: P1 high
Assignee: other_other
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-11-04 19:52 UTC by Colin Ian King
Modified: 2016-01-18 13:54 UTC
CC List: 1 user

See Also:
Kernel Version: 4.2+
Subsystem:
Regression: No
Bisected commit-id:


Attachments
reproducer example (574 bytes, text/x-csrc)
2015-11-04 19:52 UTC, Colin Ian King

Description Colin Ian King 2015-11-04 19:52:56 UTC
Created attachment 192111
reproducer example

I'm hitting a null ptr dereference bug when running 2 or more instances of
the attached reproducer program.  I've bisected this down to the
following commit:

commit ba7c95ea3870fe7b847466d39a049ab6f156aa2c
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date:   Tue Mar 24 09:53:17 2015 +1100

    rhashtable: Fix sleeping inside RCU critical section in walk_stop

Without this commit, the attached reproducer runs fine for hours. With
the commit, I can oops a 4 core (8 thread) Intel i7-6700 Sharkbay SDP in
a few seconds.

To reproduce the bug:

	gcc oops-procfs.c -o oops-procfs
	./oops-procfs &
	./oops-procfs &
	./oops-procfs &

Oops message:

[  119.252576] BUG: unable to handle kernel NULL pointer dereference at 00000000000002a3
[  119.252596] IP: [<ffffffff81761ef1>] igmp6_mc_get_next.isra.20+0x21/0xa0
[  119.252612] PGD 35a07067 PUD 80821067 PMD 0
[  119.252622] Oops: 0000 [#1] SMP
[  119.252630] Modules linked in: bnep bluetooth xt_conntrack ipt_REJECT nf_reject_ipv4 ebtable_filter ebtables ip6table_filter ip6_tables xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack xt_tcpudp bridge stp llc iptable_filter ip_tables x_tables binfmt_misc asix usbnet mii snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic xhci_plat_hcd nls_iso8859_1 dwc3 udc_core snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep intel_rapl iosf_mbi x86_pkg_temp_thermal snd_pcm intel_powerclamp coretemp snd_seq_midi snd_seq_midi_event crct10dif_pclmul snd_rawmidi crc32_pclmul ghash_clmulni_intel aesni_intel snd_seq aes_x86_64 lrw snd_seq_device gf128mul snd_timer glue_helper ablk_helper cryptd serio_raw snd soundcore
[  119.252804]  mei_me dwc3_pci mei winbond_cir soc_button_array rc_core 8250_fintek kvm_intel kvm tpm_crb acpi_pad mac_hid parport_pc ppdev lp parport autofs4 btrfs xor raid6_pq hid_generic usbhid i915 i2c_algo_bit e1000e drm_kms_helper syscopyarea sysfillrect ptp sysimgblt psmouse fb_sys_fops pps_core ahci drm libahci i2c_hid wmi hid video
[  119.252883] CPU: 6 PID: 7417 Comm: a.out Tainted: G        W       4.3.0-rc4+ #14
[  119.253829] Hardware name: Intel Corporation Skylake Client platform/Skylake DT DDR4 RVP8, BIOS SKLSE2R1.R00.B089.B00.1506160228 06/16/2015
[  119.254805] task: ffff88045954e900 ti: ffff880080a38000 task.ti: ffff880080a38000
[  119.255756] RIP: 0010:[<ffffffff81761ef1>]  [<ffffffff81761ef1>] igmp6_mc_get_next.isra.20+0x21/0xa0
[  119.256711] RSP: 0018:ffff880080a3bda0  EFLAGS: 00010286
[  119.257665] RAX: ffffffffffffffbb RBX: ffff880457bb4140 RCX: 0000000000000001
[  119.258625] RDX: 000000000000000b RSI: 0000000000000200 RDI: ffffffff81761f2f
[  119.259583] RBP: ffff880080a3bdb0 R08: 0000000000001000 R09: 0000000000000355
[  119.260539] R10: ffff88045bb0c000 R11: ffff88045bb0c354 R12: 0000000000000000
[  119.261487] R13: ffff88045e0ba300 R14: ffff880035d18240 R15: ffff8804595ae900
[  119.262429] FS:  00007f9206434700(0000) GS:ffff880473d80000(0000) knlGS:0000000000000000
[  119.263372] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  119.264318] CR2: 00000000000002a3 CR3: 0000000086d34000 CR4: 00000000003406e0
[  119.265268] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  119.266214] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  119.267157] Stack:
[  119.268086]  ffff880080a3be00 ffff880080a3bf20 ffff880080a3bdc8 ffffffff81761f8d
[  119.269021]  0000000000000000 ffff880080a3be30 ffffffff812123fd 0000000000000355
[  119.269951]  00007ffed59b2be0 ffff880035d18280 0000000000001000 000000000000000b
[  119.270877] Call Trace:
[  119.271797]  [<ffffffff81761f8d>] igmp6_mc_seq_next+0x1d/0x30
[  119.272723]  [<ffffffff812123fd>] seq_read+0x28d/0x360
[  119.273648]  [<ffffffff812572c2>] proc_reg_read+0x42/0x70
[  119.274540]  [<ffffffff811eeee8>] __vfs_read+0x28/0xe0
[  119.275438]  [<ffffffff8130e720>] ? security_file_permission+0xa0/0xc0
[  119.276336]  [<ffffffff811ef7ef>] ? rw_verify_area+0x4f/0xe0
[  119.277234]  [<ffffffff811ef903>] vfs_read+0x83/0x130
[  119.278121]  [<ffffffff811f05b6>] SyS_read+0x46/0xa0
[  119.278993]  [<ffffffff8179b076>] entry_SYSCALL_64_fastpath+0x16/0x75
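The attached reproducer (oops-procfs.c, attachment 192111) is not reproduced on this page. The harness below is an added example written for this edit, not the reporter's program and not kernel code. It assumes, from the call trace (SyS_read -> seq_read -> igmp6_mc_seq_next), that the file being hammered is the seq_file behind /proc/net/igmp6, and it assumes that the race is driven the way the reproduction steps suggest: several processes reading the same seq_file concurrently with a small buffer, so seq_read() re-enters the ->next/->stop callbacks many times per pass. The function names (hammer_seq_file, run_readers) and the 100000-iteration default are the editor's choices. On an unpatched 4.2/4.3 kernel this is expected to oops the box, so run it in a throwaway VM, never on a host you care about.

```c
/* Added example: concurrent seq_file read stress, modelled on the reproduction
 * steps above. Not the attachment from this bug report. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed target, inferred from igmp6_mc_seq_next in the call trace. */
#define IGMP6_PROC "/proc/net/igmp6"

/* Read `path` end to end `iters` times with a deliberately small buffer so
 * that seq_read() is entered many times per pass and the seq_ops ->next and
 * ->stop callbacks run repeatedly. Returns the number of complete passes,
 * or -1 if the file cannot be opened or a read fails. */
static long hammer_seq_file(const char *path, int iters, size_t bufsz)
{
    char *buf = malloc(bufsz);
    if (!buf)
        return -1;

    long passes = 0;
    for (int i = 0; i < iters; i++) {
        int fd = open(path, O_RDONLY);
        if (fd < 0) {
            free(buf);
            return -1;
        }
        ssize_t n;
        while ((n = read(fd, buf, bufsz)) > 0)
            ;               /* discard data; only the kernel-side walk matters */
        close(fd);
        if (n < 0) {
            free(buf);
            return -1;
        }
        passes++;
    }
    free(buf);
    return passes;
}

/* Fork `nproc` readers that hammer the same file at the same time (the
 * "run three instances" step), wait for all of them, and return how many
 * exited cleanly. A crash would of course never return at all. */
static int run_readers(const char *path, int nproc, int iters)
{
    pid_t *pids = calloc((size_t)nproc, sizeof *pids);
    if (!pids)
        return 0;

    for (int i = 0; i < nproc; i++) {
        pid_t pid = fork();
        if (pid < 0)
            break;          /* pids[i] stays 0 and is skipped below */
        if (pid == 0)
            _exit(hammer_seq_file(path, iters, 64) == iters ? 0 : 1);
        pids[i] = pid;
    }

    int ok = 0;
    for (int i = 0; i < nproc; i++) {
        int status;
        if (pids[i] > 0 && waitpid(pids[i], &status, 0) == pids[i]
            && WIFEXITED(status) && WEXITSTATUS(status) == 0)
            ok++;
    }
    free(pids);
    return ok;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : IGMP6_PROC;
    int nproc = argc > 2 ? atoi(argv[2]) : 3;
    int ok = run_readers(path, nproc, 100000);
    printf("%d of %d readers completed on %s\n", ok, nproc, path);
    return ok == nproc ? 0 : 1;
}
```

Usage: `./stress /proc/net/igmp6 3` mirrors the three background instances in the steps above; any other seq_file path (for example /proc/net/dev) can be passed to check whether the crash is specific to the igmp6 walker or shared by other procfs readers.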
Comment 1 Colin Ian King 2016-01-18 13:54:51 UTC
Fixed with upstream fixes:

f9f51b8070be3e829100614a7372b219723b864f ("rhashtable: Fix walker list corruption")

and

179ccc0a73641ffd24e44ff10a7bd494efe98d8d ("rhashtable: Kill harmless RCU warning in rhashtable_walk_init")
