I get a kernel null pointer dereference when sandboxing my program. I have cut a lot of the fat off my program and uploaded this variant to https://gitgud.net/sstewartgallus/linted/tree/fucked-up. You configure it with autoconf (2.69) and then run ./scripts/arch/configure-x86_64-linux-gnu and then run make and then run ./scripts/test. I get the bug on kernel 4.0.2. My system hardware:
The bug still occurs on Linux 4.04. Also, I took a picture of the backtrace that shows up on the console with my phone. The information on the screen says the NULL dereference occurs at pin_remove. It also shows a backtrace of:
drop_mountpoint
pin_kill
? woken_wake_function
mnt_pin_kill
cleanup_mnt
__cleanup_mnt
task_work_run
do_notify_resume
int_signal
This appears to be the same or a similar bug as described at http://permalink.gmane.org/gmane.linux.kernel.containers/29340
Rereading the information on how to submit bug reports, I found that I should record the output of the script ./scripts/ver_linux. It gives:
Linux proteus 4.0.4-gnu #1 SMP Mon May 18 12:12:23 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
Gnu C 4.8
Gnu make 3.81
binutils 2.24
util-linux 2.20.1
mount support
module-init-tools 15
e2fsprogs 1.42.9
jfsutils 1.1.15
reiserfsprogs 3.6.24
reiser4progs 1.0.7
xfsprogs 3.1.9
pcmciautils 018
quota-tools 4.01.
PPP 2.4.5
Linux C Library 2.19
Dynamic linker (ldd) 2.19
Procps 3.3.9
Net-tools 1.60
Kbd 1.15.5
oprofile 0.9.9
Sh-utils 8.21
wireless-tools 30
Modules Loaded uas usb_storage ctr ccm bnep rfcomm binfmt_misc intel_rapl intel_soc_dts_thermal intel_powerclamp coretemp snd_hda_codec_hdmi snd_hda_codec_realtek joydev ath3k kvm_intel snd_hda_codec_generic btusb acer_wmi snd_hda_intel sparse_keymap snd_hda_controller bluetooth snd_hda_codec kvm snd_hwdep snd_pcm hid_multitouch arc4 crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_seq_midi ath9k snd_seq_midi_event uvcvideo ath9k_common ath9k_hw snd_rawmidi dm_multipath videobuf2_vmalloc ath videobuf2_memops videobuf2_core snd_seq mac80211 scsi_dh v4l2_common snd_seq_device cfg80211 videodev snd_timer media snd iosf_mbi cryptd soundcore serio_raw lpc_ich shpchp mei_txe 8250_fintek mei dw_dmac dw_dmac_core int3400_thermal processor_thermal_device int3403_thermal intel_smartconnect acpi_thermal_rel int340x_thermal_zone i2c_hid pwm_lpss_platform pwm_lpss spi_pxa2xx_platform i2c_designware_platform i2c_designware_core mac_hid nls_iso8859_1 parport_pc ppdev lp parport btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear dm_mirror dm_region_hash dm_log hid_generic usbhid hid i915 i2c_algo_bit r8169 drm_kms_helper ahci mii libahci drm wmi video
This was introduced in 4.0.2 and is fixed by:

commit 820f9f147dcce2602eefd9b575bbbd9ea14f0953
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Thu Apr 2 16:35:48 2015 -0500

    fs_pin: Allow for the possibility that m_list or s_list go unused.

    This is needed to support lazily umounting locked mounts. Because the
    entire unmounted subtree needs to stay together until there are no
    users with references to any part of the subtree.

    To support this guarantee that the fs_pin m_list and s_list nodes are
    initialized by initializing them in init_fs_pin allowing for the
    possibility that pin_insert_group does not touch them.

    Further use hlist_del_init in pin_remove so that there is a
    hlist_unhashed test before the list we attempt to update the previous
    list item.

    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

commit cd4a40174b71acd021877341684d8bb1dc8ea4ae
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Wed Jan 7 14:28:26 2015 -0600

    mnt: Fail collect_mounts when applied to unmounted mounts

    The only users of collect_mounts are in audit_tree.c

    In audit_trim_trees and audit_add_tree_rule the path passed into
    collect_mounts is generated from kern_path passed an audit_tree
    pathname which is guaranteed to be an absolute path. In those cases
    collect_mounts is obviously intended to work on mounted paths and if a
    race results in paths that are unmounted when collect_mounts it is
    reasonable to fail early.

    The paths passed into audit_tag_tree don't have the absolute path
    check. But are used to play with fsnotify and otherwise interact with
    the audit_trees, so again operating only on mounted paths appears
    reasonable.

    Avoid having to worry about what happens when we try and audit
    unmounted filesystems by restricting collect_mounts to mounts that
    appear in the mount tree.
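To illustrate the first commit's fix, here is an added C model (not code from the reporter's project or from the kernel tree) of why the old pin_remove faulted when a pin's list node was never inserted: the hlist helpers are simplified re-implementations modelled on include/linux/list.h, and struct fs_pin is reduced to its two list nodes, both assumptions made for this example.

```c
/* Minimal model of the fs_pin oops fixed by commit 820f9f147dcc.  The hlist
 * primitives are simplified re-implementations of include/linux/list.h. */
#include <stdbool.h>
#include <stddef.h>
struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };
static void INIT_HLIST_NODE(struct hlist_node *n) { n->next = NULL; n->pprev = NULL; }
static bool hlist_unhashed(const struct hlist_node *n) { return n->pprev == NULL; }
static void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
    n->next = h->first;
    if (h->first) h->first->pprev = &n->next;
    h->first = n; n->pprev = &h->first;
}
/* hlist_del writes through pprev unconditionally: a NULL pprev is the oops. */
static void __hlist_del(struct hlist_node *n)
{
    *n->pprev = n->next;
    if (n->next) n->next->pprev = n->pprev;
}
static void hlist_del_init(struct hlist_node *n)
{
    if (!hlist_unhashed(n)) { __hlist_del(n); INIT_HLIST_NODE(n); }
}
struct fs_pin { struct hlist_node m_list, s_list; };   /* list nodes only */
/* Fixed init_fs_pin: both nodes start unhashed instead of uninitialised. */
static void init_fs_pin(struct fs_pin *p)
{ INIT_HLIST_NODE(&p->m_list); INIT_HLIST_NODE(&p->s_list); }
/* Either list may legitimately be skipped (the "go unused" case). */
static void pin_insert_group(struct fs_pin *p, struct hlist_head *m, struct hlist_head *s)
{ if (m) hlist_add_head(&p->m_list, m); if (s) hlist_add_head(&p->s_list, s); }
/* Old pin_remove called hlist_del on both nodes; it faults on an unhashed one. */
static bool old_pin_remove_would_fault(const struct fs_pin *p)
{ return hlist_unhashed(&p->m_list) || hlist_unhashed(&p->s_list); }
/* Fixed pin_remove: hlist_del_init tests hlist_unhashed before unlinking. */
static void pin_remove(struct fs_pin *p)
{ hlist_del_init(&p->m_list); hlist_del_init(&p->s_list); }
/* Scenario from the commit: pin inserted into m_list only, s_list unused. */
static bool unused_list_scenario(void)
{
    struct hlist_head m = { NULL };
    struct fs_pin p;
    init_fs_pin(&p);
    pin_insert_group(&p, &m, NULL);
    bool old_faults = old_pin_remove_would_fault(&p);  /* true: s_list unhashed */
    pin_remove(&p);                                    /* fixed path: no fault */
    pin_remove(&p);                                    /* and safe to repeat */
    return old_faults && m.first == NULL && hlist_unhashed(&p.m_list);
}
```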
Can confirm this bug is fixed.