This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.
[Bug runtime/22155] kernel panic due to NULL vma_cache_p->f_path.dentry
- From: "penguin-kernel at i-love dot sakura dot ne dot jp" <sourceware-bugzilla at sourceware dot org>
- To: systemtap at sourceware dot org
- Date: Wed, 20 Sep 2017 10:23:37 +0000
- Subject: [Bug runtime/22155] kernel panic due to NULL vma_cache_p->f_path.dentry
- Auto-submitted: auto-generated
- References: <bug-22155-6586@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=22155
--- Comment #6 from Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> ---
F.Y.I. KASAN reports that this is a use-after-free bug.
[ 103.454147] Injecting mdelay() at __stp_call_mmap_callbacks_for_task()
[ 103.519926] ==================================================================
[ 103.519940] BUG: KASAN: use-after-free in d_path+0xb0/0x420
[ 103.519943] Read of size 8 at addr ffff880067e09fd8 by task a.out/3147
[ 103.519945]
[ 103.519949] CPU: 2 PID: 3147 Comm: a.out Tainted: G O 4.13.0 #150
[ 103.519952] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[ 103.519953] Call Trace:
[ 103.519959] dump_stack+0x68/0x99
[ 103.519965] print_address_description+0x5d/0x270
[ 103.519971] kasan_report+0x25a/0x370
[ 103.519974] ? d_path+0xb0/0x420
[ 103.519981] __asan_load8+0x54/0x90
[ 103.519984] d_path+0xb0/0x420
[ 103.519988] ? lock_downgrade+0x2c0/0x2c0
[ 103.519994] ? prepend_path+0x790/0x790
[ 103.520010] ? __stp_call_mmap_callbacks.part.40+0xd0/0x100 [stap_0bb496b0c0998e4178af5110538c49d_2830]
[ 103.520026] __stp_call_mmap_callbacks_for_task+0x2e6/0x380 [stap_0bb496b0c0998e4178af5110538c49d_2830]
[ 103.520043] __stp_utrace_task_finder_target_quiesce+0x32d/0x380 [stap_0bb496b0c0998e4178af5110538c49d_2830]
[ 103.520055] ? __stp_tf_quiesce_worker+0x1e0/0x1e0 [stap_0bb496b0c0998e4178af5110538c49d_2830]
[ 103.520063] start_callback.isra.18+0xd7/0x180 [stap_0bb496b0c0998e4178af5110538c49d_2830]
[ 103.520077] utrace_resume+0x20b/0x580 [stap_0bb496b0c0998e4178af5110538c49d_2830]
[ 103.520079] ? __lock_is_held+0x2d/0x100
[ 103.520090] ? utrace_control+0x470/0x470 [stap_0bb496b0c0998e4178af5110538c49d_2830]
[ 103.520102] task_work_run+0xa7/0xe0
[ 103.520110] exit_to_usermode_loop+0xaa/0xb0
[ 103.520116] syscall_return_slowpath+0xc3/0x110
[ 103.520121] ret_from_fork+0x15/0x40
[ 103.520124] RIP: 0033:0x7ff1a0764311
[ 103.520126] RSP: 002b:00000000022bd320 EFLAGS: 00000202 ORIG_RAX: 0000000000000038
[ 103.520129] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007ff1a0764311
[ 103.520131] RDX: 0000000000001000 RSI: 00000000022bd320 RDI: 0000000000000100
[ 103.520133] RBP: 00007ffde649b740 R08: 0000000000001000 R09: 0000000000001000
[ 103.520135] R10: 00007ffde649b828 R11: 0000000000000202 R12: 0000000000400640
[ 103.520137] R13: 00007ffde649b820 R14: 0000000000000000 R15: 0000000000000000
[ 103.520150]
[ 103.520152] Allocated by task 2842:
[ 103.520157] save_stack_trace+0x16/0x20
[ 103.520159] kasan_kmalloc+0xee/0x190
[ 103.520161] kasan_slab_alloc+0x12/0x20
[ 103.520165] kmem_cache_alloc+0xf8/0x370
[ 103.520169] get_empty_filp+0x68/0x260
[ 103.520172] path_openat+0xb8/0x1180
[ 103.520175] do_filp_open+0x121/0x1c0
[ 103.520177] do_sys_open+0x1a4/0x2a0
[ 103.520180] SyS_open+0x19/0x20
[ 103.520182] do_syscall_64+0xe5/0x250
[ 103.520185] return_from_SYSCALL_64+0x0/0x7a
[ 103.520186]
[ 103.520187] Freed by task 2841:
[ 103.520190] save_stack_trace+0x16/0x20
[ 103.520192] kasan_slab_free+0xaf/0x190
[ 103.520195] kmem_cache_free+0x9c/0x330
[ 103.520197] file_free_rcu+0x46/0x70
[ 103.520201] rcu_process_callbacks+0x425/0xae0
[ 103.520204] __do_softirq+0x104/0x5e3
[ 103.520205]
[ 103.520207] The buggy address belongs to the object at ffff880067e09fc0
[ 103.520207] which belongs to the cache filp of size 456
[ 103.520209] The buggy address is located 24 bytes inside of
[ 103.520209] 456-byte region [ffff880067e09fc0, ffff880067e0a188)
[ 103.520211] The buggy address belongs to the page:
[ 103.520214] page:ffffea00019f8200 count:1 mapcount:0 mapping: (null) index:0xffff880067e0b4c0 compound_mapcount: 0
[ 103.520219] flags: 0x1ffe00000008100(slab|head)
[ 103.520223] raw: 01ffe00000008100 0000000000000000 ffff880067e0b4c0 000000010024001d
[ 103.520227] raw: ffffea000196f620 ffff88006a81c2c0 ffff88006cd8de80 0000000000000000
[ 103.520228] page dumped because: kasan: bad access detected
[ 103.520229]
[ 103.520230] Memory state around the buggy address:
[ 103.520233] ffff880067e09e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 103.520235] ffff880067e09f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 103.520237] >ffff880067e09f80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 103.520239] ^
[ 103.520241] ffff880067e0a000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 103.520243] ffff880067e0a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 103.520244] ==================================================================
[ 103.520246] Disabling lock debugging due to kernel taint
[ 103.520256] BUG: unable to handle kernel NULL pointer dereference at 00000000000000c0
[ 103.520260] IP: d_path+0xc1/0x420
[ 103.520262] PGD 69187067
[ 103.520262] P4D 69187067
[ 103.520263] PUD 69186067
[ 103.520264] PMD 0
[ 103.520265]
[ 103.520267] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN
[ 103.520269] Modules linked in: stap_0bb496b0c0998e4178af5110538c49d_2830(O) coretemp pcspkr sg vmw_vmci i2c_piix4 shpchp sd_mod ata_generic pata_acpi serio_raw vmwgfx drm_kms_helper syscopyarea ahci sysfillrect libahci sysimgblt fb_sys_fops e1000 ttm drm ata_piix mptspi scsi_transport_spi mptscsih mptbase i2c_core libata ipv6
[ 103.520295] CPU: 2 PID: 3147 Comm: a.out Tainted: G B O 4.13.0 #150
[ 103.520297] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[ 103.520298] task: ffff880061214b40 task.stack: ffff880061230000
[ 103.520300] RIP: 0010:d_path+0xc1/0x420
[ 103.520302] RSP: 0018:ffff880061237be8 EFLAGS: 00010282
[ 103.520304] RAX: 0000000000000000 RBX: 1ffff1000c246f81 RCX: ffffffff8136c701
[ 103.520305] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 00000000000000c0
[ 103.520306] RBP: ffff880061237cd8 R08: 0000000000000000 R09: 0000000000000000
[ 103.520308] R10: fbfbfbfbfbfbfbfb R11: fffffbfff067fc25 R12: ffff880067e09fd0
[ 103.520309] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000001000
[ 103.520311] FS: 00007ff1a0c3e740(0000) GS:ffff88006d280000(0000) knlGS:0000000000000000
[ 103.520317] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 103.520319] CR2: 00000000000000c0 CR3: 000000006c4d4000 CR4: 00000000001406e0
[ 103.520320] Call Trace:
[ 103.520323] ? lock_downgrade+0x2c0/0x2c0
[ 103.520327] ? prepend_path+0x790/0x790
[ 103.520338] ? __stp_call_mmap_callbacks.part.40+0xd0/0x100 [stap_0bb496b0c0998e4178af5110538c49d_2830]
[ 103.520348] __stp_call_mmap_callbacks_for_task+0x2e6/0x380 [stap_0bb496b0c0998e4178af5110538c49d_2830]
[ 103.520360] __stp_utrace_task_finder_target_quiesce+0x32d/0x380 [stap_0bb496b0c0998e4178af5110538c49d_2830]
[ 103.520369] ? __stp_tf_quiesce_worker+0x1e0/0x1e0 [stap_0bb496b0c0998e4178af5110538c49d_2830]
[ 103.520376] start_callback.isra.18+0xd7/0x180 [stap_0bb496b0c0998e4178af5110538c49d_2830]
[ 103.520385] utrace_resume+0x20b/0x580 [stap_0bb496b0c0998e4178af5110538c49d_2830]
[ 103.520387] ? __lock_is_held+0x2d/0x100
[ 103.520396] ? utrace_control+0x470/0x470 [stap_0bb496b0c0998e4178af5110538c49d_2830]
[ 103.520402] task_work_run+0xa7/0xe0
[ 103.520406] exit_to_usermode_loop+0xaa/0xb0
[ 103.520410] syscall_return_slowpath+0xc3/0x110
[ 103.520413] ret_from_fork+0x15/0x40
[ 103.520414] RIP: 0033:0x7ff1a0764311
[ 103.520416] RSP: 002b:00000000022bd320 EFLAGS: 00000202 ORIG_RAX: 0000000000000038
[ 103.520418] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007ff1a0764311
[ 103.520419] RDX: 0000000000001000 RSI: 00000000022bd320 RDI: 0000000000000100
[ 103.520421] RBP: 00007ffde649b740 R08: 0000000000001000 R09: 0000000000001000
[ 103.520422] R10: 00007ffde649b828 R11: 0000000000000202 R12: 0000000000400640
[ 103.520423] R13: 00007ffde649b820 R14: 0000000000000000 R15: 0000000000000000
[ 103.520429] Code: 48 89 85 50 ff ff ff 48 8d 47 08 48 89 c7 48 89 85 18 ff ff ff e8 40 96 f9 ff 4d 8b 74 24 08 49 8d be c0 00 00 00 e8 2f 96 f9 ff <4d> 8b ae c0 00 00 00 4d 85 ed 0f 84 9c 00 00 00 49 8d 7d 48 e8
[ 103.520471] RIP: d_path+0xc1/0x420 RSP: ffff880061237be8
[ 103.520472] CR2: 00000000000000c0
[ 103.520474] ---[ end trace 1cb14de0bcaa41fd ]---