This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.



[Bug runtime/22155] kernel panic due to NULL vma_cache_p->f_path.dentry


https://sourceware.org/bugzilla/show_bug.cgi?id=22155

--- Comment #6 from Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> ---
F.Y.I. KASAN reports that this is a use-after-free bug.

[  103.454147] Injecting mdelay() at __stp_call_mmap_callbacks_for_task()
[  103.519926]
==================================================================
[  103.519940] BUG: KASAN: use-after-free in d_path+0xb0/0x420
[  103.519943] Read of size 8 at addr ffff880067e09fd8 by task a.out/3147
[  103.519945] 
[  103.519949] CPU: 2 PID: 3147 Comm: a.out Tainted: G           O    4.13.0
#150
[  103.519952] Hardware name: VMware, Inc. VMware Virtual Platform/440BX
Desktop Reference Platform, BIOS 6.00 07/02/2015
[  103.519953] Call Trace:
[  103.519959]  dump_stack+0x68/0x99
[  103.519965]  print_address_description+0x5d/0x270
[  103.519971]  kasan_report+0x25a/0x370
[  103.519974]  ? d_path+0xb0/0x420
[  103.519981]  __asan_load8+0x54/0x90
[  103.519984]  d_path+0xb0/0x420
[  103.519988]  ? lock_downgrade+0x2c0/0x2c0
[  103.519994]  ? prepend_path+0x790/0x790
[  103.520010]  ? __stp_call_mmap_callbacks.part.40+0xd0/0x100
[stap_0bb496b0c0998e4178af5110538c49d_2830]
[  103.520026]  __stp_call_mmap_callbacks_for_task+0x2e6/0x380
[stap_0bb496b0c0998e4178af5110538c49d_2830]
[  103.520043]  __stp_utrace_task_finder_target_quiesce+0x32d/0x380
[stap_0bb496b0c0998e4178af5110538c49d_2830]
[  103.520055]  ? __stp_tf_quiesce_worker+0x1e0/0x1e0
[stap_0bb496b0c0998e4178af5110538c49d_2830]
[  103.520063]  start_callback.isra.18+0xd7/0x180
[stap_0bb496b0c0998e4178af5110538c49d_2830]
[  103.520077]  utrace_resume+0x20b/0x580
[stap_0bb496b0c0998e4178af5110538c49d_2830]
[  103.520079]  ? __lock_is_held+0x2d/0x100
[  103.520090]  ? utrace_control+0x470/0x470
[stap_0bb496b0c0998e4178af5110538c49d_2830]
[  103.520102]  task_work_run+0xa7/0xe0
[  103.520110]  exit_to_usermode_loop+0xaa/0xb0
[  103.520116]  syscall_return_slowpath+0xc3/0x110
[  103.520121]  ret_from_fork+0x15/0x40
[  103.520124] RIP: 0033:0x7ff1a0764311
[  103.520126] RSP: 002b:00000000022bd320 EFLAGS: 00000202 ORIG_RAX:
0000000000000038
[  103.520129] RAX: 0000000000000000 RBX: 0000000000000000 RCX:
00007ff1a0764311
[  103.520131] RDX: 0000000000001000 RSI: 00000000022bd320 RDI:
0000000000000100
[  103.520133] RBP: 00007ffde649b740 R08: 0000000000001000 R09:
0000000000001000
[  103.520135] R10: 00007ffde649b828 R11: 0000000000000202 R12:
0000000000400640
[  103.520137] R13: 00007ffde649b820 R14: 0000000000000000 R15:
0000000000000000
[  103.520150] 
[  103.520152] Allocated by task 2842:
[  103.520157]  save_stack_trace+0x16/0x20
[  103.520159]  kasan_kmalloc+0xee/0x190
[  103.520161]  kasan_slab_alloc+0x12/0x20
[  103.520165]  kmem_cache_alloc+0xf8/0x370
[  103.520169]  get_empty_filp+0x68/0x260
[  103.520172]  path_openat+0xb8/0x1180
[  103.520175]  do_filp_open+0x121/0x1c0
[  103.520177]  do_sys_open+0x1a4/0x2a0
[  103.520180]  SyS_open+0x19/0x20
[  103.520182]  do_syscall_64+0xe5/0x250
[  103.520185]  return_from_SYSCALL_64+0x0/0x7a
[  103.520186] 
[  103.520187] Freed by task 2841:
[  103.520190]  save_stack_trace+0x16/0x20
[  103.520192]  kasan_slab_free+0xaf/0x190
[  103.520195]  kmem_cache_free+0x9c/0x330
[  103.520197]  file_free_rcu+0x46/0x70
[  103.520201]  rcu_process_callbacks+0x425/0xae0
[  103.520204]  __do_softirq+0x104/0x5e3
[  103.520205] 
[  103.520207] The buggy address belongs to the object at ffff880067e09fc0
[  103.520207]  which belongs to the cache filp of size 456
[  103.520209] The buggy address is located 24 bytes inside of
[  103.520209]  456-byte region [ffff880067e09fc0, ffff880067e0a188)
[  103.520211] The buggy address belongs to the page:
[  103.520214] page:ffffea00019f8200 count:1 mapcount:0 mapping:         
(null) index:0xffff880067e0b4c0 compound_mapcount: 0
[  103.520219] flags: 0x1ffe00000008100(slab|head)
[  103.520223] raw: 01ffe00000008100 0000000000000000 ffff880067e0b4c0
000000010024001d
[  103.520227] raw: ffffea000196f620 ffff88006a81c2c0 ffff88006cd8de80
0000000000000000
[  103.520228] page dumped because: kasan: bad access detected
[  103.520229] 
[  103.520230] Memory state around the buggy address:
[  103.520233]  ffff880067e09e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
fc
[  103.520235]  ffff880067e09f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
fc
[  103.520237] >ffff880067e09f80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb
fb
[  103.520239]                                                     ^
[  103.520241]  ffff880067e0a000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[  103.520243]  ffff880067e0a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[  103.520244]
==================================================================
[  103.520246] Disabling lock debugging due to kernel taint
[  103.520256] BUG: unable to handle kernel NULL pointer dereference at
00000000000000c0
[  103.520260] IP: d_path+0xc1/0x420
[  103.520262] PGD 69187067 
[  103.520262] P4D 69187067 
[  103.520263] PUD 69186067 
[  103.520264] PMD 0 
[  103.520265] 
[  103.520267] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN
[  103.520269] Modules linked in: stap_0bb496b0c0998e4178af5110538c49d_2830(O)
coretemp pcspkr sg vmw_vmci i2c_piix4 shpchp sd_mod ata_generic pata_acpi
serio_raw vmwgfx drm_kms_helper syscopyarea ahci sysfillrect libahci sysimgblt
fb_sys_fops e1000 ttm drm ata_piix mptspi scsi_transport_spi mptscsih mptbase
i2c_core libata ipv6
[  103.520295] CPU: 2 PID: 3147 Comm: a.out Tainted: G    B      O    4.13.0
#150
[  103.520297] Hardware name: VMware, Inc. VMware Virtual Platform/440BX
Desktop Reference Platform, BIOS 6.00 07/02/2015
[  103.520298] task: ffff880061214b40 task.stack: ffff880061230000
[  103.520300] RIP: 0010:d_path+0xc1/0x420
[  103.520302] RSP: 0018:ffff880061237be8 EFLAGS: 00010282
[  103.520304] RAX: 0000000000000000 RBX: 1ffff1000c246f81 RCX:
ffffffff8136c701
[  103.520305] RDX: 0000000000000000 RSI: 0000000000000008 RDI:
00000000000000c0
[  103.520306] RBP: ffff880061237cd8 R08: 0000000000000000 R09:
0000000000000000
[  103.520308] R10: fbfbfbfbfbfbfbfb R11: fffffbfff067fc25 R12:
ffff880067e09fd0
[  103.520309] R13: 0000000000000000 R14: 0000000000000000 R15:
0000000000001000
[  103.520311] FS:  00007ff1a0c3e740(0000) GS:ffff88006d280000(0000)
knlGS:0000000000000000
[  103.520317] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  103.520319] CR2: 00000000000000c0 CR3: 000000006c4d4000 CR4:
00000000001406e0
[  103.520320] Call Trace:
[  103.520323]  ? lock_downgrade+0x2c0/0x2c0
[  103.520327]  ? prepend_path+0x790/0x790
[  103.520338]  ? __stp_call_mmap_callbacks.part.40+0xd0/0x100
[stap_0bb496b0c0998e4178af5110538c49d_2830]
[  103.520348]  __stp_call_mmap_callbacks_for_task+0x2e6/0x380
[stap_0bb496b0c0998e4178af5110538c49d_2830]
[  103.520360]  __stp_utrace_task_finder_target_quiesce+0x32d/0x380
[stap_0bb496b0c0998e4178af5110538c49d_2830]
[  103.520369]  ? __stp_tf_quiesce_worker+0x1e0/0x1e0
[stap_0bb496b0c0998e4178af5110538c49d_2830]
[  103.520376]  start_callback.isra.18+0xd7/0x180
[stap_0bb496b0c0998e4178af5110538c49d_2830]
[  103.520385]  utrace_resume+0x20b/0x580
[stap_0bb496b0c0998e4178af5110538c49d_2830]
[  103.520387]  ? __lock_is_held+0x2d/0x100
[  103.520396]  ? utrace_control+0x470/0x470
[stap_0bb496b0c0998e4178af5110538c49d_2830]
[  103.520402]  task_work_run+0xa7/0xe0
[  103.520406]  exit_to_usermode_loop+0xaa/0xb0
[  103.520410]  syscall_return_slowpath+0xc3/0x110
[  103.520413]  ret_from_fork+0x15/0x40
[  103.520414] RIP: 0033:0x7ff1a0764311
[  103.520416] RSP: 002b:00000000022bd320 EFLAGS: 00000202 ORIG_RAX:
0000000000000038
[  103.520418] RAX: 0000000000000000 RBX: 0000000000000000 RCX:
00007ff1a0764311
[  103.520419] RDX: 0000000000001000 RSI: 00000000022bd320 RDI:
0000000000000100
[  103.520421] RBP: 00007ffde649b740 R08: 0000000000001000 R09:
0000000000001000
[  103.520422] R10: 00007ffde649b828 R11: 0000000000000202 R12:
0000000000400640
[  103.520423] R13: 00007ffde649b820 R14: 0000000000000000 R15:
0000000000000000
[  103.520429] Code: 48 89 85 50 ff ff ff 48 8d 47 08 48 89 c7 48 89 85 18 ff
ff ff e8 40 96 f9 ff 4d 8b 74 24 08 49 8d be c0 00 00 00 e8 2f 96 f9 ff <4d> 8b
ae c0 00 00 00 4d 85 ed 0f 84 9c 00 00 00 49 8d 7d 48 e8 
[  103.520471] RIP: d_path+0xc1/0x420 RSP: ffff880061237be8
[  103.520472] CR2: 00000000000000c0
[  103.520474] ---[ end trace 1cb14de0bcaa41fd ]---
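Added triage aid (not code from the bug report, from systemtap, or from the kernel): a small Python parser for the KASAN report format shown above. It turns the report into structured fields and answers two questions a reader of this trace wants settled quickly: which loadable-module frame is innermost in the call trace (the point where the module handed core kernel code a pointer it should no longer use), and whether the free ran from an RCU callback, which is the case here (file_free_rcu via rcu_process_callbacks) and means the reader needed rcu_read_lock() or its own reference. The sample input is a constructed excerpt of the report above with the mail's line wrapping undone; the class and function names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, NamedTuple, Optional

# Constructed sample: an excerpt of the KASAN report quoted above, with the
# mail's line wrapping undone so that each stack frame is on one line.
SAMPLE_REPORT = """\
[  103.519940] BUG: KASAN: use-after-free in d_path+0xb0/0x420
[  103.519943] Read of size 8 at addr ffff880067e09fd8 by task a.out/3147
[  103.519953] Call Trace:
[  103.519984]  d_path+0xb0/0x420
[  103.520010]  ? __stp_call_mmap_callbacks.part.40+0xd0/0x100 [stap_0bb496b0c0998e4178af5110538c49d_2830]
[  103.520026]  __stp_call_mmap_callbacks_for_task+0x2e6/0x380 [stap_0bb496b0c0998e4178af5110538c49d_2830]
[  103.520102]  task_work_run+0xa7/0xe0
[  103.520152] Allocated by task 2842:
[  103.520157]  save_stack_trace+0x16/0x20
[  103.520169]  get_empty_filp+0x68/0x260
[  103.520187] Freed by task 2841:
[  103.520197]  file_free_rcu+0x46/0x70
[  103.520201]  rcu_process_callbacks+0x425/0xae0
[  103.520207] The buggy address belongs to the object at ffff880067e09fc0
[  103.520207]  which belongs to the cache filp of size 456
[  103.520209] The buggy address is located 24 bytes inside of
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]")           # printk timestamp prefix
HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                    r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
SECTION = re.compile(r"(?P<what>Allocated|Freed) by task (?P<pid>\d+):")
FRAME = re.compile(r"^(?P<unc>\? )?(?P<sym>\S+\+0x[0-9a-f]+/0x[0-9a-f]+)"
                   r"(?: \[(?P<mod>[^\]]+)\])?$")   # "sym+off/len [module]"
OBJECT = re.compile(r"object at (?P<addr>[0-9a-f]+)")
CACHE = re.compile(r"cache (?P<name>\S+) of size (?P<size>\d+)")
OFFSET = re.compile(r"located (?P<off>\d+) bytes inside of")


class Frame(NamedTuple):
    symbol: str
    module: Optional[str]   # None for a built-in kernel symbol
    uncertain: bool         # "? " prefix: stale value found on the stack


@dataclass
class KasanReport:
    kind: str = ""          # e.g. "use-after-free"
    func: str = ""          # symbol where the bad access happened
    op: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""          # "comm/pid" of the faulting task
    alloc_pid: Optional[int] = None
    free_pid: Optional[int] = None
    cache: Optional[str] = None
    object_addr: Optional[int] = None
    object_size: Optional[int] = None
    offset: Optional[int] = None
    trace: List[Frame] = field(default_factory=list)
    alloc_trace: List[Frame] = field(default_factory=list)
    free_trace: List[Frame] = field(default_factory=list)


def parse_kasan_report(text: str) -> KasanReport:
    r = KasanReport()
    stack: Optional[List[Frame]] = None   # stack section being collected
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if not line:
            continue                       # blank lines only separate sections
        if (m := HEADER.search(line)):
            r.kind, r.func = m["kind"], m["func"]
        elif (m := ACCESS.search(line)):
            r.op, r.size, r.addr, r.task = m["op"], int(m["size"]), int(m["addr"], 16), m["task"]
        elif line.startswith("Call Trace:"):
            stack = r.trace
        elif (m := SECTION.match(line)):
            if m["what"] == "Allocated":
                r.alloc_pid, stack = int(m["pid"]), r.alloc_trace
            else:
                r.free_pid, stack = int(m["pid"]), r.free_trace
        elif stack is not None and (m := FRAME.match(line)):
            stack.append(Frame(m["sym"], m["mod"], m["unc"] is not None))
        else:
            stack = None                   # any other line (registers, object info) ends the stack
            if (m := OBJECT.search(line)):
                r.object_addr = int(m["addr"], 16)
            if (m := CACHE.search(line)):
                r.cache, r.object_size = m["name"], int(m["size"])
            if (m := OFFSET.search(line)):
                r.offset = int(m["off"])
    return r


def innermost_module_frame(r: KasanReport, reliable_only: bool = True) -> Optional[Frame]:
    # First module frame walking outward from the fault: where a loadable
    # module handed the pointer to core kernel code. "?" frames are skipped
    # by default because they may be stale stack contents, not real callers.
    for f in r.trace:
        if f.module and not (reliable_only and f.uncertain):
            return f
    return None


def freed_in_rcu_callback(r: KasanReport) -> bool:
    # Free ran from an RCU callback: the object outlived its last reference
    # only for a grace period, so readers need rcu_read_lock() or a reference.
    return any(f.symbol.startswith("rcu_process_callbacks") for f in r.free_trace)


if __name__ == "__main__":
    print(parse_kasan_report(SAMPLE_REPORT))
```

On the report above the innermost reliable module frame is __stp_call_mmap_callbacks_for_task in the stap module, the object is from the filp cache and the access is 24 bytes into it, and the free stack ends in rcu_process_callbacks; the parser reports exactly those facts, and it carries over to other KASAN reports because it keys on the fixed "BUG: KASAN:", "Allocated by task", "Freed by task" and "belongs to the cache" lines rather than on anything specific to this trace.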

