Kernel Oops - unable to handle kernel NULL pointer dereference at (null); Call Trace: [<ffffffff810fb39b>] ? audit_compare_dname_path+0x2b/0xa0

This change was made by a bot.

I suspect commit 4a92843601ad0f5067f441d2f0dca55bbe18c076.

Commit fcf22d8267ad2601fe9b6c549d1be96401c23e0b is also needed to fix that, I'll build a test kernel with this in it so you can verify.

This change was made by a bot.

Alex,
Can you test the following build to see if it fixes your issue?
http://people.canonical.com/~arges/lp1450442/

Thanks

It looks like this might be related? https://bugs.launchpad.net/ubuntu/+source/linux-lts-trusty/+bug/1450643

I've tested the build from http://people.canonical.com/~arges/lp1450442/ - and i'm no longer able to replicate this issue. This looks like it works for me.

Sent patches for 3.13/3.16 to kernel team ML for review.

Hi Chris, thanks for the speedy response to this.

To add another confirmation: I've tested your build on a couple of our servers, and I'm no longer seeing the Oops, so this looks to have addressed the issue.

thanks,
Alex

What's the ETA for trusty?

The fix is currently in the -proposed kernel. (3.13.0-52.85)

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1451360 is marked as duplicate. The fix from here changes the behaviour of the duplicate (SSH login now working again, but still kernel OOPS).

So if both have common cause (very likely), then 3.13.0-52.85 is only incomplete fix.

Scratch that last comment...

I see (from http://kernel.ubuntu.com/git/ubuntu/ubuntu-trusty.git/log/) that the fix is not in Ubuntu 3.13.0-52.85. We'll need to wait for 3.13.0-52.86...

I encountered this issue on a Hetzner VPS. It is a KVM based virtual server, not VMware. After rebooting I was unable to login through ssh. Accessing the system from console was possible thugh running many commands resulted in "Killed". The kernel stack trace was the same as in the original bug report.

There is no quick and dirty workaround documented yet on this bug report, so I add it.

Do the following to get your system quickly back to usable state while waiting for the patched kernel:

1) disable starting "auditd" at boot (for example "chmod 000 /etc/init.d/auditd" is an easy and ugly way to do it)

2) reboot the system (in my case the "reboot" command did not work, I had to hard-reset the system)

Done.

Janne, good point. There's another possible workaround in certain circumstances. You can also clear the auditd rules which should allow you to continue working on a running system. This would be done by issuing an "auditctl -D", after which you should be able to use the running system, albeit without any auditing.

> Janne, good point. There's another possible workaround in certain circumstances. You can also clear the auditd rules which should allow you to continue working on a running system. This would be done by issuing an "auditctl -D", after which you should be able to use the running system, albeit without any auditing.

 I have various systems with auditing that trigger the null reference without audit rules on the specific pieces. Ie. `chmod 0755 /run/foobar` hangs, even though a system only has a fs write rule for /etc/something; I am not sure that clearing the rules is enough. Like you said: "possible" and "certain circumstances".

3.13.0.52-85 still has the same panic related to the audit subsystem....

Right, the fix is in 3.13.0-52.86, not 3.13.0-52.85.

This kernel has the patches that fix the issue:
https://launchpad.net/ubuntu/+source/linux/3.13.0-52.86

If you can please verify this this kernel and post the results to this bug.
Thanks,

3.13.0-52.86 DOES work and no longer exhibits the crash/oops when booted.

David,
Woo hoo. Thanks and sorry about the confusion regarding kernel versions earlier.

This bug was fixed in the package linux - 3.13.0-52.86

---------------
linux (3.13.0-52.86) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1451288

  [ Upstream Kernel Changes ]

  * audit: create private file name copies when auditing inodes
    - LP: #1450442

 -- Brad Figg <email address hidden> Sun, 03 May 2015 18:36:19 -0700

This bug was fixed in the package linux - 3.16.0-37.51

---------------
linux (3.16.0-37.51) utopic; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1451489

  [ Upstream Kernel Changes ]

  * Fix a broken backport causing boot failure on gen8 Intel
    - LP: #1449401

 -- Brad Figg <email address hidden> Mon, 04 May 2015 09:42:43 -0700

I'm still able to recreate this issue with kernel version 3.13.0-52-generic #85-Ubuntu SMP Wed Apr 29 16:44:17 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

It looks like a different set of audit rules causes the same issue.

To replicate:
Install 3.13.0-52-generic kernel
apt-get install auditd

in /etc/audit/audit.rules
---
-D
-b 5000
-f 0
-r 15000
-a exit,always -F arch=b64 -S execve -S exit -S exit_group -S fork -S clone -S vfork -S accept -S accept4 -S connect -S bind -S listen
---

restart auditd
below stacktrace happens.

Stacktrace:

[ 186.897309] BUG: unable to handle kernel NULL pointer dereference at 0000000000000690
[ 186.897322] IP: [<ffffffff8136cbb0>] strlen+0x0/0x30
[ 186.897331] PGD 0
[ 186.897334] Oops: 0000 [#1] SMP
[ 186.897339] Modules linked in: dm_crypt crct10dif_pclmul crc32_pclmul ghash_clmulni_intel isofs aesni_intel aes_x86_64 glue_helper lrw gf128mul ablk_helper cryptd
[ 186.897357] CPU: 0 PID: 2206 Comm: sudo Not tainted 3.13.0-52-generic #85-Ubuntu
[ 186.897363] task: ffff880003286000 ti: ffff880002a04000 task.ti: ffff880002a04000
[ 186.897368] RIP: e030:[<ffffffff8136cbb0>] [<ffffffff8136cbb0>] strlen+0x0/0x30
[ 186.897375] RSP: e02b:ffff880002a05df0 EFLAGS: 00010286
[ 186.897379] RAX: ffff880002a05d40 RBX: 0000000000000690 RCX: 0000000000000000
[ 186.897382] RDX: 0000000000000036 RSI: 0000000000000690 RDI: 0000000000000690
[ 186.897385] RBP: ffff880002a05e08 R08: 0000000000000000 R09: 000000000000fffe
[ 186.897389] R10: 0000000000000000 R11: ffff880002a05c06 R12: ffff8801d298f340
[ 186.897393] R13: 0000000000000000 R14: ffff8801d0fa2000 R15: 0000000000000000
[ 186.897401] FS: 00007f4a94370840(0000) GS:ffff8801dee00000(0000) knlGS:0000000000000000
[ 186.897408] CS: e033 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 186.897412] CR2: 0000000000000690 CR3: 00000000031f5000 CR4: 0000000000002660
[ 186.897418] Stack:
[ 186.897420] ffffffff810f7fda ffff8801d298f340 ffff8801d0fa2060 ffff880002a05e78
[ 186.897425] ffffffff810f9581 ffffffff8172a480 ffffffff81c55740 ffff880002a05e60
[ 186.897430] ffffffff8172a480 ffff880002a05ef0 ffff880002a05e60 ffffffff810f6b93
[ 186.897435] Call Trace:
[ 186.897441] [<ffffffff810f7fda>] ? audit_log_untrustedstring+0x1a/0x30
[ 186.897445] [<ffffffff810f9581>] audit_log_name+0x281/0x320
[ 186.897451] [<ffffffff8172a480>] ? _raw_spin_unlock_irqrestore+0x20/0x40
[ 186.897455] [<ffffffff8172a480>] ? _raw_spin_unlock_irqrestore+0x20/0x40
[ 186.897459] [<ffffffff810f6b93>] ? audit_buffer_free+0x73/0xa0
[ 186.897463] [<ffffffff810fbe37>] audit_log_exit+0x3d7/0xb90
[ 186.897467] [<ffffffff810fe5bf>] __audit_syscall_exit+0x27f/0x2e0
[ 186.897472] [<ffffffff81733224>] sysret_audit+0x17/0x21
[ 186.897474] Code: 89 f8 48 89 e5 f6 82 40 c7 84 81 20 74 15 0f 1f 44 00 00 48 83 c0 01 0f b6 10 f6 82 40 c7 84 81 20 75 f0 5d c3 66 0f 1f 44 00 00 <80> 3f 00 55 48 89 e5 74 15 48 89 f8 0f 1f 40 00 48 83 c0 01 80
[ 186.897508] RIP [<ffffffff8136cbb0>] strlen+0x0/0x30
[ 186.897511] RSP <ffff880002a05df0>
[ 186.897513] CR2: 0000000000000690
[ 186.897516] ---[ end trace 2626030fc35ecb54 ]---

The problem was resolved in #86, not #85

--
David J. Andruczyk
Systems Administrator
University IT - Enterprise Applications
44 Celebration Drive, Suite 3-100
Rochester, NY 14627
E-mail: <email address hidden>
Office: 585-275-9106

-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Pete Cheslock
Sent: Friday, May 15, 2015 11:55 AM
To: Andruczyk, David
Subject: [Bug 1450442] Re: Kernel Oops - unable to handle kernel NULL pointer dereference at (null); Call Trace: [<ffffffff810fb39b>] ? audit_compare_dname_path+0x2b/0xa0

I'm still able to recreate this issue with kernel version 3.13.0-52-generic #85-Ubuntu SMP Wed Apr 29 16:44:17 UTC 2015 x86_64
x86_64 x86_64 GNU/Linux

It looks like a different set of audit rules causes the same issue.

To replicate:
Install 3.13.0-52-generic kernel
apt-get install auditd

in /etc/audit/audit.rules
---
-D
-b 5000
-f 0
-r 15000
-a exit,always -F arch=b64 -S execve -S exit -S exit_group -S fork -S clone -S vfork -S accept -S accept4 -S connect -S bind -S listen
---

restart auditd
below stacktrace happens.

Stacktrace:

[ 186.897309] BUG: unable to handle kernel NULL pointer dereference at 0000000000000690
[ 186.897322] IP: [<ffffffff8136cbb0>] strlen+0x0/0x30
[ 186.897331] PGD 0
[ 186.897334] Oops: 0000 [#1] SMP
[ 186.897339] Modules linked in: dm_crypt crct10dif_pclmul crc32_pclmul ghash_clmulni_intel isofs aesni_intel aes_x86_64 glue_helper lrw gf128mul ablk_helper cryptd
[ 186.897357] CPU: 0 PID: 2206 Comm: sudo Not tainted 3.13.0-52-generic #85-Ubuntu
[ 186.897363] task: ffff880003286000 ti: ffff880002a04000 task.ti: ffff880002a04000
[ 186.897368] RIP: e030:[<ffffffff8136cbb0>] [<ffffffff8136cbb0>] strlen+0x0/0x30
[ 186.897375] RSP: e02b:ffff880002a05df0 EFLAGS: 00010286
[ 186.897379] RAX: ffff880002a05d40 RBX: 0000000000000690 RCX: 0000000000000000
[ 186.897382] RDX: 0000000000000036 RSI: 0000000000000690 RDI: 0000000000000690
[ 186.897385] RBP: ffff880002a05e08 R08: 0000000000000000 R09: 000000000000fffe
[ 186.897389] R10: 0000000000000000 R11: ffff880002a05c06 R12: ffff8801d298f340
[ 186.897393] R13: 0000000000000000 R14: ffff8801d0fa2000 R15: 0000000000000000
[ 186.897401] FS: 00007f4a94370840(0000) GS:ffff8801dee00000(0000) knlGS:0000000000000000
[ 186.897408] CS: e033 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 186.897412] CR2: 0000000000000690 CR3: 00000000031f5000 CR4: 0000000000002660
[ 186.897418] Stack:
[ 186.897420] ffffffff810f7fda ffff8801d298f340 ffff8801d0fa2060 ffff880002a05e78
[ 186.897425] ffffffff810f9581 ffffffff8172a480 ffffffff81c55740 ffff880002a05e60
[ 186.897430] ffffffff8172a480 ffff880002a05ef0 ffff880002a05e60 ffffffff810f6b93
[ 186.897435] Call Trace:
[ 186.897441] [<ffffffff810f7fda>] ? audit_log_untrustedstring+0x1a/0x30
[ 186.897445] [<ffffffff810f9581>] audit_log_name+0x281/0x320
[ 186.897451] [<ffffffff8172a480>] ? _raw_spin_unlock_irqrestore+0x20/0x40
[ 186.897455] [<ffffffff8172a480>] ? _raw_spin_unlock_irqrestore+0x20/0x40
[ 186.897459] [<ffffffff810f6b93>] ? audit_buffer_free+0x73/0xa0
[ 186.897463] [<...

On 05/15/2015 11:55 AM, Pete Cheslock wrote:
> I'm still able to recreate this issue with kernel version
> 3.13.0-52-generic #85-Ubuntu SMP Wed Apr 29 16:44:17 UTC 2015 x86_64
> x86_64 x86_64 GNU/Linux

The fix landed in the kernel (#86) right after the one you are running
(#85).

Ah - crap - sorry about that. You are right. Thanks!