kernel NULL pointer dereference on B-5.3 i386 with bind04 from ubuntu_ltp_syscalls

Bug #1878888 reported by Po-Hsu Lin
Affects              Status  Importance  Assigned to  Milestone
ubuntu-kernel-tests  New     Undecided   Unassigned
linux-hwe (Ubuntu)   New     Undecided   Unassigned

Bug Description

Issue found on i386 instance pepe with 5.3.0-51-generic

Steps to reproduce:
git clone --depth=1 git://kernel.ubuntu.com/ubuntu/autotest-client-tests
git clone --depth=1 git://kernel.ubuntu.com/ubuntu/autotest
rm -fr autotest/client/tests
ln -sf ~/autotest-client-tests autotest/client/tests
sudo apt-get install git python-minimal python-yaml gdb python-pkg-resources -y
AUTOTEST_PATH=/home/ubuntu/autotest sudo -E autotest/client/autotest-local --verbose autotest/client/tests/ubuntu_ltp_syscalls/control

Or you can terminate the test with ctrl+c when you see the following message:
INFO | START ubuntu_ltp_syscalls.syscalls ubuntu_ltp_syscalls.syscalls timestamp=1589535339 timeout=7200 localtime=May 15 09:35:39

And:
echo "bind04 bind04" > /tmp/bind04
sudo /opt/ltp/runltp -f /tmp/bind04

Test log:
<<<test_start>>>
tag=bind04 stime=1589535760
cmdline="bind04"
contacts=""
analysis=exit
<<<test_output>>>
incrementing stop
tst_test.c:1246: INFO: Timeout per run is 0h 05m 00s
bind04.c:117: INFO: Testing AF_UNIX pathname stream
bind04.c:150: PASS: Communication successful
bind04.c:117: INFO: Testing AF_UNIX pathname seqpacket
bind04.c:150: PASS: Communication successful
bind04.c:117: INFO: Testing AF_UNIX abstract stream
bind04.c:150: PASS: Communication successful
bind04.c:117: INFO: Testing AF_UNIX abstract seqpacket
bind04.c:150: PASS: Communication successful
bind04.c:117: INFO: Testing IPv4 loop TCP variant 1
bind04.c:150: PASS: Communication successful
bind04.c:117: INFO: Testing IPv4 loop TCP variant 2
bind04.c:150: PASS: Communication successful
bind04.c:117: INFO: Testing IPv4 loop SCTP
bind04.c:150: PASS: Communication successful
bind04.c:117: INFO: Testing IPv4 any TCP variant 1
bind04.c:150: PASS: Communication successful
bind04.c:117: INFO: Testing IPv4 any TCP variant 2
bind04.c:150: PASS: Communication successful
bind04.c:117: INFO: Testing IPv4 any SCTP
bind04.c:150: PASS: Communication successful
bind04.c:117: INFO: Testing IPv6 loop TCP variant 1
bind04.c:150: PASS: Communication successful
bind04.c:117: INFO: Testing IPv6 loop TCP variant 2
bind04.c:150: PASS: Communication successful
bind04.c:117: INFO: Testing IPv6 loop SCTP
bind04.c:150: PASS: Communication successful
tst_test.c:1286: INFO: If you are running on slow machine, try exporting LTP_TIMEOUT_MUL > 1
tst_test.c:1287: BROK: Test killed! (timeout?)

Summary:
passed 13
failed 0
skipped 0
warnings 0
<<<execution_status>>>

dmesg output:
[ 242.717444] LTP: starting bind04
[ 242.758656] sctp: Hash tables configured (bind 512/512)
[ 242.761776] BUG: kernel NULL pointer dereference, address: 00000008
[ 242.761834] #PF: supervisor read access in kernel mode
[ 242.761877] #PF: error_code(0x0000) - not-present page
[ 242.761920] *pdpt = 0000000025330001 *pde = 0000000000000000
[ 242.761970] Oops: 0000 [#1] SMP PTI
[ 242.762002] CPU: 3 PID: 2194 Comm: bind04 Not tainted 5.3.0-51-generic #44~18.04.2-Ubuntu
[ 242.762073] Hardware name: Dell Inc. PowerEdge R310/05XKKK, BIOS 1.8.2 08/17/2011
[ 242.762147] EIP: sctp_ulpevent_free+0x24/0x70 [sctp]
[ 242.762192] Code: c2 f4 94 e0 66 90 66 66 66 66 90 55 89 e5 57 56 53 66 83 78 20 00 89 c3 78 3b 8b 78 3c 8b 40 40 85 c0 74 20 8b 83 88 00 00 00 <8b> 70 08 85 f6 74 13 90 8d 74 26 00 8d 46 18 e8 48 ec ff ff 8b 36
[ 242.762329] EAX: 00000000 EBX: e3c09718 ECX: 00000246 EDX: e3c09700
[ 242.762371] ESI: e3c19700 EDI: 00000000 EBP: e456deac ESP: e456dea0
[ 242.762414] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010202
[ 242.762460] CR0: 80050033 CR2: 00000008 CR3: 24530000 CR4: 000006f0
[ 242.762502] Call Trace:
[ 242.762531] sctp_queue_purge_ulpevents+0x22/0x40 [sctp]
[ 242.762576] sctp_close+0x69/0x270 [sctp]
[ 242.762605] ? tty_write_unlock+0x2a/0x30
[ 242.762635] ? tty_ldisc_deref+0x13/0x20
[ 242.762663] inet_release+0x2f/0x60
[ 242.762689] inet6_release+0x28/0x40
[ 242.762716] __sock_release+0x32/0xb0
[ 242.762742] sock_close+0x12/0x20
[ 242.762767] __fput+0xb3/0x240
[ 242.762789] ____fput+0xd/0x10
[ 242.762813] task_work_run+0x82/0xa0
[ 242.762840] exit_to_usermode_loop+0xed/0x110
[ 242.762871] do_fast_syscall_32+0x1c7/0x240
[ 242.762901] entry_SYSENTER_32+0xaf/0x102
[ 242.762929] EIP: 0xb7eedaa5
[ 242.762950] Code: d3 5b 5e 5f 5d c3 8d b4 26 00 00 00 00 b8 00 09 3d 00 eb b5 8b 04 24 c3 8b 1c 24 c3 8b 34 24 c3 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90 8d 76
[ 242.763075] EAX: 00000000 EBX: 00000007 ECX: 00000002 EDX: 00000000
[ 242.763120] ESI: b7edc000 EDI: 00000006 EBP: 00523210 ESP: bfc10ef0
[ 242.763163] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000293
[ 242.763209] Modules linked in: sctp ipmi_ssif intel_powerclamp coretemp kvm_intel ipmi_si kvm ipmi_devintf irqbypass gpio_ich acpi_power_meter dcdbas ipmi_msghandler intel_cstate i7core_edac mac_hid lpc_ich sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear mgag200 drm_vram_helper i2c_algo_bit ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops mpt3sas drm raid_class pata_acpi bnx2 scsi_transport_sas
[ 242.763677] CR2: 0000000000000008
[ 242.763726] ---[ end trace aa4a222d63d4ba7d ]---
[ 242.766853] EIP: sctp_ulpevent_free+0x24/0x70 [sctp]
[ 242.766890] Code: c2 f4 94 e0 66 90 66 66 66 66 90 55 89 e5 57 56 53 66 83 78 20 00 89 c3 78 3b 8b 78 3c 8b 40 40 85 c0 74 20 8b 83 88 00 00 00 <8b> 70 08 85 f6 74 13 90 8d 74 26 00 8d 46 18 e8 48 ec ff ff 8b 36
[ 242.770320] EAX: 00000000 EBX: e3c09718 ECX: 00000246 EDX: e3c09700
[ 242.772090] ESI: e3c19700 EDI: 00000000 EBP: e456deac ESP: e456dea0
[ 242.773796] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010202
[ 242.775546] CR0: 80050033 CR2: 00000008 CR3: 24530000 CR4: 000006f0
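A triage helper, added here as an example and not part of LTP, autotest or the Ubuntu kernel test harness: it parses the dmesg oops above into structured fields (fault address, PID/Comm, taint, faulting symbol and module, register dump, call trace, trace id), parses the LTP per-test log, and reports whether the process that oopsed is the test that ended in BROK. The two sample strings are constructed from the lines quoted in this report; all function and field names are my own.

```python
"""Correlate an LTP per-test log with a kernel oops in dmesg (added example).
Samples are constructed from the lines quoted in the bug report."""
import re
from dataclasses import dataclass, field
from typing import Optional

DMESG_SAMPLE = """\
[ 242.717444] LTP: starting bind04
[ 242.758656] sctp: Hash tables configured (bind 512/512)
[ 242.761776] BUG: kernel NULL pointer dereference, address: 00000008
[ 242.761834] #PF: supervisor read access in kernel mode
[ 242.761970] Oops: 0000 [#1] SMP PTI
[ 242.762002] CPU: 3 PID: 2194 Comm: bind04 Not tainted 5.3.0-51-generic #44~18.04.2-Ubuntu
[ 242.762147] EIP: sctp_ulpevent_free+0x24/0x70 [sctp]
[ 242.762329] EAX: 00000000 EBX: e3c09718 ECX: 00000246 EDX: e3c09700
[ 242.762371] ESI: e3c19700 EDI: 00000000 EBP: e456deac ESP: e456dea0
[ 242.762460] CR0: 80050033 CR2: 00000008 CR3: 24530000 CR4: 000006f0
[ 242.762502] Call Trace:
[ 242.762531]  sctp_queue_purge_ulpevents+0x22/0x40 [sctp]
[ 242.762576]  sctp_close+0x69/0x270 [sctp]
[ 242.762605]  ? tty_write_unlock+0x2a/0x30
[ 242.762663]  inet_release+0x2f/0x60
[ 242.762689]  inet6_release+0x28/0x40
[ 242.762716]  __sock_release+0x32/0xb0
[ 242.762929] EIP: 0xb7eedaa5
[ 242.763075] EAX: 00000000 EBX: 00000007 ECX: 00000002 EDX: 00000000
[ 242.763209] Modules linked in: sctp ipmi_ssif intel_powerclamp coretemp
[ 242.763677] CR2: 0000000000000008
[ 242.763726] ---[ end trace aa4a222d63d4ba7d ]---
"""

LTP_SAMPLE = """\
<<<test_start>>>
tag=bind04 stime=1589535760
cmdline="bind04"
<<<test_output>>>
tst_test.c:1246: INFO: Timeout per run is 0h 05m 00s
bind04.c:117: INFO: Testing IPv6 loop TCP variant 2
bind04.c:150: PASS: Communication successful
bind04.c:117: INFO: Testing IPv6 loop SCTP
bind04.c:150: PASS: Communication successful
tst_test.c:1287: BROK: Test killed! (timeout?)
<<<execution_status>>>
"""

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                     # "[ 242.761776] " prefix
_FRAME = re.compile(r"^(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?$")
_REG = re.compile(r"\b([A-Z][A-Z0-9]{1,2}): ([0-9a-f]{4,16})\b")  # EAX: 00000000, CR2: ...
_IP = re.compile(r"[ER]IP: (?:[0-9a-f]{4}:)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")
_LTP_LINE = re.compile(r"^\S+:\d+: (PASS|FAIL|BROK|CONF|WARN|INFO): (.*)$")


@dataclass
class Oops:
    bug: str = ""
    fault_address: Optional[int] = None
    pid: Optional[int] = None
    comm: str = ""
    tainted: bool = False
    ip_symbol: str = ""
    ip_module: Optional[str] = None
    regs: dict = field(default_factory=dict)
    call_trace: list = field(default_factory=list)   # (symbol, module, unreliable '?' frame)
    trace_id: str = ""


def parse_oops(dmesg: str) -> Optional[Oops]:
    """Return the first oops in the dmesg text (kernel-side registers only), or None."""
    oops, in_trace = None, False
    for raw in dmesg.splitlines():
        line = _TS.sub("", raw).strip()
        if oops is None:
            m = re.match(r"BUG: (.+?)(?:, address: ([0-9a-f]+))?$", line)
            if m:
                oops = Oops(bug=m.group(1),
                            fault_address=int(m.group(2), 16) if m.group(2) else None)
            continue
        if line.startswith("CPU:"):
            m = re.search(r"PID: (\d+) Comm: (\S+) (Not tainted|Tainted:)", line)
            if m:
                oops.pid, oops.comm = int(m.group(1)), m.group(2)
                oops.tainted = m.group(3) != "Not tainted"
        elif _IP.match(line) and not oops.ip_symbol:       # first EIP/RIP is the kernel one
            m = _IP.match(line)
            oops.ip_symbol, oops.ip_module = m.group(1), m.group(2)
        elif line == "Call Trace:":
            in_trace = True
        elif line.startswith("Modules linked in:"):
            in_trace = False
        elif in_trace:
            m = _FRAME.match(line)
            if m:
                oops.call_trace.append((m.group(2), m.group(3), m.group(1) is not None))
        elif not oops.call_trace:                            # register dump precedes the trace
            for reg, val in _REG.findall(line):
                oops.regs.setdefault(reg, int(val, 16))
        m = re.search(r"end trace ([0-9a-f]+)", line)
        if m:
            oops.trace_id = m.group(1)
            break
    return oops


def parse_ltp(log: str) -> dict:
    """Per-test counts of non-INFO statuses and the last status line seen."""
    results, tag = {}, None
    for line in log.splitlines():
        m = re.match(r"^tag=(\S+)", line)
        if m:
            tag = m.group(1)
            results[tag] = {"counts": {}, "last": None}
            continue
        m = _LTP_LINE.match(line)
        if m and tag and m.group(1) != "INFO":
            status, msg = m.groups()
            results[tag]["counts"][status] = results[tag]["counts"].get(status, 0) + 1
            results[tag]["last"] = (status, msg)
    return results


def correlate(ltp_log: str, dmesg: str) -> dict:
    """Flag LTP tests whose tag matches the Comm of the oopsing task."""
    oops, verdicts = parse_oops(dmesg), {}
    for tag, r in parse_ltp(ltp_log).items():
        hit = oops is not None and oops.comm == tag
        verdicts[tag] = {
            "kernel_oops": hit,
            "ltp_brok": r["last"] is not None and r["last"][0] == "BROK",
            # faults below one page are a NULL-pointer-plus-offset dereference
            "null_page": hit and oops.fault_address is not None and oops.fault_address < 4096,
            "first_frames": [s for s, _, unreliable in oops.call_trace if not unreliable][:3] if hit else [],
        }
    return verdicts


if __name__ == "__main__":
    for tag, verdict in correlate(LTP_SAMPLE, DMESG_SAMPLE).items():
        print(tag, verdict)
```

The register dump lets a reader cross-check the parsed fault address by hand: the faulting bytes marked `<8b> 70 08` in the `Code:` line decode to `mov 0x8(%eax),%esi`, and with EAX=00000000 that is exactly the read at CR2=00000008, i.e. a load through a NULL struct pointer at offset 8 inside sctp_ulpevent_free. The `?` frames in the call trace are unreliable (stale return addresses found on the stack) and are dropped from `first_frames` for that reason.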

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: linux-image-5.3.0-51-generic 5.3.0-51.44~18.04.2
ProcVersionSignature: User Name 5.3.0-51.44~18.04.2-generic 5.3.18
Uname: Linux 5.3.0-51-generic i686
ApportVersion: 2.20.9-0ubuntu7.14
Architecture: i386
Date: Fri May 15 09:42:53 2020
SourcePackage: linux-hwe
UpgradeStatus: No upgrade log present (probably fresh install)

Po-Hsu Lin (cypressyew) wrote :
tags: added: 5.3 kqa-blocker sru-20200427 ubuntu-ltp
Po-Hsu Lin (cypressyew) wrote :

This is not a blocker to the current kernel in -proposed (5.3.0-53.47~18.04.1)

As it can be reproduced with 5.3.0-51-generic

description: updated
Po-Hsu Lin (cypressyew)
description: updated