"kernel BUG at /build/linux-lts-wily-Vv6Eyd/linux-lts-wily-4.2.0/mm/memory.c:3146!"

Bug #1545401 reported by jose
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
linux (Ubuntu) | | Medium | Unassigned |
  Trusty | | Undecided | Unassigned |
  Wily | | Medium | Unassigned |
linux-lts-wily (Ubuntu) | | Undecided | Unassigned |
  Trusty | | Medium | Unassigned |
  Wily | | Undecided | Unassigned |

Bug Description

I was trying to attach gdb to chromium-browser by passing the PID to gdb (gdb -p $PID). The first attempt, as a non-root user, crashed gdb and I got this message:

------------[ cut here ]------------
kernel BUG at /build/linux-lts-wily-Vv6Eyd/linux-lts-wily-4.2.0/mm/memory.c:3146!
invalid opcode: 0000 [#1] SMP
Modules linked in: vboxpci(OE) vboxnetadp(OE) r8168(OE) vboxnetflt(OE) vboxdrv(OE) ib_cm ib_sa ib_mad ib_core ib_addr libfc qla2xxx scsi_transport_fc configfs pci_stub drbg ansi_cprng ctr ccm dm_crypt ip6table_filter ip6_tables iptable_filter ip_tables x_tables binfmt_misc uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core v4l2_common videodev media arc4 hp_wmi sparse_keymap rtsx_pci_ms memstick dm_multipath scsi_dh snd_hda_codec_idt ath9k snd_hda_codec_generic ath9k_common snd_hda_codec_hdmi joydev ath9k_hw input_leds snd_hda_intel serio_raw ath snd_hda_codec snd_hda_core snd_hwdep k10temp snd_pcm_oss mac80211 snd_mixer_oss snd_pcm snd_seq_midi i2c_piix4 snd_seq_midi_event snd_rawmidi cfg80211 snd_seq snd_seq_device snd_timer snd soundcore shpchp parport_pc hp_accel lis3lv02d ppdev input_polldev mac_hid cpuid msr ircomm_tty ircomm irda crc_ccitt lp parport btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear pata_acpi rtsx_pci_sdmmc amdkfd amd_iommu_v2 radeon i2c_algo_bit ttm drm_kms_helper psmouse ahci drm pata_atiixp libahci rtsx_pci wmi video [last unloaded: vboxpci]
CPU: 3 PID: 25702 Comm: gdb Tainted: G OE 4.2.0-27-generic #32~14.04.1-Ubuntu
Hardware name: Hewlett-Packard HP Pavilion dv6 Notebook PC/3590, BIOS F.21 09/13/2011
task: ffff8800cb54d780 ti: ffff88000a8f0000 task.ti: ffff88000a8f0000
RIP: 0010:[<ffffffff811a6a90>] [<ffffffff811a6a90>] handle_mm_fault+0x17e0/0x1840
RSP: 0018:ffff88000a8f3bb8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00003ffffffff000
RDX: ffff8801697c04f8 RSI: 0000000000000120 RDI: 00000001697c0067
RBP: ffff88000a8f3c78 R08: 00000001edddb120 R09: 0000000000000120
R10: 0000000000000001 R11: ffff8800000004f8 R12: ffff88003265bc00
R13: ffff880007a18808 R14: 00007f856029fe68 R15: ffff8800aa3843c0
FS: 00007f3d95334740(0000) GS:ffff88020ed80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000002b69528 CR3: 000000012a9ad000 CR4: 00000000000006e0
Stack:
 0000001600000000 ffff880000000016 ffffea0005a5f030 ffffffff817b0e73
 ffff88003265bc00 00007f856029fe68 0000001700000000 ffff8800000004f8
 ffff880000000000 0000000000000017 00007f856029fe68 ffff88003265bc00
Call Trace:
 [<ffffffff817b0e73>] ? follow_page_pte+0xae/0x307
 [<ffffffff811a070e>] ? follow_page_mask+0x1ce/0x320
 [<ffffffff811a095b>] __get_user_pages+0xfb/0x5b0
 [<ffffffff811a1222>] get_user_pages+0x52/0x60
 [<ffffffff811a16a7>] __access_remote_vm+0xb7/0x1c0
 [<ffffffff811a7620>] access_process_vm+0x50/0x70
 [<ffffffff81081aa9>] ptrace_request+0x2c9/0x5a0
 [<ffffffff817ae9da>] ? queued_spin_lock_slowpath+0xb/0xf
 [<ffffffff810a0efa>] ? wait_task_inactive+0xea/0x1e0
 [<ffffffff811eb508>] ? vfs_write+0x148/0x190
 [<ffffffff81022f51>] arch_ptrace+0x261/0x2b0
 [<ffffffff81080a2f>] ? ptrace_check_attach+0x5f/0x140
 [<ffffffff81081726>] SyS_ptrace+0xa6/0x110
 [<ffffffff817bc3b2>] entry_SYSCALL_64_fastpath+0x16/0x75
Code: d8 50 a8 81 e8 92 0f ed ff 4c 8b 9d 78 ff ff ff e9 fa ee ff ff 48 8b 7d 98 89 45 80 e8 2a dd fd ff 8b 45 80 89 c3 e9 ba eb ff ff <0f> 0b c7 45 80 01 00 00 00 e9 a5 f7 ff ff 4c 89 c7 48 89 95 68
RIP [<ffffffff811a6a90>] handle_mm_fault+0x17e0/0x1840
 RSP <ffff88000a8f3bb8>
---[ end trace c5ec208e5d4b9c66 ]---

Then I tried running it as root (sudo gdb -p $PID). gdb got stuck at "Attaching to process ...". I tried killing gdb as root from another terminal, by running "killall gdb", but killall got stuck, too. pidof and ps also got stuck...

This is the line referenced in the error message: http://lxr.free-electrons.com/source/mm/memory.c?v=4.2#L3146 , I'm not sure if Ubuntu runs a modified version of this file, though. Also, I'm not sure if this affects Wily (I guess it does) or if this has been patched upstream.

There is a similar bug report here: https://bugzilla.redhat.com/show_bug.cgi?id=1296505 , but it doesn't involve gdb.

Should I report this bug upstream?

My system is:
$ lsb_release -a
LSB Version: core-2.0-amd64:core-2.0-noarch:core-3.0-amd64:core-3.0-noarch:core-3.1-amd64:core-3.1-noarch:core-3.2-amd64:core-3.2-noarch:core-4.0-amd64:core-4.0-noarch:core-4.1-amd64:core-4.1-noarch:security-4.0-amd64:security-4.0-noarch:security-4.1-amd64:security-4.1-noarch
Distributor ID: Ubuntu
Description: Ubuntu 14.04.3 LTS
Release: 14.04
Codename: trusty
$ uname -r
4.2.0-27-generic
$ dpkg -l | grep linux-image-generic
ii linux-image-generic-lts-wily 4.2.0.27.21 amd64 Generic Linux kernel image
---
ApportVersion: 2.14.1-0ubuntu3.19
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: pepee 3001 F.... pulseaudio
 /dev/snd/controlC1: pepee 3001 F.... pulseaudio
CurrentDesktop: KDE
DistroRelease: Ubuntu 14.04
EcryptfsInUse: Yes
MachineType: Hewlett-Packard HP Pavilion dv6 Notebook PC
Package: linux (not installed)
ProcFB:
 0 radeondrmfb
 1 radeondrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.2.0-34-generic root=UUID=5510f07e-5967-4508-b715-e371124b439b ro radeon.dpm=1 radeon.audio=1 clocksource=hpet hpet=enable nomdmonddf nomdmonisw radeon.lockup_timeout=20000 crashkernel=384M-:128M crashkernel=384M-:128M
ProcVersionSignature: Ubuntu 4.2.0-34.39~14.04.1-generic 4.2.8-ckt4
RelatedPackageVersions:
 linux-restricted-modules-4.2.0-34-generic N/A
 linux-backports-modules-4.2.0-34-generic N/A
 linux-firmware 1.134~gd~t
Tags: trusty trusty
Uname: Linux 4.2.0-34-generic x86_64
UpgradeStatus: Upgraded to trusty on 2014-06-06 (648 days ago)
UserGroups: adm admin audio cdrom debian-tor dialout disk fuse kismet libvirtd lpadmin lxd messagebus netdev plugdev sambashare uml-net uucp vboxusers video wireshark
_MarkForUpload: True
dmi.bios.date: 09/13/2011
dmi.bios.vendor: Hewlett-Packard
dmi.bios.version: F.21
dmi.board.asset.tag: Base Board Asset Tag
dmi.board.name: 3590
dmi.board.vendor: Hewlett-Packard
dmi.board.version: 33.18
dmi.chassis.asset.tag: Chassis Asset Tag
dmi.chassis.type: 10
dmi.chassis.vendor: Hewlett-Packard
dmi.chassis.version: Chassis Version
dmi.modalias: dmi:bvnHewlett-Packard:bvrF.21:bd09/13/2011:svnHewlett-Packard:pnHPPaviliondv6NotebookPC:pvr0590110000244610000610100:rvnHewlett-Packard:rn3590:rvr33.18:cvnHewlett-Packard:ct10:cvrChassisVersion:
dmi.product.name: HP Pavilion dv6 Notebook PC
dmi.product.version: 0590110000244610000610100
dmi.sys.vendor: Hewlett-Packard
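
A triage helper for the oops quoted in the bug description (an added example, not part of the original report or of any Ubuntu tooling): it extracts the BUG location, the task, and the call chain, keeping frames marked "?" apart from the confirmed ones, and reports whether the fault was taken on the ptrace remote-memory path. The sample text is abridged from the trace above; the function and field names are assumptions of this example.

```python
import re

# Constructed sample: lines abridged from the oops quoted in the bug description.
SAMPLE_OOPS = """\
kernel BUG at /build/linux-lts-wily-Vv6Eyd/linux-lts-wily-4.2.0/mm/memory.c:3146!
CPU: 3 PID: 25702 Comm: gdb Tainted: G OE 4.2.0-27-generic #32~14.04.1-Ubuntu
RIP: 0010:[<ffffffff811a6a90>] [<ffffffff811a6a90>] handle_mm_fault+0x17e0/0x1840
Call Trace:
 [<ffffffff817b0e73>] ? follow_page_pte+0xae/0x307
 [<ffffffff811a095b>] __get_user_pages+0xfb/0x5b0
 [<ffffffff811a7620>] access_process_vm+0x50/0x70
 [<ffffffff81081aa9>] ptrace_request+0x2c9/0x5a0
 [<ffffffff810a0efa>] ? wait_task_inactive+0xea/0x1e0
 [<ffffffff81081726>] SyS_ptrace+0xa6/0x110
---[ end trace c5ec208e5d4b9c66 ]---
"""

BUG_RE = re.compile(r"kernel BUG at (\S+):(\d+)!")
TASK_RE = re.compile(r"PID: (\d+) Comm: (\S+) (Not tainted|Tainted: .*?) (\d\S*) #")
RIP_RE = re.compile(r"RIP: \S+\s+\[<[0-9a-f]+>\] ([\w.]+)\+0x")
FRAME_RE = re.compile(r"^\s*\[<[0-9a-f]+>\] (\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")


def triage(text):
    """Summarise one x86-64 'kernel BUG at' oops in the 4.x log format."""
    r = {"bug_at": None, "pid": None, "comm": None, "taint": None,
         "release": None, "fault_fn": None, "trace": [], "stale": []}
    in_trace = False
    for line in text.splitlines():
        if m := BUG_RE.search(line):
            r["bug_at"] = (m[1], int(m[2]))
        elif m := TASK_RE.search(line):
            r["pid"], r["comm"], r["taint"], r["release"] = int(m[1]), m[2], m[3], m[4]
        elif (m := RIP_RE.search(line)) and r["fault_fn"] is None:
            r["fault_fn"] = m[1]
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)):
            # "?" marks an address found on the stack that the unwinder could
            # not confirm as a live frame; keep it apart from the real chain.
            r["stale" if m[1] else "trace"].append(m[2])
        elif in_trace:
            in_trace = False  # first non-frame line ends the trace
    # Innermost-first search for the syscall that entered the kernel.
    r["syscall"] = next((f for f in r["trace"] if f.lower().startswith("sys_")), None)
    # True when the fault happened while a tracer accessed another process's memory.
    r["remote_access"] = (r["syscall"] == "SyS_ptrace"
                          and "access_process_vm" in r["trace"])
    return r
```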

jose (o1485726)
description: updated
jose (o1485726)
description: updated
jose (o1485726)
summary: "kernel BUG at /build/linux-lts-wily-Vv6Eyd/linux-lts-
- wily-4.2.0/mm/memory.c:3146!" when starting gdb as root, gdb freezes
+ wily-4.2.0/mm/memory.c:3146!"
information type: Public → Public Security
Seth Arnold (seth-arnold) wrote :

3133 static int do_numa_page(struct mm_struct *mm, struct vm_area_struct *vma,
3134                    unsigned long addr, pte_t pte, pte_t *ptep, pmd_t *pmd)
3135 {
     /* ... */
3144
3145         /* A PROT_NONE fault should not end up here */
3146         BUG_ON(!(vma->vm_flags & (VM_READ | VM_EXEC | VM_WRITE)));
3147

3235 static int handle_pte_fault(struct mm_struct *mm,
3236                      struct vm_area_struct *vma, unsigned long address,
3237                      pte_t *pte, pmd_t *pmd, unsigned int flags)
3238 {
     /* ... */
3265         if (pte_protnone(entry))
3266                 return do_numa_page(mm, vma, address, entry, pte, pmd);
3267

handle_pte_fault() appears to ensure that it calls do_numa_page() only on the exact condition do_numa_page() considers a bug.

http://lxr.free-electrons.com/source/mm/memory.c?v=4.2#L3146
http://lxr.free-electrons.com/source/mm/memory.c?v=4.2#L3266

Changed in linux-lts-wily (Ubuntu):
status: New → Confirmed
Andy Whitcroft (apw)
Changed in linux-lts-wily (Ubuntu):
status: Confirmed → Invalid
Changed in linux (Ubuntu Trusty):
status: New → Invalid
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1545401

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu Wily):
status: New → Incomplete
tags: added: trusty
Andy Whitcroft (apw)
Changed in linux-lts-wily (Ubuntu Wily):
status: New → Invalid
Changed in linux (Ubuntu):
importance: Undecided → Medium
Changed in linux (Ubuntu Wily):
importance: Undecided → Medium
Changed in linux-lts-wily (Ubuntu Trusty):
importance: Undecided → Medium
status: New → Incomplete
jose (o1485726) wrote : apport information

Attachments: AlsaInfo.txt, BootDmesg.txt, CRDA.txt, CurrentDmesg.txt, IwConfig.txt, Lspci.txt, Lsusb.txt, ProcCpuinfo.txt, ProcEnviron.txt, ProcInterrupts.txt, ProcModules.txt, PulseList.txt, RfKill.txt, UdevDb.txt, UdevLog.txt, WifiSyslog.txt, WpaSupplicantLog.txt

tags: added: apport-collected
description: updated
jose (o1485726) wrote :

dmesg after running GDB 3 times. Note: GDB is only the trigger of this bug...

Changed in linux-lts-wily (Ubuntu Trusty):
status: Incomplete → Confirmed
Christopher M. Peñalver (penalvch) wrote :

jose, could you please provide the full computer model as noted on the sticker of the computer itself (not from the Bug Description)?

Changed in linux-lts-wily (Ubuntu Trusty):
status: Confirmed → Incomplete
Seth Arnold (seth-arnold) wrote :

I'm marking it Confirmed again based on source inspection.

Thanks

Changed in linux-lts-wily (Ubuntu Trusty):
status: Incomplete → Confirmed
Changed in linux (Ubuntu Wily):
status: Incomplete → Confirmed
jose (o1485726) wrote :

I can now confirm that this bug does NOT affect kernel 4.4.0-18-generic (from linux-image-4.4.0-18-generic).

Christopher M. Peñalver (penalvch) wrote :

Resolved as per original reporter in Xenial+.

Changed in linux (Ubuntu):
status: Incomplete → Fix Released
Christopher M. Peñalver (penalvch) wrote :
Changed in linux (Ubuntu Wily):
status: Confirmed → Incomplete
jose (o1485726) wrote :

@penalvch: sorry, I didn't notice the model isn't shown anywhere... It's an HP laptop, HP Pavilion dv6-6174la.

tags: added: latest-bios-f.21
tags: added: needs-reverse-bisect
Changed in linux (Ubuntu Wily):
status: Incomplete → Confirmed