VIA C7-D machine "kernel NULL pointer dereference" in skcipher_recvmsg_async

Bug #1556562 reported by Jeffrey Walton on 2016-03-13
Affects              Status        Importance  Assigned to     Milestone
linux (Ubuntu)       Fix Released  Critical    Kamal Mostafa
linux (Ubuntu Wily)  Fix Released  Critical    Kamal Mostafa

Bug Description

I'm working on a Lubuntu 15 machine. It was chosen because it supports the VIA C7-D processor and the VIA PM400 chipset without crashing (also see ). Lubuntu 15 uses the 4.2 kernel:

  $ lsb_release -a
  No LSB modules are available.
  Distributor ID: Ubuntu
  Description: Ubuntu 15.10
  Release: 15.10
  Codename: wily

And:

  $ uname -a
  Linux via 4.2.0-30-generic #36-Ubuntu SMP Fri Feb 26 00:57:19 UTC 2016 i686 i686 i686 GNU/Linux

When running a particular program (details below), it hangs in syscall 248 and results in the following dmesg/syslog output. The process cannot be killed, the machine does not respond to a 'shutdown -r now', and the machine requires a hard reset.

...
[ 4505.429577] BUG: unable to handle kernel NULL pointer dereference at 00000008
[ 4505.429593] IP: [<f8a6ccf2>] skcipher_recvmsg_async.isra.13+0x4b2/0x500 [algif_skcipher]
[ 4505.429607] *pdpt = 0000000034ee3001 *pde = 0000000000000000
[ 4505.429614] Oops: 0000 [#3] SMP
[ 4505.429621] Modules linked in: jitterentropy_rng drbg ansi_cprng algif_skcipher af_alg snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi padlock_sha snd_seq padlock_aes snd_seq_device via_cputemp snd_timer hwmon_vid via_rng snd input_leds serio_raw soundcore i2c_viapro shpchp 8250_fintek mac_hid parport_pc ppdev lp parport autofs4 pata_acpi hid_generic usbhid hid psmouse r8169 pata_via sata_via mii
[ 4505.429689] CPU: 0 PID: 1532 Comm: afalgtest Tainted: G D 4.2.0-30-generic #36-Ubuntu
[ 4505.429695] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Weibu, BIOS 080014 11/17/2011
[ 4505.429700] task: f4e0e040 ti: f4e3c000 task.ti: f4e3c000
[ 4505.429705] EIP: 0060:[<f8a6ccf2>] EFLAGS: 00010202 CPU: 0
[ 4505.429712] EIP is at skcipher_recvmsg_async.isra.13+0x4b2/0x500 [algif_skcipher]
[ 4505.429717] EAX: f3f97c00 EBX: f3f3ee00 ECX: f3f97c00 EDX: 00000000
[ 4505.429722] ESI: f3f3ee00 EDI: 00000ff0 EBP: f4e3ddc8 ESP: f4e3dd70
[ 4505.429726] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[ 4505.429731] CR0: 80050033 CR2: 00000008 CR3: 3247a520 CR4: 000006b0
[ 4505.429735] Stack:
[ 4505.429738] f3f97df4 f3f97c00 f3f97de0 00000000 f3f97c04 00000020 f4e3dd00 00000018
[ 4505.429750] 00001ff0 f3fb4400 f3f97c04 00000ff0 f4e3de40 f3f97de8 f4e3de38 f3fa0000
[ 4505.429761] 00000002 00000002 f3f97c00 f1f58180 c1210510 f4e3de38 f4e3ddf4 f8a6cd6b
[ 4505.429772] Call Trace:
[ 4505.429788] [<c1210510>] ? free_ioctx_users+0xa0/0xa0
[ 4505.429795] [<f8a6cd6b>] skcipher_recvmsg+0x2b/0x1f0 [algif_skcipher]
[ 4505.429803] [<f8a6c71a>] ? skcipher_check_key.isra.8+0x2a/0xb0 [algif_skcipher]
[ 4505.429810] [<f8a6cf61>] skcipher_recvmsg_nokey+0x31/0x40 [algif_skcipher]
[ 4505.429820] [<c164e1fd>] sock_recvmsg+0x3d/0x50
[ 4505.429826] [<c164e294>] sock_read_iter+0x84/0xd0
[ 4505.429833] [<c164e210>] ? sock_recvmsg+0x50/0x50
[ 4505.429839] [<c12108b0>] aio_run_iocb+0x110/0x2c0
[ 4505.429846] [<c164e210>] ? sock_recvmsg+0x50/0x50
[ 4505.429854] [<c1767b8f>] ? error_code+0x67/0x6c
[ 4505.429865] [<c11b25e4>] ? kmem_cache_alloc+0x1b4/0x1e0
[ 4505.429875] [<c11e5112>] ? __fdget+0x12/0x20
[ 4505.429881] [<c121168f>] do_io_submit+0x1ef/0x4a0
[ 4505.429893] [<c12ddd2f>] ? security_file_alloc+0x2f/0x50
[ 4505.429900] [<c1211960>] SyS_io_submit+0x20/0x30
[ 4505.429911] [<c176695f>] sysenter_do_call+0x12/0x12
[ 4505.429915] Code: 00 00 00 75 24 8b 45 ac ff 52 0c 89 c7 83 ff 8d 75 8f 8b 45 e4 3e ff 80 fc 01 00 00 bf ef fd ff ff e9 62 fc ff ff 8d 76 00 89 c8 <ff> 52 08 89 c7 eb db 8b 45 e4 31 d2 8b 80 20 02 00 00 8b 58 1c
[ 4505.429982] EIP: [<f8a6ccf2>] skcipher_recvmsg_async.isra.13+0x4b2/0x500 [algif_skcipher] SS:ESP 0068:f4e3dd70
[ 4505.429991] CR2: 0000000000000008
[ 4505.429997] ---[ end trace 3cce7cc6be0ad960 ]---

**********

The process details: this is a failed self test for the upcoming OpenSSL 1.1.0. The OpenSSL RT bug report for this issue is at http://rt.openssl.org/Ticket/Display.html?id=4411. Two attempts to debug it resulted in two hung processes:

$ ps -A | grep afalgtest
1030 pts/0 00:00:00 afalgtest
1196 pts/0 00:00:00 afalgtest

And:

via:test$ sudo cat /proc/1030/syscall
248 0xb7fd6000 0x1 0xbfff98d4 0xb7fb9270 0xbfff98e0 0xb7ec45f7 0xbfff986c 0xb7fdbbe8
via:test$ sudo cat /proc/1196/syscall
248 0xb7fd6000 0x1 0xbfff98d4 0xb7fb9270 0xbfff98e0 0xb7ec45f7 0xbfff986c 0xb7fdbbe8

It's not clear to me what that particular syscall is:

$ cat /usr/include/asm-generic/unistd.h
...
/*
 * Architectures may provide up to 16 syscalls of their own
 * starting with this value.
 */
#define __NR_arch_specific_syscall 244

#define __NR_wait4 260
__SC_COMP(__NR_wait4, sys_wait4, compat_sys_wait4)
#define __NR_prlimit64 261
__SYSCALL(__NR_prlimit64, sys_prlimit64)
#define __NR_fanotify_init 262
__SYSCALL(__NR_fanotify_init, sys_fanotify_init)
#define __NR_fanotify_mark 263
...

**********

If interested, you should be able to duplicate it with the following. That's assuming you have the hardware.

$ git clone git://git.openssl.org/openssl.git
$ cd openssl

$ ./config -d
$ make
$ make test/afalgtest
$ cd test
$ OPENSSL_ENGINES=../engines/afalg gdb ./afalgtest

**********

In this case, the hardware was selected for the VIA C7-D processor and the Padlock engine. It's relatively low-end, and can be found at http://www.amazon.com/gp/product/B01AXR2KBQ.
---
ApportVersion: 2.19.1-0ubuntu5
Architecture: i386
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: jwalton 16458 F.... lxpanel
DistroRelease: Ubuntu 15.10
HibernationDevice: RESUME=UUID=e056d1a4-73ea-4667-a51f-604158d1b9fb
InstallationDate: Installed on 2016-03-22 (1 days ago)
InstallationMedia: Lubuntu 15.10 "Wily Werewolf" - Release i386 (20151021)
IwConfig:
 lo no wireless extensions.

 enp3s0 no wireless extensions.
MachineType: To Be Filled By O.E.M. To Be Filled By O.E.M.
Package: linux (not installed)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcFB: 0 VESA VGA
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.2.0-35-generic root=UUID=ed37a08c-3f91-4903-b20a-ba9829326044 ro ipv6.disable=1 biosdevname=0 audit=0 quiet splash vt.handoff=7
ProcVersionSignature: Ubuntu 4.2.0-35.40-generic 4.2.8-ckt5
RelatedPackageVersions:
 linux-restricted-modules-4.2.0-35-generic N/A
 linux-backports-modules-4.2.0-35-generic N/A
 linux-firmware 1.149.3
RfKill:

Tags: wily wily
UdevLog: Error: [Errno 2] No such file or directory: '/var/log/udev'
Uname: Linux 4.2.0-35-generic i686
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups:

_MarkForUpload: True
dmi.bios.date: 11/17/2011
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: 080014
dmi.board.asset.tag: To Be Filled By O.E.M.
dmi.board.name: Weibu
dmi.board.vendor: WB
dmi.board.version: 1.0
dmi.chassis.asset.tag: To Be Filled By O.E.M.
dmi.chassis.type: 3
dmi.chassis.vendor: To Be Filled By O.E.M.
dmi.chassis.version: To Be Filled By O.E.M.
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr080014:bd11/17/2011:svnToBeFilledByO.E.M.:pnToBeFilledByO.E.M.:pvrToBeFilledByO.E.M.:rvnWB:rnWeibu:rvr1.0:cvnToBeFilledByO.E.M.:ct3:cvrToBeFilledByO.E.M.:
dmi.product.name: To Be Filled By O.E.M.
dmi.product.version: To Be Filled By O.E.M.
dmi.sys.vendor: To Be Filled By O.E.M.
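
For readers who want to poke at the interface involved, the following is an added example written for this page; it is not code from the bug report, from Ubuntu or from OpenSSL. It encrypts one AES-128-CBC block through an AF_ALG "skcipher" socket and reads the ciphertext back two ways: with read(2), and with io_submit(2). The second is the asynchronous path in the trace above (io_submit -> aio_run_iocb -> sock_read_iter -> skcipher_recvmsg -> skcipher_recvmsg_async); on i386, syscall 248 as shown in /proc/PID/syscall is io_submit, which matches the SyS_io_submit frame in the oops (the asm-generic table quoted in the description is the one used by newer architectures, not by 32-bit x86). The function names, the AFALG_UNAVAILABLE code, and the choice to report rather than fail when AF_ALG or AIO cannot be used are this example's own assumptions; the key, IV, plaintext and ciphertext are the NIST SP 800-38A F.2.1 test vector. It assumes a Linux system with algif_skcipher and an aes implementation available; it does not need the affected hardware or kernel, and on the 4.2 kernel in the report the io_submit leg is the path the trace went through.

```c
/* Added example (not from the bug report, Ubuntu or OpenSSL): exercise the
 * AF_ALG "skcipher" interface that oopsed above.  One AES-128-CBC block is
 * encrypted by the kernel and read back two ways: read(2), and io_submit(2),
 * the AIO path in the trace (io_submit -> aio_run_iocb -> sock_read_iter ->
 * skcipher_recvmsg_async).  Output is checked against NIST SP 800-38A F.2.1.
 * Build on Linux: cc -std=gnu11 -Wall afalg_cbc.c -o afalg_cbc            */
#define _GNU_SOURCE
#include <linux/aio_abi.h>
#include <linux/if_alg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef SOL_ALG
#define SOL_ALG 279          /* value from <linux/socket.h>; some libc headers omit it */
#endif
#define AFALG_UNAVAILABLE 2  /* this example's own code: AF_ALG or AIO not usable here */

/* NIST SP 800-38A F.2.1, CBC-AES128.Encrypt, first block */
static const uint8_t kKey[16] = {0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c};
static const uint8_t kIv[16]  = {0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f};
static const uint8_t kPt[16]  = {0x6b,0xc1,0xbe,0xe2,0x2e,0x40,0x9f,0x96,0xe9,0x3d,0x7e,0x11,0x73,0x93,0x17,0x2a};
static const uint8_t kCt[16]  = {0x76,0x49,0xab,0xac,0x81,0x19,0xb2,0x46,0xce,0xe9,0x8e,0x9b,0x12,0xe9,0x19,0x7d};

/* Open an operation socket for cbc(aes) with the key loaded; -1 if AF_ALG is unusable. */
static int afalg_open_cbc_aes(const uint8_t *key, size_t keylen)
{
    struct sockaddr_alg sa = { .salg_family = AF_ALG,
                               .salg_type = "skcipher", .salg_name = "cbc(aes)" };
    int tfm = socket(AF_ALG, SOCK_SEQPACKET, 0), op = -1;
    if (tfm < 0) return -1;
    /* The key belongs to the transform socket; accept() hands out the op socket. */
    if (bind(tfm, (struct sockaddr *)&sa, sizeof sa) == 0 &&
        setsockopt(tfm, SOL_ALG, ALG_SET_KEY, key, keylen) == 0)
        op = accept(tfm, NULL, 0);
    close(tfm);
    return op;
}

/* Queue plaintext with the encrypt op and the IV attached as control messages. */
static int afalg_send(int op, const uint8_t iv[16], const uint8_t *in, size_t len)
{
    union { char buf[CMSG_SPACE(sizeof(uint32_t)) + CMSG_SPACE(sizeof(struct af_alg_iv) + 16)];
            struct cmsghdr align; } c = {{0}};
    struct iovec iov = { .iov_base = (void *)in, .iov_len = len };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = c.buf, .msg_controllen = sizeof c.buf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_ALG; cm->cmsg_type = ALG_SET_OP; cm->cmsg_len = CMSG_LEN(sizeof(uint32_t));
    *(uint32_t *)CMSG_DATA(cm) = ALG_OP_ENCRYPT;
    cm = CMSG_NXTHDR(&msg, cm);
    cm->cmsg_level = SOL_ALG; cm->cmsg_type = ALG_SET_IV; cm->cmsg_len = CMSG_LEN(sizeof(struct af_alg_iv) + 16);
    struct af_alg_iv *aiv = (struct af_alg_iv *)CMSG_DATA(cm);
    aiv->ivlen = 16;
    memcpy(aiv->iv, iv, 16);
    return sendmsg(op, &msg, 0) == (ssize_t)len ? 0 : -1;
}

/* Read the ciphertext through Linux AIO (raw io_* syscalls, no libaio).  -2: no AIO here. */
static ssize_t read_aio(int fd, void *buf, size_t len)
{
    aio_context_t ctx = 0;
    if (syscall(SYS_io_setup, 1, &ctx) < 0) return -2;
    struct iocb cb = { .aio_fildes = fd, .aio_lio_opcode = IOCB_CMD_PREAD,
                       .aio_buf = (uintptr_t)buf, .aio_nbytes = len };
    struct iocb *cbs[1] = { &cb };
    struct io_event ev;
    ssize_t r = -1;
    if (syscall(SYS_io_submit, ctx, 1, cbs) == 1 &&
        syscall(SYS_io_getevents, ctx, 1, 1, &ev, NULL) == 1)
        r = (ssize_t)ev.res;      /* byte count on success, negative errno on failure */
    syscall(SYS_io_destroy, ctx);
    return r;
}

/* 0: kernel output matches the NIST vector; AFALG_UNAVAILABLE: no AF_ALG/AIO here;
 * 1: mismatch; -1: I/O error on a working socket. */
int afalg_cbc_selftest(int use_aio)
{
    uint8_t out[16];
    int op = afalg_open_cbc_aes(kKey, sizeof kKey), rc = -1;
    if (op < 0) return AFALG_UNAVAILABLE;
    if (afalg_send(op, kIv, kPt, sizeof kPt) == 0) {
        ssize_t n = use_aio ? read_aio(op, out, sizeof out) : read(op, out, sizeof out);
        if (n == -2) rc = AFALG_UNAVAILABLE;
        else if (n == (ssize_t)sizeof out)
            rc = memcmp(out, kCt, sizeof kCt) == 0 ? 0 : 1;
    }
    close(op);
    return rc;
}

int main(void)
{
    int bad = 0;
    for (int aio = 0; aio < 2; aio++) {
        int rc = afalg_cbc_selftest(aio);
        printf("AF_ALG cbc(aes) via %s: rc=%d (0=ok, %d=unavailable)\n",
               aio ? "io_submit(2)" : "read(2)", rc, AFALG_UNAVAILABLE);
        bad |= (rc != 0 && rc != AFALG_UNAVAILABLE);
    }
    return bad;
}
```

The read(2) leg goes through the synchronous recvmsg handler; the io_submit(2) leg is the submission path the trace shows, and it is how an engine that wants the kernel to run the cipher without blocking the caller drives the socket. Either way the key is set on the transform socket and the op socket carries per-request state, which is why a single keyed socket can be accept()ed several times.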

affects: ubuntu → linux-kernel-no-pae
Changed in linux-kernel-no-pae:
assignee: nobody → Kamal Mostafa (kamalmostafa)
affects: linux-kernel-no-pae → linux
no longer affects: linux
Changed in linux (Ubuntu Wily):
status: New → In Progress
assignee: nobody → Kamal Mostafa (kamalmostafa)

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1556562

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
summary: - VIA C7-D machine and "unable to handle kernel NULL pointer dereference
- at 00000008"
+ VIA C7-D machine "kernel NULL pointer dereference" in
+ skcipher_recvmsg_async
Kamal Mostafa (kamalmostafa) wrote :

No additional logs are required at this time.

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Kamal Mostafa (kamalmostafa) wrote :

@Jeffrey-

Please try this test kernel: http://kernel.ubuntu.com/~kamal/lp1556562.0/

(For reference, this is 4.2.0-35.40 plus backports of these mainline commits:)
6454c2b crypto: algif_skcipher - Do not dereference ctx without socket lock
ec69bbf crypto: algif_skcipher - Do not assume that req is unchanged
6e8d8ec crypto: algif_skcipher - Add key check exception for cipher_null
a1383cd crypto: skcipher - Add crypto_skcipher_has_setkey

apport information

tags: added: apport-collected wily
description: updated

Jeffrey Walton (noloader) wrote :

Kamal - to avoid confusion, the log files were uploaded based on the 4.2.0-35-generic kernel without the patches (re: Luis' request).

I'm getting to the updated 4.2.0-35-generic now (re: Kamal's request).

Jeffrey Walton (noloader) wrote :

Kamal - the updated kernel files cleared the issue. Thank you so much.

Dmesg shows only the following, which I believe is expected when creating a socket with "AF_ALG" domain:

    [ 806.458783] NET: Registered protocol family 38

Kamal Mostafa (kamalmostafa) wrote :

Jeffrey- Thanks for testing and confirming the fix. We'll get those patches into the (likely next) Wily 4.2 kernel. A message will be posted to this bug once the fix lands in -proposed.

Jeffrey Walton (noloader) wrote :

I wanted to provide some feedback, if interested. Using Kamal's test kernel and asynchronous test vectors from Taruk's GitHub (https://github.com/tstruk/afalg_async_test)...

The SKCIPHER asynchronous test program passed.

However, the AEAD asynchronous test program failed with:

  $ cd aead
  $ make
  ...

  $ ./test
  doing copy,
  bind error 2

HASH, MAC, etc were not tested.

-----------

I also noticed Torvalds has some tests at:

  linux$ find . -name '*tcrypt*'
  ./crypto/tcrypt.c
  ./crypto/tcrypt.h

I'm going to try and get them running on this kernel tonight or tomorrow.

Jeffrey Walton (noloader) wrote :

It looks like this is why the AEAD test is failing (if I am parsing things correctly): http://patchwork.kernel.org/patch/8182971/. The current kernel sources are missing struct aead_async_rsgl, struct aead_async_req, et al.

Also, from comment 18: s/Taruk's GitHub/Tadeusz GitHub/g. I'm not sure how I managed to munge the name.

Brad Figg (brad-figg) on 2016-03-29
Changed in linux (Ubuntu Wily):
status: In Progress → Fix Committed
Kamal Mostafa (kamalmostafa) wrote :

Jeffrey, my understanding here is that this bug report is now resolved (or will be) by the patch set you confirmed in comment #16.

If I understand correctly, the AEAD test failure you mention in comment #18 is a separate issue -- it would require a separate bug report. I note though, that the patch you reference in #19 doesn't appear upstream (yet at least). It seems like it would be considered a "new feature" (so "Wishlist" importance, if you file a new bug for it).

Changed in linux (Ubuntu):
importance: Undecided → Critical
status: Confirmed → Fix Committed
Changed in linux (Ubuntu Wily):
importance: Undecided → Critical
Changed in linux (Ubuntu):
assignee: nobody → Kamal Mostafa (kamalmostafa)
Kamal Mostafa (kamalmostafa) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-wily' to 'verification-done-wily'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-wily
Kamal Mostafa (kamalmostafa) wrote :

Hi Jeffrey- Can you confirm that the Wily kernel (4.2.0-36.41) currently in -proposed fixes this bug? Thanks!

> Can you confirm that the Wily kernel (4.2.0-36.41)
> currently in -proposed fixes this bug? Thanks!

All looks good when installing the three packages from wily-proposed: linux-headers-4.2.0-36-generic, linux-image-4.2.0-36-generic and linux-image-extra-4.2.0-36-generic. The kernel did not dereference the NULL pointer, and the particular OpenSSL self test passed:

    make test
    ../test/recipes/25-test_x509.t ............. ok
    ../test/recipes/30-test_afalg.t ............ ok
    ../test/recipes/30-test_engine.t ........... ok

And the only thing I see under dmesg:

    $ dmesg
    ...
    [ 913.294639] NET: Registered protocol family 38
    $

A small nit, which is probably due to my misunderstanding of the way dependencies are handled when using Selective Upgrades (http://wiki.ubuntu.com/Testing/EnableProposed#Selective_upgrading_from_-proposed). When I performed only 'apt-get install linux-image-4.2.0-36-generic/wily-proposed', the machine did not boot, and it was stuck at the initramfs prompt. I needed to install linux-image-extra-4.2.0-36-generic manually.

tags: added: verification-done-wily
removed: verification-needed-wily
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.2.0-36.41

---------------
linux (4.2.0-36.41) wily; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1571667

  [ Benjamin Tissoires ]

  * SAUCE: Input: synaptics - handle spurious release of trackstick
    buttons, again
    - LP: #1553811

  [ dann frazier ]

  * Revert "SAUCE: arm64, numa, dt: adding dt based numa support using dt
    node property arm, associativity"
    - LP: #1558828
  * Revert "SAUCE: Documentation: arm64/arm: dt bindings for numa."
    - LP: #1558828
  * Revert "SAUCE: arm64, numa: adding numa support for arm64 platforms."
    - LP: #1558828
  * Revert "[Config] Enable NUMA on ARM64"
    - LP: #1558828

  [ K. Y. Srinivasan ]

  * SAUCE: (noup): Drivers: hv: vmbus: Fix a bug in
    hv_need_to_signal_on_read()
    - LP: #1556264

  [ Kamal Mostafa ]

  * [debian] BugLink: close LP: bugs only for Launchpad urls
  * [Config] updateconfigs after v4.2.8-ckt7

  [ Upstream Kernel Changes ]

  * Revert "jffs2: Fix lock acquisition order bug in jffs2_write_begin"
    - LP: #1561677
  * tipc: fix connection abort during subscription cancel
    - LP: #1561677
  * tipc: fix nullptr crash during subscription cancel
    - LP: #1561677
  * s390/mm: four page table levels vs. fork
    - LP: #1561677
  * Input: aiptek - fix crash on detecting device without endpoints
    - LP: #1561677
  * wext: fix message delay/ordering
    - LP: #1561677
  * cfg80211/wext: fix message ordering
    - LP: #1561677
  * mac80211: fix use of uninitialised values in RX aggregation
    - LP: #1561677
  * mac80211: minstrel: Change expected throughput unit back to Kbps
    - LP: #1561677
  * libata: fix HDIO_GET_32BIT ioctl
    - LP: #1561677
  * iwlwifi: mvm: inc pending frames counter also when txing non-sta
    - LP: #1561677
  * [media] adv7604: fix tx 5v detect regression
    - LP: #1561677
  * ahci: add new Intel device IDs
    - LP: #1561677
  * ahci: Order SATA device IDs for codename Lewisburg
    - LP: #1561677
  * Adding Intel Lewisburg device IDs for SATA
    - LP: #1561677
  * ASoC: samsung: Use IRQ safe spin lock calls
    - LP: #1561677
  * mac80211: minstrel_ht: set default tx aggregation timeout to 0
    - LP: #1561677
  * usb: chipidea: otg: change workqueue ci_otg as freezable
    - LP: #1561677
  * jffs2: Fix page lock / f->sem deadlock
    - LP: #1561677
  * Fix directory hardlinks from deleted directories
    - LP: #1561677
  * iommu/amd: Fix boot warning when device 00:00.0 is not iommu covered
    - LP: #1561677
  * iommu/amd: Apply workaround for ATS write permission check
    - LP: #1561677
  * libata: Align ata_device's id on a cacheline
    - LP: #1561677
  * can: gs_usb: fixed disconnect bug by removing erroneous use of kfree()
    - LP: #1561677
  * fbcon: set a default value to blink interval
    - LP: #1561677
  * KVM: x86: fix root cause for missed hardware breakpoints
    - LP: #1561677
  * arm64: vmemmap: use virtual projection of linear region
    - LP: #1561677
  * vfio: fix ioctl error handling
    - LP: #1561677
  * ALSA: ctl: Fix ioctls for X32 ABI
    - LP: #1561677
  * ALSA: pcm: Fix ioctls for X32 ABI
    - LP: #1561677
  * ALSA: rawmidi: Fix ioct...

Changed in linux (Ubuntu Wily):
status: Fix Committed → Fix Released
Dimitrenko (paviliong6) on 2017-07-04
Changed in linux (Ubuntu):
status: Fix Committed → Fix Released