NULL pointer dereference in tty_write() in kernel 4.4.0-93.116+

Bug #1721065 reported by regmka on 2017-10-03
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
High
Joseph Salisbury
Xenial
High
Joseph Salisbury

Bug Description

Sometimes an Ubuntu kernel 4.4.0-93+ panics in the following way:

[ 11.185347] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 11.185778] IP: [<ffffffff814f9cf3>] tty_write+0x83/0x2d0
[ 11.186115] PGD 0
[ 11.186270] Oops: 0000 [#1] SMP
[ 11.186506] Modules linked in: prl_fs(POE) prl_eth(POE) gpio_ich ppdev snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm s
nd_timer input_leds snd serio_raw soundcore lpc_ich shpchp sbs prl_tg(POE) sbshc pvpanic parport_pc parport mac_hid auto
fs4 psmouse ahci libahci pata_acpi fjes
[ 11.188034] CPU: 0 PID: 1 Comm: systemd Tainted: P OE 4.4.0-96-generic #119-Ubuntu
[ 11.188482] Hardware name: Parallels Software International Inc. Parallels Virtual Platform/Parallels Virtual Platfor
m, BIOS 13.1.0 (43104) 09/26/2017
[ 11.189156] task: ffff88003db80000 ti: ffff88003db88000 task.ti: ffff88003db88000
[ 11.189546] RIP: 0010:[<ffffffff814f9cf3>] [<ffffffff814f9cf3>] tty_write+0x83/0x2d0
[ 11.189964] RSP: 0000:ffff88003db8bcc8 EFLAGS: 00010246
[ 11.190255] RAX: 0000000000000000 RBX: ffff8800392dd800 RCX: 0000000000000000
[ 11.190628] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8800392dd828
[ 11.191002] RBP: ffff88003db8bd18 R08: ffff88003db88000 R09: 0000000000000000
[ 11.191398] R10: 000000000000005c R11: 0000000000401ce0 R12: 000000000000002f
[ 11.191775] R13: ffff88003584ae70 R14: 000055c8eab15f20 R15: ffff88003584ae00
[ 11.192152] FS: 00007f649d1418c0(0000) GS:ffff88003de00000(0000) knlGS:0000000000000000
[ 11.192573] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 11.192882] CR2: 0000000000000000 CR3: 000000003d3b6000 CR4: 00000000000006f0
[ 11.193264] Stack:
[ 11.193404] 0000000000000000 ffffffff813953ba ffff88003db8bd08 ffffffff813493bd
[ 11.193837] 000000000000002f ffff88003584ae00 000055c8eab15f20 ffff88003584ae70
[ 11.194267] 000000000000002f ffff88003db8bf18 ffff88003db8bd28 ffffffff8120f878
[ 11.194700] Call Trace:
[ 11.194884] [<ffffffff813953ba>] ? apparmor_file_permission+0x1a/0x20
[ 11.195248] [<ffffffff813493bd>] ? security_file_permission+0x3d/0xc0
[ 11.195621] [<ffffffff8120f878>] __vfs_write+0x18/0x40
[ 11.195916] [<ffffffff81210209>] vfs_write+0xa9/0x1a0
[ 11.196202] [<ffffffff814f9fa0>] redirected_tty_write+0x60/0xa0
[ 11.196532] [<ffffffff814f9f40>] ? tty_write+0x2d0/0x2d0
[ 11.196830] [<ffffffff8120f5d5>] do_loop_readv_writev+0x75/0xa0
[ 11.197160] [<ffffffff814f9f40>] ? tty_write+0x2d0/0x2d0
[ 11.197458] [<ffffffff81210512>] do_readv_writev+0x212/0x230
[ 11.198439] [<ffffffff81223faf>] ? do_vfs_ioctl+0x29f/0x490
[ 11.199374] [<ffffffff812105b9>] vfs_writev+0x39/0x50
[ 11.200268] [<ffffffff812112e9>] SyS_writev+0x59/0xf0
[ 11.201144] [<ffffffff81224219>] ? SyS_ioctl+0x79/0x90
[ 11.202049] [<ffffffff81843272>] entry_SYSCALL_64_fastpath+0x16/0x71
[ 11.202980] Code: 47 02 00 00 48 8b 93 e0 01 00 00 83 e2 02 0f 85 37 02 00 00 48 83 78 50 00 0f 84 38 02 00 00 48 89 df e8 11 7f 00 00 48 89 45 b0 <48> 8b 00 48 8b 40 40 48 89 c2 48 89 45 c0 48 c7 c0 fb ff ff ff
[ 11.208047] RIP [<ffffffff814f9cf3>] tty_write+0x83/0x2d0
[ 11.208942] RSP <ffff88003db8bcc8>
[ 11.209713] CR2: 0000000000000000
[ 11.210517] ---[ end trace 3b933544655b49b8 ]---
[ 11.335210] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
[ 11.335210]
[ 11.337095] Kernel Offset: disabled
[ 11.338184] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009

The crash occurs here

1227 static ssize_t tty_write(struct file *file, const char __user *buf,
[...]
1243 ld = tty_ldisc_ref_wait(tty);
1244 if (!ld->ops->write) // <===
1245 ret = -EIO;
1246 else
1247 ret = do_tty_write(ld->ops->write, tty, file, buf, count);

because tty_ldisc_ref_wait() returned NULL.

It seems the issue has been introduced into 4.4.0-93+ kernels
by the fix for the bug #1709126: according to the version 4.4.0-93.116
changelog the patch "tty: Destroy ldisc instance on hangup" (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=892d1fa7eaaed9d3c04954cb140c34ebc3393932) that allowed
tty_ldisc_ref_wait() to return NULL has been backported
into the Ubuntu Linux kernel 4.4.0-93+. However, the patch
"tty: Prepare for destroying line discipline on hangup"
(https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e55afd11a48354c810caf6b6ad4c103016a88230)
from the same patchset (https://lkml.org/lkml/2015/11/27/476)
that prepares tty_ldisc_ref_wait() callers
for this hasn't been backported.

Additional info:

Kernel version:

Linux version 4.4.0-96-generic (buildd@lgw01-10) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017

lsb_release -rd output:

Description: Ubuntu 16.04.3 LTS
Release: 16.04

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1721065

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: xenial
Changed in linux (Ubuntu):
importance: Undecided → High
tags: added: kernel-da-key
Changed in linux (Ubuntu):
status: Incomplete → Triaged
Changed in linux (Ubuntu Xenial):
status: New → Triaged
importance: Undecided → High
Joseph Salisbury (jsalisbury) wrote :

I built a X test kernel with a pick of commit e55afd11a4835. The test kernel can be downloaded from:

http://kernel.ubuntu.com/~jsalisbury/lp1721065/

Can you test this kernel and see if it resolves this bug?

Changed in linux (Ubuntu Xenial):
assignee: nobody → Joseph Salisbury (jsalisbury)
Changed in linux (Ubuntu):
assignee: nobody → Joseph Salisbury (jsalisbury)
Changed in linux (Ubuntu Xenial):
status: Triaged → In Progress
Changed in linux (Ubuntu):
status: Triaged → In Progress
regmka (regmka) wrote :

> http://kernel.ubuntu.com/~jsalisbury/lp1721065/
> Can you test this kernel and see if it resolves this bug?

Hi Joseph,

I've tested the kernel and I confirm that the issue
does not reproduce in my environment with this kernel.

Thanks!

Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
regmka (regmka) wrote :

The issue has been verified with the kernel 4.4.0-100.123.

tags: added: verification-done-xenial
removed: verification-needed-xenial
Launchpad Janitor (janitor) wrote :
Download full text (14.3 KiB)

This bug was fixed in the package linux - 4.4.0-101.124

---------------
linux (4.4.0-101.124) xenial; urgency=low

  * linux: 4.4.0-101.124 -proposed tracker (LP: #1731264)

  * s390/mm: fix write access check in gup_huge_pmd() (LP: #1730596)
    - s390/mm: fix write access check in gup_huge_pmd()

linux (4.4.0-100.123) xenial; urgency=low

  * linux: 4.4.0-100.123 -proposed tracker (LP: #1729273)

  * Xenial update to 4.4.95 stable release (LP: #1729107)
    - USB: devio: Revert "USB: devio: Don't corrupt user memory"
    - USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
    - USB: serial: metro-usb: add MS7820 device id
    - usb: cdc_acm: Add quirk for Elatec TWN3
    - usb: quirks: add quirk for WORLDE MINI MIDI keyboard
    - usb: hub: Allow reset retry for USB2 devices on connect bounce
    - ALSA: usb-audio: Add native DSD support for Pro-Ject Pre Box S2 Digital
    - can: gs_usb: fix busy loop if no more TX context is available
    - usb: musb: sunxi: Explicitly release USB PHY on exit
    - usb: musb: Check for host-mode using is_host_active() on reset interrupt
    - can: esd_usb2: Fix can_dlc value for received RTR, frames
    - drm/nouveau/bsp/g92: disable by default
    - drm/nouveau/mmu: flush tlbs before deleting page tables
    - ALSA: seq: Enable 'use' locking in all configurations
    - ALSA: hda: Remove superfluous '-' added by printk conversion
    - i2c: ismt: Separate I2C block read from SMBus block read
    - brcmsmac: make some local variables 'static const' to reduce stack size
    - bus: mbus: fix window size calculation for 4GB windows
    - clockevents/drivers/cs5535: Improve resilience to spurious interrupts
    - rtlwifi: rtl8821ae: Fix connection lost problem
    - KEYS: encrypted: fix dereference of NULL user_key_payload
    - lib/digsig: fix dereference of NULL user_key_payload
    - KEYS: don't let add_key() update an uninstantiated key
    - pkcs7: Prevent NULL pointer dereference, since sinfo is not always set.
    - parisc: Avoid trashing sr2 and sr3 in LWS code
    - parisc: Fix double-word compare and exchange in LWS code on 32-bit kernels
    - sched/autogroup: Fix autogroup_move_group() to never skip sched_move_task()
    - f2fs crypto: replace some BUG_ON()'s with error checks
    - f2fs crypto: add missing locking for keyring_key access
    - fscrypt: fix dereference of NULL user_key_payload
    - KEYS: Fix race between updating and finding a negative key
    - fscrypto: require write access to mount to set encryption policy
    - FS-Cache: fix dereference of NULL user_key_payload
    - Linux 4.4.95

  * Xenial update to 4.4.94 stable release (LP: #1729105)
    - percpu: make this_cpu_generic_read() atomic w.r.t. interrupts
    - drm/dp/mst: save vcpi with payloads
    - MIPS: Fix minimum alignment requirement of IRQ stack
    - sctp: potential read out of bounds in sctp_ulpevent_type_enabled()
    - bpf/verifier: reject BPF_ALU64|BPF_END
    - udpv6: Fix the checksum computation when HW checksum does not apply
    - ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header
    - net: emac: Fix napi poll list corruption
    - packet: hold bind lock when rebinding to fa...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Changed in linux (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers