BUG: unable to handle kernel NULL pointer dereference at 0000000000000009

Bug #1748671 reported by Simon Déziel on 2018-02-10
This bug affects 2 people
Affects          Status   Importance   Assigned to   Milestone
linux (Ubuntu)            Medium       Unassigned
Xenial                    Medium       Unassigned

Bug Description

Got this bug/oops while running with the linux-image-4.4.0-113-generic (4.4.0-113.136) kernel from -proposed:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000009
IP: [<ffffffffab413ad5>] csum_and_copy_from_iter+0x55/0x4c0
PGD 0
Oops: 0000 [#1] SMP
Modules linked in: ctr ccm veth xt_CHECKSUM iptable_mangle xt_comment ec_sys bridge stp llc nf_log_ipv6 ip6table_filter ip6t_MASQUERADE nf_nat_masquerade_ipv6 ip6table_nat nf_nat_ipv6 ip6_tables nf_log_ip
 snd ghash_clmulni_intel soundcore r8169 psmouse input_leds cfg80211 rtsx_pci mii vhost_net vhost media ahci libahci macvtap macvlan mei_me mei kvm_intel kvm irqbypass tpm_crb i2c_hid intel_lpss_acpi inte
CPU: 2 PID: 3997 Comm: dnsmasq Tainted: P W O 4.4.0-113-generic #136-Ubuntu
Hardware name: System76 Lemur/Lemur, BIOS 5.12 02/17/2017
task: ffff880830269e00 ti: ffff880035c44000 task.ti: ffff880035c44000
RIP: 0010:[<ffffffffab413ad5>] [<ffffffffab413ad5>] csum_and_copy_from_iter+0x55/0x4c0
RSP: 0018:ffff880035c47a18 EFLAGS: 00010246
RAX: 00000000ab729fd0 RBX: 000000000000001c RCX: ffff880035c47e98
RDX: ffff880035c47a94 RSI: 000000000000001c RDI: ffff8807ef1a7424
RBP: ffff880035c47a80 R08: 0000000000000000 R09: ffff8807ef1a7424
R10: ffff8807ef1a7424 R11: ffff8807ef1a7400 R12: ffff880035c47e98
R13: 0000000000000000 R14: 00ffffffabea6920 R15: 0000000000000001
FS: 00007ff2b234d880(0000) GS:ffff88086ed00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000009 CR3: 0000000035c1e000 CR4: 0000000000360670
Stack:
 ffff88084e001600 ffffffffab72d1d7 ffff880830f18500 ffff880035c47aaf
 ffff880035c47a94 00000000000001c0 00000000ffffffff b0f4001fc4815eea
 000000000000001c ffff880830f18500 0000000000000000 ffff880035c47d30
Call Trace:
 [<ffffffffab72d1d7>] ? __alloc_skb+0x87/0x1f0
 [<ffffffffab782cb6>] ip_generic_getfrag+0x56/0xe0
 [<ffffffffab7abc0f>] raw_getfrag+0xaf/0x100
 [<ffffffffab78450a>] __ip_append_data.isra.45+0x98a/0xb90
 [<ffffffffab7abb60>] ? raw_recvmsg+0x1c0/0x1c0
 [<ffffffffab7abb60>] ? raw_recvmsg+0x1c0/0x1c0
 [<ffffffffab78478a>] ip_append_data.part.46+0x7a/0xe0
 [<ffffffffab785474>] ip_append_data+0x34/0x40
 [<ffffffffab7ac8a4>] raw_sendmsg+0x724/0xc00
 [<ffffffffab3a4ea0>] ? aa_sk_perm+0x70/0x210
 [<ffffffffab3a5761>] ? aa_sock_msg_perm+0x61/0x150
 [<ffffffffab7bc91b>] inet_sendmsg+0x6b/0xa0
 [<ffffffffab723b5e>] sock_sendmsg+0x3e/0x50
 [<ffffffffab724151>] SYSC_sendto+0x101/0x190
 [<ffffffffab729fd0>] ? sock_setsockopt+0x180/0x830
 [<ffffffffab397072>] ? apparmor_socket_setsockopt+0x22/0x30
 [<ffffffffab724c7e>] SyS_sendto+0xe/0x10
 [<ffffffffab84df9f>] entry_SYSCALL_64_fastpath+0x1c/0x93
Code: f3 48 0f 47 de 48 85 db 0f 84 8b 01 00 00 8b 02 49 89 f9 49 89 cc 4c 8b 71 08 89 45 c4 8b 01 a8 04 0f 85 79 01 00 00 4c 8b 79 18 <4d> 8b 6f 08 4d 29 f5 49 39 dd 4c 0f 47 eb a8 02 0f 85 36 02 00
RIP [<ffffffffab413ad5>] csum_and_copy_from_iter+0x55/0x4c0
 RSP <ffff880035c47a18>
CR2: 0000000000000009
---[ end trace bdd9157c94a456b6 ]---

The trigger is when I start an artful lxd container and it tries to get an IPv4/IPv6. Oddly enough, the same thing works perfectly for my xenial container. My lxd-bridge has dnsmasq contained by Apparmor which is non standard but always worked flawlessly.

I can trigger the bug 100% of the time so validating any tentative fix should be easy.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: linux-image-4.4.0-113-generic 4.4.0-113.136
ProcVersionSignature: Ubuntu 4.4.0-112.135-generic 4.4.98
Uname: Linux 4.4.0-112-generic x86_64
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
ApportVersion: 2.20.1-0ubuntu2.15
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: simon 7244 F.... pulseaudio
CurrentDesktop: Unity
CurrentDmesg: Error: command ['dmesg'] failed with exit code 1: dmesg: read kernel buffer failed: Operation not permitted
Date: Sat Feb 10 16:45:26 2018
HibernationDevice: RESUME=/dev/mapper/nvme0n1p3_crypt
InstallationDate: Installed on 2016-12-06 (431 days ago)
InstallationMedia: Ubuntu-Server 16.04.1 LTS "Xenial Xerus" - Beta amd64 (20161206)
MachineType: System76 Lemur
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.4.0-112-generic.efi.signed root=UUID=49432620-38ed-44bd-912a-7bc51eec3a35 ro quiet splash possible_cpus=4 nmi_watchdog=0 kaslr vsyscall=none vt.handoff=7
RelatedPackageVersions:
 linux-restricted-modules-4.4.0-112-generic N/A
 linux-backports-modules-4.4.0-112-generic N/A
 linux-firmware 1.157.16
RfKill: Error: [Errno 2] No such file or directory: 'rfkill'
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 02/17/2017
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: 5.12
dmi.board.asset.tag: Tag 12345
dmi.board.name: Lemur
dmi.board.vendor: System76
dmi.board.version: lemu7
dmi.chassis.asset.tag: No Asset Tag
dmi.chassis.type: 10
dmi.chassis.vendor: System76
dmi.chassis.version: N/A
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr5.12:bd02/17/2017:svnSystem76:pnLemur:pvrlemu7:rvnSystem76:rnLemur:rvrlemu7:cvnSystem76:ct10:cvrN/A:
dmi.product.name: Lemur
dmi.product.version: lemu7
dmi.sys.vendor: System76
---
ApportVersion: 2.20.1-0ubuntu2.15
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: simon 7244 F.... pulseaudio
CurrentDesktop: Unity
CurrentDmesg: Error: command ['dmesg'] failed with exit code 1: dmesg: read kernel buffer failed: Operation not permitted
DistroRelease: Ubuntu 16.04
HibernationDevice: RESUME=/dev/mapper/nvme0n1p3_crypt
InstallationDate: Installed on 2016-12-06 (431 days ago)
InstallationMedia: Ubuntu-Server 16.04.1 LTS "Xenial Xerus" - Beta amd64 (20161206)
MachineType: System76 Lemur
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
Package: linux (not installed)
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.4.0-112-generic.efi.signed root=UUID=49432620-38ed-44bd-912a-7bc51eec3a35 ro quiet splash possible_cpus=4 nmi_watchdog=0 kaslr vsyscall=none vt.handoff=7
ProcVersionSignature: Ubuntu 4.4.0-112.135-generic 4.4.98
RelatedPackageVersions:
 linux-restricted-modules-4.4.0-112-generic N/A
 linux-backports-modules-4.4.0-112-generic N/A
 linux-firmware 1.157.16
RfKill: Error: [Errno 2] No such file or directory
Tags: xenial
Uname: Linux 4.4.0-112-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip libvirtd lpadmin lxd plugdev sambashare sudo wireshark
_MarkForUpload: True
dmi.bios.date: 02/17/2017
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: 5.12
dmi.board.asset.tag: Tag 12345
dmi.board.name: Lemur
dmi.board.vendor: System76
dmi.board.version: lemu7
dmi.chassis.asset.tag: No Asset Tag
dmi.chassis.type: 10
dmi.chassis.vendor: System76
dmi.chassis.version: N/A
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr5.12:bd02/17/2017:svnSystem76:pnLemur:pvrlemu7:rvnSystem76:rnLemur:rvrlemu7:cvnSystem76:ct10:cvrN/A:
dmi.product.name: Lemur
dmi.product.version: lemu7
dmi.sys.vendor: System76

Simon Déziel (sdeziel) wrote :

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1748671

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete

apport information

tags: added: apport-collected
description: updated

Simon Déziel (sdeziel) on 2018-02-10
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Simon Déziel (sdeziel) wrote :

I could reproduce with kernel 4.4.0-115.139. Removing dnsmasq's Apparmor profile doesn't change anything.
Once the artful container boots, the host's dnsmasq (lxd-bridge) hangs (state D) and stracing it showed absolutely nothing.

Simon Déziel (sdeziel) wrote :

apw's test kernel (https://people.canonical.com/~apw/lp1748671/fix-not-xenial/) fixed the problem, thanks!

Changed in linux (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Incomplete
status: Incomplete → Triaged
Changed in linux (Ubuntu Xenial):
status: New → Triaged
importance: Undecided → Medium

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
Simon Déziel (sdeziel) wrote :

The -proposed kernel 4.4.0-116.140 fixes the issue, thanks!

tags: added: verification-done-xenial
removed: verification-needed-xenial
Changed in linux (Ubuntu Xenial):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-116.140

---------------
linux (4.4.0-116.140) xenial; urgency=medium

  * linux: 4.4.0-116.140 -proposed tracker (LP: #1748990)

  * BUG: unable to handle kernel NULL pointer dereference at 0000000000000009
    (LP: #1748671)
    - SAUCE: net: ipv4: fix for a race condition in raw_sendmsg -- fix backport

linux (4.4.0-115.139) xenial; urgency=medium

  * linux: 4.4.0-115.138 -proposed tracker (LP: #1748745)

  * CVE-2017-5715 (Spectre v2 Intel)
    - Revert "UBUNTU: SAUCE: turn off IBPB when full retpoline is present"
    - SAUCE: turn off IBRS when full retpoline is present
    - [Packaging] retpoline files must be sorted
    - [Packaging] pull in retpoline files

linux (4.4.0-114.137) xenial; urgency=medium

  * linux: 4.4.0-114.137 -proposed tracker (LP: #1748484)

  * ALSA backport missing NVIDIA GPU codec IDs to patch table to
    Ubuntu 16.04 LTS Kernel (LP: #1744117)
    - ALSA: hda - Add missing NVIDIA GPU codec IDs to patch table

  * Shutdown hang on 16.04 with iscsi targets (LP: #1569925)
    - scsi: libiscsi: Allow sd_shutdown on bad transport

  * libata: apply MAX_SEC_1024 to all LITEON EP1 series devices (LP: #1743053)
    - libata: apply MAX_SEC_1024 to all LITEON EP1 series devices

  * KVM patches for s390x to provide facility bits 81 (ppa15) and 82 (bpb)
    (LP: #1747090)
    - KVM: s390: wire up bpb feature
    - KVM: s390: Enable all facility bits that are known good for passthrough

  * CVE-2017-5715 (Spectre v2 Intel)
    - SAUCE: drop lingering gmb() macro
    - x86/feature: Enable the x86 feature to control Speculation
    - x86/feature: Report presence of IBPB and IBRS control
    - x86/enter: MACROS to set/clear IBRS and set IBPB
    - x86/enter: Use IBRS on syscall and interrupts
    - x86/idle: Disable IBRS entering idle and enable it on wakeup
    - x86/idle: Disable IBRS when offlining cpu and re-enable on wakeup
    - x86/mm: Set IBPB upon context switch
    - x86/mm: Only set IBPB when the new thread cannot ptrace current thread
    - x86/kvm: add MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD to kvm
    - x86/kvm: Set IBPB when switching VM
    - x86/kvm: Toggle IBRS on VM entry and exit
    - x86/spec_ctrl: Add sysctl knobs to enable/disable SPEC_CTRL feature
    - x86/spec_ctrl: Add lock to serialize changes to ibrs and ibpb control
    - x86/cpu/amd, kvm: Satisfy guest kernel reads of IC_CFG MSR
    - x86/cpu/AMD: Add speculative control support for AMD
    - x86/microcode: Extend post microcode reload to support IBPB feature
    - KVM: SVM: Do not intercept new speculative control MSRs
    - x86/svm: Set IBRS value on VM entry and exit
    - x86/svm: Set IBPB when running a different VCPU
    - KVM: x86: Add speculative control CPUID support for guests
    - SAUCE: Fix spec_ctrl support in KVM
    - SAUCE: turn off IBPB when full retpoline is present

linux (4.4.0-113.136) xenial; urgency=low

  * linux: 4.4.0-113.136 -proposed tracker (LP: #1746936)

  [ Stefan Bader ]
  * Missing install-time driver for QLogic QED 25/40/100Gb Ethernet NIC
    (LP: #1743638)
    - [d-i] Add qede to nic-modules udeb

  * CVE-2017-5753 (Spectre v1 Intel)
    - x86/cpu/AMD: Make t...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released