NULL pointer dereference in tty_write() in kernel 4.4.0-93.116+
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | High | Unassigned |
Xenial | Fix Released | High | Unassigned |
Bug Description
Sometimes an Ubuntu kernel 4.4.0-93+ panics in the following way:
[ 11.185347] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 11.185778] IP: [<ffffffff814f9
[ 11.186115] PGD 0
[ 11.186270] Oops: 0000 [#1] SMP
[ 11.186506] Modules linked in: prl_fs(POE) prl_eth(POE) gpio_ich ppdev snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_timer input_leds snd serio_raw soundcore lpc_ich shpchp sbs prl_tg(POE) sbshc pvpanic parport_pc parport mac_hid autofs4 psmouse ahci libahci pata_acpi fjes
[ 11.188034] CPU: 0 PID: 1 Comm: systemd Tainted: P OE 4.4.0-96-generic #119-Ubuntu
[ 11.188482] Hardware name: Parallels Software International Inc. Parallels Virtual Platform/Parallels Virtual Platform, BIOS 13.1.0 (43104) 09/26/2017
[ 11.189156] task: ffff88003db80000 ti: ffff88003db88000 task.ti: ffff88003db88000
[ 11.189546] RIP: 0010:[<
[ 11.189964] RSP: 0000:ffff88003d
[ 11.190255] RAX: 0000000000000000 RBX: ffff8800392dd800 RCX: 0000000000000000
[ 11.190628] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8800392dd828
[ 11.191002] RBP: ffff88003db8bd18 R08: ffff88003db88000 R09: 0000000000000000
[ 11.191398] R10: 000000000000005c R11: 0000000000401ce0 R12: 000000000000002f
[ 11.191775] R13: ffff88003584ae70 R14: 000055c8eab15f20 R15: ffff88003584ae00
[ 11.192152] FS: 00007f649d1418c
[ 11.192573] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 11.192882] CR2: 0000000000000000 CR3: 000000003d3b6000 CR4: 00000000000006f0
[ 11.193264] Stack:
[ 11.193404] 0000000000000000 ffffffff813953ba ffff88003db8bd08 ffffffff813493bd
[ 11.193837] 000000000000002f ffff88003584ae00 000055c8eab15f20 ffff88003584ae70
[ 11.194267] 000000000000002f ffff88003db8bf18 ffff88003db8bd28 ffffffff8120f878
[ 11.194700] Call Trace:
[ 11.194884] [<ffffffff81395
[ 11.195248] [<ffffffff81349
[ 11.195621] [<ffffffff8120f
[ 11.195916] [<ffffffff81210
[ 11.196202] [<ffffffff814f9
[ 11.196532] [<ffffffff814f9
[ 11.196830] [<ffffffff8120f
[ 11.197160] [<ffffffff814f9
[ 11.197458] [<ffffffff81210
[ 11.198439] [<ffffffff81223
[ 11.199374] [<ffffffff81210
[ 11.200268] [<ffffffff81211
[ 11.201144] [<ffffffff81224
[ 11.202049] [<ffffffff81843
[ 11.202980] Code: 47 02 00 00 48 8b 93 e0 01 00 00 83 e2 02 0f 85 37 02 00 00 48 83 78 50 00 0f 84 38 02 00 00 48 89 df e8 11 7f 00 00 48 89 45 b0 <48> 8b 00 48 8b 40 40 48 89 c2 48 89 45 c0 48 c7 c0 fb ff ff ff
[ 11.208047] RIP [<ffffffff814f9
[ 11.208942] RSP <ffff88003db8bcc8>
[ 11.209713] CR2: 0000000000000000
[ 11.210517] ---[ end trace 3b933544655b49b8 ]---
[ 11.335210] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
[ 11.335210]
[ 11.337095] Kernel Offset: disabled
[ 11.338184] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
The crash occurs here:
1227 static ssize_t tty_write(struct file *file, const char __user *buf,
[...]
1243 ld = tty_ldisc_
1244 if (!ld->ops->write) // <===
1245 ret = -EIO;
1246 else
1247 ret = do_tty_
because tty_ldisc_
It seems the issue has been introduced into 4.4.0-93+ kernels
by the fix for the bug #1709126: according to the version 4.4.0-93.116
changelog the patch "tty: Destroy ldisc instance on hangup" (https:/
tty_ldisc_
into the Ubuntu Linux kernel 4.4.0-93+. However, the patch
"tty: Prepare for destroying line discipline on hangup"
(https:/
from the same patchset (https:/
that prepares tty_ldisc_
for this hasn't been backported.
Additional info:
Kernel version:
Linux version 4.4.0-96-generic (buildd@lgw01-10) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~
lsb_release -rd output:
Description: Ubuntu 16.04.3 LTS
Release: 16.04
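The report's reasoning is that once "tty: Destroy ldisc instance on hangup" lets a hung-up tty have no line discipline, the quoted tty_write() path uses the pointer it gets back without checking it. The following user-space model is an added example, not code from the Ubuntu kernel or from either patch: the struct and function names mirror the kernel's for readability but are simplified stand-ins, tty_hangup_model() and n_tty_write_model() are invented here, and returning -EIO from the hardened writer when no ldisc is present is this model's assumption of how the preparation patch behaves.

```c
/* Added example: a user-space model of the tty_write()/ldisc lifecycle
 * described in the bug. Not kernel code; names are simplified stand-ins. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct tty_ldisc_ops {
    /* Simplified signature; the kernel's write op takes tty, file, buf, count. */
    long (*write)(const char *buf, size_t count);
};

struct tty_ldisc {
    struct tty_ldisc_ops *ops;
};

struct tty_struct {
    struct tty_ldisc *ldisc;   /* NULL once hangup has destroyed the ldisc */
};

/* Invented line-discipline write: accepts every byte and reports the count. */
static long n_tty_write_model(const char *buf, size_t count) {
    (void)buf;
    return (long)count;
}

static struct tty_ldisc_ops n_tty_ops = { .write = n_tty_write_model };
static struct tty_ldisc n_tty_ldisc = { .ops = &n_tty_ops };

/* Stand-in for tty_ldisc_ref_wait(): before "Destroy ldisc instance on hangup"
 * a tty always carried a live ldisc, so callers never saw NULL. After that
 * change a hung-up tty has no ldisc and NULL becomes a legitimate result. */
static struct tty_ldisc *tty_ldisc_ref_wait(struct tty_struct *tty) {
    return tty->ldisc;
}

static void tty_ldisc_deref(struct tty_ldisc *ld) { (void)ld; }

/* Invented model of hangup after the ldisc-destroying change. */
static void tty_hangup_model(struct tty_struct *tty) {
    tty->ldisc = NULL;
}

/* Shape of tty_write() as quoted in the report: ld is dereferenced without a
 * NULL check, which on a hung-up tty is the reported oops (CR2 == 0). */
static long tty_write_unpatched(struct tty_struct *tty, const char *buf, size_t count) {
    long ret;
    struct tty_ldisc *ld = tty_ldisc_ref_wait(tty);
    if (!ld->ops->write)      /* <=== faults when ld is NULL */
        ret = -EIO;
    else
        ret = ld->ops->write(buf, count);
    tty_ldisc_deref(ld);
    return ret;
}

/* Hardened shape: a missing ldisc means the tty was hung up, so fail the
 * write instead of touching ld. The -EIO here is this model's assumption. */
static long tty_write_patched(struct tty_struct *tty, const char *buf, size_t count) {
    long ret;
    struct tty_ldisc *ld = tty_ldisc_ref_wait(tty);
    if (!ld)
        return -EIO;          /* hung up: nothing to hand the data to */
    if (!ld->ops->write)
        ret = -EIO;
    else
        ret = ld->ops->write(buf, count);
    tty_ldisc_deref(ld);
    return ret;
}

int main(void) {
    struct tty_struct tty = { .ldisc = &n_tty_ldisc };
    const char msg[] = "hello";

    printf("live tty, patched write: %ld\n", tty_write_patched(&tty, msg, sizeof msg - 1));
    tty_hangup_model(&tty);
    printf("hung-up tty, patched write: %ld\n", tty_write_patched(&tty, msg, sizeof msg - 1));
    /* tty_write_unpatched(&tty, ...) at this point would dereference NULL. */
    return 0;
}
```

Both writers agree while the ldisc is alive; the difference is only visible after tty_hangup_model(), which is exactly the window the report attributes to backporting one patch of the series without the one that prepares tty_write() for a NULL ldisc.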
Changed in linux (Ubuntu):
  importance: Undecided → High
  tags: added: kernel-da-key
Changed in linux (Ubuntu):
  status: Incomplete → Triaged
Changed in linux (Ubuntu Xenial):
  status: New → Triaged
  importance: Undecided → High
Changed in linux (Ubuntu Xenial):
  status: In Progress → Fix Committed
Changed in linux (Ubuntu):
  status: In Progress → Fix Released
  tags: added: cscc
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 1721065
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.