Re: linux 5.14.3: free_user_ns causes NULL pointer dereference

On Thu, 07 Oct 2021 13:28:29 +0000 Jordan Glover wrote:
>
>For me above patch changed slightly the printed output. Now the warning
>comes from 'cleanup_net' instead of 'free_user_ns'. My system was also
>still responsive after the bug occurred which didn't happen previously.
>I can't say if this means anything or if this is result of above patch
>or instability of my reproducer.

Thanks for your report.

It is the same issue as reported before and my patch did not help.

Hillf
>
>------------[ cut here ]------------
>WARNING: CPU: 2 PID: 27643 at kernel/ucount.c:256 dec_ucount+0x43/0x50
>Modules linked in: <cut>
>CPU: 2 PID: 27643 Comm: kworker/u8:3 Not tainted 5.14.9 #1 0274f3d0712a6dadc9a2cf8341ae333de732a31a
>Workqueue: netns cleanup_net
>RIP: 0010:dec_ucount+0x43/0x50
>Code: 14 01 48 8b 02 48 89 c6 48 83 ee 01 78 1c f0 48 0f b1 32 75 f0 48 8b 41 10 48 8b 88 e8 01 00 00 48 85 c9 75 d9 e9 fd fc ff ff <0f> 0b eb e7 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 f8 48
>RSP: 0018:ffffb34fc34cfe30 EFLAGS: 00010297
>RAX: 0000000000000000 RBX: ffffa448eec5f3b0 RCX: ffffa447cfe1f540
>RDX: ffffa447cfe1f580 RSI: ffffffffffffffff RDI: ffffa447c445c780
>RBP: ffffa448eec5f380 R08: 0000000000000040 R09: ffffa44a196ac040
>R10: 00000000001436be R11: 0000000000000259 R12: ffffb34fc34cfe10
>R13: ffffb34fc34cfe40 R14: 00000000ffffffff R15: ffffa448eec5d414
>FS:  0000000000000000(0000) GS:ffffa44a19700000(0000) knlGS:0000000000000000
>CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>CR2: 000072a95d359030 CR3: 000000000b20e005 CR4: 00000000003706e0
>DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>Call Trace:
> cleanup_net+0x2e2/0x370
> process_one_work+0x1e1/0x380
> worker_thread+0x50/0x3a0
> ? rescuer_thread+0x360/0x360
> kthread+0x127/0x150
> ? set_kthread_struct+0x40/0x40
> ret_from_fork+0x22/0x30
>---[ end trace e5fdc3317f00d0e8 ]---
>BUG: kernel NULL pointer dereference, address: 00000000000001e8
>#PF: supervisor read access in kernel mode
>#PF: error_code(0x0000) - not-present page
>PGD 0 P4D 0
>Oops: 0000 [#1] SMP PTI
>CPU: 2 PID: 27643 Comm: kworker/u8:3 Tainted: G        W         5.14.9 #1 0274f3d0712a6dadc9a2cf8341ae333de732a31a
>Workqueue: netns cleanup_net
>RIP: 0010:dec_ucount+0x32/0x50
>Code: 74 34 89 f6 48 89 f9 4c 8d 04 f5 20 00 00 00 4a 8d 14 01 48 8b 02 48 89 c6 48 83 ee 01 78 1c f0 48 0f b1 32 75 f0 48 8b 41 10 <48> 8b 88 e8 01 00 00 48 85 c9 75 d9 e9 fd fc ff ff 0f 0b eb e7 66
>RSP: 0018:ffffb34fc34cfe30 EFLAGS: 00010297
>RAX: 0000000000000000 RBX: ffffa448eec5f3b0 RCX: ffffa447cfe1f540
>RDX: ffffa447cfe1f580 RSI: ffffffffffffffff RDI: ffffa447c445c780
>RBP: ffffa448eec5f380 R08: 0000000000000040 R09: ffffa44a196ac040
>R10: 00000000001436be R11: 0000000000000259 R12: ffffb34fc34cfe10
>R13: ffffb34fc34cfe40 R14: 00000000ffffffff R15: ffffa448eec5d414
>FS:  0000000000000000(0000) GS:ffffa44a19700000(0000) knlGS:0000000000000000
>CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>CR2: 00000000000001e8 CR3: 000000000b20e005 CR4: 00000000003706e0
>DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>Call Trace:
> cleanup_net+0x2e2/0x370
> process_one_work+0x1e1/0x380
> worker_thread+0x50/0x3a0
> ? rescuer_thread+0x360/0x360
> kthread+0x127/0x150
> ? set_kthread_struct+0x40/0x40
> ret_from_fork+0x22/0x30
>Modules linked in: <cut>
>CR2: 00000000000001e8
>---[ end trace e5fdc3317f00d0e9 ]---
>RIP: 0010:dec_ucount+0x32/0x50
>Code: 74 34 89 f6 48 89 f9 4c 8d 04 f5 20 00 00 00 4a 8d 14 01 48 8b 02 48 89 c6 48 83 ee 01 78 1c f0 48 0f b1 32 75 f0 48 8b 41 10 <48> 8b 88 e8 01 00 00 48 85 c9 75 d9 e9 fd fc ff ff 0f 0b eb e7 66
>RSP: 0018:ffffb34fc34cfe30 EFLAGS: 00010297
>RAX: 0000000000000000 RBX: ffffa448eec5f3b0 RCX: ffffa447cfe1f540
>RDX: ffffa447cfe1f580 RSI: ffffffffffffffff RDI: ffffa447c445c780
>RBP: ffffa448eec5f380 R08: 0000000000000040 R09: ffffa44a196ac040
>R10: 00000000001436be R11: 0000000000000259 R12: ffffb34fc34cfe10
>R13: ffffb34fc34cfe40 R14: 00000000ffffffff R15: ffffa448eec5d414
>FS:  0000000000000000(0000) GS:ffffa44a19700000(0000) knlGS:0000000000000000
>CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>CR2: 00000000000001e8 CR3: 000000000b20e005 CR4: 00000000003706e0
>DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>
>