http://bugzilla.opensuse.org/show_bug.cgi?id=1205597

Bug ID: 1205597
Summary: ltp:pyt03:slcan: null-ptr-deref in process_one_work
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Kernel
Assignee: kernel-bugs@opensuse.org
Reporter: richard.palethorpe@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

The LTP test pty03 is causing a null pointer dereference on Tumbleweed in OpenQA:

https://openqa.opensuse.org/tests/2891345#step/pty03/9
https://openqa.opensuse.org/tests/2891345/logfile?filename=serial0.txt

This has been happening for a month or more:

https://openqa.opensuse.org/tests/2891345#next_previous

I can't reproduce this on the upstream kernel (v6.0.9). Plus I can't see the connection to SLCAN, although I guess it could have submitted faulty data to the workqueue. Or else this is actually a use-after-free of some sort. AFAIK enabling the SLCAN ldisc requires privs. I'd be in favour of moving the module to a separate package or blacklisting it.

Below is the decoded stack trace.
[ 173.520584][ T348] BUG: kernel NULL pointer dereference, address: 0000000000000008
[ 173.521211][ T348] #PF: supervisor read access in kernel mode
[ 173.521711][ T348] #PF: error_code(0x0000) - not-present page
[ 173.522197][ T348] PGD 0 P4D 0
[ 173.522641][ T348] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 173.523287][ T348] CPU: 0 PID: 348 Comm: kworker/0:3 Not tainted 6.0.8-1-default #1 openSUSE Tumbleweed 9d20364b934f5aab0a9bdf84e8f45cfdfae39dab
[ 173.524682][ T348] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
[ 173.525978][ T348] Workqueue: 0x0 (events)
[ 173.526562][ T348] RIP: 0010:process_one_work (/home/rich/kernel/linux/kernel/workqueue.c:706 /home/rich/kernel/linux/kernel/workqueue.c:2185)
[ 173.527114][ T348] Code: 49 89 ff 41 56 41 55 41 54 55 53 48 89 f3 48 83 ec 10 48 8b 06 48 8b 6f 48 49 89 c4 45 30 e4 a8 04 b8 00 00 00 00 4c 0f 44 e0 <49> 8b 44 24 08 44 8b a8 00 01 00 00 41 83 e5 20 f6 45 10 04 75 0e
All code
========
   0:   49 89 ff                mov    %rdi,%r15
   3:   41 56                   push   %r14
   5:   41 55                   push   %r13
   7:   41 54                   push   %r12
   9:   55                      push   %rbp
   a:   53                      push   %rbx
   b:   48 89 f3                mov    %rsi,%rbx
   e:   48 83 ec 10             sub    $0x10,%rsp
  12:   48 8b 06                mov    (%rsi),%rax
  15:   48 8b 6f 48             mov    0x48(%rdi),%rbp
  19:   49 89 c4                mov    %rax,%r12
  1c:   45 30 e4                xor    %r12b,%r12b
  1f:   a8 04                   test   $0x4,%al
  21:   b8 00 00 00 00          mov    $0x0,%eax
  26:   4c 0f 44 e0             cmove  %rax,%r12
  2a:*  49 8b 44 24 08          mov    0x8(%r12),%rax           <-- trapping instruction
  2f:   44 8b a8 00 01 00 00    mov    0x100(%rax),%r13d
  36:   41 83 e5 20             and    $0x20,%r13d
  3a:   f6 45 10 04             testb  $0x4,0x10(%rbp)
  3e:   75 0e                   jne    0x4e

Code starting with the faulting instruction
===========================================
   0:   49 8b 44 24 08          mov    0x8(%r12),%rax
   5:   44 8b a8 00 01 00 00    mov    0x100(%rax),%r13d
   c:   41 83 e5 20             and    $0x20,%r13d
  10:   f6 45 10 04             testb  $0x4,0x10(%rbp)
  14:   75 0e                   jne    0x24
[ 173.528748][ T348] RSP: 0018:ffffaf7b40f47e98 EFLAGS: 00010046
[ 173.529401][ T348] RAX: 0000000000000000 RBX: ffff9d644e1b8b48 RCX: ffff9d649e439968
[ 173.530031][ T348] RDX: 00000000ffff8455 RSI: ffff9d644e1b8b48 RDI: ffff9d64764aa6c0
[ 173.530660][ T348] RBP: ffff9d649e4335c0 R08: 0000000000000c00 R09: ffff9d64764aa734
[ 173.531300][ T348] R10: 0000000000000007 R11: 0000000000000001 R12: 0000000000000000
[ 173.531959][ T348] R13: ffff9d649e4335e8 R14: ffff9d64490da780 R15: ffff9d64764aa6c0
[ 173.532620][ T348] FS:  0000000000000000(0000) GS:ffff9d649e400000(0000) knlGS:0000000000000000
[ 173.533412][ T348] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 173.534064][ T348] CR2: 0000000000000008 CR3: 0000000036424000 CR4: 00000000000006f0
[ 173.534827][ T348] Call Trace:
[ 173.535315][ T348]  <TASK>
[ 173.535753][ T348]  worker_thread (/home/rich/kernel/linux/kernel/workqueue.c:2436)
[ 173.536379][ T348]  ? process_one_work (/home/rich/kernel/linux/./include/trace/events/workqueue.h:82 /home/rich/kernel/linux/kernel/workqueue.c:2288)
[ 173.536947][ T348]  kthread (/home/rich/kernel/linux/kernel/kthread.c:376)
[ 173.537396][ T348]  ? kthread_complete_and_exit (/home/rich/kernel/linux/kernel/kthread.c:331)
[ 173.537912][ T348]  ret_from_fork (/home/rich/kernel/linux/arch/x86/entry/entry_64.S:312)
[ 173.538370][ T348]  </TASK>
[ 173.538754][ T348] Modules linked in: slcan can_dev ppp_synctty n_hdlc mkiss ax25 ppp_async ppp_generic slip slhc serport af_packet rfkill qrtr snd_hda_codec_generic ledtrig_audio tiny_power_button snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec ppdev snd_hda_core snd_hwdep snd_pcm snd_timer pcspkr virtio_net net_failover snd soundcore failover i2c_piix4 parport_pc button parport joydev nfsd auth_rpcgss nfs_acl lockd grace sunrpc fuse configfs dmi_sysfs ip_tables x_tables hid_generic usbhid xhci_pci xhci_pci_renesas xhci_hcd sr_mod cdrom ata_generic usbcore bochs virtio_blk virtio_scsi drm_vram_helper drm_ttm_helper ttm ata_piix floppy serio_raw btrfs blake2b_generic libcrc32c xor raid6_pq sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua qemu_fw_cfg virtio_rng
[ 173.544273][ T348] CR2: 0000000000000008
[ 173.544764][ T348] ---[ end trace 0000000000000000 ]---
[ 173.545331][ T348] RIP: 0010:process_one_work (/home/rich/kernel/linux/kernel/workqueue.c:706 /home/rich/kernel/linux/kernel/workqueue.c:2185)
[ 173.545891][ T348] Code: 49 89 ff 41 56 41 55 41 54 55 53 48 89 f3 48 83 ec 10 48 8b 06 48 8b 6f 48 49 89 c4 45 30 e4 a8 04 b8 00 00 00 00 4c 0f 44 e0 <49> 8b 44 24 08 44 8b a8 00 01 00 00 41 83 e5 20 f6 45 10 04 75 0e
All code
========
   0:   49 89 ff                mov    %rdi,%r15
   3:   41 56                   push   %r14
   5:   41 55                   push   %r13
   7:   41 54                   push   %r12
   9:   55                      push   %rbp
   a:   53                      push   %rbx
   b:   48 89 f3                mov    %rsi,%rbx
   e:   48 83 ec 10             sub    $0x10,%rsp
  12:   48 8b 06                mov    (%rsi),%rax
  15:   48 8b 6f 48             mov    0x48(%rdi),%rbp
  19:   49 89 c4                mov    %rax,%r12
  1c:   45 30 e4                xor    %r12b,%r12b
  1f:   a8 04                   test   $0x4,%al
  21:   b8 00 00 00 00          mov    $0x0,%eax
  26:   4c 0f 44 e0             cmove  %rax,%r12
  2a:*  49 8b 44 24 08          mov    0x8(%r12),%rax           <-- trapping instruction
  2f:   44 8b a8 00 01 00 00    mov    0x100(%rax),%r13d
  36:   41 83 e5 20             and    $0x20,%r13d
  3a:   f6 45 10 04             testb  $0x4,0x10(%rbp)
  3e:   75 0e                   jne    0x4e

Code starting with the faulting instruction
===========================================
   0:   49 8b 44 24 08          mov    0x8(%r12),%rax
   5:   44 8b a8 00 01 00 00    mov    0x100(%rax),%r13d
   c:   41 83 e5 20             and    $0x20,%r13d
  10:   f6 45 10 04             testb  $0x4,0x10(%rbp)
  14:   75 0e                   jne    0x24
[ 173.547458][ T348] RSP: 0018:ffffaf7b40f47e98 EFLAGS: 00010046
[ 173.548063][ T348] RAX: 0000000000000000 RBX: ffff9d644e1b8b48 RCX: ffff9d649e439968
[ 173.548766][ T348] RDX: 00000000ffff8455 RSI: ffff9d644e1b8b48 RDI: ffff9d64764aa6c0
[ 173.549488][ T348] RBP: ffff9d649e4335c0 R08: 0000000000000c00 R09: ffff9d64764aa734
[ 173.550193][ T348] R10: 0000000000000007 R11: 0000000000000001 R12: 0000000000000000
[ 173.550898][ T348] R13: ffff9d649e4335e8 R14: ffff9d64490da780 R15: ffff9d64764aa6c0
[ 173.551604][ T348] FS:  0000000000000000(0000) GS:ffff9d649e400000(0000) knlGS:0000000000000000
[ 173.552358][ T348] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 173.552998][ T348] CR2: 0000000000000008 CR3: 0000000036424000 CR4: 00000000000006f0
[ 173.553729][ T348] note: kworker/0:3[348] exited with preempt_count 1
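A triage check on the register dump above, added here as an example and not part of the report: it parses the register lines, computes the effective address of the trapping instruction mov 0x8(%r12),%rax and confirms it equals CR2, i.e. the base pointer in R12 was NULL. The ZF check ties that to the test $0x4,%al / cmove %rax,%r12 pair right before the fault; reading that pair as the flag test on work->data in get_work_pwq() is my interpretation of the disassembly, the report itself only names process_one_work.

```python
import re

# Constructed excerpt of the register dump from the oops above; the values are
# copied from the report, only the lines needed for the check are kept.
OOPS = """\
[ 173.520584][ T348] BUG: kernel NULL pointer dereference, address: 0000000000000008
[ 173.528748][ T348] RSP: 0018:ffffaf7b40f47e98 EFLAGS: 00010046
[ 173.529401][ T348] RAX: 0000000000000000 RBX: ffff9d644e1b8b48 RCX: ffff9d649e439968
[ 173.531300][ T348] R10: 0000000000000007 R11: 0000000000000001 R12: 0000000000000000
[ 173.534064][ T348] CR2: 0000000000000008 CR3: 0000000036424000 CR4: 00000000000006f0
"""
# The trapping instruction as printed in the decoded "Code:" section above.
TRAP_INSN = "mov 0x8(%r12),%rax"

# "NAME: hexvalue" pairs; RSP carries a "0018:" segment prefix that is skipped.
REG_RE = re.compile(r"\b([A-Z0-9]{3,6}): (?:[0-9a-f]{4}:)?([0-9a-f]{8,16})\b")
# AT&T memory operand: optional hex displacement and a base register in parentheses.
MEM_RE = re.compile(r"(-?0x[0-9a-f]+)?\((%[a-z0-9]+)\)")
X86_ZF = 1 << 6  # zero flag bit in EFLAGS


def parse_registers(oops_text):
    """Map register names (RAX, R12, CR2, EFLAGS, ...) to integer values."""
    return {name: int(val, 16) for name, val in REG_RE.findall(oops_text)}


def effective_address(regs, insn):
    """Return (base + displacement, base register name) for insn's memory operand."""
    m = MEM_RE.search(insn)
    if m is None:
        raise ValueError("no memory operand in %r" % insn)
    disp = int(m.group(1), 16) if m.group(1) else 0
    base = m.group(2).lstrip("%").upper()
    return regs[base] + disp, base


def diagnose(oops_text, insn):
    """Check that the fault address follows from a NULL base register."""
    regs = parse_registers(oops_text)
    addr, base = effective_address(regs, insn)
    return {
        "base": base,
        "base_is_null": regs[base] == 0,
        "effective_address": addr,
        "matches_cr2": addr == regs["CR2"],
        # ZF set: the 'test $0x4,%al' before the fault saw the flag bit clear,
        # so 'cmove %rax,%r12' replaced the pointer in R12 with 0.
        "zf_set": bool(regs["EFLAGS"] & X86_ZF),
    }
```

Running diagnose(OOPS, TRAP_INSN) reports base R12 null, effective address 0x8 matching CR2 and ZF set, which is the NULL-pointer reading rather than a wild pointer; a use-after-free that left a stale but non-NULL pwq would instead show a non-zero R12 and a CR2 far from the low page.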