On Sun, 2012-01-22 at 15:11 -0500, Daniel Kahn Gillmor wrote:
> Subject: linux-image-3.2.0-1-686-pae: kernel NULL pointer dereference in
> vsnprintf
> Package: linux-2.6
> Version: 3.2.1-1
> Severity: normal
>
> Hi debian kernel team--
>
> i just upgraded to 3.2 from unstable on this Asus EeePC 900. The
> machine was only up for about 20 minutes (i was already logged in,
> though), when i got the OOPS recorded below.
[...]
> [ 2158.263290] BUG: unable to handle kernel NULL pointer dereference at
> (null)
> [ 2158.263455] IP: [<c1161254>] vsnprintf+0xb4/0x247
> [ 2158.263561] *pdpt = 0000000034bbe001 *pde = 0000000000000000
> [ 2158.263682] Oops: 0002 [#1] SMP
> [ 2158.263759] Modules linked in: bnep bluetooth crc16 binfmt_misc uinput
> fuse arc4 ath5k ath mac80211 cfg80211 loop snd_hda_codec_realtek joydev
> snd_hda_intel snd_hda_codec snd_hwdep snd_pcm_oss snd_mixer_oss snd_pcm
> snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq snd_timer snd_seq_device
> i915 drm_kms_helper snd drm uvcvideo i2c_algo_bit iTCO_wdt videodev
> iTCO_vendor_support media psmouse soundcore i2c_core evdev serio_raw rng_core
> snd_page_alloc video battery eeepc_laptop ac sparse_keymap power_supply
> rfkill processor pci_hotplug button ext3 jbd mbcache btrfs zlib_deflate
> crc32c libcrc32c sha256_generic cryptd aes_i586 aes_generic cbc dm_crypt
> usb_storage uas dm_mod raid1 md_mod sd_mod crc_t10dif ata_generic ata_piix
> ahci libahci libata uhci_hcd scsi_mod ehci_hcd usbcore atl2 thermal
> thermal_sys usb_common [last unloaded: scsi_wait_scan]
> [ 2158.265208]
> [ 2158.265208] Pid: 7282, comm: ps Not tainted 3.2.0-1-686-pae #1 ASUSTeK
> Computer INC. 900/900
> [ 2158.265208] EIP: 0060:[<c1161254>] EFLAGS: 00010283 CPU: 0
> [ 2158.265208] EIP is at vsnprintf+0xb4/0x247
> [ 2158.265208] EAX: 00000008 EBX: 00402100 ECX: 00000008 EDX: 0805c800
> [ 2158.265208] ESI: 0805c7fc EDI: 00000000 EBP: 00000000 ESP: f4453d3c
> [ 2158.265208] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
> [ 2158.265208] Process ps (pid: 7282, ti=f4452000 task=f730c660
> task.ti=f4452000)
> [ 2158.265208] Stack:
> [ 2158.265208] 00001000 00000000 00001000 0805c804 00000000 00000000
> f44b3e40 00000000
> [ 2158.265208] 00000000 bfd547e0 c10dfbb8 00402100 c11058e0 f44b3e40
> c136bd24 00001c72
> [ 2158.265208] f4453ef4 00000052 00001c70 000006b1 000006b1 00000000
> ffffffff 00402100
> [ 2158.265208] Call Trace:
> [ 2158.265208] [<c10dfbb8>] ? seq_printf+0x22/0x3d
> [ 2158.265208] [<c11058e0>] ? do_task_stat+0x67c/0x6b7
> [ 2158.265208] [<c1105eb4>] ? proc_tgid_stat+0xb/0xe
> [ 2158.265208] [<c1102c16>] ? proc_single_show+0x3c/0x57
> [ 2158.265208] [<c10dfe65>] ? seq_read+0x167/0x32d
> [ 2158.265208] [<c10dfcfe>] ? seq_lseek+0x12b/0x12b
> [ 2158.265208] [<c10cb8b4>] ? vfs_read+0x80/0xd1
> [ 2158.265208] [<c10cb942>] ? sys_read+0x3d/0x61
> [ 2158.265208] [<c12bd85f>] ? sysenter_do_call+0x12/0x28
> [ 2158.265208] Code: 54 24 0c 8a 54 24 10 80 fa 11 0f 87 17 01 00 00 0f b6 ca
> ff 24 8d a4 9c 2d c1 3b 2c 24 73 0e 8b 0c 24 89 ef 29 e9 39 c8 0f 4e c8 <f3>
> a4 01 c5 e9 56 01 00 00 8b 03 66 89 44 24 14 eb 07 8b 03 66
> [ 2158.265208] EIP: [<c1161254>] vsnprintf+0xb4/0x247 SS:ESP 0068:f4453d3c
> [ 2158.265208] CR2: 0000000000000000
> [ 2158.305216] ---[ end trace 051bab8bc912e56a ]---
[...]
It looks like we got to the memcpy() in vsnprintf() with str == NULL.
Which seems to mean that seq_file is seriously broken.  But it hasn't
changed between 3.1 and 3.2, so I doubt it's really the source of the
problem.

Have you seen any more of these?  Do you remember doing anything in
particular before this crash (aside from running ps)?

Ben.

-- 
Ben Hutchings
Horngren's Observation:
Among economists, the real world is often a special case.
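As an added illustration that is not part of the thread: a small Python triage script (my own, standard library only) that pulls the fault fields out of an i386 oops like the one quoted above and checks the pattern Ben describes. The bytes marked `<f3> a4` in the Code: line decode to `rep movsb`, which copies ESI to EDI, so EDI == 0 together with CR2 == 0 and a write error code (Oops: 0002) is consistent with vsnprintf() being handed a NULL output buffer. The dump embedded below is a constructed excerpt of the report's oops, trimmed to the lines the parser needs.

```python
import re

# Constructed excerpt of the i386 oops quoted in the report (not the full dump).
OOPS = """\
[ 2158.263290] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 2158.263455] IP: [<c1161254>] vsnprintf+0xb4/0x247
[ 2158.263682] Oops: 0002 [#1] SMP
[ 2158.265208] EAX: 00000008 EBX: 00402100 ECX: 00000008 EDX: 0805c800
[ 2158.265208] ESI: 0805c7fc EDI: 00000000 EBP: 00000000 ESP: f4453d3c
[ 2158.265208] Call Trace:
[ 2158.265208]  [<c10dfbb8>] ? seq_printf+0x22/0x3d
[ 2158.265208]  [<c11058e0>] ? do_task_stat+0x67c/0x6b7
[ 2158.265208] Code: 8b 0c 24 89 ef 29 e9 39 c8 0f 4e c8 <f3> a4 01 c5 e9 56
[ 2158.265208] CR2: 0000000000000000
"""

REG_RE = re.compile(r"\b(E[ABCD]X|E[SD]I|E[BS]P):\s*([0-9a-f]{8})")
SYM_RE = re.compile(r"\[<[0-9a-f]+>\]\s*\??\s*([\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+)")

def parse_oops(text):
    # Collect faulting symbol, page-fault error code, registers, trace, fault bytes, CR2.
    info = {"regs": {}, "trace": []}
    in_trace = False
    for line in text.splitlines():
        body = re.sub(r"^\[\s*[\d.]+\]\s*", "", line)  # drop the timestamp
        if body.startswith("IP:"):
            info["ip"] = SYM_RE.search(body).group(1)
        elif body.startswith("Oops:"):
            info["error_code"] = int(body.split()[1], 16)
        elif body.startswith("Call Trace:"):
            in_trace = True
        elif body.startswith("Code:"):
            in_trace = False  # <xx> marks the first byte of the faulting instruction
            m = re.search(r"<([0-9a-f]{2})>\s+([0-9a-f]{2})", body)
            info["fault_bytes"] = bytes.fromhex(m.group(1) + m.group(2))
        elif body.startswith("CR2:"):
            info["cr2"] = int(body.split()[1], 16)
        elif in_trace:
            m = SYM_RE.search(body)
            if m: info["trace"].append(m.group(1))
        for reg, val in REG_RE.findall(body):
            info["regs"][reg] = int(val, 16)
    return info

def diagnose(info):
    # f3 a4 is "rep movsb" (the memcpy() copy loop in vsnprintf()), writing ESI -> EDI.
    # EDI == 0 with CR2 == 0 means the destination string buffer was NULL.
    if info.get("fault_bytes") == b"\xf3\xa4" and info["regs"].get("EDI") == 0:
        kind = "write" if info.get("error_code", 0) & 2 else "read"  # bit 1 = W/R
        return f"{info['ip']}: rep movsb to NULL ({kind} fault) via {info['trace'][0]}"
    return "no known pattern"
```

Running `diagnose(parse_oops(OOPS))` reports the vsnprintf() write to a NULL buffer reached from seq_printf(); feeding it a different oops returns "no known pattern" rather than guessing.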