From: Sasha Levin <sasha.levin@oracle.com>
To: Arnaldo Carvalho de Melo <acme@redhat.com>,
"David S. Miller" <davem@davemloft.net>
Cc: "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Dave Jones <davej@redhat.com>
Subject: net: llc: NULL ptr deref in llc_ui_sendmsg
Date: Fri, 06 Jun 2014 11:08:33 -0400 [thread overview]
Message-ID: <5391D971.4030001@oracle.com> (raw)
Hi all,
While fuzzing with trinity inside a KVM tools guest running the latest -next
kernel I've stumbled on the following spew:
[ 269.531162] BUG: unable to handle kernel NULL pointer dereference at 000000000000021e
[ 269.531217] IP: llc_ui_sendmsg (net/llc/af_llc.c:912)
[ 269.531232] PGD b6584067 PUD b6585067 PMD 0
[ 269.531246] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[ 269.531287] Dumping ftrace buffer:
[ 269.531451] (ftrace buffer empty)
[ 269.531472] Modules linked in:
[ 269.531483] CPU: 10 PID: 9450 Comm: trinity-c77 Not tainted 3.15.0-rc8-next-20140605-sasha-00021-ga95d8d2 #593
[ 269.531487] task: ffff8800b6563000 ti: ffff8800b659c000 task.ti: ffff8800b659c000
[ 269.531498] RIP: llc_ui_sendmsg (net/llc/af_llc.c:912)
[ 269.531501] RSP: 0018:ffff8800b659fcb8 EFLAGS: 00010286
[ 269.531505] RAX: 0000000000000000 RBX: ffff88006b5b8000 RCX: 0000000000000006
[ 269.531510] RDX: 0000000000007110 RSI: ffffffff9584f0f3 RDI: ffffffff957e75bd
[ 269.531515] RBP: ffff8800b659fd38 R08: 0000000000000000 R09: 0000000000000000
[ 269.531519] R10: 0000000000000001 R11: 0000000000000000 R12: ffff88006e177900
[ 269.531521] R13: ffff8800b659feb0 R14: 00000000007ffff7 R15: ffff8800b659fe78
[ 269.531524] FS: 00007f2b119bb700(0000) GS:ffff880292e00000(0000) knlGS:0000000000000000
[ 269.531528] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 269.531530] CR2: 000000000000021e CR3: 00000000b6583000 CR4: 00000000000006a0
[ 269.531610] DR0: 00000000006d6000 DR1: 0000000000000000 DR2: 0000000000000000
[ 269.531612] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000070602
[ 269.531616] Stack:
[ 269.531686] ffff8800b659fcc8 ffffffff911c488e ffff8800b659fce8 ffffffff00004002
[ 269.531695] 00000000b648d118 ffffffff912b923a ffff8800b659fd88 ffffffff911cb5be
[ 269.531709] ffff880000000000 ffffffff911a6ba8 000000000049c24f ffff8800b659fd48
[ 269.531712] Call Trace:
[ 269.531730] ? put_lock_stats.isra.12 (./arch/x86/include/asm/preempt.h:98 kernel/locking/lockdep.c:254)
[ 269.531746] ? might_fault (mm/memory.c:3735)
[ 269.531755] ? lock_release_non_nested (kernel/locking/lockdep.c:3397)
[ 269.531771] ? sched_clock_cpu (kernel/sched/clock.c:311)
[ 269.531779] sock_sendmsg (net/socket.c:654)
[ 269.531787] ? might_fault (mm/memory.c:3736)
[ 269.531793] ? might_fault (mm/memory.c:3735)
[ 269.531800] ? move_addr_to_kernel (./arch/x86/include/asm/uaccess.h:713 net/socket.c:197)
[ 269.531805] SYSC_sendto (net/socket.c:1812)
[ 269.531819] ? syscall_trace_enter (include/trace/events/syscalls.h:16 arch/x86/kernel/ptrace.c:1488)
[ 269.531827] SyS_sendto (net/socket.c:1779)
[ 269.531837] tracesys (arch/x86/kernel/entry_64.S:542)
[ 269.532403] Code: c6 c0 37 b2 98 4c 89 ef e8 95 a5 b6 fd 85 c0 74 d5 90 48 8b 83 f8 01 00 00 f6 c4 01 75 1c 48 8b 83 28 05 00 00 66 41 83 7d 04 00 <0f> b7 90 1e 02 00 00 75 1e eb 24 0f 1f 40 00 49 8b 7c 24 20 4c
All code
========
0: c6 c0 37 mov $0x37,%al
3: b2 98 mov $0x98,%dl
5: 4c 89 ef mov %r13,%rdi
8: e8 95 a5 b6 fd callq 0xfffffffffdb6a5a2
d: 85 c0 test %eax,%eax
f: 74 d5 je 0xffffffffffffffe6
11: 90 nop
12: 48 8b 83 f8 01 00 00 mov 0x1f8(%rbx),%rax
19: f6 c4 01 test $0x1,%ah
1c: 75 1c jne 0x3a
1e: 48 8b 83 28 05 00 00 mov 0x528(%rbx),%rax
25: 66 41 83 7d 04 00 cmpw $0x0,0x4(%r13)
2b:* 0f b7 90 1e 02 00 00 movzwl 0x21e(%rax),%edx <-- trapping instruction
32: 75 1e jne 0x52
34: eb 24 jmp 0x5a
36: 0f 1f 40 00 nopl 0x0(%rax)
3a: 49 8b 7c 24 20 mov 0x20(%r12),%rdi
3f: 4c rex.WR
...
Code starting with the faulting instruction
===========================================
0: 0f b7 90 1e 02 00 00 movzwl 0x21e(%rax),%edx
7: 75 1e jne 0x27
9: eb 24 jmp 0x2f
b: 0f 1f 40 00 nopl 0x0(%rax)
f: 49 8b 7c 24 20 mov 0x20(%r12),%rdi
14: 4c rex.WR
...
[ 269.532565] RIP llc_ui_sendmsg (net/llc/af_llc.c:912)
[ 269.532572] RSP <ffff8800b659fcb8>
[ 269.532575] CR2: 000000000000021e
Thanks,
Sasha
next reply other threads:[~2014-06-06 15:08 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-06 15:08 Sasha Levin [this message]
2014-06-06 15:42 ` net: llc: NULL ptr deref in llc_ui_sendmsg Dave Jones
2014-06-06 17:51 ` Sergei Shtylyov
2014-06-06 17:53 ` Sasha Levin
2014-06-07 15:02 ` Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5391D971.4030001@oracle.com \
--to=sasha.levin@oracle.com \
--cc=acme@redhat.com \
--cc=davej@redhat.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.