From: Sasha Levin <levinsasha928@gmail.com>
To: Jiri Slaby <jirislaby@gmail.com>, Greg KH <greg@kroah.com>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: TTY: NULL dereference when closing a pty file
Date: Sun, 19 Feb 2012 22:36:36 +0200
Message-ID: <1329683796.10124.21.camel@lappy>
Hi all,
I got the following BUG() when running trinity on the KVM tool:
[ 665.738774] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
[ 665.739651] IP: [<ffffffff81257e2b>] devpts_pty_kill+0x1b/0xa0
[ 665.739651] PGD 22eba067 PUD 22eaf067 PMD 0
[ 665.739651] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[ 665.739651] CPU 5
[ 665.739651] Pid: 3061, comm: trinity Not tainted 3.3.0-rc3-next-20120217-sasha-00001-gfa56acb #18
[ 665.739651] RIP: 0010:[<ffffffff81257e2b>] [<ffffffff81257e2b>] devpts_pty_kill+0x1b/0xa0
[ 665.739651] RSP: 0018:ffff880022ecfd88 EFLAGS: 00010286
[ 665.739651] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 665.739651] RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff880022921148
[ 665.739651] RBP: ffff880022ecfda8 R08: 0000000000000000 R09: 0000000000000001
[ 665.739651] R10: 0000000000000001 R11: 0000000000000001 R12: ffff880022921148
[ 665.739651] R13: ffff880022934840 R14: ffff880026831970 R15: ffff880026831970
[ 665.739651] FS: 00007f29c344e700(0000) GS:ffff88002a400000(0000) knlGS:0000000000000000
[ 665.739651] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 665.739651] CR2: 0000000000000028 CR3: 0000000022e1c000 CR4: 00000000000406e0
[ 665.739651] DR0: ffffffff810adc50 DR1: 0000000000000000 DR2: 0000000000000000
[ 665.739651] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
[ 665.739651] Process trinity (pid: 3061, threadinfo ffff880022ece000, task ffff880022d88000)
[ 665.739651] Stack:
[ 665.739651] ffff880022ecfd98 ffff8800229267b0 ffff880022921148 ffff880022934840
[ 665.739651] ffff880022ecfdc8 ffffffff819407f1 ffff880022934840 ffff8800229267b0
[ 665.739651] ffff880022ecfeb8 ffffffff819374a6 ffff880022ecfe18 ffffffff81078e76
[ 665.739651] Call Trace:
[ 665.739651] [<ffffffff819407f1>] pty_close+0x121/0x140
[ 665.739651] [<ffffffff819374a6>] tty_release+0x186/0x610
[ 665.739651] [<ffffffff81078e76>] ? kvm_clock_read+0x46/0x80
[ 665.739651] [<ffffffff81054973>] ? sched_clock+0x13/0x20
[ 665.739651] [<ffffffff811d9b16>] fput+0xf6/0x330
[ 665.739651] [<ffffffff811d68b4>] filp_close+0x64/0x90
[ 665.739651] [<ffffffff811d699b>] sys_close+0xbb/0x1b0
[ 665.739651] [<ffffffff8267c079>] system_call_fastpath+0x16/0x1b
[ 665.739651] Code: 4c 8b a3 08 04 00 00 eb df 0f 0b 0f 1f 44 00 00 55 48 89 e5 48 83 ec 20 48 89 5d e8 4c 89 65 f0 4c 89 6d f8 48 8b 9f 28 04 00 00 <48> 8b 43 28 48 81 78 58 d1 1c 00 00 74 0b 48 8b 05 f0 17 26 03
[ 665.739651] RIP [<ffffffff81257e2b>] devpts_pty_kill+0x1b/0xa0
[ 665.739651] RSP <ffff880022ecfd88>
[ 665.739651] CR2: 0000000000000028
[ 665.782570] ---[ end trace 5b128b9a8217de35 ]---
Looking further, it looks like devpts_pty_kill was called with tty->link==NULL.
I've bisected it down to d3bda529 ("TTY: get rid of BTM around devpts_*"), which has moved devpts_pty_kill() out of the tty_lock() protection.
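As an added illustration that is not part of this report or of the kernel source: a small user-space C model of the window the bisect points at. One thread "hangs up" by clearing the cross link under a lock, while the closing side does a check-then-use on `tty->link`. The close variant that runs without the lock corresponds to the post-d3bda529 situation and can observe the link turning NULL between its check and the point where `devpts_pty_kill()` would dereference it; the variant that holds the lock across both cannot. All names here (`struct model_tty`, `model_hangup`, `model_close_unlocked`, `model_close_locked`, `model_race`) are hypothetical, and the single global `model_tty_lock` is a stand-in for the tty lock/BTM, not the kernel's real locking.

```c
/* Added example, not from the report or the kernel: a user-space model of
 * the hangup-vs-close window. All names are hypothetical stand-ins. */
#include <pthread.h>
#include <sched.h>
#include <stddef.h>
#include <stdio.h>

struct model_tty {
    struct model_tty *link;   /* peer side of the pty pair; NULL once hung up */
};

/* One global mutex stands in for tty_lock()/the BTM. */
static pthread_mutex_t model_tty_lock = PTHREAD_MUTEX_INITIALIZER;
static struct model_tty model_master, model_slave;

/* Fresh pair: both sides point at each other. */
static void model_reset(void)
{
    model_master.link = &model_slave;
    model_slave.link = &model_master;
}

/* Hangup side: drops the cross link while holding the lock. */
static void *model_hangup(void *arg)
{
    struct model_tty *tty = arg;
    pthread_mutex_lock(&model_tty_lock);
    tty->link = NULL;
    pthread_mutex_unlock(&model_tty_lock);
    return NULL;
}

/* Close side WITHOUT the lock (the situation after the bisected commit):
 * check tty->link, then use it. Returns 1 if the peer became NULL between
 * the check and the point where it would be dereferenced, 0 otherwise. */
static int model_close_unlocked(struct model_tty *tty)
{
    struct model_tty *peer = tty->link;
    if (peer == NULL)
        return 0;                 /* already hung up: nothing to kill */
    sched_yield();                /* widen the window so the race is visible */
    /* devpts_pty_kill(tty->link) would dereference this re-read pointer */
    return tty->link == NULL;
}

/* Close side WITH the lock held across check and use: the hangup thread
 * cannot clear the link in between, so this always returns 0. */
static int model_close_locked(struct model_tty *tty)
{
    int stale;
    pthread_mutex_lock(&model_tty_lock);
    if (tty->link == NULL) {
        pthread_mutex_unlock(&model_tty_lock);
        return 0;
    }
    sched_yield();
    stale = (tty->link == NULL);
    pthread_mutex_unlock(&model_tty_lock);
    return stale;
}

/* Race hangup against the given close variant `rounds` times and count how
 * often the close side would have dereferenced a NULL link. */
static int model_race(int (*close_fn)(struct model_tty *), int rounds)
{
    int hits = 0;
    for (int i = 0; i < rounds; i++) {
        pthread_t t;
        model_reset();
        pthread_create(&t, NULL, model_hangup, &model_master);
        hits += close_fn(&model_master);
        pthread_join(t, NULL);
    }
    return hits;
}

int main(void)
{
    printf("unlocked close: %d NULL-link windows hit\n",
           model_race(model_close_unlocked, 2000));
    printf("locked close:   %d NULL-link windows hit\n",
           model_race(model_close_locked, 2000));
    return 0;
}
```

The unlocked count depends on scheduling and may be zero on a lightly loaded machine, which is exactly why a fuzzer such as trinity, hammering close() and hangup paths in parallel, is what exposed the window; the locked count is zero by construction.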
Thread overview:
2012-02-19 20:36 Sasha Levin [this message]
2012-02-19 21:08 ` [PATCH 1/1] TTY: fix PTY hangup vs close race Jiri Slaby
2012-02-19 21:10 ` TTY: NULL dereference when closing a pty file Jiri Slaby
2012-02-19 23:08 ` Sasha Levin
2012-02-19 21:19 ` [PATCH 1/1] TTY: fix PTY hangup vs close race Jiri Slaby
2012-02-19 21:41 ` Jiri Slaby
2012-02-20 10:20 ` Sasha Levin
2012-02-20 11:15 ` Jiri Slaby
2012-02-24 21:57 ` Greg KH