
Bug#708737: BUG: unable to handle kernel NULL pointer dereference

Control: merge 707867 708064 -1

On Sat, 2013-05-18 at 01:37 -0700, Rob Leslie wrote:
> Package: src:linux
> Version: 3.2.41-2+deb7u2
> Severity: important
> 
> This crash was soon followed by an unscheduled reboot:
> 
> [33983.076838] BUG: unable to handle kernel NULL pointer dereference at 000000d8
> [33983.080006] IP: [<c10dc57d>] inode_init_always+0x139/0x18a
> [33983.080006] *pdpt = 00000000139ee001 *pde = 0000000000000000 
> [33983.080006] Oops: 0000 [#1] SMP 
> [33983.080006] Modules linked in: iptable_filter ip_tables x_tables loop ext4 crc16 jbd2 autofs4 sha1_generic hmac cts video ac power_supply binfmt_misc fuse rpcsec_gss_krb5 nfsd nfs nfs_acl auth_rpcgss fscache lockd sunrpc reiserfs sha256_generic cryptd aes_i586 aes_generic cbc dm_crypt raid1 i82875p_edac edac_core md_mod snd_intel8x0 snd_ac97_codec snd_pcm_oss snd_mixer_oss snd_pcm snd_page_alloc snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device snd_timer iTCO_wdt snd iTCO_vendor_support pcspkr soundcore evdev ac97_bus i2c_i801 rng_core i2c_core parport_pc parport shpchp button processor ext3 mbcache jbd btrfs crc32c libcrc32c zlib_deflate dm_mod sg sr_mod cdrom sd_mod crc_t10dif usb_storage ata_generic floppy sata_sil fan uhci_hcd firewire_ohci ata_piix thermal thermal_sys libata firewire_core crc_itu_t ehci_hcd scsi_mod e1000 usbcore usb_common [last unloaded: scsi_wait_scan]
> [33983.109134] 
> [33983.109134] Pid: 17603, comm: sed Not tainted 3.2.0-4-686-pae #1 Debian 3.2.41-2+deb7u2        /IC7/IC7-G(Intel i875P-ICH5)
> [33983.109134] EIP: 0060:[<c10dc57d>] EFLAGS: 00010202 CPU: 1
> [33983.109134] EIP is at inode_init_always+0x139/0x18a
> [33983.109134] EAX: 000000d0 EBX: c5ef8be8 ECX: c14f94e8 EDX: c5ef8c58
> [33983.109134] ESI: f442a000 EDI: c5ef8d18 EBP: f2f41db8 ESP: f2f41d80
> [33983.109134]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
> [33983.109134] Process sed (pid: 17603, ti=f2f40000 task=f1c4fb00 task.ti=f2f40000)
> [33983.109134] Stack:
> [33983.109134]  00000000 00000001 00000000 c1412c80 f79e5394 c1024949 c1029105 00002c2d
> [33983.109134]  00002c2d f4bbe000 c1024949 c5ef8be8 f442a000 f2f41e00 f792d234 c10dc5ff
> [33983.109134]  c102901b 00000000 f4425e00 00000246 000000d0 00000246 c10c1a79 000000d0
> [33983.109134] Call Trace:
> [33983.109134]  [<c1024949>] ? arch_flush_lazy_mmu_mode+0x5/0x14
> [33983.109134]  [<c1029105>] ? kmap_atomic_prot+0xcc/0xe0
> [33983.109134]  [<c1024949>] ? arch_flush_lazy_mmu_mode+0x5/0x14
> [33983.109134]  [<c10dc5ff>] ? alloc_inode+0x31/0x5b
> [33983.109134]  [<c102901b>] ? __kunmap_atomic+0x62/0x6f
> [33983.109134]  [<c10c1a79>] ? kmem_cache_alloc+0x39/0x89
> [33983.109134]  [<c11027bf>] ? proc_alloc_inode+0x58/0x6f
> [33983.292009]  [<c10dc5ff>] ? alloc_inode+0x31/0x5b
> [33983.292009]  [<c10dce1c>] ? iget_locked+0x45/0xb4
> [33983.292009]  [<c1102c11>] ? proc_get_inode+0xb/0xbb
> [33983.292009]  [<c1106c83>] ? proc_lookup_de+0x44/0x90
> [33983.292009]  [<c1102dc2>] ? proc_root_lookup+0xe/0x26
> [33983.292009]  [<c10d38d8>] ? d_alloc_and_lookup+0x2c/0x49
> [33983.292009]  [<c10d42b9>] ? walk_component+0x1f2/0x384
> [33983.292009]  [<c10d5cb7>] ? do_last+0xf3/0x513
> [33983.292009]  [<c10d637e>] ? path_openat+0xa1/0x28b
> [33983.292009]  [<c10d6611>] ? do_filp_open+0x23/0x5c
> [33983.292009]  [<c102a119>] ? should_resched+0x5/0x1e
> [33983.292009]  [<c12c1631>] ? _cond_resched+0x5/0x18
> [33983.292009]  [<c10cc068>] ? do_sys_open+0x54/0xcd
> [33983.292009]  [<c10cc0ff>] ? sys_open+0x1e/0x23
> [33983.292009]  [<c12c6e1f>] ? sysenter_do_call+0x12/0x28
> [33983.292009] Code: 00 02 00 c7 83 24 01 00 00 00 00 00 00 c7 83 14 01 00 00 c0 dc 3e c1 c7 83 08 01 00 00 00 00 00 00 8b 86 d0 00 00 00 85 c0 74 0f <8b> 40 08 8b 40 20 8b 40 4c 89 83 14 01 00 00 8d 83 c8 00 00 00 
> [33983.292009] EIP: [<c10dc57d>] inode_init_always+0x139/0x18a SS:ESP 0068:f2f41d80
> [33983.292009] CR2: 00000000000000d8
> [33983.395919] ---[ end trace 06671fc6cb61b9cb ]---
> 
> See also bugs #707867 and #708064 for possibly related instability.
[...]

I think these very likely have the same cause - some kind of memory
corruption, probably use-after-free - so I'm merging them.

I notice that you're using reiserfs, which is unmaintained and is likely
to regress as the kernel changes.  I suspect this could be the source of
the bug, and I would strongly recommend migrating to another filesystem
(but boot back into Linux 2.6.32 before doing so!).

Ben.

-- 
Ben Hutchings
The generation of random numbers is too important to be left to chance.
                                                            - Robert Coveyou
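
Added note, not part of Rob's report or Ben's reply: before taking the "NULL pointer dereference" label at face value it is worth cross-checking the register dump against the instruction at EIP and CR2. The Python below is an added example (not Debian or kernel tooling) that parses the oops quoted above, decodes the faulting bytes 8b 40 08 (mov eax,[eax+0x8]) and confirms that EAX (0xd0) plus 8 reproduces CR2 (0xd8), so the dump is consistent. It also decodes the instruction just before the fault, 8b 86 d0 00 00 00 (mov eax,[esi+0xd0]), which together with the 85 c0 / 74 0f (test eax,eax / jz) that follows shows the dereferenced pointer was loaded from a structure field, passed a non-zero check, and still pointed into page zero: a small garbage value rather than a genuine NULL. The excerpt embedded in the script is copied from the report with the module list shortened and the raw stack words dropped; the ModRM decoder handles only the single `mov r32, [base+disp]` shape.

```python
"""Triage helper for an i386 kernel oops pasted into a bug report.

Added example, not part of the bug report or of Debian's kernel tooling.
It parses the oops text and cross-checks three independent facts it
carries: the register dump, the instruction at EIP (the <xx> token on
the Code: line) and the fault address (CR2).
"""
import re

# Excerpt of the oops from the report above; module list shortened, raw
# stack words dropped, otherwise as posted.
OOPS = """\
[33983.076838] BUG: unable to handle kernel NULL pointer dereference at 000000d8
[33983.080006] IP: [<c10dc57d>] inode_init_always+0x139/0x18a
[33983.080006] Modules linked in: ext4 reiserfs dm_crypt raid1 md_mod btrfs e1000 [last unloaded: scsi_wait_scan]
[33983.109134] Pid: 17603, comm: sed Not tainted 3.2.0-4-686-pae #1 Debian 3.2.41-2+deb7u2
[33983.109134] EIP: 0060:[<c10dc57d>] EFLAGS: 00010202 CPU: 1
[33983.109134] EAX: 000000d0 EBX: c5ef8be8 ECX: c14f94e8 EDX: c5ef8c58
[33983.109134] ESI: f442a000 EDI: c5ef8d18 EBP: f2f41db8 ESP: f2f41d80
[33983.109134] Call Trace:
[33983.109134]  [<c10dc5ff>] ? alloc_inode+0x31/0x5b
[33983.109134]  [<c11027bf>] ? proc_alloc_inode+0x58/0x6f
[33983.292009]  [<c10dce1c>] ? iget_locked+0x45/0xb4
[33983.292009]  [<c10cc0ff>] ? sys_open+0x1e/0x23
[33983.292009] Code: 00 02 00 c7 83 24 01 00 00 00 00 00 00 c7 83 14 01 00 00 c0 dc 3e c1 c7 83 08 01 00 00 00 00 00 00 8b 86 d0 00 00 00 85 c0 74 0f <8b> 40 08 8b 40 20 8b 40 4c 89 83 14 01 00 00 8d 83 c8 00 00 00
[33983.292009] CR2: 00000000000000d8
"""

REGS32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]  # ModRM register order


def parse_oops(text):
    """Extract the triage-relevant fields from raw oops text."""
    info = {"regs": {}, "modules": [], "trace": [], "code": [], "fault_index": None}
    for line in text.splitlines():
        line = re.sub(r"^\[\s*\d+\.\d+\]", "", line)  # drop the printk timestamp
        if m := re.match(r"\s*BUG: unable to handle kernel (.+) at ([0-9a-f]+)$", line):
            info["bug"], info["fault_addr"] = m.group(1), int(m.group(2), 16)
        elif m := re.match(r"\s*IP: \[<[0-9a-f]+>\] (\S+)\+0x([0-9a-f]+)/", line):
            info["symbol"], info["offset"] = m.group(1), int(m.group(2), 16)
        elif m := re.match(r"\s*Modules linked in: (.*)", line):
            info["modules"] = re.sub(r"\[last unloaded:.*?\]", "", m.group(1)).split()
        elif m := re.match(r"\s*CR2: ([0-9a-f]+)$", line):
            info["cr2"] = int(m.group(1), 16)
        elif m := re.match(r"\s*\[<[0-9a-f]+>\]\s+(\?\s+)?(\S+)\+0x", line):
            # A leading '?' marks a frame the unwinder could not verify.
            info["trace"].append((m.group(1) is None, m.group(2)))
        elif m := re.match(r"\s*Code: (.*)", line):
            for i, tok in enumerate(m.group(1).split()):
                if tok.startswith("<"):  # <xx> is the byte at EIP
                    info["fault_index"] = i
                info["code"].append(int(tok.strip("<>"), 16))
        else:
            for reg, val in re.findall(r"\b(E[ABCD]X|E[SD]I|E[BS]P): ([0-9a-f]{8})", line):
                info["regs"][reg] = int(val, 16)
    return info


def decode_mov_load(code):
    """Decode `mov r32, [base + disp]` (opcode 8B, register base, no SIB).

    Only this shape is handled: a field read through a pointer, which is
    what the bytes at EIP in this oops are.  Returns (dest, base, disp) or None.
    """
    if len(code) < 2 or code[0] != 0x8B:
        return None
    mod, reg, rm = code[1] >> 6, (code[1] >> 3) & 7, code[1] & 7
    if mod == 3 or rm == 4 or (mod == 0 and rm == 5):  # reg operand, SIB byte, or bare disp32
        return None
    if mod == 0:
        disp = 0
    elif mod == 1 and len(code) >= 3:
        disp = code[2] - 0x100 if code[2] >= 0x80 else code[2]  # signed disp8
    elif mod == 2 and len(code) >= 6:
        disp = int.from_bytes(bytes(code[2:6]), "little", signed=True)
    else:
        return None
    return REGS32[reg], REGS32[rm], disp


def triage(text):
    """Check that registers + instruction at EIP reproduce CR2, and classify the base."""
    info = parse_oops(text)
    fault = info.get("cr2", info.get("fault_addr"))
    at_eip = info["code"][info["fault_index"]:] if info["fault_index"] is not None else []
    insn = decode_mov_load(at_eip)
    result = {
        "where": "%s+0x%x" % (info["symbol"], info["offset"]),
        "fault_addr": fault,
        "insn": insn,
        "base_value": None,
        "consistent": False,
        "base_is_null": None,
        "reliable_frames": [s for ok, s in info["trace"] if ok],
        "candidate_frames": [s for ok, s in info["trace"] if not ok],
        "modules": info["modules"],
    }
    if insn and insn[1] in info["regs"]:
        _, base, disp = insn
        base_val = info["regs"][base]
        result["base_value"] = base_val
        # If dump + instruction do not reproduce CR2, the register dump is stale.
        result["consistent"] = (base_val + disp) & 0xFFFFFFFF == fault
        # x86 prints "NULL pointer dereference" for any fault in the first page,
        # so a tiny but non-zero base means a field was read through a pointer
        # holding a small garbage value, not through NULL.
        result["base_is_null"] = base_val == 0
    return result


if __name__ == "__main__":
    for key, val in triage(OOPS).items():
        print("%-17s %s" % (key, hex(val) if type(val) is int else val))
```

Running the script prints the cross-check for the quoted oops: the instruction at EIP is mov EAX,[EAX+8], EAX was 0xd0, 0xd0+8 matches CR2, and the base is non-zero, so "consistent" is true and "base_is_null" is false. Every frame in the trace carries a "?", so the unwinder vouches for none of them; they are still useful context (a /proc lookup from sys_open) but should not be read as a verified call chain.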
