← Back to team overview

group.of.nepali.translators team mailing list archive

[Bug 1721065] Re: NULL pointer dereference in tty_write() in kernel 4.4.0-93.116+

 

** Changed in: linux (Ubuntu)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1721065

Title:
  NULL pointer dereference in tty_write() in kernel 4.4.0-93.116+

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released

Bug description:
  Sometimes an Ubuntu kernel 4.4.0-93+ panics in the following way:

  [   11.185347] BUG: unable to handle kernel NULL pointer dereference at           (null)
  [   11.185778] IP: [<ffffffff814f9cf3>] tty_write+0x83/0x2d0
  [   11.186115] PGD 0 
  [   11.186270] Oops: 0000 [#1] SMP 
  [   11.186506] Modules linked in: prl_fs(POE) prl_eth(POE) gpio_ich ppdev snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm s
  nd_timer input_leds snd serio_raw soundcore lpc_ich shpchp sbs prl_tg(POE) sbshc pvpanic parport_pc parport mac_hid auto
  fs4 psmouse ahci libahci pata_acpi fjes
  [   11.188034] CPU: 0 PID: 1 Comm: systemd Tainted: P           OE   4.4.0-96-generic #119-Ubuntu
  [   11.188482] Hardware name: Parallels Software International Inc. Parallels Virtual Platform/Parallels Virtual Platfor
  m, BIOS 13.1.0 (43104) 09/26/2017
  [   11.189156] task: ffff88003db80000 ti: ffff88003db88000 task.ti: ffff88003db88000
  [   11.189546] RIP: 0010:[<ffffffff814f9cf3>]  [<ffffffff814f9cf3>] tty_write+0x83/0x2d0
  [   11.189964] RSP: 0000:ffff88003db8bcc8  EFLAGS: 00010246
  [   11.190255] RAX: 0000000000000000 RBX: ffff8800392dd800 RCX: 0000000000000000
  [   11.190628] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8800392dd828
  [   11.191002] RBP: ffff88003db8bd18 R08: ffff88003db88000 R09: 0000000000000000
  [   11.191398] R10: 000000000000005c R11: 0000000000401ce0 R12: 000000000000002f
  [   11.191775] R13: ffff88003584ae70 R14: 000055c8eab15f20 R15: ffff88003584ae00
  [   11.192152] FS:  00007f649d1418c0(0000) GS:ffff88003de00000(0000) knlGS:0000000000000000
  [   11.192573] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [   11.192882] CR2: 0000000000000000 CR3: 000000003d3b6000 CR4: 00000000000006f0
  [   11.193264] Stack:
  [   11.193404]  0000000000000000 ffffffff813953ba ffff88003db8bd08 ffffffff813493bd
  [   11.193837]  000000000000002f ffff88003584ae00 000055c8eab15f20 ffff88003584ae70
  [   11.194267]  000000000000002f ffff88003db8bf18 ffff88003db8bd28 ffffffff8120f878
  [   11.194700] Call Trace:
  [   11.194884]  [<ffffffff813953ba>] ? apparmor_file_permission+0x1a/0x20
  [   11.195248]  [<ffffffff813493bd>] ? security_file_permission+0x3d/0xc0
  [   11.195621]  [<ffffffff8120f878>] __vfs_write+0x18/0x40
  [   11.195916]  [<ffffffff81210209>] vfs_write+0xa9/0x1a0
  [   11.196202]  [<ffffffff814f9fa0>] redirected_tty_write+0x60/0xa0
  [   11.196532]  [<ffffffff814f9f40>] ? tty_write+0x2d0/0x2d0
  [   11.196830]  [<ffffffff8120f5d5>] do_loop_readv_writev+0x75/0xa0
  [   11.197160]  [<ffffffff814f9f40>] ? tty_write+0x2d0/0x2d0
  [   11.197458]  [<ffffffff81210512>] do_readv_writev+0x212/0x230
  [   11.198439]  [<ffffffff81223faf>] ? do_vfs_ioctl+0x29f/0x490
  [   11.199374]  [<ffffffff812105b9>] vfs_writev+0x39/0x50
  [   11.200268]  [<ffffffff812112e9>] SyS_writev+0x59/0xf0
  [   11.201144]  [<ffffffff81224219>] ? SyS_ioctl+0x79/0x90
  [   11.202049]  [<ffffffff81843272>] entry_SYSCALL_64_fastpath+0x16/0x71
  [   11.202980] Code: 47 02 00 00 48 8b 93 e0 01 00 00 83 e2 02 0f 85 37 02 00 00 48 83 78 50 00 0f 84 38 02 00 00 48 89 df e8 11 7f 00 00 48 89 45 b0 <48> 8b 00 48 8b 40 40 48 89 c2 48 89 45 c0 48 c7 c0 fb ff ff ff 
  [   11.208047] RIP  [<ffffffff814f9cf3>] tty_write+0x83/0x2d0
  [   11.208942]  RSP <ffff88003db8bcc8>
  [   11.209713] CR2: 0000000000000000
  [   11.210517] ---[ end trace 3b933544655b49b8 ]---
  [   11.335210] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
  [   11.335210] 
  [   11.337095] Kernel Offset: disabled
  [   11.338184] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009

  The crash occurs here

  1227 static ssize_t tty_write(struct file *file, const char __user *buf,
  [...]
  1243         ld = tty_ldisc_ref_wait(tty);
  1244         if (!ld->ops->write) // <===
  1245                 ret = -EIO;
  1246         else
  1247                 ret = do_tty_write(ld->ops->write, tty, file, buf, count);

  because tty_ldisc_ref_wait() returned NULL.

  It seems the issue has been introduced into 4.4.0-93+ kernels
  by the fix for the bug #1709126: according to the version 4.4.0-93.116
  changelog the patch "tty: Destroy ldisc instance on hangup" (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=892d1fa7eaaed9d3c04954cb140c34ebc3393932) that allowed
  tty_ldisc_ref_wait() to return NULL has been backported 
  into the Ubuntu Linux kernel 4.4.0-93+. However, the patch
  "tty: Prepare for destroying line discipline on hangup"
  (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e55afd11a48354c810caf6b6ad4c103016a88230)
  from the same patchset (https://lkml.org/lkml/2015/11/27/476)
  that prepares tty_ldisc_ref_wait() callers
  for this hasn't been backported.

  Additional info:

  Kernel version:

  Linux version 4.4.0-96-generic (buildd@lgw01-10) (gcc version 5.4.0
  20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #119-Ubuntu SMP Tue Sep 12
  14:59:54 UTC 2017

  lsb_release -rd output:

  Description:    Ubuntu 16.04.3 LTS
  Release:        16.04

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1721065/+subscriptions