
kernel-packages team mailing list archive

[Bug 1556562] Re: VIA C7-D machine "kernel NULL pointer dereference" in skcipher_recvmsg_async


@Jeffrey-

Please try this test kernel:
http://kernel.ubuntu.com/~kamal/lp1556562.0/

(For reference, this is 4.2.0-35.40 plus backports of these mainline commits:)
6454c2b crypto: algif_skcipher - Do not dereference ctx without socket lock
ec69bbf crypto: algif_skcipher - Do not assume that req is unchanged
6e8d8ec crypto: algif_skcipher - Add key check exception for cipher_null
a1383cd crypto: skcipher - Add crypto_skcipher_has_setkey

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1556562

Title:
  VIA C7-D machine "kernel NULL pointer dereference" in
  skcipher_recvmsg_async

Status in linux package in Ubuntu:
  Confirmed
Status in linux source package in Wily:
  In Progress

Bug description:
  I'm working on a Lubuntu 15 machine. It was chosen because it
  supports the VIA C7-D processor and the VIA PM400 chipset without crashing
  (also see ). Lubuntu 15 uses the 4.2 kernel:

    $ lsb_release -a
    No LSB modules are available.
    Distributor ID:	Ubuntu
    Description:	Ubuntu 15.10
    Release:	15.10
    Codename:	wily

  And:

    $ uname -a
    Linux via 4.2.0-30-generic #36-Ubuntu SMP Fri Feb 26 00:57:19 UTC 2016 i686 i686 i686 GNU/Linux

  When running a particular program (details below), it hangs in syscall
  248 and results in the following dmesg/syslog output. The process
  cannot be killed, the machine does not respond to a 'shutdown -r now',
  and the machine requires a hard reset.

  ...
  [ 4505.429577] BUG: unable to handle kernel NULL pointer dereference at 00000008
  [ 4505.429593] IP: [<f8a6ccf2>] skcipher_recvmsg_async.isra.13+0x4b2/0x500 [algif_skcipher]
  [ 4505.429607] *pdpt = 0000000034ee3001 *pde = 0000000000000000 
  [ 4505.429614] Oops: 0000 [#3] SMP 
  [ 4505.429621] Modules linked in: jitterentropy_rng drbg ansi_cprng algif_skcipher af_alg snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi padlock_sha snd_seq padlock_aes snd_seq_device via_cputemp snd_timer hwmon_vid via_rng snd input_leds serio_raw soundcore i2c_viapro shpchp 8250_fintek mac_hid parport_pc ppdev lp parport autofs4 pata_acpi hid_generic usbhid hid psmouse r8169 pata_via sata_via mii
  [ 4505.429689] CPU: 0 PID: 1532 Comm: afalgtest Tainted: G      D         4.2.0-30-generic #36-Ubuntu
  [ 4505.429695] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Weibu, BIOS 080014  11/17/2011
  [ 4505.429700] task: f4e0e040 ti: f4e3c000 task.ti: f4e3c000
  [ 4505.429705] EIP: 0060:[<f8a6ccf2>] EFLAGS: 00010202 CPU: 0
  [ 4505.429712] EIP is at skcipher_recvmsg_async.isra.13+0x4b2/0x500 [algif_skcipher]
  [ 4505.429717] EAX: f3f97c00 EBX: f3f3ee00 ECX: f3f97c00 EDX: 00000000
  [ 4505.429722] ESI: f3f3ee00 EDI: 00000ff0 EBP: f4e3ddc8 ESP: f4e3dd70
  [ 4505.429726]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
  [ 4505.429731] CR0: 80050033 CR2: 00000008 CR3: 3247a520 CR4: 000006b0
  [ 4505.429735] Stack:
  [ 4505.429738]  f3f97df4 f3f97c00 f3f97de0 00000000 f3f97c04 00000020 f4e3dd00 00000018
  [ 4505.429750]  00001ff0 f3fb4400 f3f97c04 00000ff0 f4e3de40 f3f97de8 f4e3de38 f3fa0000
  [ 4505.429761]  00000002 00000002 f3f97c00 f1f58180 c1210510 f4e3de38 f4e3ddf4 f8a6cd6b
  [ 4505.429772] Call Trace:
  [ 4505.429788]  [<c1210510>] ? free_ioctx_users+0xa0/0xa0
  [ 4505.429795]  [<f8a6cd6b>] skcipher_recvmsg+0x2b/0x1f0 [algif_skcipher]
  [ 4505.429803]  [<f8a6c71a>] ? skcipher_check_key.isra.8+0x2a/0xb0 [algif_skcipher]
  [ 4505.429810]  [<f8a6cf61>] skcipher_recvmsg_nokey+0x31/0x40 [algif_skcipher]
  [ 4505.429820]  [<c164e1fd>] sock_recvmsg+0x3d/0x50
  [ 4505.429826]  [<c164e294>] sock_read_iter+0x84/0xd0
  [ 4505.429833]  [<c164e210>] ? sock_recvmsg+0x50/0x50
  [ 4505.429839]  [<c12108b0>] aio_run_iocb+0x110/0x2c0
  [ 4505.429846]  [<c164e210>] ? sock_recvmsg+0x50/0x50
  [ 4505.429854]  [<c1767b8f>] ? error_code+0x67/0x6c
  [ 4505.429865]  [<c11b25e4>] ? kmem_cache_alloc+0x1b4/0x1e0
  [ 4505.429875]  [<c11e5112>] ? __fdget+0x12/0x20
  [ 4505.429881]  [<c121168f>] do_io_submit+0x1ef/0x4a0
  [ 4505.429893]  [<c12ddd2f>] ? security_file_alloc+0x2f/0x50
  [ 4505.429900]  [<c1211960>] SyS_io_submit+0x20/0x30
  [ 4505.429911]  [<c176695f>] sysenter_do_call+0x12/0x12
  [ 4505.429915] Code: 00 00 00 75 24 8b 45 ac ff 52 0c 89 c7 83 ff 8d 75 8f 8b 45 e4 3e ff 80 fc 01 00 00 bf ef fd ff ff e9 62 fc ff ff 8d 76 00 89 c8 <ff> 52 08 89 c7 eb db 8b 45 e4 31 d2 8b 80 20 02 00 00 8b 58 1c
  [ 4505.429982] EIP: [<f8a6ccf2>] skcipher_recvmsg_async.isra.13+0x4b2/0x500 [algif_skcipher] SS:ESP 0068:f4e3dd70
  [ 4505.429991] CR2: 0000000000000008
  [ 4505.429997] ---[ end trace 3cce7cc6be0ad960 ]---

  **********

  The process details: this is a failed self-test for the upcoming
  OpenSSL 1.1.0. The OpenSSL RT bug report for this issue is at
  http://rt.openssl.org/Ticket/Display.html?id=4411. Two attempts to
  debug it resulted in two hung processes:

  $ ps -A | grep afalgtest
  1030 pts/0    00:00:00 afalgtest
  1196 pts/0    00:00:00 afalgtest

  And:

  via:test$ sudo cat /proc/1030/syscall 
  248 0xb7fd6000 0x1 0xbfff98d4 0xb7fb9270 0xbfff98e0 0xb7ec45f7 0xbfff986c 0xb7fdbbe8
  via:test$ sudo cat /proc/1196/syscall 
  248 0xb7fd6000 0x1 0xbfff98d4 0xb7fb9270 0xbfff98e0 0xb7ec45f7 0xbfff986c 0xb7fdbbe8

  It's not clear to me what that particular syscall is:

  $ cat /usr/include/asm-generic/unistd.h
  ...
  /*
   * Architectures may provide up to 16 syscalls of their own
   * starting with this value.
   */
  #define __NR_arch_specific_syscall 244

  #define __NR_wait4 260
  __SC_COMP(__NR_wait4, sys_wait4, compat_sys_wait4)
  #define __NR_prlimit64 261
  __SYSCALL(__NR_prlimit64, sys_prlimit64)
  #define __NR_fanotify_init 262
  __SYSCALL(__NR_fanotify_init, sys_fanotify_init)
  #define __NR_fanotify_mark 263
  ...

  **********

  If interested, you should be able to duplicate it with the following.
  That's assuming you have the hardware.

  $ git clone git://git.openssl.org/openssl.git
  $ cd openssl

  $ ./config -d
  $ make
  $ make test/afalgtest
  $ cd test
  $ OPENSSL_ENGINES=../engines/afalg gdb ./afalgtest

  **********

  In this case, the hardware was selected for the VIA C7-D processor and
  the Padlock engine. It's relatively low-end, and can be found at
  http://www.amazon.com/gp/product/B01AXR2KBQ.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1556562/+subscriptions
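The syscall number shown in the quoted /proc/<pid>/syscall output is architecture-specific: on i386, 248 is io_submit, which matches the SyS_io_submit frame in the call trace (asm-generic/unistd.h is not the i386 table). The following is an added example, not code from the bug report or from the Ubuntu kernel team, that decodes those captured lines; the syscall table is a constructed excerpt of the i386 table covering only the AIO calls.

```python
"""Decode /proc/<pid>/syscall lines from a 32-bit x86 (i386) process.

Added example, not part of the bug report. CAPTURED holds the two lines
quoted in the report; I386_SYSCALLS is a constructed excerpt of the i386
syscall table (arch/x86/entry/syscalls/syscall_32.tbl) limited to the
AIO calls, since asm-generic/unistd.h does not apply to i386.
"""

# Constructed excerpt: number -> (name, argument names), i386 numbering.
I386_SYSCALLS = {
    245: ("io_setup", ["nr_events", "ctxp"]),
    246: ("io_destroy", ["ctx"]),
    247: ("io_getevents", ["ctx", "min_nr", "nr", "events", "timeout"]),
    248: ("io_submit", ["ctx", "nr", "iocbpp"]),
    249: ("io_cancel", ["ctx", "iocb", "result"]),
}


def decode_proc_syscall(line: str) -> dict:
    """Parse one /proc/<pid>/syscall line.

    Format per proc(5): 'nr a1 a2 a3 a4 a5 a6 sp pc' (arguments in hex),
    '-1 sp pc' when blocked outside a syscall, or 'running'.
    """
    fields = line.split()
    if fields == ["running"]:
        return {"state": "running"}
    nr = int(fields[0])
    if nr == -1:
        return {"state": "blocked", "sp": int(fields[1], 16), "pc": int(fields[2], 16)}
    if len(fields) != 9:
        raise ValueError(f"unexpected field count {len(fields)}: {line!r}")
    args = [int(f, 16) for f in fields[1:7]]
    sp, pc = int(fields[7], 16), int(fields[8], 16)
    name, arg_names = I386_SYSCALLS.get(nr, (f"syscall_{nr}", []))
    # Only the registers the call actually uses are given names.
    named = dict(zip(arg_names, args))
    return {"state": "in_syscall", "nr": nr, "name": name,
            "args": named, "sp": sp, "pc": pc}


# The two lines captured in the bug report (one per hung afalgtest process).
CAPTURED = [
    "248 0xb7fd6000 0x1 0xbfff98d4 0xb7fb9270 0xbfff98e0 0xb7ec45f7 0xbfff986c 0xb7fdbbe8",
    "248 0xb7fd6000 0x1 0xbfff98d4 0xb7fb9270 0xbfff98e0 0xb7ec45f7 0xbfff986c 0xb7fdbbe8",
]


def summarize(lines):
    """Return (name, named args) per line; identical tuples mean the same stuck call."""
    return [(d["name"], d["args"]) for d in map(decode_proc_syscall, lines)]


if __name__ == "__main__":
    for name, args in summarize(CAPTURED):
        print(name, {k: hex(v) for k, v in args.items()})
```

Both processes sit in io_submit with nr=1 on the same AIO context, which is consistent with the SyS_io_submit -> aio_run_iocb -> skcipher_recvmsg path in the oops.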