Re: 2.6.31-rc2: BUG: unable to handle kernel NULL pointer dereference

From: Eric Paris
Date: Sun Jul 12 2009 - 17:57:21 EST


On Sun, 2009-07-12 at 22:26 +0200, Jiri Slaby wrote:
> On 07/12/2009 07:30 PM, Parag Warudkar wrote:
> > static void selinux_write_opts(struct seq_file *m,
> >                                struct security_mnt_opts *opts)
> > {
> >         int i;
> >         char *prefix;
> >
> >         for (i = 0; i < opts->num_mnt_opts; i++) {
> >                 char *has_comma;
> >
> >                 if (opts->mnt_opts[i])
> >                         has_comma = strchr(opts->mnt_opts[i], ',');
> > ^^^^^^^^^^^^^^^^^^^^^^^^^
> > And that is a NULL pointer dereference - but we just checked for
> > opts->mnt_opts[i] for not NULL.
>
> Note, that there is not a NULL dereference. It dereferences 0x40 which
> came in as %rdi. Looks like somebody assigned garbage in there.
>
> Or a single bit mem error. Is memtest OK with this machine?
>
> What warning tainted the kernel before this oops is still interesting...

I just looked over the selinux code where we build the
security_mnt_opts. We can do a 0 length kmalloc, but that should hurt
anything. I should probably not be doing any allocations and leaving the
opts->mnt_opts and opts->mnt_opts_flags == NULL, but 0x40 !=
ZERO_SIZE_PTR(0x10) nor is the security_mnt_opts structure anywhere near
large enough to hit an offset of 0x40.....

I really think I'd like to see any previous BUG/WARN messages you got
and like Jiri said, see if memtest86+ runs cleanly....

-Eric
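
The address triage discussed in this thread, written out as an added example (not part of the original message and not kernel code). The struct is a userspace mirror of security_mnt_opts with an assumed layout, and classify_fault() and the enum names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace mirror of the kernel's struct security_mnt_opts (assumed layout). */
struct security_mnt_opts {
    char **mnt_opts;
    int *mnt_opts_flags;
    int num_mnt_opts;
};

/* The kernel's ZERO_SIZE_PTR, returned by kmalloc(0), is (void *)16. */
#define ZERO_SIZE_PTR_VAL ((uintptr_t)0x10)

enum fault_kind {
    FAULT_NULL,             /* plain NULL dereference */
    FAULT_ZERO_SIZE_PTR,    /* a kmalloc(0) result was dereferenced */
    FAULT_NULL_PLUS_OFFSET, /* member access through a NULL struct pointer */
    FAULT_SINGLE_BIT,       /* one bit set: consistent with a bit flip of NULL */
    FAULT_OTHER             /* no simple explanation: stray write or garbage */
};

/* Hypothetical helper: classify the bad pointer value from an oops (here the
 * value in %rdi) against the explanations raised in the thread. */
enum fault_kind classify_fault(uintptr_t addr, size_t struct_size)
{
    if (addr == 0)
        return FAULT_NULL;
    if (addr == ZERO_SIZE_PTR_VAL)
        return FAULT_ZERO_SIZE_PTR;
    if (addr < struct_size)         /* could be NULL + offsetof(member) */
        return FAULT_NULL_PLUS_OFFSET;
    if ((addr & (addr - 1)) == 0)   /* power of two: exactly one bit set */
        return FAULT_SINGLE_BIT;
    return FAULT_OTHER;
}

int main(void)
{
    size_t sz = sizeof(struct security_mnt_opts);

    /* 0x40 is the value reported in the thread. */
    printf("sizeof(struct security_mnt_opts) = %#zx\n", sz);
    printf("classification of 0x40 = %d\n", (int)classify_fault(0x40, sz));
    return 0;
}
```

A FAULT_SINGLE_BIT result only says the value is consistent with a flipped bit; it does not rule out a stray write, which is why the thread asks for both memtest86+ results and the earlier BUG/WARN output.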
