kernel NULL pointer dereference at rb_erase+0x1a3/0x370

From: Shuah Khan
Date: Tue Oct 02 2012 - 13:58:43 EST

Next message: Ben Myers: "[GIT PULL] XFS update for 3.7-rc1"
Previous message: Andy Shevchenko: "Re: [PATCH 1/7] string: introduce helper to get base file name fromgiven path"
Next in thread: Hugh Dickins: "Re: kernel NULL pointer dereference at rb_erase+0x1a3/0x370"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I started seeing the following null pointer dereference on
a linux-next sept 21 git and still seeing it on linux-next
Sep 27th git.

Can be reproduced easily. I have been able to reproduce every
time I do a complete build of a kernel on fresh checkout or
touch a header file that forces full build.

Related to lib/rbtree.c commits that went into September 21 perhaps.
I didn't get a chance to investigate this yet, thought I would share
just in case others have seen it.

[ 346.676805] audit_printk_skb: 24 callbacks suppressed
[ 346.676814] type=1400 audit(1349010919.383:28): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/cupsd" pid=905 comm="cupsd" pid=905 comm="cupsd" capability=36 capname="block_suspend"
[ 2219.660124] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 2219.660182] IP: [<ffffffff81323c93>] rb_erase+0x1a3/0x370
[ 2219.660209] PGD 73f2f067 PUD 67246067 PMD 0
[ 2219.660235] Oops: 0000 [#1] SMP
[ 2219.660257] Modules linked in: bnep arc4 iwldvm rfcomm bluetooth mac80211 coretemp radeon kvm_intel kvm snd_hda_codec_analog snd_hda_intel snd_hda_codec iwlwifi snd_hwdep snd_pcm snd_seq_midi snd_rawmidi ttm drm_kms_helper snd_seq_midi_event snd_seq drm pata_pcmcia cfg80211 psmouse snd_timer binfmt_misc pcmcia tpm_infineon hp_wmi snd_seq_device snd sparse_keymap joydev ppdev yenta_socket microcode hp_accel lis3lv02d soundcore wmi i2c_algo_bit parport_pc serio_raw pcmcia_rsrc pcmcia_core tpm_tis input_polldev snd_page_alloc lpc_ich mac_hid video lp parport firewire_ohci firewire_core crc_itu_t sdhci_pci sdhci e1000e
[ 2219.660632] CPU 0
[ 2219.660644] Pid: 1660, comm: recordmcount Not tainted 3.6.0-rc6-next-20120921+ #4 Hewlett-Packard HP EliteBook 6930p/30DC
[ 2219.660684] RIP: 0010:[<ffffffff81323c93>] [<ffffffff81323c93>] rb_erase+0x1a3/0x370
[ 2219.660714] RSP: 0018:ffff880073f318e8 EFLAGS: 00010246
[ 2219.662042] RAX: ffff88007911ea80 RBX: 000000000000003b RCX: 0000000000000000
[ 2219.663345] RDX: 0000000000000000 RSI: ffff88007a4e1c08 RDI: 0000000000000001
[ 2219.664007] RBP: ffff880073f318e8 R08: ffff88007911ea40 R09: 0000000000000000
[ 2219.664007] R10: ffff88007911ea00 R11: 0000000000000018 R12: ffff88007a4e19a0
[ 2219.664007] R13: 0000000000000001 R14: 0000000000000001 R15: 000000000000003c
[ 2219.664007] FS: 00002b380a82bb40(0000) GS:ffff88007fa00000(0000) knlGS:0000000000000000
[ 2219.664007] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2219.664007] CR2: 0000000000000000 CR3: 0000000079428000 CR4: 00000000000407f0
[ 2219.664007] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2219.664007] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 2219.664007] Process recordmcount (pid: 1660, threadinfo ffff880073f30000, task ffff88002fe9ada0)
[ 2219.664007] Stack:
[ 2219.664007] ffff880073f31948 ffffffff8125af6e ffff88007911eaa0 ffff88007911ea80
[ 2219.664007] ffff88002fe7c400 ffff88002fe7c400 0000000000000002 ffff88007a4e19a0
[ 2219.664007] ffff88007aa4e6e8 ffff88002fe7c400 0000000000000001 000000000000003b
[ 2219.664007] Call Trace:
[ 2219.664007] [<ffffffff8125af6e>] ext4_es_insert_extent+0x28e/0x2f0
[ 2219.664007] [<ffffffff81219e1d>] ext4_da_get_block_prep+0x11d/0x3b0
[ 2219.664007] [<ffffffff811afa63>] ? alloc_buffer_head+0x43/0x50
[ 2219.664007] [<ffffffff811afbde>] ? alloc_page_buffers+0x7e/0xf0
[ 2219.664007] [<ffffffff811b218e>] __block_write_begin+0x1ce/0x520
[ 2219.664007] [<ffffffff81219d00>] ? do_journal_get_write_access+0xb0/0xb0
[ 2219.664007] [<ffffffff81126b8f>] ? grab_cache_page_write_begin+0x8f/0xf0
[ 2219.664007] [<ffffffff8121d778>] ext4_da_write_begin+0xc8/0x210
[ 2219.664007] [<ffffffff81126082>] generic_file_buffered_write+0x112/0x290
[ 2219.664007] [<ffffffff81127826>] __generic_file_aio_write+0x1b6/0x3b0
[ 2219.664007] [<ffffffff81127a9f>] generic_file_aio_write+0x7f/0x100
[ 2219.664007] [<ffffffff81216640>] ext4_file_write+0xa0/0x460
[ 2219.664007] [<ffffffff8104a787>] ? pte_alloc_one+0x37/0x50
[ 2219.664007] [<ffffffff8167f3be>] ? _raw_spin_lock+0xe/0x20
[ 2219.664007] [<ffffffff8114c269>] ? __pte_alloc+0xa9/0x160
[ 2219.664007] [<ffffffff8117eed3>] do_sync_write+0xa3/0xe0
[ 2219.664007] [<ffffffff8117f563>] vfs_write+0xb3/0x180
[ 2219.664007] [<ffffffff8117f88a>] sys_write+0x4a/0x90
[ 2219.664007] [<ffffffff8168375e>] ? do_page_fault+0xe/0x10
[ 2219.664007] [<ffffffff81687da9>] system_call_fastpath+0x16/0x1b
[ 2219.664007] Code: 10 f6 c2 01 0f 84 4e 01 00 00 48 83 e2 fc 0f 84 10 ff ff ff 48 89 c1 48 89 d0 48 8b 50 08 48 39 ca 0f 85 71 ff ff ff 48 8b 50 10 <f6> 02 01 75 3a 48 8b 7a 08 48 89 c1 48 83 c9 01 48 89 78 10 48
[ 2219.664007] RIP [<ffffffff81323c93>] rb_erase+0x1a3/0x370
[ 2219.664007] RSP <ffff880073f318e8>
[ 2219.664007] CR2: 0000000000000000
[ 2219.724809] ---[ end trace dc0112a541a4c9dc ]---

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Ben Myers: "[GIT PULL] XFS update for 3.7-rc1"
Previous message: Andy Shevchenko: "Re: [PATCH 1/7] string: introduce helper to get base file name fromgiven path"
Next in thread: Hugh Dickins: "Re: kernel NULL pointer dereference at rb_erase+0x1a3/0x370"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]