NULL pointer deref at drm_lock_free()

From: Tommi Rantala
Date: Tue Feb 19 2013 - 12:43:13 EST


Hello,

Hit this oops a few times while fuzzing the kernel with Trinity in a
qemu virtual machine:

[ 133.012360] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 133.013015] IP: [<ffffffff814424d0>] drm_lock_free+0x90/0x110
[ 133.013015] PGD 2fed8067 PUD 2fed9067 PMD 0
[ 133.013015] Oops: 0000 [#1] SMP
[ 133.013015] CPU 0
[ 133.013015] Pid: 2718, comm: trinity-child20 Not tainted 3.8.0+ #87 Bochs Bochs
[ 133.013015] RIP: 0010:[<ffffffff814424d0>] [<ffffffff814424d0>] drm_lock_free+0x90/0x110
[ 133.013015] RSP: 0018:ffff88001400fd28 EFLAGS: 00010292
[ 133.013015] RAX: ffff8800140c2290 RBX: 0000000000000000 RCX: 0000000000000006
[ 133.013015] RDX: 0000000000001580 RSI: ffff8800140c2960 RDI: ffff8800140c2290
[ 133.013015] RBP: ffff88001400fd68 R08: 0000000000000000 R09: 0000000000000000
[ 133.013015] R10: 0000000000000000 R11: 0000000000000001 R12: 000000000055f4ff
[ 133.013015] R13: ffff88003b335c58 R14: ffff88003b335cc8 R15: ffff88001400fdd8
[ 133.013015] FS: 00007fb6cb6b6700(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
[ 133.013015] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 133.013015] CR2: 0000000000000000 CR3: 000000001402f000 CR4: 00000000000006f0
[ 133.013015] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 133.013015] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 133.013015] Process trinity-child20 (pid: 2718, threadinfo ffff88001400e000, task ffff8800140c2290)
[ 133.013015] Stack:
[ 133.013015] 2222222222222222 2222222222222222 2222222222222222 2222222222222222
[ 133.013015] ffff88003ca08000 ffff88003a9a4800 fffffffffffffff2 000000004008642b
[ 133.013015] ffff88001400fd78 ffffffff814425a2 ffff88001400fe88 ffffffff8143d710
[ 133.013015] Call Trace:
[ 133.013015] [<ffffffff814425a2>] drm_unlock+0x52/0x60
[ 133.013015] [<ffffffff8143d710>] drm_ioctl+0x3d0/0x4d0
[ 133.013015] [<ffffffff81442550>] ? drm_lock_free+0x110/0x110
[ 133.013015] [<ffffffff812fb640>] ? avc_has_perm_flags+0x1d0/0x2a0
[ 133.013015] [<ffffffff812fb498>] ? avc_has_perm_flags+0x28/0x2a0
[ 133.013015] [<ffffffff810f5b18>] ? trace_hardirqs_off_caller+0x28/0xd0
[ 133.013015] [<ffffffff810f5bcd>] ? trace_hardirqs_off+0xd/0x10
[ 133.013015] [<ffffffff811b5ff2>] do_vfs_ioctl+0x532/0x580
[ 133.013015] [<ffffffff812fc7d3>] ? file_has_perm+0x83/0xa0
[ 133.013015] [<ffffffff811b609d>] sys_ioctl+0x5d/0xa0
[ 133.013015] [<ffffffff813571de>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[ 133.013015] [<ffffffff81ca07e9>] system_call_fastpath+0x16/0x1b
[ 133.013015] Code: 00 00 01 00 00 00 4c 89 f7 e8 2d ce 85 00 b8 01 00 00 00 e9 82 00 00 00 0f 1f 00 4c 89 f7 e8 18 ce 85 00 0f 1f 84 00 00 00 00 00 <44> 8b 03 44 89 c1 44 89 45 cc 81 e1 ff ff ff 3f 89 4d d0 44 8b
[ 133.013015] RIP [<ffffffff814424d0>] drm_lock_free+0x90/0x110
[ 133.013015] RSP <ffff88001400fd28>
[ 133.013015] CR2: 0000000000000000
[ 133.062048] ---[ end trace 3d5401684feb563f ]---

Tommi
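Added example, not part of Tommi's message or of the kernel tree: a small Python triage script for oops reports like the one above. A fuzzer such as Trinity hits the same crash many times, so the script parses the oops text (faulting symbol and offset, register file, CR2, call trace, the `Code:` bytes), lists the registers that were zero when the fault hit, and derives a dedup signature from the faulting symbol plus the reliable call-trace frames (the ones not prefixed with `?`, which the unwinder marks as stale stack values). The sample input is the report's own oops with the mail-client line wraps rejoined; the signature scheme and the opcode decode in the comments are this example's own reasoning, not anything the report states.

```python
"""Added example (not from the report): triage an x86-64 Linux oops text.

Pulls the faulting symbol, register file, fault address and call trace out
of the oops, points at the register(s) that were NULL when the fault hit,
and builds a stable signature so repeated hits from a fuzzer such as
Trinity can be deduplicated instead of re-triaged by hand.
"""
import hashlib
import re

# Sample input: the oops from the report above, with the mail-client line
# wraps rejoined; the PGD/RSP/FS/CS/DR/Stack lines are not needed here.
OOPS = """\
[ 133.012360] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 133.013015] IP: [<ffffffff814424d0>] drm_lock_free+0x90/0x110
[ 133.013015] Pid: 2718, comm: trinity-child20 Not tainted 3.8.0+ #87 Bochs Bochs
[ 133.013015] RIP: 0010:[<ffffffff814424d0>] [<ffffffff814424d0>] drm_lock_free+0x90/0x110
[ 133.013015] RAX: ffff8800140c2290 RBX: 0000000000000000 RCX: 0000000000000006
[ 133.013015] RDX: 0000000000001580 RSI: ffff8800140c2960 RDI: ffff8800140c2290
[ 133.013015] RBP: ffff88001400fd68 R08: 0000000000000000 R09: 0000000000000000
[ 133.013015] R10: 0000000000000000 R11: 0000000000000001 R12: 000000000055f4ff
[ 133.013015] R13: ffff88003b335c58 R14: ffff88003b335cc8 R15: ffff88001400fdd8
[ 133.013015] CR2: 0000000000000000 CR3: 000000001402f000 CR4: 00000000000006f0
[ 133.013015] Call Trace:
[ 133.013015] [<ffffffff814425a2>] drm_unlock+0x52/0x60
[ 133.013015] [<ffffffff8143d710>] drm_ioctl+0x3d0/0x4d0
[ 133.013015] [<ffffffff81442550>] ? drm_lock_free+0x110/0x110
[ 133.013015] [<ffffffff812fb640>] ? avc_has_perm_flags+0x1d0/0x2a0
[ 133.013015] [<ffffffff812fb498>] ? avc_has_perm_flags+0x28/0x2a0
[ 133.013015] [<ffffffff810f5b18>] ? trace_hardirqs_off_caller+0x28/0xd0
[ 133.013015] [<ffffffff810f5bcd>] ? trace_hardirqs_off+0xd/0x10
[ 133.013015] [<ffffffff811b5ff2>] do_vfs_ioctl+0x532/0x580
[ 133.013015] [<ffffffff812fc7d3>] ? file_has_perm+0x83/0xa0
[ 133.013015] [<ffffffff811b609d>] sys_ioctl+0x5d/0xa0
[ 133.013015] [<ffffffff813571de>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[ 133.013015] [<ffffffff81ca07e9>] system_call_fastpath+0x16/0x1b
[ 133.013015] Code: 00 00 01 00 00 00 4c 89 f7 e8 2d ce 85 00 b8 01 00 00 00 e9 82 00 00 00 0f 1f 00 4c 89 f7 e8 18 ce 85 00 0f 1f 84 00 00 00 00 00 <44> 8b 03 44 89 c1 44 89 45 cc 81 e1 ff ff ff 3f 89 4d d0 44 8b
[ 133.013015] RIP [<ffffffff814424d0>] drm_lock_free+0x90/0x110
[ 133.062048] ---[ end trace 3d5401684feb563f ]---
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s*")
IP = re.compile(r"^IP: \[<[0-9a-f]+>\] (\w+)\+0x([0-9a-f]+)/0x([0-9a-f]+)")
REG = re.compile(r"\b(R[A-Z0-9]{2}|CR2): ([0-9a-f]{16})\b")
FRAME = re.compile(r"^\[<[0-9a-f]+>\] (\? )?(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")


def code_bytes(line):
    """Bytes from the '<xx>' marker on: the instruction that faulted and what follows."""
    toks = line.split(":", 1)[1].split()
    for i, tok in enumerate(toks):
        if tok.startswith("<"):
            return [t.strip("<>") for t in toks[i:]]
    return []


def parse_oops(text):
    """Return symbol/offset/size, regs, frames as (name, guessed) and the faulting bytes."""
    info = {"regs": {}, "frames": [], "code": []}
    in_trace = False
    for raw in text.splitlines():
        line = TS.sub("", raw)  # drop the "[ 133.013015] " timestamp
        if m := IP.match(line):
            info["symbol"] = m.group(1)
            info["offset"], info["size"] = int(m.group(2), 16), int(m.group(3), 16)
        for reg, val in REG.findall(line):
            info["regs"][reg] = int(val, 16)
        if line.startswith("Call Trace:"):
            in_trace = True
        elif line.startswith("Code:"):
            in_trace = False
            info["code"] = code_bytes(line)
        elif in_trace and (m := FRAME.match(line)):
            # "? " marks a stale value the unwinder found on the stack, not a real frame
            info["frames"].append((m.group(2), m.group(1) is not None))
    return info


def null_regs(info):
    """General-purpose registers that held 0 at the fault: candidates for the NULL base."""
    return sorted(r for r, v in info["regs"].items() if v == 0 and r != "CR2")


def signature(info, depth=3):
    """Dedup key: faulting symbol plus the first `depth` reliable (non-'?') frames."""
    reliable = [name for name, guessed in info["frames"] if not guessed]
    key = "|".join([info["symbol"], *reliable[:depth]])
    return hashlib.sha1(key.encode()).hexdigest()[:12], key


if __name__ == "__main__":
    info = parse_oops(OOPS)
    print(f"fault in {info['symbol']}+{info['offset']:#x}, CR2={info['regs']['CR2']:#x}")
    print("zero registers:", null_regs(info))
    # In this report code[:3] is 44 8b 03: REX.R + MOV r32,r/m32 with ModRM 0x03,
    # i.e. mov r8d, dword ptr [rbx]. RBX is 0, so the fault is a 32-bit load
    # through a NULL pointer, matching CR2 = 0 and "at (null)" in the header.
    print("faulting bytes:", " ".join(info["code"][:3]))
    print("signature:", *signature(info))
```

The point of the signature is triage volume: the same fuzzer child will hit `drm_lock_free` via `drm_unlock`/`drm_ioctl` repeatedly with different `?` noise frames and stack contents, and keying on the faulting symbol plus the reliable frames collapses those into one bucket. The register check is a quick sanity step before reading the disassembly: a zero base register together with CR2 = 0 confirms a plain NULL dereference rather than a wild pointer, which matters because an unprivileged ioctl reaching it is a denial-of-service bug on any system that exposes the DRM node.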
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/