tty: GPF in n_tty_receive_buf_common
From: Dmitry Vyukov
Date: Thu Jun 30 2016 - 04:42:27 EST
Hello,
I've got a GPF after booting the kernel and trying to ssh:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
Modules linked in:
CPU: 0 PID: 462 Comm: kworker/u9:3 Not tainted 4.7.0-rc5+ #22
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: events_unbound flush_to_ldisc
task: ffff88003de997c0 ti: ffff88003da38000 task.ti: ffff88003da38000
RIP: 0010:[<ffffffff8311a0c5>]
[< inline >] __read_once_size include/linux/compiler.h:222
[<ffffffff8311a0c5>] n_tty_receive_buf_common+0xe5/0x24a0 drivers/tty/n_tty.c:1690
RSP: 0018:ffff88003da3fa50 EFLAGS: 00010202
RAX: 000000000000044c RBX: ffff880035c9b7b8 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffff880035c9bb60 RDI: 0000000000000286
RBP: ffff88003da3fb40 R08: ffffffff89c761d0 R09: 0000000000000000
R10: 0000000000000001 R11: ffffffff8a1a4360 R12: ffff8800360a0ab8
R13: 0000000000000000 R14: 0000000000000002 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055c252926dd0 CR3: 0000000034ba2000 CR4: 00000000000006f0
Stack:
ffff88003da3fa98 ffff880035c9b9f0 0000000000000000 ffff88003de9a000
ffffffff86a91815 0000000000000001 0000000000002260 ffff8800360a3fb8
ffff8800360a3fb0 ffff880035c9bd30 ffff8800360a0ab8 dffffc0000000000
Call Trace:
[<ffffffff8311c4b3>] n_tty_receive_buf2+0x33/0x40 drivers/tty/n_tty.c:1746
[<ffffffff831223b9>] tty_ldisc_receive_buf+0xa9/0x1b0 drivers/tty/tty_buffer.c:429
[< inline >] receive_buf drivers/tty/tty_buffer.c:448
[<ffffffff83123471>] flush_to_ldisc+0x291/0x360 drivers/tty/tty_buffer.c:507
[<ffffffff813c4543>] process_one_work+0x793/0x1670 kernel/workqueue.c:2097
[<ffffffff813c54fb>] worker_thread+0xdb/0xfc0 kernel/workqueue.c:2231
[<ffffffff813d576f>] kthread+0x23f/0x2d0 drivers/block/aoe/aoecmd.c:1303
[<ffffffff86a9b5cf>] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:389
Code: ff ff ff 48 05 b4 03 00 00 48 89 45 80 48 c1 e8 03 4c 01 f8 48 89 85 78 ff ff ff e8 d6 c8 47 fe 48 8b 85 40 ff ff ff 48 c1 e8 03 <42> 80 3c 38 00 0f 85 97 1d 00 00 48 8b 45 88 4c 8b b0 60 22 00
RIP [< inline >] __read_once_size include/linux/compiler.h:222
RIP [<ffffffff8311a0c5>] n_tty_receive_buf_common+0xe5/0x24a0 drivers/tty/n_tty.c:1690
RSP <ffff88003da3fa50>
---[ end trace d0c27f5538dd1a3c ]---
I can reproduce it by doing ssh/exit several dozen times.
The crash happens in n_tty_receive_buf_common on this line:
size_t tail = smp_load_acquire(&ldata->read_tail);
This is with CONFIG_KASAN. The faulting address divided by 8 is RAX=44c, so the access was done to address 8800. The n_tty_data struct is large, so it means that ldata == NULL.
On commit 00bf377d19ad3d80cbc7a036521279a86e397bfb (Jun 27).
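The shadow-address arithmetic behind the "RAX=44c, so address 8800, so ldata == NULL" reasoning above, worked through as an added example. This is not part of the report or of the kernel source; it assumes the 4.7-era x86-64 KASAN constants (shadow scale shift 3, KASAN_SHADOW_OFFSET 0xdffffc0000000000, 48-bit virtual addresses) and an assumed sizeof(struct n_tty_data), which the report does not give. The only values taken from the oops are RAX, R15, RBX and the instruction bytes at the fault: `48 c1 e8 03` decodes to `shr $3,%rax` and `42 80 3c 38 00` (at `<42>`) to `cmpb $0,(%rax,%r15,1)`, i.e. the inline KASAN shadow check with R15 holding the shadow offset.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed x86-64 KASAN parameters for 4-level paging (4.7 era). */
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define X86_64_VA_BITS           48

/* Forward mapping the compiler emits before every instrumented access:
 * shadow = (addr >> 3) + KASAN_SHADOW_OFFSET. In the oops this appears as
 * "shr $3,%rax ; cmpb $0,(%rax,%r15,1)" with R15 == KASAN_SHADOW_OFFSET. */
static uint64_t kasan_shadow_of(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse used when reading such an oops: at the faulting cmpb, RAX still
 * holds addr >> 3, so shifting it back gives the address the kernel code
 * actually tried to read. */
static uint64_t kasan_addr_from_shifted(uint64_t shifted)
{
    return shifted << KASAN_SHADOW_SCALE_SHIFT;
}

/* With 48-bit virtual addresses, bits 63..47 must all equal bit 47.
 * An access through a non-canonical address raises #GP instead of #PF,
 * which is why a small (NULL-based) address shows up as a GPF under
 * inline KASAN rather than as a page fault. */
static bool x86_64_is_canonical(uint64_t addr)
{
    uint64_t top  = addr >> (X86_64_VA_BITS - 1);          /* 17 high bits */
    uint64_t ones = (1ULL << (64 - X86_64_VA_BITS + 1)) - 1;
    return top == 0 || top == ones;
}

struct kasan_gpf_analysis {
    uint64_t access_addr;      /* address the kernel code tried to read */
    uint64_t shadow_addr;      /* shadow byte the KASAN check tried to load */
    bool     shadow_canonical; /* false -> #GP, consistent with the oops */
    bool     null_base_deref;  /* access_addr fits as a field offset from NULL */
};

/* object_size: sizeof the struct the dereferenced pointer should point to.
 * If the recovered address is smaller than that, it is consistent with a
 * NULL base plus a field offset (here: &ldata->read_tail with ldata == NULL). */
static struct kasan_gpf_analysis
analyze_kasan_gpf(uint64_t rax_shifted_addr, uint64_t r15_shadow_offset,
                  size_t object_size)
{
    struct kasan_gpf_analysis a;
    a.access_addr      = kasan_addr_from_shifted(rax_shifted_addr);
    a.shadow_addr      = rax_shifted_addr + r15_shadow_offset;
    a.shadow_canonical = x86_64_is_canonical(a.shadow_addr);
    a.null_base_deref  = a.access_addr < object_size;
    return a;
}

int main(void)
{
    /* Register values from the oops: RAX=000000000000044c, R15=dffffc0000000000.
     * 16384 is an assumed upper bound for sizeof(struct n_tty_data); the
     * report only says the struct is large. */
    struct kasan_gpf_analysis a =
        analyze_kasan_gpf(0x44cULL, 0xdffffc0000000000ULL, 16384);

    printf("accessed address : %#llx (%llu decimal)\n",
           (unsigned long long)a.access_addr, (unsigned long long)a.access_addr);
    printf("shadow address   : %#llx, canonical=%d\n",
           (unsigned long long)a.shadow_addr, a.shadow_canonical);
    printf("NULL + offset    : %s\n", a.null_base_deref ? "yes" : "no");

    /* Sanity check: a real slab pointer from the oops (RBX) maps to a
     * canonical shadow address, so a valid ldata would not have faulted here. */
    printf("shadow of RBX canonical: %d\n",
           x86_64_is_canonical(kasan_shadow_of(0xffff880035c9b7b8ULL)));
    return 0;
}
```

Run stand-alone it prints the recovered address 0x2260 (8800), a non-canonical shadow address, and "NULL + offset: yes", which is the chain of inference in the report.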