Bug 1031287

Summary: [abrt] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
Product: [Fedora] Fedora Reporter: arctgalex
Component: kernel Assignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 19 CC: gansalmon, itamar, jonathan, kernel-maint, madhu.chinakonda, michele
Target Milestone: --- Flags: jforbes: needinfo?
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
URL: https://retrace.fedoraproject.org/faf/reports/bthash/031ac297e6b007983314d34eea6207c3f4e0b4e8
Whiteboard: abrt_hash:573eb806e4c585f5072754ab899484283145cfa4
Fixed In Version: Doc Type: Bug Fix
Last Closed: 2014-01-06 14:58:06 UTC Type: ---
Attachments:
Description Flags
File: dmesg none

Description arctgalex 2013-11-16 11:01:42 UTC
Additional info:
reporter:       libreport-2.1.9
BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
IP: [<ffffffff811c1077>] touch_atime+0x17/0x140
PGD 594b5067 PUD 594b6067 PMD 0 
Oops: 0000 [#1] SMP 
Modules linked in: fuse nf_conntrack_netbios_ns nf_conntrack_broadcast ipt_MASQUERADE bnep bluetooth rfkill ip6t_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw ppdev snd_hda_codec_hdmi snd_hda_codec_via snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device iTCO_wdt iTCO_vendor_support coretemp i2c_i801 kvm_intel kvm snd_pcm snd_page_alloc snd_timer snd r8169 mii shpchp soundcore serio_raw parport_pc parport microcode lpc_ich mfd_core asus_atk0110 acpi_cpufreq mperf uinput nouveau video mxm_wmi wmi i2c_algo_bit drm_kms_helper ata_generic ttm pata_acpi drm usb_storage pata_jmicron i2c_core
CPU: 1 PID: 8877 Comm: kio_thumbnail Not tainted 3.11.7-200.fc19.x86_64 #1
Hardware name: System manufacturer System Product Name/P5QL/EPU, BIOS 0408    07/20/2009
task: ffff8800594044a0 ti: ffff880051bae000 task.ti: ffff880051bae000
RIP: 0010:[<ffffffff811c1077>]  [<ffffffff811c1077>] touch_atime+0x17/0x140
RSP: 0018:ffff880051bafd88  EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff880051eb1398 RCX: 0000000000000000
RDX: 00000000000000b8 RSI: ffff880051eb1398 RDI: ffff880059b56d10
RBP: ffff880051bafda8 R08: 0000000000000000 R09: ffff880051eb1398
R10: 00007f0a557b0000 R11: 00007f0a557b0000 R12: 0000000000000000
R13: ffff880022db5698 R14: ffff88006f750400 R15: ffff88008cbf5398
FS:  00007f0a5c1d48c0(0000) GS:ffff8800bfa80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000030 CR3: 00000000594b4000 CR4: 00000000000007e0
Stack:
 00000000000080d0 ffff8800bf42b600 ffff880051eb1398 ffff880051fedca0
 ffff880051bafdc0 ffffffff8115348c ffff880051eb1398 ffff880051bafde8
 ffffffff8128abc6 ffff880022db5698 ffff880022db56a8 00007f0a557a0000
Call Trace:
 [<ffffffff8115348c>] shmem_mmap+0x1c/0x30
 [<ffffffff8128abc6>] shm_mmap+0x26/0x70
 [<ffffffff8116d53b>] mmap_region+0x40b/0x610
 [<ffffffff8116da45>] do_mmap_pgoff+0x305/0x3c0
 [<ffffffff8129da53>] ? file_map_prot_check+0x63/0xd0
 [<ffffffff8128bba3>] do_shmat+0x3b3/0x4b0
 [<ffffffff8128bcbc>] SyS_shmat+0x1c/0x30
 [<ffffffff81656999>] system_call_fastpath+0x16/0x1b
Code: 01 80 83 88 00 00 00 01 8b 54 24 04 48 8b 74 24 08 eb 8a 90 66 66 66 66 90 55 48 89 e5 41 54 53 48 83 ec 10 48 8b 47 08 4c 8b 27 <48> 8b 58 30 f6 43 0c 02 75 0f 48 8b 7b 28 48 8b 47 50 a9 01 04 
RIP  [<ffffffff811c1077>] touch_atime+0x17/0x140
 RSP <ffff880051bafd88>
CR2: 0000000000000030
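
Added example (not part of the original report): a small triage script that decodes the instruction marked `<48>` in the `Code:` line and checks it against the register dump and CR2. The embedded input is an excerpt of the oops above; the function names are this example's own, and only the `REX.W 8B /r` load form without a SIB byte is handled.

```python
import re

# Excerpt of the oops above (registers, CR2, tail of the Code: line), embedded to run offline.
OOPS = """\
RAX: 0000000000000000 RBX: ffff880051eb1398 RCX: 0000000000000000
RDX: 00000000000000b8 RSI: ffff880051eb1398 RDI: ffff880059b56d10
RBP: ffff880051bafda8 R08: 0000000000000000 R09: ffff880051eb1398
CR2: 0000000000000030 CR3: 00000000594b4000 CR4: 00000000000007e0
Code: 48 83 ec 10 48 8b 47 08 4c 8b 27 <48> 8b 58 30 f6 43 0c 02 75 0f
"""

# x86-64 register numbering, spelled the way the oops prints them (R08, R09, ...).
GPR = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI"] + [f"R{n:02d}" for n in range(8, 16)]

def decode_faulting_load(code_bytes):
    """Decode 'REX.W 8B /r' (mov r64, [base+disp]); return (dest, base, disp) or None."""
    rex, opcode, modrm = code_bytes[0], code_bytes[1], code_bytes[2]
    if rex & 0xF8 != 0x48 or opcode != 0x8B:
        return None
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3 or rm == 4 or (mod == 0 and rm == 5):
        return None  # register-direct, SIB or RIP-relative forms are out of scope here
    width = {0: 0, 1: 1, 2: 4}[mod]  # displacement size in bytes
    disp = int.from_bytes(code_bytes[3:3 + width], "little", signed=True) if width else 0
    dest = GPR[reg + 8 * ((rex >> 2) & 1)]  # REX.R extends the destination register
    base = GPR[rm + 8 * (rex & 1)]          # REX.B extends the base register
    return dest, base, disp

def triage(oops):
    """Tie the faulting instruction to the register dump and the fault address in CR2."""
    regs = {k: int(v, 16) for k, v in
            re.findall(r"\b([A-Z][A-Z0-9]{2}): ([0-9a-f]{16})\b", oops)}
    code = re.search(r"^Code: (.*)$", oops, re.M).group(1).split()
    idx = next(i for i, b in enumerate(code) if b.startswith("<"))  # <..> marks the faulting RIP
    decoded = decode_faulting_load(bytes(int(b.strip("<>"), 16) for b in code[idx:idx + 7]))
    if decoded is None:
        return None
    dest, base, disp = decoded
    return {"insn": f"mov {dest}, [{base}{disp:+#x}]", "base": base, "offset": disp,
            "null_base": regs[base] == 0,
            "matches_cr2": (regs[base] + disp) % 2**64 == regs["CR2"]}

if __name__ == "__main__":
    print(triage(OOPS))
```

For this oops the faulting load reads offset 0x30 from RAX, and RAX is 0, which accounts for the fault address 0000000000000030 reported in CR2.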

Comment 1 arctgalex 2013-11-16 11:01:56 UTC
Created attachment 824890 [details]
File: dmesg

Comment 2 Justin M. Forbes 2014-01-03 22:06:46 UTC
*********** MASS BUG UPDATE **************

We apologize for the inconvenience.  There is a large number of bugs to go through and several of them have gone stale.  Due to this, we are doing a mass bug update across all of the Fedora 19 kernel bugs.

Fedora 19 has now been rebased to 3.12.6-200.fc19.  Please test this kernel update (or newer) and let us know if your issue has been resolved or if it is still present with the newer kernel.

If you have moved on to Fedora 20, and are still experiencing this issue, please change the version to Fedora 20.

If you experience different issues, please open a new bug report for those.

Comment 3 Michele Baldessari 2014-01-04 13:22:57 UTC
http://oops.kernel.org/oops/bug-unable-to-handle-kernel-null-pointer-dereference-at-touch_atime/

This is fixed in 3.11.10 via:
Author: Greg Thelen <gthelen>
Date:   Thu Nov 21 14:32:00 2013 -0800

    ipc,shm: fix shm_file deletion races
    
    commit a399b29dfbaaaf91162b2dc5a5875dd51bbfa2a1 upstream.
    
    When IPC_RMID races with other shm operations there's potential for
    use-after-free of the shm object's associated file (shm_file).

    Workload 2:
      while true; do
        id=$(shmget 1 4096)
        shmat $id 4096 &
        shm_rmid $id &
        wait
      done

      The oops stack is similar to workload 1 due to NULL f_inode:
        touch_atime
        shmem_mmap
        shm_mmap
        mmap_region
        do_mmap_pgoff
        do_shmat
        SyS_shmat