248840 – sysfs_hash_and_remove NULL pointer dereference

Bug 248840 - sysfs_hash_and_remove NULL pointer dereference

Summary: sysfs_hash_and_remove NULL pointer dereference

Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	kernel
Sub Component:
Version:	7
Hardware:	x86_64
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Kernel Maintainer List
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2007-07-19 05:25 UTC by Eric Harney
Modified:	2007-12-12 17:09 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:
Doc Text:	(edit)
Clone Of:
Environment:	(edit)
Last Closed:	2007-12-12 17:09:59 UTC
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Eric Harney 2007-07-19 05:25:38 UTC

Description of problem:
NULL pointer dereference from the kernel.

Version-Release number of selected component (if applicable):
kernel-2.6.21-1.3228.fc7
selinux-policy-2.6.4-26.fc7

How reproducible:
Seems random, has happened twice.
Has not happened many times in the same circumstances.

Steps to Reproduce:
The first time this happened was right when I typed "setenforce 1" from a root
console (tty1).
The second time, the system was in enforcing mode and I was running a "fixfiles
relabel".

This is probably somehow selinux-related as I am just starting to setup selinux
on this machine, and saw both of these while playing with selinux utilities...
  
Actual results:

Unable to handle kernel NULL pointer dereference at 0000000000000003 RIP:
 [<ffffffff802f7acc>] sysfs_hash_and_remove+0x17/0x122
PGD 0 
Oops: 0000 [1] SMP 
last sysfs file: /block/dm-2/stat 
CPU 1 Jul 19 01:11:45 packetbane kernel: Modules linked in: w83627hf hwmon_vid
i2c_isa eeprom sunrpc ipv6 nf_conntrack_ftp nf_conntrack_netbios_ns
nf_conntrack_ipv4 xt_state nf_conntrack nfnetlink xt_tcpudp ipt_REJECT
iptable_filter ip_tables x_tables fuse vfat fat reiserfs dm_multipath video sbs
i2c_ec button dock battery ac parport_pc lp parport loop sr_mod cdrom snd_ca0106
snd_rawmidi snd_ac97_codec nvidia(P)(U) snd_seq_dummy snd_seq_oss
snd_seq_midi_event snd_seq snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm
snd_timer snd soundcore k8temp usblp ac97_bus hwmon snd_page_alloc shpchp
forcedeth pcspkr i2c_nforce2 k8_edac edac_mc i2c_core pata_amd sg joydev
dm_snapshot dm_zero dm_mirror dm_mod sata_nv ata_generic libata sd_mod scsi_mod
raid456 xor raid0 ext3 jbd mbcache ehci_hcd ohci_hcd uhci_hcd
Pid: 3374, comm: login Tainted: P       2.6.21-1.3228.fc7 #1
RIP: 0010:[<ffffffff802f7acc>]  [<ffffffff802f7acc>]
sysfs_hash_and_remove+0x17/0x122
RSP: 0018:ffff81006e6d7cc8  EFLAGS: 00010286
RAX: ffffffff8057c2e0 RBX: ffffffff8057c2d8 RCX: 0000000000100000
RDX: 0000000000000007 RSI: ffffffff8051527c RDI: fffffffffffffff3
RBP: fffffffffffffff3 R08: ffff81006e6d7bd8 R09: 00000000fffffff3
R10: ffff81007fed0007 R11: ffffffff8057c2a0 R12: fffffffffffffff3
R13: 0000000000000000 R14: ffffffff8051527c R15: ffff8100327b9c80Jul 19 01:11:45
packetbane kernel: FS:  00002aaaaaac3ed0(0000) GS:ffff81007fe0f940(0000)
knlGS:00000000f7fe56d0
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000003 CR3: 0000000000201000 CR4: 00000000000006e0
Process login (pid: 3374, threadinfo ffff81006e6d6000, task ffff81006b16e100)
Stack:  ffffffff8057c2d8 fffffffffffffff3 ffff810037dc0000 0000000000000000
 ffff81007feda080 ffffffff802f9f06 0000000512fd28db fffffffffffffff3
 ffffffff8057c2c0 ffffffff802f9f67 ffff810037dc00f0 ffffffff8057c2a0
Call Trace: 
 [<ffffffff802f9f06>] remove_files+0x1e/0x2a
 [<ffffffff802f9f67>] sysfs_remove_group+0x55/0x6f
 [<ffffffff803a241c>] device_pm_remove+0x40/0x8a
 [<ffffffff8039c1bf>] device_del+0x1de/0x210
 [<ffffffff8039c1fa>] device_unregister+0x9/0x12
 [<ffffffff80382e63>] vcs_remove_sysfs+0x1b/0x37
 [<ffffffff80388099>] con_close+0x52/0x66
 [<ffffffff8037fcdc>] release_dev+0x212/0x618 
 [<ffffffff8020aad1>] release_pages+0x13e/0x14b
 [<ffffffff8024cfc0>] tty_release+0x11/0x1a
 [<ffffffff8021140b>] __fput+0xc2/0x191
 [<ffffffff8022284c>] filp_close+0x5d/0x65
 [<ffffffff80235f8a>] put_files_struct+0x66/0xc5
 [<ffffffff80213edc>] do_exit+0x28d/0x7e0
 [<ffffffff80244144>] cpuset_exit+0x0/0x6b
 [<ffffffff8025729c>] tracesys+0xdc/0xe1


Code: 48 8b 47 10 48 85 c0 0f 84 f0 00 00 00 4c 8b af 98 00 00 00
RIP  [<ffffffff802f7acc>] sysfs_hash_and_remove+0x17/0x122
 RSP <ffff81006e6d7cc8>
CR2: 0000000000000003
Fixing recursive fault but reboot is needed!

Comment 1 Eric Harney 2007-07-19 05:57:07 UTC

Ok, this is actually 100% reproduceable on my system.
1.  Boot machine.
2.  Login as root on tty1.  Run "setenforce 1".
3.  Login as root on tty2 -- crash.

I should note that I am running selinux-policy-strict (2.6.4-26.fc7).  This
occurs with no extra local policy loaded.

Comment 2 Christopher Brown 2007-09-20 10:44:29 UTC

Hello Eric,

I'm reviewing this bug as part of the kernel bug triage project, an attempt to
isolate current bugs in the fedora kernel.

http://fedoraproject.org/wiki/KernelBugTriage

I am CC'ing myself to this bug and will try and assist you in resolving it if I can.

There hasn't been much activity on this bug for a while. Could you tell me if
you are still having problems with the latest kernel?

If the problem no longer exists then please close this bug or I'll do so in a
few days if there is no additional information lodged.

Cheers
Chris

Comment 3 Eric Harney 2007-12-12 17:09:59 UTC

No longer seen in current releases.

Note You need to log in before you can comment on or make changes to this bug.