[Kernel-packages] [Bug 1721065] Re: NULL pointer dereference in tty_write() in kernel 4.4.0-93.116+
** Tags added: cscc

--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1721065

Title:
  NULL pointer dereference in tty_write() in kernel 4.4.0-93.116+

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released

Bug description:
  Sometimes an Ubuntu kernel 4.4.0-93+ panics in the following way:

  [ 11.185347] BUG: unable to handle kernel NULL pointer dereference at (null)
  [ 11.185778] IP: [] tty_write+0x83/0x2d0
  [ 11.186115] PGD 0
  [ 11.186270] Oops: [#1] SMP
  [ 11.186506] Modules linked in: prl_fs(POE) prl_eth(POE) gpio_ich ppdev snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_timer input_leds snd serio_raw soundcore lpc_ich shpchp sbs prl_tg(POE) sbshc pvpanic parport_pc parport mac_hid autofs4 psmouse ahci libahci pata_acpi fjes
  [ 11.188034] CPU: 0 PID: 1 Comm: systemd Tainted: P OE 4.4.0-96-generic #119-Ubuntu
  [ 11.188482] Hardware name: Parallels Software International Inc. Parallels Virtual Platform/Parallels Virtual Platform, BIOS 13.1.0 (43104) 09/26/2017
  [ 11.189156] task: 88003db8 ti: 88003db88000 task.ti: 88003db88000
  [ 11.189546] RIP: 0010:[] [] tty_write+0x83/0x2d0
  [ 11.189964] RSP: :88003db8bcc8 EFLAGS: 00010246
  [ 11.190255] RAX: RBX: 8800392dd800 RCX:
  [ 11.190628] RDX: RSI: RDI: 8800392dd828
  [ 11.191002] RBP: 88003db8bd18 R08: 88003db88000 R09:
  [ 11.191398] R10: 005c R11: 00401ce0 R12: 002f
  [ 11.191775] R13: 88003584ae70 R14: 55c8eab15f20 R15: 88003584ae00
  [ 11.192152] FS: 7f649d1418c0() GS:88003de0() knlGS:
  [ 11.192573] CS: 0010 DS: ES: CR0: 80050033
  [ 11.192882] CR2: CR3: 3d3b6000 CR4: 06f0
  [ 11.193264] Stack:
  [ 11.193404] 813953ba 88003db8bd08 813493bd
  [ 11.193837] 002f 88003584ae00 55c8eab15f20 88003584ae70
  [ 11.194267] 002f 88003db8bf18 88003db8bd28 8120f878
  [ 11.194700] Call Trace:
  [ 11.194884] [] ? apparmor_file_permission+0x1a/0x20
  [ 11.195248] [] ? security_file_permission+0x3d/0xc0
  [ 11.195621] [] __vfs_write+0x18/0x40
  [ 11.195916] [] vfs_write+0xa9/0x1a0
  [ 11.196202] [] redirected_tty_write+0x60/0xa0
  [ 11.196532] [] ? tty_write+0x2d0/0x2d0
  [ 11.196830] [] do_loop_readv_writev+0x75/0xa0
  [ 11.197160] [] ? tty_write+0x2d0/0x2d0
  [ 11.197458] [] do_readv_writev+0x212/0x230
  [ 11.198439] [] ? do_vfs_ioctl+0x29f/0x490
  [ 11.199374] [] vfs_writev+0x39/0x50
  [ 11.200268] [] SyS_writev+0x59/0xf0
  [ 11.201144] [] ? SyS_ioctl+0x79/0x90
  [ 11.202049] [] entry_SYSCALL_64_fastpath+0x16/0x71
  [ 11.202980] Code: 47 02 00 00 48 8b 93 e0 01 00 00 83 e2 02 0f 85 37 02 00 00 48 83 78 50 00 0f 84 38 02 00 00 48 89 df e8 11 7f 00 00 48 89 45 b0 <48> 8b 00 48 8b 40 40 48 89 c2 48 89 45 c0 48 c7 c0 fb ff ff ff
  [ 11.208047] RIP [] tty_write+0x83/0x2d0
  [ 11.208942] RSP
  [ 11.209713] CR2:
  [ 11.210517] ---[ end trace 3b933544655b49b8 ]---
  [ 11.335210] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0009
  [ 11.335210]
  [ 11.337095] Kernel Offset: disabled
  [ 11.338184] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x0009

  The crash occurs here

  1227 static ssize_t tty_write(struct file *file, const char __user *buf,
  [...]
  1243         ld = tty_ldisc_ref_wait(tty);
  1244         if (!ld->ops->write)          // <===
  1245                 ret = -EIO;
  1246         else
  1247                 ret = do_tty_write(ld->ops->write, tty, file, buf, count);

  because tty_ldisc_ref_wait() returned NULL.

  It seems the issue has been introduced into 4.4.0-93+ kernels by the
  fix for the bug #1709126: according to the version 4.4.0-93.116
  changelog the patch "tty: Destroy ldisc instance on hangup"
  (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=892d1fa7eaaed9d3c04954cb140c34ebc3393932)
  that allowed tty_ldisc_ref_wait() to return NULL has been backported
  into the Ubuntu Linux kernel 4.4.0-93+.

  However, the patch "tty: Prepare for destroying line discipline on hangup"
  (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e55afd11a48354c810caf6b6ad4c103016a88230)
  from the same patchset (https://lkml.org/lkml/2015/11/27/476) that
  prepares tty_ldisc_ref_wait() callers for this hasn't been backported.

  Additional info:

  Kernel version:
  Linux version 4.4.0-96-generic (buildd@lgw01-10) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ub
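The failure mode described in the bug report above, as an added user-space model in C (not code from the report, the kernel tree, or the Ubuntu patch): a caller shaped like the quoted tty_write() lines beside one that checks the tty_ldisc_ref_wait() result before using it. The struct layouts, the *_model names, writer_crashes(), and the choice of -EIO for a hung-up tty are assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct tty_struct;

/* Simplified stand-ins for the kernel structures (assumed layout). */
struct tty_ldisc_ops {
    ssize_t (*write)(struct tty_struct *tty, const char *buf, size_t count);
};

struct tty_ldisc {
    const struct tty_ldisc_ops *ops;
};

struct tty_struct {
    /* volatile: in the kernel a hangup on another CPU clears this while a
     * writer is in flight, so the compiler must not assume its value. */
    struct tty_ldisc *volatile ldisc;
};

/* Hypothetical line-discipline write hook: pretends every byte was written. */
static ssize_t ldisc_write_model(struct tty_struct *tty, const char *buf, size_t count)
{
    (void)tty;
    (void)buf;
    return (ssize_t)count;
}

static const struct tty_ldisc_ops model_ops = { .write = ldisc_write_model };
static struct tty_ldisc model_ldisc = { .ops = &model_ops };

/* Models tty_ldisc_ref_wait() once "tty: Destroy ldisc instance on hangup"
 * is applied: NULL means the tty was hung up and has no line discipline. */
static struct tty_ldisc *ldisc_ref_wait_model(struct tty_struct *tty)
{
    return tty->ldisc;
}

/* Caller shaped like the lines quoted in the report: no NULL check. */
ssize_t tty_write_unchecked(struct tty_struct *tty, const char *buf, size_t count)
{
    struct tty_ldisc *ld = ldisc_ref_wait_model(tty);

    if (!ld->ops->write)        /* faults here when ld == NULL */
        return -EIO;
    return ld->ops->write(tty, buf, count);
}

/* Caller prepared for a NULL return; -EIO for a hung-up tty is assumed. */
ssize_t tty_write_checked(struct tty_struct *tty, const char *buf, size_t count)
{
    struct tty_ldisc *ld = ldisc_ref_wait_model(tty);

    if (!ld)
        return -EIO;
    if (!ld->ops->write)
        return -EIO;
    return ld->ops->write(tty, buf, count);
}

typedef ssize_t (*writer_fn)(struct tty_struct *, const char *, size_t);

/* Runs fn in a child process so a fault cannot take down the caller.
 * Returns 1 if the child ended abnormally, 0 if it exited cleanly, -1 on error. */
int writer_crashes(writer_fn fn, struct tty_struct *tty)
{
    int status = 0;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        fn(tty, "x", 1);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return !(WIFEXITED(status) && WEXITSTATUS(status) == 0);
}

int main(void)
{
    struct tty_struct live = { .ldisc = &model_ldisc };
    struct tty_struct hung = { .ldisc = NULL };

    printf("live tty, checked:   %zd\n", tty_write_checked(&live, "hi", 2));
    printf("hung tty, checked:   %zd\n", tty_write_checked(&hung, "hi", 2));
    printf("hung tty, unchecked crashes: %d\n",
           writer_crashes(tty_write_unchecked, &hung));
    return 0;
}
```

In the kernel the same unchecked dereference is not confined to one process: in the trace above it hit PID 1 (systemd), which is why the oops is followed by "Attempted to kill init!".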
[Kernel-packages] [Bug 1721065] Re: NULL pointer dereference in tty_write() in kernel 4.4.0-93.116+
** Changed in: linux (Ubuntu)
       Status: In Progress => Fix Released

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
[Kernel-packages] [Bug 1721065] Re: NULL pointer dereference in tty_write() in kernel 4.4.0-93.116+
This bug was fixed in the package linux - 4.4.0-101.124

---
linux (4.4.0-101.124) xenial; urgency=low

  * linux: 4.4.0-101.124 -proposed tracker (LP: #1731264)

  * s390/mm: fix write access check in gup_huge_pmd() (LP: #1730596)
    - s390/mm: fix write access check in gup_huge_pmd()

linux (4.4.0-100.123) xenial; urgency=low

  * linux: 4.4.0-100.123 -proposed tracker (LP: #1729273)

  * Xenial update to 4.4.95 stable release (LP: #1729107)
    - USB: devio: Revert "USB: devio: Don't corrupt user memory"
    - USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
    - USB: serial: metro-usb: add MS7820 device id
    - usb: cdc_acm: Add quirk for Elatec TWN3
    - usb: quirks: add quirk for WORLDE MINI MIDI keyboard
    - usb: hub: Allow reset retry for USB2 devices on connect bounce
    - ALSA: usb-audio: Add native DSD support for Pro-Ject Pre Box S2 Digital
    - can: gs_usb: fix busy loop if no more TX context is available
    - usb: musb: sunxi: Explicitly release USB PHY on exit
    - usb: musb: Check for host-mode using is_host_active() on reset interrupt
    - can: esd_usb2: Fix can_dlc value for received RTR, frames
    - drm/nouveau/bsp/g92: disable by default
    - drm/nouveau/mmu: flush tlbs before deleting page tables
    - ALSA: seq: Enable 'use' locking in all configurations
    - ALSA: hda: Remove superfluous '-' added by printk conversion
    - i2c: ismt: Separate I2C block read from SMBus block read
    - brcmsmac: make some local variables 'static const' to reduce stack size
    - bus: mbus: fix window size calculation for 4GB windows
    - clockevents/drivers/cs5535: Improve resilience to spurious interrupts
    - rtlwifi: rtl8821ae: Fix connection lost problem
    - KEYS: encrypted: fix dereference of NULL user_key_payload
    - lib/digsig: fix dereference of NULL user_key_payload
    - KEYS: don't let add_key() update an uninstantiated key
    - pkcs7: Prevent NULL pointer dereference, since sinfo is not always set.
    - parisc: Avoid trashing sr2 and sr3 in LWS code
    - parisc: Fix double-word compare and exchange in LWS code on 32-bit kernels
    - sched/autogroup: Fix autogroup_move_group() to never skip sched_move_task()
    - f2fs crypto: replace some BUG_ON()'s with error checks
    - f2fs crypto: add missing locking for keyring_key access
    - fscrypt: fix dereference of NULL user_key_payload
    - KEYS: Fix race between updating and finding a negative key
    - fscrypto: require write access to mount to set encryption policy
    - FS-Cache: fix dereference of NULL user_key_payload
    - Linux 4.4.95

  * Xenial update to 4.4.94 stable release (LP: #1729105)
    - percpu: make this_cpu_generic_read() atomic w.r.t. interrupts
    - drm/dp/mst: save vcpi with payloads
    - MIPS: Fix minimum alignment requirement of IRQ stack
    - sctp: potential read out of bounds in sctp_ulpevent_type_enabled()
    - bpf/verifier: reject BPF_ALU64|BPF_END
    - udpv6: Fix the checksum computation when HW checksum does not apply
    - ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header
    - net: emac: Fix napi poll list corruption
    - packet: hold bind lock when rebinding to fanout hook
    - bpf: one perf event close won't free bpf program attached by another perf event
    - isdn/i4l: fetch the ppp_write buffer in one shot
    - vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit
    - l2tp: Avoid schedule while atomic in exit_net
    - l2tp: fix race condition in l2tp_tunnel_delete
    - tun: bail out from tun_get_user() if the skb is empty
    - packet: in packet_do_bind, test fanout with bind_lock held
    - packet: only test po->has_vnet_hdr once in packet_snd
    - net: Set sk_prot_creator when cloning sockets to the right proto
    - tipc: use only positive error codes in messages
    - Revert "bsg-lib: don't free job in bsg_prepare_job"
    - locking/lockdep: Add nest_lock integrity test
    - watchdog: kempld: fix gcc-4.3 build
    - irqchip/crossbar: Fix incorrect type of local variables
    - mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length
    - mac80211: fix power saving clients handling in iwlwifi
    - net/mlx4_en: fix overflow in mlx4_en_init_timestamp()
    - netfilter: nf_ct_expect: Change __nf_ct_expect_check() return value.
    - iio: adc: xilinx: Fix error handling
    - Btrfs: send, fix failure to rename top level inode due to name collision
    - f2fs: do not wait for writeback in write_begin
    - md/linear: shutup lockdep warnning
    - sparc64: Migrate hvcons irq to panicked cpu
    - net/mlx4_core: Fix VF overwrite of module param which disables DMFS on new probed PFs
    - crypto: xts - Add ECB dependency
    - ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock
    - slub: do not merge cache if slub_debug contains a never-merge flag
    - scsi: scsi_dh_emc: return success in clariion_std_inquiry()
    - net: mvpp2: release reference to txq_cpu[] entry after unmapping
    - i
[Kernel-packages] [Bug 1721065] Re: NULL pointer dereference in tty_write() in kernel 4.4.0-93.116+
The issue has been verified with the kernel 4.4.0-100.123.

** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Xenial:
  Fix Committed
[Kernel-packages] [Bug 1721065] Re: NULL pointer dereference in tty_write() in kernel 4.4.0-93.116+
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-xenial' to 'verification-done-xenial'. If the
problem still exists, change the tag 'verification-needed-xenial' to
'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!

** Tags added: verification-needed-xenial

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Xenial:
  Fix Committed
[Kernel-packages] [Bug 1721065] Re: NULL pointer dereference in tty_write() in kernel 4.4.0-93.116+
** Changed in: linux (Ubuntu Xenial)
       Status: In Progress => Fix Committed

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Xenial:
  Fix Committed
[Kernel-packages] [Bug 1721065] Re: NULL pointer dereference in tty_write() in kernel 4.4.0-93.116+
> http://kernel.ubuntu.com/~jsalisbury/lp1721065/
> Can you test this kernel and see if it resolves this bug?

Hi Joseph,

I've tested the kernel and I confirm that the issue does not reproduce
in my environment with this kernel.

Thanks!

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Xenial:
  In Progress
[Kernel-packages] [Bug 1721065] Re: NULL pointer dereference in tty_write() in kernel 4.4.0-93.116+
I built a X test kernel with a pick of commit e55afd11a4835. The test kernel can be downloaded from:
http://kernel.ubuntu.com/~jsalisbury/lp1721065/

Can you test this kernel and see if it resolves this bug?

** Changed in: linux (Ubuntu Xenial)
     Assignee: (unassigned) => Joseph Salisbury (jsalisbury)

** Changed in: linux (Ubuntu)
     Assignee: (unassigned) => Joseph Salisbury (jsalisbury)

** Changed in: linux (Ubuntu Xenial)
       Status: Triaged => In Progress

** Changed in: linux (Ubuntu)
       Status: Triaged => In Progress

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Xenial:
  In Progress
[Kernel-packages] [Bug 1721065] Re: NULL pointer dereference in tty_write() in kernel 4.4.0-93.116+
** Changed in: linux (Ubuntu)
   Importance: Undecided => High

** Tags added: kernel-da-key

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu)
       Status: Incomplete => Triaged

** Changed in: linux (Ubuntu Xenial)
       Status: New => Triaged

** Changed in: linux (Ubuntu Xenial)
   Importance: Undecided => High

Status in linux package in Ubuntu:
  Triaged
Status in linux source package in Xenial:
  Triaged
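The failure mode described in this bug, as an added example that is not the kernel's code or the patch discussed in the thread: a userspace C model of a call site that dereferences the result of tty_ldisc_ref_wait() without a NULL check, next to a checked variant. All model_* names and the choice of -EIO for a hung-up tty are assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/types.h>

/* Constructed userspace stand-ins for the kernel structures (not kernel code). */
struct model_ldisc_ops { ssize_t (*write)(const char *buf, size_t n); };
struct model_ldisc { const struct model_ldisc_ops *ops; };
struct model_tty { struct model_ldisc *ldisc; };

/* Models a hangup that destroys the line discipline instance. */
static void model_hangup(struct model_tty *tty) { tty->ldisc = NULL; }

/* Models tty_ldisc_ref_wait() once it is allowed to return NULL. */
static struct model_ldisc *model_ldisc_ref_wait(struct model_tty *tty) { return tty->ldisc; }

/* Stand-in line discipline write: pretends every byte was written. */
static ssize_t model_ldisc_write(const char *buf, size_t n) { (void)buf; return (ssize_t)n; }

/* Shape of the crashing call site: ld is dereferenced unconditionally,
 * so it is only safe while the tty still has a line discipline. */
static ssize_t model_tty_write_unchecked(struct model_tty *tty, const char *buf, size_t n)
{
    struct model_ldisc *ld = model_ldisc_ref_wait(tty);
    if (!ld->ops->write)            /* faults here when ld == NULL */
        return -EIO;
    return ld->ops->write(buf, n);
}

/* Checked variant: a NULL ldisc means the tty was hung up, so fail the write. */
static ssize_t model_tty_write_checked(struct model_tty *tty, const char *buf, size_t n)
{
    struct model_ldisc *ld = model_ldisc_ref_wait(tty);
    if (!ld)
        return -EIO;                /* assumption: report hangup as -EIO */
    if (!ld->ops->write)
        return -EIO;
    return ld->ops->write(buf, n);
}

int main(void)
{
    const struct model_ldisc_ops ops = { model_ldisc_write };
    struct model_ldisc ld = { &ops };
    struct model_tty tty = { &ld };
    ssize_t live = model_tty_write_unchecked(&tty, "x", 1);   /* safe: ldisc present */
    model_hangup(&tty);
    return (live == 1 && model_tty_write_checked(&tty, "x", 1) == -EIO) ? 0 : 1;
}
```

The unchecked variant is only exercised before the modelled hangup; calling it afterwards reproduces the NULL dereference as a userspace segfault.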