The issue seems to occur when /dev/snapshot is opened but not closed by
a userspace program. In this case, the close is instead done
automatically by the kernel when the opening program exits.
For example, the following C program causes a panic reliably in an LXD
VM running 6.14.0-15-generic:
root@plucky-vm:~# cat test.c
#include <fcntl.h>
#include <stdio.h>

int main(void) {
    int fd;

    /* Open /dev/snapshot and deliberately never close() it; the kernel
     * releases the descriptor itself when the process exits. */
    fd = open("/dev/snapshot", O_RDONLY);
    if (fd == -1)
        perror("open");
    return 0;
}
root@plucky-vm:~# gcc -o test test.c
root@plucky-vm:~# ./test
----
[ 166.826999] BUG: kernel NULL pointer dereference, address: 0000000000000028
[ 166.830942] #PF: supervisor read access in kernel mode
[ 166.831702] #PF: error_code(0x0000) - not-present page
[ 166.832664] PGD 0 P4D 0
[ 166.833237] Oops: Oops: 0000 [#1] PREEMPT SMP PTI
[ 166.834420] CPU: 7 UID: 0 PID: 1197 Comm: test Not tainted 6.14.0-15-generic #15-Ubuntu
[ 166.835975] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)/LXD, BIOS unknown 2/2/2022
[ 166.837733] RIP: 0010:alloc_fs_context+0x98/0x2c0
[ 166.838754] Code: 49 89 47 28 48 8b 82 e0 0c 00 00 48 85 c0 74 0f c7 80 a8 00 00 00 00 00 00 00 f0 48 83 00 01 49 89 47 58 48 8b 82 48 0d 00 00 <4c> 8b 70 28 b8 01 00 00 00 49 8d be 8c 00 00 00 f0 41 0f c1 86 8c
[ 166.841843] RSP: 0018:ffffb83d01a97c68 EFLAGS: 00010206
[ 166.842828] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 166.843878] RDX: ffff8b04c9b00000 RSI: 0000000000000000 RDI: 0000000000000000
[ 166.844964] RBP: ffffb83d01a97c98 R08: 0000000000000000 R09: 0000000000000000
[ 166.845989] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffa8caf840
[ 166.847189] R13: 0000000000000000 R14: 0000000000000000 R15: ffff8b04c9ad70c0
[ 166.848519] FS: 0000000000000000(0000) GS:ffff8b053bb80000(0000) knlGS:0000000000000000
[ 166.849674] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 166.850528] CR2: 0000000000000028 CR3: 000000015aa40003 CR4: 0000000000372ef0
[ 166.851694] Call Trace:
[ 166.852089] <TASK>
[ 166.852503] ? show_trace_log_lvl+0x1be/0x310
[ 166.853215] ? show_trace_log_lvl+0x1be/0x310
[ 166.853902] ? fs_context_for_mount+0x17/0x30
[ 166.854560] ? show_regs.part.0+0x22/0x30
[ 166.855170] ? __die_body.cold+0x8/0x10
[ 166.855702] ? __die+0x2a/0x40
[ 166.856230] ? page_fault_oops+0x16e/0x180
[ 166.856801] ? do_user_addr_fault+0x4c9/0x7e0
[ 166.857448] ? exc_page_fault+0x85/0x1e0
[ 166.858061] ? asm_exc_page_fault+0x27/0x30
[ 166.858680] ? alloc_fs_context+0x98/0x2c0
[ 166.859259] ? alloc_fs_context+0x66/0x2c0
[ 166.859866] fs_context_for_mount+0x17/0x30
[ 166.860600] vfs_kern_mount.part.0+0x19/0xd0
[ 166.861222] vfs_kern_mount+0x13/0x40
[ 166.861797] efivarfs_pm_notify+0xfe/0x130
[ 166.862442] ? __pfx_efivarfs_actor+0x10/0x10
[ 166.863098] notifier_call_chain+0x5e/0xe0
[ 166.863723] blocking_notifier_call_chain+0x41/0x70
[ 166.864474] pm_notifier_call_chain+0x1a/0x30
[ 166.865053] snapshot_release+0x71/0xb0
[ 166.865757] __fput+0xea/0x2d0
[ 166.866188] ____fput+0x15/0x20
[ 166.866687] task_work_run+0x5d/0xa0
[ 166.867223] do_exit+0x26e/0x4c0
[ 166.867679] do_group_exit+0x34/0x90
[ 166.868469] __x64_sys_exit_group+0x18/0x20
[ 166.869235] x64_sys_call+0x141e/0x2310
[ 166.870255] do_syscall_64+0x7e/0x170
[ 166.871109] ? clear_bhb_loop+0x15/0x70
[ 166.871869] entry_SYSCALL_64_after_hwframe+0x76/0x7e
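To make an oops like the one above quicker to triage, here is an added example that is not part of the bug report: a small Python parser that pulls the faulting address, the RIP symbol and the call trace out of the dmesg text, discards the frames the kernel marks with `?` (stale addresses found on the stack, not a verified call chain), and answers the questions a reviewer asks first: is the address a NULL base plus a field offset, which syscall was in flight, and did the release callback run from the task-exit path. The input is a constructed excerpt of the oops quoted above (registers omitted); every function and name is this example's own.

```python
import re

# Constructed input: an excerpt of the oops from the report above (registers dropped).
OOPS = """\
[  166.826999] BUG: kernel NULL pointer dereference, address: 0000000000000028
[  166.830942] #PF: supervisor read access in kernel mode
[  166.831702] #PF: error_code(0x0000) - not-present page
[  166.837733] RIP: 0010:alloc_fs_context+0x98/0x2c0
[  166.851694] Call Trace:
[  166.852089]  <TASK>
[  166.852503]  ? show_trace_log_lvl+0x1be/0x310
[  166.858680]  ? alloc_fs_context+0x98/0x2c0
[  166.859866]  fs_context_for_mount+0x17/0x30
[  166.860600]  vfs_kern_mount.part.0+0x19/0xd0
[  166.861222]  vfs_kern_mount+0x13/0x40
[  166.861797]  efivarfs_pm_notify+0xfe/0x130
[  166.862442]  ? __pfx_efivarfs_actor+0x10/0x10
[  166.863098]  notifier_call_chain+0x5e/0xe0
[  166.863723]  blocking_notifier_call_chain+0x41/0x70
[  166.864474]  pm_notifier_call_chain+0x1a/0x30
[  166.865053]  snapshot_release+0x71/0xb0
[  166.865757]  __fput+0xea/0x2d0
[  166.866188]  ____fput+0x15/0x20
[  166.866687]  task_work_run+0x5d/0xa0
[  166.867223]  do_exit+0x26e/0x4c0
[  166.867679]  do_group_exit+0x34/0x90
[  166.868469]  __x64_sys_exit_group+0x18/0x20
[  166.869235]  x64_sys_call+0x141e/0x2310
[  166.870255]  do_syscall_64+0x7e/0x170
[  166.871109]  ? clear_bhb_loop+0x15/0x70
[  166.871869]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
"""

TIMESTAMP_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*(.*)$")
# symbol+0xoff/0xsize, optionally preceded by the "? " unreliable marker
FRAME_RE = re.compile(r"^(\?\s+)?([A-Za-z_.][\w.]*)\+0x([0-9a-f]+)/0x([0-9a-f]+)$")
RIP_RE = re.compile(r"^RIP:\s*[0-9a-f]{4}:(.+)$")
BUG_RE = re.compile(r"address:\s*([0-9a-f]+)")
PF_RE = re.compile(r"^#PF:\s*(supervisor|user)\s+(read|write|instruction fetch)")


def strip_timestamp(line):
    m = TIMESTAMP_RE.match(line)
    return m.group(1).strip() if m else line.strip()


def parse_frame(text):
    m = FRAME_RE.match(text)
    if not m:
        return None
    return {"symbol": m.group(2), "offset": int(m.group(3), 16),
            "size": int(m.group(4), 16), "reliable": m.group(1) is None}


def parse_oops(text):
    """Extract faulting address, access type, RIP location and call-trace frames."""
    info = {"fault_addr": None, "access": None, "rip": None, "frames": []}
    in_trace = False
    for raw in text.splitlines():
        line = strip_timestamp(raw)
        if line.startswith("BUG:"):
            m = BUG_RE.search(line)
            if m:
                info["fault_addr"] = int(m.group(1), 16)
        elif line.startswith("#PF:"):
            m = PF_RE.match(line)
            if m:
                info["access"] = m.group(2)
        elif line.startswith("RIP:"):
            m = RIP_RE.match(line)
            if m:
                info["rip"] = parse_frame(m.group(1))
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace:
            if line in ("<TASK>", "</TASK>"):
                continue
            frame = parse_frame(line)
            if frame is None:      # first non-frame line ends the trace
                break
            info["frames"].append(frame)
    return info


def null_field_offset(info, page_size=4096):
    """A faulting address below one page is a NULL struct pointer plus a field offset."""
    addr = info["fault_addr"]
    return addr if addr is not None and addr < page_size else None


def reliable_frames(info):
    """Call chain innermost-first, without the '?' frames the unwinder could not verify."""
    return [f["symbol"] for f in info["frames"] if f["reliable"]]


def syscall_entry(info):
    """Name of the syscall in flight, taken from the __x64_sys_* frame."""
    for sym in reliable_frames(info):
        m = re.match(r"__x64_sys_(\w+)$", sym)
        if m:
            return m.group(1)
    return None


def released_during_exit(info):
    """True when a file-release callback (__fput) ran from the task-exit path (do_exit)."""
    syms = reliable_frames(info)
    return "__fput" in syms and "do_exit" in syms


def frames_inside(info, symbol):
    """Reliable frames from the crash site up to and including `symbol`."""
    syms = reliable_frames(info)
    return syms[:syms.index(symbol) + 1] if symbol in syms else []


if __name__ == "__main__":
    info = parse_oops(OOPS)
    print("fault at NULL+0x%x, %s in %s+0x%x" % (null_field_offset(info), info["access"],
          info["rip"]["symbol"], info["rip"]["offset"]))
    print("syscall:", syscall_entry(info), "| released during exit:", released_during_exit(info))
    print("release callback chain:", " <- ".join(frames_inside(info, "snapshot_release")))
```

Reading the result the same way a kernel maintainer would: the reliable chain runs from `snapshot_release` through the PM notifier into `efivarfs_pm_notify` and `vfs_kern_mount`, and the outer frames show that chain executing from `__fput` under `do_exit`, i.e. the deferred close the report describes rather than an explicit `close()` from userspace.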
--
https://bugs.launchpad.net/bugs/2113990
Title:
NULL pointer dereference caught by ubuntu_stress_smoke_test:sut-scan