The issue has been verified with the kernel 4.4.0-100.123.

** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1721065

Title:
  NULL pointer dereference in tty_write() in kernel 4.4.0-93.116+

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Xenial:
  Fix Committed

Bug description:
  Sometimes an Ubuntu kernel 4.4.0-93+ panics in the following way:

  [   11.185347] BUG: unable to handle kernel NULL pointer dereference at (null)
  [   11.185778] IP: [<ffffffff814f9cf3>] tty_write+0x83/0x2d0
  [   11.186115] PGD 0
  [   11.186270] Oops: 0000 [#1] SMP
  [   11.186506] Modules linked in: prl_fs(POE) prl_eth(POE) gpio_ich ppdev snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_timer input_leds snd serio_raw soundcore lpc_ich shpchp sbs prl_tg(POE) sbshc pvpanic parport_pc parport mac_hid autofs4 psmouse ahci libahci pata_acpi fjes
  [   11.188034] CPU: 0 PID: 1 Comm: systemd Tainted: P           OE   4.4.0-96-generic #119-Ubuntu
  [   11.188482] Hardware name: Parallels Software International Inc. Parallels Virtual Platform/Parallels Virtual Platform, BIOS 13.1.0 (43104) 09/26/2017
  [   11.189156] task: ffff88003db80000 ti: ffff88003db88000 task.ti: ffff88003db88000
  [   11.189546] RIP: 0010:[<ffffffff814f9cf3>]  [<ffffffff814f9cf3>] tty_write+0x83/0x2d0
  [   11.189964] RSP: 0000:ffff88003db8bcc8  EFLAGS: 00010246
  [   11.190255] RAX: 0000000000000000 RBX: ffff8800392dd800 RCX: 0000000000000000
  [   11.190628] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8800392dd828
  [   11.191002] RBP: ffff88003db8bd18 R08: ffff88003db88000 R09: 0000000000000000
  [   11.191398] R10: 000000000000005c R11: 0000000000401ce0 R12: 000000000000002f
  [   11.191775] R13: ffff88003584ae70 R14: 000055c8eab15f20 R15: ffff88003584ae00
  [   11.192152] FS:  00007f649d1418c0(0000) GS:ffff88003de00000(0000) knlGS:0000000000000000
  [   11.192573] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [   11.192882] CR2: 0000000000000000 CR3: 000000003d3b6000 CR4: 00000000000006f0
  [   11.193264] Stack:
  [   11.193404]  0000000000000000 ffffffff813953ba ffff88003db8bd08 ffffffff813493bd
  [   11.193837]  000000000000002f ffff88003584ae00 000055c8eab15f20 ffff88003584ae70
  [   11.194267]  000000000000002f ffff88003db8bf18 ffff88003db8bd28 ffffffff8120f878
  [   11.194700] Call Trace:
  [   11.194884]  [<ffffffff813953ba>] ? apparmor_file_permission+0x1a/0x20
  [   11.195248]  [<ffffffff813493bd>] ? security_file_permission+0x3d/0xc0
  [   11.195621]  [<ffffffff8120f878>] __vfs_write+0x18/0x40
  [   11.195916]  [<ffffffff81210209>] vfs_write+0xa9/0x1a0
  [   11.196202]  [<ffffffff814f9fa0>] redirected_tty_write+0x60/0xa0
  [   11.196532]  [<ffffffff814f9f40>] ? tty_write+0x2d0/0x2d0
  [   11.196830]  [<ffffffff8120f5d5>] do_loop_readv_writev+0x75/0xa0
  [   11.197160]  [<ffffffff814f9f40>] ? tty_write+0x2d0/0x2d0
  [   11.197458]  [<ffffffff81210512>] do_readv_writev+0x212/0x230
  [   11.198439]  [<ffffffff81223faf>] ? do_vfs_ioctl+0x29f/0x490
  [   11.199374]  [<ffffffff812105b9>] vfs_writev+0x39/0x50
  [   11.200268]  [<ffffffff812112e9>] SyS_writev+0x59/0xf0
  [   11.201144]  [<ffffffff81224219>] ? SyS_ioctl+0x79/0x90
  [   11.202049]  [<ffffffff81843272>] entry_SYSCALL_64_fastpath+0x16/0x71
  [   11.202980] Code: 47 02 00 00 48 8b 93 e0 01 00 00 83 e2 02 0f 85 37 02 00 00 48 83 78 50 00 0f 84 38 02 00 00 48 89 df e8 11 7f 00 00 48 89 45 b0 <48> 8b 00 48 8b 40 40 48 89 c2 48 89 45 c0 48 c7 c0 fb ff ff ff
  [   11.208047] RIP  [<ffffffff814f9cf3>] tty_write+0x83/0x2d0
  [   11.208942]  RSP <ffff88003db8bcc8>
  [   11.209713] CR2: 0000000000000000
  [   11.210517] ---[ end trace 3b933544655b49b8 ]---
  [   11.335210] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
  [   11.335210]
  [   11.337095] Kernel Offset: disabled
  [   11.338184] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009

  The crash occurs here:

    static ssize_t tty_write(struct file *file, const char __user *buf,
    [...]
            ld = tty_ldisc_ref_wait(tty);
            if (!ld->ops->write)    // <=== NULL dereference of ld
                    ret = -EIO;
            else
                    ret = do_tty_write(ld->ops->write, tty, file, buf, count);

  because tty_ldisc_ref_wait() returned NULL.

  It seems the issue has been introduced into 4.4.0-93+ kernels by the fix
  for the bug #1709126: according to the version 4.4.0-93.116 changelog, the
  patch "tty: Destroy ldisc instance on hangup"
  (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=892d1fa7eaaed9d3c04954cb140c34ebc3393932),
  which allowed tty_ldisc_ref_wait() to return NULL, has been backported into
  the Ubuntu Linux kernel 4.4.0-93+. However, the patch "tty: Prepare for
  destroying line discipline on hangup"
  (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e55afd11a48354c810caf6b6ad4c103016a88230)
  from the same patchset (https://lkml.org/lkml/2015/11/27/476), which
  prepares the tty_ldisc_ref_wait() callers for this, hasn't been backported.
  Additional info:

  Kernel version:
  Linux version 4.4.0-96-generic (buildd@lgw01-10) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #119-Ubuntu SMP Tue Sep 12 14:59:54 UTC 2017

  lsb_release -rd output:
  Description:    Ubuntu 16.04.3 LTS
  Release:        16.04
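The failure mode described in the report is a classic partial-backport hazard: one commit changes a function's contract (tty_ldisc_ref_wait() may now return NULL), and the companion commit that teaches every caller to handle that contract is missing. The following userspace model is an added example written for this page; it is not code from the bug report, from Ubuntu, or from the upstream kernel. It reduces the tty structures to the fields needed to show the pattern (the struct layouts, the n_tty_write stand-in and the hangup model are assumptions of the example) and puts the unchecked caller, shaped like tty_write() in the 4.4.0-93 kernel, next to a caller with the NULL check that the "Prepare for destroying line discipline on hangup" commit adds (upstream returns through hung_up_tty_write(), which yields -EIO; here the -EIO is returned directly).

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

#define EIO 5

/* Minimal userspace model of the kernel structures involved.  The field
 * layout is an assumption of this example, not the real kernel layout. */
struct tty_ldisc_ops {
	ssize_t (*write)(const char *buf, size_t count);
};

struct tty_ldisc {
	const struct tty_ldisc_ops *ops;
};

struct tty_struct {
	struct tty_ldisc *ldisc;   /* NULL once the ldisc has been destroyed */
};

/* Stand-in for the N_TTY write method: reports everything as written. */
static ssize_t n_tty_write(const char *buf, size_t count)
{
	(void)buf;
	return (ssize_t)count;
}

static const struct tty_ldisc_ops n_tty_ops = { .write = n_tty_write };
static struct tty_ldisc n_tty_ldisc = { .ops = &n_tty_ops };

/* Model of tty_ldisc_ref_wait() after "tty: Destroy ldisc instance on
 * hangup" (892d1fa7): it can hand back NULL once the line discipline has
 * been torn down.  Before that commit a caller always got a valid
 * reference, which is what the unchecked caller below still relies on. */
static struct tty_ldisc *tty_ldisc_ref_wait(struct tty_struct *tty)
{
	return tty->ldisc;
}

/* Model of the hangup path: the ldisc instance is destroyed. */
static void tty_hangup(struct tty_struct *tty)
{
	tty->ldisc = NULL;
}

/* Caller shaped like tty_write() in Ubuntu 4.4.0-93+: no NULL check, so
 * reading ld->ops is a NULL dereference once the tty has been hung up.
 * Do not call this on a hung-up tty; it models the oops in the report. */
static ssize_t tty_write_unchecked(struct tty_struct *tty, const char *buf, size_t count)
{
	struct tty_ldisc *ld = tty_ldisc_ref_wait(tty);

	if (!ld->ops->write)
		return -EIO;
	return ld->ops->write(buf, count);
}

/* Caller with the check that "tty: Prepare for destroying line discipline
 * on hangup" (e55afd11) adds: a NULL ldisc means the tty is hung up, and
 * the write fails with -EIO instead of oopsing. */
static ssize_t tty_write_checked(struct tty_struct *tty, const char *buf, size_t count)
{
	struct tty_ldisc *ld = tty_ldisc_ref_wait(tty);

	if (!ld)
		return -EIO;    /* upstream: return hung_up_tty_write(...) */
	if (!ld->ops->write)
		return -EIO;
	return ld->ops->write(buf, count);
}

/* 1 if tty_write_unchecked() on this tty would dereference NULL, i.e. the
 * exact condition behind "unable to handle kernel NULL pointer dereference
 * at (null)" in the report. */
static int unchecked_write_would_oops(struct tty_struct *tty)
{
	return tty_ldisc_ref_wait(tty) == NULL;
}

int main(void)
{
	struct tty_struct tty = { .ldisc = &n_tty_ldisc };
	const char msg[] = "hello";

	printf("before hangup: checked=%zd unchecked=%zd\n",
	       tty_write_checked(&tty, msg, sizeof msg - 1),
	       tty_write_unchecked(&tty, msg, sizeof msg - 1));

	tty_hangup(&tty);
	printf("after hangup:  checked=%zd, unchecked would oops: %d\n",
	       tty_write_checked(&tty, msg, sizeof msg - 1),
	       unchecked_write_would_oops(&tty));
	return 0;
}
```

When reviewing a backport of a series like this one, the check to make is mechanical: for every function whose return contract the backported commit changes (here, a reference-returning helper that gains a NULL result), list its callers in the target tree and confirm each either already handles the new result or is covered by another commit in the same backport. The oops signature in the report (RAX = 0, CR2 = 0, faulting instruction `mov (%rax),%rax` right after the call) is what a missed caller looks like at runtime.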