exercising ptys causes a kernel oops
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | Medium | Colin Ian King |
Trusty | Fix Released | Undecided | Unassigned |
Vivid | Fix Released | Undecided | Unassigned |
Wily | Won't Fix | Undecided | Unassigned |
Xenial | Fix Released | Medium | Colin Ian King |
Yakkety | Fix Released | Medium | Colin Ian King |
Bug Description
[SRU JUSTIFICATION]
Running stress-ng --pty 1 with very low vmalloc memory available can trip an oops. This can generally only be reproduced when memory is under a high amount of pressure. I was able to reproduce reliably by forcefully injecting vmalloc to return NULL when the stress-ng pty was running.
[FIX]
Upstream commit 5353ed8deedee9e
[TEST]
Forcefully inject vmalloc to return NULL when running the pty stressor. Without the fix, an oops can be tripped; with the fix, no issues occur.
-------
running: "stress-ng --pty 1" and this occurs in less than 1 second:
[ 67.753230] alloc_vmap_area: 9 callbacks suppressed
[ 67.753233] vmap allocation for size 16384 failed: use vmalloc=<size> to increase size.
[ 67.753235] vmalloc: allocation failure: 8844 bytes
[ 67.753237] stress-ng-pty: page allocation failure: order:0, mode:0x24000c2
[ 67.753240] CPU: 2 PID: 2150 Comm: stress-ng-pty Not tainted 4.4.0-23-generic #41-Ubuntu
[ 67.753241] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-
[ 67.753243] c1abf967 0832d3cc 00000286 f2497c8c c139fe1f c19ce22c 00000001 f2497cbc
[ 67.753248] c1177396 c19cc624 f506b5f0 00000000 024000c2 f2497cd0 c19ce22c f2497ca4
[ 67.753252] 0832d3cc 0000228c 00000000 f2497cec c11ad2ff 024000c2 00000000 c19ce22c
[ 67.753256] Call Trace:
[ 67.753264] [<c139fe1f>] dump_stack+
[ 67.753267] [<c1177396>] warn_alloc_
[ 67.753272] [<c11ad2ff>] __vmalloc_
[ 67.753276] [<c148f590>] ? tty_get_
[ 67.753278] [<c11ad386>] __vmalloc_
[ 67.753280] [<c1494e46>] ? n_tty_open+
[ 67.753283] [<c11ad408>] vmalloc+0x38/0x40
[ 67.753284] [<c1494e46>] ? n_tty_open+
[ 67.753290] [<c1494e46>] n_tty_open+
[ 67.753293] [<c1498fd8>] tty_ldisc_
[ 67.753295] [<c14997fc>] tty_ldisc_
[ 67.753297] [<c14935bc>] tty_init_
[ 67.753301] [<c124fee1>] ? devpts_
[ 67.753303] [<c149b7a5>] ptmx_open+
[ 67.753306] [<c11e0a14>] chrdev_
[ 67.753310] [<c11da62c>] do_dentry_
[ 67.753312] [<c11e0970>] ? cdev_put+0x20/0x20
[ 67.753314] [<c11db60f>] vfs_open+0x4f/0x60
[ 67.753316] [<c11ea109>] path_openat+
[ 67.753318] [<c11eae94>] ? putname+0x54/0x60
[ 67.753321] [<c11ebde8>] do_filp_
[ 67.753324] [<c11f8d16>] ? __alloc_
[ 67.753326] [<c11db9c8>] do_sys_
[ 67.753329] [<c11dbb72>] SyS_open+0x22/0x30
[ 67.753332] [<c100393d>] do_fast_
[ 67.753336] [<c17a98dc>] sysenter_
[ 67.753338] Mem-Info:
[ 67.753342] active_anon:5790 inactive_anon:1203 isolated_anon:0
[ 67.753349] DMA free:9616kB min:788kB low:984kB high:1180kB active_anon:288kB inactive_anon:112kB active_file:2436kB inactive_
[ 67.753350] lowmem_reserve[]: 0 818 949 949
[ 67.753357] Normal free:567248kB min:41608kB low:52008kB high:62412kB active_anon:18440kB inactive_
[ 67.753358] lowmem_reserve[]: 0 0 1055 1055
[ 67.753364] HighMem free:87464kB min:128kB low:1804kB high:3480kB active_anon:4432kB inactive_
[ 67.753365] lowmem_reserve[]: 0 0 0 0
[ 67.753367] DMA: 2*4kB (UM) 1*8kB (E) 2*16kB (UE) 1*32kB (U) 3*64kB (ME) 3*128kB (UME) 1*256kB (M) 3*512kB (UME) 3*1024kB (UME) 2*2048kB (UM) 0*4096kB = 9616kB
[ 67.753378] Normal: 1*4kB (U) 25*8kB (ME) 38*16kB (UM) 25*32kB (ME) 14*64kB (UME) 9*128kB (UM) 9*256kB (UM) 8*512kB (UME) 8*1024kB (UME) 0*2048kB 134*4096kB (M) = 567116kB
[ 67.753389] HighMem: 1*4kB (U) 0*8kB 1*16kB (U) 0*32kB 1*64kB (M) 0*128kB 3*256kB (UM) 3*512kB (UM) 5*1024kB (UM) 1*2048kB (U) 19*4096kB (M) = 87380kB
[ 67.753435] Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_
[ 67.753436] 47051 total pagecache pages
[ 67.753437] 0 pages in swap cache
[ 67.753439] Swap cache stats: add 0, delete 0, find 0/0
[ 67.753440] Free swap = 1046524kB
[ 67.753444] Total swap = 1046524kB
[ 67.753450] 262013 pages RAM
[ 67.753459] 33761 pages HighMem/MovableOnly
[ 67.753461] 6126 pages reserved
[ 67.753483] 0 pages cma reserved
[ 67.753486] tty_init_dev: ldisc open failed, clearing slot 3474
[ 67.753525] BUG: unable to handle kernel NULL pointer dereference at 0000001c
[ 67.755622] IP: [<c124ff1a>] devpts_
[ 67.756058] *pdpt = 000000002f82f001 *pde = 0000000000000000
[ 67.756461] Oops: 0000 [#1] SMP
[ 67.756866] Modules linked in: snd_hda_
[ 67.759038] CPU: 2 PID: 2150 Comm: stress-ng-pty Not tainted 4.4.0-23-generic #41-Ubuntu
[ 67.759396] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-
[ 67.759758] task: f506b200 ti: f2496000 task.ti: f2496000
[ 67.760109] EIP: 0060:[<c124ff1a>] EFLAGS: 00010246 CPU: 2
[ 67.760460] EIP is at devpts_
[ 67.760806] EAX: 00000000 EBX: 00000000 ECX: 00000033 EDX: 00000d92
[ 67.761165] ESI: fffffff4 EDI: 00000d92 EBP: f2497d54 ESP: f2497d4c
[ 67.761500] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[ 67.761830] CR0: 80050033 CR2: 0000001c CR3: 355d6ca0 CR4: 001406f0
[ 67.762166] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 67.762497] DR6: fffe0ff0 DR7: 00000400
[ 67.762822] Stack:
[ 67.763139] 00000000 fffffff4 f2497d60 c149b509 e65caa00 f2497d6c c1492bb0 e65caa00
[ 67.763497] f2497d98 c14935e9 c1a2cf78 00000d92 f64aa7d0 f2497d98 c124fee1 00000d92
[ 67.763860] e65e66c0 f64aa7d0 f64aa7d0 f2497db4 c149b7a5 00000000 00000d92 c1d20ae0
[ 67.764228] Call Trace:
[ 67.764568] [<c149b509>] pty_unix98_
[ 67.764917] [<c1492bb0>] release_
[ 67.765272] [<c14935e9>] tty_init_
[ 67.765623] [<c124fee1>] ? devpts_
[ 67.765974] [<c149b7a5>] ptmx_open+
[ 67.766323] [<c11e0a14>] chrdev_
[ 67.766668] [<c11da62c>] do_dentry_
[ 67.767013] [<c11e0970>] ? cdev_put+0x20/0x20
[ 67.767352] [<c11db60f>] vfs_open+0x4f/0x60
[ 67.767690] [<c11ea109>] path_openat+
[ 67.768030] [<c11eae94>] ? putname+0x54/0x60
[ 67.768367] [<c11ebde8>] do_filp_
[ 67.768704] [<c11f8d16>] ? __alloc_
[ 67.769051] [<c11db9c8>] do_sys_
[ 67.769385] [<c11dbb72>] SyS_open+0x22/0x30
[ 67.769717] [<c100393d>] do_fast_
[ 67.770052] [<c17a98dc>] sysenter_
[ 67.770385] Code: 00 b8 fb ff ff ff eb 9d b8 ed ff ff ff eb 96 e8 9d 01 e2 ff 8d b6 00 00 00 00 8d bc 27 00 00 00 00 55 89 e5 56 53 3e 8d 74 26 00 <8b> 40 1c 89 d6 81 78 38 d1 1c 00 00 74 0c a1 f8 59 d1 c1 85 c0
[ 67.771232] EIP: [<c124ff1a>] devpts_
[ 67.771607] CR2: 000000000000001c
[ 67.772009] ---[ end trace 40e08a6f48f9983e ]---
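A triage helper for logs like the one above, added here as an example and not part of the original report: it extracts the fault address, faulting symbol, task and reliable call-trace frames from a dmesg excerpt, and flags an oops that follows an allocation failure within a short window. The function name, the 1-second window and the 4096-byte NULL-page threshold are assumptions; the sample lines are excerpted from this report's log.

```python
import re
# Lines excerpted from the oops in this report (truncated symbols kept as shown).
SAMPLE = """\
[ 67.753237] stress-ng-pty: page allocation failure: order:0, mode:0x24000c2
[ 67.753525] BUG: unable to handle kernel NULL pointer dereference at 0000001c
[ 67.755622] IP: [<c124ff1a>] devpts_
[ 67.759038] CPU: 2 PID: 2150 Comm: stress-ng-pty Not tainted 4.4.0-23-generic #41-Ubuntu
[ 67.764228] Call Trace:
[ 67.764568] [<c149b509>] pty_unix98_
[ 67.764917] [<c1492bb0>] release_
[ 67.765272] [<c14935e9>] tty_init_
[ 67.765623] [<c124fee1>] ? devpts_
[ 67.765974] [<c149b7a5>] ptmx_open+
"""

LINE = re.compile(r"^\[\s*(\d+\.\d+)\]\s+(.*)$")
BUG = re.compile(r"BUG: unable to handle kernel .*? at ([0-9a-f]+)$")
FRAME = re.compile(r"\[<([0-9a-f]+)>\] (\? )?([^\s+]+)")
TASK = re.compile(r"PID: (\d+) Comm: (\S+)")

def triage_oops(log, window=1.0, page_size=4096):
    """Summarise the first oops and say whether an allocation failure preceded it."""
    last_fail, oops, in_trace = None, None, False
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = float(m.group(1)), m.group(2)
        if oops is None:
            if "allocation failure" in msg:
                last_fail = ts
            elif (b := BUG.match(msg)):
                addr = int(b.group(1), 16)
                near = last_fail is not None and ts - last_fail <= window
                oops = {"fault_addr": addr, "null_deref": addr < page_size,
                        "after_alloc_failure": near, "ip": None, "task": None, "frames": []}
            continue
        if msg.startswith("IP:") and (f := FRAME.search(msg)):
            oops["ip"] = f.group(3)
        elif oops["task"] is None and (t := TASK.search(msg)):
            oops["task"] = (int(t.group(1)), t.group(2))
        elif msg == "Call Trace:":
            in_trace = True
        elif in_trace and (f := FRAME.match(msg)):
            if not f.group(2):  # '?' marks an unreliable (stale) stack entry
                oops["frames"].append(f.group(3))
        else:
            in_trace = False
    return oops
```

A small fault address combined with `after_alloc_failure` points at an error-handling path that cleans up a partially initialised object, which is the pattern this report describes.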
description: updated
information type: Private Security → Public Security
information type: Public Security → Public
Changed in linux (Ubuntu Yakkety): status: In Progress → Fix Committed
Changed in linux (Ubuntu Xenial): status: New → Fix Committed
Changed in linux (Ubuntu Wily): status: New → Fix Committed
Changed in linux (Ubuntu Vivid): status: New → Fix Committed
Changed in linux (Ubuntu Trusty): status: New → Fix Committed
Changed in linux (Ubuntu Xenial): assignee: nobody → Colin Ian King (colin-king); importance: Undecided → Medium
More concerning is that once one logs out, no more ptys are available, so one cannot log back in.