Date:   Fri, 16 Sep 2016 12:44:37 -0400 (EDT)
From:   Vince Weaver <vincent.weaver@...ne.edu>
To:     LKML <linux-kernel@...r.kernel.org>
cc:     Peter Zijlstra <peterz@...radead.org>,
        Ingo Molnar <mingo@...nel.org>,
        Stephane Eranian <eranian@...il.com>,
        Alexander Shishkin <alexander.shishkin@...ux.intel.com>
Subject: perf: perf_fuzzer crashing due to slab poison


Trying to replicate the cgroup problem on my Haswell machine and tripped
over this other (probably unrelated) bug that not only crashed the machine
but took out the whole local network (due to the ethernet card getting
stuck somehow).

It looks like slab poison in some of those registers :(  Are there any
options I should be enabling to help debug this kind of thing?  Could we
somehow write useful info (rather than just 6b6b6b) into the freed memory
to give hints when debugging?

Vince

	Linux version 4.8.0-rc6+ x86_64
	Processor: Intel 6/60/3
	/proc/sys/kernel/perf_event_max_sample_rate currently: 1750/s
	/proc/sys/kernel/perf_event_paranoid currently: 0
	To reproduce, try: ./perf_fuzzer -s 30000 -r 1473974214


[33967.807734] general protection fault: 0000 [#1] SMP
[33967.813503] Modules linked in: binfmt_misc intel_rapl iosf_mbi x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm snd_hda_codec_realtek snd_hda_codec_hdmi iTCO_wdt snd_hda_codec_generic irqbypass iTCO_vendor_support snd_hda_intel crct10dif_pclmul snd_hda_codec crc32_pclmul ghash_clmulni_intel snd_hda_core ppdev aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper evdev snd_hwdep snd_pcm cryptd i915 snd_timer psmouse pcspkr serio_raw drm_kms_helper snd mei_me tpm_tis tpm_tis_core video battery soundcore sg lpc_ich mei mfd_core parport_pc wmi drm i2c_i801 i2c_algo_bit i2c_smbus parport tpm button sr_mod cdrom sd_mod xhci_pci xhci_hcd ahci ehci_pci libahci ehci_hcd libata e1000e ptp usbcore crc32c_intel scsi_mod usb_common pps_core fan thermal
[33967.890749] CPU: 0 PID: 8251 Comm: perf_fuzzer Tainted: G        W       4.8.0-rc6+ #194
[33967.899990] Hardware name: LENOVO 10AM000AUS/SHARKBAY, BIOS FBKT72AUS 01/26/2014
[33967.908498] task: ffff8801163ae700 task.stack: ffff880115e90000
[33967.915441] RIP: 0010:[<ffffffff81079886>]  [<ffffffff81079886>] wait_consider_task+0x16/0xc50
[33967.925281] RSP: 0018:ffff880115e93de8  EFLAGS: 00010296
[33967.931544] RAX: 6b6b6b6b6b6b6b6b RBX: ffff880115e93eb0 RCX: ffff8801191acc00
[33967.939740] RDX: 6b6b6b6b6b6b675b RSI: 0000000000000000 RDI: ffff880115e93eb0
[33967.947927] RBP: ffff880115e93e48 R08: 00000000b085cee5 R09: 4522cf5100000000
[33967.956100] R10: 00000000001fa23f R11: 0000000000000000 R12: ffff8801163aeb00
[33967.964270] R13: ffff8801163ae700 R14: ffff8801163ae700 R15: 6b6b6b6b6b6b675b
[33967.972445] FS:  00007f1dc0a19700(0000) GS:ffff88011ea00000(0000) knlGS:0000000000000000
[33967.981633] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[33967.988283] CR2: 00007ffd20fbb058 CR3: 000000011825c000 CR4: 00000000001407f0
[33967.996446] DR0: 0000000000000000 DR1: 0000000000000ff0 DR2: 0000000000000000
[33968.004615] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
[33968.012753] Stack:
[33968.015417]  0000000000000282 000000011ea18c18 ffffffff81c05098 ffffffff81c05080
[33968.023943]  ffff8801163aeb28 ffff8801163ae700 ffff8801163ae700 ffff880115e93eb0
[33968.032492]  ffff8801163aeb00 ffff8801163ae700 ffff8801163ae700 6b6b6b6b6b6b675b
[33968.040996] Call Trace:
[33968.044109]  [<ffffffff8107a5cf>] do_wait+0x10f/0x250
[33968.050021]  [<ffffffff8107b886>] SyS_wait4+0x66/0xd0
[33968.055975]  [<ffffffff810791d0>] ? task_stopped_code+0x60/0x60
[33968.062833]  [<ffffffff81003b5e>] do_syscall_64+0x5e/0xc0
[33968.069103]  [<ffffffff817250ea>] entry_SYSCALL64_slow_path+0x25/0x25
[33968.076515] Code: 02 00 e9 62 ff ff ff 4c 89 ef e8 16 5f 07 00 e9 38 ff ff ff 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 38 <44> 8b b2 7c 03 00 00 41 83 fe 10 74 29 8b 07 49 89 fd 89 f3 49 
[33968.099081] RIP  [<ffffffff81079886>] wait_consider_task+0x16/0xc50
[33968.106371]  RSP <ffff880115e93de8>
[33968.112742] ---[ end trace dfb54c93a465ccd8 ]---
[33968.112743] general protection fault: 0000 [#2] SMP
[33968.112756] Modules linked in: binfmt_misc intel_rapl iosf_mbi x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm snd_hda_codec_realtek snd_hda_codec_hdmi iTCO_wdt snd_hda_codec_generic irqbypass iTCO_vendor_support snd_hda_intel crct10dif_pclmul snd_hda_codec crc32_pclmul ghash_clmulni_intel snd_hda_core ppdev aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper evdev snd_hwdep snd_pcm cryptd i915 snd_timer psmouse pcspkr serio_raw drm_kms_helper snd mei_me tpm_tis tpm_tis_core video battery soundcore sg lpc_ich mei mfd_core parport_pc wmi drm i2c_i801 i2c_algo_bit i2c_smbus parport tpm button sr_mod cdrom sd_mod xhci_pci xhci_hcd ahci ehci_pci libahci ehci_hcd libata e1000e ptp usbcore crc32c_intel scsi_mod usb_common pps_core fan thermal
[33968.112757] CPU: 1 PID: 9323 Comm: perf_fuzzer Tainted: G      D W       4.8.0-rc6+ #194
[33968.112757] Hardware name: LENOVO 10AM000AUS/SHARKBAY, BIOS FBKT72AUS 01/26/2014
[33968.112758] task: ffff880114a9e300 task.stack: ffff880115c4c000
[33968.112761] RIP: 0010:[<ffffffff811320b5>]  [<ffffffff811320b5>] syscall_unregfunc+0x45/0x90
[33968.112761] RSP: 0018:ffff880115c4faf0  EFLAGS: 00010283
[33968.112762] RAX: 6b6b6b6b6b6b6b6b RBX: ffffffff81d1c7c8 RCX: ffff8801170af010
[33968.112762] RDX: ffff8801170aeb70 RSI: ffff8801155d67a0 RDI: ffff8801155d64c0
[33968.112762] RBP: ffff880115c4faf0 R08: 0000000000000000 R09: 0000000000000000
[33968.112763] R10: ffff880114a9e300 R11: 0000000000000000 R12: ffffffff81d1c7c0
[33968.112763] R13: ffffffff81c107a0 R14: ffff880114acacd0 R15: ffffffff81003030
[33968.112764] FS:  00007f1dc0a19700(0000) GS:ffff88011ea40000(0000) knlGS:0000000000000000
[33968.112764] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[33968.112764] CR2: 00007ffe09882bdc CR3: 0000000001c06000 CR4: 00000000001406e0
[33968.112765] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[33968.112765] DR3: 0000000000008788 DR6: 00000000fffe0ff0 DR7: 0000000000000600
[33968.112766] Stack:
[33968.112767]  ffff880115c4fb28 ffffffff81131c68 ffffffff81c107a0 0000000000000003
[33968.112768]  ffff880116dd4c00 ffff880116dd4c40 ffff880114cfaaa0 ffff880115c4fb50
[33968.112769]  ffffffff8114cf13 0000000000000082 ffffffff81c107a0 0000000000000000
[33968.112769] Call Trace:
[33968.112771]  [<ffffffff81131c68>] tracepoint_probe_unregister+0x188/0x1e0
[33968.112772]  [<ffffffff8114cf13>] trace_event_reg+0x43/0xd0
[33968.112773]  [<ffffffff81150713>] perf_trace_event_unreg.isra.2+0x33/0x90
[33968.112774]  [<ffffffff81150a78>] perf_trace_destroy+0x38/0x50
[33968.112776]  [<ffffffff8116a859>] tp_perf_event_destroy+0x9/0x10
[33968.112777]  [<ffffffff81172e45>] _free_event+0xd5/0x330
[33968.112778]  [<ffffffff81173534>] put_event+0x14/0x20
[33968.112779]  [<ffffffff81173770>] perf_event_release_kernel+0x230/0x2d0
[33968.112780]  [<ffffffff81173573>] ? perf_event_release_kernel+0x33/0x2d0
[33968.112781]  [<ffffffff81173820>] perf_release+0x10/0x20
[33968.112784]  [<ffffffff81211a9f>] __fput+0xdf/0x1f0
[33968.112785]  [<ffffffff81211bee>] ____fput+0xe/0x10
[33968.112786]  [<ffffffff81095f2e>] task_work_run+0x7e/0xa0
[33968.112788]  [<ffffffff8107ad36>] do_exit+0x2f6/0xb10
[33968.112789]  [<ffffffff81086a92>] ? get_signal+0xc2/0x6d0
[33968.112790]  [<ffffffff8107b5e0>] do_group_exit+0x50/0xd0
[33968.112791]  [<ffffffff81086c5f>] get_signal+0x28f/0x6d0
[33968.112793]  [<ffffffff8109dec7>] ? finish_task_switch+0xa7/0x220
[33968.112795]  [<ffffffff8102d518>] do_signal+0x28/0x760
[33968.112796]  [<ffffffff8116c2a6>] ? perf_trace_run_bpf_submit+0x76/0xb0
[33968.112797]  [<ffffffff810030e5>] ? perf_trace_sys_exit+0xb5/0xd0
[33968.112798]  [<ffffffff8100329c>] exit_to_usermode_loop+0x8c/0xd0
[33968.112799]  [<ffffffff81003a87>] prepare_exit_to_usermode+0x37/0x50
[33968.112800]  [<ffffffff817259a5>] retint_user+0x8/0x10
[33968.112810] Code: e5 e8 90 29 5f 00 48 c7 c7 40 d5 c0 81 48 8b b7 e0 02 00 00 48 8d be 20 fd ff ff 48 81 ff 40 d5 c0 81 74 44 48 8b 86 30 03 00 00 <48> 8b 48 10 48 83 c0 10 48 39 c8 48 8d 91 60 fb ff ff 74 ce 48 
[33968.112812] RIP  [<ffffffff811320b5>] syscall_unregfunc+0x45/0x90
[33968.112812]  RSP <ffff880115c4faf0>
[33968.112816] ---[ end trace dfb54c93a465ccd9 ]---
[33968.112817] Fixing recursive fault but reboot is needed!
[33989.573587] INFO: rcu_sched detected stalls on CPUs/tasks:
[33989.579895] 	1-...: (1 GPs behind) idle=4b9/140000000000000/0 softirq=1278733/1278734 fqs=2446 
[33989.589632] 	(detected by 0, t=5256 jiffies, g=1198134, c=1198133, q=79)
[33989.597186] Task dump for CPU 1:
[33989.601057] perf_fuzzer     S 0000000000000000     0  8251   3914 0x0000000a
[33989.609084]  0000000000000000 0000000000000000 ffff880115e93eb8 0000000000000086
[33989.617545]  ffffffff8107ad6a ffff880100000000 ffffffff00000000 0000000000000086
[33989.626041]  0000000115c3d000 ffffffff81c05098 ffffffff81c05080 ffffffff81c05080
[33989.634494] Call Trace:
[33989.637532]  [<ffffffff8107ad6a>] ? do_exit+0x32a/0xb10
[33989.643525]  [<ffffffff810c7e58>] ? do_raw_write_lock+0x48/0xc0
[33989.650259]  [<ffffffff81724be0>] ? _raw_write_lock_irq+0x40/0x50
[33989.657201]  [<ffffffff8107ad6a>] ? do_exit+0x32a/0xb10
[33989.663229]  [<ffffffff8107ad6a>] ? do_exit+0x32a/0xb10
[33989.669250]  [<ffffffff81726737>] ? rewind_stack_do_exit+0x17/0x20
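As an added example (not code from the post or from the kernel tree), here is a small Python scanner that reads the register lines of an oops like the ones above and flags registers holding a slab-poison word, or a value a small offset away from one. The poison bytes are the Linux constants from include/linux/poison.h; reading the 0x410 offset seen in RDX/R15 as a container_of()/list_entry() adjustment of a pointer loaded from freed memory is my assumption about the struct layout, not something the post establishes.

```python
"""Scan a kernel oops register dump for slab-poison values (added example)."""
import re

# Poison bytes from include/linux/poison.h (CONFIG_SLUB_DEBUG / slub_debug=P)
POISON_BYTES = {
    "POISON_INUSE": 0x5a,  # object allocated but never written
    "POISON_FREE": 0x6b,   # object contents after kfree()
    "POISON_END": 0xa5,    # last byte of a poisoned object
}

# Matches "RAX: 6b6b6b6b6b6b6b6b" or "R15: ...", but not "RIP: 0010:[..." or "CR2: ..."
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}): ([0-9a-f]{16})\b")


def poison_offset(value, poison_byte, window=0x10000):
    """Signed distance of value from the 64-bit poison word, or None if not near it.

    A non-zero distance is the telltale of pointer arithmetic (for example
    list_entry()/container_of()) applied to a pointer that was read out of
    already-freed memory; the distance is then the struct member offset.
    """
    word = poison_byte * 0x0101010101010101
    delta = value - word
    return delta if -window <= delta <= window else None


def scan_dump(text):
    """Return [(register, value, poison_name, offset)] for every suspicious register."""
    hits = []
    for m in REG_RE.finditer(text):
        reg, value = m.group(1), int(m.group(2), 16)
        for name, byte in POISON_BYTES.items():
            delta = poison_offset(value, byte)
            if delta is not None:
                hits.append((reg, value, name, delta))
                break
    return hits


# Constructed sample input: the register lines of the first oops in the post.
SAMPLE_OOPS = """\
[33967.931544] RAX: 6b6b6b6b6b6b6b6b RBX: ffff880115e93eb0 RCX: ffff8801191acc00
[33967.939740] RDX: 6b6b6b6b6b6b675b RSI: 0000000000000000 RDI: ffff880115e93eb0
[33967.947927] RBP: ffff880115e93e48 R08: 00000000b085cee5 R09: 4522cf5100000000
[33967.956100] R10: 00000000001fa23f R11: 0000000000000000 R12: ffff8801163aeb00
[33967.964270] R13: ffff8801163ae700 R14: ffff8801163ae700 R15: 6b6b6b6b6b6b675b
"""

if __name__ == "__main__":
    for reg, value, name, delta in scan_dump(SAMPLE_OOPS):
        print(f"{reg}={value:016x} looks like {name}{delta:+#x}")
```

Run against the dump above it reports RAX as exactly POISON_FREE and RDX/R15 as POISON_FREE-0x410, which is the hint the post is asking the poison pattern to give.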
