Date:   Tue, 6 Sep 2016 15:53:08 +0800
From:   Xiong Zhou <xzhou@...hat.com>
To:     linux-ext4@...r.kernel.org
Subject: LTP proc01 panic when ext4_validate_block_bitmap

Hi,

The attached reproducer can crash the kernel in several minutes. It's
looping a subset of LTP testcases consisting of proc01 and
ftruncate04:

$cat /opt/ltp/runtest/tfile
proc01 proc01 -m 128
ftruncate04 ftruncate04
ftruncate04_64 ftruncate04

After commenting out the ftruncate calls in ftruncate04.c, it's still
reproducible.

Latest kernel commit:
commit bc4dee5aa72723632a1f83fd0d3720066c93b433
Merge: 56291b2 8b18e23
Author: Linus Torvalds <torvalds@...ux-foundation.org>
Date:   Mon Sep 5 11:10:00 2016 -0700

    Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6


Calltrace:

[  497.567282] ltptest proc01 start
[  497.584599] general protection fault: 0000 [#1] SMP
[  497.609178] Modules linked in: binfmt_misc ext4 jbd2 mbcache loop intel_rapl sb_edac edac_core x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel nd_pmem dax_pmem aesni_intel nd_btt dax lrw gf128mul ipmi_ssif glue_helper nd_e820 ablk_helper iTCO_wdt cryptd hpilo hpwdt libnvdimm iTCO_vendor_support sg nfsd ipmi_si pcspkr ioatdma shpchp i2c_i801 ipmi_msghandler dca pcc_cpufreq lpc_ich acpi_power_meter acpi_cpufreq i2c_smbus wmi auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c sd_mod mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm tg3 ptp hpsa serio_raw crc32c_intel pps_core i2c_core scsi_transport_sas fjes dm_mirror dm_region_hash dm_log dm_mod
[  497.918435] CPU: 21 PID: 3214 Comm: proc01 Not tainted 4.8.0-rc5+ #1
[  497.947019] Hardware name: HP ProLiant DL360 Gen9, BIOS P89 05/06/2015
[  497.976447] task: ffff88085b610000 task.stack: ffff880840a54000
[  498.003184] RIP: 0010:[<ffffffff81372d90>]  [<ffffffff81372d90>] _find_next_bit.part.0+0x10/0x70
[  498.042662] RSP: 0018:ffff880840a57a60  EFLAGS: 00010a06
[  498.066543] RAX: 03ffffffffffff00 RBX: ffff88106ca0b000 RCX: 00000000ffffc000
[  498.099534] RDX: ffffffffffffc000 RSI: ffffffffffffc0fd RDI: ffff88084822a000
[  498.134230] RBP: ffff880840a57a70 R08: ffffffffffffffff R09: ffffffffffffffff
[  498.167599] R10: 0000000000000000 R11: 0000000000000040 R12: ffffffffffffc000
[  498.199576] R13: 0000000000000002 R14: ffff88106ca0c800 R15: ffff8808559f7208
[  498.231538] FS:  00007f08b4c95800(0000) GS:ffff88085fd40000(0000) knlGS:0000000000000000
[  498.268080] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  498.293825] CR2: 00007ffd1f4688f8 CR3: 0000000841682000 CR4: 00000000001406e0
[  498.325787] Stack:
[  498.334748]  ffff880840a57a70 ffffffff81372e2e ffff880840a57ad0 ffffffffa07844aa
[  498.367913]  0000000000000000 ffff880855aff110 ffff88106ca0b000 0000000000000002
[  498.401539]  ffff88106ca0b000 ffff88106ca0c800 ffff88084822a840 0000000000000002
[  498.434763] Call Trace:
[  498.445666]  [<ffffffff81372e2e>] ? find_next_zero_bit+0x1e/0x20
[  498.472276]  [<ffffffffa07844aa>] ext4_validate_block_bitmap+0x2da/0x3a0 [ext4]
[  498.505375]  [<ffffffffa07850b7>] ext4_read_block_bitmap_nowait+0x277/0x5e0 [ext4]
[  498.542504]  [<ffffffff81202cae>] ? __kmalloc+0x1ce/0x200
[  498.566777]  [<ffffffffa07c4bb8>] ? ext4_mb_init_cache+0x98/0x750 [ext4]
[  498.596890]  [<ffffffffa07c4c94>] ext4_mb_init_cache+0x174/0x750 [ext4]
[  498.630241]  [<ffffffff811ac16e>] ? lru_cache_add+0xe/0x10
[  498.657499]  [<ffffffff8119b6ca>] ? add_to_page_cache_lru+0x8a/0xf0
[  498.689362]  [<ffffffff8119c67e>] ? pagecache_get_page+0x8e/0x250
[  498.717082]  [<ffffffffa07c53e1>] ext4_mb_init_group+0x171/0x2b0 [ext4]
[  498.746880]  [<ffffffffa07c5b2c>] ext4_mb_load_buddy_gfp+0x47c/0x520 [ext4]
[  498.778204]  [<ffffffffa07c5d2c>] ext4_mb_seq_groups_show+0x15c/0x1e0 [ext4]
[  498.809757]  [<ffffffff8124d714>] ? mntput+0x24/0x40
[  498.832072]  [<ffffffff8123670d>] ? terminate_walk+0xbd/0xd0
[  498.859406]  [<ffffffff81251b17>] seq_read+0x247/0x390
[  498.884253]  [<ffffffff8129cced>] proc_reg_read+0x3d/0x70
[  498.909589]  [<ffffffff8122b647>] __vfs_read+0x37/0x150
[  498.933715]  [<ffffffff812de463>] ? security_file_permission+0xa3/0xc0
[  498.963390]  [<ffffffff8122bc0e>] vfs_read+0x8e/0x140
[  498.986086]  [<ffffffff8122d105>] SyS_read+0x55/0xc0
[  499.008492]  [<ffffffff81003a47>] do_syscall_64+0x67/0x160
[  499.033269]  [<ffffffff816f8b21>] entry_SYSCALL64_slow_path+0x25/0x25
[  499.062252] Code: 48 8d 04 0a 5d 48 39 f0 48 0f 47 c6 c3 31 c0 5d c3 66 2e 0f 1f 84 00 00 00 00 00 48 89 d0 55 49 89 c8 48 c1 e8 06 49 89 c9 89 d1 <4c> 33 04 c7 48 c7 c0 ff ff ff ff 48 83 e2 c0 48 d3 e0 48 89 e5
[  499.147466] RIP  [<ffffffff81372d90>] _find_next_bit.part.0+0x10/0x70
[  499.178821]  RSP <ffff880840a57a60>
[  499.196144] ---[ end trace fc25249ef11fbba9 ]---
[  499.221378] Kernel panic - not syncing: Fatal exception
[  499.244979] Kernel Offset: disabled
[  499.264961] ---[ end Kernel panic - not syncing: Fatal exception


Download attachment "proc01.sh" of type "application/x-sh" (878 bytes)
