Message-ID: <1380115449.4430.21.camel@deadeye.wl.decadent.org.uk>
Date:	Wed, 25 Sep 2013 14:24:09 +0100
From:	Ben Hutchings <ben@...adent.org.uk>
To:	Thomas Gleixner <tglx@...utronix.de>,
	Peter Zijlstra <a.p.zijlstra@...llo.nl>,
	Steven Rostedt <rostedt@...tedt.homelinux.com>,
	Sebastian Andrzej Siewior <bigeasy@...utronix.de>
Cc:	723180@...s.debian.org, Brian Silverman <bsilver16384@...il.com>,
	LKML <linux-kernel@...r.kernel.org>
Subject: Double fault when single-stepping compat task with PREEMPT_RT

On Tue, 2013-09-24 at 13:43 -0700, Brian Silverman wrote:
[...]
> I got down to a really simple program that reproduces this bug:
> 
> 
> #include <sys/syscall.h>
> #include <unistd.h>
> int main() {
>   // I've tried SYS_getpid, SYS_write, and SYS_read here too.
>   syscall(SYS_gettid);
> }
> 
> 
> Any syscall I put in there seems to give the same results. In order
> for it to trigger the bug, you have to compile it with `gcc -m32
> whatever.c` (I'm testing with the standard Wheezy gcc (4:4.7.2-1) and
> gdb (7.4.1+dfsg-0.1)). I would imagine that something in gcc and/or
> gdb is contributing to this too.
> 
> 
> I also minimized the gdb commands down to:
> 
> 
> break main
> run
> record

I assume this enables single-stepping.

> continue
[...]

I can reproduce this in VMs running the latest Debian RT kernel versions
(based on 3.2.51-rt72, and on 3.10.11 with the 3.10.10-rt7 patch).

As Brian says, x86_64 userland on x86_64 kernel works, and similarly for
i386 on i386.  So it is specifically the 'compat' case that's broken.

Here's what I got:

[   68.394276] double fault: 0000 [#1] PREEMPT SMP 
[   68.394304] Modules linked in: rfcomm bnep bluetooth rfkill crc16 nfsd auth_rpcgss oid_registry nfs_acl nfs lockd dns_resolver fscache sunrpc loop fuse joydev hid_generic usbhid hid snd_hda_intel snd_hda_codec snd_hwdep snd_pcm snd_page_alloc snd_seq snd_seq_device snd_timer snd processor evdev ttm drm_kms_helper thermal_sys psmouse soundcore drm i2c_piix4 serio_raw virtio_balloon button i2c_core pcspkr microcode ext3 mbcache jbd sg sr_mod cdrom ata_generic virtio_net virtio_blk floppy uhci_hcd ata_piix ehci_hcd libata usbcore virtio_pci scsi_mod usb_common virtio_ring virtio
[   68.394307] CPU: 0 PID: 3044 Comm: bug723180 Not tainted 3.10-3-rt-amd64 #1 Debian 3.10.11-1
[   68.394307] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[   68.394309] task: ffff88001df34300 ti: ffff88001b564000 task.ti: ffff88001b564000
[   68.394316] RIP: 0010:[<ffffffff8139ec30>]  [<ffffffff8139ec30>] native_irq_enable_sysexit+0x10/0x10
[   68.394317] RSP: 0018:0000000000000000  EFLAGS: 00010192
[   68.394318] RAX: 00000000000000e0 RBX: 0000000000000000 RCX: 000000000804842b
[   68.394319] RDX: 00000000f7fc7000 RSI: 0000000008048420 RDI: 0000000000000000
[   68.394319] RBP: 00000000ffffd53c R08: 0000000000000000 R09: 0000000000000000
[   68.394320] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   68.394320] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   68.394321] FS:  0000000000000000(0000) GS:ffff88001fc00000(0063) knlGS:00000000f7e1b900
[   68.394322] CS:  0010 DS: 002b ES: 002b CR0: 000000008005003b
[   68.394323] CR2: fffffffffffffff8 CR3: 000000001f121000 CR4: 00000000000006f0
[   68.394326] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   68.394329] DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
[   68.394329] Stack:
[   68.394331]  ffff88001fc05e68 ffff88001fc05f58 0000000000000ac0 0000000000000000
[   68.394332]  0000000000000000 0000000000000000 0000000000000040 ffffffff8100ef56
[   68.394334]  0000000081837a35 00000000ffffffff ffff88001fc05f58 ffffffff814011e8
[   68.394334] Call Trace:
[   68.394336]  <#DF> 
[   68.394340]  [<ffffffff8100ef56>] ? show_regs+0x6d/0x1bd
[   68.394343]  [<ffffffff81399cbe>] ? __die+0x9e/0xdb
[   68.394345]  [<ffffffff8100fbe9>] ? die+0x3d/0x56
[   68.394346]  [<ffffffff8100de24>] ? do_double_fault+0x5c/0x5e
[   68.394348]  [<ffffffff8139e888>] ? double_fault+0x28/0x30
[   68.394350]  [<ffffffff8139ec30>] ? native_irq_enable_sysexit+0x10/0x10
[   68.394351]  <<EOE>> 
[   68.394361] Code: 1f 84 00 00 00 00 00 0f 1f 40 00 0f 01 f8 0f 07 66 66 2e 0f 1f 84 00 00 00 00 00 0f 01 f8 fb 0f 35 66 2e 0f 1f 84 00 00 00 00 00 <0f> 01 f8 65 48 8b 24 25 e0 a7 00 00 48 83 c4 28 fb 0f 1f 80 00 
[   68.394362] RIP  [<ffffffff8139ec30>] native_irq_enable_sysexit+0x10/0x10
[   68.394362]  RSP <0000000000000000>
[   68.394385] ---[ end trace 0000000000000002 ]---
[   68.394434] ------------[ cut here ]------------
[   68.394442] WARNING: at /build/linux-BPzSEt/linux-3.10.11/debian/build/source_rt/kernel/smp.c:244 smp_call_function_single+0x71/0x157()
[   68.394454] Modules linked in: rfcomm bnep bluetooth rfkill crc16 nfsd auth_rpcgss oid_registry nfs_acl nfs lockd dns_resolver fscache sunrpc loop fuse joydev hid_generic usbhid hid snd_hda_intel snd_hda_codec snd_hwdep snd_pcm snd_page_alloc snd_seq snd_seq_device snd_timer snd processor evdev ttm drm_kms_helper thermal_sys psmouse soundcore drm i2c_piix4 serio_raw virtio_balloon button i2c_core pcspkr microcode ext3 mbcache jbd sg sr_mod cdrom ata_generic virtio_net virtio_blk floppy uhci_hcd ata_piix ehci_hcd libata usbcore virtio_pci scsi_mod usb_common virtio_ring virtio
[   68.394456] CPU: 0 PID: 3044 Comm: bug723180 Tainted: G      D      3.10-3-rt-amd64 #1 Debian 3.10.11-1
[   68.394459] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[   68.394460]  0000000000000000 ffffffff8103cced 0000000000000000 0000000000000000
[   68.394461]  0000000000000000 ffffffff810c08d9 ffff88001fc05e50 ffffffff810830f6
[   68.394462]  0000000000000000 0000000000000000 0000000000000000 0000000000000000
[   68.394463] Call Trace:
[   68.394466]  <#DF>  [<ffffffff8103cced>] ? warn_slowpath_common+0x5b/0x70
[   68.394470]  [<ffffffff810c08d9>] ? perf_cgroup_exit+0x16/0x16
[   68.394472]  [<ffffffff810830f6>] ? smp_call_function_single+0x71/0x157
[   68.394473]  [<ffffffff810bff63>] ? task_function_call+0x42/0x4c
[   68.394475]  [<ffffffff810c3f87>] ? perf_cgroup_switch+0x141/0x141
[   68.394477]  [<ffffffff810924af>] ? cgroup_exit+0xc8/0xd3
[   68.394478]  [<ffffffff81041cbd>] ? do_exit+0x404/0x946
[   68.394480]  [<ffffffff81399c1b>] ? oops_end+0xa9/0xae
[   68.394482]  [<ffffffff8100de24>] ? do_double_fault+0x5c/0x5e
[   68.394484]  [<ffffffff8139e888>] ? double_fault+0x28/0x30
[   68.394485]  [<ffffffff8139ec30>] ? native_irq_enable_sysexit+0x10/0x10
[   68.394486]  <<EOE>> 
[   68.394486] ---[ end trace 0000000000000003 ]---

Ben.

-- 
Ben Hutchings
Humans are not rational beings; they are rationalising beings.
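gdb's `record` mode drives the tracee one instruction at a time with ptrace, so the single-stepping Ben assumes above can be exercised without gdb. The harness below is an added example, not code from this thread: it forks a child that makes the same SYS_gettid call as Brian's reproducer and single-steps it with PTRACE_SINGLESTEP until it exits, returning the instruction count. The function name single_step_child is my own; built with -m32 on the affected RT kernels it walks the same compat single-step path, on a fixed kernel it simply counts steps.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <signal.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sys/syscall.h>

/* Single-step a child across a syscall, as gdb "record" does.
 * Returns the number of PTRACE_SINGLESTEP stops seen before the
 * child exited cleanly, or -1 if ptrace is unavailable or the
 * child failed. (Example harness, not the thread's code.) */
long single_step_child(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0)
            _exit(127);
        raise(SIGSTOP);        /* park until the parent starts stepping */
        syscall(SYS_gettid);   /* the syscall from the reproducer */
        _exit(0);
    }
    /* First stop is the SIGSTOP the child raised on itself. */
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status))
        return -1;
    long steps = 0;
    for (;;) {
        /* sig=0 suppresses the pending SIGSTOP/SIGTRAP on resume. */
        if (ptrace(PTRACE_SINGLESTEP, pid, NULL, NULL) < 0) {
            kill(pid, SIGKILL);
            waitpid(pid, NULL, 0);
            return -1;
        }
        if (waitpid(pid, &status, 0) < 0)
            return -1;
        if (WIFEXITED(status))
            return WEXITSTATUS(status) == 0 ? steps : -1;
        if (!WIFSTOPPED(status))
            return -1;         /* killed by a signal: not a clean run */
        steps++;               /* one SIGTRAP stop per instruction */
    }
}

int main(void)
{
    long n = single_step_child();
    if (n < 0) {
        perror("single_step_child");
        return 1;
    }
    printf("single-stepped %ld instructions across SYS_gettid\n", n);
    return 0;
}
```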
