Message-ID: <20140901084403.GA18808@localhost>
Date: Mon, 1 Sep 2014 16:44:04 +0800
From: Fengguang Wu <fengguang.wu@...el.com>
To: Shan Wei <davidshan@...cent.com>
Cc: "Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>,
Jet Chen <jet.chen@...el.com>, Su Tao <tao.su@...el.com>,
Yuanhan Liu <yuanhan.liu@...el.com>, LKP <lkp@...org>,
linux-kernel@...r.kernel.org
Subject: [rcu] BUG: unable to handle kernel NULL pointer dereference at 000000da
Greetings,

0day kernel testing robot got the below dmesg and the first bad commit is

git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

commit d860d40327dde251d508a234fa00bd0d90fbb656
Author: Shan Wei <davidshan@...cent.com>
AuthorDate: Thu Jun 19 14:12:44 2014 -0700
Commit: Paul E. McKenney <paulmck@...ux.vnet.ibm.com>
CommitDate: Wed Jul 9 09:15:21 2014 -0700

rcu: Use __this_cpu_read() instead of per_cpu_ptr()

The __this_cpu_read() function produces better code than does
per_cpu_ptr() on both ARM and x86. For example, gcc (Ubuntu/Linaro
4.7.3-12ubuntu1) 4.7.3 produces the following:

ARMv7 per_cpu_ptr():

force_quiescent_state:
    mov r3, sp @,
    bic r1, r3, #8128 @ tmp171,,
    ldr r2, .L98 @ tmp169,
    bic r1, r1, #63 @ tmp170, tmp171,
    ldr r3, [r0, #220] @ __ptr, rsp_6(D)->rda
    ldr r1, [r1, #20] @ D.35903_68->cpu, D.35903_68->cpu
    mov r6, r0 @ rsp, rsp
    ldr r2, [r2, r1, asl #2] @ tmp173, __per_cpu_offset
    add r3, r3, r2 @ tmp175, __ptr, tmp173
    ldr r5, [r3, #12] @ rnp_old, D.29162_13->mynode

ARMv7 __this_cpu_read():

force_quiescent_state:
    ldr r3, [r0, #220] @ rsp_7(D)->rda, rsp_7(D)->rda
    mov r6, r0 @ rsp, rsp
    add r3, r3, #12 @ __ptr, rsp_7(D)->rda,
    ldr r5, [r2, r3] @ rnp_old, *D.29176_13

Using gcc 4.8.2:

x86_64 per_cpu_ptr():

    movl %gs:cpu_number,%edx # cpu_number, pscr_ret__
    movslq %edx, %rdx # pscr_ret__, pscr_ret__
    movq __per_cpu_offset(,%rdx,8), %rdx # __per_cpu_offset, tmp93
    movq %rdi, %r13 # rsp, rsp
    movq 1000(%rdi), %rax # rsp_9(D)->rda, __ptr
    movq 24(%rdx,%rax), %r12 # _15->mynode, rnp_old

x86_64 __this_cpu_read():

    movq %rdi, %r13 # rsp, rsp
    movq 1000(%rdi), %rax # rsp_9(D)->rda, rsp_9(D)->rda
    movq %gs:24(%rax),%r12 # _10->mynode, rnp_old

Because this change produces significant benefits for these two very
diverse architectures, this commit makes this change.

Signed-off-by: Shan Wei <davidshan@...cent.com>
Acked-by: Christoph Lameter <cl@...ux.com>
Signed-off-by: Pranith Kumar <bobby.prani@...il.com>
Signed-off-by: Paul E. McKenney <paulmck@...ux.vnet.ibm.com>
Reviewed-by: Josh Triplett <josh@...htriplett.org>
Reviewed-by: Lai Jiangshan <laijs@...fujitsu.com>
+---------------------------------------------------------------+------------+------------+------------+
| | bc1dce514e | d860d40327 | 9687fd9101 |
+---------------------------------------------------------------+------------+------------+------------+
| boot_successes | 60 | 0 | 0 |
| boot_failures | 0 | 20 | 586 |
| BUG:unable_to_handle_kernel_NULL_pointer_dereference | 0 | 20 | |
| Oops | 0 | 20 | 586 |
| EIP_is_at_update_curr | 0 | 20 | |
| Kernel_panic-not_syncing:Fatal_exception | 0 | 20 | 586 |
| backtrace:register_tracer | 0 | 20 | 586 |
| backtrace:init_branch_tracer | 0 | 20 | 586 |
| backtrace:kernel_init_freeable | 0 | 20 | 586 |
| WARNING:at_kernel/trace/ring_buffer.c:rb_reserve_next_event() | 0 | 0 | 10 |
| BUG:spinlock_bad_magic_on_CPU | 0 | 0 | 586 |
| BUG:unable_to_handle_kernel_paging_request | 0 | 0 | 586 |
| EIP_is_at_spin_dump | 0 | 0 | 586 |
| backtrace:init_irqsoff_tracer | 0 | 0 | 10 |
+---------------------------------------------------------------+------------+------------+------------+
[ 0.317670] Testing tracer wakeup_dl: ret = 0
[ 0.420620] PASSED
[ 0.420978] Testing tracer branch:
[ 0.421701] BUG: unable to handle kernel NULL pointer dereference at 000000da
[ 0.422857] IP: [<c1061074>] update_curr+0x1a3/0x2c3
[ 0.423639] *pdpt = 0000000000000000 *pde = f000ff53f000ff53
[ 0.424000] Thread overran stack, or stack corrupted
[ 0.424000] Oops: 0000 [#1] PREEMPT
[ 0.424000] CPU: 0 PID: 1 Comm: swapper Not tainted 3.16.0-rc1-00015-gd860d40 #13
[ 0.424000] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 0.424000] task: d2034000 ti: d2036000 task.ti: d2036000
[ 0.424000] EIP: 0060:[<c1061074>] EFLAGS: 00010046 CPU: 0
[ 0.424000] EIP is at update_curr+0x1a3/0x2c3
[ 0.424000] EAX: 00000002 EBX: 00000000 ECX: d2191000 EDX: c10a7570
[ 0.424000] ESI: d203402c EDI: c1a41714 EBP: d2037dac ESP: d2037d8c
[ 0.424000] DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068
[ 0.424000] CR0: 80050033 CR2: 000000da CR3: 01bb9000 CR4: 000406b0
[ 0.424000] Stack:
[ 0.424000] c1959c60 0543a506 00000000 001833f6 00000000 c1a41714 d203402c 00000001
[ 0.424000] d2037dd0 c10614ce d2191b98 d2037dc0 c106ae67 d2037dec d203402c c1a41714
[ 0.424000] c1a416c0 d2037dec c10616df 00000001 00000001 c1a416c0 d2034000 c16bf6e0
[ 0.424000] Call Trace:
[ 0.424000] [<c10614ce>] dequeue_entity+0x14/0x1fb
[ 0.424000] [<c106ae67>] ? trace_hardirqs_off+0xb/0xd
[ 0.424000] [<c10616df>] dequeue_task_fair+0x2a/0x94
[ 0.424000] [<c105b7fc>] dequeue_task+0x9f/0xa7
[ 0.424000] [<c105bd86>] deactivate_task+0x1c/0x1f
[ 0.424000] [<c16ac296>] __schedule+0x1c0/0x8a1
[ 0.424000] [<c106ad31>] ? trace_hardirqs_on+0xb/0xd
[ 0.424000] [<c106ab81>] ? trace_hardirqs_on_caller+0x11/0x1b6
[ 0.424000] [<c106ad31>] ? trace_hardirqs_on+0xb/0xd
[ 0.424000] [<c16ac986>] schedule+0xf/0x11
[ 0.424000] [<c16abd32>] schedule_timeout+0x17a/0x22e
[ 0.424000] [<c103fc0a>] ? cascade+0x75/0x75
[ 0.424000] [<c16abe26>] schedule_timeout_uninterruptible+0x14/0x16
[ 0.424000] [<c1040f3f>] msleep+0x12/0x16
[ 0.424000] [<c10a3849>] trace_selftest_startup_branch+0x34/0x72
[ 0.424000] [<c10a3bcf>] register_tracer+0x113/0x204
[ 0.424000] [<c1b437aa>] ? init_wakeup_tracer+0x2b/0x2b
[ 0.424000] [<c1b437d7>] init_branch_tracer+0x2d/0x2f
[ 0.424000] [<c1b2dc65>] do_one_initcall+0x188/0x197
[ 0.424000] [<c1b2d400>] ? do_early_param+0x28/0x73
[ 0.424000] [<c105159f>] ? parse_args+0x188/0x235
[ 0.424000] [<c1b2dd4a>] kernel_init_freeable+0xd6/0x14e
[ 0.424000] [<c1699f0c>] kernel_init+0x8/0xb8
[ 0.424000] [<c16b0ea0>] ret_from_kernel_thread+0x20/0x30
[ 0.424000] [<c1699f04>] ? rest_init+0x10c/0x10c
[ 0.424000] Code: ff 0d 5c 46 a3 c1 0f 84 df 00 00 00 31 db 31 c9 89 da b8 f0 b6 af c1 e8 ec 63 04 00 85 db 74 05 e8 92 75 fa ff 8b 86 d8 03 00 00 <83> b8 d8 00 00 00 00 89 45 e4 74 21 83 be dc 03 00 00 00 b8 dc
[ 0.424000] EIP: [<c1061074>] update_curr+0x1a3/0x2c3 SS:ESP 0068:d2037d8c
[ 0.424000] CR2: 00000000000000da
[ 0.424000] ---[ end trace a6f0f5be4ed0ab92 ]---
[ 0.424000] Kernel panic - not syncing: Fatal exception
git bisect start 9687fd9101afaa1c4b1de7ffd2f9d7e53f45b29f v3.16 --
git bisect bad ad0200f72d9875caa2023c59240ee677df66918e # 12:13 0- 20 drivers/rtc/Kconfig: move DS2404 entry where it belongs
git bisect bad ed5c41d30ef2ce578fd6b6e2f7ec23f2a58b1eba # 12:17 0- 57 x86: MCE: Add raw_lock conversion again
git bisect bad 19d402c1e75077e2bcfe17f7fe5bcfc8deb74991 # 12:22 0- 20 Merge branches 'x86-build-for-linus', 'x86-cleanups-for-linus' and 'x86-debug-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
git bisect good c7ed326fa7cafb83ced5a8b02517a61672fe9e90 # 12:37 20+ 20 Merge tag 'ktest-v3.17' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-ktest
git bisect good 489f50be56185fa3492690caedc099d507bf7c98 # 12:40 20+ 20 Merge tag 'please-pull-misc-3.17' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux
git bisect bad 8efb90cf1e80129fad197b916714e1d01ee183d2 # 12:45 0- 20 Merge branch 'locking-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
git bisect good a45c657f28f82b056173d1afc2e7ed1f1f68829f # 12:50 20+ 20 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/linux-m68k
git bisect bad 5bda4f638f36ef4c4e3b1397b02affc3db94356e # 12:53 0- 20 Merge branch 'core-rcu-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
git bisect bad b41d1b924d0bd41a225a17f39297b9de0dca93d9 # 12:56 0- 20 rcu: Fix a sparse warning in rcu_report_unblock_qs_rnp()
git bisect good dfeb9765ce3c33cb3cbc5f16db423f1c58a4cc55 # 13:12 20+ 20 rcu: Allow post-unlock reference for rt_mutex
git bisect good bc1dce514e9b29b64df28a533015885862f47814 # 13:15 20+ 0 rcu: Don't use NMIs to dump other CPUs' stacks
git bisect bad 11992c703a1c7d95f5d8759498d7617d4a504819 # 13:21 0- 3 rcu: Remove CONFIG_PROVE_RCU_DELAY
git bisect bad d860d40327dde251d508a234fa00bd0d90fbb656 # 13:24 0- 9 rcu: Use __this_cpu_read() instead of per_cpu_ptr()
# first bad commit: [d860d40327dde251d508a234fa00bd0d90fbb656] rcu: Use __this_cpu_read() instead of per_cpu_ptr()
git bisect good bc1dce514e9b29b64df28a533015885862f47814 # 13:29 60+ 0 rcu: Don't use NMIs to dump other CPUs' stacks
git bisect bad d7cf2b3139909a354a71e2885c942e21a60ea062 # 13:29 0- 51 Add linux-next specific files for 20140829
git bisect bad 69e273c0b0a3c337a521d083374c918dc52c666f # 13:29 0- 60 Linux 3.17-rc3
git bisect bad d7cf2b3139909a354a71e2885c942e21a60ea062 # 13:29 0- 51 Add linux-next specific files for 20140829
This script may reproduce the error.
----------------------------------------------------------------------------
#!/bin/bash
# Boot the kernel image given as the first argument under QEMU/KVM.

kernel=$1

# QEMU command line
kvm=(
	qemu-system-x86_64
	-enable-kvm
	-cpu Haswell,+smep,+smap
	-kernel "$kernel"
	-m 320
	-smp 2
	-net nic,vlan=1,model=e1000
	-net user,vlan=1
	-boot order=nc
	-no-reboot
	-watchdog i6300esb
	-rtc base=localtime
	-serial stdio
	-display none
	-monitor null
)

# Kernel command-line parameters
append=(
	hung_task_panic=1
	earlyprintk=ttyS0,115200
	debug
	apic=debug
	sysrq_always_enabled
	rcupdate.rcu_cpu_stall_timeout=100
	panic=-1
	softlockup_panic=1
	nmi_watchdog=panic
	oops=panic
	load_ramdisk=2
	prompt_ramdisk=0
	console=ttyS0,115200
	console=tty0
	vga=normal
	root=/dev/ram0
	rw
	drbd.minor_count=8
)

# The parameters are joined into a single string for --append
"${kvm[@]}" --append "${append[*]}"
----------------------------------------------------------------------------
Thanks,
Fengguang
View attachment "dmesg-quantal-kbuild-8:20140901132230:i386-randconfig-x0-09010313:3.16.0-rc1-00015-gd860d40:13" of type "text/plain" (25777 bytes)
Download attachment "i386-randconfig-x0-09010313-9687fd9101afaa1c4b1de7ffd2f9d7e53f45b29f-Kernel-panic---not-syncing:-Fatal-exception-33702.log" of type "application/octet-stream" (191703 bytes)
View attachment "config-3.16.0-rc1-00015-gd860d40" of type "text/plain" (72287 bytes)