lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1414128345.23080.47.camel@marge.simpson.net>
Date:	Fri, 24 Oct 2014 07:25:45 +0200
From:	Mike Galbraith <umgwanakikbuti@...il.com>
To:	Brian Silverman <bsilver16384@...il.com>
Cc:	tglx@...utronix.de, Austin Schuh <austin.linux@...il.com>,
	linux-kernel@...r.kernel.org, Darren Hart <dvhart@...ux.intel.com>,
	Peter Zijlstra <peterz@...radead.org>,
	Ingo Molnar <mingo@...nel.org>,
	Davidlohr Bueso <dave@...olabs.net>,
	"PaulE.McKenney" <paulmck@...ux.vnet.ibm.com>,
	Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: [PATCH] futex: fix a race condition between REQUEUE_PI and task
 death

(CCs more eyeballs)

On Thu, 2014-10-23 at 15:28 -0400, Brian Silverman wrote: 
> Here's the test code:

Which took a 2 socket 28 core box (NOPREEMPT) out in short order.  With
patchlet applied, looks like it'll stay up (37 minutes and counting),
I'll squeak if it explodes.

Tested-by: Mike Galbraith <umgwanakikbuti@...il.com>

[  387.396020] BUG: unable to handle kernel NULL pointer dereference at 0000000000000b34
[  387.414177] IP: [<ffffffff810d411e>] free_pi_state+0x4e/0xb0
[  387.427638] PGD 8394fe067 PUD 847c37067 PMD 0
[  387.438457] Oops: 0002 [#1] SMP
[  387.446534] Modules linked in: nfs(E) lockd(E) grace(E) sunrpc(E) fscache(E) iscsi_ibft(E) iscsi_boot_sysfs(E) af_packet(E) ext4(E) crc16(E) mbcache(E) jbd2(E) joydev(E) hid_generic(E) intel_rapl(E) usbhid(E) x86_pkg_temp_thermal(E) iTCO_wdt(E) intel_powerclamp(E) iTCO_vendor_support(E) coretemp(E) kvm_intel(E) kvm(E) crct10dif_pclmul(E) crc32_pclmul(E) ghash_clmulni_intel(E) aesni_intel(E) aes_x86_64(E) lrw(E) ixgbe(E) gf128mul(E) glue_helper(E) ptp(E) ablk_helper(E) pps_core(E) cryptd(E) sb_edac(E) pcspkr(E) mdio(E) edac_core(E) ipmi_si(E) dca(E) ipmi_msghandler(E) lpc_ich(E) mfd_core(E) wmi(E) acpi_power_meter(E) xhci_pci(E) mei_me(E) i2c_i801(E) acpi_pad(E) processor(E) mei(E) xhci_hcd(E) shpchp(E) button(E) dm_mod(E) btrfs(E) xor(E) raid6_pq(E) sr_mod(E) cdrom(E) sd_mod(E) mgag200(E) syscopyarea(E)
[  387.610406]  sysfillrect(E) sysimgblt(E) i2c_algo_bit(E) drm_kms_helper(E) ehci_pci(E) ttm(E) ahci(E) ehci_hcd(E) crc32c_intel(E) libahci(E) drm(E) usbcore(E) libata(E) usb_common(E) sg(E) scsi_mod(E) autofs4(E)
[  387.651513] CPU: 27 PID: 136696 Comm: futex-exit-race Tainted: G            E  3.18.0-default #51
[  387.672339] Hardware name: Intel Corporation S2600WTT/S2600WTT, BIOS GRNDSDP1.86B.0030.R03.1405061547 05/06/2014
[  387.696066] task: ffff880833002250 ti: ffff880830d04000 task.ti: ffff880830d04000
[  387.713855] RIP: 0010:[<ffffffff810d411e>]  [<ffffffff810d411e>] free_pi_state+0x4e/0xb0
[  387.733015] RSP: 0018:ffff880830d07d78  EFLAGS: 00010046
[  387.746030] RAX: 0000000000000000 RBX: ffff8804592ea340 RCX: 0000000000000bb6
[  387.763089] RDX: ffff8804592ea340 RSI: ffff880866c3fb48 RDI: ffff88083b40cb84
[  387.780167] RBP: ffff880830d07d88 R08: ffffc900136b8a70 R09: ffff88046afe8150
[  387.797255] R10: 0000000000000000 R11: 00000000000101b0 R12: ffff880830d07e08
[  387.814360] R13: 0000000000000000 R14: ffffc900136b8a70 R15: 0000000000000001
[  387.831476] FS:  00007fb2637c5700(0000) GS:ffff88087f1a0000(0000) knlGS:0000000000000000
[  387.850710] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  387.864766] CR2: 0000000000000b34 CR3: 00000008374e7000 CR4: 00000000001407e0
[  387.881901] Stack:
[  387.887707]  ffff880830d07d88 00000000ffffffff ffff880830d07e58 ffffffff810d52c4
[  387.905497]  0000001b00000001 ffff880830d07e20 0002018230d07dc8 0000000000000001
[  387.923290]  ffffc900136b8a84 ffff880830d07f08 00007fb2637d838c 0000000100000001
[  387.941071] Call Trace:
[  387.947864]  [<ffffffff810d52c4>] futex_requeue+0x2b4/0x8e0
[  387.961578]  [<ffffffff810d5e89>] do_futex+0xa9/0x580
[  387.974128]  [<ffffffff81585502>] ? do_nanosleep+0x82/0x110
[  387.987814]  [<ffffffff810c414c>] ? hrtimer_nanosleep+0xac/0x160
[  388.002458]  [<ffffffff810d63d1>] SyS_futex+0x71/0x150
[  388.015181]  [<ffffffff815868a9>] system_call_fastpath+0x12/0x17
[  388.029826] Code: 30 48 85 ff 74 41 48 81 c7 34 0b 00 00 e8 7b 1f 4b 00 48 8b 43 08 48 8b 13 48 89 42 08 48 89 10 48 89 1b 48 89 5b 08 48 8b 43 30 <66> 83 80 34 0b 00 00 01 fb 66 0f 1f 44 00 00 48 8b 73 30 48 8d
[  388.075136] RIP  [<ffffffff810d411e>] free_pi_state+0x4e/0xb0
[  388.089266]  RSP <ffff880830d07d78>
[  388.098386] CR2: 0000000000000b34


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ