lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <s5h619reiog.wl-tiwai@suse.de>
Date:	Mon, 23 Mar 2015 18:18:39 +0100
From:	Takashi Iwai <tiwai@...e.de>
To:	Denys Vlasenko <dvlasenk@...hat.com>
Cc:	Andy Lutomirski <luto@...capital.net>,
	Denys Vlasenko <vda.linux@...glemail.com>,
	Jiri Kosina <jkosina@...e.cz>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Stefan Seyfried <stefan.seyfried@...glemail.com>,
	X86 ML <x86@...nel.org>, LKML <linux-kernel@...r.kernel.org>,
	Tejun Heo <tj@...nel.org>
Subject: Re: PANIC: double fault, error_code: 0x0 in 4.0.0-rc3-2, kvm related?

At Mon, 23 Mar 2015 17:07:15 +0100,
Denys Vlasenko wrote:
> 
> On 03/23/2015 02:22 PM, Takashi Iwai wrote:
> > At Mon, 23 Mar 2015 10:35:41 +0100,
> > Takashi Iwai wrote:
> >>
> >> At Mon, 23 Mar 2015 10:02:52 +0100,
> >> Takashi Iwai wrote:
> >>>
> >>> At Fri, 20 Mar 2015 19:16:53 +0100,
> >>> Denys Vlasenko wrote:
> >>>> Takashi, are you willing to reproduce the panic one more time,
> >>>> with this patch? I would like to see whether oops messages
> >>>> are more informative with it.
> >>>
> >>> It can't be applied to 4.0-rc5, unfortunately.
> >>>
> >>> arch/x86/kernel/entry_64.S: Assembler messages:
> >>> arch/x86/kernel/entry_64.S:1725: Error: no such instruction: `alloc_pt_gpregs_on_stack'
> >>> arch/x86/kernel/entry_64.S:1716: Error: invalid operands (*UND* and *UND* sections) for `+'
> >>> scripts/Makefile.build:294: recipe for target 'arch/x86/kernel/entry_64.o' failed
> >>
> >> I pulled tip tree on top of 4.0-rc5, built with your patch and now
> >> succeeded to get a better message:
> >>
> >>  kvm: zapping shadow pages for mmio generation wraparound
> >>  kvm [5126]: vcpu0 disabled perfctr wrmsr: 0xc1 data 0xffff
> >>  Exception on user stack 00007ffd22c23ef0: RSP: 0018:00007ffd22c23f28  EFLAGS: 00010006
> >>  RIP: 0010:[<ffffffff8162681d>]  [<ffffffff8162681d>] netlink_attachskb+0x1d/0x1d0
> >>  PANIC: double fault, error_code: 0x0
> >>  CPU: 1 PID: 10819 Comm: cc1 Tainted: G        W       4.0.0-rc5-debug1+ #2
> >>  Hardware name: Dell Inc. OptiPlex 9010/0M9KCM, BIOS A12 01/10/2013
> >>  task: ffff8800d1b34b10 ti: ffff8800d1b30000 task.ti: ffff8800d1b30000
> >>  RIP: 0010:[<ffffffff8162681d>]  [<ffffffff8162681d>] netlink_attachskb+0x1d/0x1d0
> >>  RSP: 0018:00007ffd22c23f28  EFLAGS: 00010006
> >>  RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00000000c0000101
> >>  RDX: 0000000000000000 RSI: 0000000000000001 RDI: 00007ffd22c23ef0
> >>  RBP: 0000000000000ea7 R08: 0000000000001ea7 R09: ffffffffffffffff
> >>  R10: 000000000309dbf8 R11: 0000000000000246 R12: 0000000000000001
> >>  R13: 0000000000000000 R14: 0000000003026e40 R15: 000000000309cd50
> >>  FS:  00007f89c83c2800(0000) GS:ffff88021d240000(0000) knlGS:0000000000000000
> >>  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >>  CR2: 000000000000016d CR3: 00000000d90a0000 CR4: 00000000001427e0
> >>  Stack:
> >>   0000000000000ea7 0000000000000000 0000000003099c10 0000000000000ea7
> >>   0000000000000ea7 0000000000000001 0000000003099c10 0000000000000ea7
> >>   0000000000c84696 0000000003099c88 00007f0122c23fb8 000000000302f610
> >>  Call Trace:
> >>   <UNK> 
> >>  Code: 
> >>  10 75 ee f0 ff 42 6c 48 89 d0 5d c3 66 90 0f 1f 44 00 00 55 48 89 e5 41 56 41 55 49 89 d5 41 54 49 89 f4 53 48 89 fb 48 83 ec 30 <8b> 87 68 01 00 00 39 87 9c 01 00 00 7c 25 48 8b 87 88 04 00 00 
> >>  Kernel panic - not syncing: Machine halted.
> >>  CPU: 1 PID: 10819 Comm: cc1 Tainted: G        W       4.0.0-rc5-debug1+ #2
> >>  Hardware name: Dell Inc. OptiPlex 9010/0M9KCM, BIOS A12 01/10/2013
> >>   0000000000000000 ffff8800d1b33e28 ffffffff816f80d2 0000000000000000
> >>   ffffffff81a22f81 ffff8800d1b33ea8 ffffffff816f2358 00000000000058d7
> >>   0000000000000008 ffff8800d1b33eb8 ffff8800d1b33e58 ffff8800d1b33ea8
> >>  Call Trace:
> >>   [<ffffffff816f80d2>] dump_stack+0x4c/0x6e
> >>   [<ffffffff816f2358>] panic+0xc0/0x1f3
> >>   [<ffffffff81046e65>] df_debug+0x35/0x40
> >>   [<ffffffff81003fe7>] do_double_fault+0x87/0x100
> >>   [<ffffffff81004167>] do_userpsace_rsp_in_kernel+0x107/0x140
> >>   [<ffffffff8162681d>] ? netlink_attachskb+0x1d/0x1d0
> >>   [<ffffffff81703ca6>] userpsace_rsp_in_kernel+0x36/0x40
> >>   [<ffffffff8162681d>] ? netlink_attachskb+0x1d/0x1d0
> >>
> >>
> >> So, it seems hitting in netlink_attachskb().
> >> I'd need to check whether this consistently hits there or just at
> >> random.
> > 
> > I managed to reproduce the bug two more times, and all three show the
> > very same stack trace like the above.  So, it's well reproducible.
> 
> FYI: the disassembly of netlink_attachskb (from "Code:" line) is:
> 
>    0:   0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)
>    5:   55                      push   %rbp
>    6:   48 89 e5                mov    %rsp,%rbp
>    9:   41 56                   push   %r14
>    b:   41 55                   push   %r13
>    d:   49 89 d5                mov    %rdx,%r13
>   10:   41 54                   push   %r12
>   12:   49 89 f4                mov    %rsi,%r12
>   15:   53                      push   %rbx
>   16:   48 89 fb                mov    %rdi,%rbx
>   19:   48 83 ec 30             sub    $0x30,%rsp
>   1d:   8b 87 68 01 00 00       mov    0x168(%rdi),%eax
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   23:   39 87 9c 01 00 00       cmp    %eax,0x19c(%rdi)
>   29:   7c 25                   jl     50 <_start+0x50>
>   2b:   48 8b 87 88 04 00 00    mov    0x488(%rdi),%rax
> 
> The ^^^^^ instruction is the one which faults. Since you said it
> consistently happens here, this should be a page fault, not an external
> hardware interrupt.
> 
> The code corresponds to the comparison in if():
> 
> int netlink_attachskb(struct sock *sk, struct sk_buff *skb,
>                       long *timeo, struct sock *ssk)
> {
>         struct netlink_sock *nlk;
> 
>         nlk = nlk_sk(sk);
> 
>         if ((atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf ||
> 
> %rdi (which is 1st param, "struct sock *sk") is 00007ffd22c23ef0
> (userspace address), but it's just because my patch clobbers %rdi,   :(
> we don't know which value it had at that moment.
> 
> > I'm really puzzled now.  We have a few pieces of information:
> > 
> > - git bisection pointed the commit 96b6352c1271:
> >     x86_64, entry: Remove the syscall exit audit and schedule optimizations
> >   and reverting this "fixes" the problem indeed.  Even just moving two
> >   lines
> >     LOCKDEP_SYS_EXIT
> >     DISABLE_INTERRUPTS(CLBR_NONE) 
> >   at the beginning of ret_from_sys_call already fixes.  (Of course I
> >   can't prove the fix but it stabilizes for a day without crash while
> >   usually I hit the bug in 10 minutes in full test running.)
> 
> The commit 96b6352c1271 moved TIF_ALLWORK_MASK check from
> interrupt-disabled region to interrupt-enabled:
> 
>         cmpq $__NR_syscall_max,%rax
>         ja ret_from_sys_call
>         movq %r10,%rcx
>         call *sys_call_table(,%rax,8)  # XXX:    rip relative
>         movq %rax,RAX-ARGOFFSET(%rsp)
> ret_from_sys_call:
> 	testl $_TIF_ALLWORK_MASK,TI_flags+THREAD_INFO(%rsp,RIP-ARGOFFSET)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 	jnz int_ret_from_sys_call_fixup	/* Go the the slow path */
>  	LOCKDEP_SYS_EXIT
>  	DISABLE_INTERRUPTS(CLBR_NONE)
>  	TRACE_IRQS_OFF
> ...
> ...
> int_ret_from_sys_call_fixup:
>         FIXUP_TOP_OF_STACK %r11, -ARGOFFSET
>         jmp int_ret_from_sys_call
> ...
> ...
> GLOBAL(int_ret_from_sys_call)
>         DISABLE_INTERRUPTS(CLBR_NONE)
>         TRACE_IRQS_OFF
> 
> You reverted that by moving this insn to be after first DISABLE_INTERRUPTS(CLBR_NONE).

Oh yes.  I forgot to mention that I tested also only moving
DISABLE_INTERRUPTS(CLBR_NONE) at the beginning.  But this didn't
help by some reason.

And, I tested also without all kernel debug options (both
CONFIG_DEBUG_LOCK_ALLOC and CONFIG_TRACE_IRQFLAGS are off), but this
kernel also showed the same crash.

> I also don't see how moving that check (even if it is wrong in a more
> benign way) can have such a drastic effect.
> 
> 
> Shot-in-the-dark idea. At this code revision we did not yet
> store user's %rsp in pt_regs->sp, we used a fixup to populate it:
> 
>         .macro FIXUP_TOP_OF_STACK tmp offset=0
>         movq PER_CPU_VAR(old_rsp),\tmp
>         movq \tmp,RSP+\offset(%rsp)
> 
> (There are pending patches to fix this mess).
> 
> If an interrupt interrupting *kernel code* would go into a code path
> which does FIXUP_TOP_OF_STACK, it'd overwrite the correct saved %rsp
> with a user's one. The iret from interrupt would work,
> but the resulting CPU state would be inconsistent. But I don't see
> such a code path from interrupts to FIXUP_TOP_OF_STACK...
> 
> 
> > - Another piece is that the bug happens only when a KVM is running.
> >   The kernel ran without problem over days with similar tasks
> >   (compiling kernel, etc) when no KVM was used.
> 
> Conceivably virtualization support in CPUs can have nasty erratas.
> However, you and other reporter have different CPUs - yours
> is Ivy Bridge, his CPU is a Penryn.
> 
> I don't see the path how KVM helps to trigger this.
> 
> > - And now I get the trace as above, pointing netlink_attachskb().
> > 
> > I have a difficulty to imagine how all these pieces fit into a single
> > picture.  Is something already screwed up before that?
> 
> Well, a tiny bit more info will be seen if you'd change %rdi
> to, say, %r15 in these two lines in my patch:
> 
>        /* Save bogus RSP value */
>        movq    %rsp,%rdi
> ...
>        push    %rdi            /* pt_regs->sp */
> 
> Then original %rdi will be visible in the crash message.

OK, here we go.

 kvm: zapping shadow pages for mmio generation wraparound
 kvm [5490]: vcpu0 disabled perfctr wrmsr: 0xc1 data 0xffff
 Exception on user stack 00007fff1d7e5ec0: RSP: 0018:00007fff1d7e5ef8  EFLAGS: 00010002
 RIP: 0010:[<ffffffff8162681d>]  [<ffffffff8162681d>] netlink_attachskb+0x1d/0x1d0
 PANIC: double fault, error_code: 0x0
 CPU: 5 PID: 14285 Comm: fixdep Tainted: G        W       4.0.0-rc5-debug1+ #3
 Hardware name: Dell Inc. OptiPlex 9010/0M9KCM, BIOS A12 01/10/2013
 task: ffff88020ba1c690 ti: ffff880206ba4000 task.ti: ffff880206ba4000
 RIP: 0010:[<ffffffff8162681d>]  [<ffffffff8162681d>] netlink_attachskb+0x1d/0x1d0
 RSP: 0018:00007fff1d7e5ef8  EFLAGS: 00010002
 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000c0000101
 RDX: 0000000000000000 RSI: 0000000000001ebb RDI: 0000000000000000
 RBP: 0000000000000022 R08: 0000000000000004 R09: 0000000000000000
 R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000001ebb
 R13: 00007fb642fcc6e4 R14: 00007fb642fcdc18 R15: 00007fff1d7e5ec0
 FS:  00007fb642fa9700(0000) GS:ffff88021d340000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000168 CR3: 00000000ce1b4000 CR4: 00000000001427e0
 Stack:
  0000000000000005 0000000000401582 00007fb642fcb180 0000000000000053
  0000000000400d8a 0000000000000000 0000000000000000 000000005d152a17
  0000000000400f8c 0000000000000000 0000000100000004 00007fb642fcb000
 Call Trace:
  <UNK> 
 Code: 
 10 75 ee f0 ff 42 6c 48 89 d0 5d c3 66 90 0f 1f 44 00 00 55 48 89 e5 41 56 41 55 49 89 d5 41 54 49 89 f4 53 48 89 fb 48 83 ec 30 <8b> 87 68 01 00 00 39 87 9c 01 00 00 7c 25 48 8b 87 88 04 00 00 
 Kernel panic - not syncing: Machine halted.
 CPU: 5 PID: 14285 Comm: fixdep Tainted: G        W       4.0.0-rc5-debug1+ #3
 Hardware name: Dell Inc. OptiPlex 9010/0M9KCM, BIOS A12 01/10/2013
  0000000000000000 ffff880206ba7e28 ffffffff816f80d2 0000000000000000
  ffffffff81a22f81 ffff880206ba7ea8 ffffffff816f2358 00000000000050da
  0000000000000008 ffff880206ba7eb8 ffff880206ba7e58 ffff880206ba7ea8
 Call Trace:
  [<ffffffff816f80d2>] dump_stack+0x4c/0x6e
  [<ffffffff816f2358>] panic+0xc0/0x1f3
  [<ffffffff81046e65>] df_debug+0x35/0x40
  [<ffffffff81003fe7>] do_double_fault+0x87/0x100
  [<ffffffff81004167>] do_userpsace_rsp_in_kernel+0x107/0x140
  [<ffffffff8162681d>] ? netlink_attachskb+0x1d/0x1d0
  [<ffffffff81703ca7>] userpsace_rsp_in_kernel+0x37/0x40
  [<ffffffff8162681d>] ? netlink_attachskb+0x1d/0x1d0


I have to leave my office now.  If you need any further tests, let me
know; I'll do it tomorrow.  In anyway I'll need to double-check
whether I tested properly.


thanks,

Takashi
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ