Date:   Fri, 10 Mar 2017 20:28:06 +0100
From:   Andrey Konovalov <andreyknvl@...gle.com>
To:     Lai Jiangshan <jiangshanlai@...il.com>,
        "Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>,
        Josh Triplett <josh@...htriplett.org>,
        Steven Rostedt <rostedt@...dmis.org>,
        Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
        LKML <linux-kernel@...r.kernel.org>
Cc:     syzkaller <syzkaller@...glegroups.com>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        Kostya Serebryany <kcc@...gle.com>
Subject: srcu: BUG in __synchronize_srcu

Hi,

I've got the following error report while fuzzing the kernel with
syzkaller on an arm64 board.

On linux-next commit 56b8bad5e066c23e8fa273ef5fba50bd3da2ace8 (Mar 8).

A reproducer and .config are attached.

The bug happens while executing the following syzkaller program in a loop.
While it looks kvm-related, it might be that kvm just stresses the
srcu subsystem.

mmap(&(0x7f0000000000/0xfff000)=nil, (0xfff000), 0x3, 0x32,
0xffffffffffffffff, 0x0)
r0 = openat$kvm(0xffffffffffffff9c,
&(0x7f0000a05000)="2f6465762f6b766d00", 0x0, 0x0)
ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)

------------[ cut here ]------------
kernel BUG at kernel/rcu/srcu.c:436!
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
Modules linked in: meson_drm drm_kms_helper drm dwmac_generic realtek
dwmac_meson8b stmmac_platform stmmac meson_rng rng_core meson_gxbb_wdt
ipv6
CPU: 3 PID: 4250 Comm: a.out Not tainted 4.11.0-rc1-next-20170308-xc2-dirty #3
Hardware name: Hardkernel ODROID-C2 (DT)
task: ffff800063699700 task.stack: ffff800063cfc000
PC is at [<        none        >] __synchronize_srcu+0x3d0/0x470 kernel/rcu/srcu.c:412
LR is at [<        none        >] __synchronize_srcu+0x130/0x470 kernel/rcu/srcu.c:434
pc : [<ffff20000821a3b8>] lr : [<ffff20000821a118>] pstate: 80000145
sp : ffff800063cffb00

Process a.out (pid: 4250, stack limit = 0xffff800063cfc000)
Stack: (0xffff800063cffb00 to 0xffff800063d00000)
Call trace:
Exception stack(0xffff800063cff910 to 0xffff800063cffa40)
[<ffff20000821a3b8>] __synchronize_srcu+0x3d0/0x470 kernel/rcu/srcu.c:412
[<ffff20000821a480>] synchronize_srcu+0x28/0x60 kernel/rcu/srcu.c:516
[<ffff2000083ffd20>] __mmu_notifier_release+0x268/0x3e0 mm/mmu_notifier.c:102
[<     inline     >] mmu_notifier_release ./include/linux/mmu_notifier.h:235
[<ffff2000083aedfc>] exit_mmap+0x21c/0x288 mm/mmap.c:2941
[<     inline     >] __mmput kernel/fork.c:881
[<ffff20000810caec>] mmput+0xdc/0x2e0 kernel/fork.c:903
[<     inline     >] exit_mm kernel/exit.c:557
[<ffff20000811db88>] do_exit+0x648/0x2020 kernel/exit.c:865
[<ffff20000811f694>] do_group_exit+0xdc/0x260 kernel/exit.c:982
[<     inline     >] SYSC_exit_group kernel/exit.c:993
[<ffff20000811f838>] __wake_up_parent+0x0/0x60 kernel/exit.c:991
[<ffff200008083f70>] el0_svc_naked+0x24/0x28 arch/arm64/kernel/entry.S:813
Code: 97feee10 35fff680 17ffff1c d503201f (d4210000)
---[ end trace b727e9858bfac1ff ]---
Kernel panic - not syncing: Fatal exception
