Message-ID: <CACT4Y+ZQvQue+DpE0Rm3q6JP=y6gt=Shzb9TVePpaKZj7ia4MA@mail.gmail.com>
Date:   Fri, 10 Mar 2017 20:42:42 +0100
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Andrey Konovalov <andreyknvl@...gle.com>
Cc:     Lai Jiangshan <jiangshanlai@...il.com>,
        "Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>,
        Josh Triplett <josh@...htriplett.org>,
        Steven Rostedt <rostedt@...dmis.org>,
        Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
        LKML <linux-kernel@...r.kernel.org>,
        syzkaller <syzkaller@...glegroups.com>,
        Kostya Serebryany <kcc@...gle.com>
Subject: Re: srcu: BUG in __synchronize_srcu

On Fri, Mar 10, 2017 at 8:29 PM, 'Andrey Konovalov' via syzkaller
<syzkaller@...glegroups.com> wrote:
> On Fri, Mar 10, 2017 at 8:28 PM, Andrey Konovalov <andreyknvl@...gle.com> wrote:
>> Hi,
>>
>> I've got the following error report while fuzzing the kernel with
>> syzkaller on an arm64 board.
>
> This also happened on x86 a few times during fuzzing, however it
> wasn't reproducible.


FWIW here are 2 crashes that we hit on x86_64 on
linux-next/56b8bad5e066c23e8fa273ef5fba50bd3da2ace8:

kernel BUG at kernel/rcu/srcu.c:436!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 26567 Comm: syz-executor3 Not tainted 4.11.0-rc1-next-20170308+ #2
Hardware name: Google Google Compute Engine/Google Compute Engine,
BIOS Google 01/01/2011
task: ffff8801cbcba4c0 task.stack: ffff8801d1258000
RIP: 0010:__synchronize_srcu+0x695/0x7f0 kernel/rcu/srcu.c:412
RSP: 0018:ffff8801d125ea00 EFLAGS: 00010287
RAX: dffffc0000000000 RBX: ffff8801d125ea90 RCX: 0000000000000000
RDX: 1ffffffff0cf68f0 RSI: 0000000000000040 RDI: ffffffff867b4788
RBP: ffff8801d125eb40 R08: ffffffff867b4780 R09: ffffffff867b4778
R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff1003a24bd46
R13: ffffffff867b4700 R14: ffffffff85680588 R15: ffff8801d125ea90
FS:  00007f55c1334700(0000) GS:ffff8801dbf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c81cbd7200 CR3: 00000001da67d000 CR4: 00000000001426e0
Call Trace:
 synchronize_srcu+0x1e/0x40 kernel/rcu/srcu.c:516
 __mmu_notifier_release+0x373/0x6c0 mm/mmu_notifier.c:102
 mmu_notifier_release include/linux/mmu_notifier.h:235 [inline]
 exit_mmap+0x3cc/0x490 mm/mmap.c:2941
 __mmput kernel/fork.c:881 [inline]
 mmput+0x22b/0x6e0 kernel/fork.c:903
 exit_mm kernel/exit.c:557 [inline]
 do_exit+0xa41/0x28f0 kernel/exit.c:865
 do_group_exit+0x149/0x420 kernel/exit.c:982
 get_signal+0x7e0/0x1820 kernel/signal.c:2318
 do_signal+0xd2/0x2190 arch/x86/kernel/signal.c:808
 exit_to_usermode_loop+0x200/0x2a0 arch/x86/entry/common.c:157
 prepare_exit_to_usermode arch/x86/entry/common.c:191 [inline]
 syscall_return_slowpath+0x4d3/0x570 arch/x86/entry/common.c:260
 entry_SYSCALL_64_fastpath+0xbc/0xbe
RIP: 0033:0x44fb79
RSP: 002b:00007f55c1333b58 EFLAGS: 00000212 ORIG_RAX: 0000000000000101
RAX: 0000000000000026 RBX: 00000000007080a8 RCX: 000000000044fb79
RDX: 0000000000000000 RSI: 000000002003a000 RDI: ffffffffffffff9c
RBP: 0000000000000331 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: ffffffffffffff9c
R13: 000000002003a000 R14: 0000000000000000 R15: 0000000000000000
Code: e8 e1 3e f8 ff 85 c0 0f 85 9a fd ff ff be ff ff ff ff 48 c7 c7
c0 d9 12 85 e8 c8 3e f8 ff 85 c0 0f 85 81 fd ff ff e9 12 fa ff ff <0f>
0b c6 44 24 20 00 e9 e5 fc ff ff c6 44 24 20 00 41 bf 01 00
RIP: __synchronize_srcu+0x695/0x7f0 kernel/rcu/srcu.c:412 RSP: ffff8801d125ea00
---[ end trace c25c3b4c622f543d ]---


------------[ cut here ]------------
QAT: Invalid ioctl
kernel BUG at kernel/rcu/srcu.c:436!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 3886 Comm: kworker/u4:10 Not tainted 4.11.0-rc1-next-20170308+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine,
BIOS Google 01/01/2011
Workqueue: events_unbound fsnotify_mark_destroy_workfn
task: ffff8801c384c880 task.stack: ffff8801d9658000
RIP: 0010:__synchronize_srcu+0x695/0x7f0 kernel/rcu/srcu.c:412
RSP: 0018:ffff8801d965f250 EFLAGS: 00010287
RAX: dffffc0000000000 RBX: ffff8801d965f2e0 RCX: 0000000000000000
RDX: 1ffffffff0cf81a8 RSI: 0000000000000040 RDI: ffffffff867c0d48
RBP: ffff8801d965f390 R08: ffffffff867c0d40 R09: ffffffff867c0d38
R10: 0000000000000006 R11: 0000000000000000 R12: 1ffff1003b2cbe50
R13: ffffffff867c0cc0 R14: ffffffff85680588 R15: ffff8801d965f2e0
FS:  0000000000000000(0000) GS:ffff8801dbe00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001ddbc37000 CR3: 00000001c46e2000 CR4: 00000000001406f0
Call Trace:
 synchronize_srcu+0x1e/0x40 kernel/rcu/srcu.c:516
 fsnotify_mark_destroy_list+0x19d/0x540 fs/notify/mark.c:539
 fsnotify_mark_destroy_workfn+0xe/0x10 fs/notify/mark.c:549
 process_one_work+0xbd0/0x1c10 kernel/workqueue.c:2097
 worker_thread+0x223/0x1990 kernel/workqueue.c:2231
 kthread+0x326/0x3f0 kernel/kthread.c:229
 ret_from_fork+0x31/0x40 arch/x86/entry/entry_64.S:430
Code: e8 e1 3e f8 ff 85 c0 0f 85 9a fd ff ff be ff ff ff ff 48 c7 c7
c0 d9 12 85 e8 c8 3e f8 ff 85 c0 0f 85 81 fd ff ff e9 12 fa ff ff <0f>
0b c6 44 24 20 00 e9 e5 fc ff ff c6 44 24 20 00 41 bf 01 00
RIP: __synchronize_srcu+0x695/0x7f0 kernel/rcu/srcu.c:412 RSP: ffff8801d965f250
---[ end trace 4aa6116de274db2a ]---
