Date:   Tue, 8 Aug 2017 16:14:30 +0100
From:   Mark Rutland <mark.rutland@....com>
To:     linux-kernel@...r.kernel.org, Mel Gorman <mgorman@...e.de>,
        Davidlohr Bueso <dbueso@...e.de>,
        Ingo Molnar <mingo@...nel.org>
Cc:     Thomas Gleixner <tglx@...utronix.de>, Chris Mason <clm@...com>,
        Darren Hart <dvhart@...ux.intel.com>,
        Hugh Dickins <hughd@...gle.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Peter Zijlstra <peterz@...radead.org>,
        Sebastian Andrzej Siewior <bigeasy@...utronix.de>,
        dave@...olabs.net
Subject: Re: kernel BUG at kernel/futex.c:679 on v4.13-rc3-ish on arm64

On Tue, Aug 08, 2017 at 03:57:32PM +0100, Mark Rutland wrote:
> The below test case fires for me in a few seconds on an arm64 platform,
> triggering the kernel BUG at kernel/futex.c:679. If left running for longer, I
> then get a stream of other BUGs that I believe are a result of the first issue.

Likewise on v4.12 x86_64:

[2503756.486650] ------------[ cut here ]------------
[2503756.491450] WARNING: CPU: 0 PID: 21380 at kernel/futex.c:679 get_futex_key+0x2d8/0x330
[2503756.499527] Modules linked in:
[2503756.502754] CPU: 0 PID: 21380 Comm: futex-test Not tainted 4.12.0+ #14
[2503756.509441] Hardware name: LENOVO 7484A3G/LENOVO, BIOS 5CKT54AUS 09/07/2009
[2503756.516561] task: ffff9696e9abc800 task.stack: ffffa72c8637c000
[2503756.522648] RIP: 0010:get_futex_key+0x2d8/0x330
[2503756.527344] RSP: 0018:ffffa72c8637fcd8 EFLAGS: 00010246
[2503756.532734] RAX: 0000000000000000 RBX: ffffa72c8637fd88 RCX: ffff9696c618e690
[2503756.540025] RDX: ffffd98dc68b5f00 RSI: ffff9696c618e528 RDI: 0000000000000000
[2503756.547319] RBP: ffffa72c8637fd10 R08: ffff9696c618e670 R09: ffffa72c8637fc9c
[2503756.554609] R10: 0000008000000000 R11: ffff9696e5f65a58 R12: 00007f595cf4a000
[2503756.561900] R13: 0000000000000000 R14: 0000000000000001 R15: ffff9696e5fa4000
[2503756.569191] FS:  00007f595b759700(0000) GS:ffff9696fec00000(0000) knlGS:0000000000000000
[2503756.577439] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[2503756.583347] CR2: 00007f595cf4a000 CR3: 00000001a5e1d000 CR4: 00000000000406f0
[2503756.590646] Call Trace:
[2503756.593265]  ? iput+0x85/0x1d0
[2503756.596491]  futex_requeue+0x101/0x880
[2503756.600410]  do_futex+0xbe/0xa00
[2503756.603810]  ? pick_next_entity+0xa0/0x150
[2503756.608073]  ? pick_next_task_fair+0x3fc/0x460
[2503756.612685]  SyS_futex+0x6c/0x150
[2503756.616169]  ? schedule+0x31/0x80
[2503756.619657]  ? exit_to_usermode_loop+0x27/0x72
[2503756.624267]  entry_SYSCALL_64_fastpath+0x13/0x94
[2503756.629051] RIP: 0033:0x7f595c84e4e9
[2503756.632795] RSP: 002b:00007f595b758e78 EFLAGS: 00000202 ORIG_RAX: 00000000000000ca
[2503756.640521] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f595c84e4e9
[2503756.647813] RDX: 0000000000000001 RSI: 000000000000000c RDI: 00007f595cf4a000
[2503756.655109] RBP: 00007f595b758ec0 R08: 00007f595cf4a004 R09: 0000000000000001
[2503756.662401] R10: 0000000000000000 R11: 0000000000000202 R12: 00007f595cb2e880
[2503756.669693] R13: 00007f595b7599c0 R14: 0000000000000000 R15: 0000000000000003
[2503756.676986] Code: 83 ef 01 e9 ea fd ff ff 48 8d 78 ff e9 20 fe ff ff e8 7d 6d 06 00 eb a7 b8 ea ff ff ff e9 35 fe ff ff 48 8d 78 ff e9 d9 fe ff ff <0f> ff 48 8b 7d d0 e8 4d f3 ff ff e9 7f fd ff ff 0f ff 48 89 f7 
[2503756.695988] ---[ end trace adb5ba028949a89a ]---

Thanks,
Mark

> ---->8----
> #include <linux/futex.h>
> #include <pthread.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <sys/mman.h>
> #include <sys/syscall.h>
> #include <sys/time.h>
> #include <time.h>
> #include <unistd.h>
> 
> #define NR_FUTEX_THREADS 16
> 
> pthread_t threads[NR_FUTEX_THREADS];
> 
> /* Shared anonymous mapping that the main thread keeps replacing in place. */
> void *mem;
> 
> #define MEM_PROT        (PROT_READ | PROT_WRITE)
> #define MEM_SIZE        65536
> 
> /* Thin wrapper around the raw futex(2) syscall; returns the syscall result. */
> static long futex_wrapper(int *uaddr, int op, int val,
>                           const struct timespec *timeout,
>                           int *uaddr2, int val3)
> {
>         return syscall(SYS_futex, uaddr, op, val, timeout, uaddr2, val3);
> }
> 
> /*
>  * Hammer FUTEX_CMP_REQUEUE_PI on two adjacent words of the shared mapping.
>  * The return value is deliberately ignored: the point is to keep
>  * get_futex_key() racing against the MAP_FIXED remap in main(), not to
>  * use the futex correctly.
>  */
> void *poll_futex(void *unused)
> {
>         int *uaddr = mem;
> 
>         for (;;) {
>                 futex_wrapper(uaddr, FUTEX_CMP_REQUEUE_PI, 1, NULL,
>                               uaddr + 1, 1);
>         }
> 
>         return NULL;
> }
> 
> int main(int argc, char *argv[])
> {
>         int i;
> 
>         mem = mmap(NULL, MEM_SIZE, MEM_PROT,
>                    MAP_SHARED | MAP_ANONYMOUS, -1, 0);
>         if (mem == MAP_FAILED) {
>                 perror("mmap");
>                 return 1;
>         }
> 
>         printf("Mapping @ %p\n", mem);
> 
>         printf("Creating futex threads...\n");
> 
>         for (i = 0; i < NR_FUTEX_THREADS; i++)
>                 pthread_create(&threads[i], NULL, poll_futex, NULL);
> 
>         /*
>          * Repeatedly replace the mapping at the same address. MAP_FIXED
>          * swaps in a fresh shared anonymous mapping underneath the futex
>          * threads while they are still operating on the old one.
>          */
>         printf("Flipping mapping...\n");
>         for (;;) {
>                 mmap(mem, MEM_SIZE, MEM_PROT,
>                      MAP_FIXED | MAP_SHARED | MAP_ANONYMOUS, -1, 0);
>         }
> 
>         return 0;
> }
