Message-ID: <87a81or0u2.fsf@notabene.neil.brown.name>
Date: Thu, 21 Sep 2017 09:02:29 +0200
From: NeilBrown <neilb@...e.com>
To: kernel test robot <xiaolong.ye@...el.com>
Cc: Jens Axboe <axboe@...nel.dk>, Christoph Hellwig <hch@....de>,
Ming Lei <ming.lei@...hat.com>,
LKML <linux-kernel@...r.kernel.org>,
Linus Torvalds <torvalds@...ux-foundation.org>, lkp@...org
Subject: Re: [lkp-robot] [blk] 47e0fb461f: BUG:unable_to_handle_kernel
On Thu, Sep 21 2017, kernel test robot wrote:
> FYI, we noticed the following commit:
>
> commit: 47e0fb461fca1a68a566c82fcc006cc787312d8c ("blk: make the bioset rescue_workqueue optional.")
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master
>
> in testcase: trinity
> with following parameters:
>
> runtime: 300s
>
> test-description: Trinity is a linux system call fuzz tester.
> test-url: http://codemonkey.org.uk/projects/trinity/
>
>
> on test machine: qemu-system-x86_64 -enable-kvm -cpu IvyBridge -m 420M
>
> caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):

Interesting.

I cannot see how that bug could be caused by that patch.
I think it is crashing in

    static inline bool ata_is_host_link(const struct ata_link *link)
    {
            return link == &link->ap->link || link == link->ap->slave_link;
    }

from

    static inline int ata_link_max_devices(const struct ata_link *link)
    {
            if (ata_is_host_link(link) && link->ap->flags & ATA_FLAG_SLAVE_POSS)
                    return 2;
            return 1;
    }

from ata_dev_next().

I think %rdi holds link->ap, so the "link->ap->slave_link" dereference
causes the crash.

link->ap seems to be initialized quite early, and never cleared, so I
don't know how it could be NULL...

Confused.

Thanks,
NeilBrown