Message-ID: <20180224003159.sc3odevnhsyqfzy5@inn>
Date: Sat, 24 Feb 2018 08:31:59 +0800
From: kernel test robot <fengguang.wu@...el.com>
To: "Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>
Cc: LKML <linux-kernel@...r.kernel.org>,
"Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>, lkp@...org
Subject: [rcu] 858c7b0986: BUG:KASAN:null-ptr-deref_in__lock_acquire
FYI, we noticed the following commit (built with gcc-7):
commit: 858c7b0986b397d4960612f03a0ef00be69a8d3f ("rcu: Parallelize expedited grace-period initialization")
https://git.kernel.org/cgit/linux/kernel/git/paulmck/linux-rcu.git rcu/dev
in testcase: trinity
with following parameters:
runtime: 300s
test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/
on test machine: qemu-system-x86_64 -enable-kvm -m 512M
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
+------------------------------------------------------------------+------------+------------+
|                                                                  | 28ea7ed1b3 | 858c7b0986 |
+------------------------------------------------------------------+------------+------------+
| boot_successes                                                   | 2          | 0          |
| boot_failures                                                    | 6          | 21         |
| invoked_oom-killer:gfp_mask=0x                                   | 6          |            |
| Mem-Info                                                         | 6          |            |
| Kernel_panic-not_syncing:Out_of_memory_and_no_killable_processes | 6          |            |
| BUG:KASAN:null-ptr-deref_in__lock_acquire                        | 0          | 21         |
| BUG:unable_to_handle_kernel                                      | 0          | 21         |
| Oops:#[##]                                                       | 0          | 21         |
| RIP:__lock_acquire                                               | 0          | 21         |
| Kernel_panic-not_syncing:Fatal_exception                         | 0          | 21         |
+------------------------------------------------------------------+------------+------------+
[ 0.033438] BUG: KASAN: null-ptr-deref in __lock_acquire+0x171/0x13d0
[ 0.034118] Read of size 8 at addr 0000000000000018 by task swapper/0/0
[ 0.034926]
[ 0.035118] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.16.0-rc1-00044-g858c7b0 #1
[ 0.036000] Call Trace:
[ 0.036000] dump_stack+0x81/0xb3
[ 0.036000] kasan_report+0x22a/0x25a
[ 0.036000] __lock_acquire+0x171/0x13d0
[ 0.036000] ? lookup_chain_cache+0x42/0x6b
[ 0.036000] ? mark_lock+0x25b/0x26d
[ 0.036000] ? rcu_report_exp_cpu_mult+0x21/0x6d
[ 0.036000] ? debug_check_no_locks_freed+0x19f/0x19f
[ 0.036000] ? debug_check_no_locks_freed+0x19f/0x19f
[ 0.036000] ? acpi_hw_read+0x1a0/0x202
[ 0.036000] ? rcu_report_exp_cpu_mult+0x21/0x6d
[ 0.036000] ? lock_acquire+0x1c0/0x209
[ 0.036000] lock_acquire+0x1c0/0x209
[ 0.036000] ? rcu_report_exp_cpu_mult+0x21/0x6d
[ 0.036000] ? sync_sched_exp_handler+0x111/0x111
[ 0.036000] _raw_spin_lock_irqsave+0x43/0x56
[ 0.036000] ? rcu_report_exp_cpu_mult+0x21/0x6d
[ 0.036000] rcu_report_exp_cpu_mult+0x21/0x6d
[ 0.036000] ? sync_sched_exp_handler+0x111/0x111
[ 0.036000] sync_rcu_exp_select_cpus+0x31b/0x44d
[ 0.036000] ? rcu_read_lock_sched_held+0x60/0x66
[ 0.036000] ? sync_sched_exp_handler+0x111/0x111
[ 0.036000] _synchronize_rcu_expedited+0x427/0x5ba
[ 0.036000] ? signal_pending+0x15/0x15
[ 0.036000] ? acpi_hw_write_pm1_control+0x52/0x52
[ 0.036000] ? acpi_hw_write_pm1_control+0x52/0x52
[ 0.036000] ? __change_page_attr_set_clr+0x420/0x420
[ 0.036000] ? printk+0x94/0xb0
[ 0.036000] ? show_regs_print_info+0xa/0xa
[ 0.036000] ? lock_downgrade+0x26a/0x26a
[ 0.036000] ? acpi_read_bit_register+0xb1/0xde
[ 0.036000] ? acpi_read+0xa/0xa
[ 0.036000] ? acpi_read+0xa/0xa
[ 0.036000] ? acpi_hw_get_mode+0x91/0xc2
[ 0.036000] ? _find_next_bit+0x3f/0xe4
[ 0.036000] ? __lock_is_held+0x2a/0x87
[ 0.036000] ? lock_is_held_type+0x78/0x86
[ 0.036000] rcu_test_sync_prims+0xa/0x23
[ 0.036000] rest_init+0xb/0xcf
[ 0.036000] start_kernel+0x59a/0x5be
[ 0.036000] ? mem_encrypt_init+0x6/0x6
[ 0.036000] ? memcpy_orig+0x54/0x110
[ 0.036000] ? x86_family+0x5/0x1d
[ 0.036000] ? load_ucode_bsp+0x3a/0xab
[ 0.036000] secondary_startup_64+0xa5/0xb0
[ 0.036000] ==================================================================
[ 0.036000] Disabling lock debugging due to kernel taint
[ 0.036000] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
[ 0.036000] IP: __lock_acquire+0x171/0x13d0
[ 0.036000] PGD 0 P4D 0
[ 0.036000] Oops: 0000 [#1] PREEMPT SMP KASAN PTI
[ 0.036000] Modules linked in:
[ 0.036000] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 4.16.0-rc1-00044-g858c7b0 #1
[ 0.036000] RIP: 0010:__lock_acquire+0x171/0x13d0
[ 0.036000] RSP: 0000:ffffffff908079a0 EFLAGS: 00010056
[ 0.036000] RAX: 0000000000000096 RBX: 0000000000000000 RCX: ffffffff8eec9e31
[ 0.036000] RDX: 0000000000000003 RSI: 0000000000000003 RDI: 0000000000000001
[ 0.036000] RBP: ffffffff90807b50 R08: dffffc0000000000 R09: 0000000000000000
[ 0.036000] R10: 0000000000000000 R11: ffffffff91ff673a R12: 0000000000000018
[ 0.036000] R13: 0000000000000000 R14: ffffffff9081cc40 R15: 0000000000000001
[ 0.036000] FS: 0000000000000000(0000) GS:ffff880017c00000(0000) knlGS:0000000000000000
[ 0.036000] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 0.036000] CR2: 0000000000000018 CR3: 0000000015614000 CR4: 00000000000006b0
[ 0.036000] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 0.036000] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 0.036000] Call Trace:
[ 0.036000] ? lookup_chain_cache+0x42/0x6b
[ 0.036000] ? mark_lock+0x25b/0x26d
[ 0.036000] ? rcu_report_exp_cpu_mult+0x21/0x6d
[ 0.036000] ? debug_check_no_locks_freed+0x19f/0x19f
[ 0.036000] ? debug_check_no_locks_freed+0x19f/0x19f
[ 0.036000] ? acpi_hw_read+0x1a0/0x202
[ 0.036000] ? rcu_report_exp_cpu_mult+0x21/0x6d
[ 0.036000] ? lock_acquire+0x1c0/0x209
[ 0.036000] lock_acquire+0x1c0/0x209
[ 0.036000] ? rcu_report_exp_cpu_mult+0x21/0x6d
[ 0.036000] ? sync_sched_exp_handler+0x111/0x111
[ 0.036000] _raw_spin_lock_irqsave+0x43/0x56
[ 0.036000] ? rcu_report_exp_cpu_mult+0x21/0x6d
[ 0.036000] rcu_report_exp_cpu_mult+0x21/0x6d
[ 0.036000] ? sync_sched_exp_handler+0x111/0x111
[ 0.036000] sync_rcu_exp_select_cpus+0x31b/0x44d
[ 0.036000] ? rcu_read_lock_sched_held+0x60/0x66
[ 0.036000] ? sync_sched_exp_handler+0x111/0x111
[ 0.036000] _synchronize_rcu_expedited+0x427/0x5ba
[ 0.036000] ? signal_pending+0x15/0x15
[ 0.036000] ? acpi_hw_write_pm1_control+0x52/0x52
[ 0.036000] ? acpi_hw_write_pm1_control+0x52/0x52
[ 0.036000] ? __change_page_attr_set_clr+0x420/0x420
[ 0.036000] ? printk+0x94/0xb0
[ 0.036000] ? show_regs_print_info+0xa/0xa
[ 0.036000] ? lock_downgrade+0x26a/0x26a
[ 0.036000] ? acpi_read_bit_register+0xb1/0xde
[ 0.036000] ? acpi_read+0xa/0xa
[ 0.036000] ? acpi_read+0xa/0xa
[ 0.036000] ? acpi_hw_get_mode+0x91/0xc2
[ 0.036000] ? _find_next_bit+0x3f/0xe4
[ 0.036000] ? __lock_is_held+0x2a/0x87
[ 0.036000] ? lock_is_held_type+0x78/0x86
[ 0.036000] rcu_test_sync_prims+0xa/0x23
[ 0.036000] rest_init+0xb/0xcf
[ 0.036000] start_kernel+0x59a/0x5be
[ 0.036000] ? mem_encrypt_init+0x6/0x6
[ 0.036000] ? memcpy_orig+0x54/0x110
[ 0.036000] ? x86_family+0x5/0x1d
[ 0.036000] ? load_ucode_bsp+0x3a/0xab
[ 0.036000] secondary_startup_64+0xa5/0xb0
[ 0.036000] Code: 90 48 c7 c7 40 8c 05 90 e8 c4 d5 f9 ff 0f ff e9 3e 12 00 00 8b 1d fb df 9b 01 85 db 74 19 4c 89 e7 bb 00 00 00 00 e8 a6 e2 14 00 <49> 81 3c 24 80 3d 46 91 41 0f 45 df 41 83 fd 01 77 17 45 89 ef
[ 0.036000] RIP: __lock_acquire+0x171/0x13d0 RSP: ffffffff908079a0
[ 0.036000] CR2: 0000000000000018
[ 0.036000] ---[ end trace faa1e435d14a1a8c ]---
To reproduce:
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email
Thanks,
lkp
View attachment "config-4.16.0-rc1-00044-g858c7b0" of type "text/plain" (122379 bytes)
View attachment "job-script" of type "text/plain" (3929 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (5864 bytes)
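The report above is raw 0-day output, and the first triage questions are always the same: what class of bug, what access at what address, which frame outside the reporting machinery to blame, and which register carried the bad pointer. The following Python script is an added example (not part of the lkp report, of lkp-tests, or of the kernel tree) that parses this KASAN/Oops format and answers those questions. SAMPLE is a constructed, trimmed copy of the report above; the list of "noise" frames (KASAN, lockdep, the spinlock wrapper) is my own heuristic, not anything KASAN defines, and PAGE_SIZE is assumed to be 4096 as on x86-64.

```python
"""Triage helper for the KASAN + Oops format in the report above.

Added example, not part of the lkp report, lkp-tests or the kernel tree.
It turns the raw dmesg lines into the facts a triager reads first.
"""
import re

# Constructed input: a trimmed copy of the report above (frames shortened,
# register dump kept), with dmesg's "[ secs.usecs]" prefixes.
SAMPLE = """\
[    0.033438] BUG: KASAN: null-ptr-deref in __lock_acquire+0x171/0x13d0
[    0.034118] Read of size 8 at addr 0000000000000018 by task swapper/0/0
[    0.034926]
[    0.035118] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.16.0-rc1-00044-g858c7b0 #1
[    0.036000] Call Trace:
[    0.036000]  dump_stack+0x81/0xb3
[    0.036000]  kasan_report+0x22a/0x25a
[    0.036000]  __lock_acquire+0x171/0x13d0
[    0.036000]  ? lookup_chain_cache+0x42/0x6b
[    0.036000]  ? rcu_report_exp_cpu_mult+0x21/0x6d
[    0.036000]  lock_acquire+0x1c0/0x209
[    0.036000]  _raw_spin_lock_irqsave+0x43/0x56
[    0.036000]  rcu_report_exp_cpu_mult+0x21/0x6d
[    0.036000]  sync_rcu_exp_select_cpus+0x31b/0x44d
[    0.036000]  _synchronize_rcu_expedited+0x427/0x5ba
[    0.036000]  rcu_test_sync_prims+0xa/0x23
[    0.036000]  rest_init+0xb/0xcf
[    0.036000]  start_kernel+0x59a/0x5be
[    0.036000]  secondary_startup_64+0xa5/0xb0
[    0.036000] ==================================================================
[    0.036000] RIP: 0010:__lock_acquire+0x171/0x13d0
[    0.036000] RAX: 0000000000000096 RBX: 0000000000000000 RCX: ffffffff8eec9e31
[    0.036000] RDX: 0000000000000003 RSI: 0000000000000003 RDI: 0000000000000001
[    0.036000] RBP: ffffffff90807b50 R08: dffffc0000000000 R09: 0000000000000000
[    0.036000] R10: 0000000000000000 R11: ffffffff91ff673a R12: 0000000000000018
[    0.036000] R13: 0000000000000000 R14: ffffffff9081cc40 R15: 0000000000000001
[    0.036000] CR2: 0000000000000018 CR3: 0000000015614000 CR4: 00000000000006b0
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\s?(.*)$")
HEADER = re.compile(r"^BUG: KASAN: (\S+) in (\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+$")
ACCESS = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)$")
CPULINE = re.compile(r"^CPU: \d+ PID: \d+ Comm: (\S+) .* (\S+) #\d+$")
FRAME = re.compile(r"^(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
REG = re.compile(r"\b(RAX|RBX|RCX|RDX|RSI|RDI|RBP|RSP|R0[89]|R1[0-5]|CR2): ([0-9a-f]{16})\b")

PAGE_SIZE = 4096  # assumed x86-64; KASAN labels accesses below this null-ptr-deref

# Frames that belong to the reporting machinery (KASAN, lockdep, the spinlock
# wrapper), not to the code that handed it a bad pointer. Own heuristic.
NOISE_EXACT = {"dump_stack", "__lock_acquire", "lock_acquire"}
NOISE_PREFIX = ("kasan_", "__kasan_", "_raw_spin_", "print_address_description")


def is_noise(fn):
    return fn in NOISE_EXACT or fn.startswith(NOISE_PREFIX)


def parse_report(text):
    """Return a dict with bug class, access, task, kernel, frames, regs and hints."""
    r = {"frames": [], "unreliable": [], "regs": {}}
    in_trace = False
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        line = (m.group(1) if m else raw).strip()
        if not line:
            continue
        if m := HEADER.match(line):
            r["bug"], r["func"] = m.group(1), m.group(2)
        elif m := ACCESS.match(line):
            r["access"], r["size"] = m.group(1), int(m.group(2))
            r["addr"], r["task"] = int(m.group(3), 16), m.group(4)
        elif m := CPULINE.match(line):
            r["comm"], r["kernel"] = m.group(1), m.group(2)
        elif line == "Call Trace:":
            in_trace = not r["frames"]  # keep only the first trace
        elif in_trace and (m := FRAME.match(line)):
            # "? " marks a stale stack slot the unwinder could not verify
            (r["unreliable"] if m.group(1) else r["frames"]).append(m.group(2))
        elif line.startswith("="):
            in_trace = False
        for name, val in REG.findall(line):
            r["regs"][name] = int(val, 16)

    addr = r.get("addr")
    if addr is not None:
        # A tiny address is a field offset off a NULL struct pointer, not a
        # wild pointer: the offset tells you which member was touched.
        r["null_offset"] = addr if addr < PAGE_SIZE else None
        r["addr_regs"] = sorted(n for n, v in r["regs"].items() if v == addr and n != "CR2")
        r["zero_regs"] = sorted(n for n, v in r["regs"].items() if v == 0)
    # First reliable frame outside the reporting machinery: where to look first
    r["blame"] = next((f for f in r["frames"] if not is_noise(f)), None)
    return r


if __name__ == "__main__":
    rep = parse_report(SAMPLE)
    print(f"{rep['bug']} in {rep['func']}: {rep['access']} of {rep['size']} "
          f"at {rep['addr']:#x} by {rep['task']} on {rep['kernel']}")
    print("NULL + offset:", rep["null_offset"], "| regs == addr:", rep["addr_regs"],
          "| zero regs:", rep["zero_regs"])
    print("look first at:", rep["blame"])
    print("reliable chain:", " <- ".join(rep["frames"]))
```

Run over the full report above it gives the same picture: R12 holds the fault address 0x18 while RBX and R13 are zero, and the bytes at the fault IP (`<49> 81 3c 24 ...`) decode to a `cmpq imm32,(%r12)`, so the faulting read went through R12, that is through a field at offset 0x18 of a NULL structure. That is consistent with a NULL spinlock pointer reaching _raw_spin_lock_irqsave and lockdep inspecting its dep_map, which is why the frame to start from is rcu_report_exp_cpu_mult (called from sync_rcu_exp_select_cpus+0x31b, before workqueues exist, from rcu_test_sync_prims at rest_init) and the lock argument it was handed, not __lock_acquire itself.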