Date:   Sun, 19 Jul 2020 15:08:13 -0700
From:   "Paul E. McKenney" <paulmck@...nel.org>
To:     kernel test robot <rong.a.chen@...el.com>
Cc:     LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org
Subject: Re: [rcutorture] 5155be9994:
 BUG:kernel_NULL_pointer_dereference,address

On Fri, Jul 17, 2020 at 02:04:55PM +0800, kernel test robot wrote:
> Greeting,
> 
> FYI, we noticed the following commit (built with gcc-9):
> 
> commit: 5155be9994e557618a8312389fb4e52dfbf28a3c ("rcutorture: Dynamically allocate rcu_fwds structure")
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master
> 
> 
> in testcase: trinity
> with following parameters:
> 
> 	runtime: 300s
> 
> test-description: Trinity is a linux system call fuzz tester.
> test-url: http://codemonkey.org.uk/projects/trinity/
> 
> 
> on test machine: qemu-system-i386 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
> 
> caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
> 
> 
> +-----------------------------------------------------------+------------+------------+
> |                                                           | 6764100bd2 | 5155be9994 |
> +-----------------------------------------------------------+------------+------------+
> | boot_successes                                            | 13         | 13         |
> | boot_failures                                             | 9          | 9          |
> | WARNING:at_kernel/rcu/rcutorture.c:#rcutorture_oom_notify | 9          | 9          |
> | EIP:rcutorture_oom_notify                                 | 9          | 9          |
> | invoked_oom-killer:gfp_mask=0x                            | 3          |            |
> | Mem-Info                                                  | 3          |            |
> | BUG:kernel_NULL_pointer_dereference,address               | 0          | 9          |
> | Oops:#[##]                                                | 0          | 9          |
> | EIP:rcu_torture_fwd_cb_hist                               | 0          | 9          |
> | Kernel_panic-not_syncing:Fatal_exception                  | 0          | 9          |
> +-----------------------------------------------------------+------------+------------+
> 
> 
> If you fix the issue, kindly add following tag
> Reported-by: kernel test robot <rong.a.chen@...el.com>

Good catch!  Fix shown below, and thank you for your testing efforts!

							Thanx, Paul

------------------------------------------------------------------------

commit 36444974a456b95c18805dec8e0341cf02570fdc
Author: Paul E. McKenney <paulmck@...nel.org>
Date:   Sun Jul 19 14:40:31 2020 -0700

    rcutorture: Properly set rcu_fwds for OOM handling
    
    The conversion of rcu_fwds to dynamic allocation failed to actually
    allocate the required structure.  This commit therefore allocates it,
    frees it, and updates rcu_fwds accordingly.  While in the area, it
    abstracts the cleanup actions into rcu_torture_fwd_prog_cleanup().
    
    Fixes: 5155be9994e5 ("rcutorture: Dynamically allocate rcu_fwds structure")
    Reported-by: kernel test robot <rong.a.chen@...el.com>
    Signed-off-by: Paul E. McKenney <paulmck@...nel.org>

diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c
index 748212c..e40a38f 100644
--- a/kernel/rcu/rcutorture.c
+++ b/kernel/rcu/rcutorture.c
@@ -2153,9 +2153,20 @@ static int __init rcu_torture_fwd_prog_init(void)
 		return -ENOMEM;
 	spin_lock_init(&rfp->rcu_fwd_lock);
 	rfp->rcu_fwd_cb_tail = &rfp->rcu_fwd_cb_head;
+	rcu_fwds = rfp;
 	return torture_create_kthread(rcu_torture_fwd_prog, rfp, fwd_prog_task);
 }
 
+static void rcu_torture_fwd_prog_cleanup(void)
+{
+	struct rcu_fwd *rfp;
+
+	torture_stop_kthread(rcu_torture_fwd_prog, fwd_prog_task);
+	rfp = rcu_fwds;
+	rcu_fwds = NULL;
+	kfree(rfp);
+}
+
 /* Callback function for RCU barrier testing. */
 static void rcu_torture_barrier_cbf(struct rcu_head *rcu)
 {
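Review bot: in rcu_torture_fwd_prog_cleanup(), `rcu_fwds = NULL;` followed by `kfree(rfp);` is a plain store and free, with no synchronization visible in this hunk against other readers of rcu_fwds, and the commit log names OOM handling as such a reader. If the OOM notifier can still run at this point it could pick up the pointer just before the free, so please confirm that the notifier is unregistered before this function runs, or document that ordering in a comment above the function. Separately, in rcu_torture_fwd_prog_init() the new `rcu_fwds = rfp;` publishes the structure before the result of torture_create_kthread() is known. On a kthread-creation failure the allocation stays live and reachable through rcu_fwds, which is fine only if the error path always reaches rcu_torture_fwd_prog_cleanup(); that dependency is worth a one-line comment.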
@@ -2453,7 +2464,7 @@ rcu_torture_cleanup(void)
 	show_rcu_gp_kthreads();
 	rcu_torture_read_exit_cleanup();
 	rcu_torture_barrier_cleanup();
-	torture_stop_kthread(rcu_torture_fwd_prog, fwd_prog_task);
+	rcu_torture_fwd_prog_cleanup();
 	torture_stop_kthread(rcu_torture_stall, stall_task);
 	torture_stop_kthread(rcu_torture_writer, writer_task);
 
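Review bot: with `rcu_torture_fwd_prog_cleanup();` at this position in rcu_torture_cleanup(), the rcu_fwds structure is now freed before the torture_stop_kthread() calls for stall_task and writer_task, where the old line only stopped the forward-progress kthread. Please note in a comment or the commit log that nothing still running after this point dereferences rcu_fwds, or move the call later in the teardown sequence if that cannot be guaranteed.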
