lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20211205130412.GB33002@xsang-OptiPlex-9020>
Date:   Sun, 5 Dec 2021 21:04:12 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Christoph Hellwig <hch@....de>
Cc:     0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
        lkp@...ts.01.org, Jens Axboe <axboe@...nel.dk>,
        Paolo Valente <paolo.valente@...aro.org>,
        Jan Kara <jack@...e.cz>, linux-block@...r.kernel.org
Subject: [block]  8216260d3a:
 BUG:sleeping_function_called_from_invalid_context_at_arch/x86/mm/fault.c



Greeting,

FYI, we noticed the following commit (built with gcc-9):

commit: 8216260d3a11d90ae8964f40644a362edcf3a207 ("[PATCH 7/7] block: only build the icq tracking code when needed")
url: https://github.com/0day-ci/linux/commits/Christoph-Hellwig/block-remove-the-nr_task-field-from-struct-io_context/20211130-214709
base: https://git.kernel.org/cgit/linux/kernel/git/axboe/linux-block.git for-next
patch link: https://lore.kernel.org/linux-block/20211130124636.2505904-8-hch@lst.de

in testcase: trinity
version: trinity-static-i386-x86_64-f93256fb_2019-08-28
with following parameters:

	runtime: 300s
	group: group-01

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-i386 -enable-kvm -cpu SandyBridge -smp 2 -m 4G

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):


+--------------------------------------------------------------------------+------------+------------+
|                                                                          | 89e4ff2ade | 8216260d3a |
+--------------------------------------------------------------------------+------------+------------+
| boot_successes                                                           | 17         | 4          |
| boot_failures                                                            | 0          | 16         |
| BUG:sleeping_function_called_from_invalid_context_at_arch/x86/mm/fault.c | 0          | 14         |
| EIP:kmem_cache_alloc                                                     | 0          | 16         |
| BUG:kernel_NULL_pointer_dereference,address                              | 0          | 16         |
| Oops:#[##]                                                               | 0          | 16         |
| Kernel_panic-not_syncing:Fatal_exception                                 | 0          | 16         |
+--------------------------------------------------------------------------+------------+------------+


If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>


[  106.201353][ T3759] BUG: sleeping function called from invalid context at arch/x86/mm/fault.c:1355
[  106.202656][ T3759] in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 3759, name: trinity-c3
[  106.203754][ T3759] preempt_count: 0, expected: 0
[  106.204360][ T3759] RCU nest depth: 1, expected: 0
[  106.204949][ T3759] 2 locks held by trinity-c3/3759:
[ 106.205556][ T3759] #0: c233b46c (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire (notifier.c:?) 
[ 106.206698][ T3759] #1: f4ad1ae8 (&mm->mmap_lock#2){++++}-{3:3}, at: do_user_addr_fault (fault.c:?) 
[  106.207848][ T3759] CPU: 1 PID: 3759 Comm: trinity-c3 Not tainted 5.16.0-rc3-00097-g8216260d3a11 #1
[  106.208923][ T3759] Call Trace:
[ 106.209298][ T3759] dump_stack_lvl (??:?) 
[ 106.209807][ T3759] dump_stack (??:?) 
[ 106.210285][ T3759] __might_resched (??:?) 
[ 106.210848][ T3759] ? preempt_count_add (??:?) 
[ 106.211459][ T3759] __might_sleep (??:?) 
[ 106.212034][ T3759] ? do_user_addr_fault (fault.c:?) 
[ 106.212726][ T3759] do_user_addr_fault (fault.c:?) 
[ 106.213318][ T3759] exc_page_fault (??:?) 
[ 106.213861][ T3759] ? paravirt_BUG (??:?) 
[ 106.214396][ T3759] handle_exception (arch/x86/entry/entry_32.o:?) 
[ 106.214991][ T3759] EIP: kmem_cache_alloc (??:?) 
[ 106.215604][ T3759] Code: 00 00 e8 97 4e f1 ff 64 a1 54 38 5c c2 85 c0 75 05 e8 c6 4c 88 00 5a 89 d8 5b 5e 5f 5d c3 55 89 e5 57 56 53 83 ec 0c 89 45 e8 <8b> 58 10 89 55 ec e8 7e e3 ff ff 89 c6 85 c0 0f 84 b9 00 00 00 a1
All code
========
   0:	00 00                	add    %al,(%rax)
   2:	e8 97 4e f1 ff       	callq  0xfffffffffff14e9e
   7:	64 a1 54 38 5c c2 85 	movabs %fs:0x575c085c25c3854,%eax
   e:	c0 75 05 
  11:	e8 c6 4c 88 00       	callq  0x884cdc
  16:	5a                   	pop    %rdx
  17:	89 d8                	mov    %ebx,%eax
  19:	5b                   	pop    %rbx
  1a:	5e                   	pop    %rsi
  1b:	5f                   	pop    %rdi
  1c:	5d                   	pop    %rbp
  1d:	c3                   	retq   
  1e:	55                   	push   %rbp
  1f:	89 e5                	mov    %esp,%ebp
  21:	57                   	push   %rdi
  22:	56                   	push   %rsi
  23:	53                   	push   %rbx
  24:	83 ec 0c             	sub    $0xc,%esp
  27:	89 45 e8             	mov    %eax,-0x18(%rbp)
  2a:*	8b 58 10             	mov    0x10(%rax),%ebx		<-- trapping instruction
  2d:	89 55 ec             	mov    %edx,-0x14(%rbp)
  30:	e8 7e e3 ff ff       	callq  0xffffffffffffe3b3
  35:	89 c6                	mov    %eax,%esi
  37:	85 c0                	test   %eax,%eax
  39:	0f 84 b9 00 00 00    	je     0xf8
  3f:	a1                   	.byte 0xa1

Code starting with the faulting instruction
===========================================
   0:	8b 58 10             	mov    0x10(%rax),%ebx
   3:	89 55 ec             	mov    %edx,-0x14(%rbp)
   6:	e8 7e e3 ff ff       	callq  0xffffffffffffe389
   b:	89 c6                	mov    %eax,%esi
   d:	85 c0                	test   %eax,%eax
   f:	0f 84 b9 00 00 00    	je     0xce
  15:	a1                   	.byte 0xa1
[  106.217933][ T3759] EAX: 00000000 EBX: c3281cc0 ECX: 00000001 EDX: 00000b20
[  106.218763][ T3759] ESI: 00000b20 EDI: 00000000 EBP: c5423e58 ESP: c5423e40
[  106.219591][ T3759] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00010282
[ 106.220526][ T3759] ? proc_sched_show_task (??:?) 
[ 106.221176][ T3759] ? paravirt_BUG (??:?) 
[ 106.221681][ T3759] ? proc_sched_show_task (??:?) 
[ 106.222312][ T3759] ? paravirt_BUG (??:?) 
[ 106.222770][ T3759] ? kmem_cache_alloc (??:?) 
[ 106.223282][ T3759] get_task_io_context (??:?) 
[ 106.223882][ T3759] set_task_ioprio (??:?) 
[ 106.224435][ T3759] __ia32_sys_ioprio_set (??:?) 
[ 106.225021][ T3759] __do_fast_syscall_32 (common.c:?) 
[ 106.225643][ T3759] ? __this_cpu_preempt_check (??:?) 
[ 106.226281][ T3759] ? lock_is_held_type (??:?) 
[ 106.226863][ T3759] ? __do_fast_syscall_32 (common.c:?) 
[ 106.227464][ T3759] ? __this_cpu_preempt_check (??:?) 
[ 106.228128][ T3759] ? lockdep_hardirqs_on (??:?) 
[ 106.228768][ T3759] ? syscall_exit_to_user_mode (??:?) 
[ 106.229458][ T3759] ? __do_fast_syscall_32 (common.c:?) 
[ 106.230085][ T3759] ? __do_fast_syscall_32 (common.c:?) 
[ 106.230695][ T3759] ? __this_cpu_preempt_check (??:?) 
[ 106.231340][ T3759] ? lockdep_hardirqs_on (??:?) 
[ 106.231967][ T3759] ? syscall_exit_to_user_mode (??:?) 
[ 106.232633][ T3759] ? __do_fast_syscall_32 (common.c:?) 
[ 106.233233][ T3759] ? __do_fast_syscall_32 (common.c:?) 
[ 106.233801][ T3759] ? __do_fast_syscall_32 (common.c:?) 
[ 106.234393][ T3759] ? irqentry_exit_to_user_mode (??:?) 
[ 106.235066][ T3759] ? irqentry_exit (??:?) 
[ 106.235610][ T3759] do_fast_syscall_32 (??:?) 
[ 106.236212][ T3759] do_SYSENTER_32 (??:?) 
[ 106.236739][ T3759] entry_SYSENTER_32 (??:?) 
[  106.237296][ T3759] EIP: 0xb7f40545
[ 106.237720][ T3759] Code: c4 01 10 03 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90 8d 76
All code
========
   0:	c4 01 10 03          	(bad)  
   4:	03 74 c0 01          	add    0x1(%rax,%rax,8),%esi
   8:	10 05 03 74 b8 01    	adc    %al,0x1b87403(%rip)        # 0x1b87411
   e:	10 06                	adc    %al,(%rsi)
  10:	03 74 b4 01          	add    0x1(%rsp,%rsi,4),%esi
  14:	10 07                	adc    %al,(%rdi)
  16:	03 74 b0 01          	add    0x1(%rax,%rsi,4),%esi
  1a:	10 08                	adc    %cl,(%rax)
  1c:	03 74 d8 01          	add    0x1(%rax,%rbx,8),%esi
  20:	00 51 52             	add    %dl,0x52(%rcx)
  23:	55                   	push   %rbp
  24:	89 e5                	mov    %esp,%ebp
  26:	0f 34                	sysenter 
  28:	cd 80                	int    $0x80
  2a:*	5d                   	pop    %rbp		<-- trapping instruction
  2b:	5a                   	pop    %rdx
  2c:	59                   	pop    %rcx
  2d:	c3                   	retq   
  2e:	90                   	nop
  2f:	90                   	nop
  30:	90                   	nop
  31:	90                   	nop
  32:	8d 76 00             	lea    0x0(%rsi),%esi
  35:	58                   	pop    %rax
  36:	b8 77 00 00 00       	mov    $0x77,%eax
  3b:	cd 80                	int    $0x80
  3d:	90                   	nop
  3e:	8d                   	.byte 0x8d
  3f:	76                   	.byte 0x76

Code starting with the faulting instruction
===========================================
   0:	5d                   	pop    %rbp
   1:	5a                   	pop    %rdx
   2:	59                   	pop    %rcx
   3:	c3                   	retq   
   4:	90                   	nop
   5:	90                   	nop
   6:	90                   	nop
   7:	90                   	nop
   8:	8d 76 00             	lea    0x0(%rsi),%esi
   b:	58                   	pop    %rax
   c:	b8 77 00 00 00       	mov    $0x77,%eax
  11:	cd 80                	int    $0x80
  13:	90                   	nop
  14:	8d                   	.byte 0x8d
  15:	76                   	.byte 0x76


To reproduce:

        # build kernel
	cd linux
	cp config-5.16.0-rc3-00097-g8216260d3a11 .config
	make HOSTCC=gcc-9 CC=gcc-9 ARCH=i386 olddefconfig prepare modules_prepare bzImage modules
	make HOSTCC=gcc-9 CC=gcc-9 ARCH=i386 INSTALL_MOD_PATH=<mod-install-dir> modules_install
	cd <mod-install-dir>
	find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz


        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

        # if come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.



---
0DAY/LKP+ Test Infrastructure                   Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org       Intel Corporation

Thanks,
Oliver Sang


View attachment "config-5.16.0-rc3-00097-g8216260d3a11" of type "text/plain" (124764 bytes)

View attachment "job-script" of type "text/plain" (4659 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (20516 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ