Date:   Sun, 5 Dec 2021 21:04:12 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Christoph Hellwig <hch@....de>
Cc:     0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
        lkp@...ts.01.org, Jens Axboe <axboe@...nel.dk>,
        Paolo Valente <paolo.valente@...aro.org>,
        Jan Kara <jack@...e.cz>, linux-block@...r.kernel.org
Subject: [block] 8216260d3a: BUG:sleeping_function_called_from_invalid_context_at_arch/x86/mm/fault.c



Greeting,

FYI, we noticed the following commit (built with gcc-9):

commit: 8216260d3a11d90ae8964f40644a362edcf3a207 ("[PATCH 7/7] block: only build the icq tracking code when needed")
url: https://github.com/0day-ci/linux/commits/Christoph-Hellwig/block-remove-the-nr_task-field-from-struct-io_context/20211130-214709
base: https://git.kernel.org/cgit/linux/kernel/git/axboe/linux-block.git for-next
patch link: https://lore.kernel.org/linux-block/20211130124636.2505904-8-hch@lst.de

in testcase: trinity
version: trinity-static-i386-x86_64-f93256fb_2019-08-28
with following parameters:

	runtime: 300s
	group: group-01

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-i386 -enable-kvm -cpu SandyBridge -smp 2 -m 4G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):


+--------------------------------------------------------------------------+------------+------------+
|                                                                          | 89e4ff2ade | 8216260d3a |
+--------------------------------------------------------------------------+------------+------------+
| boot_successes                                                           | 17         | 4          |
| boot_failures                                                            | 0          | 16         |
| BUG:sleeping_function_called_from_invalid_context_at_arch/x86/mm/fault.c | 0          | 14         |
| EIP:kmem_cache_alloc                                                     | 0          | 16         |
| BUG:kernel_NULL_pointer_dereference,address                              | 0          | 16         |
| Oops:#[##]                                                               | 0          | 16         |
| Kernel_panic-not_syncing:Fatal_exception                                 | 0          | 16         |
+--------------------------------------------------------------------------+------------+------------+


If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>


[  106.201353][ T3759] BUG: sleeping function called from invalid context at arch/x86/mm/fault.c:1355
[  106.202656][ T3759] in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 3759, name: trinity-c3
[  106.203754][ T3759] preempt_count: 0, expected: 0
[  106.204360][ T3759] RCU nest depth: 1, expected: 0
[  106.204949][ T3759] 2 locks held by trinity-c3/3759:
[ 106.205556][ T3759] #0: c233b46c (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire (notifier.c:?) 
[ 106.206698][ T3759] #1: f4ad1ae8 (&mm->mmap_lock#2){++++}-{3:3}, at: do_user_addr_fault (fault.c:?) 
[  106.207848][ T3759] CPU: 1 PID: 3759 Comm: trinity-c3 Not tainted 5.16.0-rc3-00097-g8216260d3a11 #1
[  106.208923][ T3759] Call Trace:
[ 106.209298][ T3759] dump_stack_lvl (??:?) 
[ 106.209807][ T3759] dump_stack (??:?) 
[ 106.210285][ T3759] __might_resched (??:?) 
[ 106.210848][ T3759] ? preempt_count_add (??:?) 
[ 106.211459][ T3759] __might_sleep (??:?) 
[ 106.212034][ T3759] ? do_user_addr_fault (fault.c:?) 
[ 106.212726][ T3759] do_user_addr_fault (fault.c:?) 
[ 106.213318][ T3759] exc_page_fault (??:?) 
[ 106.213861][ T3759] ? paravirt_BUG (??:?) 
[ 106.214396][ T3759] handle_exception (arch/x86/entry/entry_32.o:?) 
[ 106.214991][ T3759] EIP: kmem_cache_alloc (??:?) 
[ 106.215604][ T3759] Code: 00 00 e8 97 4e f1 ff 64 a1 54 38 5c c2 85 c0 75 05 e8 c6 4c 88 00 5a 89 d8 5b 5e 5f 5d c3 55 89 e5 57 56 53 83 ec 0c 89 45 e8 <8b> 58 10 89 55 ec e8 7e e3 ff ff 89 c6 85 c0 0f 84 b9 00 00 00 a1
All code
========
   0:	00 00                	add    %al,(%rax)
   2:	e8 97 4e f1 ff       	callq  0xfffffffffff14e9e
   7:	64 a1 54 38 5c c2 85 	movabs %fs:0x575c085c25c3854,%eax
   e:	c0 75 05 
  11:	e8 c6 4c 88 00       	callq  0x884cdc
  16:	5a                   	pop    %rdx
  17:	89 d8                	mov    %ebx,%eax
  19:	5b                   	pop    %rbx
  1a:	5e                   	pop    %rsi
  1b:	5f                   	pop    %rdi
  1c:	5d                   	pop    %rbp
  1d:	c3                   	retq   
  1e:	55                   	push   %rbp
  1f:	89 e5                	mov    %esp,%ebp
  21:	57                   	push   %rdi
  22:	56                   	push   %rsi
  23:	53                   	push   %rbx
  24:	83 ec 0c             	sub    $0xc,%esp
  27:	89 45 e8             	mov    %eax,-0x18(%rbp)
  2a:*	8b 58 10             	mov    0x10(%rax),%ebx		<-- trapping instruction
  2d:	89 55 ec             	mov    %edx,-0x14(%rbp)
  30:	e8 7e e3 ff ff       	callq  0xffffffffffffe3b3
  35:	89 c6                	mov    %eax,%esi
  37:	85 c0                	test   %eax,%eax
  39:	0f 84 b9 00 00 00    	je     0xf8
  3f:	a1                   	.byte 0xa1

Code starting with the faulting instruction
===========================================
   0:	8b 58 10             	mov    0x10(%rax),%ebx
   3:	89 55 ec             	mov    %edx,-0x14(%rbp)
   6:	e8 7e e3 ff ff       	callq  0xffffffffffffe389
   b:	89 c6                	mov    %eax,%esi
   d:	85 c0                	test   %eax,%eax
   f:	0f 84 b9 00 00 00    	je     0xce
  15:	a1                   	.byte 0xa1
[  106.217933][ T3759] EAX: 00000000 EBX: c3281cc0 ECX: 00000001 EDX: 00000b20
[  106.218763][ T3759] ESI: 00000b20 EDI: 00000000 EBP: c5423e58 ESP: c5423e40
[  106.219591][ T3759] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00010282
[ 106.220526][ T3759] ? proc_sched_show_task (??:?) 
[ 106.221176][ T3759] ? paravirt_BUG (??:?) 
[ 106.221681][ T3759] ? proc_sched_show_task (??:?) 
[ 106.222312][ T3759] ? paravirt_BUG (??:?) 
[ 106.222770][ T3759] ? kmem_cache_alloc (??:?) 
[ 106.223282][ T3759] get_task_io_context (??:?) 
[ 106.223882][ T3759] set_task_ioprio (??:?) 
[ 106.224435][ T3759] __ia32_sys_ioprio_set (??:?) 
[ 106.225021][ T3759] __do_fast_syscall_32 (common.c:?) 
[ 106.225643][ T3759] ? __this_cpu_preempt_check (??:?) 
[ 106.226281][ T3759] ? lock_is_held_type (??:?) 
[ 106.226863][ T3759] ? __do_fast_syscall_32 (common.c:?) 
[ 106.227464][ T3759] ? __this_cpu_preempt_check (??:?) 
[ 106.228128][ T3759] ? lockdep_hardirqs_on (??:?) 
[ 106.228768][ T3759] ? syscall_exit_to_user_mode (??:?) 
[ 106.229458][ T3759] ? __do_fast_syscall_32 (common.c:?) 
[ 106.230085][ T3759] ? __do_fast_syscall_32 (common.c:?) 
[ 106.230695][ T3759] ? __this_cpu_preempt_check (??:?) 
[ 106.231340][ T3759] ? lockdep_hardirqs_on (??:?) 
[ 106.231967][ T3759] ? syscall_exit_to_user_mode (??:?) 
[ 106.232633][ T3759] ? __do_fast_syscall_32 (common.c:?) 
[ 106.233233][ T3759] ? __do_fast_syscall_32 (common.c:?) 
[ 106.233801][ T3759] ? __do_fast_syscall_32 (common.c:?) 
[ 106.234393][ T3759] ? irqentry_exit_to_user_mode (??:?) 
[ 106.235066][ T3759] ? irqentry_exit (??:?) 
[ 106.235610][ T3759] do_fast_syscall_32 (??:?) 
[ 106.236212][ T3759] do_SYSENTER_32 (??:?) 
[ 106.236739][ T3759] entry_SYSENTER_32 (??:?) 
[  106.237296][ T3759] EIP: 0xb7f40545
[ 106.237720][ T3759] Code: c4 01 10 03 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90 8d 76
All code
========
   0:	c4 01 10 03          	(bad)  
   4:	03 74 c0 01          	add    0x1(%rax,%rax,8),%esi
   8:	10 05 03 74 b8 01    	adc    %al,0x1b87403(%rip)        # 0x1b87411
   e:	10 06                	adc    %al,(%rsi)
  10:	03 74 b4 01          	add    0x1(%rsp,%rsi,4),%esi
  14:	10 07                	adc    %al,(%rdi)
  16:	03 74 b0 01          	add    0x1(%rax,%rsi,4),%esi
  1a:	10 08                	adc    %cl,(%rax)
  1c:	03 74 d8 01          	add    0x1(%rax,%rbx,8),%esi
  20:	00 51 52             	add    %dl,0x52(%rcx)
  23:	55                   	push   %rbp
  24:	89 e5                	mov    %esp,%ebp
  26:	0f 34                	sysenter 
  28:	cd 80                	int    $0x80
  2a:*	5d                   	pop    %rbp		<-- trapping instruction
  2b:	5a                   	pop    %rdx
  2c:	59                   	pop    %rcx
  2d:	c3                   	retq   
  2e:	90                   	nop
  2f:	90                   	nop
  30:	90                   	nop
  31:	90                   	nop
  32:	8d 76 00             	lea    0x0(%rsi),%esi
  35:	58                   	pop    %rax
  36:	b8 77 00 00 00       	mov    $0x77,%eax
  3b:	cd 80                	int    $0x80
  3d:	90                   	nop
  3e:	8d                   	.byte 0x8d
  3f:	76                   	.byte 0x76

Code starting with the faulting instruction
===========================================
   0:	5d                   	pop    %rbp
   1:	5a                   	pop    %rdx
   2:	59                   	pop    %rcx
   3:	c3                   	retq   
   4:	90                   	nop
   5:	90                   	nop
   6:	90                   	nop
   7:	90                   	nop
   8:	8d 76 00             	lea    0x0(%rsi),%esi
   b:	58                   	pop    %rax
   c:	b8 77 00 00 00       	mov    $0x77,%eax
  11:	cd 80                	int    $0x80
  13:	90                   	nop
  14:	8d                   	.byte 0x8d
  15:	76                   	.byte 0x76


To reproduce:

	# build kernel
	cd linux
	cp config-5.16.0-rc3-00097-g8216260d3a11 .config
	make HOSTCC=gcc-9 CC=gcc-9 ARCH=i386 olddefconfig prepare modules_prepare bzImage modules
	make HOSTCC=gcc-9 CC=gcc-9 ARCH=i386 INSTALL_MOD_PATH=<mod-install-dir> modules_install
	cd <mod-install-dir>
	find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz


	git clone https://github.com/intel/lkp-tests.git
	cd lkp-tests
	bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

	# if you come across any failure that blocks the test,
	# please remove ~/.lkp and /lkp dir to run from a clean state.



---
0DAY/LKP+ Test Infrastructure                   Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org       Intel Corporation

Thanks,
Oliver Sang


View attachment "config-5.16.0-rc3-00097-g8216260d3a11" of type "text/plain" (124764 bytes)

View attachment "job-script" of type "text/plain" (4659 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (20516 bytes)
