2013-06-03 08:04:12

by Tommi Rantala

Subject: GPF at fsnotify_clear_marks_by_group_flags()

Hello,

Hit this while fuzzing v3.10-rc4-0-gd683b96 with trinity.

Looks similar to what I reported back in March:
https://lkml.org/lkml/2013/3/13/222

Tommi

[42279.088045] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC
[42279.091904] CPU: 1 PID: 10937 Comm: trinity-child7 Tainted: G I 3.10.0-rc4 #1
[42279.091904] Hardware name: Hewlett-Packard HP Compaq dc7800 Small Form Factor/0AA8h, BIOS 786F1 v01.24 03/18/2008
[42279.091904] task: ffff8801125e23e0 ti: ffff8800bdf40000 task.ti: ffff8800bdf40000
[42279.091904] RIP: 0010:[<ffffffff81275b63>] [<ffffffff81275b63>] fsnotify_clear_marks_by_group_flags+0x93/0xb0
[42279.091904] RSP: 0018:ffff8800bdf41be8 EFLAGS: 00010246
[42279.091904] RAX: ffff8800bdf41f00 RBX: ffff880102381400 RCX: 0000000000006c6b
[42279.091904] RDX: 0000000000000000 RSI: ffffffff82a42863 RDI: ffff880102381400
[42279.091904] RBP: ffff8800bdf41c18 R08: 0000000000000002 R09: 0000000000000000
[42279.091904] R10: 0000000000000000 R11: 0000000000000000 R12: 6b6b6b6b6b6b6b5b
[42279.091904] R13: ffff8800d4630a90 R14: 00000000ffffffff R15: ffff8800d4630c70
[42279.091904] FS: 00007f9d0c425700(0000) GS:ffff880116a00000(0000) knlGS:0000000000000000
[42279.091904] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[42279.091904] CR2: 0000000000000000 CR3: 0000000110ea3000 CR4: 00000000000007e0
[42279.091904] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[42279.091904] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[42279.091904] Stack:
[42279.091904] ffff8800d4630bc0 ffff8800d4630a90 0000000000000010 ffff8800c51d0b90
[42279.091904] ffff880114fbe9a0 ffff880115f78ca0 ffff8800bdf41c28 ffffffff81275b8e
[42279.091904] ffff8800bdf41c40 ffffffff81274c3d ffff8800c96ca940 ffff8800bdf41c50
[42279.091904] Call Trace:
[42279.091904] [<ffffffff81275b8e>] fsnotify_clear_marks_by_group+0xe/0x10
[42279.091904] [<ffffffff81274c3d>] fsnotify_destroy_group+0xd/0x30
[42279.091904] [<ffffffff81277060>] inotify_release+0x10/0x20
[42279.091904] [<ffffffff8123237a>] __fput+0x12a/0x230
[42279.091904] [<ffffffff81232489>] ____fput+0x9/0x10
[42279.091904] [<ffffffff8113a79e>] task_work_run+0xae/0xf0
[42279.091904] [<ffffffff811172bc>] do_exit+0x44c/0xb40
[42279.091904] [<ffffffff81129f39>] ? get_signal_to_deliver+0xf9/0x920
[42279.091904] [<ffffffff81117a74>] do_group_exit+0x84/0xd0
[42279.091904] [<ffffffff8112a661>] get_signal_to_deliver+0x821/0x920
[42279.091904] [<ffffffff810673e2>] do_signal+0x52/0x590
[42279.091904] [<ffffffff81231849>] ? do_readv_writev+0x249/0x270
[42279.091904] [<ffffffff81142191>] ? __hrtimer_start_range_ns+0x451/0x500
[42279.091904] [<ffffffff8117302d>] ? trace_hardirqs_on+0xd/0x10
[42279.091904] [<ffffffff822a1787>] ? _raw_spin_unlock_irq+0x27/0x50
[42279.091904] [<ffffffff8111870c>] ? do_setitimer+0x27c/0x330
[42279.091904] [<ffffffff81067947>] do_notify_resume+0x27/0x70
[42279.091904] [<ffffffff822a3162>] int_signal+0x12/0x17
[42279.091904] Code: 0f 1f 84 00 00 00 00 00 49 89 d4 44 85 b3 94 00 00 00 74 17 f0 ff 43 04 48 89 df 4c 89 ee e8 75 fa ff ff 48 89 df e8 ad f8 ff ff <49> 8b 54 24 10 49 8d 44 24 10 4c 89 e3 48 83 ea 10 49 39 c7 75
[42279.091904] RIP [<ffffffff81275b63>] fsnotify_clear_marks_by_group_flags+0x93/0xb0
[42279.091904] RSP <ffff8800bdf41be8>
[42279.417403] ---[ end trace 1dec2388e3dff256 ]---
[42279.423057] Fixing recursive fault but reboot is needed!
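A triage helper, added here and not part of Tommi's report or of the kernel tree, that scans the register dump above for slab-poison patterns. With slab debugging enabled, freed objects are filled with POISON_FREE (0x6b) and allocated-but-unwritten ones with POISON_INUSE (0x5a), both defined in include/linux/poison.h. A register sitting a small offset away from such a pattern, like R12 = 6b6b6b6b6b6b6b5b in this oops, is the usual signature of a list pointer read from a freed object and then adjusted by container_of(), i.e. a use-after-free. The register lines are copied from the oops; the tolerance window, the function names and the output wording are this script's own assumptions.

```python
import re

# Slab poison bytes from include/linux/poison.h (kernel built with slab debugging).
POISON_BYTES = {
    0x6b: "POISON_FREE (object has been freed: use-after-free)",
    0x5a: "POISON_INUSE (object allocated but never written)",
}

# How far a register may sit from an exact poison pattern and still be reported.
# Small offsets come from container_of()/list_entry() arithmetic on a poisoned
# pointer. Assumed value for this script, not a kernel constant.
MAX_DELTA = 255

# Matches "RAX: ffff8800bdf41f00", "R12: 6b6b6b6b6b6b6b5b", ... but not
# "RSP: 0018:ffff..." or "RIP: 0010:[<...>]", whose value is not a bare 16-digit word.
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}):\s*([0-9a-fA-F]{16})\b")


def poison_distance(value, width=8):
    """Return (poison_byte, value - pattern) if value lies within MAX_DELTA of a
    poison pattern of `width` bytes, otherwise None."""
    for byte in POISON_BYTES:
        pattern = int.from_bytes(bytes([byte]) * width, "big")
        delta = value - pattern
        if -MAX_DELTA <= delta <= MAX_DELTA:
            return byte, delta
    return None


def scan_oops(text):
    """Scan an oops register dump; return (register, hex, poison_byte, delta) tuples."""
    findings = []
    for reg, hexval in REG_RE.findall(text):
        hit = poison_distance(int(hexval, 16))
        if hit is not None:
            findings.append((reg, hexval, hit[0], hit[1]))
    return findings


def describe(findings):
    """Render findings as one human-readable line per register."""
    lines = []
    for reg, hexval, byte, delta in findings:
        note = POISON_BYTES[byte]
        if delta:
            note += f", offset {delta:+#x} from the pattern (container_of-style adjustment)"
        lines.append(f"{reg}={hexval}: {note}")
    return lines


# Register lines copied from the oops in the report above.
SAMPLE_OOPS = """\
[42279.091904] RSP: 0018:ffff8800bdf41be8 EFLAGS: 00010246
[42279.091904] RAX: ffff8800bdf41f00 RBX: ffff880102381400 RCX: 0000000000006c6b
[42279.091904] RDX: 0000000000000000 RSI: ffffffff82a42863 RDI: ffff880102381400
[42279.091904] RBP: ffff8800bdf41c18 R08: 0000000000000002 R09: 0000000000000000
[42279.091904] R10: 0000000000000000 R11: 0000000000000000 R12: 6b6b6b6b6b6b6b5b
[42279.091904] R13: ffff8800d4630a90 R14: 00000000ffffffff R15: ffff8800d4630c70
"""

if __name__ == "__main__":
    for line in describe(scan_oops(SAMPLE_OOPS)):
        print(line)
```

On this dump the script flags only R12, at offset -0x10 from the POISON_FREE pattern. That matches the faulting instruction in the Code: line, `<49> 8b 54 24 10`, which is `mov 0x10(%r12),%rdx`: the kernel has pulled a list pointer out of already-freed memory, stepped back 0x10 bytes to the enclosing mark, and then dereferenced it. The poison bytes are only present on kernels built with slab debugging, so on a production kernel the same bug would show up as an arbitrary pointer rather than this recognisable pattern.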


2013-06-07 17:37:43

by Lino Sanfilippo

Subject: Re: GPF at fsnotify_clear_marks_by_group_flags()

On 03.06.2013 10:03, Tommi Rantala wrote:
> Hello,
>
> Hit this while fuzzing v3.10-rc4-0-gd683b96 with trinity.
>
> Looks similar to what I reported back in March:
> https://lkml.org/lkml/2013/3/13/222
>
> Tommi
>
> [42279.088045] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC
> [42279.091904] CPU: 1 PID: 10937 Comm: trinity-child7 Tainted: G I 3.10.0-rc4 #1
> [42279.091904] Hardware name: Hewlett-Packard HP Compaq dc7800 Small Form Factor/0AA8h, BIOS 786F1 v01.24 03/18/2008
> [42279.091904] task: ffff8801125e23e0 ti: ffff8800bdf40000 task.ti: ffff8800bdf40000
> [42279.091904] RIP: 0010:[<ffffffff81275b63>] [<ffffffff81275b63>] fsnotify_clear_marks_by_group_flags+0x93/0xb0
> [42279.091904] RSP: 0018:ffff8800bdf41be8 EFLAGS: 00010246
> [42279.091904] RAX: ffff8800bdf41f00 RBX: ffff880102381400 RCX: 0000000000006c6b
> [42279.091904] RDX: 0000000000000000 RSI: ffffffff82a42863 RDI: ffff880102381400
> [42279.091904] RBP: ffff8800bdf41c18 R08: 0000000000000002 R09: 0000000000000000
> [42279.091904] R10: 0000000000000000 R11: 0000000000000000 R12: 6b6b6b6b6b6b6b5b
> [42279.091904] R13: ffff8800d4630a90 R14: 00000000ffffffff R15: ffff8800d4630c70
> [42279.091904] FS: 00007f9d0c425700(0000) GS:ffff880116a00000(0000) knlGS:0000000000000000
> [42279.091904] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> [42279.091904] CR2: 0000000000000000 CR3: 0000000110ea3000 CR4: 00000000000007e0
> [42279.091904] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [42279.091904] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> [42279.091904] Stack:
> [42279.091904] ffff8800d4630bc0 ffff8800d4630a90 0000000000000010 ffff8800c51d0b90
> [42279.091904] ffff880114fbe9a0 ffff880115f78ca0 ffff8800bdf41c28 ffffffff81275b8e
> [42279.091904] ffff8800bdf41c40 ffffffff81274c3d ffff8800c96ca940 ffff8800bdf41c50
> [42279.091904] Call Trace:
> [42279.091904] [<ffffffff81275b8e>] fsnotify_clear_marks_by_group+0xe/0x10
> [42279.091904] [<ffffffff81274c3d>] fsnotify_destroy_group+0xd/0x30
> [42279.091904] [<ffffffff81277060>] inotify_release+0x10/0x20
> [42279.091904] [<ffffffff8123237a>] __fput+0x12a/0x230
> [42279.091904] [<ffffffff81232489>] ____fput+0x9/0x10
> [42279.091904] [<ffffffff8113a79e>] task_work_run+0xae/0xf0
> [42279.091904] [<ffffffff811172bc>] do_exit+0x44c/0xb40
> [42279.091904] [<ffffffff81129f39>] ? get_signal_to_deliver+0xf9/0x920
> [42279.091904] [<ffffffff81117a74>] do_group_exit+0x84/0xd0
> [42279.091904] [<ffffffff8112a661>] get_signal_to_deliver+0x821/0x920
> [42279.091904] [<ffffffff810673e2>] do_signal+0x52/0x590
> [42279.091904] [<ffffffff81231849>] ? do_readv_writev+0x249/0x270
> [42279.091904] [<ffffffff81142191>] ? __hrtimer_start_range_ns+0x451/0x500
> [42279.091904] [<ffffffff8117302d>] ? trace_hardirqs_on+0xd/0x10
> [42279.091904] [<ffffffff822a1787>] ? _raw_spin_unlock_irq+0x27/0x50
> [42279.091904] [<ffffffff8111870c>] ? do_setitimer+0x27c/0x330
> [42279.091904] [<ffffffff81067947>] do_notify_resume+0x27/0x70
> [42279.091904] [<ffffffff822a3162>] int_signal+0x12/0x17
> [42279.091904] Code: 0f 1f 84 00 00 00 00 00 49 89 d4 44 85 b3 94 00 00 00 74 17 f0 ff 43 04 48 89 df 4c 89 ee e8 75 fa ff ff 48 89 df e8 ad f8 ff ff <49> 8b 54 24 10 49 8d 44 24 10 4c 89 e3 48 83 ea 10 49 39 c7 75
> [42279.091904] RIP [<ffffffff81275b63>] fsnotify_clear_marks_by_group_flags+0x93/0xb0
> [42279.091904] RSP <ffff8800bdf41be8>
> [42279.417403] ---[ end trace 1dec2388e3dff256 ]---
> [42279.423057] Fixing recursive fault but reboot is needed!
>

Hi Tommi,

thank you for reporting. Do you know a way to reproduce this?

Regards,
Lino

2013-06-07 19:20:29

by Tommi Rantala

Subject: Re: GPF at fsnotify_clear_marks_by_group_flags()

2013/6/7 Lino Sanfilippo <[email protected]>:
> On 03.06.2013 10:03, Tommi Rantala wrote:
>>
>> Hello,
>>
>> Hit this while fuzzing v3.10-rc4-0-gd683b96 with trinity.
>>
>> Looks similar to what I reported back in March:
>> https://lkml.org/lkml/2013/3/13/222
>>
>
> Hi Tommi,
>
> thank you for reporting. Do you know a way to reproduce this?

OK, looks like I can reproduce this with a small hackish
modification to trinity.

I just pushed a single commit to github in a "fanotify-fds" branch,
try something like:

git clone -b fanotify-fds git://github.com/rantala/trinity.git
cd trinity && ./configure.sh && make -j4

Then, fuzz the fanotify_mark() syscall as the root user in some
suitable environment:

# ./trinity -C20 -q -l off -c fanotify_mark --dangerous

I just tried that three times in a virtual machine, and at every
attempt I'm getting either the GPF or a "soft lockup" almost
instantly:

# ./trinity -q -l off -C20 -c fanotify_mark --dangerous
Trinity v1.2pre Dave Jones <[email protected]>
[3423] Marking syscall fanotify_mark (64bit:301 32bit:339) as to be enabled.
Done parsing arguments.
[3423] 32-bit syscalls: 1 enabled, 350 disabled. 64-bit syscalls: 1 enabled, 313 disabled.
DANGER: RUNNING AS ROOT.
Unless you are running in a virtual machine, this could cause serious
problems such as overwriting CMOS
or similar which could potentially make this machine unbootable
without a firmware reset.

ctrl-c now unless you really know what you are doing.
Using pid_max = 32768ds..
[3424] Watchdog is alive
[3423] Started watchdog process, PID is 3424
[3425] Main thread is alive.
Cachefile is stale. Need to regenerate.
created 375 sockets
Generating file descriptors
Added 132 filenames from /dev
Added 26622 filenames from /proc
Added 18318 filenames from /sys
[3425] Random reseed: 2990238257
[ 100.135012] BUG: soft lockup - CPU#0 stuck for 23s! [trinity-child11:3437]
[ 100.135012] irq event stamp: 186108
[ 100.135012] hardirqs last enabled at (186107): [<ffffffff822a2c33>] restore_args+0x0/0x30
[ 100.135012] hardirqs last disabled at (186108): [<ffffffff822a41ed>] apic_timer_interrupt+0x6d/0x80
[ 100.135012] softirqs last enabled at (186106): [<ffffffff8111a0c3>] __do_softirq+0x353/0x420
[ 100.135012] softirqs last disabled at (186101): [<ffffffff8111a2d9>] irq_exit+0x59/0xb0
[ 100.135012] CPU: 0 PID: 3437 Comm: trinity-child11 Not tainted 3.10.0-rc4+ #1
[ 100.135012] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 100.135012] task: ffff8800ae418000 ti: ffff8800ae43a000 task.ti: ffff8800ae43a000
[ 100.135012] RIP: 0010:[<ffffffff81177b0e>] [<ffffffff81177b0e>] lock_release+0x28e/0x340
[ 100.135012] RSP: 0000:ffff8800ae43be38 EFLAGS: 00000246
[ 100.135012] RAX: ffff8800ae418000 RBX: 00000000001d56c0 RCX: 00000000000061a0
[ 100.135012] RDX: ffff8800bf6392e0 RSI: ffffffff8115251a RDI: 0000000000000246
[ 100.135012] RBP: ffff8800ae43be60 R08: 0000000000000038 R09: 0000000000000000
[ 100.135012] R10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8115219d
[ 100.135012] R13: ffff8800ae43bdc0 R14: ffffffff8106f4e9 R15: ffff8800ae43bd98
[ 100.135012] FS: 00007fb5c16b0700(0000) GS:ffff8800bf600000(0000) knlGS:0000000000000000
[ 100.135012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 100.135012] CR2: 0000000000f16418 CR3: 00000000ae413000 CR4: 00000000000006f0
[ 100.135012] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 100.135012] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 100.135012] Stack:
[ 100.135012] ffff8800aed90608 ffff8800b7d40fd8 ffff8800aed90608 0000000000000001
[ 100.135012] ffff8800b7d411b8 ffff8800ae43be78 ffffffff822a1e0a ffff8800aed905e8
[ 100.135012] ffff8800ae43beb0 ffffffff81275671 ffff8800aed905e8 ffff8800aed905e8
[ 100.135012] Call Trace:
[ 100.135012] [<ffffffff822a1e0a>] _raw_spin_unlock+0x1a/0x40
[ 100.135012] [<ffffffff81275671>] fsnotify_destroy_mark_locked+0x51/0x190
[ 100.135012] [<ffffffff81275bab>] fsnotify_clear_marks_by_group_flags+0x8b/0xb0
[ 100.135012] [<ffffffff8127503e>] fsnotify_clear_inode_marks_by_group+0xe/0x10
[ 100.135012] [<ffffffff812793a5>] SyS_fanotify_mark+0x515/0x590
[ 100.135012] [<ffffffff822a3569>] system_call_fastpath+0x16/0x1b
[ 100.135012] Code: 12 0f 1f 40 00 4c 89 ea 4c 89 e6 48 89 df e8 9a e6 ff ff 65 48 8b 04 25 40 c9 00 00 4c 89 f7 c7 80 d4 06 00 00 00 00 00 00 57 9d <0f> 1f 44 00 00 e9 88 00 00 00 65 48 8b 04 25 30 c9 00 00 83 80

Tommi