Subject: Re: [syzbot] BUG: unable to handle kernel access to user memory in schedule_tail
To: Dmitry Vyukov
Cc: Alex Ghiti, syzbot, Paul Walmsley, Palmer Dabbelt, Albert Ou, linux-riscv, Daniel Bristot de Oliveira, Benjamin Segall, dietmar.eggemann@arm.com, Juri Lelli, LKML, Mel Gorman, Ingo Molnar, Peter Zijlstra, Steven Rostedt, syzkaller-bugs, Vincent Guittot
References: <000000000000b74f1b05bd316729@google.com> <84b0471d-42c1-175f-ae1d-a18c310c7f77@codethink.co.uk> <795597a1-ec87-e09e-d073-3daf10422abb@ghiti.fr>
From: Ben Dooks
Organization: Codethink Limited.
Date: Mon, 15 Mar 2021 16:55:27 +0000
X-Mailing-List: linux-kernel@vger.kernel.org

On 13/03/2021 07:20, Dmitry Vyukov wrote:
> On Fri, Mar 12, 2021 at 9:12 PM Ben Dooks wrote:
>>> Still no luck for the moment, can't reproduce it locally, my test is
>>> maybe not that good (I created threads all day long in order to trigger
>>> the put_user of schedule_tail).
>>
>> It may of course depend on memory and other stuff. I did try to see if
>> it was possible to clone() with the child_tid address being a valid but
>> not mapped page...
>>
>>> Given that the path you mention works most of the time, and that the
>>> status register in the stack trace shows the SUM bit is not set whereas
>>> it is set in put_user, I'm leaning toward some race condition (maybe an
>>> interrupt that arrives at the "wrong" time) or a qemu issue as you
>>> mentioned.
>>
>> I suppose this is possible. From what I read it should get to the
>> point of being there with the SUM flag cleared, so either something
>> went wrong in trying to fix the instruction up or there's some other
>> error we're missing.
>>
>>> To eliminate qemu issues, do you have access to some HW? Or to
>>> different qemu versions?
>>
>> I do have access to a Microchip Polarfire board. I just need the
>> instructions on how to set up the test code to make it work on the
>> hardware.
>
> For full syzkaller support, it would need to know how to reboot these
> boards and get access to the console.
> syzkaller has a stop-gap VM backend which just uses ssh to a physical
> machine and expects the kernel to reboot on its own after any crashes.
>
> But I actually managed to reproduce it in an even simpler setup.
> Assuming you have Go 1.15 and riscv64 cross-compiler gcc installed
>
> $ go get -u -d github.com/google/syzkaller/...
> $ cd $GOPATH/src/github.com/google/syzkaller
> $ make stress executor TARGETARCH=riscv64
> $ scp bin/linux_riscv64/syz-execprog bin/linux_riscv64/syz-executor
> your_machine:/
>
> Then run ./syz-stress on the machine.
> On the first run it crashed it with some other bug, on the second run
> I got the crash in schedule_tail.
> With qemu tcg I also added -slowdown=10 flag to syz-stress to scale
> all timeouts, if native execution is faster, then you don't need it.

I have built the tools and got it to start. It would be helpful for the
dashboard to give the qemu version and how it was launched (memory,
cpus etc)

-- 
Ben Dooks                http://www.codethink.co.uk/
Senior Engineer          Codethink - Providing Genius

https://www.codethink.co.uk/privacy.html
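Ben mentions trying to clone() with the child_tid address being a valid but not mapped page. As an added example (not code from this thread, from syzkaller, or from the kernel), here is a small Linux-only C harness that exercises exactly the put_user() in schedule_tail() that the report names: first with an ordinary writable page, then with a reserved PROT_NONE page, checking that the kernel tolerates the faulting write without affecting the clone. The 64 KiB child stack and the use of CLONE_VM|CLONE_VFORK to make the write observable from the parent are my choices; the CLONE_* fallback values are the Linux UAPI constants.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <sched.h>
#include <signal.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks so the block still compiles if a system header was included
 * before _GNU_SOURCE took effect; the values are the Linux UAPI ones. */
#ifndef CLONE_VM
#define CLONE_VM 0x00000100
#endif
#ifndef CLONE_VFORK
#define CLONE_VFORK 0x00004000
#endif
#ifndef CLONE_CHILD_SETTID
#define CLONE_CHILD_SETTID 0x01000000
#endif
extern int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);

/* Child body: exit at once.  With CLONE_VM the child shares our address
 * space, so it must never return into the parent's frames. */
static int child_fn(void *arg)
{
    (void)arg;
    _exit(0);
}

/* Spawn a child with CLONE_CHILD_SETTID pointing at 'tidp'.  The kernel
 * stores the child's tid there with put_user() from schedule_tail() when
 * the child first runs.  CLONE_VM|CLONE_VFORK shares memory and blocks
 * the parent until the child exits, so the outcome of that put_user() is
 * observable here.  Returns the child's pid, or -1 on any failure. */
static pid_t spawn_with_child_tid(pid_t *tidp)
{
    const size_t stack_sz = 64 * 1024;  /* assumed: plenty for _exit() */
    char *stack = malloc(stack_sz);
    if (!stack)
        return -1;
    /* glibc's clone() takes the top of the (downward-growing) stack. */
    pid_t pid = clone(child_fn, stack + stack_sz,
                      CLONE_VM | CLONE_VFORK | CLONE_CHILD_SETTID | SIGCHLD,
                      NULL, (pid_t *)NULL, (void *)NULL, tidp);
    int status = 0;
    if (pid > 0 && waitpid(pid, &status, 0) != pid)
        pid = -1;
    free(stack);
    if (pid <= 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return pid;
}

/* Case 1: child_tid in an ordinary writable page.  The kernel's
 * put_user() succeeds and the page holds the new child's pid. */
int check_mapped_child_tid(void)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    pid_t *slot = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (slot == MAP_FAILED)
        return 0;
    pid_t pid = spawn_with_child_tid(slot);
    int ok = pid > 0 && *slot == pid;
    munmap(slot, pagesz);
    return ok;
}

/* Case 2: child_tid in a reserved but inaccessible (PROT_NONE) page, the
 * "valid but not mapped" address from the thread.  put_user() must fail
 * cleanly inside the kernel (an ordinary -EFAULT, which schedule_tail()
 * ignores), the clone still succeeds, and nothing is written: once the
 * page is made readable it is still the untouched zero page. */
int check_unmapped_child_tid(void)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    pid_t *slot = mmap(NULL, pagesz, PROT_NONE,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (slot == MAP_FAILED)
        return 0;
    pid_t pid = spawn_with_child_tid(slot);
    if (mprotect(slot, pagesz, PROT_READ) != 0) {
        munmap(slot, pagesz);
        return 0;
    }
    int ok = pid > 0 && *slot == 0;
    munmap(slot, pagesz);
    return ok;
}

int main(void)
{
    /* Both checks report 1 on a healthy kernel; exit status 0 then. */
    return (check_mapped_child_tid() && check_unmapped_child_tid()) ? 0 : 1;
}
```

Built natively (or with the riscv64 cross-compiler) it runs on any Linux host, the Polarfire board included, and is what an ad-hoc check of this path looks like outside syzkaller: the second case is the one that drives the kernel's fault fixup for a user address, so a regression there shows up as the child or the kernel dying rather than as a failed check. It is deterministic, so it does not by itself chase the race Alex suspects; syz-stress remains the tool for that.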