From: Dmitry Vyukov <dvyukov@google.com>
To: Jiri Kosina <jikos@kernel.org>, NeilBrown <neilb@suse.com>,
	Takashi Iwai <tiwai@suse.de>, Jens Axboe <axboe@fb.com>,
	Hannes Reinecke <hare@suse.de>,
	Rasmus Villemoes <linux@rasmusvillemoes.dk>,
	LKML <linux-kernel@vger.kernel.org>
Cc: syzkaller <syzkaller@googlegroups.com>,
	Kostya Serebryany <kcc@google.com>,
	Alexander Potapenko <glider@google.com>,
	Sasha Levin <sasha.levin@oracle.com>
Subject: floppy: GPF in floppy_rb0_cb
Date: Sun, 24 Jan 2016 14:12:44 +0100
Message-ID: <CACT4Y+YFG2T=uCd4VPa8KFagf2+UgVTV4--Fk9ozuUcdps_4rA@mail.gmail.com>

Hello,

The following program causes multiple bugs and eventually machine death:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/wait.h>

#define N 100  /* number of concurrent children per round */

int main(void)
{
  int i, status, pids[N];

  for (;;) {
    /* Fork N children that each open /dev/fd0 and exit at once, so many
       floppy_open()/release paths run concurrently against the same drive. */
    for (i = 0; i < N; i++) {
      if ((pids[i] = fork()) == 0) {
        open("/dev/fd0", O_RDWR);
        exit(0);
      }
    }
    /* Reap every child of this round before starting the next one
       (__WALL: wait for children regardless of clone flags). */
    for (i = 0; i < N; i++) {
      while (waitpid(pids[i], &status, __WALL) != pids[i]) {
      }
    }
  }
  return 0;
}


------------[ cut here ]------------
WARNING: CPU: 0 PID: 6 at drivers/block/floppy.c:975 schedule_bh+0x55/0x60()
Modules linked in:
CPU: 0 PID: 6 Comm: kworker/u8:0 Not tainted 4.4.0+ #276
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: floppy fd_timer_workfn
 00000000ffffffff ffff88003df97ac0 ffffffff82999e2d 0000000000000000
 ffff88003df32f80 ffffffff8687a0e0 ffff88003df97b00 ffffffff81352089
 ffffffff8335dbb5 ffffffff8687a0e0 00000000000003cf ffffffff895cae20
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff82999e2d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
 [<ffffffff81352089>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
 [<ffffffff813522b9>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
 [<ffffffff8335dbb5>] schedule_bh+0x55/0x60 drivers/block/floppy.c:975
 [<ffffffff8336e1cf>] redo_fd_request+0x173f/0x39f0 drivers/block/floppy.c:2878
 [<     inline     >] seek_floppy drivers/block/floppy.c:1572
 [<ffffffff8336ad6c>] floppy_ready+0x106c/0x13f0 drivers/block/floppy.c:1911
 [<ffffffff8335c9ff>] fd_timer_workfn+0xf/0x20 drivers/block/floppy.c:985
 [<ffffffff813a0836>] process_one_work+0x796/0x1440 kernel/workqueue.c:2037
 [<ffffffff813a15bb>] worker_thread+0xdb/0xfc0 kernel/workqueue.c:2171
 [<ffffffff813b4d4f>] kthread+0x23f/0x2d0 drivers/block/aoe/aoecmd.c:1303
 [<ffffffff86336fef>] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
---[ end trace 40047c23eabef132 ]---
------------[ cut here ]------------
WARNING: CPU: 1 PID: 10091 at kernel/locking/lockdep.c:3183 __lock_acquire+0xbc8/0x4700()
DEBUG_LOCKS_WARN_ON(id >= MAX_LOCKDEP_KEYS)
Modules linked in:
 [<     inline     >] process_fd_request drivers/block/floppy.c:2893
 [<ffffffff8335df06>] __floppy_read_block_0+0x196/0x260 drivers/block/floppy.c:3822
 [<ffffffff83364b93>] floppy_revalidate+0x573/0x770 drivers/block/floppy.c:3867
 [<ffffffff8186ff91>] check_disk_change+0xf1/0x130 fs/block_dev.c:1135
 [<ffffffff8335e958>] floppy_open+0x518/0x920 drivers/block/floppy.c:3713
 [<ffffffff81871c88>] __blkdev_get+0x338/0x10e0 fs/block_dev.c:1213
 [<ffffffff818732b0>] blkdev_get+0x310/0x960 fs/block_dev.c:1352
 [<ffffffff81873b05>] blkdev_open+0x1a5/0x250 fs/block_dev.c:1507
 [<ffffffff817a9c02>] do_dentry_open+0x6a2/0xcb0 fs/open.c:736
 [<ffffffff817ad2db>] vfs_open+0x17b/0x1f0 fs/open.c:853
 [<     inline     >] do_last fs/namei.c:3254
 [<ffffffff817e00d9>] path_openat+0xde9/0x5e30 fs/namei.c:3386
 [<ffffffff817e895e>] do_filp_open+0x18e/0x250 fs/namei.c:3421
 [<ffffffff817ada5c>] do_sys_open+0x1fc/0x420 fs/open.c:1022
 [<     inline     >] SYSC_open fs/open.c:1040
 [<ffffffff817adcad>] SyS_open+0x2d/0x40 fs/open.c:1035
 [<ffffffff86336c36>] entry_SYSCALL_64_fastpath+0x16/0x7a arch/x86/entry/entry_64.S:185
---[ end trace 40047c23eabef13c ]---
CPU: 1 PID: 10091 Comm: kworker/u8:2 Tainted: G        W       4.4.0+ #276
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: floppy fd_timer_workfn
 00000000ffffffff ffff8800607f7650 ffffffff82999e2d ffff8800607f76c0
 ffff88005b2f4740 ffffffff8642bc40 ffff8800607f7690 ffffffff81352089
 ffffffff81454e08 ffffed000c0feed4 ffffffff8642bc40 0000000000000c6f
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff82999e2d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
 [<ffffffff81352089>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
 [<ffffffff81352199>] warn_slowpath_fmt+0xa9/0xd0 kernel/panic.c:494
 [<ffffffff81454e08>] __lock_acquire+0xbc8/0x4700 kernel/locking/lockdep.c:3183
 [<ffffffff8145ad8c>] lock_acquire+0x1dc/0x430 kernel/locking/lockdep.c:3585
 [<     inline     >] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:112
 [<ffffffff863365cf>] _raw_spin_lock_irqsave+0x9f/0xd0 kernel/locking/spinlock.c:159
 [<ffffffff8143a678>] complete+0x18/0x70 kernel/sched/completion.c:33
 [<ffffffff8335dd04>] floppy_rb0_cb+0x74/0xe0 drivers/block/floppy.c:3785
 [<ffffffff828f41f7>] bio_endio+0x117/0x200 block/bio.c:1761
 [<     inline     >] req_bio_endio block/blk-core.c:155
 [<ffffffff82910533>] blk_update_request+0x1c3/0xbc0 block/blk-core.c:2632
 [<ffffffff82910f5a>] blk_update_bidi_request+0x2a/0x160 block/blk-core.c:2686
 [<ffffffff82913ee0>] __blk_end_bidi_request+0x30/0x60 block/blk-core.c:2802
 [<ffffffff82913f37>] __blk_end_request+0x27/0x30 block/blk-core.c:2903
 [<ffffffff83360076>] floppy_end_request+0x96/0x2a0 drivers/block/floppy.c:2213
 [<ffffffff833606d2>] request_done+0x452/0x6d0 drivers/block/floppy.c:2266
 [<     inline     >] seek_floppy drivers/block/floppy.c:1571
 [<ffffffff8336ad40>] floppy_ready+0x1040/0x13f0 drivers/block/floppy.c:1911
 [<ffffffff8335c9ff>] fd_timer_workfn+0xf/0x20 drivers/block/floppy.c:985
 [<ffffffff813a0836>] process_one_work+0x796/0x1440 kernel/workqueue.c:2037
 [<ffffffff813a15bb>] worker_thread+0xdb/0xfc0 kernel/workqueue.c:2171
 [<ffffffff813b4d4f>] kthread+0x23f/0x2d0 drivers/block/aoe/aoecmd.c:1303
 [<ffffffff86336fef>] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
---[ end trace 40047c23eabef13d ]---
BUG: unable to handle kernel NULL pointer dereference at 000000000000036b
IP: [<000000000000036b>] 0x36b
PGD 651b5067 PUD 63062067 PMD 0
Oops: 0010 [#1] SMP DEBUG_PAGEALLOC KASAN
Modules linked in:
CPU: 1 PID: 10091 Comm: kworker/u8:2 Tainted: G        W       4.4.0+ #276
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: floppy fd_timer_workfn
task: ffff88005b2f4740 ti: ffff8800607f0000 task.ti: ffff8800607f0000
RIP: 0010:[<000000000000036b>]  [<000000000000036b>] 0x36b
RSP: 0018:ffff8800607f7920  EFLAGS: 00010093
RAX: ffff88005eb775c8 RBX: 000000005eafc740 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffff88005eb775c8
RBP: ffff8800607f7968 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000036b R11: ffffed000fffec09 R12: ffff88005eb775b8
R13: dffffc0000000000 R14: ffff88005eb77608 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88003ed00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 000000000000036b CR3: 0000000065243000 CR4: 00000000000006e0
Stack:
 ffffffff81438d28 ffff88005eb775c8 0000000100000086 0000000300000000
 ffff88005eb77578 ffff88005eb77580 0000000000000086 dffffc0000000000
 0000000000001000 ffff8800607f7978 ffffffff81438e1e ffff8800607f79a0
Call Trace:
 [<ffffffff81438e1e>] __wake_up_locked+0xe/0x10 kernel/sched/wait.c:105
 [<ffffffff8143a6ae>] complete+0x4e/0x70 kernel/sched/completion.c:35
 [<ffffffff8335dd04>] floppy_rb0_cb+0x74/0xe0 drivers/block/floppy.c:3785
 [<ffffffff828f41f7>] bio_endio+0x117/0x200 block/bio.c:1761
 [<     inline     >] req_bio_endio block/blk-core.c:155
 [<ffffffff82910533>] blk_update_request+0x1c3/0xbc0 block/blk-core.c:2632
 [<ffffffff82910f5a>] blk_update_bidi_request+0x2a/0x160 block/blk-core.c:2686
 [<ffffffff82913ee0>] __blk_end_bidi_request+0x30/0x60 block/blk-core.c:2802
 [<ffffffff82913f37>] __blk_end_request+0x27/0x30 block/blk-core.c:2903
 [<ffffffff83360076>] floppy_end_request+0x96/0x2a0 drivers/block/floppy.c:2213
 [<ffffffff833606d2>] request_done+0x452/0x6d0 drivers/block/floppy.c:2266
 [<     inline     >] seek_floppy drivers/block/floppy.c:1571
 [<ffffffff8336ad40>] floppy_ready+0x1040/0x13f0 drivers/block/floppy.c:1911
 [<ffffffff8335c9ff>] fd_timer_workfn+0xf/0x20 drivers/block/floppy.c:985
 [<ffffffff813a0836>] process_one_work+0x796/0x1440 kernel/workqueue.c:2037
 [<ffffffff813a15bb>] worker_thread+0xdb/0xfc0 kernel/workqueue.c:2171
 [<ffffffff813b4d4f>] kthread+0x23f/0x2d0 drivers/block/aoe/aoecmd.c:1303
 [<ffffffff86336fef>] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
Code:  Bad RIP value.
RIP  [<000000000000036b>] 0x36b
 RSP <ffff8800607f7920>
CR2: 000000000000036b
---[ end trace 40047c23eabef13e ]---
Oops: 0000 [#2] SMP DEBUG_PAGEALLOC KASAN
Modules linked in:
CPU: 0 PID: 10091 Comm: kworker/u8:2 Tainted: G      D W       4.4.0+ #276
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88005b2f4740 ti: ffff8800607f0000 task.ti: ffff8800607f0000
RIP: 0010:[<ffffffff813b632d>]  [<ffffffff813b632d>] kthread_data+0x4d/0x70
RSP: 0018:ffff8800607f73d8  EFLAGS: 00010046
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff88005b2f47e8
RDX: 1ffffffffffffff5 RSI: 0000000000000000 RDI: ffffffffffffffa8
RBP: ffff8800607f73e0 R08: ffff88003ec20b78 R09: 000000000252cb9d
R10: ffff88005b2f47c0 R11: ffff88003ec20270 R12: 0000000000000000
R13: 0000000000020140 R14: ffff88005b2f4784 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000028 CR3: 00000000075bb000 CR4: 00000000000006f0
Stack:
 ffff88005b2f4740 ffff8800607f7400 ffffffff813a858a ffff88003ec20140
 0000000000000040 ffff8800607f7488 ffffffff863275d6 0000000000000000
 ffff8800607f7490 0000000000000286 ffff88003ec20af0 ffff88003ec20ac8
Call Trace:
 [<ffffffff813a858a>] wq_worker_sleeping+0x1a/0x220 kernel/workqueue.c:850
 [<ffffffff863275d6>] __schedule+0x1206/0x1c50 kernel/sched/core.c:3260
 [<ffffffff863280b7>] schedule+0x97/0x1c0 kernel/sched/core.c:3311
 [<ffffffff8135c521>] do_exit+0x1b61/0x2c60 kernel/exit.c:830
 [<ffffffff811abe7f>] oops_end+0x9f/0xd0 arch/x86/kernel/dumpstack.c:250
 [<ffffffff8127de6c>] no_context+0x2cc/0x870 arch/x86/mm/fault.c:728
 [<ffffffff8127e68b>] __bad_area_nosemaphore+0x27b/0x460 arch/x86/mm/fault.c:808
 [<ffffffff8127e89a>] bad_area_nosemaphore+0x2a/0x40 arch/x86/mm/fault.c:815
 [<ffffffff8127ee0f>] __do_page_fault+0x18f/0x960 arch/x86/mm/fault.c:1180
 [<ffffffff8127f738>] trace_do_page_fault+0xe8/0x420 arch/x86/mm/fault.c:1331
 [<ffffffff812705c4>] do_async_page_fault+0x14/0xd0 arch/x86/kernel/kvm.c:264
 [<ffffffff86338f78>] async_page_fault+0x28/0x30 arch/x86/entry/entry_64.S:986
 [<ffffffff81438e1e>] __wake_up_locked+0xe/0x10 kernel/sched/wait.c:105
 [<ffffffff8143a6ae>] complete+0x4e/0x70 kernel/sched/completion.c:35
 [<ffffffff8335dd04>] floppy_rb0_cb+0x74/0xe0 drivers/block/floppy.c:3785
 [<ffffffff828f41f7>] bio_endio+0x117/0x200 block/bio.c:1761
 [<     inline     >] req_bio_endio block/blk-core.c:155
 [<ffffffff82910533>] blk_update_request+0x1c3/0xbc0 block/blk-core.c:2632
 [<ffffffff82910f5a>] blk_update_bidi_request+0x2a/0x160 block/blk-core.c:2686
 [<ffffffff82913ee0>] __blk_end_bidi_request+0x30/0x60 block/blk-core.c:2802
 [<ffffffff82913f37>] __blk_end_request+0x27/0x30 block/blk-core.c:2903
 [<ffffffff83360076>] floppy_end_request+0x96/0x2a0 drivers/block/floppy.c:2213
 [<ffffffff833606d2>] request_done+0x452/0x6d0 drivers/block/floppy.c:2266
 [<     inline     >] seek_floppy drivers/block/floppy.c:1571
 [<ffffffff8336ad40>] floppy_ready+0x1040/0x13f0 drivers/block/floppy.c:1911
 [<ffffffff8335c9ff>] fd_timer_workfn+0xf/0x20 drivers/block/floppy.c:985
 [<ffffffff813a0836>] process_one_work+0x796/0x1440 kernel/workqueue.c:2037
 [<ffffffff813a15bb>] worker_thread+0xdb/0xfc0 kernel/workqueue.c:2171
 [<ffffffff813b4d4f>] kthread+0x23f/0x2d0 drivers/block/aoe/aoecmd.c:1303
 [<ffffffff86336fef>] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
Code: c1 ea 03 80 3c 02 00 75 29 48 8b 9b 60 05 00 00 48 b8 00 00 00
00 00 fc ff df 48 8d 7b a8 48 89 fa 48 c1 ea 03 80 3c 02 00 75 0e <48>
8b 43 a8 5b 5d c3 e8 77 a6 3a 00 eb d0 e8 70 a6 3a 00 eb eb
RIP  [<ffffffff813b632d>] kthread_data+0x4d/0x70 kernel/kthread.c:137
 RSP <ffff8800607f73d8>
CR2: ffffffffffffffa8
---[ end trace 40047c23eabef13f ]---
Fixing recursive fault but reboot is needed!


I am testing in qemu, I think without a floppy drive:

$ qemu-system-x86_64 -hda wheezy.img -net
user,host=10.0.2.10,hostfwd=tcp::10022-:22 -net nic -nographic -kernel
bzImage -append "console=ttyS0 root=/dev/sda debug earlyprintk=serial
slub_debug=FPZU" -enable-kvm -m 2G -numa node,nodeid=0,cpus=0-1 -numa
node,nodeid=1,cpus=2-3 -smp sockets=2,cores=2,threads=1 -usb
-usbdevice mouse -usbdevice tablet -soundhw all

On commit 30f05309bde49295e02e45c7e615f73aa4e0ccc2.

Thread overview: 9+ messages
2016-01-24 13:12 Dmitry Vyukov [this message]
2016-01-25 14:06 ` floppy: GPF in floppy_rb0_cb Jiri Kosina
2016-01-25 15:34   ` Dmitry Vyukov
2016-01-27 16:55     ` Jiri Kosina
2016-01-27 17:17       ` Dmitry Vyukov
2016-01-27 20:27         ` Jiri Kosina
2016-01-28 10:32           ` Dmitry Vyukov
2016-01-28 10:43             ` [PATCH] floppy: fix lock_fdc() signal handling Jiri Kosina
2016-01-29  9:22               ` Dmitry Vyukov