From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752453AbcAXNNJ (ORCPT <rfc822;w@1wt.eu>);
	Sun, 24 Jan 2016 08:13:09 -0500
Received: from mail-wm0-f48.google.com ([74.125.82.48]:34717 "EHLO
	mail-wm0-f48.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751948AbcAXNNF (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Sun, 24 Jan 2016 08:13:05 -0500
MIME-Version: 1.0
From: Dmitry Vyukov <dvyukov@google.com>
Date: Sun, 24 Jan 2016 14:12:44 +0100
Message-ID: <CACT4Y+YFG2T=uCd4VPa8KFagf2+UgVTV4--Fk9ozuUcdps_4rA@mail.gmail.com>
Subject: floppy: GPF in floppy_rb0_cb
To: Jiri Kosina <jikos@kernel.org>, NeilBrown <neilb@suse.com>,
        Takashi Iwai <tiwai@suse.de>, Jens Axboe <axboe@fb.com>,
        Hannes Reinecke <hare@suse.de>,
        Rasmus Villemoes <linux@rasmusvillemoes.dk>,
        LKML <linux-kernel@vger.kernel.org>
Cc: syzkaller <syzkaller@googlegroups.com>, Kostya Serebryany <kcc@google.com>,
        Alexander Potapenko <glider@google.com>,
        Sasha Levin <sasha.levin@oracle.com>
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hello,

The following causes program causes multiple bugs and eventually machine death:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/wait.h>

#define N 100

int main()
{
  int i, status, pids[N];

  for (;;) {
    for (i = 0; i < N; i++) {
      if ((pids[i] = fork()) == 0) {
        open("/dev/fd0", O_RDWR);
        exit(0);
      }
    }
    for (i = 0; i < N; i++) {
      while (waitpid(pids[i], &status, __WALL) != pids[i]) {
      }
    }
  }
  return 0;
}


------------[ cut here ]------------
WARNING: CPU: 0 PID: 6 at drivers/block/floppy.c:975 schedule_bh+0x55/0x60()
Modules linked in:
CPU: 0 PID: 6 Comm: kworker/u8:0 Not tainted 4.4.0+ #276
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: floppy fd_timer_workfn
 00000000ffffffff ffff88003df97ac0 ffffffff82999e2d 0000000000000000
 ffff88003df32f80 ffffffff8687a0e0 ffff88003df97b00 ffffffff81352089
 ffffffff8335dbb5 ffffffff8687a0e0 00000000000003cf ffffffff895cae20
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff82999e2d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
 [<ffffffff81352089>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
 [<ffffffff813522b9>] warn_slowpath_null+0x29/0x30 kernel/panic.c:515
 [<ffffffff8335dbb5>] schedule_bh+0x55/0x60 drivers/block/floppy.c:975
 [<ffffffff8336e1cf>] redo_fd_request+0x173f/0x39f0 drivers/block/floppy.c:2878
 [<     inline     >] seek_floppy drivers/block/floppy.c:1572
 [<ffffffff8336ad6c>] floppy_ready+0x106c/0x13f0 drivers/block/floppy.c:1911
 [<ffffffff8335c9ff>] fd_timer_workfn+0xf/0x20 drivers/block/floppy.c:985
 [<ffffffff813a0836>] process_one_work+0x796/0x1440 kernel/workqueue.c:2037
 [<ffffffff813a15bb>] worker_thread+0xdb/0xfc0 kernel/workqueue.c:2171
 [<ffffffff813b4d4f>] kthread+0x23f/0x2d0 drivers/block/aoe/aoecmd.c:1303
 [<ffffffff86336fef>] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
---[ end trace 40047c23eabef132 ]---
------------[ cut here ]------------
WARNING: CPU: 1 PID: 10091 at kernel/locking/lockdep.c:3183
__lock_acquire+0xbc8/0x4700()
DEBUG_LOCKS_WARN_ON(id >= MAX_LOCKDEP_KEYS)
Modules linked in:
 [<     inline     >] process_fd_request drivers/block/floppy.c:2893
 [<ffffffff8335df06>] __floppy_read_block_0+0x196/0x260
drivers/block/floppy.c:3822
 [<ffffffff83364b93>] floppy_revalidate+0x573/0x770 drivers/block/floppy.c:3867
 [<ffffffff8186ff91>] check_disk_change+0xf1/0x130 fs/block_dev.c:1135
 [<ffffffff8335e958>] floppy_open+0x518/0x920 drivers/block/floppy.c:3713
 [<ffffffff81871c88>] __blkdev_get+0x338/0x10e0 fs/block_dev.c:1213
 [<ffffffff818732b0>] blkdev_get+0x310/0x960 fs/block_dev.c:1352
 [<ffffffff81873b05>] blkdev_open+0x1a5/0x250 fs/block_dev.c:1507
 [<ffffffff817a9c02>] do_dentry_open+0x6a2/0xcb0 fs/open.c:736
 [<ffffffff817ad2db>] vfs_open+0x17b/0x1f0 fs/open.c:853
 [<     inline     >] do_last fs/namei.c:3254
 [<ffffffff817e00d9>] path_openat+0xde9/0x5e30 fs/namei.c:3386
 [<ffffffff817e895e>] do_filp_open+0x18e/0x250 fs/namei.c:3421
 [<ffffffff817ada5c>] do_sys_open+0x1fc/0x420 fs/open.c:1022
 [<     inline     >] SYSC_open fs/open.c:1040
 [<ffffffff817adcad>] SyS_open+0x2d/0x40 fs/open.c:1035
 [<ffffffff86336c36>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
---[ end trace 40047c23eabef13c ]---
CPU: 1 PID: 10091 Comm: kworker/u8:2 Tainted: G        W       4.4.0+ #276
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: floppy fd_timer_workfn
 00000000ffffffff ffff8800607f7650 ffffffff82999e2d ffff8800607f76c0
 ffff88005b2f4740 ffffffff8642bc40 ffff8800607f7690 ffffffff81352089
 ffffffff81454e08 ffffed000c0feed4 ffffffff8642bc40 0000000000000c6f
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff82999e2d>] dump_stack+0x6f/0xa2 lib/dump_stack.c:50
 [<ffffffff81352089>] warn_slowpath_common+0xd9/0x140 kernel/panic.c:482
 [<ffffffff81352199>] warn_slowpath_fmt+0xa9/0xd0 kernel/panic.c:494
 [<ffffffff81454e08>] __lock_acquire+0xbc8/0x4700 kernel/locking/lockdep.c:3183
 [<ffffffff8145ad8c>] lock_acquire+0x1dc/0x430 kernel/locking/lockdep.c:3585
 [<     inline     >] __raw_spin_lock_irqsave
include/linux/spinlock_api_smp.h:112
 [<ffffffff863365cf>] _raw_spin_lock_irqsave+0x9f/0xd0
kernel/locking/spinlock.c:159
 [<ffffffff8143a678>] complete+0x18/0x70 kernel/sched/completion.c:33
 [<ffffffff8335dd04>] floppy_rb0_cb+0x74/0xe0 drivers/block/floppy.c:3785
 [<ffffffff828f41f7>] bio_endio+0x117/0x200 block/bio.c:1761
 [<     inline     >] req_bio_endio block/blk-core.c:155
 [<ffffffff82910533>] blk_update_request+0x1c3/0xbc0 block/blk-core.c:2632
 [<ffffffff82910f5a>] blk_update_bidi_request+0x2a/0x160 block/blk-core.c:2686
 [<ffffffff82913ee0>] __blk_end_bidi_request+0x30/0x60 block/blk-core.c:2802
 [<ffffffff82913f37>] __blk_end_request+0x27/0x30 block/blk-core.c:2903
 [<ffffffff83360076>] floppy_end_request+0x96/0x2a0 drivers/block/floppy.c:2213
 [<ffffffff833606d2>] request_done+0x452/0x6d0 drivers/block/floppy.c:2266
 [<     inline     >] seek_floppy drivers/block/floppy.c:1571
 [<ffffffff8336ad40>] floppy_ready+0x1040/0x13f0 drivers/block/floppy.c:1911
 [<ffffffff8335c9ff>] fd_timer_workfn+0xf/0x20 drivers/block/floppy.c:985
 [<ffffffff813a0836>] process_one_work+0x796/0x1440 kernel/workqueue.c:2037
 [<ffffffff813a15bb>] worker_thread+0xdb/0xfc0 kernel/workqueue.c:2171
 [<ffffffff813b4d4f>] kthread+0x23f/0x2d0 drivers/block/aoe/aoecmd.c:1303
 [<ffffffff86336fef>] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
---[ end trace 40047c23eabef13d ]---
BUG: unable to handle kernel NULL pointer dereference at 000000000000036b
IP: [<000000000000036b>] 0x36b
PGD 651b5067 PUD 63062067 PMD 0
Oops: 0010 [#1] SMP DEBUG_PAGEALLOC KASAN
Modules linked in:
CPU: 1 PID: 10091 Comm: kworker/u8:2 Tainted: G        W       4.4.0+ #276
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Workqueue: floppy fd_timer_workfn
task: ffff88005b2f4740 ti: ffff8800607f0000 task.ti: ffff8800607f0000
RIP: 0010:[<000000000000036b>]  [<000000000000036b>] 0x36b
RSP: 0018:ffff8800607f7920  EFLAGS: 00010093
RAX: ffff88005eb775c8 RBX: 000000005eafc740 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffff88005eb775c8
RBP: ffff8800607f7968 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000036b R11: ffffed000fffec09 R12: ffff88005eb775b8
R13: dffffc0000000000 R14: ffff88005eb77608 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88003ed00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 000000000000036b CR3: 0000000065243000 CR4: 00000000000006e0
Stack:
 ffffffff81438d28 ffff88005eb775c8 0000000100000086 0000000300000000
 ffff88005eb77578 ffff88005eb77580 0000000000000086 dffffc0000000000
 0000000000001000 ffff8800607f7978 ffffffff81438e1e ffff8800607f79a0
Call Trace:
 [<ffffffff81438e1e>] __wake_up_locked+0xe/0x10 kernel/sched/wait.c:105
 [<ffffffff8143a6ae>] complete+0x4e/0x70 kernel/sched/completion.c:35
 [<ffffffff8335dd04>] floppy_rb0_cb+0x74/0xe0 drivers/block/floppy.c:3785
 [<ffffffff828f41f7>] bio_endio+0x117/0x200 block/bio.c:1761
 [<     inline     >] req_bio_endio block/blk-core.c:155
 [<ffffffff82910533>] blk_update_request+0x1c3/0xbc0 block/blk-core.c:2632
 [<ffffffff82910f5a>] blk_update_bidi_request+0x2a/0x160 block/blk-core.c:2686
 [<ffffffff82913ee0>] __blk_end_bidi_request+0x30/0x60 block/blk-core.c:2802
 [<ffffffff82913f37>] __blk_end_request+0x27/0x30 block/blk-core.c:2903
 [<ffffffff83360076>] floppy_end_request+0x96/0x2a0 drivers/block/floppy.c:2213
 [<ffffffff833606d2>] request_done+0x452/0x6d0 drivers/block/floppy.c:2266
 [<     inline     >] seek_floppy drivers/block/floppy.c:1571
 [<ffffffff8336ad40>] floppy_ready+0x1040/0x13f0 drivers/block/floppy.c:1911
 [<ffffffff8335c9ff>] fd_timer_workfn+0xf/0x20 drivers/block/floppy.c:985
 [<ffffffff813a0836>] process_one_work+0x796/0x1440 kernel/workqueue.c:2037
 [<ffffffff813a15bb>] worker_thread+0xdb/0xfc0 kernel/workqueue.c:2171
 [<ffffffff813b4d4f>] kthread+0x23f/0x2d0 drivers/block/aoe/aoecmd.c:1303
 [<ffffffff86336fef>] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
Code:  Bad RIP value.
RIP  [<000000000000036b>] 0x36b
 RSP <ffff8800607f7920>
CR2: 000000000000036b
---[ end trace 40047c23eabef13e ]---
Oops: 0000 [#2] SMP DEBUG_PAGEALLOC KASAN
Modules linked in:
CPU: 0 PID: 10091 Comm: kworker/u8:2 Tainted: G      D W       4.4.0+ #276
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88005b2f4740 ti: ffff8800607f0000 task.ti: ffff8800607f0000
RIP: 0010:[<ffffffff813b632d>]  [<ffffffff813b632d>] kthread_data+0x4d/0x70
RSP: 0018:ffff8800607f73d8  EFLAGS: 00010046
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff88005b2f47e8
RDX: 1ffffffffffffff5 RSI: 0000000000000000 RDI: ffffffffffffffa8
RBP: ffff8800607f73e0 R08: ffff88003ec20b78 R09: 000000000252cb9d
R10: ffff88005b2f47c0 R11: ffff88003ec20270 R12: 0000000000000000
R13: 0000000000020140 R14: ffff88005b2f4784 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000028 CR3: 00000000075bb000 CR4: 00000000000006f0
Stack:
 ffff88005b2f4740 ffff8800607f7400 ffffffff813a858a ffff88003ec20140
 0000000000000040 ffff8800607f7488 ffffffff863275d6 0000000000000000
 ffff8800607f7490 0000000000000286 ffff88003ec20af0 ffff88003ec20ac8
Call Trace:
 [<ffffffff813a858a>] wq_worker_sleeping+0x1a/0x220 kernel/workqueue.c:850
 [<ffffffff863275d6>] __schedule+0x1206/0x1c50 kernel/sched/core.c:3260
 [<ffffffff863280b7>] schedule+0x97/0x1c0 kernel/sched/core.c:3311
 [<ffffffff8135c521>] do_exit+0x1b61/0x2c60 kernel/exit.c:830
 [<ffffffff811abe7f>] oops_end+0x9f/0xd0 arch/x86/kernel/dumpstack.c:250
 [<ffffffff8127de6c>] no_context+0x2cc/0x870 arch/x86/mm/fault.c:728
 [<ffffffff8127e68b>] __bad_area_nosemaphore+0x27b/0x460 arch/x86/mm/fault.c:808
 [<ffffffff8127e89a>] bad_area_nosemaphore+0x2a/0x40 arch/x86/mm/fault.c:815
 [<ffffffff8127ee0f>] __do_page_fault+0x18f/0x960 arch/x86/mm/fault.c:1180
 [<ffffffff8127f738>] trace_do_page_fault+0xe8/0x420 arch/x86/mm/fault.c:1331
 [<ffffffff812705c4>] do_async_page_fault+0x14/0xd0 arch/x86/kernel/kvm.c:264
 [<ffffffff86338f78>] async_page_fault+0x28/0x30 arch/x86/entry/entry_64.S:986
 [<ffffffff81438e1e>] __wake_up_locked+0xe/0x10 kernel/sched/wait.c:105
 [<ffffffff8143a6ae>] complete+0x4e/0x70 kernel/sched/completion.c:35
 [<ffffffff8335dd04>] floppy_rb0_cb+0x74/0xe0 drivers/block/floppy.c:3785
 [<ffffffff828f41f7>] bio_endio+0x117/0x200 block/bio.c:1761
 [<     inline     >] req_bio_endio block/blk-core.c:155
 [<ffffffff82910533>] blk_update_request+0x1c3/0xbc0 block/blk-core.c:2632
 [<ffffffff82910f5a>] blk_update_bidi_request+0x2a/0x160 block/blk-core.c:2686
 [<ffffffff82913ee0>] __blk_end_bidi_request+0x30/0x60 block/blk-core.c:2802
 [<ffffffff82913f37>] __blk_end_request+0x27/0x30 block/blk-core.c:2903
 [<ffffffff83360076>] floppy_end_request+0x96/0x2a0 drivers/block/floppy.c:2213
 [<ffffffff833606d2>] request_done+0x452/0x6d0 drivers/block/floppy.c:2266
 [<     inline     >] seek_floppy drivers/block/floppy.c:1571
 [<ffffffff8336ad40>] floppy_ready+0x1040/0x13f0 drivers/block/floppy.c:1911
 [<ffffffff8335c9ff>] fd_timer_workfn+0xf/0x20 drivers/block/floppy.c:985
 [<ffffffff813a0836>] process_one_work+0x796/0x1440 kernel/workqueue.c:2037
 [<ffffffff813a15bb>] worker_thread+0xdb/0xfc0 kernel/workqueue.c:2171
 [<ffffffff813b4d4f>] kthread+0x23f/0x2d0 drivers/block/aoe/aoecmd.c:1303
 [<ffffffff86336fef>] ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
Code: c1 ea 03 80 3c 02 00 75 29 48 8b 9b 60 05 00 00 48 b8 00 00 00
00 00 fc ff df 48 8d 7b a8 48 89 fa 48 c1 ea 03 80 3c 02 00 75 0e <48>
8b 43 a8 5b 5d c3 e8 77 a6 3a 00 eb d0 e8 70 a6 3a 00 eb eb
RIP  [<ffffffff813b632d>] kthread_data+0x4d/0x70 kernel/kthread.c:137
 RSP <ffff8800607f73d8>
CR2: ffffffffffffffa8
---[ end trace 40047c23eabef13f ]---
Fixing recursive fault but reboot is needed!


I am testing in qemu, I think without a floppy drive:

$ qemu-system-x86_64 -hda wheezy.img -net
user,host=10.0.2.10,hostfwd=tcp::10022-:22 -net nic -nographic -kernel
bzImage -append "console=ttyS0 root=/dev/sda debug earlyprintk=serial
slub_debug=FPZU" -enable-kvm -m 2G -numa node,nodeid=0,cpus=0-1 -numa
node,nodeid=1,cpus=2-3 -smp sockets=2,cores=2,threads=1 -usb
-usbdevice mouse -usbdevice tablet -soundhw all

On commit 30f05309bde49295e02e45c7e615f73aa4e0ccc2.