From: "Toralf Förster" <toralf.foerster@gmx.de>
To: UML devel <user-mode-linux-devel@lists.sourceforge.net>
Subject: [uml-devel] kernel BUG: while fuzzing a 32 bit Linux user mode guest with trinity
Date: Sat, 03 May 2014 18:04:43 +0200
Message-ID: <5365139B.2090104@gmx.de>

I could force a crash using latest kernel tree (v3.15-rc3-159-g6c6ca9c with applied fix3.patch for the mremap syscall) and latest trinity tree (1.1-1349-g18ebf71).

The backtrace of the core dump gives:

tfoerste@n22 ~/tmp $ gdb /home/tfoerste/devel/linux/linux --core=/mnt/ramdisk/core -batch -ex 'thread apply all bt'
[New LWP 23912]

warning: Could not load shared library symbols for linux-gate.so.1.
Do you need "set solib-search-path" or "set sysroot"?
Core was generated by `/home/tfoerste/devel/linux/linux earlyprintk ubda=/home/tfoerste/virtual/uml/tr'.
Program terminated with signal 6, Aborted.
#0  0xb7741424 in __kernel_vsyscall ()

Thread 1 (LWP 23912):
#0  0xb7741424 in __kernel_vsyscall ()
#1  0x0848ac75 in kill ()
#2  0x08072a5d in uml_abort () at arch/um/os-Linux/util.c:93
#3  0x08072d95 in os_dump_core () at arch/um/os-Linux/util.c:148
#4  0x0806257d in panic_exit (self=0x86c9618 <panic_exit_notifier>, unused1=0, unused2=0x8700960 <buf.17019>) at arch/um/kernel/um_arch.c:240
#5  0x0809a266 in notifier_call_chain (nl=0x0, val=0, v=0x8700960 <buf.17019>, nr_to_call=-2, nr_calls=0x0) at kernel/notifier.c:93
#6  0x0809a381 in __atomic_notifier_call_chain (nh=0x8700944 <panic_notifier_list>, val=0, v=0x8700960 <buf.17019>, nr_to_call=0, nr_calls=0x0) at kernel/notifier.c:182
#7  0x0809a3bf in atomic_notifier_call_chain (nh=0x0, val=0, v=0x0) at kernel/notifier.c:191
#8  0x084e742c in panic (fmt=0x0) at kernel/panic.c:130
#9  0x080cc265 in __delete_from_page_cache (page=0xa303520, shadow=0x0) at mm/filemap.c:202
#10 0x080cc32b in delete_from_page_cache (page=0xa303520) at mm/filemap.c:234
#11 0x080d7af7 in truncate_complete_page (page=<optimized out>, mapping=<optimized out>) at mm/truncate.c:145
#12 truncate_inode_page (mapping=0x4592c974, page=0xa303520) at mm/truncate.c:180
#13 0x080de69d in shmem_undo_range (inode=0x4592c8bc, lstart=26525858516, lend=3247232753107730432, unfalloc=false) at mm/shmem.c:429
#14 0x080df591 in shmem_truncate_range (inode=0x4592c8bc, lstart=0, lend=3247230382285783040) at mm/shmem.c:526
#15 0x080df6a8 in shmem_fallocate (file=0x0, mode=3, offset=0, len=1048576) at mm/shmem.c:1741
#16 0x081045da in do_fallocate (file=0x458bf300, mode=3, offset=0, len=1048576) at fs/open.c:298
#17 0x080e6b91 in madvise_remove (end=<optimized out>, start=<optimized out>, prev=<optimized out>, vma=<optimized out>) at mm/madvise.c:332
#18 madvise_vma (behavior=<optimized out>, end=<optimized out>, start=<optimized out>, prev=<optimized out>, vma=<optimized out>) at mm/madvise.c:384
#19 SYSC_madvise (behavior=<optimized out>, len_in=<optimized out>, start=<optimized out>) at mm/madvise.c:534
#20 SyS_madvise (start=1076387840, len_in=1048576, behavior=9) at mm/madvise.c:465
#21 0x08062b34 in handle_syscall (r=0x2d38e3e0) at arch/um/kernel/skas/syscall.c:35
#22 0x08074875 in handle_trap (local_using_sysemu=<optimized out>, regs=<optimized out>, pid=<optimized out>) at arch/um/os-Linux/skas/process.c:193
#23 userspace (regs=0x2d38e3e0) at arch/um/os-Linux/skas/process.c:426
#24 0x0805f770 in fork_handler () at arch/um/kernel/process.c:149
#25 0x00000000 in ?? ()

The output of the UML guest is:

Kernel panic - not syncing: BUG!
CPU: 0 PID: 1988 Comm: trinity-c2 Not tainted 3.15.0-rc3-00159-g6c6ca9c-dirty #8
Stack:
 085a4f54 085a4f54 2d107bbc 00000004 086c8547 0a303520 0000003f 4592c974
 2d107bcc 084eafa5 00000000 00000000 2d107bf4 084e7410 085b08ec 08700960
 085a1ca5 2d107c00 00000000 0a303520 0000003f 4592c974 2d107c2c 080cc265
Call Trace:
 [<080cc265>] ? __delete_from_page_cache+0x215/0x270
 [<084eafa5>] dump_stack+0x26/0x28
 [<084e7410>] panic+0x7a/0x194
 [<080cc265>] __delete_from_page_cache+0x215/0x270
 [<080cc32b>] delete_from_page_cache+0x6b/0x90
 [<080d7af7>] truncate_inode_page+0x97/0xb0
 [<080de69d>] shmem_undo_range+0x1bd/0x620
 [<080df591>] shmem_truncate_range+0x31/0x60
 [<080df6a8>] shmem_fallocate+0xe8/0x360
 [<0849a605>] ? __gettimeofday+0x15/0x30
 [<08071dfe>] ? set_signals+0x1e/0x40
 [<081045da>] do_fallocate+0x14a/0x1d0
 [<080e6b91>] SyS_madvise+0x1d1/0x720
 [<080aef0d>] ? __getnstimeofday+0x3d/0x100
 [<0807fa68>] ? SyS_gettimeofday+0x38/0x80
 [<08062b34>] handle_syscall+0x64/0x80
 [<0849d621>] ? ptrace+0x31/0x80
 [<08079802>] ? get_fp_registers+0x22/0x40
 [<08074875>] userspace+0x475/0x5f0
 [<0849d621>] ? ptrace+0x31/0x80
 [<08079d66>] ? os_set_thread_area+0x26/0x40
 [<08078d30>] ? do_set_thread_area+0x20/0x50
 [<08078ea8>] ? arch_switch_tls+0xb8/0x100
 [<0805f770>] fork_handler+0x60/0x70
/home/tfoerste/workspace/bin/start_uml.sh: line 110: 23912 Aborted                 (core dumped) $LINUX earlyprintk ubda=$ROOTFS ubdb=$SWAP eth0=$NET mem=$MEM $TTY umid=uml_$NAME rootfstype=ext4 "$ARGS"

There's no trinity log available, I lost it, sorry.

FWIW the host system is a stable 32 bit Gentoo Linux with kernel 3.14.2.

-- 
Toralf

