From: "Toralf Förster" <toralf.foerster@gmx.de>
To: Richard Weinberger <richard.weinberger@gmail.com>
Cc: UML devel <user-mode-linux-devel@lists.sourceforge.net>
Subject: Re: [uml-devel] kernel BUG: while fuzzying a 32 bit Linux user mode guest with trinity
Date: Sat, 17 May 2014 20:22:14 +0200
Message-ID: <5377A8D6.1060104@gmx.de>
In-Reply-To: <53777F1A.20402@gmx.de>
On 05/17/2014 05:24 PM, Toralf Förster wrote:
> On 05/03/2014 09:15 PM, Richard Weinberger wrote:
>> On Sat, May 3, 2014 at 6:04 PM, Toralf Förster <toralf.foerster@gmx.de> wrote:
>>> I could force a crash using latest kernel tree (v3.15-rc3-159-g6c6ca9c with applied fix3.patch for the mremap syscall) and latest trinity tree (1.1-1349-g18ebf71).
> ...
>>> #9 0x080cc265 in __delete_from_page_cache (page=0xa303520, shadow=0x0) at mm/filemap.c:202
> ...
>> As written two days ago, this seems to be a known issue:
>> https://lkml.org/lkml/2014/4/15/577
>
> Just FWIW :
> If I exclude the syscall "madvise" from the trinity fuzzer then this
> issue can't be reproduced (till now). Allowing that syscall however
> crashes the UML usually within less than 1/2 hour.
>
>
Well, I was wrong, it just takes a longer time, but here's an example of the issue using another syscall:
Kernel panic - not syncing: BUG!
CPU: 0 PID: 4400 Comm: trinity Not tainted 3.15.0-rc5-00077-g14186fe-dirty #17
Stack:
085a4fd4 085a4fd4 48397c20 00000004 086c8547 0a5b8bc0 0000003f 48054244
48397c30 084eb115 00000000 00000000 48397c58 084e7580 085b096c 08700960
085a1d25 48397c64 00000000 0a5b8bc0 0000003f 48054244 48397c90 080cc2c5
Call Trace:
[<080cc2c5>] ? __delete_from_page_cache+0x215/0x270
[<084eb115>] dump_stack+0x26/0x28
[<084e7580>] panic+0x7a/0x194
[<080cc2c5>] __delete_from_page_cache+0x215/0x270
[<080cc38b>] delete_from_page_cache+0x6b/0x90
[<080d7a87>] truncate_inode_page+0x97/0xb0
[<080de64d>] shmem_undo_range+0x1bd/0x620
[<080df541>] shmem_truncate_range+0x31/0x60
[<080dfb06>] shmem_evict_inode+0x86/0x150
[<0811d87f>] evict+0xbf/0x170
[<080fff98>] ? kmem_cache_free+0xe8/0x120
[<080ec5a4>] ? remove_vma+0x44/0x50
[<0811e2fd>] iput+0x14d/0x160
[<0811ab08>] dentry_kill.isra.29+0x158/0x220
[<0811ae8d>] dput+0xfd/0x120
[<08107795>] __fput+0x175/0x190
[<081075e0>] ? file_free_rcu+0x0/0x40
[<081077eb>] ____fput+0xb/0x10
[<08093b26>] task_work_run+0x76/0x90
[<0805f95a>] interrupt_end+0x4a/0x80
[<0807497b>] userspace+0x57b/0x5f0
[<0849d7a1>] ? ptrace+0x31/0x80
[<08079d66>] ? os_set_thread_area+0x26/0x40
[<08078d30>] ? do_set_thread_area+0x20/0x50
[<08078ea8>] ? arch_switch_tls+0xb8/0x100
[<0805f770>] fork_handler+0x60/0x70
/home/tfoerste/workspace/bin/start_uml.sh: line 110: 8342 Aborted (core dumped) $LINUX earlyprintk ubda=$ROOTFS ubdb=$SWAP eth0=$NET mem=$MEM $TTY umid=uml_$NAME rootfstype=ext4 "$ARGS"
and the gdb back trace of the core file gives :
Thread 1 (LWP 8342):
#0 0xb7759424 in __kernel_vsyscall ()
#1 0x0848adf5 in kill ()
#2 0x08072a5d in uml_abort () at arch/um/os-Linux/util.c:93
#3 0x08072d95 in os_dump_core () at arch/um/os-Linux/util.c:148
#4 0x0806257d in panic_exit (self=0x86c9618 <panic_exit_notifier>, unused1=0, unused2=0x8700960 <buf.17021>) at arch/um/kernel/um_arch.c:240
#5 0x0809a2c6 in notifier_call_chain (nl=0x0, val=0, v=0x8700960 <buf.17021>, nr_to_call=-2, nr_calls=0x0) at kernel/notifier.c:93
#6 0x0809a3e1 in __atomic_notifier_call_chain (nh=0x8700944 <panic_notifier_list>, val=0, v=0x8700960 <buf.17021>, nr_to_call=0, nr_calls=0x0) at kernel/notifier.c:182
#7 0x0809a41f in atomic_notifier_call_chain (nh=0x0, val=0, v=0x0) at kernel/notifier.c:191
#8 0x084e759c in panic (fmt=0x0) at kernel/panic.c:130
#9 0x080cc2c5 in __delete_from_page_cache (page=0xa5b8bc0, shadow=0x0) at mm/filemap.c:202
#10 0x080cc38b in delete_from_page_cache (page=0xa5b8bc0) at mm/filemap.c:234
#11 0x080d7a87 in truncate_complete_page (page=<optimized out>, mapping=<optimized out>) at mm/truncate.c:145
#12 truncate_inode_page (mapping=0x48054244, page=0xa5b8bc0) at mm/truncate.c:180
#13 0x080de64d in shmem_undo_range (inode=0x4805418c, lstart=26981530424, lend=5204328695673653632, unfalloc=false) at mm/shmem.c:429
#14 0x080df541 in shmem_truncate_range (inode=0x4805418c, lstart=0, lend=5204326324851703808) at mm/shmem.c:526
#15 0x080dfb06 in shmem_evict_inode (inode=0x4805418c) at mm/shmem.c:570
#16 0x0811d87f in evict (inode=0x4805418c) at fs/inode.c:550
#17 0x0811e2fd in iput_final (inode=<optimized out>) at fs/inode.c:1418
#18 iput (inode=0x4805418c) at fs/inode.c:1436
#19 0x0811ab08 in dentry_iput (dentry=<optimized out>) at fs/dcache.c:292
#20 dentry_kill (dentry=0x3789d4d0, unlock_on_failure=<optimized out>) at fs/dcache.c:507
#21 0x0811ae8d in dput (dentry=0x3789d4d0) at fs/dcache.c:582
#22 0x08107795 in __fput (file=0x48ac89c0) at fs/file_table.c:228
#23 0x081077eb in ____fput (work=0x48ac89c0) at fs/file_table.c:246
#24 0x08093b26 in task_work_run () at kernel/task_work.c:123
#25 0x0805f95a in tracehook_notify_resume (regs=<optimized out>) at include/linux/tracehook.h:196
#26 interrupt_end () at arch/um/kernel/process.c:98
#27 0x0807497b in userspace (regs=0x45f822e0) at arch/um/os-Linux/skas/process.c:459
#28 0x0805f770 in fork_handler () at arch/um/kernel/process.c:149
#29 0x00000000 in ?? ()
--
Toralf
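The report above has both the console trace and a gdb backtrace of the core, but a UML guest that dies under a fuzzer often leaves only the console text. The following is an added example, not code from this thread or from the UML project: a parser for the `[<addr>] sym+0xoff/0xsize` frame lines a 32-bit UML kernel prints, which separates confirmed frames from `?` (unconfirmed) ones, checks that each offset lies inside the reported symbol size (a cheap test that the trace came from the binary you are about to symbolize), and builds the addr2line command for the remaining frames. The sample input is the trace from the mail above; the binary name `linux` (the default UML build output) and all function names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List

# One frame as a 32-bit UML kernel prints it:  [<080cc2c5>] ? __delete_from_page_cache+0x215/0x270
# A leading "?" marks an address found on the stack that the unwinder could not confirm as a return address.
FRAME_RE = re.compile(
    r"^\s*\[<(?P<addr>[0-9a-fA-F]+)>\]\s*(?P<unreliable>\?\s+)?"
    r"(?P<sym>[A-Za-z_][\w.]*)\+0x(?P<off>[0-9a-fA-F]+)/0x(?P<size>[0-9a-fA-F]+)\s*$"
)


@dataclass
class Frame:
    addr: int
    symbol: str
    offset: int        # byte offset of addr into symbol
    size: int          # size of symbol as reported by the kernel
    unreliable: bool   # printed with "?"

    @property
    def func_start(self) -> int:
        return self.addr - self.offset


def parse_call_trace(text: str) -> List[Frame]:
    """Collect the frames that follow a 'Call Trace:' header; stop at the first line that is not a frame."""
    frames: List[Frame] = []
    in_trace = False
    for line in text.splitlines():
        if line.strip() == "Call Trace:":
            in_trace = True
            continue
        if not in_trace:
            continue
        m = FRAME_RE.match(line)
        if m is None:
            break
        frames.append(Frame(addr=int(m["addr"], 16), symbol=m["sym"],
                            offset=int(m["off"], 16), size=int(m["size"], 16),
                            unreliable=m["unreliable"] is not None))
    return frames


def reliable_frames(frames: List[Frame]) -> List[Frame]:
    """Drop the '?' frames; what is left is the actual call chain (dump_stack/panic down to fork_handler)."""
    return [f for f in frames if not f.unreliable]


def inconsistent_frames(frames: List[Frame]) -> List[str]:
    """Symbols whose offset lies past the reported size: a sign that trace and binary do not match."""
    return [f.symbol for f in frames if f.offset > f.size]


def addr2line_cmd(frames: List[Frame], vmlinux: str = "linux") -> List[str]:
    """addr2line invocation for the frames. A UML kernel is an ordinary host ELF, so the host
    addr2line works on it; 'linux' as the binary name is an assumption of this example."""
    return ["addr2line", "-f", "-i", "-e", vmlinux] + [f"0x{f.addr:x}" for f in frames]


# Sample input, copied from the console trace in the mail above (constructed test data for this example).
SAMPLE_TRACE = """\
Kernel panic - not syncing: BUG!
CPU: 0 PID: 4400 Comm: trinity Not tainted 3.15.0-rc5-00077-g14186fe-dirty #17
Call Trace:
[<080cc2c5>] ? __delete_from_page_cache+0x215/0x270
[<084eb115>] dump_stack+0x26/0x28
[<084e7580>] panic+0x7a/0x194
[<080cc2c5>] __delete_from_page_cache+0x215/0x270
[<080cc38b>] delete_from_page_cache+0x6b/0x90
[<080d7a87>] truncate_inode_page+0x97/0xb0
[<080de64d>] shmem_undo_range+0x1bd/0x620
[<080df541>] shmem_truncate_range+0x31/0x60
[<080dfb06>] shmem_evict_inode+0x86/0x150
[<0811d87f>] evict+0xbf/0x170
[<080fff98>] ? kmem_cache_free+0xe8/0x120
[<080ec5a4>] ? remove_vma+0x44/0x50
[<0811e2fd>] iput+0x14d/0x160
[<0811ab08>] dentry_kill.isra.29+0x158/0x220
[<0811ae8d>] dput+0xfd/0x120
[<08107795>] __fput+0x175/0x190
[<081075e0>] ? file_free_rcu+0x0/0x40
[<081077eb>] ____fput+0xb/0x10
[<08093b26>] task_work_run+0x76/0x90
[<0805f95a>] interrupt_end+0x4a/0x80
[<0807497b>] userspace+0x57b/0x5f0
[<0849d7a1>] ? ptrace+0x31/0x80
[<08079d66>] ? os_set_thread_area+0x26/0x40
[<08078d30>] ? do_set_thread_area+0x20/0x50
[<08078ea8>] ? arch_switch_tls+0xb8/0x100
[<0805f770>] fork_handler+0x60/0x70
"""

if __name__ == "__main__":
    frames = parse_call_trace(SAMPLE_TRACE)
    for f in reliable_frames(frames):
        print(f"0x{f.addr:08x} {f.symbol}+0x{f.offset:x} (function starts at 0x{f.func_start:08x})")
    print("mismatched frames:", inconsistent_frames(frames))
    print(" ".join(addr2line_cmd(reliable_frames(frames))))
```

Run the printed addr2line command against the exact `linux` binary that produced the trace (same commit and config; a `-dirty` build like the one above is only resolvable with that tree's working copy) to get the same `mm/filemap.c:202` style locations that gdb shows for the core. The offset-versus-size check cannot prove a match, but an offset past the end of a symbol is a reliable sign that you are looking at the wrong build.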
Thread overview (5 messages):
2014-05-03 16:04 [uml-devel] kernel BUG: while fuzzying a 32 bit Linux user mode guest with trinity Toralf Förster
2014-05-03 18:07 ` Toralf Förster
2014-05-03 19:15 ` Richard Weinberger
2014-05-17 15:24 ` Toralf Förster
2014-05-17 18:22 ` Toralf Förster [this message]