From: "Paul E. McKenney" <paulmck@linux.ibm.com>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: Stefano Brivio <sbrivio@redhat.com>,
	Eric Dumazet <eric.dumazet@gmail.com>,
	Arjan van de Ven <arjan@linux.intel.com>,
	syzbot <syzbot+43f6755d1c2e62743468@syzkaller.appspotmail.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Josh Triplett <josh@joshtriplett.org>,
	LKML <linux-kernel@vger.kernel.org>,
	Ingo Molnar <mingo@kernel.org>,
	syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
	netdev <netdev@vger.kernel.org>
Subject: Re: WARNING in __rcu_read_unlock
Date: Mon, 17 Dec 2018 11:56:22 -0800
Message-ID: <20181217195622.GM4170@linux.ibm.com>
In-Reply-To: <CACT4Y+ZU3F=AyyuNyVia7gT22Z71JKM-K4uap0J-iumF=NjH9A@mail.gmail.com>

On Mon, Dec 17, 2018 at 07:45:58PM +0100, Dmitry Vyukov wrote:
> On Mon, Dec 17, 2018 at 12:29 PM Paul E. McKenney <paulmck@linux.ibm.com> wrote:
> > Any chance of a bisection?
> 
> Better later than never. Bisection also needs testing :)

Well, it looks like it did pass the test, arriving at the same commit
that Eric called out.  ;-)

							Thanx, Paul

> syz-bisect -config bisect.cfg -crash dda626cdbd87eafe9a755acbbe102e2b6096b256
> searching for guilty commit starting from 2aa55dccf83d
> building syzkaller on 7624ddd6
> testing commit 2aa55dccf83d7ca9f1da59ae005426c44fbeb890 with gcc (GCC) 8.1.0
> run #0: crashed: KASAN: slab-out-of-bounds in tick_sched_handle
> run #1: crashed: KASAN: slab-out-of-bounds in tick_sched_handle
> run #2: crashed: BUG: Bad page map
> run #3: crashed: BUG: Bad page map
> run #4: crashed: PANIC: double fault in __udp4_lib_err
> run #5: crashed: general protection fault in __bfs
> run #6: crashed: KASAN: stack-out-of-bounds Read in __handle_mm_fault
> run #7: crashed: no output from test machine
> testing release v4.19
> testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
> all runs: OK
> # git bisect start 2aa55dccf83d v4.19
> Bisecting: 7955 revisions left to test after this (roughly 13 steps)
> [f8cab69be0a8a756a7409f6d2bd1e6e96ce46482] Merge tag
> 'linux-kselftest-4.20-rc1' of
> git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
> testing commit f8cab69be0a8a756a7409f6d2bd1e6e96ce46482 with gcc (GCC) 8.1.0
> all runs: OK
> # git bisect good f8cab69be0a8a756a7409f6d2bd1e6e96ce46482
> Bisecting: 3957 revisions left to test after this (roughly 12 steps)
> [b3491d8430dd25f0a4e00c33d60da22a9bd9d052] Merge tag 'media/v4.20-2'
> of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
> testing commit b3491d8430dd25f0a4e00c33d60da22a9bd9d052 with gcc (GCC) 8.1.0
> all runs: OK
> # git bisect good b3491d8430dd25f0a4e00c33d60da22a9bd9d052
> Bisecting: 1978 revisions left to test after this (roughly 11 steps)
> [40df309e4166c69600968c93846aa0b1821e83f0] octeontx2-af: Support to
> enable/disable default MCAM entries
> testing commit 40df309e4166c69600968c93846aa0b1821e83f0 with gcc (GCC) 8.1.0
> run #0: crashed: general protection fault in __bfs
> run #1: crashed: KASAN: stack-out-of-bounds Read in copy_page_range
> run #2: crashed: general protection fault in __bfs
> run #3: crashed: KASAN: slab-out-of-bounds Read in vma_compute_subtree_gap
> run #4: crashed: general protection fault in corrupted
> run #5: crashed: general protection fault in corrupted
> run #6: crashed: BUG: unable to handle kernel paging request in corrupted
> run #7: crashed: KASAN: stack-out-of-bounds Read in inet6_fill_ifla6_attrs
> # git bisect bad 40df309e4166c69600968c93846aa0b1821e83f0
> Bisecting: 989 revisions left to test after this (roughly 10 steps)
> [a13511dfa836c8305a737436eed3ba9a8e74a826] Merge
> git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
> testing commit a13511dfa836c8305a737436eed3ba9a8e74a826 with gcc (GCC) 8.1.0
> all runs: OK
> # git bisect good a13511dfa836c8305a737436eed3ba9a8e74a826
> Bisecting: 521 revisions left to test after this (roughly 9 steps)
> [9ff01193a20d391e8dbce4403dd5ef87c7eaaca6] Linux 4.20-rc3
> testing commit 9ff01193a20d391e8dbce4403dd5ef87c7eaaca6 with gcc (GCC) 8.1.0
> all runs: OK
> # git bisect good 9ff01193a20d391e8dbce4403dd5ef87c7eaaca6
> Bisecting: 260 revisions left to test after this (roughly 8 steps)
> [47e3e53ceadc568c038e457661d836f2259ed774] ice: Destroy scheduler tree
> in reset path
> testing commit 47e3e53ceadc568c038e457661d836f2259ed774 with gcc (GCC) 8.1.0
> run #0: crashed: KASAN: slab-out-of-bounds Read in tick_sched_handle
> run #1: crashed: KASAN: stack-out-of-bounds in __fget_light
> run #2: crashed: BUG: unable to handle kernel paging request in corrupted
> run #3: crashed: KASAN: stack-out-of-bounds in anon_vma_interval_tree_remove
> run #4: crashed: general protection fault in __udp4_lib_err
> run #5: crashed: KASAN: stack-out-of-bounds Read in free_pgd_range
> run #6: crashed: general protection fault in change_protection
> run #7: crashed: INFO: trying to register non-static key in corrupted
> # git bisect bad 47e3e53ceadc568c038e457661d836f2259ed774
> Bisecting: 129 revisions left to test after this (roughly 7 steps)
> [52358cb5a310990ea5069f986bdab3620e01181f] Merge branch 's390-qeth-next'
> testing commit 52358cb5a310990ea5069f986bdab3620e01181f with gcc (GCC) 8.1.0
> run #0: crashed: BUG: unable to handle kernel paging request in corrupted
> run #1: crashed: general protection fault in vma_interval_tree_insert
> run #2: crashed: KASAN: stack-out-of-bounds Read in __call_rcu
> run #3: crashed: BUG: unable to handle kernel paging request in corrupted
> run #4: crashed: general protection fault in __bfs
> run #5: crashed: BUG: unable to handle kernel paging request in
> __cgroup_account_cputime_field
> run #6: crashed: WARNING in anon_vma_interval_tree_verify
> run #7: crashed: general protection fault in rb_first
> # git bisect bad 52358cb5a310990ea5069f986bdab3620e01181f
> Bisecting: 65 revisions left to test after this (roughly 6 steps)
> [2e7ad56aa54778de863998579fc6b5ff52838571] net/wan/fsl_ucc_hdlc: add BQL support
> testing commit 2e7ad56aa54778de863998579fc6b5ff52838571 with gcc (GCC) 8.1.0
> all runs: OK
> # git bisect good 2e7ad56aa54778de863998579fc6b5ff52838571
> Bisecting: 32 revisions left to test after this (roughly 5 steps)
> [b592843c6723a850be70bf9618578082f3b73851] net: sched: add an offload
> dump helper
> testing commit b592843c6723a850be70bf9618578082f3b73851 with gcc (GCC) 8.1.0
> all runs: OK
> # git bisect good b592843c6723a850be70bf9618578082f3b73851
> Bisecting: 16 revisions left to test after this (roughly 4 steps)
> [a07966447f39fe43e37d05c9bfc92b1493267a59] geneve: ICMP error lookup handler
> testing commit a07966447f39fe43e37d05c9bfc92b1493267a59 with gcc (GCC) 8.1.0
> all runs: OK
> # git bisect good a07966447f39fe43e37d05c9bfc92b1493267a59
> Bisecting: 8 revisions left to test after this (roughly 3 steps)
> [04087d9a89bef97998c71c21e3ecfca0cc7c52f3] openvswitch: remove BUG_ON
> from get_dpdev
> testing commit 04087d9a89bef97998c71c21e3ecfca0cc7c52f3 with gcc (GCC) 8.1.0
> run #0: crashed: WARNING: kernel stack regs has bad 'bp' value
> run #1: crashed: BUG: unable to handle kernel paging request in corrupted
> run #2: crashed: general protection fault in corrupted
> run #3: crashed: general protection fault in __bfs
> run #4: crashed: general protection fault in corrupted
> run #5: crashed: general protection fault in rb_insert_color
> run #6: crashed: BUG: corrupted list in __pagevec_lru_add_fn
> run #7: crashed: general protection fault in validate_mm
> # git bisect bad 04087d9a89bef97998c71c21e3ecfca0cc7c52f3
> Bisecting: 3 revisions left to test after this (roughly 2 steps)
> [e7cc082455cb49ea937a3ec4ab3d001b0b5f137b] udp: Support for error
> handlers of tunnels with arbitrary destination port
> testing commit e7cc082455cb49ea937a3ec4ab3d001b0b5f137b with gcc (GCC) 8.1.0
> all runs: OK
> # git bisect good e7cc082455cb49ea937a3ec4ab3d001b0b5f137b
> Bisecting: 1 revision left to test after this (roughly 1 step)
> [56fd865f46b894681dd7e7f83761243add7a71a3] selftests: pmtu: Introduce
> FoU and GUE PMTU exceptions tests
> testing commit 56fd865f46b894681dd7e7f83761243add7a71a3 with gcc (GCC) 8.1.0
> run #0: crashed: WARNING in unlink_anon_vmas
> run #1: crashed: BUG: unable to handle kernel NULL pointer dereference
> in corrupted
> run #2: crashed: BUG: unable to handle kernel NULL pointer dereference
> in corrupted
> run #3: crashed: KASAN: stack-out-of-bounds Read in update_min_vruntime
> run #4: crashed: BUG: unable to handle kernel paging request in corrupted
> run #5: crashed: PANIC: double fault in corrupted
> run #6: crashed: WARNING in unlink_anon_vmas
> run #7: crashed: WARNING in unlink_anon_vmas
> # git bisect bad 56fd865f46b894681dd7e7f83761243add7a71a3
> Bisecting: 0 revisions left to test after this (roughly 0 steps)
> [b8a51b38e4d4dec3e379d52c0fe1a66827f7cf1e] fou, fou6: ICMP error
> handlers for FoU and GUE
> testing commit b8a51b38e4d4dec3e379d52c0fe1a66827f7cf1e with gcc (GCC) 8.1.0
> run #0: crashed: kernel BUG at include/linux/swapops.h:LINE!
> run #1: crashed: general protection fault in __bfs
> run #2: crashed: INFO: trying to register non-static key in corrupted
> run #3: crashed: lost connection to test machine
> run #4: crashed: BUG: unable to handle kernel NULL pointer dereference
> in corrupted
> run #5: crashed: kernel BUG at include/linux/swapops.h:LINE!
> run #6: crashed: no output from test machine
> run #7: crashed: lost connection to test machine
> # git bisect bad b8a51b38e4d4dec3e379d52c0fe1a66827f7cf1e
> b8a51b38e4d4dec3e379d52c0fe1a66827f7cf1e is the first bad commit
> commit b8a51b38e4d4dec3e379d52c0fe1a66827f7cf1e
> Author: Stefano Brivio <sbrivio@redhat.com>
> Date:   Thu Nov 8 12:19:23 2018 +0100
> 
>     fou, fou6: ICMP error handlers for FoU and GUE
> 
>     As the destination port in FoU and GUE receiving sockets doesn't
>     necessarily match the remote destination port, we can't associate errors
>     to the encapsulating tunnels with a socket lookup -- we need to blindly
>     try them instead. This means we don't even know if we are handling errors
>     for FoU or GUE without digging into the packets.
> 
>     Hence, implement a single handler for both, one for IPv4 and one for IPv6,
>     that will check whether the packet that generated the ICMP error used a
>     direct IP encapsulation or if it had a GUE header, and send the error to
>     the matching protocol handler, if any.
> 
>     Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
>     Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
>     Signed-off-by: David S. Miller <davem@davemloft.net>
> 
> :040000 040000 cabdcb7779c24a357486aae139cb31cdd625bc53
> 6bc9db712d9698330234b7c8c934dcfc71cfb657 M net
> revisions tested: 16, total time: 3h25m25.893971693s (build:
> 1h23m29.053198068s, test: 1h59m23.409063298s)
> first bad commit: b8a51b38e4d4dec3e379d52c0fe1a66827f7cf1e fou, fou6:
> ICMP error handlers for FoU and GUE
> cc: ["sbrivio@redhat.com" "sd@queasysnail.net"]
> 
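
A reading aid for the quoted syz-bisect log, added here and not part of the original message or of syzkaller: it tallies crash titles per tested commit and checks whether the title from the Subject: line ever appears among the runs behind a "bad" verdict. The regexes assume only the line shapes visible in the log above; the sample is an abridged excerpt of that log.

```python
import re
from collections import Counter

# Abridged excerpt of the quoted log above (two bisection steps), quoting kept.
SAMPLE = """\
> testing commit e7cc082455cb49ea937a3ec4ab3d001b0b5f137b with gcc (GCC) 8.1.0
> all runs: OK
> # git bisect good e7cc082455cb49ea937a3ec4ab3d001b0b5f137b
> testing commit 56fd865f46b894681dd7e7f83761243add7a71a3 with gcc (GCC) 8.1.0
> run #0: crashed: WARNING in unlink_anon_vmas
> run #1: crashed: BUG: unable to handle kernel NULL pointer dereference
> in corrupted
> run #4: crashed: BUG: unable to handle kernel paging request in corrupted
> run #6: crashed: WARNING in unlink_anon_vmas
> # git bisect bad 56fd865f46b894681dd7e7f83761243add7a71a3
"""

REPORTED = "WARNING in __rcu_read_unlock"  # title taken from the Subject: line
STARTS = re.compile(r"run #|testing |# git bisect |all runs|Bisecting:|\[")
TESTING = re.compile(r"testing commit ([0-9a-f]{40}) ")
RUN = re.compile(r"run #\d+: crashed: (.+)")
VERDICT = re.compile(r"# git bisect (good|bad) ([0-9a-f]{40})")

def unwrap(text):
    """Strip '> ' quoting and rejoin crash titles that the mailer wrapped."""
    out = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if out and out[-1].startswith("run #") and line and not STARTS.match(line):
            out[-1] += " " + line  # continuation of the previous run line
        else:
            out.append(line)
    return out

def summarize(text, reported=REPORTED):
    """Per tested commit: verdict, crash-title counts, reported title seen?"""
    steps, cur = {}, None
    for line in unwrap(text):
        if m := TESTING.match(line):
            cur = steps.setdefault(m[1], {"verdict": None, "titles": Counter()})
        elif (m := RUN.match(line)) and cur is not None:
            cur["titles"][m[1]] += 1
        elif (m := VERDICT.match(line)) and m[2] in steps:
            steps[m[2]]["verdict"] = m[1]
    return {c: {**s, "reported_seen": reported in s["titles"]} for c, s in steps.items()}

if __name__ == "__main__":
    print({c[:12]: (s["verdict"], dict(s["titles"])) for c, s in summarize(SAMPLE).items()})
```

On this excerpt the bad step carries three distinct crash titles and none of them is the reported one, so the verdict in the log rests on "some run crashed" rather than on a title match.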
