Date: Thu, 4 Feb 2021 15:11:31 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Alexey Gladkov <gladkov.alexey@...il.com>
Cc: 0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
	lkp@...ts.01.org, io-uring@...r.kernel.org,
	Kernel Hardening <kernel-hardening@...ts.openwall.com>,
	Linux Containers <containers@...ts.linux-foundation.org>,
	linux-mm@...ck.org, Alexey Gladkov <legion@...nel.org>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Christian Brauner <christian.brauner@...ntu.com>,
	"Eric W . Biederman" <ebiederm@...ssion.com>,
	Jann Horn <jannh@...gle.com>, Jens Axboe <axboe@...nel.dk>,
	Kees Cook <keescook@...omium.org>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Oleg Nesterov <oleg@...hat.com>
Subject: 0ac0c30c8f: WARNING:at_kernel/ucount.c:#dec_rlimit_ucounts


Greetings,

FYI, we noticed the following commit (built with gcc-9):

commit: 0ac0c30c8ff725f0300cb52c2e63700dcb1dd7be ("Reimplement RLIMIT_MEMLOCK on top of ucounts")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git Alexey-Gladkov/Count-rlimits-in-each-user-namespace/20210201-222426


in testcase: trinity
version: trinity-static-x86_64-x86_64-1c734c75-1_2020-01-06
with the following parameters:

	runtime: 300s

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):


+------------------------------------------------+------------+------------+
|                                                | 82b53805c5 | 0ac0c30c8f |
+------------------------------------------------+------------+------------+
| Oops:#[##]                                     | 4          | 3          |
| RIP:is_ucounts_overlimit                       | 4          | 1          |
| Kernel_panic-not_syncing:Fatal_exception       | 4          | 3          |
| RIP:inc_rlimit_ucounts_and_test                | 0          | 3          |
| WARNING:at_kernel/ucount.c:#dec_rlimit_ucounts | 0          | 1          |
| RIP:dec_rlimit_ucounts                         | 0          | 1          |
+------------------------------------------------+------------+------------+


If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <oliver.sang@...el.com>


[   31.706679] WARNING: CPU: 1 PID: 760 at kernel/ucount.c:291 dec_rlimit_ucounts (kbuild/src/consumer/kernel/ucount.c:291 (discriminator 1)) 
[   31.707605] Modules linked in: mpls_router ip_tunnel af_key vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock vmw_vmci ieee802154_socket ieee802154 hidp bnep rfcomm bluetooth ecdh_generic ecc rfkill can_bcm can_raw can crypto_user nfnetlink scsi_transport_iscsi atm sctp ip6_udp_tunnel udp_tunnel libcrc32c sr_mod cdrom ata_generic ppdev bochs_drm drm_vram_helper drm_ttm_helper ttm drm_kms_helper intel_rapl_msr intel_rapl_common crct10dif_pclmul syscopyarea crc32_pclmul sysfillrect crc32c_intel sysimgblt fb_sys_fops ghash_clmulni_intel rapl drm ata_piix joydev serio_raw parport_pc parport i2c_piix4 libata
[   31.713767] CPU: 1 PID: 760 Comm: kworker/1:3 Not tainted 5.11.0-rc2-00008-g0ac0c30c8ff7 #1
[   31.714811] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[   31.715844] Workqueue: events free_ipc
[   31.716626] RIP: 0010:dec_rlimit_ucounts (kbuild/src/consumer/kernel/ucount.c:291 (discriminator 1)) 
[ 31.717485] Code: 01 49 89 c0 48 89 c6 49 29 d0 f0 4c 0f b1 01 48 39 c6 75 ed 48 85 c0 78 11 48 8b 47 10 48 8b b8 e0 01 00 00 48 85 ff 75 d1 c3 <0f> 0b eb eb 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 2e 0f 1f 84 00
All code
========
   0:	01 49 89             	add    %ecx,-0x77(%rcx)
   3:	c0 48 89 c6          	rorb   $0xc6,-0x77(%rax)
   7:	49 29 d0             	sub    %rdx,%r8
   a:	f0 4c 0f b1 01       	lock cmpxchg %r8,(%rcx)
   f:	48 39 c6             	cmp    %rax,%rsi
  12:	75 ed                	jne    0x1
  14:	48 85 c0             	test   %rax,%rax
  17:	78 11                	js     0x2a
  19:	48 8b 47 10          	mov    0x10(%rdi),%rax
  1d:	48 8b b8 e0 01 00 00 	mov    0x1e0(%rax),%rdi
  24:	48 85 ff             	test   %rdi,%rdi
  27:	75 d1                	jne    0xfffffffffffffffa
  29:	c3                   	retq   
  2a:*	0f 0b                	ud2    		<-- trapping instruction
  2c:	eb eb                	jmp    0x19
  2e:	66 66 2e 0f 1f 84 00 	data16 nopw %cs:0x0(%rax,%rax,1)
  35:	00 00 00 00 
  39:	66                   	data16
  3a:	66                   	data16
  3b:	2e                   	cs
  3c:	0f                   	.byte 0xf
  3d:	1f                   	(bad)  
  3e:	84 00                	test   %al,(%rax)

Code starting with the faulting instruction
===========================================
   0:	0f 0b                	ud2    
   2:	eb eb                	jmp    0xffffffffffffffef
   4:	66 66 2e 0f 1f 84 00 	data16 nopw %cs:0x0(%rax,%rax,1)
   b:	00 00 00 00 
   f:	66                   	data16
  10:	66                   	data16
  11:	2e                   	cs
  12:	0f                   	.byte 0xf
  13:	1f                   	(bad)  
  14:	84 00                	test   %al,(%rax)
[   31.719705] RSP: 0018:ffffa61e002e7dd0 EFLAGS: 00010286
[   31.720626] RAX: fffffffffffffe00 RBX: ffff89896b751800 RCX: ffff89894012da48
[   31.721648] RDX: 00000000000a1c00 RSI: fffffffffffffe00 RDI: ffff89894012d9c0
[   31.722688] RBP: ffff89896b799f00 R08: fffffffffff5e200 R09: 0000000000000088
[   31.723717] R10: 0000000000000000 R11: ffff89896a6ab918 R12: ffff898969bd6400
[   31.724743] R13: 0000000000000001 R14: ffff89896b799f00 R15: ffff89896b751800
[   31.725757] FS:  0000000000000000(0000) GS:ffff898a77d00000(0000) knlGS:0000000000000000
[   31.726743] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   31.727891] CR2: 00007f98a32e22fc CR3: 000000012e20c000 CR4: 00000000000406e0
[   31.729080] DR0: 0000000000000000 DR1: 00007f98a1bd1000 DR2: 00007f98a22d1000
[   31.729880] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
[   31.730674] Call Trace:
[   31.731292] shm_destroy (kbuild/src/consumer/ipc/shm.c:293) 
[   31.731936] free_ipcs (kbuild/src/consumer/ipc/namespace.c:106 (discriminator 2)) 
[   31.732569] ? shm_destroy (kbuild/src/consumer/ipc/shm.c:114) 
[   31.733224] shm_exit_ns (kbuild/src/consumer/ipc/shm.c:132) 
[   31.733855] free_ipc (kbuild/src/consumer/ipc/namespace.c:29 (discriminator 6) kbuild/src/consumer/ipc/namespace.c:128 (discriminator 6) kbuild/src/consumer/ipc/namespace.c:141 (discriminator 6)) 
[   31.734479] process_one_work (kbuild/src/consumer/arch/x86/include/asm/jump_label.h:25 kbuild/src/consumer/include/linux/jump_label.h:200 kbuild/src/consumer/include/trace/events/workqueue.h:108 kbuild/src/consumer/kernel/workqueue.c:2280) 
[   31.735136] ? process_one_work (kbuild/src/consumer/kernel/workqueue.c:2364) 
[   31.735777] worker_thread (kbuild/src/consumer/include/linux/list.h:282 kbuild/src/consumer/kernel/workqueue.c:2422) 
[   31.736416] ? process_one_work (kbuild/src/consumer/kernel/workqueue.c:2364) 
[   31.737065] kthread (kbuild/src/consumer/kernel/kthread.c:292) 
[   31.737656] ? kthread_park (kbuild/src/consumer/kernel/kthread.c:245) 
[   31.738275] ret_from_fork (kbuild/src/consumer/arch/x86/entry/entry_64.S:302) 
[   31.738890] ---[ end trace 7a58348982bc0099 ]---
[  306.675403] sh: can't kill pid 503: No such process
[  313.160211] sysrq: Emergency Sync
[  313.160911] sysrq: Resetting
[  313.1612
Kboot worker: lkp-worker60
Elapsed time: 360

kvm=(
qemu-system-x86_64
-enable-kvm
-cpu SandyBridge
-kernel $kernel
-initrd initrd-vm-snb-91.cgz
-m 8192
-smp 2
-device e1000,netdev=net0
-netdev user,id=net0,hostfwd=tcp::32032-:22
-boot order=nc
-no-reboot
-watchdog i6300esb
-watchdog-action debug
-rtc base=localtime
-serial stdio
-display none
-monitor null
)

append=(
ip=::::vm-snb-91::dhcp
root=/dev/ram0
user=lkp
job=/job-script
ARCH=x86_64
kconfig=x86_64-rhel-8.3-kbuiltin
branch=linux-devel/devel-catchup-20210202-110043
commit=0ac0c30c8ff725f0300cb52c2e63700dcb1dd7be
BOOT_IMAGE=/pkg/linux/x86_64-rhel-8.3-kbuiltin/gcc-9/0ac0c30c8ff725f0300cb52c2e63700dcb1dd7be/vmlinuz-5.11.0-rc2-00008-g0ac0c30c8ff7
vmalloc=512M
max_uptime=2100
RESULT_ROOT=/result/trinity/300s/vm-snb/yocto-x86_64-minimal-20190520.cgz/x86_64-rhel-8.3-kbuiltin/gcc-9/0ac0c30c8ff725f0300cb52c2e63700dcb1dd7be/0
result_service=tmpfs
selinux=0
debug
apic=debug
sysrq_always_enabled
rcupdate.rcu_cpu_stall_timeout=100
net.ifnames=0
printk.devkmsg=on
panic=-1
softlockup_panic=1
nmi_watchdog=panic
oops=panic
load_ramdisk=2
prompt_ramdisk=0
drbd.minor_count=8
systemd.log_level=err
ignore_loglevel
console=tty0
earlyprintk=ttyS0,115200
console=ttyS0,115200
vga=normal
rw
rcuperf.shutdown=0
watchdog_thresh=240
)

"${kvm[@]}" -append "${append[*]}"


To reproduce:

        # build kernel
        cd linux
        cp config-5.11.0-rc2-00008-g0ac0c30c8ff7 .config
        make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email



Thanks,
Oliver Sang


View attachment "config-5.11.0-rc2-00008-g0ac0c30c8ff7" of type "text/plain" (171262 bytes)

View attachment "job-script" of type "text/plain" (4117 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (14472 bytes)

View attachment "trinity" of type "text/plain" (2788 bytes)
