kernel BUG at kernel/futex.c:679 on v4.13-rc3-ish on arm64

From: Mark Rutland
Date: Tue Aug 08 2017 - 06:53:18 EST


Hi,

As a heads-up, I hit the below splat when using Syzkaller to fuzz arm64
VMAP_STACK patches [1] atop v4.13-rc3. I haven't hit anything else
major, and so far I haven't had any luck reproducing this, so it may be
an existing issue that's difficult to hit.

Note that while reported as a BUG(), it's actually the WARN_ON_ONCE()
introduced in commit:

65d8fc777f6dcfee ("futex: Remove requirement for lock_page() in get_futex_key()")

... misreported as I accidentally throw away the flags in __BUG_FLAGS().
Other than that, I believe BUG() and friends are working correctly.

The Syzkaller log is huge (1.0M), so rather than attaching it, I've
uploaded the log, report, and kernel config to:

http://data.yaey.co.uk/bugs/20170808-futex-bug/

I'll continue trying to reproduce and minimize this.

Thanks,
Mark.

[1] git://git.kernel.org/pub/scm/linux/kernel/git/mark/linux.git arm64/vmap-stack

------------[ cut here ]------------
kernel BUG at kernel/futex.c:679!
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 3695 Comm: syz-executor1 Not tainted 4.13.0-rc3-00020-g307fec773ba3 #3
Hardware name: linux,dummy-virt (DT)
task: ffff80001e271780 task.stack: ffff000010908000
PC is at get_futex_key+0x6a4/0xcf0 kernel/futex.c:679
LR is at get_futex_key+0x6a4/0xcf0 kernel/futex.c:679
pc : [<ffff00000821ac14>] lr : [<ffff00000821ac14>] pstate: 80000145
sp : ffff00001090bab0
x29: ffff00001090bab0 x28: 0000000000000000
x27: 0000000000000000 x26: 0000000000000000
x25: ffff00000998f000 x24: ffff00001090bbc0
x23: ffff80001e2a56d8 x22: ffff000009a4f000
x21: 0000000020bc6000 x20: ffff80001e2a56b8
x19: ffff7e00005dbf00 x18: ffff80001e272018
x17: 0000000000826000 x16: ffff00000821f790
x15: ffff00000a608000 x14: ffff00000a608fc0
x13: 0000000000000038 x12: ffff000009d3c000
x11: 7f7f7f7f7f7f7f7f x10: 0000000000000002
x9 : ffff00000998fb88 x8 : ffff80001e272018
x7 : ffff00000821a6b4 x6 : 0000000000000000
x5 : 0000000000000001 x4 : 0000000000000000
x3 : 0000000000000000 x2 : 0000000000000001
x1 : 0000000000040d00 x0 : 0000000000000000
Process syz-executor1 (pid: 3695, stack limit = 0xffff000010908000)
Stack: (0xffff00001090bab0 to 0xffff00001090c000)
baa0: ffff00001090bb50 ffff00000821d668
bac0: ffff80001e271780 ffff00000998f000 0000000000000001 ffff00001090bbc0
bae0: 0000000020bc626c ffff00001090bc20 0000000020bc6000 0000000000000000
bb00: 0000000000000001 00000000ffffffff ffff00001090bb30 ffff000009a74420
bb20: ffff000009a73610 ffff80001deec800 000000001090bb50 ffff80001e2a54d0
bb40: ffff7e00005dbf00 0000000000040d00 ffff00001090bd00 ffff00000821e81c
bb60: 0000000020bc6000 0000000020bc626c ffff00000998f000 000000000000000b
bb80: 000000000000000b 0000000000000000 0000000000000000 ffff00001090bea0
bba0: 0000000000000001 0000000000000001 000000000000042e 0000000000040d00
bbc0: 0000000000000000 0000000000000000 000000000000026c ffff00001090bbd8
bbe0: 0000000000000000 0000000000000000 00000000009959d0 0000000000989680
bc00: ffff0000081f73e0 ffff80001ffd34c0 0000000000000000 ffff80001e271780
bc20: ffff00001090bc20 1111111111111111 1111111111111111 ffff00001090bc38
bc40: 1111111111111111 1111111111111111 0000000000000000 1111111111111111
bc60: 1111111111111111 0000000000000000 1111111111111111 1111111111111111
bc80: 1111111111111111 0000000000000000 0000000000000000 0000000000000000
bca0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
bcc0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
bce0: 0000000000000000 0000000000000000 00000000ffffffff 0000000000040d00
bd00: ffff00001090be40 ffff00000821f850 000000000000000b ffff00000998f000
bd20: 0000000020bc6000 000000000000000b 0000000000000000 0000000020bc6000
bd40: 0000000000000000 0000000020bc626c 0000000000000001 ffff00001090bea0
bd60: ffff000009d3c000 0000000000000038 ffff00000a608fc0 ffff00000a608000
bd80: ffff00000821f790 0000000000826000 ffff80001e272018 000000000000000b
bda0: ffff00000998f000 0000000020bc6000 000000000000000b ffff80001e271780
bdc0: 0000000020bc6000 0000000000000000 0000000020bc626c ffffffff00000001
bde0: ffff80001e271780 ffff00001090be40 ffff00000821f8d8 ffff00001090be40
be00: ffff00001090be40 ffff00000821f830 000000000000000b ffff00000998f000
be20: 0000000020bc6000 000000000000000b 0000000000000043 0000000000040d00
be40: ffff00001090bff0 ffff0000080837b0 0000000000000000 0000800016662000
be60: ffffffffffffffff 000000000042cff4 00000000a0000000 0000000000000015
be80: 0000000000000124 0000000000000062 ffff0000093d1000 ffff80001e271780
bea0: 0000000000989680 0000000000000000 0000000000989680 0000000000040d00
bec0: 0000000020bc6000 000000000000000b 0000000000000000 0000000020bc6000
bee0: 0000000020bc626c 0000000000000001 0000000000000000 0000000000000000
bf00: 0000000000000062 7f7fffffffffffff ff227262752e7564 7f7f7f7f7f7f7f7f
bf20: 0101010101010101 0000000000000038 000000000000003f 0000000000000001
bf40: 0000000000000000 0000000000826000 0000000000000000 00000000004c0008
bf60: 00000000ffffffff 0000000020bc6000 000000000000000b 000000000046e250
bf80: 00000000004a87f8 000000000046f380 0000fffffc994b80 0000000000000000
bfa0: 0000ffff8b77bf60 0000ffff8b77b640 00000000004020e4 0000ffff8b77b640
bfc0: 000000000042cff4 00000000a0000000 0000000020bc6000 0000000000000062
bfe0: 0000000000000000 0000000000000000 0000000000000000 000000000042cff4
Call trace:
Exception stack(0xffff00001090b970 to 0xffff00001090bab0)
b960: 0000000000000000 0000000000040d00
b980: 0000000000000001 0000000000000000 0000000000000000 0000000000000001
b9a0: 0000000000000000 ffff00000821a6b4 ffff80001e272018 ffff00000998fb88
b9c0: 0000000000000002 7f7f7f7f7f7f7f7f ffff000009d3c000 0000000000000038
b9e0: ffff00000a608fc0 ffff00000a608000 ffff00000821f790 0000000000826000
ba00: ffff80001e272018 ffff7e00005dbf00 ffff80001e2a56b8 0000000020bc6000
ba20: ffff000009a4f000 ffff80001e2a56d8 ffff00001090bbc0 ffff00000998f000
ba40: 0000000000000000 0000000000000000 0000000000000000 ffff00001090bab0
ba60: ffff00000821ac14 ffff00001090bab0 ffff00000821ac14 0000000080000145
ba80: ffff7e00005dbf00 ffff80001e2a56b8 0001000000000000 ffff000009a4f000
baa0: ffff00001090bab0 ffff00000821ac14
[<ffff00000821ac14>] get_futex_key+0x6a4/0xcf0 kernel/futex.c:679
[<ffff00000821d668>] futex_wait_requeue_pi.constprop.5+0x108/0x5f8 kernel/futex.c:3008
[<ffff00000821e81c>] do_futex+0x194/0x1108 kernel/futex.c:3412
[<ffff00000821f850>] SYSC_futex kernel/futex.c:3453 [inline]
[<ffff00000821f850>] SyS_futex+0xc0/0x200 kernel/futex.c:3421
Exception stack(0xffff00001090bec0 to 0xffff00001090c000)
bec0: 0000000020bc6000 000000000000000b 0000000000000000 0000000020bc6000
bee0: 0000000020bc626c 0000000000000001 0000000000000000 0000000000000000
bf00: 0000000000000062 7f7fffffffffffff ff227262752e7564 7f7f7f7f7f7f7f7f
bf20: 0101010101010101 0000000000000038 000000000000003f 0000000000000001
bf40: 0000000000000000 0000000000826000 0000000000000000 00000000004c0008
bf60: 00000000ffffffff 0000000020bc6000 000000000000000b 000000000046e250
bf80: 00000000004a87f8 000000000046f380 0000fffffc994b80 0000000000000000
bfa0: 0000ffff8b77bf60 0000ffff8b77b640 00000000004020e4 0000ffff8b77b640
bfc0: 000000000042cff4 00000000a0000000 0000000020bc6000 0000000000000062
bfe0: 0000000000000000 0000000000000000 0000000000000000 000000000042cff4
[<ffff0000080837b0>] el0_svc_naked+0x24/0x28
[<000000000042cff4>] 0x42cff4
Code: 97fffbeb 17fffefd d503201f 94017212 (d4210000)
---[ end trace b28460ea0c9812d7 ]---
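The misreport described above comes down to one field: on arm64 BUG() and WARN_ON_ONCE() trap through the same brk instruction, and report_bug() decides between "kernel BUG at" (the task dies) and a WARNING (execution continues) purely from the flags word of the matching __bug_table entry. The following is an added, user-space C model of that decision; it is neither Mark's code nor the kernel's. The struct layout (absolute addresses instead of the kernel's relative displacements), the emit_bug_entry() helper with its keep_flags switch, and the message formats are simplifications made for the example; the site address and file:line are copied from the splat. With the flags dropped, a WARN_ON_ONCE() site is reported exactly as above; with them kept, the first hit is a WARNING and the second is silent.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag bits, as laid out in the kernel's include/asm-generic/bug.h. */
#define BUGFLAG_WARNING (1 << 0)
#define BUGFLAG_ONCE    (1 << 1)
#define BUGFLAG_DONE    (1 << 2)

enum bug_trap_type {
    BUG_TRAP_TYPE_NONE = 0,
    BUG_TRAP_TYPE_WARN = 1,
    BUG_TRAP_TYPE_BUG  = 2,
};

/* Simplified model of struct bug_entry (absolute address, not a displacement). */
struct bug_entry {
    uint64_t bug_addr;
    const char *file;
    unsigned short line;
    unsigned short flags;
};

/* Model of what __BUG_FLAGS() emits into __bug_table for one trap site.
 * keep_flags == 0 reproduces the mistake described in the mail: the entry
 * is written with flags == 0 whatever the caller asked for. */
static void emit_bug_entry(struct bug_entry *e, uint64_t addr, const char *file,
                           unsigned short line, unsigned short flags, int keep_flags)
{
    e->bug_addr = addr;
    e->file = file;
    e->line = line;
    e->flags = keep_flags ? flags : 0;
}

static struct bug_entry *find_bug(struct bug_entry *tbl, size_t n, uint64_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (tbl[i].bug_addr == addr)
            return &tbl[i];
    return NULL;
}

/* Model of lib/bug.c report_bug(): the brk handler asks this whether the
 * trap is a WARN (print, then continue) or a BUG (die). */
static enum bug_trap_type report_bug(struct bug_entry *tbl, size_t n, uint64_t addr,
                                     char *msg, size_t msglen)
{
    struct bug_entry *bug = find_bug(tbl, n, addr);
    if (!bug) {
        snprintf(msg, msglen, "no bug_entry for %#llx", (unsigned long long)addr);
        return BUG_TRAP_TYPE_NONE;
    }

    int warning = (bug->flags & BUGFLAG_WARNING) != 0;
    int once    = (bug->flags & BUGFLAG_ONCE) != 0;
    int done    = (bug->flags & BUGFLAG_DONE) != 0;

    /* _ONCE sites: report the first hit, mark the entry, stay quiet after. */
    if (warning && once) {
        if (done) {
            msg[0] = '\0';
            return BUG_TRAP_TYPE_WARN;
        }
        bug->flags |= BUGFLAG_DONE;
    }

    if (warning) {
        snprintf(msg, msglen, "WARNING: at %s:%u", bug->file, bug->line);
        return BUG_TRAP_TYPE_WARN;
    }

    /* No WARNING bit: this is treated as a real BUG(), the task is killed. */
    snprintf(msg, msglen, "kernel BUG at %s:%u!", bug->file, bug->line);
    return BUG_TRAP_TYPE_BUG;
}

/* Hit one WARN_ON_ONCE() site twice. Returns the first trap type and its
 * message; *second receives the trap type of the second hit. Site address
 * and file:line are the PC and location from the splat in the mail. */
static enum bug_trap_type hit_warn_on_once_twice(int keep_flags, enum bug_trap_type *second,
                                                 char *first_msg, size_t len)
{
    struct bug_entry tbl[1];
    const uint64_t site = 0xffff00000821ac14ULL;
    char tmp[128];

    emit_bug_entry(&tbl[0], site, "kernel/futex.c", 679,
                   BUGFLAG_WARNING | BUGFLAG_ONCE, keep_flags);
    enum bug_trap_type first = report_bug(tbl, 1, site, first_msg, len);
    *second = report_bug(tbl, 1, site, tmp, sizeof tmp);
    return first;
}

int main(void)
{
    enum bug_trap_type second;
    char msg[128];
    enum bug_trap_type t = hit_warn_on_once_twice(1, &second, msg, sizeof msg);
    printf("flags kept:    first=%d (%s) second=%d\n", t, msg, second);
    t = hit_warn_on_once_twice(0, &second, msg, sizeof msg);
    printf("flags dropped: first=%d (%s) second=%d\n", t, msg, second);
    return 0;
}
```

The practical consequence is the one visible in the trace: with the flags lost, the handler takes the BUG path ("Internal error: Oops - BUG"), so a condition the futex code chose to merely warn about instead kills the task, and a real BUG() in the same build is indistinguishable from a WARN_ON_ONCE() until the flags are restored.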