[syzkaller] KASAN: null-ptr-deref Write in add_wait_queue #100
Comments
|
Closes thanks to Paolo's patch: e3514ae |
jenkins-tessares
pushed a commit
that referenced
this issue
Oct 23, 2021
With PREEMPT_COUNT=y, when a CPU is offlined and then onlined again, we get: BUG: scheduling while atomic: swapper/1/0/0x00000000 no locks held by swapper/1/0. CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.15.0-rc2+ #100 Call Trace: dump_stack_lvl+0xac/0x108 __schedule_bug+0xac/0xe0 __schedule+0xcf8/0x10d0 schedule_idle+0x3c/0x70 do_idle+0x2d8/0x4a0 cpu_startup_entry+0x38/0x40 start_secondary+0x2ec/0x3a0 start_secondary_prolog+0x10/0x14 This is because powerpc's arch_cpu_idle_dead() decrements the idle task's preempt count, for reasons explained in commit a7c2bb8 ("powerpc: Re-enable preemption before cpu_die()"), specifically "start_secondary() expects a preempt_count() of 0." However, since commit 2c669ef ("powerpc/preempt: Don't touch the idle task's preempt_count during hotplug") and commit f1a0a37 ("sched/core: Initialize the idle task with preemption disabled"), that justification no longer holds. The idle task isn't supposed to re-enable preemption, so remove the vestigial preempt_enable() from the CPU offline path. Tested with pseries and powernv in qemu, and pseries on PowerVM. Fixes: 2c669ef ("powerpc/preempt: Don't touch the idle task's preempt_count during hotplug") Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com> Reviewed-by: Valentin Schneider <valentin.schneider@arm.com> Reviewed-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Link: https://lore.kernel.org/r/20211015173902.2278118-1-nathanl@linux.ibm.com
jenkins-tessares
pushed a commit
that referenced
this issue
Apr 14, 2023
Currently, test_progs outputs all stdout/stderr as it runs, and when it
is done, prints a summary.
It is non-trivial for tooling to parse that output and extract meaningful
information from it.
This change adds a new option, `--json-summary`/`-J` that let the caller
specify a file where `test_progs{,-no_alu32}` can write a summary of the
run in a json format that can later be parsed by tooling.
Currently, it creates a summary section with successes/skipped/failures
followed by a list of failed tests and subtests.
A test contains the following fields:
- name: the name of the test
- number: the number of the test
- message: the log message that was printed by the test.
- failed: A boolean indicating whether the test failed or not. Currently
we only output failed tests, but in the future, successful tests could
be added.
- subtests: A list of subtests associated with this test.
A subtest contains the following fields:
- name: same as above
- number: sanme as above
- message: the log message that was printed by the subtest.
- failed: same as above but for the subtest
An example run and json content below:
```
$ sudo ./test_progs -a $(grep -v '^#' ./DENYLIST.aarch64 | awk '{print
$1","}' | tr -d '\n') -j -J /tmp/test_progs.json
$ jq < /tmp/test_progs.json | head -n 30
{
"success": 29,
"success_subtest": 23,
"skipped": 3,
"failed": 28,
"results": [
{
"name": "bpf_cookie",
"number": 10,
"message": "test_bpf_cookie:PASS:skel_open 0 nsec\n",
"failed": true,
"subtests": [
{
"name": "multi_kprobe_link_api",
"number": 2,
"message": "kprobe_multi_link_api_subtest:PASS:load_kallsyms 0 nsec\nlibbpf: extern 'bpf_testmod_fentry_test1' (strong): not resolved\nlibbpf: failed to load object 'kprobe_multi'\nlibbpf: failed to load BPF skeleton 'kprobe_multi': -3\nkprobe_multi_link_api_subtest:FAIL:fentry_raw_skel_load unexpected error: -3\n",
"failed": true
},
{
"name": "multi_kprobe_attach_api",
"number": 3,
"message": "libbpf: extern 'bpf_testmod_fentry_test1' (strong): not resolved\nlibbpf: failed to load object 'kprobe_multi'\nlibbpf: failed to load BPF skeleton 'kprobe_multi': -3\nkprobe_multi_attach_api_subtest:FAIL:fentry_raw_skel_load unexpected error: -3\n",
"failed": true
},
{
"name": "lsm",
"number": 8,
"message": "lsm_subtest:PASS:lsm.link_create 0 nsec\nlsm_subtest:FAIL:stack_mprotect unexpected stack_mprotect: actual 0 != expected -1\n",
"failed": true
}
```
The file can then be used to print a summary of the test run and list of
failing tests/subtests:
```
$ jq -r < /tmp/test_progs.json '"Success: \(.success)/\(.success_subtest), Skipped: \(.skipped), Failed: \(.failed)"'
Success: 29/23, Skipped: 3, Failed: 28
$ jq -r < /tmp/test_progs.json '.results | map([
if .failed then "#\(.number) \(.name)" else empty end,
(
. as {name: $tname, number: $tnum} | .subtests | map(
if .failed then "#\($tnum)/\(.number) \($tname)/\(.name)" else empty end
)
)
]) | flatten | .[]' | head -n 20
#10 bpf_cookie
#10/2 bpf_cookie/multi_kprobe_link_api
#10/3 bpf_cookie/multi_kprobe_attach_api
#10/8 bpf_cookie/lsm
#15 bpf_mod_race
#15/1 bpf_mod_race/ksym (used_btfs UAF)
#15/2 bpf_mod_race/kfunc (kfunc_btf_tab UAF)
#36 cgroup_hierarchical_stats
#61 deny_namespace
#61/1 deny_namespace/unpriv_userns_create_no_bpf
#73 fexit_stress
#83 get_func_ip_test
#99 kfunc_dynptr_param
#99/1 kfunc_dynptr_param/dynptr_data_null
#99/4 kfunc_dynptr_param/dynptr_data_null
#100 kprobe_multi_bench_attach
#100/1 kprobe_multi_bench_attach/kernel
#100/2 kprobe_multi_bench_attach/modules
#101 kprobe_multi_test
#101/1 kprobe_multi_test/skel_api
```
Signed-off-by: Manu Bretelle <chantr4@gmail.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20230317163256.3809328-1-chantr4@gmail.com
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
HEAD is at:
2229aa4 ("DO-NOT-MERGE: mptcp: enabled by default") (HEAD, tag: export/20201015T052017, mptcp_net-next/export) (13 hours ago)
e3a6adb ("DO-NOT-MERGE: mptcp: use kmalloc on kasan build") (13 hours ago)
a70060b ("mptcp: send explicit ack on delayed ack_seq incr") (13 hours ago)
374eed7 ("mptcp: keep track of advertised windows right edge") (13 hours ago)
8378c1a ("mptcp: rework poll+nospace handling") (13 hours ago)
d8463fb ("mptcp: try to push pending data on snd una updates") (13 hours ago)
b731900 ("mptcp: move page frag allocation in mptcp_sendmsg()") (13 hours ago)
87c30b9 ("mptcp: refactor shutdown and close") (13 hours ago)
52f3620 ("mptcp: introduce MPTCP snd_nxt") (13 hours ago)
6f3da02 ("mptcp: add accounting for pending data") (13 hours ago)
29341dc ("mptcp: reduce the arguments of mptcp_sendmsg_frag") (13 hours ago)
f39e064 ("mptcp: introduce mptcp_schedule_work") (13 hours ago)
d22ae16 ("tcp: factor out __tcp_close() helper") (13 hours ago)
f584bdd ("selftests: mptcp: add ADD_ADDR timeout test case") (13 hours ago)
4e829f2 ("mptcp: add a new sysctl add_addr_timeout") (13 hours ago)
c8f08dc ("mptcp: split mptcp_clean_una function") (13 hours ago)
ab67d80 ("tcp: propagate MPTCP skb extensions on xmit splits") (13 hours ago)
503d07b ("mptcp: use _fast lock version in __mptcp_move_skbs") (13 hours ago)
682ae73 ("mptcp: adjust mptcp receive buffer limit if subflow has larger one") (13 hours ago)
b112bb7 ("bpf:selftests: add bpf_mptcp_sock() verifier tests") (13 hours ago)
54ad37c ("bpf:selftests: add MPTCP test base") (13 hours ago)
99fa4f0 ("bpf: add 'bpf_mptcp_sock' structure and helper") (13 hours ago)
ab21791 ("mptcp: attach subflow socket to parent cgroup") (13 hours ago)
7d0ec46 ("bpf: expose is_mptcp flag to bpf_tcp_sock") (13 hours ago)
7708163 ("net: mptcp: make DACK4/DACK8 usage consistent among all subflows") (13 hours ago)
d477456 ("mptcp: subflows garbage collection") (13 hours ago)
4a9600a ("mptcp: fix fallback for MP_JOIN subflows") (13 hours ago)
d25e2e9 ("netfilter: restore NF_INET_NUMHOOKS") (mptcp_net-next/net-next) (15 hours ago)
5017273 ("Merge tag 'mlx5-updates-2020-10-12' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux") (2 days ago)
syzkaller-repro:
The text was updated successfully, but these errors were encountered: