BUG:soft lockup - CPU#0 stuck for 36s! rcu_core_si kernel/rcu/tree.c:2807
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux-hwe-5.13 (Ubuntu) | New | Undecided | Unassigned |
linux-hwe-5.15 (Ubuntu) | New | Undecided | Unassigned |
Bug Description
We would like to report the following bug which has been found by our modified version of syzkaller.
rcu_core_si in kernel/
description: BUG: soft lockup in rcu_core_si
affected file: kernel/rcu/tree.c
kernel version: 5.13
kernel config, syzkaller reproducer and raw console output are all in the attachments.
=======
Crash log:
=======
watchdog: BUG: soft lockup - CPU#0 stuck for 36s! [syz-executor.
Modules linked in:
CPU: 0 PID: 14479 Comm: syz-executor.6 Not tainted 5.13.19+ #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:cred_label security/
RIP: 0010:apparmor_
Code: 01 00 00 48 63 1d a1 fd 4d 02 49 03 5c 24 78 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 80 3c 02 00 0f 85 08 01 00 00 <4c> 8b 2b 4d 85 ed 74 68 e8 74 53 4b ff be 04 00 00 00 4c 89 ef bb
RSP: 0018:ffff888056
RAX: dffffc0000000000 RBX: ffff888005c8fc80 RCX: ffffffff967eb4fd
RDX: 1ffff11000b91f90 RSI: 0000000000000100 RDI: ffff888005821000
RBP: ffff888056609de8 R08: 0000000000000001 R09: ffffed1000b04201
R10: ffff888005821003 R11: ffffed1000b04200 R12: ffff888005821000
R13: ffff888005821000 R14: ffff888005821078 R15: ffff888007ba8000
FS: 00007f5f81a4070
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe8252bb80 CR3: 0000000003cf6006 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<IRQ>
security_
put_cred_
rcu_do_batch kernel/
rcu_core+
rcu_core_
__do_softirq+
invoke_softirq kernel/
__irq_exit_rcu kernel/
irq_exit_
sysvec_
</IRQ>
<TASK>
asm_sysvec_
RIP: 0010:0xffffffff
Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 0f 1f 44 00 00 <55> 48 89 e5 53 41 55 31 c0 45 31 ed 48 89 fb b8 ff ff ff 7f 41 5d
RSP: 0018:ffff888006
RAX: ffffffffc01e07fc RBX: 000000007fff0000 RCX: ffffffff95ccef6a
RDX: ffff888007ba8000 RSI: ffffc90000763048 RDI: ffff888006ec7e10
RBP: ffff888006ec7eb8 R08: 0000000000000001 R09: ffffed1005374c87
R10: ffff888029ba6437 R11: ffffed1005374c86 R12: ffff888006ec7e10
R13: ffff888029ba6400 R14: ffffc90000763000 R15: dffffc0000000000
</TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 27 Comm: khungtaskd Not tainted 5.13.19+ #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:check_
RIP: 0010:watchdog+
Code: 45 a8 e8 e2 74 fd ff 49 8d 87 40 03 00 00 48 b9 00 00 00 00 00 fc ff df 48 89 45 c0 48 c1 e8 03 80 3c 08 00 0f 85 dd 07 00 00 <49> 8b 9f 40 03 00 00 48 be 00 00 00 00 00 fc ff df 4c 8d 63 10 4c
RSP: 0000:ffff888001
RAX: 1ffff11000dea98b RBX: ffff88800669b630 RCX: dffffc0000000000
RDX: ffff888001d6a080 RSI: 0000000000000000 RDI: ffff888005e4c918
RBP: ffff888001d77f00 R08: 0000000000000001 R09: fffffbfff34354d9
R10: ffffffff9a1aa6c7 R11: fffffbfff34354d8 R12: ffff88800669c010
R13: 00000000003fff85 R14: 0000000100021a4b R15: ffff888006f54918
FS: 000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffcc3c83ce8 CR3: 0000000004310004 CR4: 0000000000770ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
kthread+
ret_from_
</TASK>
----------------
Code disassembly (best guess):
0: 01 00 add %eax,(%rax)
2: 00 48 63 add %cl,0x63(%rax)
5: 1d a1 fd 4d 02 sbb $0x24dfda1,%eax
a: 49 03 5c 24 78 add 0x78(%r12),%rbx
f: 48 b8 00 00 00 00 00 movabs $0xdffffc000000
16: fc ff df
19: 48 89 da mov %rbx,%rdx
1c: 48 c1 ea 03 shr $0x3,%rdx
20: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
24: 0f 85 08 01 00 00 jne 0x132
* 2a: 4c 8b 2b mov (%rbx),%r13 <-- trapping instruction
2d: 4d 85 ed test %r13,%r13
30: 74 68 je 0x9a
32: e8 74 53 4b ff callq 0xff4b53ab
37: be 04 00 00 00 mov $0x4,%esi
3c: 4c 89 ef mov %r13,%rdi
3f: bb .byte 0xbb
--
information type: Private Security → Public Security
@saltf1sh, thanks for reporting this, however, the 5.13 kernel is no longer supported (since July 2022). Are you able to reproduce the problem on a kernel version that's still supported (like 5.4 or 5.15)?