[BUG] random: crash via credit_entropy_bits

From: Jiri Olsa
Date: Fri Sep 09 2016 - 11:39:00 EST


hi,
when printing out some early acpi messages I hit a bug in
the work queue code.. the system_wq is not initialized at
the time acpi_early_init is called and that causes an irq storm
(I assume) that makes credit_entropy_bits call schedule_work
and crash:

[ 286.521659] BUG: unable to handle kernel NULL pointer dereference at 0000000000000102
[ 286.521660] IP: [<ffffffff810bc282>] __queue_work+0x32/0x450
[ 286.521664] PGD 0
[ 286.521666] Oops: 0000 [#1] SMP
[ 286.521666] Modules linked in:
[ 286.521669] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.8.0-rc5tip+ #263
[ 286.521669] Hardware name: IBM System x3650 M4 : -[7915E2G]-/00Y7683, BIOS -[VVE124AUS-1.30]- 11/21/2012
[ 286.521670] task: ffffffff81c0d4c0 task.stack: ffffffff81c00000
[ 286.521671] RIP: 0010:[<ffffffff810bc282>] [<ffffffff810bc282>] __queue_work+0x32/0x450
[ 286.521673] RSP: 0000:ffff880277a03e38 EFLAGS: 00010046
[ 286.521674] RAX: 0000000000000092 RBX: 0000000000000087 RCX: 0000000000000000
[ 286.521675] RDX: ffffffff81cd3460 RSI: 0000000000000000 RDI: 0000000000000040
[ 286.521675] RBP: ffff880277a03e78 R08: 0000000000000000 R09: 0000000000007ffe
[ 286.521676] R10: 0000000006bf0603 R11: 0000000000000068 R12: 0000000000000040
[ 286.521677] R13: 0000000000000000 R14: ffffffff81cd3460 R15: ffffffff81cd3510
[ 286.521678] FS: 0000000000000000(0000) GS:ffff880277a00000(0000) knlGS:0000000000000000
[ 286.521679] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 286.521679] CR2: 0000000000000102 CR3: 0000000001c06000 CR4: 00000000000406b0
[ 286.521680] Stack:
[ 286.521681] ffff880277a03e48 ffffffff817b5dc6 0000004077a03e58 0000000000000087
[ 286.521682] ffffffff81cd34c0 ffffffff814f0f82 0000000000008000 ffffffff81cd3510
[ 286.521684] ffff880277a03e90 ffffffff810bcc47 0000000000000381 ffff880277a03ed8
[ 286.521686] Call Trace:
[ 286.521686] <IRQ> [ 286.521689] [<ffffffff817b5dc6>] ? _raw_write_unlock_irqrestore+0x16/0x20
[ 286.521692] [<ffffffff814f0f82>] ? add_interrupt_randomness+0x1c2/0x200
[ 286.521694] [<ffffffff810bcc47>] queue_work_on+0x27/0x40
[ 286.521695] [<ffffffff814f03a9>] credit_entropy_bits+0x219/0x280
[ 286.521697] [<ffffffff814ee4f6>] ? __mix_pool_bytes+0x36/0x90
[ 286.521699] [<ffffffff814f0f82>] add_interrupt_randomness+0x1c2/0x200
[ 286.521702] [<ffffffff810fe570>] handle_irq_event_percpu+0x40/0x80
[ 286.521704] [<ffffffff810fe5dc>] handle_irq_event+0x2c/0x50
[ 286.521705] [<ffffffff81101b93>] handle_level_irq+0x83/0x100
[ 286.521707] [<ffffffff8102fdb3>] handle_irq+0x73/0x120
[ 286.521709] [<ffffffff810a8fa1>] ? _local_bh_enable+0x21/0x50
[ 286.521710] [<ffffffff817b8d2b>] do_IRQ+0x4b/0xd0
[ 286.521712] [<ffffffff817b6bcc>] common_interrupt+0x8c/0x8c
[ 286.521712] <EOI> [ 286.521717] [<ffffffff81062216>] ? native_restore_fl+0x6/0x10
[ 286.521719] [<ffffffff810fbb4f>] console_unlock+0x3ef/0x5d0
[ 286.521721] [<ffffffff8100dade>] ? update_sample+0x6e/0xe0
[ 286.521723] [<ffffffff810fc55a>] vprintk_emit+0x2aa/0x520
[ 286.521725] [<ffffffff810fc96f>] vprintk_default+0x1f/0x30
[ 286.521726] [<ffffffff811a87b9>] printk+0x57/0x73
[ 286.521730] [<ffffffff81447dda>] acpi_os_vprintf+0x3f/0x41
[ 286.521732] [<ffffffff81447e2e>] acpi_os_printf+0x52/0x6e
[ 286.521735] [<ffffffff8148b5c4>] acpi_debug_print+0xae/0x118
[ 286.521737] [<ffffffff8148b6c2>] ? acpi_ut_value_exit+0x44/0x5c
[ 286.521739] [<ffffffff8148baad>] acpi_ut_ptr_exit+0x3f/0x55
[ 286.521741] [<ffffffff8147caf0>] acpi_ns_get_normalized_pathname+0x111/0x11d
[ 286.521742] [<ffffffff8147ec33>] acpi_ns_search_one_scope+0x52/0x207
[ 286.521743] [<ffffffff8147eec8>] acpi_ns_search_and_enter+0xe0/0x4d9
[ 286.521747] [<ffffffff814798f9>] acpi_ns_lookup+0x5cc/0x7d6
[ 286.521750] [<ffffffff8145c4e9>] acpi_ds_init_field_objects+0x1a3/0x232
[ 286.521752] [<ffffffff81461c26>] acpi_ds_load1_end_op+0xe7/0x355
[ 286.521754] [<ffffffff8148286b>] acpi_ps_parse_loop+0x7fc/0x8ac
[ 286.521755] [<ffffffff81483b6d>] acpi_ps_parse_aml+0x1b0/0x493
[ 286.521757] [<ffffffff8147d35b>] acpi_ns_one_complete_parse+0x22e/0x27f
[ 286.521758] [<ffffffff8147d427>] acpi_ns_parse_table+0x7b/0x148
[ 286.521759] [<ffffffff8147c5a0>] acpi_ns_load_table+0xc6/0x213
[ 286.521761] [<ffffffff81489c30>] acpi_tb_load_namespace+0xd3/0x28d
[ 286.521764] [<ffffffff81dbfc56>] acpi_load_tables+0x6c/0xf4
[ 286.521767] [<ffffffff81dbe4a6>] acpi_early_init+0x7a/0xf0
[ 286.521771] [<ffffffff81d73f39>] start_kernel+0x3be/0x472


The patch below prevents that.. however, I'm not sure this is the
correct fix, it just allows me to continue the acpi debugging ;-)

thanks,
jirka


---
diff --git a/drivers/char/random.c b/drivers/char/random.c
index 3efb3bf0ab83..f4dec86c2e25 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -725,7 +725,8 @@ retry:
/* If the input pool is getting full, send some
* entropy to the blocking pool until it is 75% full.
*/
- if (entropy_bits > random_write_wakeup_bits &&
+ if (keventd_up() &&
+ entropy_bits > random_write_wakeup_bits &&
r->initialized &&
r->entropy_total >= 2*random_read_wakeup_bits) {
struct entropy_store *other = &blocking_pool;
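Review bot: the added `keventd_up() &&` guard at the top of the condition makes the transfer to the blocking pool silently skipped, not deferred, for any entropy credited from interrupts before the workqueue subsystem is up, so the work the message says credit_entropy_bits would otherwise schedule is simply never queued for those early credits; since this is a behavioural change rather than only a crash guard, the hunk should carry a comment stating that early-boot credits intentionally skip the push to the blocking pool, and the author's own doubt about whether this is the right fix suggests the alternative of not crediting interrupt entropy at all until workqueues exist deserves a sentence in the commit message.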
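A triage helper for oopses of the shape shown above, added here as an example and not part of Jiri's message or the kernel tree: it splits a call trace into frames, tracks the `<IRQ>`/`<EOI>` boundary so the interrupt-handler chain can be told apart from the code it interrupted, and flags a fault address that is a small offset from NULL (0x102 here), which is the signature of dereferencing a field through a pointer that has not been initialised yet, such as `system_wq` before the workqueue subsystem is up. The oops excerpt is constructed from the trace in the report with most frames dropped for brevity; the function and field names (`parse_frames`, `summarize`, `null_plus_offset`) are this example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt of the oops in the report above (shortened; timestamps kept
# to show that the parser strips them, including the one glued after <IRQ>/<EOI>).
OOPS_EXCERPT = """\
[  286.521659] BUG: unable to handle kernel NULL pointer dereference at 0000000000000102
[  286.521660] IP: [<ffffffff810bc282>] __queue_work+0x32/0x450
[  286.521666] Oops: 0000 [#1] SMP
[  286.521686] Call Trace:
[  286.521686] <IRQ> [  286.521689] [<ffffffff817b5dc6>] ? _raw_write_unlock_irqrestore+0x16/0x20
[  286.521692] [<ffffffff814f0f82>] ? add_interrupt_randomness+0x1c2/0x200
[  286.521694] [<ffffffff810bcc47>] queue_work_on+0x27/0x40
[  286.521695] [<ffffffff814f03a9>] credit_entropy_bits+0x219/0x280
[  286.521697] [<ffffffff814ee4f6>] ? __mix_pool_bytes+0x36/0x90
[  286.521699] [<ffffffff814f0f82>] add_interrupt_randomness+0x1c2/0x200
[  286.521702] [<ffffffff810fe570>] handle_irq_event_percpu+0x40/0x80
[  286.521712] [<ffffffff817b6bcc>] common_interrupt+0x8c/0x8c
[  286.521712] <EOI> [  286.521717] [<ffffffff81062216>] ? native_restore_fl+0x6/0x10
[  286.521719] [<ffffffff810fbb4f>] console_unlock+0x3ef/0x5d0
[  286.521723] [<ffffffff810fc55a>] vprintk_emit+0x2aa/0x520
[  286.521726] [<ffffffff811a87b9>] printk+0x57/0x73
[  286.521730] [<ffffffff81447dda>] acpi_os_vprintf+0x3f/0x41
[  286.521767] [<ffffffff81dbe4a6>] acpi_early_init+0x7a/0xf0
[  286.521771] [<ffffffff81d73f39>] start_kernel+0x3be/0x472
"""

TIMESTAMP_RE = re.compile(r"\[\s*\d+\.\d+\]\s*")
# One frame: [<addr>] optional "? " (unreliable frame) symbol+0xoffset/0xsize
FRAME_RE = re.compile(
    r"\[<(?P<addr>[0-9a-f]+)>\]\s*(?P<q>\?\s*)?"
    r"(?P<sym>[A-Za-z_][\w.]*)\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+)"
)
IP_RE = re.compile(r"IP:\s*\[<[0-9a-f]+>\]\s*(?P<sym>[A-Za-z_][\w.]*)\+0x")
BUG_RE = re.compile(r"NULL pointer dereference at (?P<addr>[0-9a-f]+)")


def _clean(line: str) -> str:
    """Drop printk timestamps and stray carriage-return markers."""
    return TIMESTAMP_RE.sub("", line.replace("\r", "").replace("^M", ""))


def parse_frames(text: str) -> List[Dict]:
    """Return the call-trace frames in order, tagged with the context they ran in."""
    frames: List[Dict] = []
    context = "task"          # what the CPU was doing before any interrupt
    in_trace = False
    for raw in text.splitlines():
        line = _clean(raw)
        if not in_trace:
            in_trace = line.startswith("Call Trace:")
            continue
        if "<IRQ>" in line:   # frames from here on ran on the interrupt stack
            context = "irq"
        elif "<EOI>" in line:  # frames from here on are the interrupted code
            context = "task"
        for m in FRAME_RE.finditer(line):
            frames.append({
                "addr": int(m.group("addr"), 16),
                "symbol": m.group("sym"),
                "offset": int(m.group("off"), 16),
                "size": int(m.group("size"), 16),
                "questionable": m.group("q") is not None,  # the "? " marker
                "context": context,
            })
    return frames


def summarize(text: str) -> Dict:
    """Pull out what a triager wants first: where it faulted, from which context, interrupting what."""
    frames = parse_frames(text)
    bug = BUG_RE.search(text)
    ip = IP_RE.search(text)
    reliable = [f for f in frames if not f["questionable"]]
    irq_chain = [f["symbol"] for f in reliable if f["context"] == "irq"]
    interrupted: Optional[str] = next(
        (f["symbol"] for f in reliable if f["context"] == "task"), None)
    fault_addr = int(bug.group("addr"), 16) if bug else None
    return {
        "fault_addr": fault_addr,
        "fault_symbol": ip.group("sym") if ip else None,
        # A fault below one page is NULL plus a struct field offset: an
        # uninitialised pointer was dereferenced, not a wild one.
        "null_plus_offset": fault_addr is not None and fault_addr < 0x1000,
        "in_irq": bool(irq_chain),
        "irq_chain": irq_chain,
        "interrupted": interrupted,
        "during_boot": any(f["symbol"] == "start_kernel" for f in frames),
    }


if __name__ == "__main__":
    for key, value in summarize(OOPS_EXCERPT).items():
        print(f"{key}: {value}")
```

Run on the excerpt, `summarize` reports the fault in `__queue_work` at NULL+0x102, an interrupt-context chain `queue_work_on -> credit_entropy_bits -> add_interrupt_randomness -> ...`, `console_unlock` as the interrupted task code, and `start_kernel` still on the stack, which together say "workqueue dereferenced from an IRQ that landed during early boot printk" before anyone opens the source.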