Bug #2004582 “rtmutex bug causing kernel state corruption issues...” : Bugs : ubuntu-realtime

Revision history for this message

Jacob Martin (jacobmartin) wrote on 2023-02-02:

#1

Download full text (6.9 KiB)

An example of an oops resulting from this bug:

[ 384.960099] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[ 384.960104] Mem abort info:
[ 384.960105] ESR = 0x96000004
[ 384.960107] EC = 0x25: DABT (current EL), IL = 32 bits
[ 384.960109] SET = 0, FnV = 0
[ 384.960110] EA = 0, S1PTW = 0
[ 384.960111] FSC = 0x04: level 0 translation fault
[ 384.960113] Data abort info:
[ 384.960114] ISV = 0, ISS = 0x00000004
[ 384.960116] CM = 0, WnR = 0
[ 384.960116] user pgtable: 4k pages, 48-bit VAs, pgdp=0000400006947000
[ 384.960118] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
[ 384.960121] Internal error: Oops: 96000004 [#1] PREEMPT_RT SMP
[ 384.960123] Modules linked in: binfmt_misc nls_iso8859_1 input_leds arm_spe_pmu joydev acpi_ipmi ipmi_ssif ipmi_devintf ipmi_msghandler arm_cmn arm_dmc620_pmu xgene_hwmon arm_dsu_pmu cppc_cpufreq acpi_tad sch_fq_codel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua ramoops reed_solomon pstore_blk pstore_zone efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor xor_neon raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid cdc_ether hid usbnet mlx5_ib ib_uverbs ib_core uas usb_storage ast drm_vram_helper drm_ttm_helper ttm i2c_algo_bit drm_kms_helper crct10dif_ce syscopyarea ghash_ce sysfillrect sha2_ce sysimgblt fb_sys_fops sha256_arm64 sha1_ce cec rc_core nvme mlx5_core xhci_pci drm nvme_core xhci_pci_renesas mlxfw psample tls aes_neon_bs aes_neon_blk aes_ce_blk crypto_simd cryptd aes_ce_cipher
[ 384.960228] CPU: 107 PID: 3946 Comm: dd Not tainted 5.15.0-1032-realtime #35
[ 384.960230] Hardware name: WIWYNN Mt.Jade Server System B81.030Z1.0007/Mt.Jade Motherboard, BIOS 1.6.20210526 (SCP: 1.06.20210526) 2021/05/26
[ 384.960231] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 384.960233] pc : pipe_write+0x540/0x754
[ 384.960237] lr : pipe_write+0x50/0x754
[ 384.960238] sp : ffff80003e1cbbc0
[ 384.960239] x29: ffff80003e1cbbc0 x28: ffff3fff8a931a00 x27: ffff3fff983e4800
[ 384.960242] x26: 0000000000000003 x25: 0000000000000000 x24: ffff3fff983e4990
[ 384.960244] x23: 0000000000000190 x22: ffff3fff8a92cdc0 x21: ffff80003e1cbca0
[ 384.960246] x20: ffffffffffffffee x19: 0000000000000001 x18: 0000000000000000
[ 384.960248] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
[ 384.960250] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
[ 384.960252] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa5ccdcffe188
[ 384.960254] x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
[ 384.960257] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 000000000001f74a
[ 384.960259] x2 : 0000000000000010 x1 : 0000000000000004 x0 : 0000000000000000
[ 384.960261] Call trace:
[ 384.960262] pipe_write+0x540/0x754
[ 384.960263] new_sync_write+0x17c/0x18c
[ 384.960266] vfs_write+0x278/0x2e4
[ 384.960268] ksys_write+0xe4/0x100
[ 384.960270] __arm64_sys_write+0x24/0x30
[ 384.960272] invoke_syscall+0x78/0x100
[ 384.960276] el0_svc_common.constprop.0+0x54...

An example of an oops resulting from this bug:

[  384.960099] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[  384.960104] Mem abort info:
[  384.960105]   ESR = 0x96000004
[  384.960107]   EC = 0x25: DABT (current EL), IL = 32 bits
[  384.960109]   SET = 0, FnV = 0
[  384.960110]   EA = 0, S1PTW = 0
[  384.960111]   FSC = 0x04: level 0 translation fault
[  384.960113] Data abort info:
[  384.960114]   ISV = 0, ISS = 0x00000004
[  384.960116]   CM = 0, WnR = 0
[  384.960116] user pgtable: 4k pages, 48-bit VAs, pgdp=0000400006947000
[  384.960118] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
[  384.960121] Internal error: Oops: 96000004 [#1] PREEMPT_RT SMP
[  384.960123] Modules linked in: binfmt_misc nls_iso8859_1 input_leds arm_spe_pmu joydev acpi_ipmi ipmi_ssif ipmi_devintf ipmi_msghandler arm_cmn arm_dmc620_pmu xgene_hwmon arm_dsu_pmu cppc_cpufreq acpi_tad sch_fq_codel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua ramoops reed_solomon pstore_blk pstore_zone efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor xor_neon raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid cdc_ether hid usbnet mlx5_ib ib_uverbs ib_core uas usb_storage ast drm_vram_helper drm_ttm_helper ttm i2c_algo_bit drm_kms_helper crct10dif_ce syscopyarea ghash_ce sysfillrect sha2_ce sysimgblt fb_sys_fops sha256_arm64 sha1_ce cec rc_core nvme mlx5_core xhci_pci drm nvme_core xhci_pci_renesas mlxfw psample tls aes_neon_bs aes_neon_blk aes_ce_blk crypto_simd cryptd aes_ce_cipher
[  384.960228] CPU: 107 PID: 3946 Comm: dd Not tainted 5.15.0-1032-realtime #35
[  384.960230] Hardware name: WIWYNN Mt.Jade Server System B81.030Z1.0007/Mt.Jade Motherboard, BIOS 1.6.20210526 (SCP: 1.06.20210526) 2021/05/26
[  384.960231] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[  384.960233] pc : pipe_write+0x540/0x754
[  384.960237] lr : pipe_write+0x50/0x754
[  384.960238] sp : ffff80003e1cbbc0
[  384.960239] x29: ffff80003e1cbbc0 x28: ffff3fff8a931a00 x27: ffff3fff983e4800
[  384.960242] x26: 0000000000000003 x25: 0000000000000000 x24: ffff3fff983e4990
[  384.960244] x23: 0000000000000190 x22: ffff3fff8a92cdc0 x21: ffff80003e1cbca0
[  384.960246] x20: ffffffffffffffee x19: 0000000000000001 x18: 0000000000000000
[  384.960248] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
[  384.960250] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
[  384.960252] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa5ccdcffe188
[  384.960254] x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
[  384.960257] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 000000000001f74a
[  384.960259] x2 : 0000000000000010 x1 : 0000000000000004 x0 : 0000000000000000
[  384.960261] Call trace:
[  384.960262]  pipe_write+0x540/0x754
[  384.960263]  new_sync_write+0x17c/0x18c
[  384.960266]  vfs_write+0x278/0x2e4
[  384.960268]  ksys_write+0xe4/0x100
[  384.960270]  __arm64_sys_write+0x24/0x30
[  384.960272]  invoke_syscall+0x78/0x100
[  384.960276]  el0_svc_common.constprop.0+0x54/0x184
[  384.960278]  do_el0_svc+0x30/0x9c
[  384.960280]  el0_svc+0x30/0x150
[  384.960283]  el0t_64_sync_handler+0xa4/0x130
[  384.960285]  el0t_64_sync+0x1a4/0x1a8
[  384.960288] Code: 8b130341 f140043f 54ffdea8 f9400b00 (f9400002) 
[  384.960290] ---[ end trace 0000000000000002 ]---
[  385.960885] ------------[ cut here ]------------
[  385.960887] rtmutex deadlock detected
[  385.960890] WARNING: CPU: 107 PID: 3946 at kernel/locking/rtmutex.c:1553 rt_mutex_slowlock.constprop.0+0x140/0x160
[  385.960894] Modules linked in: binfmt_misc nls_iso8859_1 input_leds arm_spe_pmu joydev acpi_ipmi ipmi_ssif ipmi_devintf ipmi_msghandler arm_cmn arm_dmc620_pmu xgene_hwmon arm_dsu_pmu cppc_cpufreq acpi_tad sch_fq_codel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua ramoops reed_solomon pstore_blk pstore_zone efi_pstore ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor xor_neon raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid cdc_ether hid usbnet mlx5_ib ib_uverbs ib_core uas usb_storage ast drm_vram_helper drm_ttm_helper ttm i2c_algo_bit drm_kms_helper crct10dif_ce syscopyarea ghash_ce sysfillrect sha2_ce sysimgblt fb_sys_fops sha256_arm64 sha1_ce cec rc_core nvme mlx5_core xhci_pci drm nvme_core xhci_pci_renesas mlxfw psample tls aes_neon_bs aes_neon_blk aes_ce_blk crypto_simd cryptd aes_ce_cipher
[  385.960934] CPU: 107 PID: 3946 Comm: dd Tainted: G      D           5.15.0-1032-realtime #35
[  385.960936] Hardware name: WIWYNN Mt.Jade Server System B81.030Z1.0007/Mt.Jade Motherboard, BIOS 1.6.20210526 (SCP: 1.06.20210526) 2021/05/26
[  385.960937] pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[  385.960939] pc : rt_mutex_slowlock.constprop.0+0x140/0x160
[  385.960940] lr : rt_mutex_slowlock.constprop.0+0x140/0x160
[  385.960942] sp : ffff80003e1cb6a0
[  385.960943] x29: ffff80003e1cb6a0 x28: ffff80003e1cb8e3 x27: ffffa5ccdd513400
[  385.960945] x26: 0000000000000001 x25: ffffa5ccdc466f54 x24: ffff3fff983eddc0
[  385.960948] x23: ffff80003e1cb6e0 x22: ffff3fff983eddc0 x21: 0000000000000000
[  385.960949] x20: 00000000ffffffdd x19: ffff3fff8a931a00 x18: ffffffffffffffff
[  385.960951] x17: 0000000000000000 x16: 000000000000002b x15: ffff401f600b85e8
[  385.960952] x14: 0000000000000000 x13: 0a64657463657465 x12: 64206b636f6c6461
[  385.960954] x11: 656820747563205b x10: ffff401ee035c750 x9 : ffffa5ccdc1f54e0
[  385.960956] x8 : ffff80003e1cb6a0 x7 : 6b636f6c64616564 x6 : 00000000ffff8afe
[  385.960957] x5 : ffff401ee09cbcc8 x4 : ffff80003e1cb4f0 x3 : ffff9a5202b25000
[  385.960959] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff3fff983eddc0
[  385.960961] Call trace:
[  385.960961]  rt_mutex_slowlock.constprop.0+0x140/0x160
[  385.960963]  mutex_lock+0x5c/0x6c
[  385.960964]  pipe_release+0x30/0x130
[  385.960965]  __fput+0x80/0x250
[  385.960967]  ____fput+0x18/0x24
[  385.960968]  task_work_run+0x88/0xd0
[  385.960970]  do_exit+0x484/0x600
[  385.960973]  die+0x1fc/0x238
[  385.960975]  die_kernel_fault+0x6c/0x80
[  385.960976]  __do_kernel_fault+0x18c/0x1b0
[  385.960978]  do_page_fault+0x1d0/0x4e4
[  385.960979]  do_translation_fault+0x60/0x9c
[  385.960981]  do_mem_abort+0x48/0xc0
[  385.960982]  el1_abort+0x74/0xdc
[  385.960983]  el1h_64_sync_handler+0xa4/0xd0
[  385.960985]  el1h_64_sync+0x7c/0x80
[  385.960986]  pipe_write+0x540/0x754
[  385.960987]  new_sync_write+0x17c/0x18c
[  385.960988]  vfs_write+0x278/0x2e4
[  385.960989]  ksys_write+0xe4/0x100
[  385.960991]  __arm64_sys_write+0x24/0x30
[  385.960992]  invoke_syscall+0x78/0x100
[  385.960994]  el0_svc_common.constprop.0+0x54/0x184
[  385.960996]  do_el0_svc+0x30/0x9c
[  385.960998]  el0_svc+0x30/0x150
[  385.960999]  el0t_64_sync_handler+0xa4/0x130
[  385.961001]  el0t_64_sync+0x1a4/0x1a8
[  385.961002] ---[ end trace 0000000000000003 ]---

Jacob Martin (jacobmartin) on 2023-02-02

description:

updated

Joseph Salisbury (jsalisbury) on 2023-02-02

Changed in ubuntu-realtime:
importance:	Undecided → Medium
status:	New → Triaged

Revision history for this message

Joseph Salisbury (jsalisbury) wrote on 2023-02-02:

#2

I built a test kernel with commit:
1c0908d8e441 ("rtmutex: Add acquire semantics for rtmutex lock acquisition slow path")

If anyone would like to test this kernel, it can be downloaded from:
https://people.canonical.com/~jsalisbury/lp2004582/

Commit 1c0908d8e441 will be picked up by the Ubuntu real-time kernel within the next SRU cycle or two. It first needs to land in upstream stable, and this commit will be picked up in the usual stable update process.

Joseph Salisbury (jsalisbury) on 2023-02-23

Changed in ubuntu-realtime:
assignee:	nobody → Joseph Salisbury (jsalisbury)

Revision history for this message

Joseph Salisbury (jsalisbury) wrote on 2023-05-09:

#3

Commit 1c0908d8e441 has made it to the upstream stable v5.15.109 kernel. The real-time kernel will pick up this commit once Jammy is rebased to 5.15.109.

Changed in ubuntu-realtime:
status:	Triaged → In Progress

Revision history for this message

Joseph Salisbury (jsalisbury) wrote on 2023-07-25:

#4

This issue is fixed as of the 5.15.0-1043.48 real-time kernel version.

Changed in ubuntu-realtime:
status:	In Progress → Fix Committed

Joseph Salisbury (jsalisbury) on 2023-09-06

Changed in ubuntu-realtime:
status:	Fix Committed → Fix Released

ubuntu-realtime

rtmutex bug causing kernel state corruption issues on arm64

Bug Description

Other bug subscribers

Remote bug watches