lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sat, 15 Nov 2014 18:24:06 +0800
From:	Fengguang Wu <fengguang.wu@...el.com>
To:	Kees Cook <keescook@...omium.org>
Cc:	LKP <lkp@...org>, linux-kernel@...r.kernel.org
Subject: [x86, mm] kernel BUG at include/linux/mm.h:548!


Hi Kees,

Here is another bisect result.

git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git x86/pmd-nx

commit 3622dcc2b4f4eaf23bae2511a30fc449d0e5f0d9
Author:     Kees Cook <keescook@...omium.org>
AuthorDate: Fri Nov 14 11:36:17 2014 -0800
Commit:     Kees Cook <keescook@...omium.org>
CommitDate: Fri Nov 14 13:36:37 2014 -0800

    x86, mm: set NX across entire PMD at boot
    
    When setting up permissions on kernel memory at boot, the end of the
    PMD that was split from bss remained executable. It should be NX like
    the rest. This performs a PMD alignment instead of a PAGE alignment to
    get the correct span of memory, and should be freed.
    
    Before:
    ---[ High Kernel Mapping ]---
    ...
    0xffffffff8202d000-0xffffffff82200000  1868K     RW       GLB NX pte
    0xffffffff82200000-0xffffffff82c00000    10M     RW   PSE GLB NX pmd
    0xffffffff82c00000-0xffffffff82df5000  2004K     RW       GLB NX pte
    0xffffffff82df5000-0xffffffff82e00000    44K     RW       GLB x  pte
    0xffffffff82e00000-0xffffffffc0000000   978M                     pmd
    
    After:
    ---[ High Kernel Mapping ]---
    ...
    0xffffffff8202d000-0xffffffff82200000  1868K     RW       GLB NX pte
    0xffffffff82200000-0xffffffff82c00000    10M     RW   PSE GLB NX pmd
    0xffffffff82c00000-0xffffffff82df5000  2004K     RW       GLB NX pte
    0xffffffff82df5000-0xffffffff82e00000    44K     RW           NX pte
    0xffffffff82e00000-0xffffffffc0000000   978M                     pmd
    
    Signed-off-by: Kees Cook <keescook@...omium.org>

+------------------------------------------+------------+------------+------------+
|                                          | b23dc5a7cc | 3622dcc2b4 | 3622dcc2b4 |
+------------------------------------------+------------+------------+------------+
| boot_successes                           | 102        | 3          | 3          |
| boot_failures                            | 1          | 182        | 182        |
| BUG:kernel_boot_hang                     | 1          |            |            |
| kernel_BUG_at_include/linux/mm.h         | 0          | 182        | 182        |
| invalid_opcode                           | 0          | 182        | 182        |
| RIP:__rmqueue                            | 0          | 182        | 182        |
| Kernel_panic-not_syncing:Fatal_exception | 0          | 182        | 182        |
| backtrace:iterate_dir                    | 0          | 1          | 1          |
| backtrace:SyS_getdents                   | 0          | 1          | 1          |
+------------------------------------------+------------+------------+------------+

[    2.033203] flags: 0x80000080068(uptodate|lru|active|swapbacked)
[    2.033347] page dumped because: VM_BUG_ON_PAGE(atomic_read(&page->_mapcount) != -1)
[    2.033347] ------------[ cut here ]------------
[    2.033347] kernel BUG at include/linux/mm.h:548!
[    2.033347] invalid opcode: 0000 [#1] SMP 
[    2.033347] Modules linked in:
[    2.033347] CPU: 0 PID: 284 Comm: udevd Not tainted 3.18.0-rc4-g3622dcc2 #1438
[    2.033347] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[    2.033347] task: ffff8800001022e0 ti: ffff880010bbc000 task.ti: ffff880010bbc000
[    2.033347] RIP: 0010:[<ffffffff811be28e>]  [<ffffffff811be28e>] __rmqueue+0x230/0x770
[    2.033347] RSP: 0000:ffff880010bbf978  EFLAGS: 00010046
[    2.033347] RAX: 0000000000000006 RBX: ffff880012fb4000 RCX: 0000000000000003
[    2.033347] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000046
[    2.033347] RBP: ffff880010bbf9f8 R08: 0000000000000001 R09: 0000000000000000
[    2.033347] R10: ffffffff81b1f800 R11: ffffffff81b1f8c0 R12: ffffffff820d4d80
[    2.033347] R13: ffff880012fb5000 R14: 0000000000000020 R15: ffff880012fb4020
[    2.033347] FS:  00007f5c34ad4700(0000) GS:ffff880013a00000(0000) knlGS:0000000000000000
[    2.033347] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    2.033347] CR2: 0000000001b80b40 CR3: 0000000010bae000 CR4: 00000000000406b0
[    2.033347] Stack:
[    2.033347]  ffff880010bbf9d8 0000000000000096 0000000000000096 ffffffff820d5078
[    2.033347]  0000000000000006 0000000000000101 ffffffff00000001 0000000000000002
[    2.033347]  0000000000000040 0000000200000000 ffffffff820d6280 ffff880013bd6ec8
[    2.033347] Call Trace:
[    2.033347]  [<ffffffff811beb1d>] get_page_from_freelist+0x34f/0xbde
[    2.033347]  [<ffffffff810415e6>] ? pvclock_clocksource_read+0x12c/0x140
[    2.033347]  [<ffffffff811bf8b7>] __alloc_pages_nodemask+0x2c3/0x1095
[    2.033347]  [<ffffffff811038ed>] ? sched_clock_cpu+0x14d/0x16a
[    2.033347]  [<ffffffff811ee46b>] do_wp_page+0x94b/0x101e
[    2.033347]  [<ffffffff811f088d>] handle_pte_fault+0x7c6/0x833
[    2.033347]  [<ffffffff811f499c>] handle_mm_fault+0x4a0/0x4d2
[    2.033347]  [<ffffffff810466f3>] __do_page_fault+0x867/0xace
[    2.033347]  [<ffffffff811465a7>] ? rcu_eqs_enter_common+0x362/0x371
[    2.033347]  [<ffffffff8114685f>] ? rcu_eqs_exit_common+0xf1/0x326
[    2.033347]  [<ffffffff811466da>] ? rcu_eqs_enter+0x124/0x138
[    2.033347]  [<ffffffff81146bbe>] ? rcu_eqs_exit+0x12a/0x139
[    2.033347]  [<ffffffff81046c61>] trace_do_page_fault+0x1f3/0x25f
[    2.033347]  [<ffffffff8104018a>] do_async_page_fault+0x3a/0x131
[    2.033347]  [<ffffffff818af478>] async_page_fault+0x28/0x30
[    2.033347] Code: 48 83 c0 02 48 ff 04 c5 f8 44 1f 82 44 8a 5d a8 45 84 db 8b 4d a0 4c 8b 55 98 74 11 48 c7 c6 5f a4 f1 81 4c 89 ef e8 e2 a4 02 00 <0f> 0b 41 c7 45 18 80 ff ff ff e9 ec fe ff ff 48 8b 45 b8 49 89 
[    2.033347] RIP  [<ffffffff811be28e>] __rmqueue+0x230/0x770
[    2.033347]  RSP <ffff880010bbf978>
[    2.033347] ---[ end trace 5923814eef589562 ]---
[    2.033347] Kernel panic - not syncing: Fatal exception

git bisect start 3622dcc2b4f4eaf23bae2511a30fc449d0e5f0d9 206c5f60a3d902bc4b56dab2de3e88de5eb06108 --
git bisect good 04689e749b7ec156291446028a0ce2e685bf3855  # 08:52     22+      0  Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
git bisect good 6b07974af9698225766d42175470b1a5d7bf9f48  # 11:35     22+      0  Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid
git bisect good 971ad4e4d6833d5f250d0db332ff863c599ae19f  # 11:51     22+      1  Merge branch 'akpm' (fixes from Andrew Morton)
git bisect good 5cf52037042d3ad7432df1aec004a935e83939a6  # 11:51     22+      0  Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
git bisect good b23dc5a7cc6ebc9a0d57351da7a0e8454c9ffea3  # 11:58     22+      1  Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
# first bad commit: [3622dcc2b4f4eaf23bae2511a30fc449d0e5f0d9] x86, mm: set NX across entire PMD at boot
git bisect good b23dc5a7cc6ebc9a0d57351da7a0e8454c9ffea3  # 12:02     66+      1  Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
git bisect  bad 192495a3a4e9b8caa94cdd6b8200e6c6bf121aac  # 12:02      0-     36  0day head guard for 'devel-lkp-hsx01-x86_64-201411150620'
git bisect good 56c381f93d57b88a3e667a2f55137947315c17e2  # 12:05     66+      1  Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
git bisect good d7e5a72b951a4ef6d97b2aa43cad37f237ba8030  # 12:18     66+      0  Add linux-next specific files for 20141114


This script may reproduce the error.

----------------------------------------------------------------------------
#!/bin/bash

kernel=$1
initrd=yocto-minimal-x86_64.cgz

wget --no-clobber https://github.com/fengguang/reproduce-kernel-bug/raw/master/initrd/$initrd

kvm=(
	qemu-system-x86_64
	-enable-kvm
	-cpu Haswell,+smep,+smap
	-kernel $kernel
	-initrd $initrd
	-m 320
	-smp 1
	-net nic,vlan=1,model=e1000
	-net user,vlan=1
	-boot order=nc
	-no-reboot
	-watchdog i6300esb
	-rtc base=localtime
	-serial stdio
	-display none
	-monitor null 
)

append=(
	hung_task_panic=1
	earlyprintk=ttyS0,115200
	debug
	apic=debug
	sysrq_always_enabled
	rcupdate.rcu_cpu_stall_timeout=100
	panic=-1
	softlockup_panic=1
	nmi_watchdog=panic
	oops=panic
	load_ramdisk=2
	prompt_ramdisk=0
	console=ttyS0,115200
	console=tty0
	vga=normal
	root=/dev/ram0
	rw
	drbd.minor_count=8
)

"${kvm[@]}" --append "${append[*]}"
----------------------------------------------------------------------------

Thanks,
Fengguang
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ