lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 14 Jun 2015 16:55:59 +0800 From: Fengguang Wu <fengguang.wu@...el.com> To: Frederic Weisbecker <fweisbec@...il.com> Cc: fengguang.wu@...el.com, Ingo Molnar <mingo@...nel.org>, "Peter Zijlstra (Intel)" <peterz@...radead.org>, LKP <lkp@...org>, LKML <linux-kernel@...r.kernel.org> Subject: [sched/preempt] BUG: KASan: out of bounds access in trace_graph_entry at addr ffff88000d717e48 Hi Frederic, FYI, there are a number more bug messages showing up after this commit git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master commit b30f0e3ffedfa52b1d67a302ae5860c49998e5e2 Author: Frederic Weisbecker <fweisbec@...il.com> AuthorDate: Tue May 12 16:41:49 2015 +0200 Commit: Ingo Molnar <mingo@...nel.org> CommitDate: Tue May 19 08:39:12 2015 +0200 sched/preempt: Optimize preemption operations on __schedule() callers __schedule() disables preemption and some of its callers (the preempt_schedule*() family) also set PREEMPT_ACTIVE. So we have two preempt_count() modifications that could be performed at once. Lets remove the preemption disablement from __schedule() and pull this responsibility to its callers in order to optimize preempt_count() operations in a single place. Suggested-by: Linus Torvalds <torvalds@...ux-foundation.org> Signed-off-by: Frederic Weisbecker <fweisbec@...il.com> Signed-off-by: Peter Zijlstra (Intel) <peterz@...radead.org> Cc: Peter Zijlstra <peterz@...radead.org> Cc: Thomas Gleixner <tglx@...utronix.de> Link: http://lkml.kernel.org/r/1431441711-29753-5-git-send-email-fweisbec@gmail.com Signed-off-by: Ingo Molnar <mingo@...nel.org> =================================================== PARENT COMMIT NOT CLEAN. LOOK OUT FOR WRONG BISECT! =================================================== Attached dmesg for the parent commit, too, to help confirm whether it is a noise error. +-----------------------------------------------------------------------------+------------+------------+---------------+ | | 90b62b5129 | b30f0e3ffe | next-20150601 | +-----------------------------------------------------------------------------+------------+------------+---------------+ | boot_successes | 1476 | 310 | 37 | | boot_failures | 24 | 889 | 59 | | BUG:kernel_boot_hang | 23 | 99 | 1 | | kernel_BUG_at_arch/x86/kernel/traps.c | 1 | | | | invalid_opcode | 1 | 4 | | | RIP:do_device_not_available | 1 | | | | Kernel_panic-not_syncing:Fatal_exception | 1 | 294 | 42 | | backtrace:do_execve | 1 | | | | backtrace:run_init_process | 1 | | | | BUG:unable_to_handle_kernel | 0 | 398 | 25 | | Oops | 0 | 395 | 25 | | BUG:kernel_boot_crashed | 0 | 181 | | | RIP:check_timers_list | 0 | 19 | | | ptr_deref_or_user_memory_accessgeneral_protection_fault | 0 | 59 | 8 | | RIP:print_ftrace_graph_addr | 0 | 95 | 1 | | BUG:KASan:out_of_bounds_access_in_trace_graph_entry_at_addr | 0 | 16 | 4 | | BUG_sighand_cache(Not_tainted):kasan:bad_access_detected | 0 | 20 | | | INFO:Slab#objects=#used=#fp=0x(null)flags= | 0 | 24 | 4 | | INFO:Object#@...set=#fp= | 0 | 20 | 3 | | BUG:KASan:user-memory-access_on_address | 0 | 71 | 11 | | Kernel_panic-not_syncing:Fatal_exception_in_interrupt | 0 | 42 | | | BUG:recent_printk_recursion | 0 | 3 | | | BUG:KASan:out_of_bounds_access_in__trace_graph_return_at_addr | 0 | 7 | | | BUG:KASan:out_of_bounds_access_in_tick_periodic_at_addr | 0 | 5 | | | INFO:rcu_sched_detected_stalls_on_CPUs/tasks | 0 | 1 | | | backtrace:cpu_startup_entry | 0 | 2 | 3 | | RIP:__asan_load8 | 0 | 4 | | | BUG:KASan:use_after_free_in_prepare_ftrace_return_at_addr | 0 | 2 | | | BUG:KASan:use_after_free_in_trace_graph_entry_at_addr | 0 | 4 | | | BUG:KASan:out_of_bounds_access_in__trace_graph_entry_at_addr | 0 | 7 | | | BUG_sighand_cache(Tainted:G_D):kasan:bad_access_detected | 0 | 1 | | | BUG:KASan:out_of_bounds_access_in_prepare_ftrace_return_at_addr | 0 | 5 | 2 | | BUG_sighand_cache(Tainted:G_B):kasan:bad_access_detected | 0 | 3 | | | RIP:native_read_tsc | 0 | 1 | | | backtrace:smpboot_thread_fn | 0 | 4 | | | Kernel_panic-not_syncing:Attempted_to_kill_init!exitcode= | 0 | 94 | 6 | | backtrace:do_group_exit | 0 | 1 | | | backtrace:SyS_exit_group | 0 | 1 | | | BUG:scheduling_while_atomic | 0 | 36 | 1 | | WARNING:at_kernel/trace/trace_functions_graph.c:#ftrace_return_to_handler() | 0 | 5 | 2 | | backtrace:ftrace_graph_caller | 0 | 4 | 16 | | general_protection_fault | 0 | 10 | 10 | | RIP:preempt_count_add | 0 | 4 | 18 | | BUG_kmalloc-#(Not_tainted):kasan:bad_access_detected | 0 | 7 | | | INFO:Object#@...set=#fp=0x(null) | 0 | 2 | 1 | | WARNING:at_kernel/sched/core.c:#return_to_handler() | 0 | 18 | | | RIP:no_context | 0 | 1 | | | RIP:_raw_spin_unlock_irq | 0 | 3 | | | BUG_task_struct(Not_tainted):kasan:bad_access_detected | 0 | 2 | 4 | | WARNING:at_kernel/time/timer.c:#return_to_handler() | 0 | 2 | | | backtrace:show_stack | 0 | 1 | | | backtrace:dump_stack | 0 | 3 | | | RIP:scheduler_tick | 0 | 2 | | | RIP:pick_next_task_rt | 0 | 5 | | | RIP:__switch_to_xtra | 0 | 1 | | | backtrace:irq_exit | 0 | 2 | | | WARNING:at_kernel/softirq.c:#return_to_handler() | 0 | 2 | | | backtrace:__local_bh_disable_ip | 0 | 2 | | | backtrace:show_stack_log_lvl | 0 | 2 | | | backtrace:apic_timer_interrupt | 0 | 1 | | | RIP:__asan_loadN | 0 | 1 | | | RIP:update_curr | 0 | 1 | | | BUG:KASan:use_after_free_in_tick_periodic_at_addr | 0 | 1 | | | RIP:preempt_schedule_context | 0 | 3 | | | backtrace:register_tracer | 0 | 3 | | | backtrace:init_graph_trace | 0 | 3 | | | backtrace:kernel_init_freeable | 0 | 11 | 1 | | RIP:_raw_spin_lock | 0 | 1 | | | RIP:task_curr | 0 | 6 | | | BUG:KASan:use_after_free_in__trace_graph_return_at_addr | 0 | 1 | | | BUG:KASan:use_after_free_in__trace_graph_entry_at_addr | 0 | 1 | | | BUG:KASan:use_after_free_in_ftrace_push_return_trace_at_addr | 0 | 1 | | | RIP:rb_reserve_next_event | 0 | 1 | | | BUG_kmalloc-#(Tainted:G_B):kasan:bad_access_detected | 0 | 2 | | | BUG:KASan:out_of_bounds_access_in_ftrace_push_return_trace_at_addr | 0 | 1 | | | WARNING:at_kernel/trace/trace.c:#register_tracer() | 0 | 2 | | | BUG:KASan:out_of_bounds_access_in_vsnprintf_at_addr | 0 | 1 | | | BUG:KASan:user-memory-access_on_address(null) | 0 | 1 | | | BUG:KASan:use_after_free_in__switch_to_xtra_at_addr | 0 | 1 | | | BUG:KASan:use_after_free_in_memcpy_at_addr | 0 | 1 | | | RIP:memcpy_orig | 0 | 1 | | | kernel_BUG_at_arch/x86/kernel/nmi.c | 0 | 1 | | | WARNING:at_kernel/sched/core.c:#preempt_count_sub() | 0 | 74 | 2 | | WARNING:at_kernel/trace/ring_buffer.c:#ring_buffer_unlock_commit() | 0 | 1 | | | RIP:ftrace_push_return_trace | 0 | 1 | 1 | | RIP:ftrace_likely_update | 0 | 1 | | | RIP:parameqn | 0 | 8 | 1 | | backtrace:parse_args | 0 | 8 | 1 | | RIP:notifier_call_chain | 0 | 2 | | | WARNING:at_kernel/sched/core.c:#preempt_count_add() | 0 | 0 | 1 | | BUG_task_struct(Tainted:G_B):kasan:bad_access_detected | 0 | 0 | 2 | | RIP:rb_next | 0 | 0 | 8 | | INFO:rcu_sched_self-detected_stall_on_CPU | 0 | 0 | 1 | | IP-Config:Auto-configuration_of_network_failed | 0 | 0 | 1 | | WARNING:at_include/linux/uaccess.h:#is_prefetch() | 0 | 0 | 1 | | WARNING:at_include/linux/uaccess.h:#show_regs() | 0 | 0 | 1 | +-----------------------------------------------------------------------------+------------+------------+---------------+ [ 0.324653] Testing tracer irqsoff: PASSED [ 0.407082] Testing tracer function_graph: [ 1.288675] ================================================================== [ 1.289000] BUG: KASan: out of bounds access in trace_graph_entry+0x90/0x260 at addr ffff88000d717e48 [ 1.289000] Read of size 4 by task swapper/0/1 [ 1.289000] ============================================================================= [ 1.289000] BUG task_struct (Not tainted): kasan: bad access detected [ 1.289000] ----------------------------------------------------------------------------- [ 1.289000] [ 1.289000] Disabling lock debugging due to kernel taint [ 1.289000] INFO: Slab 0xffffea000035c400 objects=14 used=14 fp=0x (null) flags=0x1ffe00000004080 [ 1.289000] INFO: Object 0xffff88000d717d20 @offset=32032 fp=0x (null) [ 1.289000] [ 1.289000] Bytes b4 ffff88000d717d10: 90 7d 71 0d 00 88 ff ff 98 5a fe 82 ff ff ff ff .}q......Z...... [ 1.289000] Object ffff88000d717d20: 00 00 00 00 00 00 00 00 40 1e 31 81 ff ff ff ff ........@....... [ 1.289000] Object ffff88000d717d30: 48 7e 71 0d 00 88 ff ff 48 7e 71 0d 00 88 ff ff H~q.....H~q..... [ 1.289000] Object ffff88000d717d40: 48 7e 71 0d 00 88 ff ff 04 00 00 00 00 00 00 00 H~q............. [ 1.289000] Object ffff88000d717d50: 00 00 00 00 00 00 00 00 40 1e 31 81 ff ff ff ff ........@....... [ 1.289000] Object ffff88000d717d60: d0 7d 71 0d 00 88 ff ff 00 00 71 0d 00 88 ff ff .}q.......q..... [ 1.289000] Object ffff88000d717d70: 40 7e 71 0d 00 88 ff ff 80 0b 89 84 ff ff ff ff @~q............. [ 1.289000] Object ffff88000d717d80: 70 a2 1a 81 ff ff ff ff 00 00 00 00 00 00 00 00 p............... [ 1.289000] Object ffff88000d717d90: d0 7d 71 0d 00 88 ff ff 98 5a fe 82 ff ff ff ff .}q......Z...... [ 1.289000] Object ffff88000d717da0: 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 ................ [ 1.289000] Object ffff88000d717db0: 20 7e 71 0d 00 88 ff ff f9 4e 31 81 ff ff ff ff ~q......N1..... [ 1.289000] Object ffff88000d717dc0: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [ 1.289000] Object ffff88000d717dd0: 10 7e 71 0d 00 88 ff ff 40 1e 31 81 ff ff ff ff .~q.....@....... [ 1.289000] Object ffff88000d717de0: 50 7e 71 0d 00 88 ff ff 00 00 71 0d 00 88 ff ff P~q.......q..... [ 1.289000] Object ffff88000d717df0: 00 00 00 00 00 00 00 00 68 7f 71 0d 00 88 ff ff ........h.q..... [ 1.661390] kernel tried to execute NX-protected page - exploit attempt? (uid: 0) [ 1.661521] BUG: unable to handle kernel paging request at ffff88000da1ef38 [ 1.661691] IP: [<ffff88000da1ef38>] 0xffff88000da1ef38 [ 1.661908] PGD 50c2067 PUD 50c3067 PMD 800000000da001e3 [ 1.661972] Thread overran stack, or stack corrupted [ 1.662000] Oops: 0011 [#1] PREEMPT SMP KASAN [ 1.662000] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 4.1.0-rc4-00025-gb30f0e3 #1 [ 1.662000] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014 [ 1.662000] task: ffffffff838176c0 ti: ffffffff83800000 task.ti: ffffffff83800000 [ 1.662000] RIP: 0010:[<ffff88000da1ef38>] [<ffff88000da1ef38>] 0xffff88000da1ef38 [ 1.662000] RSP: 0000:ffffffff837f9638 EFLAGS: 00010246 [ 1.662000] RAX: fffffbfff07f6b91 RBX: ffff88000da1ef38 RCX: dffffc0000000000 [ 1.662000] RDX: 00000000014aac94 RSI: 0000000000000008 RDI: ffff88000da1ef10 [ 1.662000] RBP: ffff88000da1ef10 R08: fffffbfff0846cbd R09: ffffffff842365ef [ 1.662000] R10: 00000000014aacb1 R11: 00000000014da8df R12: ffff88000da19870 [ 1.662000] R13: 0000000000000008 R14: 00000000049c09bd R15: ffffffff837f96b8 [ 1.662000] FS: 0000000000000000(0000) GS:ffff88000da00000(0000) knlGS:0000000000000000 [ 1.662000] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 1.662000] CR2: ffff88000da1ef38 CR3: 000000000380c000 CR4: 00000000000006b4 [ 1.662000] Stack: [ 1.662000] ffffffff82fe3e32 ffffffff837f96b8 00000000049c09bd 0000000000000008 [ 1.662000] ffff88000da19870 ffff88000da1ef10 ffff88000da1ef38 ffffffff83817b01 [ 1.662000] ffff88000d7111e0 ffffffff838176c0 ffffffff83800000 0000000000000002 [ 1.662000] Call Trace: [ 1.662000] <UNK> [ 1.662000] Code: 00 00 00 c0 76 81 83 ff ff ff ff c0 76 81 83 ff ff ff ff 50 62 71 0d 00 88 ff ff e4 72 fb ff 00 00 00 00 00 00 00 00 00 00 00 00 <01> 00 00 00 00 00 00 00 3d a1 03 63 00 00 00 00 3d a1 03 63 00 [ 1.662000] RIP [<ffff88000da1ef38>] 0xffff88000da1ef38 [ 1.662000] RSP <ffffffff837f9638> [ 1.662000] CR2: ffff88000da1ef38 [ 1.662000] ---[ end trace 0e292f67bf70a095 ]--- [ 1.662000] Kernel panic - not syncing: Fatal exception git bisect start e430ccc59c12619af6196c34707d3afa0728ca27 ba155e2d21f6bf05de86a78dbe5bfd8757604a65 -- git bisect good 11db825cd35b971e6ef0a7421b74dd0eda99b218 # 17:57 242+ 12 Merge remote-tracking branch 'hwmon-staging/hwmon-next' git bisect good 8365bad28b9f8cf0bec48912bbb06fd656acfc00 # 18:08 242+ 7 Merge remote-tracking branch 'audit/next' git bisect bad 29597791edec5a20b0e4d4fdc4f4bc709f283ad5 # 18:08 0- 145 Merge remote-tracking branch 'char-misc/char-misc-next' git bisect bad cc2d26ffa3ce0eb218b85bd2996d1394166c0155 # 18:09 0- 140 Merge remote-tracking branch 'kvm/linux-next' git bisect bad eec2f49932b2d459faaac8fae117066a5f917b3a # 18:09 0- 187 Merge remote-tracking branch 'clockevents/clockevents/next' git bisect good 18b6e4be5ccd87d2585217672f51065af165b0b2 # 18:23 242+ 2 Merge remote-tracking branch 'mailbox/mailbox-for-next' git bisect good 11e1652325b01b40b4a9b2781c94fdbe49110072 # 18:32 242+ 26 Merge remote-tracking branch 'spi/for-next' git bisect bad 97354d679ddfd564a61fcb2466139783db36bb97 # 18:32 0- 188 Merge remote-tracking branch 'tip/auto-latest' git bisect bad c41f3eb84e58355b9209c961328067e2c23a1aeb # 18:32 0- 237 Merge branch 'timers/nohz' git bisect good 17186ccda374ae02ef231cbbc8f1825e7c19ddbd # 18:32 300+ 0 perf/x86/intel: Make WARN()ings consistent git bisect bad b7794610cdd2533e303de1027c1a4d9576875e51 # 18:32 0- 222 manual merge of sched/core git bisect bad 06931e62246844c73fba24d7aeb4a5dc897a2739 # 18:33 0- 227 sched/topology: Rename topology_thread_cpumask() to topology_sibling_cpumask() git bisect bad 8bcbde5480f9777f8b74d71493722c663e22c21b # 18:33 0- 231 sched/preempt, mm/fault: Count pagefault_disable() levels in pagefault_disabled git bisect good 7110744516276e906f9197e2857d026eb2343393 # 18:33 300+ 0 sched, timer: Use the atomic task_cputime in thread_group_cputimer git bisect good a22ae718067c233af790b8690b3d8f6190859ead # 18:42 300+ 22 Merge tag 'v4.1-rc4' into sched/core, before applying new patches git bisect good 90b62b5129d5cb50f62f40e684de7a1961e57197 # 07:10 300+ 18 sched/preempt: Rename PREEMPT_CHECK_OFFSET to PREEMPT_DISABLE_OFFSET git bisect bad e017cf21ae82e0b36f026b22083a8ae67926f465 # 07:10 0- 194 sched/preempt: Fix out of date comment git bisect bad b30f0e3ffedfa52b1d67a302ae5860c49998e5e2 # 07:11 0- 889 sched/preempt: Optimize preemption operations on __schedule() callers # first bad commit: [b30f0e3ffedfa52b1d67a302ae5860c49998e5e2] sched/preempt: Optimize preemption operations on __schedule() callers git bisect good 90b62b5129d5cb50f62f40e684de7a1961e57197 # 07:35 900+ 24 sched/preempt: Rename PREEMPT_CHECK_OFFSET to PREEMPT_DISABLE_OFFSET # extra tests with DEBUG_INFO git bisect bad b30f0e3ffedfa52b1d67a302ae5860c49998e5e2 # 07:47 40- 42 sched/preempt: Optimize preemption operations on __schedule() callers # extra tests on HEAD of next/master git bisect bad e430ccc59c12619af6196c34707d3afa0728ca27 # 07:47 0- 59 Add linux-next specific files for 20150601 # extra tests on tree/branch next/master git bisect good f0939c364ffe7dc377c4d7946360f99cb7fc867b # 20:10 900+ 1 Add linux-next specific files for 20150611 # extra tests on tree/branch linus/master git bisect good df5f4158415b6fc4a2d683c6fdc806be6da176bc # 09:09 900+ 16 Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux # extra tests on tree/branch next/master git bisect good d9b5ec5b1b4d4055e256674de4a5337f6a66d284 # 22:21 900+ 19 Add linux-next specific files for 20150612 This script may reproduce the error. ---------------------------------------------------------------------------- #!/bin/bash kernel=$1 kvm=( qemu-system-x86_64 -enable-kvm -cpu kvm64 -kernel $kernel -m 300 -smp 2 -device e1000,netdev=net0 -netdev user,id=net0 -boot order=nc -no-reboot -watchdog i6300esb -rtc base=localtime -serial stdio -display none -monitor null ) append=( hung_task_panic=1 earlyprintk=ttyS0,115200 systemd.log_level=err debug apic=debug sysrq_always_enabled rcupdate.rcu_cpu_stall_timeout=100 panic=-1 softlockup_panic=1 nmi_watchdog=panic oops=panic load_ramdisk=2 prompt_ramdisk=0 console=ttyS0,115200 console=tty0 vga=normal root=/dev/ram0 rw drbd.minor_count=8 ) "${kvm[@]}" --append "${append[*]}" ---------------------------------------------------------------------------- Thanks, Fengguang View attachment "dmesg-quantal-ivb41-52:20150606010148:x86_64-randconfig-v0-06021206:4.1.0-rc4-00025-gb30f0e3:1" of type "text/plain" (54288 bytes) View attachment "dmesg-quantal-intel12-11:20150606002017:x86_64-randconfig-v0-06021206:4.1.0-rc4-00024-g90b62b51:1" of type "text/plain" (45963 bytes) View attachment "config-4.1.0-rc4-00025-gb30f0e3" of type "text/plain" (89092 bytes)
Powered by blists - more mailing lists