Date:   Fri, 14 Oct 2016 10:31:56 +0800
From:   kernel test robot <xiaolong.ye@...el.com>
To:     Nikolay Borisov <kernel@...p.com>
Cc:     jack@...e.cz, ebiederm@...ssion.com, linux-kernel@...r.kernel.org,
        serge@...lyn.com, containers@...ts.linux-foundation.org,
        Nikolay Borisov <kernel@...p.com>, lkp@...org
Subject: [lkp] [inotify] 464e1236c3: BUG kmalloc-512 (Not tainted): Freepointer corrupt


FYI, we noticed the following commit:

https://github.com/0day-ci/linux Nikolay-Borisov/inotify-Convert-to-using-per-namespace-limits/20161011-153830
commit 464e1236c367919e405c8d248d6a4118fdc4a2c1 ("inotify: Convert to using per-namespace limits")

in testcase: trinity
with the following parameters:

	runtime: 300s


Trinity is a Linux system call fuzz tester.


on test machine: qemu-system-x86_64 -enable-kvm -smp 2 -m 320M

caused the changes below:


+-------------------------------------------------------+------------+------------+
|                                                       | 101105b171 | 464e1236c3 |
+-------------------------------------------------------+------------+------------+
| boot_successes                                        | 20         | 62         |
| boot_failures                                         | 14         | 94         |
| invoked_oom-killer:gfp_mask=0x                        | 14         | 10         |
| Mem-Info                                              | 14         | 10         |
| page_allocation_failure:order:#,mode:#(GFP_USER)      | 1          |            |
| BUG_kmalloc-#(Not_tainted):Freepointer_corrupt        | 0          | 46         |
| INFO:Allocated_in_setup_userns_sysctls_age=#cpu=#pid= | 0          | 46         |
| INFO:Freed_in_free_ctx_age=#cpu=#pid=                 | 0          | 8          |
| INFO:Slab#objects=#used=#fp=#flags=                   | 0          | 45         |
| INFO:Object#@...set=#fp=                              | 0          | 46         |
| calltrace:free_user_ns                                | 0          | 46         |
| BUG_kmalloc-#(Tainted:G_B):Freepointer_corrupt        | 0          | 3          |
| INFO:Freed_in_kernfs_fop_release_age=#cpu=#pid=       | 0          | 8          |
| BUG:kernel_reboot-without-warning_in_test_stage       | 0          | 38         |
| INFO:Slab#objects=#used=#fp=0x(null)flags=            | 0          | 1          |
| BUG:unable_to_handle_kernel                           | 0          | 1          |
| Oops                                                  | 0          | 1          |
| RIP:copy_process                                      | 0          | 1          |
| Kernel_panic-not_syncing:Fatal_exception              | 0          | 1          |
| INFO:Freed_in_skb_free_head_age=#cpu=#pid=            | 0          | 3          |
| INFO:Freed_in_kvfree_age=#cpu=#pid=                   | 0          | 2          |
| INFO:Freed_in_ep_free_age=#cpu=#pid=                  | 0          | 1          |
| INFO:Freed_in_free_pipe_info_age=#cpu=#pid=           | 0          | 3          |
+-------------------------------------------------------+------------+------------+



[   64.996369] genirq: Flags mismatch irq 4. 00000000 (serial) vs. 00000080 (goldfish_pdev_bus)
[   65.007839] genirq: Flags mismatch irq 4. 00000000 (serial) vs. 00000080 (goldfish_pdev_bus)
[   65.519812] =============================================================================
[   65.521973] BUG kmalloc-512 (Not tainted): Freepointer corrupt
[   65.523368] -----------------------------------------------------------------------------
[   65.523368] 
[   65.525977] Disabling lock debugging due to kernel taint
[   65.527277] INFO: Allocated in setup_userns_sysctls+0x3f/0xa6 age=5 cpu=1 pid=418
[   65.558397] INFO: Freed in free_ctx+0x1d/0x20 age=6 cpu=0 pid=19
[   65.566491] INFO: Slab 0xffff88000f147700 objects=19 used=15 fp=0xffff8800070de7c8 flags=0x200004081
[   65.568956] INFO: Object 0xffff8800070dee68 @offset=11880 fp=0xffff880007030288
[   65.568956] 
[   65.574100] Redzone ffff8800070dee60: cc cc cc cc cc cc cc cc                          ........
[   65.576524] Object ffff8800070dee68: 90 d1 fd 81 ff ff ff ff 68 02 03 07 00 88 ff ff  ........h.......
[   65.579009] Object ffff8800070dee78: 04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00  ................
[   65.581691] Object ffff8800070dee88: 59 02 0c 81 ff ff ff ff 00 00 00 00 00 00 00 00  Y...............
[   65.584222] Object ffff8800070dee98: e0 4d 4a 83 ff ff ff ff 40 17 26 82 ff ff ff ff  .MJ.....@.......
[   65.586768] Object ffff8800070deea8: a4 d1 fd 81 ff ff ff ff 6c 02 03 07 00 88 ff ff  ........l.......
[   65.589412] Object ffff8800070deeb8: 04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00  ................
[   65.591971] Object ffff8800070deec8: 59 02 0c 81 ff ff ff ff 00 00 00 00 00 00 00 00  Y...............
[   65.594469] Object ffff8800070deed8: e0 4d 4a 83 ff ff ff ff 40 17 26 82 ff ff ff ff  .MJ.....@.......
[   65.596977] Object ffff8800070deee8: b7 d1 fd 81 ff ff ff ff 70 02 03 07 00 88 ff ff  ........p.......
[   65.599617] Object ffff8800070deef8: 04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00  ................
[   65.602173] Object ffff8800070def08: 59 02 0c 81 ff ff ff ff 00 00 00 00 00 00 00 00  Y...............
[   65.604667] Object ffff8800070def18: e0 4d 4a 83 ff ff ff ff 40 17 26 82 ff ff ff ff  .MJ.....@.......
[   65.607358] Object ffff8800070def28: ca d1 fd 81 ff ff ff ff 74 02 03 07 00 88 ff ff  ........t.......
[   65.609905] Object ffff8800070def38: 04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00  ................
[   65.612456] Object ffff8800070def48: 59 02 0c 81 ff ff ff ff 00 00 00 00 00 00 00 00  Y...............
[   65.614946] Object ffff8800070def58: e0 4d 4a 83 ff ff ff ff 40 17 26 82 ff ff ff ff  .MJ.....@.......
[   65.617618] Object ffff8800070def68: dd d1 fd 81 ff ff ff ff 78 02 03 07 00 88 ff ff  ........x.......
[   65.620145] Object ffff8800070def78: 04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00  ................
[   65.622607] Object ffff8800070def88: 59 02 0c 81 ff ff ff ff 00 00 00 00 00 00 00 00  Y...............
[   65.625270] Object ffff8800070def98: e0 4d 4a 83 ff ff ff ff 40 17 26 82 ff ff ff ff  .MJ.....@.......
[   65.627773] Object ffff8800070defa8: f0 d1 fd 81 ff ff ff ff 7c 02 03 07 00 88 ff ff  ........|.......
[   65.630300] Object ffff8800070defb8: 04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00  ................
[   65.632804] Object ffff8800070defc8: 59 02 0c 81 ff ff ff ff 00 00 00 00 00 00 00 00  Y...............
[   65.635477] Object ffff8800070defd8: e0 4d 4a 83 ff ff ff ff 40 17 26 82 ff ff ff ff  .MJ.....@.......
[   65.637983] Object ffff8800070defe8: 03 d2 fd 81 ff ff ff ff 80 02 03 07 00 88 ff ff  ................
[   65.640507] Object ffff8800070deff8: 04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00  ................
[   65.642994] Object ffff8800070df008: 59 02 0c 81 ff ff ff ff 00 00 00 00 00 00 00 00  Y...............
[   65.645711] Object ffff8800070df018: e0 4d 4a 83 ff ff ff ff 40 17 26 82 ff ff ff ff  .MJ.....@.......
[   65.648170] Object ffff8800070df028: 00 00 00 00 00 00 00 00 84 02 03 07 00 88 ff ff  ................
[   65.650683] Object ffff8800070df038: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   65.653395] Object ffff8800070df048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   65.655876] Object ffff8800070df058: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   65.658394] Redzone ffff8800070df068: cc cc cc cc cc cc cc cc                          ........
[   65.660854] Padding ffff8800070df1a8: 5a 5a 5a 5a 5a 5a 5a 5a                          ZZZZZZZZ
[   65.663396] CPU: 0 PID: 35 Comm: kworker/0:1 Tainted: G    B           4.8.0-11826-g464e123 #1
[   65.665746] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Debian-1.8.2-1 04/01/2014
[   65.668185] Workqueue: events free_user_ns
[   65.669571]  ffffc90000187ad8 ffffffff8148d545 ffff88000e804e00 ffff8800070dee68
[   65.672224]  ffffc90000187b08 ffffffff811a74a0 ffff88000e804e00 ffff88000f147700
[   65.674863]  ffff8800070dee68 00000000000000cc ffffc90000187b30 ffffffff811a8088
[   65.677604] Call Trace:
[   65.678412]  [<ffffffff8148d545>] dump_stack+0x86/0xc0
[   65.679908]  [<ffffffff811a74a0>] print_trailer+0x178/0x181
[   65.681439]  [<ffffffff811a8088>] object_err+0x2f/0x36
[   65.682835]  [<ffffffff811a82f4>] check_object+0x265/0x282
[   65.684336]  [<ffffffff811a9e1b>] free_debug_processing+0xc1/0x35c
[   65.686049]  [<ffffffff810d8a3f>] ? retire_userns_sysctls+0x2e/0x33
[   65.687714]  [<ffffffff810d8a3f>] ? retire_userns_sysctls+0x2e/0x33
[   65.689398]  [<ffffffff811aa125>] __slab_free+0x6f/0x426
[   65.690840]  [<ffffffff81037aea>] ? kvm_clock_read+0x25/0x2e
[   65.692350]  [<ffffffff81037b07>] ? kvm_sched_clock_read+0x9/0x12
[   65.694056]  [<ffffffff8101c211>] ? sched_clock+0x9/0xd
[   65.695552]  [<ffffffff810fa12d>] ? mark_held_locks+0x5e/0x74
[   65.697043]  [<ffffffff811abab5>] ? kfree+0xfe/0x170
[   65.698430]  [<ffffffff810d8a3f>] ? retire_userns_sysctls+0x2e/0x33
[   65.700159]  [<ffffffff811abb1c>] kfree+0x165/0x170
[   65.701540]  [<ffffffff811abb1c>] ? kfree+0x165/0x170
[   65.702885]  [<ffffffff810d8a3f>] retire_userns_sysctls+0x2e/0x33
[   65.704553]  [<ffffffff81137c4c>] free_user_ns+0x26/0x6b
[   65.706069]  [<ffffffff810cf1a6>] process_one_work+0x208/0x3a5
[   65.707635]  [<ffffffff810cf143>] ? process_one_work+0x1a5/0x3a5
[   65.729991]  [<ffffffff810cf5bb>] worker_thread+0x24a/0x380
[   65.731583]  [<ffffffff810cf371>] ? process_scheduled_works+0x2e/0x2e
[   65.733274]  [<ffffffff810d546c>] kthread+0x106/0x10e
[   65.734628]  [<ffffffff810d5366>] ? __kthread_parkme+0x81/0x81
[   65.736286]  [<ffffffff81b60bea>] ret_from_fork+0x2a/0x40
[   65.737828] FIX kmalloc-512: Object at 0xffff8800070dee68 not freed
[   65.887942] genirq: Flags mismatch irq 4. 00000000 (serial) vs. 00000080 (goldfish_pdev_bus)
[   66.042944] genirq: Flags mismatch irq 4. 00000000 (serial) vs. 00000080 (goldfish_pdev_bus)


To reproduce:

        git clone git://git.kernel.org/pub/scm/linux/kernel/git/wfg/lkp-tests.git
        cd lkp-tests
        bin/lkp install job.yaml  # job file is attached in this email
        bin/lkp run     job.yaml



Thanks,
Xiaolong

View attachment "config-4.8.0-11826-g464e123" of type "text/plain" (112771 bytes)

View attachment "job-script" of type "text/plain" (3603 bytes)

Download attachment "dmesg.xz" of type "application/octet-stream" (18356 bytes)

View attachment "job.yaml" of type "text/plain" (2816 bytes)
