lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20150614085559.GB1911@wfg-t540p.sh.intel.com>
Date:	Sun, 14 Jun 2015 16:55:59 +0800
From:	Fengguang Wu <fengguang.wu@...el.com>
To:	Frederic Weisbecker <fweisbec@...il.com>
Cc:	fengguang.wu@...el.com, Ingo Molnar <mingo@...nel.org>,
	"Peter Zijlstra (Intel)" <peterz@...radead.org>, LKP <lkp@...org>,
	LKML <linux-kernel@...r.kernel.org>
Subject: [sched/preempt] BUG: KASan: out of bounds access in
 trace_graph_entry at addr ffff88000d717e48

Hi Frederic,

FYI, there are a number more bug messages showing up after this commit

git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master

commit b30f0e3ffedfa52b1d67a302ae5860c49998e5e2
Author:     Frederic Weisbecker <fweisbec@...il.com>
AuthorDate: Tue May 12 16:41:49 2015 +0200
Commit:     Ingo Molnar <mingo@...nel.org>
CommitDate: Tue May 19 08:39:12 2015 +0200

    sched/preempt: Optimize preemption operations on __schedule() callers
    
    __schedule() disables preemption and some of its callers
    (the preempt_schedule*() family) also set PREEMPT_ACTIVE.
    
    So we have two preempt_count() modifications that could be performed
    at once.
    
    Lets remove the preemption disablement from __schedule() and pull
    this responsibility to its callers in order to optimize preempt_count()
    operations in a single place.
    
    Suggested-by: Linus Torvalds <torvalds@...ux-foundation.org>
    Signed-off-by: Frederic Weisbecker <fweisbec@...il.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@...radead.org>
    Cc: Peter Zijlstra <peterz@...radead.org>
    Cc: Thomas Gleixner <tglx@...utronix.de>
    Link: http://lkml.kernel.org/r/1431441711-29753-5-git-send-email-fweisbec@gmail.com
    Signed-off-by: Ingo Molnar <mingo@...nel.org>

===================================================
PARENT COMMIT NOT CLEAN. LOOK OUT FOR WRONG BISECT!
===================================================

Attached dmesg for the parent commit, too, to help confirm whether it is a noise error.

+-----------------------------------------------------------------------------+------------+------------+---------------+
|                                                                             | 90b62b5129 | b30f0e3ffe | next-20150601 |
+-----------------------------------------------------------------------------+------------+------------+---------------+
| boot_successes                                                              | 1476       | 310        | 37            |
| boot_failures                                                               | 24         | 889        | 59            |
| BUG:kernel_boot_hang                                                        | 23         | 99         | 1             |
| kernel_BUG_at_arch/x86/kernel/traps.c                                       | 1          |            |               |
| invalid_opcode                                                              | 1          | 4          |               |
| RIP:do_device_not_available                                                 | 1          |            |               |
| Kernel_panic-not_syncing:Fatal_exception                                    | 1          | 294        | 42            |
| backtrace:do_execve                                                         | 1          |            |               |
| backtrace:run_init_process                                                  | 1          |            |               |
| BUG:unable_to_handle_kernel                                                 | 0          | 398        | 25            |
| Oops                                                                        | 0          | 395        | 25            |
| BUG:kernel_boot_crashed                                                     | 0          | 181        |               |
| RIP:check_timers_list                                                       | 0          | 19         |               |
| ptr_deref_or_user_memory_accessgeneral_protection_fault                     | 0          | 59         | 8             |
| RIP:print_ftrace_graph_addr                                                 | 0          | 95         | 1             |
| BUG:KASan:out_of_bounds_access_in_trace_graph_entry_at_addr                 | 0          | 16         | 4             |
| BUG_sighand_cache(Not_tainted):kasan:bad_access_detected                    | 0          | 20         |               |
| INFO:Slab#objects=#used=#fp=0x(null)flags=                                  | 0          | 24         | 4             |
| INFO:Object#@...set=#fp=                                                    | 0          | 20         | 3             |
| BUG:KASan:user-memory-access_on_address                                     | 0          | 71         | 11            |
| Kernel_panic-not_syncing:Fatal_exception_in_interrupt                       | 0          | 42         |               |
| BUG:recent_printk_recursion                                                 | 0          | 3          |               |
| BUG:KASan:out_of_bounds_access_in__trace_graph_return_at_addr               | 0          | 7          |               |
| BUG:KASan:out_of_bounds_access_in_tick_periodic_at_addr                     | 0          | 5          |               |
| INFO:rcu_sched_detected_stalls_on_CPUs/tasks                                | 0          | 1          |               |
| backtrace:cpu_startup_entry                                                 | 0          | 2          | 3             |
| RIP:__asan_load8                                                            | 0          | 4          |               |
| BUG:KASan:use_after_free_in_prepare_ftrace_return_at_addr                   | 0          | 2          |               |
| BUG:KASan:use_after_free_in_trace_graph_entry_at_addr                       | 0          | 4          |               |
| BUG:KASan:out_of_bounds_access_in__trace_graph_entry_at_addr                | 0          | 7          |               |
| BUG_sighand_cache(Tainted:G_D):kasan:bad_access_detected                    | 0          | 1          |               |
| BUG:KASan:out_of_bounds_access_in_prepare_ftrace_return_at_addr             | 0          | 5          | 2             |
| BUG_sighand_cache(Tainted:G_B):kasan:bad_access_detected                    | 0          | 3          |               |
| RIP:native_read_tsc                                                         | 0          | 1          |               |
| backtrace:smpboot_thread_fn                                                 | 0          | 4          |               |
| Kernel_panic-not_syncing:Attempted_to_kill_init!exitcode=                   | 0          | 94         | 6             |
| backtrace:do_group_exit                                                     | 0          | 1          |               |
| backtrace:SyS_exit_group                                                    | 0          | 1          |               |
| BUG:scheduling_while_atomic                                                 | 0          | 36         | 1             |
| WARNING:at_kernel/trace/trace_functions_graph.c:#ftrace_return_to_handler() | 0          | 5          | 2             |
| backtrace:ftrace_graph_caller                                               | 0          | 4          | 16            |
| general_protection_fault                                                    | 0          | 10         | 10            |
| RIP:preempt_count_add                                                       | 0          | 4          | 18            |
| BUG_kmalloc-#(Not_tainted):kasan:bad_access_detected                        | 0          | 7          |               |
| INFO:Object#@...set=#fp=0x(null)                                            | 0          | 2          | 1             |
| WARNING:at_kernel/sched/core.c:#return_to_handler()                         | 0          | 18         |               |
| RIP:no_context                                                              | 0          | 1          |               |
| RIP:_raw_spin_unlock_irq                                                    | 0          | 3          |               |
| BUG_task_struct(Not_tainted):kasan:bad_access_detected                      | 0          | 2          | 4             |
| WARNING:at_kernel/time/timer.c:#return_to_handler()                         | 0          | 2          |               |
| backtrace:show_stack                                                        | 0          | 1          |               |
| backtrace:dump_stack                                                        | 0          | 3          |               |
| RIP:scheduler_tick                                                          | 0          | 2          |               |
| RIP:pick_next_task_rt                                                       | 0          | 5          |               |
| RIP:__switch_to_xtra                                                        | 0          | 1          |               |
| backtrace:irq_exit                                                          | 0          | 2          |               |
| WARNING:at_kernel/softirq.c:#return_to_handler()                            | 0          | 2          |               |
| backtrace:__local_bh_disable_ip                                             | 0          | 2          |               |
| backtrace:show_stack_log_lvl                                                | 0          | 2          |               |
| backtrace:apic_timer_interrupt                                              | 0          | 1          |               |
| RIP:__asan_loadN                                                            | 0          | 1          |               |
| RIP:update_curr                                                             | 0          | 1          |               |
| BUG:KASan:use_after_free_in_tick_periodic_at_addr                           | 0          | 1          |               |
| RIP:preempt_schedule_context                                                | 0          | 3          |               |
| backtrace:register_tracer                                                   | 0          | 3          |               |
| backtrace:init_graph_trace                                                  | 0          | 3          |               |
| backtrace:kernel_init_freeable                                              | 0          | 11         | 1             |
| RIP:_raw_spin_lock                                                          | 0          | 1          |               |
| RIP:task_curr                                                               | 0          | 6          |               |
| BUG:KASan:use_after_free_in__trace_graph_return_at_addr                     | 0          | 1          |               |
| BUG:KASan:use_after_free_in__trace_graph_entry_at_addr                      | 0          | 1          |               |
| BUG:KASan:use_after_free_in_ftrace_push_return_trace_at_addr                | 0          | 1          |               |
| RIP:rb_reserve_next_event                                                   | 0          | 1          |               |
| BUG_kmalloc-#(Tainted:G_B):kasan:bad_access_detected                        | 0          | 2          |               |
| BUG:KASan:out_of_bounds_access_in_ftrace_push_return_trace_at_addr          | 0          | 1          |               |
| WARNING:at_kernel/trace/trace.c:#register_tracer()                          | 0          | 2          |               |
| BUG:KASan:out_of_bounds_access_in_vsnprintf_at_addr                         | 0          | 1          |               |
| BUG:KASan:user-memory-access_on_address(null)                               | 0          | 1          |               |
| BUG:KASan:use_after_free_in__switch_to_xtra_at_addr                         | 0          | 1          |               |
| BUG:KASan:use_after_free_in_memcpy_at_addr                                  | 0          | 1          |               |
| RIP:memcpy_orig                                                             | 0          | 1          |               |
| kernel_BUG_at_arch/x86/kernel/nmi.c                                         | 0          | 1          |               |
| WARNING:at_kernel/sched/core.c:#preempt_count_sub()                         | 0          | 74         | 2             |
| WARNING:at_kernel/trace/ring_buffer.c:#ring_buffer_unlock_commit()          | 0          | 1          |               |
| RIP:ftrace_push_return_trace                                                | 0          | 1          | 1             |
| RIP:ftrace_likely_update                                                    | 0          | 1          |               |
| RIP:parameqn                                                                | 0          | 8          | 1             |
| backtrace:parse_args                                                        | 0          | 8          | 1             |
| RIP:notifier_call_chain                                                     | 0          | 2          |               |
| WARNING:at_kernel/sched/core.c:#preempt_count_add()                         | 0          | 0          | 1             |
| BUG_task_struct(Tainted:G_B):kasan:bad_access_detected                      | 0          | 0          | 2             |
| RIP:rb_next                                                                 | 0          | 0          | 8             |
| INFO:rcu_sched_self-detected_stall_on_CPU                                   | 0          | 0          | 1             |
| IP-Config:Auto-configuration_of_network_failed                              | 0          | 0          | 1             |
| WARNING:at_include/linux/uaccess.h:#is_prefetch()                           | 0          | 0          | 1             |
| WARNING:at_include/linux/uaccess.h:#show_regs()                             | 0          | 0          | 1             |
+-----------------------------------------------------------------------------+------------+------------+---------------+

[    0.324653] Testing tracer irqsoff: PASSED
[    0.407082] Testing tracer function_graph: 
[    1.288675] ==================================================================
[    1.289000] BUG: KASan: out of bounds access in trace_graph_entry+0x90/0x260 at addr ffff88000d717e48
[    1.289000] Read of size 4 by task swapper/0/1
[    1.289000] =============================================================================
[    1.289000] BUG task_struct (Not tainted): kasan: bad access detected
[    1.289000] -----------------------------------------------------------------------------
[    1.289000] 
[    1.289000] Disabling lock debugging due to kernel taint
[    1.289000] INFO: Slab 0xffffea000035c400 objects=14 used=14 fp=0x          (null) flags=0x1ffe00000004080
[    1.289000] INFO: Object 0xffff88000d717d20 @offset=32032 fp=0x          (null)
[    1.289000] 
[    1.289000] Bytes b4 ffff88000d717d10: 90 7d 71 0d 00 88 ff ff 98 5a fe 82 ff ff ff ff  .}q......Z......
[    1.289000] Object ffff88000d717d20: 00 00 00 00 00 00 00 00 40 1e 31 81 ff ff ff ff  ........@.......
[    1.289000] Object ffff88000d717d30: 48 7e 71 0d 00 88 ff ff 48 7e 71 0d 00 88 ff ff  H~q.....H~q.....
[    1.289000] Object ffff88000d717d40: 48 7e 71 0d 00 88 ff ff 04 00 00 00 00 00 00 00  H~q.............
[    1.289000] Object ffff88000d717d50: 00 00 00 00 00 00 00 00 40 1e 31 81 ff ff ff ff  ........@.......
[    1.289000] Object ffff88000d717d60: d0 7d 71 0d 00 88 ff ff 00 00 71 0d 00 88 ff ff  .}q.......q.....
[    1.289000] Object ffff88000d717d70: 40 7e 71 0d 00 88 ff ff 80 0b 89 84 ff ff ff ff  @~q.............
[    1.289000] Object ffff88000d717d80: 70 a2 1a 81 ff ff ff ff 00 00 00 00 00 00 00 00  p...............
[    1.289000] Object ffff88000d717d90: d0 7d 71 0d 00 88 ff ff 98 5a fe 82 ff ff ff ff  .}q......Z......
[    1.289000] Object ffff88000d717da0: 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00  ................
[    1.289000] Object ffff88000d717db0: 20 7e 71 0d 00 88 ff ff f9 4e 31 81 ff ff ff ff   ~q......N1.....
[    1.289000] Object ffff88000d717dc0: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[    1.289000] Object ffff88000d717dd0: 10 7e 71 0d 00 88 ff ff 40 1e 31 81 ff ff ff ff  .~q.....@.......
[    1.289000] Object ffff88000d717de0: 50 7e 71 0d 00 88 ff ff 00 00 71 0d 00 88 ff ff  P~q.......q.....
[    1.289000] Object ffff88000d717df0: 00 00 00 00 00 00 00 00 68 7f 71 0d 00 88 ff ff  ........h.q.....
[    1.661390] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
[    1.661521] BUG: unable to handle kernel paging request at ffff88000da1ef38
[    1.661691] IP: [<ffff88000da1ef38>] 0xffff88000da1ef38
[    1.661908] PGD 50c2067 PUD 50c3067 PMD 800000000da001e3 
[    1.661972] Thread overran stack, or stack corrupted
[    1.662000] Oops: 0011 [#1] PREEMPT SMP KASAN
[    1.662000] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G    B           4.1.0-rc4-00025-gb30f0e3 #1
[    1.662000] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[    1.662000] task: ffffffff838176c0 ti: ffffffff83800000 task.ti: ffffffff83800000
[    1.662000] RIP: 0010:[<ffff88000da1ef38>]  [<ffff88000da1ef38>] 0xffff88000da1ef38
[    1.662000] RSP: 0000:ffffffff837f9638  EFLAGS: 00010246
[    1.662000] RAX: fffffbfff07f6b91 RBX: ffff88000da1ef38 RCX: dffffc0000000000
[    1.662000] RDX: 00000000014aac94 RSI: 0000000000000008 RDI: ffff88000da1ef10
[    1.662000] RBP: ffff88000da1ef10 R08: fffffbfff0846cbd R09: ffffffff842365ef
[    1.662000] R10: 00000000014aacb1 R11: 00000000014da8df R12: ffff88000da19870
[    1.662000] R13: 0000000000000008 R14: 00000000049c09bd R15: ffffffff837f96b8
[    1.662000] FS:  0000000000000000(0000) GS:ffff88000da00000(0000) knlGS:0000000000000000
[    1.662000] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[    1.662000] CR2: ffff88000da1ef38 CR3: 000000000380c000 CR4: 00000000000006b4
[    1.662000] Stack:
[    1.662000]  ffffffff82fe3e32 ffffffff837f96b8 00000000049c09bd 0000000000000008
[    1.662000]  ffff88000da19870 ffff88000da1ef10 ffff88000da1ef38 ffffffff83817b01
[    1.662000]  ffff88000d7111e0 ffffffff838176c0 ffffffff83800000 0000000000000002
[    1.662000] Call Trace:
[    1.662000]  <UNK> 
[    1.662000] Code: 00 00 00 c0 76 81 83 ff ff ff ff c0 76 81 83 ff ff ff ff 50 62 71 0d 00 88 ff ff e4 72 fb ff 00 00 00 00 00 00 00 00 00 00 00 00 <01> 00 00 00 00 00 00 00 3d a1 03 63 00 00 00 00 3d a1 03 63 00 
[    1.662000] RIP  [<ffff88000da1ef38>] 0xffff88000da1ef38
[    1.662000]  RSP <ffffffff837f9638>
[    1.662000] CR2: ffff88000da1ef38
[    1.662000] ---[ end trace 0e292f67bf70a095 ]---
[    1.662000] Kernel panic - not syncing: Fatal exception

git bisect start e430ccc59c12619af6196c34707d3afa0728ca27 ba155e2d21f6bf05de86a78dbe5bfd8757604a65 --
git bisect good 11db825cd35b971e6ef0a7421b74dd0eda99b218  # 17:57    242+     12  Merge remote-tracking branch 'hwmon-staging/hwmon-next'
git bisect good 8365bad28b9f8cf0bec48912bbb06fd656acfc00  # 18:08    242+      7  Merge remote-tracking branch 'audit/next'
git bisect  bad 29597791edec5a20b0e4d4fdc4f4bc709f283ad5  # 18:08      0-    145  Merge remote-tracking branch 'char-misc/char-misc-next'
git bisect  bad cc2d26ffa3ce0eb218b85bd2996d1394166c0155  # 18:09      0-    140  Merge remote-tracking branch 'kvm/linux-next'
git bisect  bad eec2f49932b2d459faaac8fae117066a5f917b3a  # 18:09      0-    187  Merge remote-tracking branch 'clockevents/clockevents/next'
git bisect good 18b6e4be5ccd87d2585217672f51065af165b0b2  # 18:23    242+      2  Merge remote-tracking branch 'mailbox/mailbox-for-next'
git bisect good 11e1652325b01b40b4a9b2781c94fdbe49110072  # 18:32    242+     26  Merge remote-tracking branch 'spi/for-next'
git bisect  bad 97354d679ddfd564a61fcb2466139783db36bb97  # 18:32      0-    188  Merge remote-tracking branch 'tip/auto-latest'
git bisect  bad c41f3eb84e58355b9209c961328067e2c23a1aeb  # 18:32      0-    237  Merge branch 'timers/nohz'
git bisect good 17186ccda374ae02ef231cbbc8f1825e7c19ddbd  # 18:32    300+      0  perf/x86/intel: Make WARN()ings consistent
git bisect  bad b7794610cdd2533e303de1027c1a4d9576875e51  # 18:32      0-    222  manual merge of sched/core
git bisect  bad 06931e62246844c73fba24d7aeb4a5dc897a2739  # 18:33      0-    227  sched/topology: Rename topology_thread_cpumask() to topology_sibling_cpumask()
git bisect  bad 8bcbde5480f9777f8b74d71493722c663e22c21b  # 18:33      0-    231  sched/preempt, mm/fault: Count pagefault_disable() levels in pagefault_disabled
git bisect good 7110744516276e906f9197e2857d026eb2343393  # 18:33    300+      0  sched, timer: Use the atomic task_cputime in thread_group_cputimer
git bisect good a22ae718067c233af790b8690b3d8f6190859ead  # 18:42    300+     22  Merge tag 'v4.1-rc4' into sched/core, before applying new patches
git bisect good 90b62b5129d5cb50f62f40e684de7a1961e57197  # 07:10    300+     18  sched/preempt: Rename PREEMPT_CHECK_OFFSET to PREEMPT_DISABLE_OFFSET
git bisect  bad e017cf21ae82e0b36f026b22083a8ae67926f465  # 07:10      0-    194  sched/preempt: Fix out of date comment
git bisect  bad b30f0e3ffedfa52b1d67a302ae5860c49998e5e2  # 07:11      0-    889  sched/preempt: Optimize preemption operations on __schedule() callers
# first bad commit: [b30f0e3ffedfa52b1d67a302ae5860c49998e5e2] sched/preempt: Optimize preemption operations on __schedule() callers
git bisect good 90b62b5129d5cb50f62f40e684de7a1961e57197  # 07:35    900+     24  sched/preempt: Rename PREEMPT_CHECK_OFFSET to PREEMPT_DISABLE_OFFSET
# extra tests with DEBUG_INFO
git bisect  bad b30f0e3ffedfa52b1d67a302ae5860c49998e5e2  # 07:47     40-     42  sched/preempt: Optimize preemption operations on __schedule() callers
# extra tests on HEAD of next/master
git bisect  bad e430ccc59c12619af6196c34707d3afa0728ca27  # 07:47      0-     59  Add linux-next specific files for 20150601
# extra tests on tree/branch next/master
git bisect good f0939c364ffe7dc377c4d7946360f99cb7fc867b  # 20:10    900+      1  Add linux-next specific files for 20150611
# extra tests on tree/branch linus/master
git bisect good df5f4158415b6fc4a2d683c6fdc806be6da176bc  # 09:09    900+     16  Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
# extra tests on tree/branch next/master
git bisect good d9b5ec5b1b4d4055e256674de4a5337f6a66d284  # 22:21    900+     19  Add linux-next specific files for 20150612


This script may reproduce the error.

----------------------------------------------------------------------------
#!/bin/bash

kernel=$1

kvm=(
	qemu-system-x86_64
	-enable-kvm
	-cpu kvm64
	-kernel $kernel
	-m 300
	-smp 2
	-device e1000,netdev=net0
	-netdev user,id=net0
	-boot order=nc
	-no-reboot
	-watchdog i6300esb
	-rtc base=localtime
	-serial stdio
	-display none
	-monitor null 
)

append=(
	hung_task_panic=1
	earlyprintk=ttyS0,115200
	systemd.log_level=err
	debug
	apic=debug
	sysrq_always_enabled
	rcupdate.rcu_cpu_stall_timeout=100
	panic=-1
	softlockup_panic=1
	nmi_watchdog=panic
	oops=panic
	load_ramdisk=2
	prompt_ramdisk=0
	console=ttyS0,115200
	console=tty0
	vga=normal
	root=/dev/ram0
	rw
	drbd.minor_count=8
)

"${kvm[@]}" --append "${append[*]}"
----------------------------------------------------------------------------

Thanks,
Fengguang

View attachment "dmesg-quantal-ivb41-52:20150606010148:x86_64-randconfig-v0-06021206:4.1.0-rc4-00025-gb30f0e3:1" of type "text/plain" (54288 bytes)

View attachment "dmesg-quantal-intel12-11:20150606002017:x86_64-randconfig-v0-06021206:4.1.0-rc4-00024-g90b62b51:1" of type "text/plain" (45963 bytes)

View attachment "config-4.1.0-rc4-00025-gb30f0e3" of type "text/plain" (89092 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ