Message-ID: <20160630015521.GD8951@yexl-desktop>
Date: Thu, 30 Jun 2016 09:55:21 +0800
From: kernel test robot <xiaolong.ye@...el.com>
To: Alexander Potapenko <glider@...gle.com>
Cc: Stephen Rothwell <sfr@...b.auug.org.au>,
Andrey Konovalov <adech.fo@...il.com>,
Dmitry Vyukov <dvyukov@...gle.com>,
Steven Rostedt <rostedt@...dmis.org>,
Joonsoo Kim <iamjoonsoo.kim@....com>,
Konstantin Serebryany <kcc@...gle.com>,
Christoph Lameter <cl@...ux.com>,
Pekka Enberg <penberg@...nel.org>,
David Rientjes <rientjes@...gle.com>,
Andrew Morton <akpm@...ux-foundation.org>,
LKML <linux-kernel@...r.kernel.org>, lkp@...org
Subject: [lkp] [mm, kasan] 5bced26420: BUG radix_tree_node (Not tainted):
Object padding overwritten

FYI, we noticed the following commit:

https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
commit 5bced26420be17f44647cbc17d0217ba1a564cd2 ("mm, kasan: switch SLUB to stackdepot, enable memory quarantine for SLUB")

on test machine: 1 threads qemu-system-x86_64 -enable-kvm -cpu Westmere with 320M memory

caused below changes:

+---------------------------------------------------------------+------------+------------+
| | c0df48f854 | 5bced26420 |
+---------------------------------------------------------------+------------+------------+
| boot_successes | 0 | 0 |
| boot_failures | 84 | 87 |
| BUG:KASAN:use-after-free_in_kobj_kset_leave_at_addr | 84 | |
| BUG_kmalloc-#(Not_tainted):kasan:bad_access_detected | 84 | |
| INFO:Allocated_in#age=#cpu=#pid= | 84 | |
| INFO:Freed_in#age=#cpu=#pid= | 84 | |
| INFO:Slab#objects=#used=#fp=#flags= | 84 | 49 |
| INFO:Object#@...set=#fp= | 84 | 87 |
| BUG:KASAN:use-after-free_in_devices_kset_move_last_at_addr | 84 | |
| BUG_kmalloc-#(Tainted:G_B):kasan:bad_access_detected | 84 | |
| BUG_kmalloc-#(Tainted:G_B):Poison_overwritten | 84 | |
| INFO:#-#.First_byte#instead_of | 84 | 87 |
| INFO:Allocated_in_usb_add_gadget_udc_release_age=#cpu=#pid= | 84 | |
| INFO:Freed_in_usb_add_gadget_udc_release_age=#cpu=#pid= | 84 | |
| INFO:Slab#objects=#used=#fp=0x(null)flags= | 84 | 87 |
| genirq:Flags_mismatch_irq##(serial)vs.#(goldfish_pdev_bus) | 82 | |
| backtrace:init | 84 | |
| backtrace:kernel_init_freeable | 84 | 87 |
| backtrace:pnp_register_driver | 84 | |
| backtrace:i8042_init | 84 | |
| backtrace:__platform_create_bundle | 84 | |
| BUG:KASAN:use-after-free_in_worker_thread_at_addr | 2 | |
| BUG:KASAN:wild-memory-access_on_address | 2 | |
| general_protection_fault:#[##]SMP_DEBUG_PAGEALLOC_KASAN | 2 | |
| RIP:worker_thread | 2 | |
| Kernel_panic-not_syncing:Fatal_exception | 2 | |
| BUG_radix_tree_node(Not_tainted):Object_padding_overwritten | 0 | 87 |
| BUG_inode_cache(Tainted:G_B):Object_padding_overwritten | 0 | 87 |
| BUG_bdev_cache(Tainted:G_B):Object_padding_overwritten | 0 | 87 |
| BUG_sighand_cache(Tainted:G_B):Object_padding_overwritten | 0 | 87 |
| BUG_proc_inode_cache(Tainted:G_B):Object_padding_overwritten | 0 | 87 |
| BUG_radix_tree_node(Tainted:G_B):Object_padding_overwritten | 0 | 87 |
| INFO:Object#@...set=#fp=0x(null) | 0 | 78 |
| BUG_shmem_inode_cache(Tainted:G_B):Object_padding_overwritten | 0 | 76 |
| BUG_sock_inode_cache(Tainted:G_B):Object_padding_overwritten | 0 | 55 |
| BUG_kmalloc-#(Tainted:G_B):Object_padding_overwritten | 0 | 51 |
| INFO:Allocated_in_pcpu_mem_zalloc_age=#cpu=#pid= | 0 | 51 |
| INFO:Allocated_in_do_set_mempolicy_age=#cpu=#pid= | 0 | 51 |
| INFO:Allocated_in_alloc_cpumask_var_node_age=#cpu=#pid= | 0 | 51 |
| INFO:Allocated_in_kzalloc_age=#cpu=#pid= | 0 | 51 |
| BUG_idr_layer_cache(Tainted:G_B):Object_padding_overwritten | 0 | 50 |
| INFO:Allocated_in_ida_pre_get_age=#cpu=#pid= | 0 | 50 |
| backtrace:__radix_tree_insert | 0 | 87 |
| backtrace:early_irq_init | 0 | 87 |
| backtrace:vfs_kern_mount | 0 | 87 |
| backtrace:mnt_init | 0 | 87 |
| backtrace:vfs_caches_init | 0 | 87 |
| backtrace:kern_mount_data | 0 | 87 |
| backtrace:bdev_cache_init | 0 | 87 |
| backtrace:nsfs_init | 0 | 87 |
| backtrace:_do_fork | 0 | 87 |
| backtrace:native_smp_prepare_cpus | 0 | 87 |
| backtrace:fork_idle | 0 | 14 |
| backtrace:idle_threads_init | 0 | 14 |
| backtrace:smp_init | 0 | 14 |
| backtrace:shmem_init | 0 | 76 |
| backtrace:do_mount | 0 | 67 |
| backtrace:SyS_mount | 0 | 67 |
| backtrace:devtmpfsd | 0 | 67 |
| backtrace:debugfs_create_dir | 0 | 66 |
| backtrace:regulator_init | 0 | 66 |
| backtrace:debugfs_create_file | 0 | 63 |
| backtrace:rdev_init_debugfs | 0 | 59 |
| backtrace:__platform_driver_register | 0 | 59 |
| backtrace:regulator_dummy_init | 0 | 59 |
| backtrace:debugfs_create_u32 | 0 | 57 |
| backtrace:sock_init | 0 | 54 |
| backtrace:__netlink_kernel_create | 0 | 52 |
| backtrace:rtnetlink_net_init | 0 | 52 |
| backtrace:ops_init | 0 | 52 |
| backtrace:register_pernet_subsys | 0 | 52 |
| backtrace:rtnetlink_init | 0 | 52 |
| backtrace:netlink_proto_init | 0 | 52 |
| backtrace:bdi_class_init | 0 | 52 |
| backtrace:uevent_net_init | 0 | 52 |
| backtrace:kobject_uevent_init | 0 | 52 |
| backtrace:regmap_initcall | 0 | 52 |
| backtrace:arch_kdebugfs_init | 0 | 52 |
| backtrace:debugfs_create_x16 | 0 | 51 |
| backtrace:debugfs_create_blob | 0 | 51 |
| backtrace:register_one_node | 0 | 5 |
| backtrace:topology_init | 0 | 5 |
| backtrace:pci_direct_probe | 0 | 46 |
| backtrace:pci_arch_init | 0 | 46 |
| INFO:Allocated_in__register_sysctl_paths_age=#cpu=#pid= | 0 | 12 |
| INFO:Allocated_in_allocate_cgrp_cset_links_age=#cpu=#pid= | 0 | 2 |
+---------------------------------------------------------------+------------+------------+
[ 0.000000] RCU: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=1
[ 0.000000] NR_IRQS:4352 nr_irqs:48 16
[ 0.000000] =============================================================================
[ 0.000000] BUG radix_tree_node (Not tainted): Object padding overwritten
[ 0.000000] -----------------------------------------------------------------------------
[ 0.000000]
[ 0.000000] Disabling lock debugging due to kernel taint
[ 0.000000] INFO: 0xffff880009c00390-0xffff880009c00390. First byte 0x58 instead of 0x5a
[ 0.000000] INFO: Slab 0xffffea0000270000 objects=17 used=17 fp=0x (null) flags=0x1fffff80004080
[ 0.000000] INFO: Object 0xffff880009c00008 @offset=8 fp=0xffff880009c003b8
[ 0.000000]
[ 0.000000] Redzone ffff880009c00000: bb bb bb bb bb bb bb bb ........
[ 0.000000] Object ffff880009c00008: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c00018: 00 00 00 00 00 00 00 00 20 00 c0 09 00 88 ff ff ........ .......
[ 0.000000] Object ffff880009c00028: 20 00 c0 09 00 88 ff ff 00 00 00 00 00 00 00 00 ...............
[ 0.000000] Object ffff880009c00038: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c00048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c00058: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c00068: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c00078: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c00088: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c00098: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c000a8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c000b8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c000c8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c000d8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c000e8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c000f8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c00108: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c00118: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c00128: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c00138: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c00148: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c00158: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c00168: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c00178: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c00188: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c00198: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c001a8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c001b8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c001c8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c001d8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c001e8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c001f8: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c00208: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c00218: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c00228: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Object ffff880009c00238: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[ 0.000000] Redzone ffff880009c00248: bb bb bb bb bb bb bb bb ........
[ 0.000000] Padding ffff880009c00388: 5a 5a 5a 5a 5a 5a 5a 5a 58 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZXZZZZZZZ
[ 0.000000] Padding ffff880009c00398: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
[ 0.000000] Padding ffff880009c003a8: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ
FYI, raw QEMU command line is:
qemu-system-x86_64 -enable-kvm -cpu Westmere -kernel /pkg/linux/x86_64-randconfig-s0-06160151/gcc-6/5bced26420be17f44647cbc17d0217ba1a564cd2/vmlinuz-4.7.0-rc4-00215-g5bced26 -append 'root=/dev/ram0 user=lkp job=/lkp/scheduled/vm-kbuild-yocto-ia32-23/validate_boot-1-yocto-minimal-i386.cgz-x86_64-randconfig-s0-06160151-5bced26420be17f44647cbc17d0217ba1a564cd2-20160629-38918-1pxnsf3-31.yaml ARCH=x86_64 kconfig=x86_64-randconfig-s0-06160151 branch=linux-devel/devel-hourly-2016061522 commit=5bced26420be17f44647cbc17d0217ba1a564cd2 BOOT_IMAGE=/pkg/linux/x86_64-randconfig-s0-06160151/gcc-6/5bced26420be17f44647cbc17d0217ba1a564cd2/vmlinuz-4.7.0-rc4-00215-g5bced26 max_uptime=600 RESULT_ROOT=/result/boot/1/vm-kbuild-yocto-ia32/yocto-minimal-i386.cgz/x86_64-randconfig-s0-06160151/gcc-6/5bced26420be17f44647cbc17d0217ba1a564cd2/31 LKP_SERVER=inn earlyprintk=ttyS0,115200 systemd.log_level=err debug apic=debug sysrq_always_enabled rcupdate.rcu_cpu_stall_timeout=100 panic=-1 softlockup_panic=1 nmi_watchdog=panic oops=panic load_ramdisk=2 prompt_ramdisk=0 console=ttyS0,115200 console=tty0 vga=normal rw ip=::::vm-kbuild-yocto-ia32-23::dhcp drbd.minor_count=8' -initrd /fs/sda1/initrd-vm-kbuild-yocto-ia32-23 -m 320 -smp 1 -device e1000,netdev=net0 -netdev user,id=net0 -boot order=nc -no-reboot -watchdog i6300esb -rtc base=localtime -drive file=/fs/sda1/disk0-vm-kbuild-yocto-ia32-23,media=disk,if=virtio -pidfile /dev/shm/kboot/pid-vm-kbuild-yocto-ia32-23 -serial file:/dev/shm/kboot/serial-vm-kbuild-yocto-ia32-23 -daemonize -display none -monitor null
Thanks,
Xiaolong
View attachment "config-4.7.0-rc4-00215-g5bced26" of type "text/plain" (96767 bytes)
Download attachment "dmesg.xz" of type "application/octet-stream" (61356 bytes)