Message-ID: <20161009055523.GA2613@yexl-desktop>
Date: Sun, 9 Oct 2016 13:55:24 +0800
From: kernel test robot <xiaolong.ye@...el.com>
To: Nikolay Borisov <kernel@...p.com>
Cc: ebiederm@...ssion.com, john@...nmccutchan.com,
eparis@...isplace.org, viro@...iv.linux.org.uk, jack@...e.cz,
serge@...lyn.com, avagin@...nvz.org, linux-kernel@...r.kernel.org,
containers@...ts.linux-foundation.org,
Nikolay Borisov <kernel@...p.com>, lkp@...org
Subject: [lkp] [inotify] 1109954e99: BUG kmalloc-512 (Not tainted): Freepointer corrupt

FYI, we noticed the following commit:

https://github.com/0day-ci/linux Nikolay-Borisov/inotify-Convert-to-using-per-namespace-limits/20161007-184900
commit 1109954e99c57a13814a9c1ebb3f01c53b48091f ("inotify: Convert to using per-namespace limits")

in testcase: trinity
with following parameters:

        runtime: 300s

Trinity is a linux system call fuzz tester.

on test machine: qemu-system-x86_64 -enable-kvm -cpu IvyBridge -m 360M

caused below changes:

+----------------------------------------------------------------------------+------------+------------+
| | 3477d168ba | 1109954e99 |
+----------------------------------------------------------------------------+------------+------------+
| boot_successes | 19 | 5 |
| boot_failures | 11 | 29 |
| invoked_oom-killer:gfp_mask=0x | 8 | 3 |
| Mem-Info | 8 | 3 |
| BUG:kernel_reboot-without-warning_in_test_stage | 1 | 3 |
| Kernel_panic-not_syncing:VFS:Unable_to_mount_root_fs_on_unknown-block(#,#) | 2 | 2 |
| calltrace:prepare_namespace | 2 | 2 |
| BUG_kmalloc-#(Not_tainted):Freepointer_corrupt | 0 | 18 |
| INFO:Allocated_in_setup_userns_sysctls_age=#cpu=#pid= | 0 | 18 |
| INFO:Freed_in_qlist_free_all_age=#cpu=#pid= | 0 | 15 |
| INFO:Slab#objects=#used=#fp=#flags= | 0 | 14 |
| INFO:Object#@...set=#fp= | 0 | 18 |
| calltrace:SyS_lgetxattr | 0 | 1 |
| RIP:__kmalloc | 0 | 1 |
| calltrace:virtio_pci_driver_init | 0 | 4 |
| Kernel_panic-not_syncing:softlockup:hung_tasks | 0 | 4 |
| calltrace:SyS_clone | 0 | 11 |
| calltrace:SyS_listxattr | 0 | 1 |
| BUG_kmalloc-#(Tainted:G_B):Freepointer_corrupt | 0 | 2 |
| INFO:Slab#objects=#used=#fp=0x(null)flags= | 0 | 4 |
| RIP:memcmp | 0 | 1 |
| RIP:unwind_get_return_address | 0 | 1 |
| RIP:_raw_spin_unlock_irqrestore | 0 | 1 |
| calltrace:SyS_add_key | 0 | 1 |
| calltrace:SyS_fchownat | 0 | 1 |
| calltrace:SyS_chown | 0 | 1 |
| calltrace:SyS_chown16 | 0 | 1 |
| calltrace:SyS_setfsgid | 0 | 1 |
| calltrace:SyS_setfsgid16 | 0 | 1 |
| calltrace:SyS_fgetxattr | 0 | 1 |
| calltrace:SyS_setgid | 0 | 1 |
+----------------------------------------------------------------------------+------------+------------+
[ 35.734332] VFS: Warning: trinity-c0 using old stat() call. Recompile your binary.
[ 35.757516] VFS: Warning: trinity-c2 using old stat() call. Recompile your binary.
[ 39.409080] =============================================================================
[ 39.411116] BUG kmalloc-512 (Not tainted): Freepointer corrupt
[ 39.414680] -----------------------------------------------------------------------------
[ 39.414680]
[ 39.417417] Disabling lock debugging due to kernel taint
[ 39.418853] INFO: Allocated in setup_userns_sysctls+0x43/0xac age=25 cpu=0 pid=1716
[ 39.431035] INFO: Freed in qlist_free_all+0x7e/0xca age=36 cpu=0 pid=1719
[ 39.448221] INFO: Slab 0xffffea00002e0a00 objects=9 used=7 fp=0xffff88000b829b08 flags=0x4000000000004081
[ 39.450623] INFO: Object 0xffff88000b8286c8 @offset=1736 fp=0xffff88000c3781b0
[ 39.450623]
[ 39.552214] CPU: 0 PID: 1717 Comm: trinity-c1 Tainted: G B 4.8.0-09432-g1109954 #1
[ 39.554401] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Debian-1.8.2-1 04/01/2014
[ 39.556611] ffff88000b1377b8 ffffffff9af67c6e ffff88000b1377e8 ffffffff9ad48ae9
[ 39.559019] ffff880010402cc0 ffffea00002e0a00 ffff88000b8286c8 0000000000000350
[ 39.561466] ffff88000b137818 ffffffff9ad48c30 ffff88000b8286c8 ffff880010402cc0
[ 39.563880] Call Trace:
[ 39.564673] [<ffffffff9af67c6e>] dump_stack+0x19/0x1b
[ 39.565973] [<ffffffff9ad48ae9>] print_trailer+0x175/0x17e
[ 39.567355] [<ffffffff9ad48c30>] object_err+0x35/0x3d
[ 39.568656] [<ffffffff9ad48fe1>] check_object+0x1db/0x1ff
[ 39.570038] [<ffffffff9ad48c82>] ? on_freelist+0x4a/0x1ce
[ 39.571401] [<ffffffff9ad4e6ca>] ? qlist_free_all+0x7e/0xca
[ 39.572785] [<ffffffff9ad4e6ca>] ? qlist_free_all+0x7e/0xca
[ 39.574180] [<ffffffff9ad4adb3>] free_debug_processing+0xbf/0x1ef
[ 39.575681] [<ffffffff9ad4af1d>] __slab_free+0x3a/0x27f
[ 39.577023] [<ffffffff9ad4b62b>] ___cache_free+0x9c/0xa3
[ 39.578497] [<ffffffff9ad4e6e7>] qlist_free_all+0x9b/0xca
[ 39.579854] [<ffffffff9ad4ea00>] quarantine_reduce+0x214/0x226
[ 39.581239] [<ffffffff9ad4896c>] ? init_object+0x73/0x7b
[ 39.582570] [<ffffffff9ad4acaf>] ? alloc_debug_processing+0xb6/0xfb
[ 39.584085] [<ffffffff9ad4d493>] kasan_kmalloc+0x2b/0xac
[ 39.585427] [<ffffffff9ad4d523>] kasan_slab_alloc+0xf/0x11
[ 39.586799] [<ffffffff9ad49c22>] slab_post_alloc_hook+0x38/0x4a
[ 39.588251] [<ffffffff9ac8ee0e>] ? copy_process+0x12a/0x14ae
[ 39.589643] [<ffffffff9ad4bf7c>] kmem_cache_alloc+0xc4/0xd5
[ 39.591023] [<ffffffff9ac8ee0e>] copy_process+0x12a/0x14ae
[ 39.592402] [<ffffffff9ac8eb1a>] ? __mmdrop+0xc4/0xd1
[ 39.593718] [<ffffffff9ad2c65c>] ? wp_page_reuse+0x54/0xbf
[ 39.595093] [<ffffffff9ad2ea24>] ? do_wp_page+0x2a4/0x413

To reproduce:

        git clone git://git.kernel.org/pub/scm/linux/kernel/git/wfg/lkp-tests.git
        cd lkp-tests
        bin/lkp install job.yaml  # job file is attached in this email
        bin/lkp run job.yaml

Thanks,
Xiaolong

View attachment "config-4.8.0-09432-g1109954" of type "text/plain" (88575 bytes)
View attachment "job-script" of type "text/plain" (3758 bytes)
Download attachment "dmesg.xz" of type "application/octet-stream" (11136 bytes)
View attachment "job.yaml" of type "text/plain" (2954 bytes)