Message-ID: <59935ec6.mgYiO+P4FsF6na1M%fengguang.wu@intel.com>
Date: Wed, 16 Aug 2017 04:51:18 +0800
From: kernel test robot <fengguang.wu@...el.com>
To: Peter Zijlstra <peterz@...radead.org>
Cc: LKP <lkp@...org>, linux-kernel@...r.kernel.org,
Ingo Molnar <mingo@...nel.org>, wfg@...ux.intel.com
Subject: 2e44b7ddf8 ("sched/clock: Use late_initcall() instead of .."):
BUG: KASAN: use-after-free in __lock_acquire

Greetings,

0day kernel testing robot got the below dmesg and the first bad commit is

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

commit 2e44b7ddf8ab01cf98106c68388f87af15fbde73
Author: Peter Zijlstra <peterz@...radead.org>
AuthorDate: Fri Apr 21 12:46:57 2017 +0200
Commit: Ingo Molnar <mingo@...nel.org>
CommitDate: Mon May 15 10:15:21 2017 +0200

sched/clock: Use late_initcall() instead of sched_init_smp()

Core2 marks its TSC unstable in ACPI Processor Idle, which is probed
after sched_init_smp(). Luckily it appears both acpi_processor and
intel_idle (which has a similar check) are mandatory built-in.

This means we can delay switching to stable until after these drivers
have run (if they were modules, this would be impossible).

Delay the stable switch to late_initcall() to allow these drivers to
mark TSC unstable and avoid difficult stable->unstable transitions.

Reported-by: Lofstedt, Marta <marta.lofstedt@...el.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@...radead.org>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Mike Galbraith <efault@....de>
Cc: Peter Zijlstra <peterz@...radead.org>
Cc: Rafael J . Wysocki <rafael.j.wysocki@...el.com>
Cc: Thomas Gleixner <tglx@...utronix.de>
Cc: linux-kernel@...r.kernel.org
Signed-off-by: Ingo Molnar <mingo@...nel.org>
f9fccdb9ef cpuidle: Fix idle time tracking
2e44b7ddf8 sched/clock: Use late_initcall() instead of sched_init_smp()
fcd0735000 Merge tag 'md/4.13-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md
497247033e Add linux-next specific files for 20170815
+------------------------------------------------------------------+------------+------------+------------+---------------+
| | f9fccdb9ef | 2e44b7ddf8 | fcd0735000 | next-20170815 |
+------------------------------------------------------------------+------------+------------+------------+---------------+
| boot_successes | 1010 | 898 | 898 | 128 |
| boot_failures | 0 | 12 | 19 | 23 |
| BUG:workqueue_lockup-pool | 0 | 11 | 12 | 20 |
| BUG:KASAN:use-after-free | 0 | 1 | 2 | 1 |
| BUG:kernel_hang_in_test_stage | 0 | 0 | 2 | |
| invoked_oom-killer:gfp_mask=0x | 0 | 0 | 2 | |
| Mem-Info | 0 | 0 | 2 | |
| Kernel_panic-not_syncing:Out_of_memory_and_no_killable_processes | 0 | 0 | 2 | |
| IP-Config:Auto-configuration_of_network_failed | 0 | 0 | 1 | 2 |
+------------------------------------------------------------------+------------+------------+------------+---------------+
[ 106.691111] DS1WM w1 busmaster driver - (c) 2004 Szabolcs Gyurko
[ 106.698746] input: ImExPS/2 Generic Explorer Mouse as /devices/platform/i8042/serio1/input/input3
[ 106.699333] evbug: Connected device: input3 (ImExPS/2 Generic Explorer Mouse at isa0060/serio1/input0)
[ 106.700852] evbug: Disconnected device: input3
[ 106.834193] ==================================================================
[ 106.836370] BUG: KASAN: use-after-free in __lock_acquire+0x1d7/0x1f4b
[ 106.836869] Read of size 8 at addr ffff880011b35168 by task kworker/u2:0/5
[ 106.836869]
[ 106.836869] CPU: 0 PID: 5 Comm: kworker/u2:0 Not tainted 4.12.0-rc1-00012-g2e44b7d #1
[ 106.836869] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.3-20161025_171302-gandalf 04/01/2014
[ 106.836869] Workqueue: usbip_event event_handler
[ 106.836869] Call Trace:
[ 106.836869] dump_stack+0x19/0x1b
[ 106.836869] print_address_description+0x57/0x211
[ 106.836869] kasan_report+0x1ce/0x1ee
[ 106.836869] ? __lock_acquire+0x1d7/0x1f4b
[ 106.836869] __asan_report_load8_noabort+0x14/0x16
[ 106.836869] __lock_acquire+0x1d7/0x1f4b
[ 106.836869] ? vprintk_default+0x18/0x1a
[ 106.836869] ? vprintk_func+0x3a/0x3c
[ 106.836869] ? __wake_up+0x1d/0x46
[ 106.836869] ? debug_show_all_locks+0x228/0x228
[ 106.836869] ? __dynamic_pr_debug+0xf4/0x127
[ 106.836869] ? ddebug_proc_start+0x19d/0x19d
[ 106.836869] ? find_held_lock+0x33/0x100
[ 106.836869] ? mark_lock+0x2c/0x2fb
[ 106.836869] ? lock_release+0x4a0/0x510
[ 106.836869] lock_acquire+0xe5/0x146
[ 106.836869] ? lock_acquire+0xe5/0x146
[ 106.836869] ? __wake_up+0x1d/0x46
[ 106.836869] _raw_spin_lock_irqsave+0x41/0x53
[ 106.836869] ? __wake_up+0x1d/0x46
[ 106.836869] __wake_up+0x1d/0x46
[ 106.836869] event_handler+0x203/0x303
[ 106.836869] process_one_work+0x534/0x7d2
[ 106.836869] ? pwq_dec_nr_in_flight+0x22a/0x22a
[ 106.836869] worker_thread+0x4e1/0x619
[ 106.836869] kthread+0x2fa/0x30a
[ 106.836869] ? process_scheduled_works+0x71/0x71
[ 106.836869] ? init_completion+0x49/0x49
[ 106.836869] ret_from_fork+0x31/0x40
[ 106.836869]
[ 106.836869] Allocated by task 1:
[ 106.836869] save_stack_trace+0x15/0x17
[ 106.836869] save_stack+0x46/0xd6
[ 106.836869] kasan_kmalloc+0x93/0xa2
[ 106.836869] __kmalloc+0x11b/0x12e
[ 106.836869] kzalloc+0xe/0x10
[ 106.836869] __usb_create_hcd+0x51/0x860
[ 106.836869] usb_create_hcd+0x12/0x14
[ 106.836869] vhci_hcd_probe+0x110/0x1fa
[ 106.836869] platform_drv_probe+0x7c/0xee
[ 106.836869] driver_probe_device+0x424/0xaef
[ 106.836869] __device_attach_driver+0x164/0x1e0
[ 106.836869] bus_for_each_drv+0x109/0x183
[ 106.836869] __device_attach+0x169/0x226
[ 106.836869] device_initial_probe+0xe/0x10
[ 106.836869] bus_probe_device+0xad/0x1dd
[ 106.836869] device_add+0x8e8/0xd42
[ 106.836869] platform_device_add+0x3d7/0x567
[ 106.836869] platform_device_register_full+0x327/0x3a4
[ 106.836869] vhci_hcd_init+0x124/0x1ed
[ 106.836869] do_one_initcall+0x10d/0x1f3
[ 106.836869] kernel_init_freeable+0x243/0x2ec
[ 106.836869] kernel_init+0xc/0xfb
[ 106.836869] ret_from_fork+0x31/0x40
[ 106.836869]
[ 106.836869] Freed by task 1:
[ 106.836869] save_stack_trace+0x15/0x17
[ 106.836869] save_stack+0x46/0xd6
[ 106.836869] kasan_slab_free+0x79/0x9c
[ 106.836869] slab_free_freelist_hook+0x6f/0x8b
[ 106.836869] kfree+0x75/0xf3
[ 106.836869] usb_put_hcd+0x12e/0x133
[ 106.836869] vhci_hcd_remove+0x47/0x4c
[ 106.836869] platform_drv_remove+0x6d/0x88
[ 106.836869] driver_probe_device+0x4ae/0xaef
[ 106.836869] __device_attach_driver+0x164/0x1e0
[ 106.836869] bus_for_each_drv+0x109/0x183
[ 106.836869] __device_attach+0x169/0x226
[ 106.836869] device_initial_probe+0xe/0x10
[ 106.836869] bus_probe_device+0xad/0x1dd
[ 106.836869] device_add+0x8e8/0xd42
[ 106.836869] platform_device_add+0x3d7/0x567
[ 106.836869] platform_device_register_full+0x327/0x3a4
[ 106.836869] vhci_hcd_init+0x124/0x1ed
[ 106.836869] do_one_initcall+0x10d/0x1f3
[ 106.836869] kernel_init_freeable+0x243/0x2ec
[ 106.836869] kernel_init+0xc/0xfb
[ 106.836869] ret_from_fork+0x31/0x40
[ 106.836869]
[ 106.836869] The buggy address belongs to the object at ffff880011b34200
[ 106.836869] which belongs to the cache kmalloc-8192 of size 8192
# HH:MM RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
git bisect start 520eccdfe187591a51ea9ab4c1a024ae4d0f68d9 v4.12 --
git bisect bad 7cb328c30a71a450278031f932d2134c11165f4c # 20:45 B 295 1 0 18 Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
git bisect bad c96e6dabfbdb241e32b3c588dbfa1ccb87d2c95a # 20:45 B 307 2 0 5 Merge tag 'gfs2-4.13.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2
git bisect bad 974668417b74ec5f68df2411f53b3d3812565059 # 20:45 B 308 2 0 4 Merge tag 'driver-core-4.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
git bisect bad e1449007e83f18db4470194232812ae524d64d79 # 20:45 B 307 3 0 4 Merge branch 'x86-hyperv-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
git bisect good 7447d56217e215e50317f308aee1ed293ac4f749 # 23:20 G 902 0 0 3 Merge branch 'perf-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
git bisect bad 48b5259cf0a2b86b978da122f9459e22a2d1e8f6 # 00:02 B 439 1 0 33 Merge branch 'x86-asm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
git bisect bad 59b60185b4a1adc46b115291dc34af2186cc9678 # 00:56 B 84 1 0 4 Merge branch 'timers-nohz-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
git bisect bad 9bd42183b951051f73de121f7ee17091e7d26fbb # 01:41 B 39 1 0 2 Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
git bisect bad b903dfb277c09e53d499480e9670557dcce36fbd # 05:32 B 231 1 0 0 iommu/of: Adjust system_state check
git bisect bad 35a566e6e8a18c3bc16229abeac146a707b8f216 # 07:53 B 110 1 1 1 sched/topology: Add a few comments
git bisect bad 8c0334697dc37eb3d6d7632304d3a3662248daac # 12:20 B 180 1 0 0 sched/topology: Refactor function build_overlap_sched_groups()
git bisect good cf15ca8deda86b27b66e27848b4b0fe58098fc0b # 00:50 G 900 0 0 0 sched/clock: Initialize all per-CPU state before switching (back) to unstable
git bisect good 3067a33d5fec856bb297d58e7f03411d060ccdee # 04:52 G 900 0 7 7 sched/clock: Remove watchdog touching
git bisect bad 2e44b7ddf8ab01cf98106c68388f87af15fbde73 # 06:25 B 363 1 11 11 sched/clock: Use late_initcall() instead of sched_init_smp()
git bisect good f9fccdb9efef60dbcf84d493514b475c41aa866f # 12:33 G 905 0 0 0 cpuidle: Fix idle time tracking
# first bad commit: [2e44b7ddf8ab01cf98106c68388f87af15fbde73] sched/clock: Use late_initcall() instead of sched_init_smp()
git bisect good f9fccdb9efef60dbcf84d493514b475c41aa866f # 13:14 G 1000 0 0 0 cpuidle: Fix idle time tracking
# extra tests with CONFIG_DEBUG_INFO_REDUCED
git bisect bad 2e44b7ddf8ab01cf98106c68388f87af15fbde73 # 17:05 B 536 1 32 32 sched/clock: Use late_initcall() instead of sched_init_smp()
# extra tests on HEAD of linux-devel/devel-catchup-201708121943
git bisect bad 3a60eadc8a77b3e3ec30f813007ea23eeaece4bd # 17:06 B 98 2 0 18 0day head guard for 'devel-catchup-201708121943'
# extra tests on tree/branch linus/master
git bisect bad fcd07350007bdcc0aab506fb9b5703fad48a6521 # 21:05 B 328 1 12 18 Merge tag 'md/4.13-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md
# extra tests with first bad commit reverted
git bisect good d9e539d81abe766b307e221cb6fd13df46ac7708 # 04:00 G 903 0 0 0 Revert "sched/clock: Use late_initcall() instead of sched_init_smp()"
# extra tests on tree/branch linux-next/master
git bisect bad 497247033eb19f49b7cbdfa68387351b8d34f923 # 04:50 B 146 1 20 24 Add linux-next specific files for 20170815
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/lkp Intel Corporation
Download attachment "dmesg-yocto-intel12-39:20170815062429:x86_64-randconfig-s5-08121922:4.12.0-rc1-00012-g2e44b7d:1.gz" of type "application/gzip" (45338 bytes)
View attachment "reproduce-yocto-intel12-39:20170815062429:x86_64-randconfig-s5-08121922:4.12.0-rc1-00012-g2e44b7d:1" of type "text/plain" (903 bytes)
View attachment "config-4.12.0-rc1-00012-g2e44b7d" of type "text/plain" (115721 bytes)