Date:   Wed, 29 Nov 2017 13:21:06 +0800
From:   Fengguang Wu <fengguang.wu@...el.com>
To:     Andrey Ryabinin <aryabinin@...tuozzo.com>
Cc:     wfg@...ux.intel.com, Pavel Tatashin <pasha.tatashin@...cle.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Linux Memory Management List <linux-mm@...ck.org>,
        linux-kernel@...r.kernel.org, kasan-dev@...glegroups.com,
        LKP <lkp@...org>
Subject: d17a1d97dc ("x86/mm/kasan: don't use vmemmap_populate() to
 initialize shadow"): BUG: KASAN: use-after-scope in __drm_mm_interval_first

Greetings,

0day kernel testing robot got the below dmesg and the first bad commit is

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

commit d17a1d97dc208d664c91cc387ffb752c7f85dc61
Author:     Andrey Ryabinin <aryabinin@...tuozzo.com>
AuthorDate: Wed Nov 15 17:36:35 2017 -0800
Commit:     Linus Torvalds <torvalds@...ux-foundation.org>
CommitDate: Wed Nov 15 18:21:05 2017 -0800

     x86/mm/kasan: don't use vmemmap_populate() to initialize shadow
     
     The kasan shadow is currently mapped using vmemmap_populate() since that
     provides a semi-convenient way to map pages into init_top_pgt.  However,
     since that no longer zeroes the mapped pages, it is not suitable for
     kasan, which requires zeroed shadow memory.
     
     Add kasan_populate_shadow() interface and use it instead of
     vmemmap_populate().  Besides, this allows us to take advantage of
     gigantic pages and use them to populate the shadow, which should save us
     some memory wasted on page tables and reduce TLB pressure.
     
     Link: http://lkml.kernel.org/r/20171103185147.2688-2-pasha.tatashin@oracle.com
     Signed-off-by: Andrey Ryabinin <aryabinin@...tuozzo.com>
     Signed-off-by: Pavel Tatashin <pasha.tatashin@...cle.com>
     Cc: Steven Sistare <steven.sistare@...cle.com>
     Cc: Daniel Jordan <daniel.m.jordan@...cle.com>
     Cc: Bob Picco <bob.picco@...cle.com>
     Cc: Michal Hocko <mhocko@...e.com>
     Cc: Alexander Potapenko <glider@...gle.com>
     Cc: Ard Biesheuvel <ard.biesheuvel@...aro.org>
     Cc: Catalin Marinas <catalin.marinas@....com>
     Cc: Christian Borntraeger <borntraeger@...ibm.com>
     Cc: David S. Miller <davem@...emloft.net>
     Cc: Dmitry Vyukov <dvyukov@...gle.com>
     Cc: Heiko Carstens <heiko.carstens@...ibm.com>
     Cc: "H. Peter Anvin" <hpa@...or.com>
     Cc: Ingo Molnar <mingo@...hat.com>
     Cc: Mark Rutland <mark.rutland@....com>
     Cc: Matthew Wilcox <willy@...radead.org>
     Cc: Mel Gorman <mgorman@...hsingularity.net>
     Cc: Michal Hocko <mhocko@...nel.org>
     Cc: Sam Ravnborg <sam@...nborg.org>
     Cc: Thomas Gleixner <tglx@...utronix.de>
     Cc: Will Deacon <will.deacon@....com>
     Signed-off-by: Andrew Morton <akpm@...ux-foundation.org>
     Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org>

a4a3ede213  mm: zero reserved and unavailable struct pages
d17a1d97dc  x86/mm/kasan: don't use vmemmap_populate() to initialize shadow
43570f0383  Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
5bef2980ad  Add linux-next specific files for 20171128
+-------------------------------------------------------+------------+------------+------------+---------------+
|                                                       | a4a3ede213 | d17a1d97dc | 43570f0383 | next-20171128 |
+-------------------------------------------------------+------------+------------+------------+---------------+
| boot_successes                                        | 30         | 0          | 0          | 0             |
| boot_failures                                         | 8          | 15         | 19         | 2             |
| WARNING:at_drivers/pci/pci-sysfs.c:#pci_mmap_resource | 8          |            |            |               |
| RIP:pci_mmap_resource                                 | 8          |            |            |               |
| BUG:KASAN:use-after-scope_in__drm_mm_interval_first   | 0          | 15         | 19         | 2             |
+-------------------------------------------------------+------------+------------+------------+---------------+

[   27.628251] AMD IOMMUv2 functionality not available on this system
[   27.631925] drm_mm: Testing DRM range manger (struct drm_mm), with random_seed=0x248e657d max_iterations=8192 max_prime=128
[   27.633191] drm_mm: igt_sanitycheck - ok!
[   79.880445] Writes:  Total: 2  Max/Min: 0/0   Fail: 0 
[  103.749567] ==================================================================
[  103.750064] BUG: KASAN: use-after-scope in __drm_mm_interval_first+0xbb/0x1bf
[  103.750064] Read of size 8 at addr ffff880016577c08 by task swapper/0/1
[  103.750064] 
[  103.750064] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.14.0-04319-gd17a1d9 #1
[  103.750064] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[  103.750064] Call Trace:
[  103.750064]  ? dump_stack+0xd1/0x16c
[  103.750064]  ? _atomic_dec_and_lock+0x10f/0x10f
[  103.750064]  ? print_address_description+0x93/0x22e
[  103.750064]  ? __drm_mm_interval_first+0xbb/0x1bf
[  103.750064]  ? kasan_report+0x219/0x23f
[  103.750064]  ? __drm_mm_interval_first+0xbb/0x1bf
[  103.750064]  ? assert_continuous+0x13c/0x22f
[  103.750064]  ? drm_mm_replace_node+0x210/0x3ed
[  103.750064]  ? __igt_insert+0x5af/0xb3a
[  103.750064]  ? igt_bottomup+0x9e6/0x9e6
[  103.750064]  ? kvm_clock_read+0x21/0x29
[  103.750064]  ? kvm_sched_clock_read+0x5/0xd
[  103.750064]  ? sched_clock+0x5/0x8
[  103.750064]  ? sched_clock_local+0x36/0xe8
[  103.750064]  ? sched_clock_cpu+0x123/0x13f
[  103.750064]  ? rcu_irq_enter_disabled+0x8/0x8
[  103.750064]  ? next_prime_number+0x33f/0x368
[  103.750064]  ? rcu_note_context_switch+0x267/0x267
[  103.750064]  ? igt_replace+0x45/0xa9
[  103.750064]  ? test_drm_mm_init+0x112/0x164
[  103.750064]  ? drm_kms_helper_init+0x5/0x5
[  103.750064]  ? do_one_initcall+0xe7/0x1ef
[  103.750064]  ? initcall_blacklisted+0x15d/0x15d
[  103.750064]  ? up_read+0x2c/0x2c
[  103.750064]  ? kasan_unpoison_shadow+0xf/0x2e
[  103.750064]  ? kernel_init_freeable+0x2a8/0x33b
[  103.750064]  ? rest_init+0x24f/0x24f
[  103.750064]  ? kernel_init+0x7/0xfe
[  103.750064]  ? rest_init+0x24f/0x24f
[  103.750064]  ? ret_from_fork+0x24/0x30
[  103.750064] 
[  103.750064] The buggy address belongs to the page:
[  103.750064] page:ffff88001b1e3208 count:0 mapcount:0 mapping:          (null) index:0x0
[  103.750064] flags: 0x401fff800000()
[  103.750064] raw: 0000401fff800000 0000000000000000 0000000000000000 00000000ffffffff

                                                           # HH:MM RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
git bisect start 4fbd8d194f06c8a3fd2af1ce560ddb31f7ec8323 v4.14 --
git bisect  bad 93ea0eb7d77afab34657715630d692a78b8cea6a  # 04:25  B      0     1   15   0  Merge tag 'leaks-4.15-rc1' of git://github.com/tcharding/linux
git bisect good 32190f0afbf4f1c0a9142e5a886a078ee0b794fd  # 04:53  G     11     0    3   3  Merge tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/fscrypt
git bisect good 37cb8e1f8e10c6e9bd2a1b95cdda0620a21b0551  # 05:10  G     11     0    2   2  Merge tag 'devicetree-for-4.15' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux
git bisect good 6c4ba00c40d5acb17f32d4b7e02dbcd21f336d9f  # 05:26  G     11     0    1   1  Merge tag 'hsi-for-4.15' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-hsi
git bisect good 766ec76a27aa9dfdfee3a80f29ddc1f7539c71f9  # 05:38  G     11     0    2   2  Merge branch 'for-4.15' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu
git bisect good 1b6115fbe3b3db746d7baa11399dd617fc75e1c4  # 06:00  G     11     0    3   3  Merge tag 'pci-v4.15-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci
git bisect good 6363b3f3ac5be096d08c8c504128befa0c033529  # 06:17  G     11     0    4   4  Merge tag 'ipmi-for-4.15' of git://github.com/cminyard/linux-ipmi
git bisect  bad 7c225c69f86c934e3be9be63ecde754e286838d7  # 06:30  B      0    11   25   0  Merge branch 'akpm' (patches from Andrew)
git bisect good 4be90299a1693c2112edb20ca78d6cc9f2183326  # 06:51  G     11     0    0   0  ceph: use pagevec_lookup_range_nr_tag()
git bisect  bad 76253fbc8fbf6018401755fc5c07814a837cc832  # 07:11  B      0     1   15   0  mm: move accounting updates before page_cache_tree_delete()
git bisect good 353b1e7b5859e98860f984d8894fa7ddc242a90e  # 08:16  G     11     0    2   2  x86/mm: set fields in deferred pages
git bisect  bad 78c943662f4b1d53ddbfc515e427827915781377  # 08:43  B      0    11   25   0  sparc64: optimize struct page zeroing
git bisect good a4a3ede2132ae0863e2d43e06f9b5697c51a7a3b  # 08:58  G     11     0    2   2  mm: zero reserved and unavailable struct pages
git bisect  bad e17d8025f07e4fd9d73b137a8bcab04548126b83  # 09:19  B      0    11   29   4  arm64/mm/kasan: don't use vmemmap_populate() to initialize shadow
git bisect  bad d17a1d97dc208d664c91cc387ffb752c7f85dc61  # 09:43  B      0    11   25   0  x86/mm/kasan: don't use vmemmap_populate() to initialize shadow
# first bad commit: [d17a1d97dc208d664c91cc387ffb752c7f85dc61] x86/mm/kasan: don't use vmemmap_populate() to initialize shadow
git bisect good a4a3ede2132ae0863e2d43e06f9b5697c51a7a3b  # 09:50  G     32     0    6   8  mm: zero reserved and unavailable struct pages
# extra tests with debug options
git bisect  bad d17a1d97dc208d664c91cc387ffb752c7f85dc61  # 10:21  B      0     5   24   4  x86/mm/kasan: don't use vmemmap_populate() to initialize shadow
# extra tests on HEAD of linux-devel/devel-catchup-201711282153
git bisect  bad 2f623f1c616f6504ca8f87cd851c0512b7afd343  # 10:21  B      0    13   30   0  0day head guard for 'devel-catchup-201711282153'
# extra tests on tree/branch linus/master
git bisect  bad 43570f0383d6d5879ae585e6c3cf027ba321546f  # 10:45  B      0     5   19   0  Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
# extra tests with first bad commit reverted
git bisect good 749d726ffd5b18e874a743c6195801a55ddf1077  # 11:38  G     10     0    1   1  Revert "x86/mm/kasan: don't use vmemmap_populate() to initialize shadow"
# extra tests on tree/branch linux-next/master
git bisect  bad 5bef2980adef8a6032d4f4709aebe9486181052f  # 11:38  B      0     2   16   0  Add linux-next specific files for 20171128

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/lkp                          Intel Corporation

Download attachment "dmesg-yocto-ivb41-109:20171129093120:x86_64-randconfig-s5-11282011:4.14.0-04319-gd17a1d9:1.gz" of type "application/gzip" (13351 bytes)

View attachment "reproduce-yocto-ivb41-109:20171129093120:x86_64-randconfig-s5-11282011:4.14.0-04319-gd17a1d9:1" of type "text/plain" (902 bytes)

View attachment "config-4.14.0-04319-gd17a1d9" of type "text/plain" (95211 bytes)
