lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20171130034139.o5br7xc57buhnseb@wfg-t540p.sh.intel.com>
Date:   Thu, 30 Nov 2017 11:41:39 +0800
From:   Fengguang Wu <fengguang.wu@...el.com>
To:     Jason Baron <jbaron@...mai.com>
Cc:     Shakeel Butt <shakeelb@...gle.com>, Lee Duncan <lduncan@...e.com>,
        Chris Leech <cleech@...hat.com>,
        "James E.J. Bottomley" <jejb@...ux.vnet.ibm.com>,
        "Martin K. Petersen" <martin.petersen@...cle.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        open-iscsi@...glegroups.com, linux-scsi@...r.kernel.org,
        linux-kernel@...r.kernel.org, lkp@...org
Subject: BUG: KASAN: use-after-scope in ep_poll+0x5cd/0xc90

Hello,

FYI this happens in mainline kernel 4.15.0-rc1.
It looks a new regression and bisect is on the way.

It occurs in 3 out of 3 boots.

[   35.704690] init: Failed to create pty - disabling logging for job
[   35.706676] init: Temporary process spawn error: No such file or directory
[   35.731988] init: Failed to create pty - disabling logging for job
[   35.734084] init: Temporary process spawn error: No such file or directory
[   35.737946] ==================================================================
[   35.739635] BUG: KASAN: use-after-scope in ep_poll+0x5cd/0xc90:
						ep_send_events at fs/eventpoll.c:1700
						 (inlined by) ep_poll at fs/eventpoll.c:1829
[   35.740945] Write of size 16 at addr ffff88001018fde8 by task plymouthd/174
[   35.742422]
[   35.742913] CPU: 1 PID: 174 Comm: plymouthd Not tainted 4.15.0-rc1 #149
[   35.744333] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[   35.746146] Call Trace:
[   35.746823]  dump_stack+0x17d/0x25a:
						dump_stack at lib/dump_stack.c:55
[   35.747676]  ? _atomic_dec_and_lock+0x296/0x296:
						dump_stack at lib/dump_stack.c:29
[   35.748714]  ? printk+0x94/0xb0:
						printk at kernel/printk/printk.c:1824
[   35.749489]  ? cpumask_weight+0x1e/0x1e
[   35.750623]  print_address_description+0x14b/0x3e0:
						print_address_description at mm/kasan/report.c:253
[   35.751712]  ? ep_poll+0x5cd/0xc90:
						ep_send_events at fs/eventpoll.c:1700
						 (inlined by) ep_poll at fs/eventpoll.c:1829
[   35.752540]  kasan_report+0x239/0x3a0:
						kasan_report_error at mm/kasan/report.c:352
						 (inlined by) kasan_report at mm/kasan/report.c:409
[   35.753415]  __asan_store16+0x54/0x80
[   35.754292]  ep_poll+0x5cd/0xc90:
						ep_send_events at fs/eventpoll.c:1700
						 (inlined by) ep_poll at fs/eventpoll.c:1829
[   35.755089]  ? ep_eventpoll_poll+0x160/0x160:
						ep_poll at fs/eventpoll.c:1738
[   35.756079]  ? ep_item_poll+0xa8/0x1a0
[   35.757104]  ? __asan_loadN+0xf/0x20
[   35.757970]  ? mutex_unlock+0x49/0x90:
						__mutex_unlock_fast at kernel/locking/mutex.c:153
						 (inlined by) mutex_unlock at kernel/locking/mutex.c:611
[   35.758848]  ? __asan_loadN+0xf/0x20
[   35.759397] init: Failed to create pty - disabling logging for job
[   35.759739] init: Temporary process spawn error: No such file or directory
[   35.762496]  ? SyS_epoll_ctl+0x3fe/0x1620
[   35.763427]  ? SyS_epoll_create+0x210/0x210
[   35.764395]  ? unix_accept+0x49c/0x4d0:
						native_queued_spin_unlock at include/linux/compiler.h:209
						 (inlined by) queued_spin_unlock at arch/x86/include/asm/qspinlock.h:46
						 (inlined by) do_raw_spin_unlock at include/linux/spinlock.h:187
						 (inlined by) __raw_spin_unlock at include/linux/spinlock_api_smp.h:151
						 (inlined by) spin_unlock at include/linux/spinlock.h:355
						 (inlined by) unix_accept at net/unix/af_unix.c:1448
[   35.765288]  ? sock_put+0x50/0x50:
						unix_accept at net/unix/af_unix.c:1413
[   35.766096]  ? branch_trace_reset+0x10/0x10:
						ftrace_likely_update at kernel/trace/trace_branch.c:207
[   35.767056]  ? __asan_loadN+0xf/0x20
[   35.767916]  ? ftrace_likely_update+0x91/0x3b0:
						ftrace_likely_update at kernel/trace/trace_branch.c:223
[   35.768936]  ? branch_trace_reset+0x10/0x10:
						ftrace_likely_update at kernel/trace/trace_branch.c:207
[   35.769904]  ? SYSC_accept4+0x12f/0x710:
						SYSC_accept4 at net/socket.c:1597
[   35.775190]  ? __fget_light+0x26c/0x2e0:
						__fget_light at fs/file.c:741 (discriminator 2)
[   35.777712]  ? rw_verify_area+0x13c/0x300:
						rw_verify_area at fs/read_write.c:380
[   35.778645]  ? trace_hardirqs_on_caller+0xd5/0x1b0:
						static_key_false at include/linux/jump_label.h:201
						 (inlined by) trace_irq_enable_rcuidle at include/trace/events/preemptirq.h:40
						 (inlined by) trace_hardirqs_on_caller at kernel/trace/trace_irqsoff.c:815
[   35.781772]  ? entry_SYSCALL_64_fastpath+0x5/0x91:
						entry_SYSCALL_64_fastpath at arch/x86/entry/entry_64.S:192
[   35.781784]  ? vfs_write+0x35a/0x520:
						file_end_write at include/linux/fs.h:2727
						 (inlined by) vfs_write at fs/read_write.c:550
[   35.781796]  ? do_task_dead+0x70/0x70:
						default_wake_function at kernel/sched/core.c:3627
[   35.781810]  SyS_epoll_wait+0x2a6/0x2f0
[   35.781821]  entry_SYSCALL_64_fastpath+0x1f/0x91:
						entry_SYSCALL_64_fastpath at arch/x86/entry/entry_64.S:210
[   35.781828] RIP: 0033:0x7f78afd0db33
[   35.781832] RSP: 002b:00007ffd2a335798 EFLAGS: 00000246 ORIG_RAX: 00000000000000e8
[   35.781842] RAX: ffffffffffffffda RBX: 0000000001a4c940 RCX: 00007f78afd0db33
[   35.781847] RDX: 0000000000000040 RSI: 00007f78b0402520 RDI: 0000000000000003
[   35.781852] RBP: 0000000000000007 R08: 0000000000000003 R09: 0000000000000008
[   35.781858] R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000001a4c940
[   35.781863] R13: 0000000001a50c50 R14: 0000000000000000 R15: 0000000000000000
[   35.781870]
[   35.781873] The buggy address belongs to the page:
[   35.781883] page:ffffea00004063c0 count:0 mapcount:0 mapping:          (null) index:0x0

Attached the full dmesg, kconfig and reproduce scripts.

Thanks,
Fengguang

View attachment "dmesg-vm-vp-quantal-x86_64-45:20171129181612:x86_64-randconfig-ws0-11291727:4.15.0-rc1:149" of type "text/plain" (55412 bytes)

View attachment ".config" of type "text/plain" (106776 bytes)

View attachment "job-script" of type "text/plain" (3850 bytes)

View attachment "reproduce-vm-vp-quantal-x86_64-45:20171129181612:x86_64-randconfig-ws0-11291727:4.15.0-rc1:149" of type "text/plain" (1800 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ