lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20180419014235.r6ykoznj6sgyb3m4@wfg-t540p.sh.intel.com> Date: Thu, 19 Apr 2018 09:42:35 +0800 From: Fengguang Wu <fengguang.wu@...el.com> To: Kees Cook <keescook@...omium.org> Cc: kernel-hardening@...ts.openwall.com, linux-kbuild@...r.kernel.org, linux-kernel@...r.kernel.org, lkp@...org Subject: BUG: KASAN: use-after-scope in ep_poll+0x1177/0x131b Hi Kees, FYI this happens in mainline kernel 4.17.0-rc1. It at least dates back to v4.15-rc1 . I just sent you a bisect report for c61f13eaa1 ("gcc-plugins: Add structleak for more stack initialization") possibly related to this error. [ 30.565138] init: Console is alive [ 30.574301] kmodloader (149) used greatest stack depth: 22824 bytes left [ 31.573627] init: - preinit - [ 31.628946] procd: - early - [ 31.715094] ================================================================== [ 31.716334] BUG: KASAN: use-after-scope in ep_poll+0x1177/0x131b: ep_poll at fs/eventpoll.c:1832 [ 31.717242] Write of size 24 at addr ffff880000307b80 by task procd/1 [ 31.718361] [ 31.718653] CPU: 0 PID: 1 Comm: procd Tainted: G T 4.17.0-rc1 #1 [ 31.719799] Call Trace: [ 31.720289] print_address_description+0x69/0x24d: print_address_description at mm/kasan/report.c:257 [ 31.721257] ? ep_poll+0x1177/0x131b: ep_poll at fs/eventpoll.c:1832 [ 31.721910] kasan_report+0x219/0x34e: kasan_report_error at mm/kasan/report.c:355 (inlined by) kasan_report at mm/kasan/report.c:412 [ 31.722589] ep_poll+0x1177/0x131b: ep_poll at fs/eventpoll.c:1832 [ 31.723218] ? ep_send_events_proc+0x979/0x979: ep_poll at fs/eventpoll.c:1741 [ 31.724120] ? sched_clock_cpu+0xa9/0x14a: sched_clock_cpu at kernel/sched/clock.c:351 [ 31.724861] ? pvclock_read_flags+0x136/0x136: pvclock_clocksource_read at arch/x86/kernel/pvclock.c:79 [ 31.725633] ? print_lockdep_off+0x27/0x27: match_held_lock at kernel/locking/lockdep.c:3491 [ 31.726387] ? kvm_sched_clock_read+0x12/0x20: __preempt_count_sub at arch/x86/include/asm/preempt.h:81 (inlined by) kvm_clock_read at arch/x86/kernel/kvmclock.c:90 (inlined by) kvm_sched_clock_read at arch/x86/kernel/kvmclock.c:101 [ 31.727184] ? sched_clock+0x34/0x37: paravirt_sched_clock at arch/x86/include/asm/paravirt.h:175 (inlined by) sched_clock at arch/x86/kernel/tsc.c:228 [ 31.727920] ? __context_tracking_exit+0xb5/0x22b: atomic_read at include/asm-generic/atomic-instrumented.h:21 (inlined by) static_key_count at include/linux/jump_label.h:194 (inlined by) static_key_false at include/linux/jump_label.h:206 (inlined by) trace_user_exit at include/trace/events/context_tracking.h:48 (inlined by) __context_tracking_exit at kernel/context_tracking.c:158 [ 31.728750] ? kvm_sched_clock_read+0x12/0x20: __preempt_count_sub at arch/x86/include/asm/preempt.h:81 (inlined by) kvm_clock_read at arch/x86/kernel/kvmclock.c:90 (inlined by) kvm_sched_clock_read at arch/x86/kernel/kvmclock.c:101 [ 31.729508] ? sched_clock+0x34/0x37: paravirt_sched_clock at arch/x86/include/asm/paravirt.h:175 (inlined by) sched_clock at arch/x86/kernel/tsc.c:228 [ 31.730138] ? sched_clock_cpu+0xa9/0x14a: sched_clock_cpu at kernel/sched/clock.c:351 [ 31.730913] ? clear_sched_clock_stable+0x115/0x115: sched_clock_cpu at kernel/sched/clock.c:346 [ 31.731763] ? find_held_lock+0x39/0x18d: find_held_lock at kernel/locking/lockdep.c:3536 [ 31.732494] ? lock_downgrade+0x730/0x730: lock_release at kernel/locking/lockdep.c:3929 [ 31.733221] ? lock_release+0xe6b/0xe6b: lock_acquire at kernel/locking/lockdep.c:3909 [ 31.733917] ? get_vtime_delta+0x19f/0x239: steal_account_process_time at kernel/sched/cputime.c:243 (inlined by) account_other_time at kernel/sched/cputime.c:260 (inlined by) get_vtime_delta at kernel/sched/cputime.c:706 [ 31.734777] ? in_sched_functions+0x35/0x35: ___might_sleep at kernel/sched/core.c:6146 [ 31.735513] ? account_steal_time+0x35/0x35: get_vtime_delta at kernel/sched/cputime.c:695 [ 31.736313] ? mntput_no_expire+0x73/0x6fe: rcu_lock_acquire at include/linux/rcupdate.h:246 (inlined by) rcu_read_lock at include/linux/rcupdate.h:632 (inlined by) mntput_no_expire at fs/namespace.c:1196 [ 31.737082] ? syscall_slow_exit_work+0x5c2/0x5c2: syscall_trace_enter at arch/x86/entry/common.c:68 [ 31.737969] ? __fget_light+0xb3/0x305: __read_once_size at include/linux/compiler.h:188 (inlined by) arch_atomic_read at arch/x86/include/asm/atomic.h:31 (inlined by) atomic_read at include/asm-generic/atomic-instrumented.h:22 (inlined by) __fget_light at fs/file.c:735 [ 31.738658] ? __fget+0x366/0x366: __fget_light at fs/file.c:731 [ 31.739231] ? vtime_user_exit+0x134/0x16b: raw_write_seqcount_end at include/linux/seqlock.h:235 (inlined by) write_seqcount_end at include/linux/seqlock.h:388 (inlined by) vtime_user_exit at kernel/sched/cputime.c:770 [ 31.739878] ? __context_tracking_exit+0xb5/0x22b: atomic_read at include/asm-generic/atomic-instrumented.h:21 (inlined by) static_key_count at include/linux/jump_label.h:194 (inlined by) static_key_false at include/linux/jump_label.h:206 (inlined by) trace_user_exit at include/trace/events/context_tracking.h:48 (inlined by) __context_tracking_exit at kernel/context_tracking.c:158 [ 31.740811] ? __context_tracking_exit+0xc6/0x22b: __read_once_size at include/linux/compiler.h:188 (inlined by) arch_atomic_read at arch/x86/include/asm/atomic.h:31 (inlined by) atomic_read at include/asm-generic/atomic-instrumented.h:22 (inlined by) static_key_count at include/linux/jump_label.h:194 (inlined by) static_key_false at include/linux/jump_label.h:206 (inlined by) trace_user_exit at include/trace/events/context_tracking.h:48 (inlined by) __context_tracking_exit at kernel/context_tracking.c:158 [ 31.741616] ? do_sched_yield+0x2b7/0x2b7: default_wake_function at kernel/sched/core.c:3742 [ 31.742351] ? trace_raw_output_preemptirq_template+0xf9/0xf9: trace_hardirqs_on at kernel/trace/trace_irqsoff.c:787 [ 31.743380] do_epoll_wait+0x112/0x148: fdput at include/linux/file.h:39 (inlined by) do_epoll_wait at fs/eventpoll.c:2194 [ 31.744126] __ia32_sys_epoll_wait+0xd8/0xe0: __do_sys_epoll_wait at fs/eventpoll.c:2201 (inlined by) __se_sys_epoll_wait at fs/eventpoll.c:2198 (inlined by) __ia32_sys_epoll_wait at fs/eventpoll.c:2198 [ 31.744915] do_int80_syscall_32+0x436/0x8b6: do_syscall_32_irqs_on at arch/x86/entry/common.c:323 (inlined by) do_int80_syscall_32 at arch/x86/entry/common.c:346 [ 31.745672] ? do_syscall_64+0x84b/0x84b: do_int80_syscall_32 at arch/x86/entry/common.c:343 [ 31.746268] ? vtime_user_enter+0xba/0xef: raw_write_seqcount_end at include/linux/seqlock.h:235 (inlined by) write_seqcount_end at include/linux/seqlock.h:388 (inlined by) vtime_user_enter at kernel/sched/cputime.c:756 [ 31.746951] ? __context_tracking_enter+0x21d/0x266: __context_tracking_enter at kernel/context_tracking.c:97 [ 31.747929] ? __context_tracking_enter+0x21d/0x266: __context_tracking_enter at kernel/context_tracking.c:97 [ 31.748817] ? context_tracking_recursion_enter+0x4a/0x4a: __context_tracking_enter at kernel/context_tracking.c:62 [ 31.749791] ? trace_raw_output_sys_exit+0xc6/0xc6: exit_to_usermode_loop at arch/x86/entry/common.c:139 [ 31.750662] ? trace_hardirqs_on_caller+0x1b3/0x1b3: trace_hardirqs_off_caller at kernel/trace/trace_irqsoff.c:823 [ 31.751532] ? prepare_exit_to_usermode+0x230/0x262: prepare_exit_to_usermode at arch/x86/entry/common.c:184 [ 31.752287] ? trace_hardirqs_off_thunk+0x1a/0x1c: trace_hardirqs_off_thunk at arch/x86/entry/thunk_64.S:43 [ 31.753106] entry_INT80_compat+0x84/0x90: entry_INT80_compat at arch/x86/entry/entry_64_compat.S:410 [ 31.753715] [ 31.753966] The buggy address belongs to the page: [ 31.754784] page:ffffea000000c1c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0 [ 31.756053] flags: 0x0() Attached the full dmesg, kconfig and reproduce scripts. Thanks, Fengguang View attachment "dmesg-vm-lkp-nhm-dp1-openwrt-ia32-9:20180416214450:x86_64-randconfig-s5-04161820:4.17.0-rc1:1" of type "text/plain" (56645 bytes) View attachment ".config" of type "text/plain" (115199 bytes) View attachment "job-script" of type "text/plain" (3788 bytes) View attachment "reproduce-vm-lkp-nhm-dp1-openwrt-ia32-9:20180416214450:x86_64-randconfig-s5-04161820:4.17.0-rc1:1" of type "text/plain" (1937 bytes)
Powered by blists - more mailing lists