Date:   Thu, 19 Apr 2018 10:26:11 +0800
From:   Fengguang Wu <fengguang.wu@...el.com>
To:     Andrey Ryabinin <aryabinin@...tuozzo.com>,
        Pavel Tatashin <pasha.tatashin@...cle.com>
Cc:     Steven Sistare <steven.sistare@...cle.com>,
        Daniel Jordan <daniel.m.jordan@...cle.com>,
        Bob Picco <bob.picco@...cle.com>,
        Linux Memory Management List <linux-mm@...ck.org>,
        linux-kernel@...r.kernel.org, LKP <lkp@...org>,
        Petr Mladek <pmladek@...e.com>,
        Sergey Senozhatsky <sergey.senozhatsky@...il.com>,
        Steven Rostedt <rostedt@...dmis.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Nicolas Pitre <nicolas.pitre@...aro.org>,
        Nikitas Angelinas <nikitas.angelinas@...il.com>,
        Matt Redfearn <matt.redfearn@...s.com>,
        Dmitry Vyukov <dvyukov@...gle.com>, kasan-dev@...glegroups.com
Subject: d17a1d97dc ("x86/mm/kasan: don't use vmemmap_populate() to
 initialize shadow"): [    0.001000] BUG: KASAN: use-after-scope in
 console_unlock

On Thu, Apr 19, 2018 at 10:17:57AM +0800, Fengguang Wu wrote:
>Hello,
>
>FYI this happens in mainline kernel 4.17.0-rc1.
>It at least dates back to v4.15-rc1.
>
>The regression was reported before
>
>         https://lkml.org/lkml/2017/11/30/33
>
>Where the last message from Dmitry mentions that use-after-scope has
>known false positives with CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL=y
>If so, what would be the best way to work around such false positives
>in boot testing? Disable the above config?
>
>0day bisects produce divergent results, with 2 of them converging to
>commit d17a1d97dc ("x86/mm/kasan: don't use vmemmap_populate() to
>initialize shadow") and 1 bisected to the earlier a4a3ede213 ("mm:
>zero reserved and unavailable struct pages"). I'll send the bisect
>reports in follow-up emails.

Here is the bisect report for

commit d17a1d97dc208d664c91cc387ffb752c7f85dc61
Author:     Andrey Ryabinin <aryabinin@...tuozzo.com>
AuthorDate: Wed Nov 15 17:36:35 2017 -0800
Commit:     Linus Torvalds <torvalds@...ux-foundation.org>
CommitDate: Wed Nov 15 18:21:05 2017 -0800

     x86/mm/kasan: don't use vmemmap_populate() to initialize shadow
     
     The kasan shadow is currently mapped using vmemmap_populate() since that
     provides a semi-convenient way to map pages into init_top_pgt.  However,
     since that no longer zeroes the mapped pages, it is not suitable for
     kasan, which requires zeroed shadow memory.
     
     Add kasan_populate_shadow() interface and use it instead of
     vmemmap_populate().  Besides, this allows us to take advantage of
     gigantic pages and use them to populate the shadow, which should save us
     some memory wasted on page tables and reduce TLB pressure.
     
     Link: http://lkml.kernel.org/r/20171103185147.2688-2-pasha.tatashin@oracle.com
     Signed-off-by: Andrey Ryabinin <aryabinin@...tuozzo.com>
     Signed-off-by: Pavel Tatashin <pasha.tatashin@...cle.com>
     Cc: Steven Sistare <steven.sistare@...cle.com>
     Cc: Daniel Jordan <daniel.m.jordan@...cle.com>
     Cc: Bob Picco <bob.picco@...cle.com>
     Cc: Michal Hocko <mhocko@...e.com>
     Cc: Alexander Potapenko <glider@...gle.com>
     Cc: Ard Biesheuvel <ard.biesheuvel@...aro.org>
     Cc: Catalin Marinas <catalin.marinas@....com>
     Cc: Christian Borntraeger <borntraeger@...ibm.com>
     Cc: David S. Miller <davem@...emloft.net>
     Cc: Dmitry Vyukov <dvyukov@...gle.com>
     Cc: Heiko Carstens <heiko.carstens@...ibm.com>
     Cc: "H. Peter Anvin" <hpa@...or.com>
     Cc: Ingo Molnar <mingo@...hat.com>
     Cc: Mark Rutland <mark.rutland@....com>
     Cc: Matthew Wilcox <willy@...radead.org>
     Cc: Mel Gorman <mgorman@...hsingularity.net>
     Cc: Michal Hocko <mhocko@...nel.org>
     Cc: Sam Ravnborg <sam@...nborg.org>
     Cc: Thomas Gleixner <tglx@...utronix.de>
     Cc: Will Deacon <will.deacon@....com>
     Signed-off-by: Andrew Morton <akpm@...ux-foundation.org>
     Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org>

a4a3ede213  mm: zero reserved and unavailable struct pages
d17a1d97dc  x86/mm/kasan: don't use vmemmap_populate() to initialize shadow
d6bbd51587  Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
73005e1a35  Add linux-next specific files for 20180103
+--------------------------------+------------+------------+------------+---------------+
|                                | a4a3ede213 | d17a1d97dc | d6bbd51587 | next-20180103 |
+--------------------------------+------------+------------+------------+---------------+
| boot_successes                 | 35         | 0          | 0          | 10            |
| boot_failures                  | 0          | 15         | 17         |               |
| BUG:KASAN:use-after-scope_in_c | 0          | 15         | 17         |               |
+--------------------------------+------------+------------+------------+---------------+

[    0.004000] 	Tasks RCU enabled.
[    0.004000] RCU: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=2
[    0.004000] NR_IRQS: 4352, nr_irqs: 440, preallocated irqs: 16
[    0.004000] 	Offload RCU callbacks from CPUs: .
[    0.004000] ==================================================================
[    0.004000] BUG: KASAN: use-after-scope in console_unlock+0x516/0x7bf
[    0.004000] Write of size 4 at addr ffffffffaf207aa0 by task swapper/0
[    0.004000] 
[    0.004000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.14.0-04319-gd17a1d9 #2
[    0.004000] Call Trace:
[    0.004000]  ? dump_stack+0xd1/0x178
[    0.004000]  ? _atomic_dec_and_lock+0x11a/0x11a
[    0.004000]  ? show_regs_print_info+0x51/0x51
[    0.004000]  ? do_raw_spin_unlock+0x223/0x247
[    0.004000]  ? print_address_description+0x94/0x2d9
[    0.004000]  ? console_unlock+0x516/0x7bf
[    0.004000]  ? kasan_report+0x21e/0x244
[    0.004000]  ? console_unlock+0x516/0x7bf
[    0.004000]  ? wake_up_klogd+0xe6/0xe6
[    0.004000]  ? vprintk_emit+0x3ee/0x426
[    0.004000]  ? __down_trylock_console_sem+0x5d/0x6c
[    0.004000]  ? vprintk_emit+0x3f7/0x426
[    0.004000]  ? console_unlock+0x7bf/0x7bf
[    0.004000]  ? memblock_virt_alloc_try_nid+0xd9/0x107
[    0.004000]  ? zero_pud_populate+0x7f1/0x8e8
[    0.004000]  ? printk+0x8f/0xab
[    0.004000]  ? show_regs_print_info+0x51/0x51
[    0.004000]  ? native_flush_tlb_global+0x71/0x7d
[    0.004000]  ? setup_arch+0x2427/0x2770
[    0.004000]  ? reserve_standard_io_resources+0x83/0x83
[    0.004000]  ? debug_check_no_locks_freed+0x20b/0x21a
[    0.004000]  ? __lockdep_init_map+0x20f/0x4d5
[    0.004000]  ? printk+0x8f/0xab
[    0.004000]  ? show_regs_print_info+0x51/0x51
[    0.004000]  ? cgroup_init_early+0xad/0x16e
[    0.004000]  ? do_device_not_available+0x4f/0x4f
[    0.004000]  ? start_kernel+0xe1/0x10ce
[    0.004000]  ? early_idt_handler_common+0x3b/0x60
[    0.004000]  ? thread_stack_cache_init+0x2e/0x2e
[    0.004000]  ? memcpy_orig+0x16/0x110
[    0.004000]  ? load_ucode_bsp+0x69/0x2fe
[    0.004000]  ? secondary_startup_64+0xa5/0xb0
[    0.004000] 
[    0.004000] Memory state around the buggy address:
[    0.004000]  ffffffffaf207980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[    0.004000]  ffffffffaf207a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[    0.004000] >ffffffffaf207a80: f1 f1 f1 f1 f8 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2

                                                           # HH:MM RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
git bisect start 30a7acd573899fd8b8ac39236eff6468b195ac7d v4.14 --
git bisect  bad 4fbd8d194f06c8a3fd2af1ce560ddb31f7ec8323  # 02:00  B      0    11   25   0  Linux 4.15-rc1
git bisect  bad 93ea0eb7d77afab34657715630d692a78b8cea6a  # 02:21  B      0    11   25   0  Merge tag 'leaks-4.15-rc1' of git://github.com/tcharding/linux
git bisect good 32190f0afbf4f1c0a9142e5a886a078ee0b794fd  # 02:39  G     11     0    0   0  Merge tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/fscrypt
git bisect good 37cb8e1f8e10c6e9bd2a1b95cdda0620a21b0551  # 02:52  G     11     0    0   0  Merge tag 'devicetree-for-4.15' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux
git bisect good 6c4ba00c40d5acb17f32d4b7e02dbcd21f336d9f  # 03:10  G     11     0    0   0  Merge tag 'hsi-for-4.15' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-hsi
git bisect good 766ec76a27aa9dfdfee3a80f29ddc1f7539c71f9  # 03:30  G     11     0    0   0  Merge branch 'for-4.15' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu
git bisect good 1b6115fbe3b3db746d7baa11399dd617fc75e1c4  # 03:54  G     11     0    0   0  Merge tag 'pci-v4.15-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci
git bisect good 6363b3f3ac5be096d08c8c504128befa0c033529  # 04:09  G     11     0    0   0  Merge tag 'ipmi-for-4.15' of git://github.com/cminyard/linux-ipmi
git bisect  bad 7c225c69f86c934e3be9be63ecde754e286838d7  # 04:25  B      0     1   15   0  Merge branch 'akpm' (patches from Andrew)
git bisect good 4be90299a1693c2112edb20ca78d6cc9f2183326  # 04:47  G     11     0    0   0  ceph: use pagevec_lookup_range_nr_tag()
git bisect  bad 76253fbc8fbf6018401755fc5c07814a837cc832  # 05:07  B      0     2   16   0  mm: move accounting updates before page_cache_tree_delete()
git bisect good 353b1e7b5859e98860f984d8894fa7ddc242a90e  # 05:29  G     11     0    0   0  x86/mm: set fields in deferred pages
git bisect  bad 78c943662f4b1d53ddbfc515e427827915781377  # 05:51  B      0     3   17   0  sparc64: optimize struct page zeroing
git bisect good a4a3ede2132ae0863e2d43e06f9b5697c51a7a3b  # 06:16  G     11     0    0   0  mm: zero reserved and unavailable struct pages
git bisect  bad e17d8025f07e4fd9d73b137a8bcab04548126b83  # 06:29  B      0    10   24   0  arm64/mm/kasan: don't use vmemmap_populate() to initialize shadow
git bisect  bad d17a1d97dc208d664c91cc387ffb752c7f85dc61  # 06:42  B      0     5   19   0  x86/mm/kasan: don't use vmemmap_populate() to initialize shadow
# first bad commit: [d17a1d97dc208d664c91cc387ffb752c7f85dc61] x86/mm/kasan: don't use vmemmap_populate() to initialize shadow
git bisect good a4a3ede2132ae0863e2d43e06f9b5697c51a7a3b  # 06:51  G     31     0    0   0  mm: zero reserved and unavailable struct pages
# extra tests with debug options
git bisect  bad d17a1d97dc208d664c91cc387ffb752c7f85dc61  # 07:06  B      0    10   24   0  x86/mm/kasan: don't use vmemmap_populate() to initialize shadow
# extra tests on HEAD of linux-devel/devel-hourly-2018010321
git bisect  bad d23305f3c66383c30bc6a65b33dbdde7cabcf2e1  # 07:07  B      0    13   30   0  0day head guard for 'devel-hourly-2018010321'
# extra tests on tree/branch linus/master
git bisect  bad d6bbd51587ecd173958453969964fb41140b1540  # 07:25  B      0     6   20   0  Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
# extra tests on tree/branch linux-next/master
git bisect good 73005e1a35fd67c644b0645c9e4c1efabd0fe62c  # 07:48  G     11     0    1   1  Add linux-next specific files for 20180103

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/lkp                          Intel Corporation

Download attachment "dmesg-quantal-ivb41-10:20180104064259:x86_64-randconfig-s4-01040103:4.14.0-04319-gd17a1d9:2.gz" of type "application/gzip" (8921 bytes)

View attachment "reproduce-quantal-ivb41-10:20180104064259:x86_64-randconfig-s4-01040103:4.14.0-04319-gd17a1d9:2" of type "text/plain" (889 bytes)

View attachment "config-4.14.0-04319-gd17a1d9" of type "text/plain" (116744 bytes)
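To read the shadow dump in the report above: each shadow byte covers 8 bytes of kernel memory, a "Memory state" row of 16 bytes covers 128, and the byte for the faulting address is looked up from the row base. This decoder is an added example, not code from the 0day mail or from the kernel; REPORT is copied from the report lines above, and the poison table is the set of values from mm/kasan/kasan.h of the 4.14/4.15 era, reproduced here as an assumption.

```python
import re

SHADOW_SCALE = 8                  # KASAN_SHADOW_SCALE_SHIFT = 3: one shadow byte per 8 bytes
BYTES_PER_ROW = 16 * SHADOW_SCALE  # a report row shows 16 shadow bytes = 128 bytes of memory

# Poison values as defined in mm/kasan/kasan.h around v4.14 (assumed, see lead-in).
KASAN_POISON = {
    0xf1: "KASAN_STACK_LEFT", 0xf2: "KASAN_STACK_MID", 0xf3: "KASAN_STACK_RIGHT",
    0xf4: "KASAN_STACK_PARTIAL", 0xf8: "KASAN_USE_AFTER_SCOPE",
    0xfa: "KASAN_GLOBAL_REDZONE", 0xfb: "KASAN_KMALLOC_FREE",
    0xfc: "KASAN_KMALLOC_REDZONE", 0xfe: "KASAN_PAGE_REDZONE", 0xff: "KASAN_FREE_PAGE",
}

# Lines copied from the KASAN report quoted in the mail above.
REPORT = """\
[    0.004000] BUG: KASAN: use-after-scope in console_unlock+0x516/0x7bf
[    0.004000] Write of size 4 at addr ffffffffaf207aa0 by task swapper/0
[    0.004000] Memory state around the buggy address:
[    0.004000]  ffffffffaf207980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[    0.004000]  ffffffffaf207a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[    0.004000] >ffffffffaf207a80: f1 f1 f1 f1 f8 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2
"""

ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
ROW_RE = re.compile(r"\]\s*>?([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")

def describe_shadow(val):
    """Translate one shadow byte into what KASAN means by it."""
    if val == 0:
        return "all 8 bytes addressable"
    if 1 <= val <= 7:
        return "only first %d bytes addressable" % val
    return KASAN_POISON.get(val, "unknown poison 0x%02x" % val)

def shadow_byte_for(text):
    """Find the shadow byte guarding the faulting address of a KASAN report."""
    m = ACCESS_RE.search(text)
    if not m:
        raise ValueError("no 'Read/Write of size N at addr' line in report")
    kind, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
    rows = {}
    for line in text.splitlines():
        r = ROW_RE.search(line)
        if r:
            rows[int(r.group(1), 16)] = [int(b, 16) for b in r.group(2).split()]
    row_base = addr - (addr % BYTES_PER_ROW)       # row addresses are 128-byte aligned
    if row_base not in rows:
        raise ValueError("report does not show the row covering %#x" % addr)
    idx = (addr - row_base) // SHADOW_SCALE          # which of the 16 shadow bytes
    val = rows[row_base][idx]
    return {"kind": kind, "size": size, "addr": addr, "shadow_index": idx,
            "shadow_value": val, "meaning": describe_shadow(val),
            # an access that straddles two 8-byte granules is judged by both bytes
            "crosses_granule": (addr % SHADOW_SCALE) + size > SHADOW_SCALE}
```

For the quoted report this lands on shadow byte 4 of the `>` row, value 0xf8, i.e. a stack slot whose scope has ended; the value confirms the report class but does not by itself decide whether the report is a true hit or one of the compiler-plugin false positives the mail discusses.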
