Open Source and information security mailing list archives
Date:   Mon, 23 Apr 2018 14:05:32 +0800
From:   kernel test robot <xiaolong.ye@...el.com>
To:     Tejun Heo <tj@...nel.org>
Cc:     Johannes Weiner <hannes@...xchg.org>,
        Michal Hocko <mhocko@...nel.org>,
        Vladimir Davydov <vdavydov.dev@...il.com>,
        Roman Gushchin <guro@...com>, Rik van Riel <riel@...riel.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        LKML <linux-kernel@...r.kernel.org>, Tejun Heo <tj@...nel.org>,
        cgroups@...r.kernel.org, lkp@...org
Subject: [lkp-robot] [mm]  07f09ce017: BUG:KASAN:null-ptr-deref_in_c


FYI, we noticed the following commit (built with gcc-7):

commit: 07f09ce0175185a21865133ccd2cfd6515e24995 ("mm: memcontrol: Use cgroup_rstat for stat accounting")
https://git.kernel.org/cgit/linux/kernel/git/tj/cgroup.git review-memcg-swap.events

in testcase: boot

on test machine: qemu-system-x86_64 -enable-kvm -cpu host -smp 2 -m 1G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):


+------------------------------------------+------------+------------+
|                                          | 4098f3a8ac | 07f09ce017 |
+------------------------------------------+------------+------------+
| boot_successes                           | 2          | 0          |
| boot_failures                            | 19         | 21         |
| invoked_oom-killer:gfp_mask=0x           | 17         |            |
| Mem-Info                                 | 17         |            |
| Out_of_memory:Kill_process               | 17         |            |
| BUG:kernel_in_stage                      | 2          | 2          |
| BUG:KASAN:null-ptr-deref_in_c            | 0          | 19         |
| BUG:unable_to_handle_kernel              | 0          | 19         |
| Oops:#[##]                               | 0          | 19         |
| RIP:cgroup_rstat_flush_locked            | 0          | 19         |
| Kernel_panic-not_syncing:Fatal_exception | 0          | 19         |
+------------------------------------------+------------+------------+



[   68.759108] BUG: KASAN: null-ptr-deref in cgroup_rstat_flush_locked+0xc7/0x445
[   68.762498] Read of size 8 at addr 0000000000000030 by task kswapd0/81
[   68.765402] 
[   68.766288] CPU: 0 PID: 81 Comm: kswapd0 Not tainted 4.16.0-rc6-00088-g07f09ce #1
[   68.769615] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[   68.772859] Call Trace:
[   68.773982]  kasan_report+0x21d/0x24d
[   68.775869]  cgroup_rstat_flush_locked+0xc7/0x445
[   68.777990]  cgroup_rstat_flush+0x30/0x3d
[   68.779821]  snapshot_refaults+0x39/0x107
[   68.781996]  kswapd+0x5bf/0x64b
[   68.783476]  ? try_to_free_mem_cgroup_pages+0x1bb/0x1bb
[   68.785779]  ? lock_downgrade+0x28a/0x28a
[   68.787441]  ? match_held_lock+0x1c/0x1e1
[   68.789078]  ? do_raw_spin_unlock+0xb2/0xbd
[   68.790783]  ? __wake_up_common_lock+0x10b/0x10b
[   68.792638]  ? sysctl_net_exit+0xf/0xf
[   68.794219]  ? try_to_free_mem_cgroup_pages+0x1bb/0x1bb
[   68.796557]  ? try_to_free_mem_cgroup_pages+0x1bb/0x1bb
[   68.798859]  kthread+0x1cd/0x1dd
[   68.800404]  ? __kthread_create_on_node+0x22f/0x22f
[   68.802656]  ret_from_fork+0x1f/0x30
[   68.804160] ==================================================================
[   68.806991] Disabling lock debugging due to kernel taint
[   68.809020] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
[   68.811985] IP: cgroup_rstat_flush_locked+0xc7/0x445
[   68.814050] PGD 0 P4D 0 
[   68.815287] Oops: 0000 [#1] PREEMPT DEBUG_PAGEALLOC KASAN PTI
[   68.817704] CPU: 0 PID: 81 Comm: kswapd0 Tainted: G    B            4.16.0-rc6-00088-g07f09ce #1
[   68.821366] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[   68.824952] RIP: 0010:cgroup_rstat_flush_locked+0xc7/0x445
[   68.827295] RSP: 0018:ffff88000d36fc70 EFLAGS: 00010056
[   68.829563] RAX: 0000000000000096 RBX: ffff8800240dc790 RCX: ffffffff8111252d
[   68.832168] RDX: ffffffff811f5c00 RSI: 0000000000000003 RDI: 0000000000000096
[   68.834795] RBP: 0000000000000000 R08: dffffc0000000000 R09: 0000000000000000
[   68.837397] R10: fffffbfff08fbb46 R11: fffffbfff0ac139f R12: ffffffff844ef720
[   68.840007] R13: 0000000000000000 R14: 0000000000000002 R15: 0000000000000001
[   68.842600] FS:  0000000000000000(0000) GS:ffffffff83a75000(0000) knlGS:0000000000000000
[   68.845964] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   68.848372] CR2: 0000000000000030 CR3: 000000000d71c000 CR4: 00000000000006f0
[   68.851200] Call Trace:
[   68.852386]  cgroup_rstat_flush+0x30/0x3d
[   68.854170]  snapshot_refaults+0x39/0x107
[   68.855749]  kswapd+0x5bf/0x64b
[   68.857064]  ? try_to_free_mem_cgroup_pages+0x1bb/0x1bb
[   68.859300]  ? lock_downgrade+0x28a/0x28a
[   68.861099]  ? match_held_lock+0x1c/0x1e1
[   68.862875]  ? do_raw_spin_unlock+0xb2/0xbd
[   68.864760]  ? __wake_up_common_lock+0x10b/0x10b
[   68.866644]  ? sysctl_net_exit+0xf/0xf
[   68.868356]  ? try_to_free_mem_cgroup_pages+0x1bb/0x1bb
[   68.870480]  ? try_to_free_mem_cgroup_pages+0x1bb/0x1bb
[   68.872466]  kthread+0x1cd/0x1dd
[   68.873820]  ? __kthread_create_on_node+0x22f/0x22f
[   68.875675]  ret_from_fork+0x1f/0x30
[   68.877120] Code: 48 8b 98 e0 00 00 00 48 8d 83 70 02 00 00 48 89 c7 48 89 44 24 10 e8 c1 e0 09 00 48 8b ab 70 02 00 00 48 8d 7d 30 e8 b1 e0 09 00 <48> 8b 45 30 48 39 c3 48 89 04 24 74 06 48 8b 1c 24 eb c9 48 8d 
[   68.884035] RIP: cgroup_rstat_flush_locked+0xc7/0x445 RSP: ffff88000d36fc70
[   68.886870] CR2: 0000000000000030
[   68.888387] ---[ end trace 9edd9c01f8506185 ]---


To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email



Thanks,
Xiaolong

View attachment "config-4.16.0-rc6-00088-g07f09ce" of type "text/plain" (134101 bytes)

View attachment "job-script" of type "text/plain" (4185 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (18048 bytes)
