 
Date:   Thu, 5 Jul 2018 16:01:42 +0800
From:   kernel test robot <xiaolong.ye@...el.com>
To:     ufo19890607@...il.com
Cc:     akpm@...ux-foundation.org, mhocko@...e.com, rientjes@...gle.com,
        kirill.shutemov@...ux.intel.com, aarcange@...hat.com,
        penguin-kernel@...ove.sakura.ne.jp, guro@...com,
        yang.s@...baba-inc.com, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org, yuzhoujian@...ichuxing.com,
        lkp@...org
Subject: [lkp-robot] 3586e04c29: BUG:KASAN:user-memory-access_in_d


FYI, we noticed the following commit (built with gcc-6):

commit: 3586e04c2954d48a690aee721a034c7867bb0fc1 ("[PATCH v11 2/2] Add the missing information in dump_header")
url: https://github.com/0day-ci/linux/commits/ufo19890607-gmail-com/Refactor-part-of-the-oom-report-in-dump_header/20180701-004229


in testcase: trinity
with the following parameters:

	runtime: 300s

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu Westmere -m 512M

caused the changes below (please refer to the attached dmesg/kmsg for the full log/backtrace). In the trace that follows, the faulting address 0x1c58 is reported while RBX is zero, which suggests a NULL base pointer dereferenced at a fixed field offset inside dump_header; this is an observation from the register dump, not a confirmed root cause:


+------------------------------------------+------------+------------+
|                                          | d1206092c9 | 3586e04c29 |
+------------------------------------------+------------+------------+
| boot_successes                           | 0          | 2          |
| boot_failures                            | 12         | 21         |
| invoked_oom-killer:gfp_mask=0x           | 12         | 21         |
| BUG:KASAN:null-ptr-deref_in_d            | 12         |            |
| BUG:unable_to_handle_kernel              | 12         | 21         |
| Oops:#[##]                               | 12         | 21         |
| RIP:dump_header                          | 12         | 21         |
| Kernel_panic-not_syncing:Fatal_exception | 12         | 21         |
| kernel_BUG_at_mm/usercopy.c              | 1          | 2          |
| invalid_opcode:#[##]                     | 1          | 2          |
| RIP:usercopy_abort                       | 1          | 2          |
| BUG:KASAN:user-memory-access_in_d        | 0          | 21         |
+------------------------------------------+------------+------------+



[    8.645427] BUG: KASAN: user-memory-access in dump_header+0xf7/0x452
[    8.646474] Read of size 8 at addr 0000000000001c58 by task swapper/0/1
[    8.646692] 
[    8.646692] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G                T 4.18.0-rc2-00225-g3586e04 #1
[    8.646692] Call Trace:
[    8.646692]  dump_stack+0x8e/0xd5
[    8.646692]  kasan_report+0x245/0x28d
[    8.646692]  dump_header+0xf7/0x452
[    8.646692]  out_of_memory+0x7cb/0x86c
[    8.646692]  ? oom_killer_disable+0x1b7/0x1b7
[    8.646692]  __alloc_pages_slowpath+0xc9e/0xf35
[    8.646692]  ? gfp_pfmemalloc_allowed+0x10/0x10
[    8.646692]  ? sched_clock_local+0xa4/0xc0
[    8.646692]  ? check_chain_key+0xf4/0x14b
[    8.646692]  ? match_held_lock+0x2b/0xf8
[    8.646692]  ? match_held_lock+0x2b/0xf8
[    8.646692]  ? lock_is_held_type+0x80/0x90
[    8.646692]  __alloc_pages_nodemask+0x1b9/0x343
[    8.646692]  ? __alloc_pages_slowpath+0xf35/0xf35
[    8.646692]  ? find_first_bit+0x1b/0x4a
[    8.646692]  ? __next_node_in+0x39/0x46
[    8.646692]  alloc_page_interleave+0x12/0xba
[    8.646692]  pagecache_get_page+0x118/0x190
[    8.646692]  grab_cache_page_write_begin+0x37/0x50
[    8.646692]  simple_write_begin+0x26/0x79
[    8.646692]  generic_perform_write+0x163/0x2a2
[    8.646692]  ? fatal_signal_pending+0x34/0x34
[    8.646692]  ? file_update_time+0x132/0x21e
[    8.646692]  ? __insert_inode_hash+0xc7/0xc7
[    8.646692]  ? lock_acquired+0x3b0/0x429
[    8.646692]  ? generic_file_write_iter+0x4b/0xd0
[    8.646692]  ? lock_contended+0x46a/0x46a
[    8.646692]  ? lock_acquire+0x1d8/0x22c
[    8.646692]  __generic_file_write_iter+0x176/0x201
[    8.646692]  generic_file_write_iter+0x66/0xd0
[    8.646692]  __vfs_write+0x15b/0x1dd
[    8.646692]  ? kernel_read+0x6e/0x6e
[    8.646692]  ? lock_is_held_type+0x80/0x90
[    8.646692]  ? rcu_read_lock_sched_held+0x5d/0x74
[    8.646692]  ? rcu_sync_lockdep_assert+0x3d/0x63
[    8.646692]  ? __sb_start_write+0x188/0x1a3
[    8.646692]  ? vfs_write+0xb0/0xf2
[    8.646692]  vfs_write+0xce/0xf2
[    8.646692]  ksys_write+0xbb/0x133
[    8.646692]  ? __ia32_sys_read+0x41/0x41
[    8.646692]  ? trace_kmalloc+0xd8/0x123
[    8.646692]  ? do_name+0x22c/0x484
[    8.646692]  ? __kmalloc_track_caller+0x13f/0x167
[    8.646692]  xwrite+0x57/0x124
[    8.646692]  do_copy+0x52/0x172
[    8.646692]  write_buffer+0x61/0x9c
[    8.646692]  flush_buffer+0x10e/0x165
[    8.646692]  __gunzip+0x5d8/0x7ab
[    8.646692]  ? bunzip2+0x94d/0x94d
[    8.646692]  ? write_buffer+0x9c/0x9c
[    8.646692]  gunzip+0x39/0x3d
[    8.646692]  ? initrd_load+0xad/0xad
[    8.646692]  unpack_to_rootfs+0x2a4/0x526
[    8.646692]  ? initrd_load+0xad/0xad
[    8.646692]  ? do_symlink+0xe8/0xe8
[    8.646692]  ? __lock_is_held+0x72/0x87
[    8.646692]  ? do_header+0x1de/0x1de
[    8.646692]  populate_rootfs+0xd8/0x2cc
[    8.646692]  ? do_header+0x1de/0x1de
[    8.646692]  do_one_initcall+0x193/0x3c9
[    8.646692]  ? perf_trace_initcall_finish+0x1ef/0x1ef
[    8.646692]  ? __lock_is_held+0x72/0x87
[    8.646692]  ? lock_is_held_type+0x80/0x90
[    8.646692]  kernel_init_freeable+0x3ba/0x54d
[    8.646692]  ? start_kernel+0x8b8/0x8b8
[    8.646692]  ? mmdrop+0x19/0x2f
[    8.646692]  ? finish_task_switch+0x1bd/0x233
[    8.646692]  ? balance_callback+0x1f/0xa1
[    8.646692]  ? rest_init+0xd3/0xd3
[    8.646692]  ? rest_init+0xd3/0xd3
[    8.646692]  kernel_init+0xc/0x108
[    8.646692]  ? rest_init+0xd3/0xd3
[    8.646692]  ret_from_fork+0x3a/0x50
[    8.646692] ==================================================================
[    8.646692] Disabling lock debugging due to kernel taint
[    8.701796] BUG: unable to handle kernel paging request at 0000000000001c58
[    8.703542] PGD 0 P4D 0 
[    8.703995] Oops: 0000 [#1] SMP KASAN
[    8.704606] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G    B           T 4.18.0-rc2-00225-g3586e04 #1
[    8.705771] RIP: 0010:dump_header+0xf7/0x452
[    8.705771] Code: 8b 34 fd 80 ac ec 81 44 89 ea 4c 89 f1 48 c7 c7 a0 9a ec 81 e8 79 13 f1 ff e8 4f db ff ff 48 8d bb 58 1c 00 00 e8 3b f3 06 00 <4c> 8b ab 58 1c 00 00 e8 1b 33 f2 ff 85 c0 74 31 80 3d d4 ca 77 01 
[    8.705771] RSP: 0000:ffff880009907258 EFLAGS: 00010286
[    8.705771] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff810f8551
[    8.705771] RDX: 1ffffffff04d7600 RSI: 0000000000000003 RDI: 0000000000000296
[    8.705771] RBP: ffff8800099074e0 R08: dffffc0000000000 R09: fffffbfff04d7620
[    8.705771] R10: fffffbfff04d7620 R11: 0000000000000000 R12: ffff8800099074e8
[    8.705771] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[    8.705771] FS:  0000000000000000(0000) GS:ffff88000a200000(0000) knlGS:0000000000000000
[    8.705771] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    8.705771] CR2: 0000000000001c58 CR3: 0000000002415000 CR4: 00000000000006b0
[    8.705771] Call Trace:
[    8.705771]  out_of_memory+0x7cb/0x86c
[    8.705771]  ? oom_killer_disable+0x1b7/0x1b7
[    8.705771]  __alloc_pages_slowpath+0xc9e/0xf35
[    8.705771]  ? gfp_pfmemalloc_allowed+0x10/0x10
[    8.705771]  ? sched_clock_local+0xa4/0xc0
[    8.705771]  ? check_chain_key+0xf4/0x14b
[    8.705771]  ? match_held_lock+0x2b/0xf8
[    8.705771]  ? match_held_lock+0x2b/0xf8
[    8.705771]  ? lock_is_held_type+0x80/0x90
[    8.705771]  __alloc_pages_nodemask+0x1b9/0x343
[    8.705771]  ? __alloc_pages_slowpath+0xf35/0xf35
[    8.705771]  ? find_first_bit+0x1b/0x4a
[    8.705771]  ? __next_node_in+0x39/0x46
[    8.705771]  alloc_page_interleave+0x12/0xba
[    8.705771]  pagecache_get_page+0x118/0x190
[    8.705771]  grab_cache_page_write_begin+0x37/0x50
[    8.705771]  simple_write_begin+0x26/0x79
[    8.705771]  generic_perform_write+0x163/0x2a2
[    8.705771]  ? fatal_signal_pending+0x34/0x34
[    8.705771]  ? file_update_time+0x132/0x21e
[    8.705771]  ? __insert_inode_hash+0xc7/0xc7
[    8.705771]  ? lock_acquired+0x3b0/0x429
[    8.705771]  ? generic_file_write_iter+0x4b/0xd0
[    8.705771]  ? lock_contended+0x46a/0x46a
[    8.705771]  ? lock_acquire+0x1d8/0x22c
[    8.705771]  __generic_file_write_iter+0x176/0x201
[    8.705771]  generic_file_write_iter+0x66/0xd0
[    8.705771]  __vfs_write+0x15b/0x1dd
[    8.705771]  ? kernel_read+0x6e/0x6e
[    8.705771]  ? lock_is_held_type+0x80/0x90
[    8.705771]  ? rcu_read_lock_sched_held+0x5d/0x74
[    8.705771]  ? rcu_sync_lockdep_assert+0x3d/0x63
[    8.705771]  ? __sb_start_write+0x188/0x1a3
[    8.705771]  ? vfs_write+0xb0/0xf2
[    8.705771]  vfs_write+0xce/0xf2
[    8.705771]  ksys_write+0xbb/0x133
[    8.705771]  ? __ia32_sys_read+0x41/0x41
[    8.705771]  ? trace_kmalloc+0xd8/0x123
[    8.705771]  ? do_name+0x22c/0x484
[    8.705771]  ? __kmalloc_track_caller+0x13f/0x167
[    8.705771]  xwrite+0x57/0x124
[    8.705771]  do_copy+0x52/0x172
[    8.705771]  write_buffer+0x61/0x9c
[    8.705771]  flush_buffer+0x10e/0x165
[    8.705771]  __gunzip+0x5d8/0x7ab
[    8.705771]  ? bunzip2+0x94d/0x94d
[    8.705771]  ? write_buffer+0x9c/0x9c
[    8.705771]  gunzip+0x39/0x3d
[    8.705771]  ? initrd_load+0xad/0xad
[    8.705771]  unpack_to_rootfs+0x2a4/0x526
[    8.705771]  ? initrd_load+0xad/0xad
[    8.705771]  ? do_symlink+0xe8/0xe8
[    8.705771]  ? __lock_is_held+0x72/0x87
[    8.705771]  ? do_header+0x1de/0x1de
[    8.705771]  populate_rootfs+0xd8/0x2cc
[    8.705771]  ? do_header+0x1de/0x1de
[    8.705771]  do_one_initcall+0x193/0x3c9
[    8.705771]  ? perf_trace_initcall_finish+0x1ef/0x1ef
[    8.705771]  ? __lock_is_held+0x72/0x87
[    8.705771]  ? lock_is_held_type+0x80/0x90
[    8.705771]  kernel_init_freeable+0x3ba/0x54d
[    8.705771]  ? start_kernel+0x8b8/0x8b8
[    8.705771]  ? mmdrop+0x19/0x2f
[    8.705771]  ? finish_task_switch+0x1bd/0x233
[    8.705771]  ? balance_callback+0x1f/0xa1
[    8.705771]  ? rest_init+0xd3/0xd3
[    8.705771]  ? rest_init+0xd3/0xd3
[    8.705771]  kernel_init+0xc/0x108
[    8.705771]  ? rest_init+0xd3/0xd3
[    8.705771]  ret_from_fork+0x3a/0x50
[    8.705771] Modules linked in:
[    8.705771] CR2: 0000000000001c58
[    8.705771] ---[ end trace 414d7789c0d43a18 ]---


To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email



Thanks,
Xiaolong

View attachment "config-4.18.0-rc2-00225-g3586e04" of type "text/plain" (138392 bytes)

View attachment "job-script" of type "text/plain" (4040 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (9760 bytes)

