Message-ID: <20181102001957.GE24195@shao2-debian>
Date:   Fri, 2 Nov 2018 08:19:57 +0800
From:   kernel test robot <rong.a.chen@...el.com>
To:     Ming Lei <ming.lei@...hat.com>
Cc:     Jens Axboe <axboe@...nel.dk>, linux-block@...r.kernel.org,
        linux-kernel@...r.kernel.org, LKP <lkp@...org>
Subject: [LKP] a518560778 [ 16.132179] BUG: KASAN: null-ptr-deref in brd_alloc

Greetings,

0day kernel testing robot got the below dmesg and the first bad commit is

https://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux-block.git for-linus

commit a5185607787e030fcb0009194d3b12f8bcca59d6
Author:     Ming Lei <ming.lei@...hat.com>
AuthorDate: Wed Oct 31 16:40:50 2018 +0800
Commit:     Jens Axboe <axboe@...nel.dk>
CommitDate: Wed Oct 31 08:43:09 2018 -0600

    block: brd: associate with queue until adding disk
    
    brd_free() may be called in failure path on one brd instance without
    the disk being added yet, so release handler of gendisk may free the
    associated request_queue early and cause the following use-after-free[1].
    
    This patch fixes this issue by associating gendisk with request_queue
    just before adding disk.
    
    [1] KASAN: use-after-free Read in del_timer_sync
    Non-volatile memory driver v1.3
    Linux agpgart interface v0.103
    [drm] Initialized vgem 1.0.0 20120112 for virtual device on minor 0
    usbcore: registered new interface driver udl
    ==================================================================
    BUG: KASAN: use-after-free in __lock_acquire+0x36d9/0x4c20
    kernel/locking/lockdep.c:3218
    Read of size 8 at addr ffff8801d1b6b540 by task swapper/0/1
    
    CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.19.0+ #88
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
    Google 01/01/2011
    Call Trace:
      __dump_stack lib/dump_stack.c:77 [inline]
      dump_stack+0x244/0x39d lib/dump_stack.c:113
      print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
      kasan_report_error mm/kasan/report.c:354 [inline]
      kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412
      __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
      __lock_acquire+0x36d9/0x4c20 kernel/locking/lockdep.c:3218
      lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844
      del_timer_sync+0xb7/0x270 kernel/time/timer.c:1283
      blk_cleanup_queue+0x413/0x710 block/blk-core.c:809
      brd_free+0x5d/0x71 drivers/block/brd.c:422
      brd_init+0x2eb/0x393 drivers/block/brd.c:518
      do_one_initcall+0x145/0x957 init/main.c:890
      do_initcall_level init/main.c:958 [inline]
      do_initcalls init/main.c:966 [inline]
      do_basic_setup init/main.c:984 [inline]
      kernel_init_freeable+0x5c6/0x6b9 init/main.c:1148
      kernel_init+0x11/0x1ae init/main.c:1068
      ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:350
    
    Reported-by: syzbot+3701447012fe951dabb2@...kaller.appspotmail.com
    Signed-off-by: Ming Lei <ming.lei@...hat.com>
    Signed-off-by: Jens Axboe <axboe@...nel.dk>

c57cdf7a9e  block: call rq_qos_exit() after queue is frozen
a518560778  block: brd: associate with queue until adding disk
+------------------------------------------------+------------+------------+
|                                                | c57cdf7a9e | a518560778 |
+------------------------------------------------+------------+------------+
| boot_successes                                 | 0          | 0          |
| boot_failures                                  | 46         | 15         |
| BUG:kernel_hang_in_test_stage                  | 44         |            |
| IP-Config:Auto-configuration_of_network_failed | 2          |            |
| BUG:KASAN:null-ptr-deref_in_b                  | 0          | 15         |
| BUG:unable_to_handle_kernel                    | 0          | 15         |
| Oops:#[##]                                     | 0          | 15         |
| RIP:brd_alloc                                  | 0          | 15         |
| Kernel_panic-not_syncing:Fatal_exception       | 0          | 15         |
+------------------------------------------------+------------+------------+

[   16.119590] smapi::smapi_init, ERROR invalid usSmapiID
[   16.120907] mwave: tp3780i::tp3780I_InitializeBoardData: Error: SMAPI is not available on this machine
[   16.123300] mwave: mwavedd::mwave_init: Error: Failed to initialize board data
[   16.125261] mwave: mwavedd::mwave_init: Error: Failed to initialize
[   16.130478] ==================================================================
[   16.132179] BUG: KASAN: null-ptr-deref in brd_alloc+0x20e/0x277
[   16.132179] Read of size 8 at addr 0000000000000230 by task swapper/1
[   16.132179] 
[   16.132179] CPU: 0 PID: 1 Comm: swapper Not tainted 4.19.0-05614-ga518560 #1
[   16.132179] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[   16.132179] Call Trace:
[   16.132179]  kasan_report+0x231/0x279
[   16.132179]  brd_alloc+0x20e/0x277
[   16.132179]  brd_init+0x51/0x234
[   16.132179]  ? ramdisk_size+0x16/0x16
[   16.132179]  ? do_early_param+0xae/0xae
[   16.132179]  do_one_initcall+0xc0/0x1b3
[   16.132179]  ? rcu_read_lock+0x2c/0x2c
[   16.132179]  ? lock_downgrade+0x27d/0x27d
[   16.132179]  kernel_init_freeable+0x17c/0x227
[   16.132179]  ? rest_init+0xd5/0xd5
[   16.132179]  kernel_init+0x7/0xfe
[   16.132179]  ? rest_init+0xd5/0xd5
[   16.132179]  ret_from_fork+0x1f/0x30
[   16.132179] ==================================================================
[   16.132179] Disabling lock debugging due to kernel taint
[   16.173689] BUG: unable to handle kernel NULL pointer dereference at 0000000000000230
[   16.175701] PGD 0 P4D 0 
[   16.176497] Oops: 0000 [#1] PREEMPT KASAN PTI
[   16.176972] CPU: 0 PID: 1 Comm: swapper Tainted: G    B             4.19.0-05614-ga518560 #1
[   16.176972] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[   16.176972] RIP: 0010:brd_alloc+0x20e/0x277
[   16.176972] Code: 50 4c 8d 24 00 e8 64 a8 b7 ff 4c 89 65 50 4c 89 ef e8 da a7 b7 ff 4c 8b a5 90 05 00 00 49 8d bc 24 30 02 00 00 e8 c6 a7 b7 ff <4d> 8b a4 24 30 02 00 00 49 8d 7c 24 3c e8 b1 a6 b7 ff 41 83 4c 24
[   16.176972] RSP: 0000:ffff88001909fdd8 EFLAGS: 00010282
[   16.176972] RAX: 0000000000000000 RBX: ffff880013473988 RCX: ffffffff810dffc0
[   16.176972] RDX: ffffffff811e48ae RSI: 0000000000000003 RDI: ffffffff8290b200
[   16.176972] RBP: ffff8800134c2ee8 R08: dffffc0000000000 R09: 0000000000000000
[   16.176972] R10: 0000000000000001 R11: 073d073d073d073d R12: 0000000000000000
[   16.176972] R13: ffff8800134c3478 R14: ffffffff83228050 R15: ffffffff82a8d960
[   16.176972] FS:  0000000000000000(0000) GS:ffffffff8285c000(0000) knlGS:0000000000000000
[   16.176972] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   16.176972] CR2: 0000000000000230 CR3: 0000000002824000 CR4: 00000000000006b0
[   16.176972] Call Trace:
[   16.176972]  brd_init+0x51/0x234
[   16.176972]  ? ramdisk_size+0x16/0x16
[   16.176972]  ? do_early_param+0xae/0xae
[   16.176972]  do_one_initcall+0xc0/0x1b3
[   16.176972]  ? rcu_read_lock+0x2c/0x2c
[   16.176972]  ? lock_downgrade+0x27d/0x27d
[   16.176972]  kernel_init_freeable+0x17c/0x227
[   16.176972]  ? rest_init+0xd5/0xd5
[   16.176972]  kernel_init+0x7/0xfe
[   16.176972]  ? rest_init+0xd5/0xd5
[   16.176972]  ret_from_fork+0x1f/0x30
[   16.176972] Modules linked in:
[   16.176972] CR2: 0000000000000230
[   16.176972] ---[ end trace 4c9c9e7a1ae58e68 ]---
[   16.176972] RIP: 0010:brd_alloc+0x20e/0x277

                                                          # HH:MM RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
git bisect start 5da169cafb99be34009584e06bde227d33727524 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d --
git bisect  bad 94e203722538e1af1130debc1b4408b84d0a4ed4  # 17:26  B      0    11   26   0  Merge 'tip/x86/urgent' into devel-hourly-2018110113
git bisect good 2cd5e1c3bc1206e86c5e31651c4c77e179ddf4a8  # 19:03  G     11     0   11  12  Merge 'linux-review/Andreas-Puhm/fpga-altera_cvp-restrict-registration-to-CvP-enabled-devices/20181022-213417' into devel-hourly-2018110113
git bisect  bad 6d0d7e4e782cc962b8a4fa7b65c695a1092f61ac  # 19:19  B      0     1   16   0  Merge 'nf/master' into devel-hourly-2018110113
git bisect good bd5d37fd8f3f500f331161c816ce87c9427e9fc3  # 20:16  G     10     0   10  10  Merge 'linux-review/Florian-Fainelli/arm64-Get-rid-of-__early_init_dt_declare_initrd/20181030-075423' into devel-hourly-2018110113
git bisect  bad a0e620bebd1ad34866b6646af5027c6c92784314  # 20:39  B      0    11   26   0  Merge 'block/for-linus' into devel-hourly-2018110113
git bisect good 2561c52cec3f710041e34a3737a866b565437e20  # 21:39  G     11     0   11  11  Merge 'jlayton/locks-4.21' into devel-hourly-2018110113
git bisect good 1bb9b0d1289f12f22a4145804b66aba7e22581c3  # 22:23  G     11     0   11  11  Merge 'superna9999/amlogic/v4.20/drm-overlay' into devel-hourly-2018110113
git bisect good 6bceec3a8988eb11f6f75db9254fc42a4782d88d  # 23:16  G     10     0   10  10  Merge 'linux-review/Julia-Lawall/ASoC-AMD-constify-regulator_desc-structure/20181028-143635' into devel-hourly-2018110113
git bisect good d122007297044d28f8a285ea3a38f04a9065982d  # 00:03  G     10     0   10  10  Merge 'gpio/fixes' into devel-hourly-2018110113
git bisect good 698b53b3119c45a59eef10b516d780b3e9a5402d  # 00:56  G     11     0   11  13  mtip32xx: clean an indentation issue, remove extraneous tabs
git bisect  bad a5185607787e030fcb0009194d3b12f8bcca59d6  # 01:11  B      0     1   16   0  block: brd: associate with queue until adding disk
git bisect good c57cdf7a9e51d97a43e29b8f4a04157875104000  # 02:01  G     11     0   11  11  block: call rq_qos_exit() after queue is frozen
# first bad commit: [a5185607787e030fcb0009194d3b12f8bcca59d6] block: brd: associate with queue until adding disk
git bisect good c57cdf7a9e51d97a43e29b8f4a04157875104000  # 02:43  G     33     0   33  46  block: call rq_qos_exit() after queue is frozen
# extra tests with debug options
git bisect  bad a5185607787e030fcb0009194d3b12f8bcca59d6  # 02:56  B      0     5   20   0  block: brd: associate with queue until adding disk
# extra tests on HEAD of linux-devel/devel-hourly-2018110113
git bisect  bad 5da169cafb99be34009584e06bde227d33727524  # 03:01  B      0    13   31   0  0day head guard for 'devel-hourly-2018110113'
# extra tests on tree/branch block/for-linus
git bisect  bad a5185607787e030fcb0009194d3b12f8bcca59d6  # 03:06  B      0    15   30   0  block: brd: associate with queue until adding disk
# extra tests with first bad commit reverted
git bisect good 0d9bc20beb726cc13f58a44660e94ea0c4402314  # 04:54  G     10     0   10  10  Revert "block: brd: associate with queue until adding disk"

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/lkp                          Intel Corporation

Download attachment "dmesg-quantal-vp-24:20181102011209:x86_64-randconfig-s3-11011429:4.19.0-05614-ga518560:1.gz" of type "application/gzip" (10635 bytes)

Download attachment "dmesg-quantal-vp-11:20181102023350:x86_64-randconfig-s3-11011429:4.19.0-05613-gc57cdf7:1.gz" of type "application/gzip" (13133 bytes)

View attachment "reproduce-quantal-vp-24:20181102011209:x86_64-randconfig-s3-11011429:4.19.0-05614-ga518560:1" of type "text/plain" (909 bytes)

View attachment "config-4.19.0-05614-ga518560" of type "text/plain" (114387 bytes)
