Date:   Thu, 21 Mar 2019 15:50:54 +0800
From:   kernel test robot <rong.a.chen@...el.com>
To:     David Howells <dhowells@...hat.com>
Cc:     Al Viro <viro@...iv.linux.org.uk>,
        LKML <linux-kernel@...r.kernel.org>,
        linux-fsdevel@...r.kernel.org, lkp@...org
Subject: [LKP] [hugetlbfs] 2284cf59cb: BUG:KASAN:global-out-of-bounds_in_f

FYI, we noticed the following commit (built with gcc-5):

commit: 2284cf59cbcec2f17e50139e2db6d6d761521cd3 ("hugetlbfs: Convert to fs_context")
https://git.kernel.org/cgit/linux/kernel/git/viro/vfs.git R48

in testcase: rcutorture
with following parameters:

	runtime: 300s
	test: cpuhotplug
	torture_type: rcu

test-description: rcutorture is the rcutorture kernel module load/unload test.
test-url: https://www.kernel.org/doc/Documentation/RCU/torture.txt


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):


+-----------------------------------------------------------------------------+------------+------------+
|                                                                             | 0ecab105a8 | 2284cf59cb |
+-----------------------------------------------------------------------------+------------+------------+
| boot_successes                                                              | 4          | 0          |
| boot_failures                                                               | 51         | 4          |
| kobject(#):tried_to_init_an_initialized_object,something_is_seriously_wrong | 42         |            |
| BUG:KASAN:double-free_or_invalid-free_in_k                                  | 43         |            |
| BUG:KASAN:use-after-free_in_t                                               | 13         |            |
| BUG:KASAN:user-memory-access_in_s                                           | 1          |            |
| BUG:unable_to_handle_kernel                                                 | 17         |            |
| Oops:#[##]                                                                  | 17         |            |
| RIP:string                                                                  | 2          |            |
| Kernel_panic-not_syncing:Fatal_exception                                    | 18         |            |
| BUG:KASAN:slab-out-of-bounds_in_t                                           | 3          |            |
| general_protection_fault:#[##]                                              | 1          |            |
| WARNING:at_kernel/locking/lockdep.c:#lock_downgrade                         | 2          |            |
| RIP:lock_downgrade                                                          | 2          |            |
| BUG:kernel_in_stage                                                         | 3          |            |
| BUG:KASAN:user-memory-access_in_t                                           | 19         |            |
| RIP:ttm_mem_global_init[ttm]                                                | 16         |            |
| BUG:kernel_hang_in_boot-around-mounting-root_stage                          | 5          |            |
| BUG:KASAN:global-out-of-bounds_in_f                                         | 0          | 4          |
+-----------------------------------------------------------------------------+------------+------------+



[    5.777052] BUG: KASAN: global-out-of-bounds in fs_validate_description+0xeb/0x3c0
[    5.778184] Read of size 8 at addr ffffffffafade9b0 by task swapper/1
[    5.778184] 
[    5.778184] CPU: 0 PID: 1 Comm: swapper Not tainted 5.0.0-rc2-00037-g2284cf5 #2
[    5.778184] Call Trace:
[    5.778184]  print_address_description+0x1dd/0x290
[    5.778184]  ? fs_validate_description+0xeb/0x3c0
[    5.778184]  ? fs_validate_description+0xeb/0x3c0
[    5.778184]  kasan_report+0x134/0x1a4
[    5.778184]  ? f_dupfd+0xa0/0xf0
[    5.778184]  ? fs_validate_description+0xeb/0x3c0
[    5.778184]  fs_validate_description+0xeb/0x3c0
[    5.778184]  ? kmem_cache_create_usercopy+0xa2/0x2f0
[    5.778184]  register_filesystem+0x23/0xc0
[    5.778184]  init_hugetlbfs_fs+0xc3/0x286
[    5.778184]  ? init_ramfs_fs+0x7c/0x7c
[    5.778184]  do_one_initcall+0xb3/0x300
[    5.778184]  ? initcall_blacklisted+0x120/0x120
[    5.778184]  ? check_flags+0x1d0/0x270
[    5.778184]  ? __lock_is_held+0x37/0xd0
[    5.778184]  kernel_init_freeable+0x418/0x66c
[    5.778184]  ? rest_init+0x140/0x140
[    5.778184]  kernel_init+0xf/0x120
[    5.778184]  ? _raw_spin_unlock_irq+0x29/0x40
[    5.778184]  ? rest_init+0x140/0x140
[    5.778184]  ret_from_fork+0x24/0x30
[    5.778184] 
[    5.778184] The buggy address belongs to the variable:
[    5.778184]  hugetlb_param_specs+0x70/0xc0
[    5.778184] 
[    5.778184] Memory state around the buggy address:
[    5.778184]  ffffffffafade880: 00 01 fa fa fa fa fa fa 05 fa fa fa fa fa fa fa
[    5.778184]  ffffffffafade900: 04 fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
[    5.778184] >ffffffffafade980: 00 00 00 00 00 00 fa fa fa fa fa fa 00 00 00 00
[    5.778184]                                      ^
[    5.778184]  ffffffffafadea00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[    5.778184]  ffffffffafadea80: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
[    5.778184] ==================================================================
[    5.778184] Disabling lock debugging due to kernel taint
[    5.827396] pnp: PnP ACPI init
[    5.830044] pnp 00:00: Plug and Play ACPI device, IDs PNP0b00 (active)
[    5.833615] pnp 00:01: Plug and Play ACPI device, IDs PNP0303 (active)
[    5.837002] pnp 00:02: Plug and Play ACPI device, IDs PNP0f13 (active)
[    5.839483] pnp 00:03: [dma 2]
[    5.840964] pnp 00:03: Plug and Play ACPI device, IDs PNP0700 (active)
[    5.845533] pnp 00:04: Plug and Play ACPI device, IDs PNP0400 (active)
[    5.849958] pnp 00:05: Plug and Play ACPI device, IDs PNP0501 (active)
[    5.854484] pnp 00:06: Plug and Play ACPI device, IDs PNP0501 (active)
[    5.870601] pnp: PnP ACPI: found 7 devices
[    5.882050] clocksource: acpi_pm: mask: 0xffffff max_cycles: 0xffffff, max_idle_ns: 2085701024 ns
[    5.884525] pci_bus 0000:00: resource 4 [io  0x0000-0x0cf7 window]
[    5.886139] pci_bus 0000:00: resource 5 [io  0x0d00-0xffff window]
[    5.887790] pci_bus 0000:00: resource 6 [mem 0x000a0000-0x000bffff window]
[    5.889583] pci_bus 0000:00: resource 7 [mem 0xc0000000-0xfebfffff window]
[    5.894067] NET: Registered protocol family 2
[    5.895541] random: get_random_u32 called from neigh_hash_alloc+0xa4/0xf0 with crng_init=0
[    5.900301] random: get_random_u32 called from bucket_table_alloc+0xbe/0x210 with crng_init=0
[    5.903284] random: get_random_u32 called from rt_genid_init+0x78/0xc0 with crng_init=0
[    5.905616] tcp_listen_portaddr_hash hash table entries: 4096 (order: 6, 360448 bytes)
[    5.908791] TCP established hash table entries: 65536 (order: 7, 524288 bytes)
[    5.913051] TCP bind hash table entries: 32768 (order: 9, 2621440 bytes)
[    5.923551] TCP: Hash tables configured (established 65536 bind 32768)
[    5.931298] UDP hash table entries: 4096 (order: 7, 786432 bytes)
[    5.935818] UDP-Lite hash table entries: 4096 (order: 7, 786432 bytes)
[    5.940087] NET: Registered protocol family 1
[    5.943920] RPC: Registered named UNIX socket transport module.
[    5.945542] RPC: Registered udp transport module.
[    5.946777] RPC: Registered tcp transport module.
[    5.948034] RPC: Registered tcp NFSv4.1 backchannel transport module.
[    5.949740] pci 0000:00:01.0: PIIX3: Enabling Passive Release
[    5.951332] pci 0000:00:00.0: Limiting direct PCI/PCI transfers
[    5.952971] pci 0000:00:01.0: Activating ISA DMA hang workarounds
[    5.954821] pci 0000:00:02.0: Video device with shadowed ROM at [mem 0x000c0000-0x000dffff]
[    5.957382] PCI: CLS 0 bytes, default 64
[    5.959720] Unpacking initramfs...

Elapsed time: 10

qemu-img create -f qcow2 disk-vm-snb-8G-423-0 256G
qemu-img create -f qcow2 disk-vm-snb-8G-423-1 256G
qemu-img create -f qcow2 disk-vm-snb-8G-423-2 256G
qemu-img create -f qcow2 disk-vm-snb-8G-423-3 256G
qemu-img create -f qcow2 disk-vm-snb-8G-423-4 256G
qemu-img create -f qcow2 disk-vm-snb-8G-423-5 256G
qemu-img create -f qcow2 disk-vm-snb-8G-423-6 256G

kvm=(
	qemu-system-x86_64
	-enable-kvm
	-cpu SandyBridge
	-kernel $kernel
	-initrd initrd-vm-snb-8G-423
	-m 8192
	-smp 2
	-device e1000,netdev=net0
	-netdev user,id=net0,hostfwd=tcp::26422-:22
	-boot order=nc
	-no-reboot
	-watchdog i6300esb
	-watchdog-action debug
	-rtc base=localtime


To reproduce:

        # build kernel
	cd linux
	cp config-5.0.0-rc2-00037-g2284cf5 .config
	make HOSTCC=gcc-5 CC=gcc-5 ARCH=x86_64 olddefconfig
	make HOSTCC=gcc-5 CC=gcc-5 ARCH=x86_64 prepare
	make HOSTCC=gcc-5 CC=gcc-5 ARCH=x86_64 modules_prepare
	make HOSTCC=gcc-5 CC=gcc-5 ARCH=x86_64 SHELL=/bin/bash
	make HOSTCC=gcc-5 CC=gcc-5 ARCH=x86_64 bzImage


        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email



Thanks,
Rong Chen


View attachment "config-5.0.0-rc2-00037-g2284cf5" of type "text/plain" (95385 bytes)

View attachment "job-script" of type "text/plain" (4831 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (7796 bytes)
