Message-ID: <20200705082603.GX3874@shao2-debian>
Date:   Sun, 5 Jul 2020 16:26:03 +0800
From:   kernel test robot <rong.a.chen@...el.com>
To:     "Paul E. McKenney" <paulmck@...nel.org>
Cc:     Peter Zijlstra <peterz@...radead.org>,
        Ingo Molnar <mingo@...nel.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Sebastian Andrzej Siewior <bigeasy@...utronix.de>,
        LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org
Subject: [kernel/smp] 5408b78b7a: BUG:KASAN:out-of-bounds_in_c

Greetings,

FYI, we noticed the following commit (built with gcc-9):

commit: 5408b78b7aca1891d8f87d5bfbb9b763b3097810 ("kernel/smp: Provide CSD lock timeout diagnostics")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master

in testcase: trinity
with the following parameters:

	runtime: 300s

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):


+------------------------------------+------------+------------+
|                                    | 5107b9d6a3 | 5408b78b7a |
+------------------------------------+------------+------------+
| boot_successes                     | 24         | 0          |
| boot_failures                      | 0          | 28         |
| BUG:KASAN:out-of-bounds_in_c       | 0          | 25         |
| RIP:delay_tsc                      | 0          | 17         |
| RIP:rcu_read_delay                 | 0          | 2          |
| BUG:KASAN:stack-out-of-bounds_in_c | 0          | 3          |
| RIP:__slab_alloc                   | 0          | 1          |
| RIP:_flat_send_IPI_mask            | 0          | 1          |
| RIP:lock_release                   | 0          | 1          |
| RIP:rcu_torture_one_read           | 0          | 1          |
| RIP:lock_acquire                   | 0          | 1          |
| RIP:rcutorture_one_extend          | 0          | 1          |
| RIP:default_idle                   | 0          | 1          |
+------------------------------------+------------+------------+


If you fix the issue, kindly add following tag
Reported-by: kernel test robot <rong.a.chen@...el.com>


[   96.621096] BUG: KASAN: out-of-bounds in csd_lock_record+0x48/0x87
[   96.622396] Read of size 8 at addr ffffc90000c0fe70 by task swapper/0/0
[   96.623635] 
[   96.623975] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.8.0-rc3-00194-g5408b78b7aca1 #1
[   96.630113] Call Trace:
[   96.630682]  dump_stack+0x7d/0xa3
[   96.631340]  print_address_description+0x1a/0x3e2
[   96.632572]  ? csd_lock_record+0x48/0x87
[   96.633334]  kasan_report+0x13a/0x173
[   96.634139]  ? csd_lock_record+0x48/0x87
[   96.634829]  csd_lock_record+0x48/0x87
[   96.635446]  flush_smp_call_function_queue+0x251/0x447
[   96.636281]  ? rb_write_something+0x4b7/0x4b7
[   96.637017]  flush_smp_call_function_from_idle+0x48/0x52
[   96.637905]  do_idle+0x2dd/0x302
[   96.638506]  ? arch_cpu_idle_exit+0x1d/0x1d
[   96.639345]  ? test_bit+0x22/0x2e
[   96.639936]  cpu_startup_entry+0x1d/0x1f
[   96.640692]  start_kernel+0x904/0x931
[   96.641386]  ? thread_stack_cache_init+0x6/0x6
[   96.642296]  ? memcpy_orig+0x54/0x10f
[   96.643019]  secondary_startup_64+0xa4/0xb0
[   96.643799] 
[   96.644077] 
[   96.644351] Memory state around the buggy address:
[   96.645259]  ffffc90000c0fd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   96.646642]  ffffc90000c0fd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   96.647905] >ffffc90000c0fe00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
[   96.649241]                                                              ^
[   96.650487]  ffffc90000c0fe80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[   96.651935]  ffffc90000c0ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   96.653364] ==================================================================
[   96.654740] Disabling lock debugging due to kernel taint
[   98.261057] rcu-torture: rcu_torture_read_exit: Start of episode
[   98.346096] rcu-torture: rcu_torture_read_exit: End of episode
[  102.101272] rcu-torture: rtc: (____ptrval____) ver: 7045 tfle: 0 rta: 7046 rtaf: 0 rtf: 7034 rtmbe: 0 rtbe: 0 rtbke: 0 rtbre: 0 rtbf: 0 rtb: 0 nt: 13352 onoff: 0/0:0/0 -1,0:-1,0 0:0 (HZ=1000) barrier: 0/0:0 read-exits: 84
[  102.107526] rcu-torture: Reader Pipe:  2994865 13 0 0 0 0 0 0 0 0 0
[  102.108736] rcu-torture: Reader Batch:  2994567 311 0 0 0 0 0 0 0 0 0
[  102.109980] rcu-torture: Free-Block Circulation:  7045 7044 7042 7041 7040 7039 7038 7036 7035 7034 0
[  106.711814] finished
[  106.714985] CPU 0:
[  106.715356]               events:    220188
[  106.716091]        dropped bytes:    0
[  106.716762]        alloced bytes:    17134732
[  106.717544]        written bytes:    16770649
[  106.722442]        biggest event:    285
[  106.723131]       smallest event:    4
[  106.735395]          read events:   12393
[  106.736168]          lost events:   207795
[  106.736862]         total events:   220188
[  106.737574]   recorded len bytes:   973552
[  106.738314]  recorded size bytes:   953716
[  106.739066]  With dropped events, record len and size may not match
[  106.739066]  alloced and written from above
[  106.740829] CPU 1:
[  106.741208]               events:    120920
[  106.741984]        dropped bytes:    0
[  106.742682]        alloced bytes:    8501756
[  106.743429]        written bytes:    8279131
[  106.744165]        biggest event:    295
[  106.744855]       smallest event:    4
[  106.761695]          read events:   13030
[  106.762495]          lost events:   107890
[  106.763195]         total events:   120920
[  106.763959]   recorded len bytes:   972532
[  106.764668]  recorded size bytes:   952295
[  106.765374]  With dropped events, record len and size may not match
[  106.765374]  alloced and written from above
[  106.767239] Ring buffer PASSED!
[  106.772088] Testing ftrace filter: OK
[  106.824842] Loading compiled-in X.509 certificates
[  106.825904] page_owner is disabled
[  106.828873] Key type ._fscrypt registered
[  106.829810] Key type .fscrypt registered
[  106.830639] Key type fscrypt-provisioning registered
[  106.833811] fs-verity: Initialized fs-verity
[  106.873123] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
[  106.878060] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[  106.889984] Sending DHCP requests ., OK
[  106.897520] IP-Config: Got DHCP answer from 10.0.2.2, my address is 10.0.2.15
[  106.898958] IP-Config: Complete:
[  106.899615]      device=eth0, hwaddr=52:54:00:12:34:56, ipaddr=10.0.2.15, mask=255.255.255.0, gw=10.0.2.2
[  106.901548]      host=vm-snb-28, domain=, nis-domain=(none)
[  106.902595]      bootserver=10.0.2.2, rootserver=10.0.2.2, rootpath=
[  106.902598]      nameserver0=10.0.2.3
[  107.014119] Freeing unused decrypted memory: 2040K
[  107.039113] Freeing unused kernel image (initmem) memory: 2676K
[  107.061095] Write protecting the kernel read-only data: 30720k
[  107.086772] Freeing unused kernel image (text/rodata gap) memory: 2044K
[  107.121627] Freeing unused kernel image (rodata/data gap) memory: 1104K
[  107.269517] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[  107.275688] rodata_test: all tests were successful
[  107.276761] x86/mm: Checking user space page tables
[  107.418318] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[  107.428996] Failed to set sysctl parameter 'kernel.softlockup_panic=1': parameter not found
[  107.441198] Run /init as init process
[  107.441899]   with arguments:
[  107.442540]     /init
[  107.442999]   with environment:
[  107.443604]     HOME=/
[  107.444096]     TERM=linux


To reproduce:

        # build kernel
        cd linux
        cp config-5.8.0-rc3-00194-g5408b78b7aca1 .config
        make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email



Thanks,
Rong Chen


View attachment "config-5.8.0-rc3-00194-g5408b78b7aca1" of type "text/plain" (150213 bytes)

View attachment "job-script" of type "text/plain" (4456 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (14716 bytes)
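Added example, not part of the robot's report nor of kernel or lkp-tests code: a C decoder for the "Memory state around the buggy address" block in the dmesg above. Generic KASAN keeps one shadow byte per 8-byte granule and prints 16 shadow bytes (128 bytes of memory) per row, so the reported address ffffc90000c0fe70 falls on granule 14 of the row starting at ffffc90000c0fe00, the byte the caret marks. The code parses the rows as dmesg prints them (timestamp and '>' marker included), names each shadow value with the generic KASAN encoding (f1 and f3 are the compiler's stack left and right redzones), and measures the addressable run around an address. On this dump the 8-byte read lands on an addressable granule inside a 32-byte object at ffffc90000c0fe60 that is bracketed by stack redzones. That is worth knowing when reading the report: the shadow is dumped when the report is printed, after the instrumented check has already fired, so a dump that shows no poison at the reported address means the shadow changed in between, and for stack redzones that happens when a frame on that stack is entered or left concurrently, which is consistent with reading an on-stack object that another context is free to reuse (an inference from the dump, not something the report states). The file and function names, the MAX_ROWS limit and the choice to embed only the rows around the address are assumptions of this example.

```c
/* kasan_shadow_decode.c: decode the "Memory state around the buggy address"
 * block of a generic KASAN report (CONFIG_KASAN_GENERIC on x86_64: one shadow
 * byte per 8-byte granule, 16 shadow bytes per row). Hypothetical helper
 * written for this page, not kernel or lkp-tests code. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define GRANULE   8
#define ROW_BYTES 16
#define MAX_ROWS  16                /* assumed: enough rows for one report */
struct shadow_row  { uint64_t base; uint8_t sh[ROW_BYTES]; };
struct shadow_dump { struct shadow_row rows[MAX_ROWS]; int nrows; };

/* Rows around the bad address, copied from the report above, dmesg prefix and all. */
static const char *const report_lines[] = {
    "[   96.646642]  ffffc90000c0fd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "[   96.647905] >ffffc90000c0fe00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00",
    "[   96.649241]                                                              ^",
    "[   96.650487]  ffffc90000c0fe80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00",
    "[   96.651935]  ffffc90000c0ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
};

/* Shadow byte meaning per mm/kasan/kasan.h; f1..f4 are written by the compiler's
 * stack instrumentation, so they identify a stack frame. */
static const char *shadow_kind(int v)
{
    static const struct { int v; const char *s; } tab[] = {
        {0x00, "addressable"}, {0xf1, "stack left redzone"},
        {0xf2, "stack mid redzone"}, {0xf3, "stack right redzone"},
        {0xf4, "stack partial redzone"}, {0xf9, "global redzone"},
        {0xfa, "freed slab object"}, {0xfb, "freed slab object"},
        {0xfc, "slab redzone"}, {0xfe, "page redzone"}, {0xff, "freed page"},
    };
    for (size_t i = 0; i < sizeof tab / sizeof *tab; i++)
        if (tab[i].v == v)
            return tab[i].s;
    if (v > 0 && v < GRANULE)
        return "partially addressable (first v bytes only)";
    return v < 0 ? "not in dump" : "other poison";
}

/* Parse one row: skip the dmesg prefix and the '>' marker on the guilty row;
 * a line not starting with "<hex>:" (such as the caret line) is rejected. */
static int parse_row(const char *line, struct shadow_row *out)
{
    const char *p = strchr(line, ']');
    char *end;
    p = p ? p + 1 : line;
    while (*p == ' ' || *p == '>')
        p++;
    out->base = strtoull(p, &end, 16);
    if (end == p || *end != ':')
        return 0;
    p = end + 1;
    for (int i = 0; i < ROW_BYTES; i++, p = end) {
        unsigned long v = strtoul(p, &end, 16);
        if (end == p || v > 0xff)
            return 0;
        out->sh[i] = (uint8_t)v;
    }
    return 1;
}

/* Load the embedded lines; returns the number of shadow rows recognised. */
static int load_report_dump(struct shadow_dump *d)
{
    d->nrows = 0;
    for (size_t i = 0; i < sizeof report_lines / sizeof *report_lines; i++)
        if (d->nrows < MAX_ROWS && parse_row(report_lines[i], &d->rows[d->nrows]))
            d->nrows++;
    return d->nrows;
}

/* Shadow byte covering addr, or -1 when the dump does not cover it. */
static int shadow_at(const struct shadow_dump *d, uint64_t addr)
{
    for (int i = 0; i < d->nrows; i++)
        if (addr - d->rows[i].base < ROW_BYTES * GRANULE)  /* wraps when addr < base */
            return d->rows[i].sh[(addr - d->rows[i].base) / GRANULE];
    return -1;
}

/* Bytes in the fully addressable run (the object) holding addr, start in *start;
 * 0 if the granule holding addr is not itself addressable. */
static uint64_t object_extent(const struct shadow_dump *d, uint64_t addr, uint64_t *start)
{
    uint64_t lo = addr & ~(uint64_t)(GRANULE - 1), hi = lo;
    if (shadow_at(d, lo) != 0)
        return 0;
    while (shadow_at(d, lo - GRANULE) == 0)
        lo -= GRANULE;
    while (shadow_at(d, hi + GRANULE) == 0)
        hi += GRANULE;
    *start = lo;
    return hi + GRANULE - lo;
}
```

There is no main on purpose; link the file with a main of your own that calls load_report_dump() and then shadow_at() and object_extent() on the reported address. On the embedded rows shadow_at() returns 0x00 for ffffc90000c0fe70 (the granule the caret marks), object_extent() returns 32 with start ffffc90000c0fe60, and the granules on either side of that object decode as "stack left redzone" and "stack right redzone". To decode a different report, replace report_lines with its shadow rows; the parser ignores the header and caret lines.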
