Message-ID: <20200705082603.GX3874@shao2-debian>
Date: Sun, 5 Jul 2020 16:26:03 +0800
From: kernel test robot <rong.a.chen@...el.com>
To: "Paul E. McKenney" <paulmck@...nel.org>
Cc: Peter Zijlstra <peterz@...radead.org>,
Ingo Molnar <mingo@...nel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Sebastian Andrzej Siewior <bigeasy@...utronix.de>,
LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org
Subject: [kernel/smp] 5408b78b7a: BUG:KASAN:out-of-bounds_in_c
Greetings,
FYI, we noticed that the following commit (built with gcc-9):
commit: 5408b78b7aca1891d8f87d5bfbb9b763b3097810 ("kernel/smp: Provide CSD lock timeout diagnostics")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
in testcase: trinity
with the following parameters:
runtime: 300s
test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):
+------------------------------------+------------+------------+
| | 5107b9d6a3 | 5408b78b7a |
+------------------------------------+------------+------------+
| boot_successes | 24 | 0 |
| boot_failures | 0 | 28 |
| BUG:KASAN:out-of-bounds_in_c | 0 | 25 |
| RIP:delay_tsc | 0 | 17 |
| RIP:rcu_read_delay | 0 | 2 |
| BUG:KASAN:stack-out-of-bounds_in_c | 0 | 3 |
| RIP:__slab_alloc | 0 | 1 |
| RIP:_flat_send_IPI_mask | 0 | 1 |
| RIP:lock_release | 0 | 1 |
| RIP:rcu_torture_one_read | 0 | 1 |
| RIP:lock_acquire | 0 | 1 |
| RIP:rcutorture_one_extend | 0 | 1 |
| RIP:default_idle | 0 | 1 |
+------------------------------------+------------+------------+
If you fix the issue, kindly add the following tag:
Reported-by: kernel test robot <rong.a.chen@...el.com>
[ 96.621096] BUG: KASAN: out-of-bounds in csd_lock_record+0x48/0x87
[ 96.622396] Read of size 8 at addr ffffc90000c0fe70 by task swapper/0/0
[ 96.623635]
[ 96.623975] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.8.0-rc3-00194-g5408b78b7aca1 #1
[ 96.630113] Call Trace:
[ 96.630682] dump_stack+0x7d/0xa3
[ 96.631340] print_address_description+0x1a/0x3e2
[ 96.632572] ? csd_lock_record+0x48/0x87
[ 96.633334] kasan_report+0x13a/0x173
[ 96.634139] ? csd_lock_record+0x48/0x87
[ 96.634829] csd_lock_record+0x48/0x87
[ 96.635446] flush_smp_call_function_queue+0x251/0x447
[ 96.636281] ? rb_write_something+0x4b7/0x4b7
[ 96.637017] flush_smp_call_function_from_idle+0x48/0x52
[ 96.637905] do_idle+0x2dd/0x302
[ 96.638506] ? arch_cpu_idle_exit+0x1d/0x1d
[ 96.639345] ? test_bit+0x22/0x2e
[ 96.639936] cpu_startup_entry+0x1d/0x1f
[ 96.640692] start_kernel+0x904/0x931
[ 96.641386] ? thread_stack_cache_init+0x6/0x6
[ 96.642296] ? memcpy_orig+0x54/0x10f
[ 96.643019] secondary_startup_64+0xa4/0xb0
[ 96.643799]
[ 96.644077]
[ 96.644351] Memory state around the buggy address:
[ 96.645259] ffffc90000c0fd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 96.646642] ffffc90000c0fd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 96.647905] >ffffc90000c0fe00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
[ 96.649241] ^
[ 96.650487] ffffc90000c0fe80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[ 96.651935] ffffc90000c0ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 96.653364] ==================================================================
[ 96.654740] Disabling lock debugging due to kernel taint
[ 98.261057] rcu-torture: rcu_torture_read_exit: Start of episode
[ 98.346096] rcu-torture: rcu_torture_read_exit: End of episode
[ 102.101272] rcu-torture: rtc: (____ptrval____) ver: 7045 tfle: 0 rta: 7046 rtaf: 0 rtf: 7034 rtmbe: 0 rtbe: 0 rtbke: 0 rtbre: 0 rtbf: 0 rtb: 0 nt: 13352 onoff: 0/0:0/0 -1,0:-1,0 0:0 (HZ=1000) barrier: 0/0:0 read-exits: 84
[ 102.107526] rcu-torture: Reader Pipe: 2994865 13 0 0 0 0 0 0 0 0 0
[ 102.108736] rcu-torture: Reader Batch: 2994567 311 0 0 0 0 0 0 0 0 0
[ 102.109980] rcu-torture: Free-Block Circulation: 7045 7044 7042 7041 7040 7039 7038 7036 7035 7034 0
[ 106.711814] finished
[ 106.714985] CPU 0:
[ 106.715356] events: 220188
[ 106.716091] dropped bytes: 0
[ 106.716762] alloced bytes: 17134732
[ 106.717544] written bytes: 16770649
[ 106.722442] biggest event: 285
[ 106.723131] smallest event: 4
[ 106.735395] read events: 12393
[ 106.736168] lost events: 207795
[ 106.736862] total events: 220188
[ 106.737574] recorded len bytes: 973552
[ 106.738314] recorded size bytes: 953716
[ 106.739066] With dropped events, record len and size may not match
[ 106.739066] alloced and written from above
[ 106.740829] CPU 1:
[ 106.741208] events: 120920
[ 106.741984] dropped bytes: 0
[ 106.742682] alloced bytes: 8501756
[ 106.743429] written bytes: 8279131
[ 106.744165] biggest event: 295
[ 106.744855] smallest event: 4
[ 106.761695] read events: 13030
[ 106.762495] lost events: 107890
[ 106.763195] total events: 120920
[ 106.763959] recorded len bytes: 972532
[ 106.764668] recorded size bytes: 952295
[ 106.765374] With dropped events, record len and size may not match
[ 106.765374] alloced and written from above
[ 106.767239] Ring buffer PASSED!
[ 106.772088] Testing ftrace filter: OK
[ 106.824842] Loading compiled-in X.509 certificates
[ 106.825904] page_owner is disabled
[ 106.828873] Key type ._fscrypt registered
[ 106.829810] Key type .fscrypt registered
[ 106.830639] Key type fscrypt-provisioning registered
[ 106.833811] fs-verity: Initialized fs-verity
[ 106.873123] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
[ 106.878060] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[ 106.889984] Sending DHCP requests ., OK
[ 106.897520] IP-Config: Got DHCP answer from 10.0.2.2, my address is 10.0.2.15
[ 106.898958] IP-Config: Complete:
[ 106.899615] device=eth0, hwaddr=52:54:00:12:34:56, ipaddr=10.0.2.15, mask=255.255.255.0, gw=10.0.2.2
[ 106.901548] host=vm-snb-28, domain=, nis-domain=(none)
[ 106.902595] bootserver=10.0.2.2, rootserver=10.0.2.2, rootpath=
[ 106.902598] nameserver0=10.0.2.3
[ 107.014119] Freeing unused decrypted memory: 2040K
[ 107.039113] Freeing unused kernel image (initmem) memory: 2676K
[ 107.061095] Write protecting the kernel read-only data: 30720k
[ 107.086772] Freeing unused kernel image (text/rodata gap) memory: 2044K
[ 107.121627] Freeing unused kernel image (rodata/data gap) memory: 1104K
[ 107.269517] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[ 107.275688] rodata_test: all tests were successful
[ 107.276761] x86/mm: Checking user space page tables
[ 107.418318] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[ 107.428996] Failed to set sysctl parameter 'kernel.softlockup_panic=1': parameter not found
[ 107.441198] Run /init as init process
[ 107.441899] with arguments:
[ 107.442540] /init
[ 107.442999] with environment:
[ 107.443604] HOME=/
[ 107.444096] TERM=linux
To reproduce:
# build kernel
cd linux
cp config-5.8.0-rc3-00194-g5408b78b7aca1 .config
make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email
Thanks,
Rong Chen
View attachment "config-5.8.0-rc3-00194-g5408b78b7aca1" of type "text/plain" (150213 bytes)
View attachment "job-script" of type "text/plain" (4456 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (14716 bytes)