Date:   Wed, 30 Dec 2020 11:14:36 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Andrey Konovalov <andreyknvl@...gle.com>
Cc:     Linus Torvalds <torvalds@...ux-foundation.org>,
        Vincenzo Frascino <Vincenzo.Frascino@....com>,
        Marco Elver <elver@...gle.com>,
        Alexander Potapenko <glider@...gle.com>,
        Andrey Ryabinin <aryabinin@...tuozzo.com>,
        Branislav Rankov <Branislav.Rankov@....com>,
        Catalin Marinas <catalin.marinas@....com>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        Evgenii Stepanov <eugenis@...gle.com>,
        Kevin Brodsky <kevin.brodsky@....com>,
        Vasily Gorbik <gor@...ux.ibm.com>,
        Will Deacon <will.deacon@....com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org,
        lkp@...el.com
Subject: [kasan]  97593cad00: RIP:kasan_record_aux_stack


Greeting,

FYI, we noticed the following commit (built with gcc-9):

commit: 97593cad003c668e2532cb2939a24a031f8de52d ("kasan: sanitize objects when metadata doesn't fit")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master


in testcase: trinity
version: trinity-i386-4d2343bd-1_20200320
with following parameters:

	runtime: 300s

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):


+--------------------------------------------------------------------------+------------+------------+
|                                                                          | 3933c17571 | 97593cad00 |
+--------------------------------------------------------------------------+------------+------------+
| boot_successes                                                           | 4          | 1          |
| boot_failures                                                            | 0          | 3          |
| BUG:sleeping_function_called_from_invalid_context_at_arch/x86/mm/fault.c | 0          | 3          |
| RIP:kasan_record_aux_stack                                               | 0          | 3          |
| BUG:kernel_NULL_pointer_dereference,address                              | 0          | 3          |
| Oops:#[##]                                                               | 0          | 3          |
| Kernel_panic-not_syncing:Fatal_exception                                 | 0          | 3          |
+--------------------------------------------------------------------------+------------+------------+


If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>


[  235.553325] BUG: sleeping function called from invalid context at arch/x86/mm/fault.c:1351
[  235.554684] in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 7515, name: trinity-c1
[  235.555890] 2 locks held by trinity-c1/7515:
[  235.556506]  #0: ffffffff8323dd38 (&ids->rwsem){....}-{3:3}, at: semctl_down+0x6d/0x686
[  235.557684]  #1: ffff888128ccc868 (&mm->mmap_lock#2){....}-{3:3}, at: do_user_addr_fault+0x196/0x59e
[  235.559020] CPU: 1 PID: 7515 Comm: trinity-c1 Not tainted 5.10.0-g97593cad003c #2
[  235.560317] Call Trace:
[  235.560767]  dump_stack+0x7d/0xa3
[  235.561371]  ___might_sleep+0x2c4/0x2df
[  235.562063]  ? do_user_addr_fault+0x196/0x59e
[  235.562834]  do_user_addr_fault+0x234/0x59e
[  235.563519]  exc_page_fault+0x70/0x8b
[  235.564112]  asm_exc_page_fault+0x1b/0x20
[  235.564754] RIP: 0010:kasan_record_aux_stack+0x64/0x74
[  235.565603] Code: 48 f7 fe 8b 47 24 49 89 f0 8d 70 ff 41 0f af f0 48 01 ce 48 29 d3 48 39 f3 48 0f 46 f3 e8 6f e5 ff ff bf 00 08 00 00 48 89 c3 <8b> 40 08 89 43 0c e8 fb e2 ff ff 89 43 08 5b c3 53 48 89 f3 e8 61
[  235.568479] RSP: 0000:ffff88811f29fce8 EFLAGS: 00010046
[  235.569415] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88813a800000
[  235.570645] RDX: 0000000000000080 RSI: ffff88813a800000 RDI: 0000000000000800
[  235.571721] RBP: 00000000001ea2c0 R08: 0000000000000000 R09: 0000000000000001
[  235.572728] R10: ffffed1027500013 R11: ffff88813a800093 R12: ffff88813a800080
[  235.573700] R13: 0000000000000000 R14: ffff88813a8000f8 R15: 0000000000000246
[  235.574793]  ? kasan_record_aux_stack+0x5c/0x74
[  235.575536]  ? sem_more_checks+0x6c/0x6c
[  235.576171]  call_rcu+0xbe/0x96f
[  235.576668]  ? lock_downgrade+0x46b/0x46b
[  235.577343]  ? do_nocb_bypass_wakeup_timer+0x65/0x65
[  235.578220]  semctl_down+0x602/0x686
[  235.579015]  ? sem_lock_and_putref+0x1b/0x1b
[  235.579762]  ? kvm_sched_clock_read+0x5/0xd
[  235.580517]  ? paravirt_sched_clock+0x5/0x8
[  235.581259]  compat_ksys_semctl+0x1a8/0x1de
[  235.582005]  ? semctl_main+0x81b/0x81b
[  235.582675]  ? lock_downgrade+0x46b/0x46b
[  235.583340]  ? get_vtime_delta+0x83/0x115
[  235.583994]  ? do_write_seqcount_end+0x12/0x42
[  235.584724]  do_int80_syscall_32+0x38/0x45
[  235.585383]  entry_INT80_compat+0x82/0x87
[  235.586014] RIP: 0023:0xf7ef1a02
[  235.586543] Code: 95 01 00 05 25 36 02 00 83 ec 14 8d 80 e8 99 ff ff 50 6a 02 e8 1f ff 00 00 c7 04 24 7f 00 00 00 e8 7e 87 01 00 66 90 90 cd 80 <c3> 8d b6 00 00 00 00 8d bc 27 00 00 00 00 8b 1c 24 c3 8d b6 00 00
[  235.589764] RSP: 002b:00000000ffe6b0f8 EFLAGS: 00000292 ORIG_RAX: 000000000000018a
[  235.591049] RAX: ffffffffffffffda RBX: 0000000000000081 RCX: 0000000000000001
[  235.592230] RDX: 0000000000000000 RSI: 0000000000004000 RDI: 00000000000000ff
[  235.593329] RBP: 000000007aeed3f6 R08: 0000000000000000 R09: 0000000000000000
[  235.594454] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  235.595609] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  235.596810] BUG: kernel NULL pointer dereference, address: 0000000000000008
[  235.598027] #PF: supervisor read access in kernel mode
[  235.598952] #PF: error_code(0x0000) - not-present page
[  235.599857] PGD 8000000118306067 P4D 8000000118306067 PUD 11ac1e067 PMD 15b2e9067 PTE 0
[  235.601232] Oops: 0000 [#1] SMP KASAN PTI
[  235.601936] CPU: 1 PID: 7515 Comm: trinity-c1 Tainted: G        W         5.10.0-g97593cad003c #2
[  235.603475] RIP: 0010:kasan_record_aux_stack+0x64/0x74
[  235.604329] Code: 48 f7 fe 8b 47 24 49 89 f0 8d 70 ff 41 0f af f0 48 01 ce 48 29 d3 48 39 f3 48 0f 46 f3 e8 6f e5 ff ff bf 00 08 00 00 48 89 c3 <8b> 40 08 89 43 0c e8 fb e2 ff ff 89 43 08 5b c3 53 48 89 f3 e8 61
[  235.607111] RSP: 0000:ffff88811f29fce8 EFLAGS: 00010046
[  235.607964] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88813a800000
[  235.609165] RDX: 0000000000000080 RSI: ffff88813a800000 RDI: 0000000000000800
[  235.610409] RBP: 00000000001ea2c0 R08: 0000000000000000 R09: 0000000000000001
[  235.611834] R10: ffffed1027500013 R11: ffff88813a800093 R12: ffff88813a800080
[  235.613110] R13: 0000000000000000 R14: ffff88813a8000f8 R15: 0000000000000246
[  235.614379] FS:  0000000000000000(0000) GS:ffff8881e8a00000(0063) knlGS:00000000f7eec840
[  235.615685] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[  235.616545] CR2: 0000000000000008 CR3: 00000001100b0000 CR4: 00000000000406a0
[  235.617684] Call Trace:
[  235.618092]  ? sem_more_checks+0x6c/0x6c
[  235.618706]  call_rcu+0xbe/0x96f
[  235.619190]  ? lock_downgrade+0x46b/0x46b
[  235.619825]  ? do_nocb_bypass_wakeup_timer+0x65/0x65
[  235.620678]  semctl_down+0x602/0x686
[  235.621319]  ? sem_lock_and_putref+0x1b/0x1b
[  235.622096]  ? kvm_sched_clock_read+0x5/0xd
[  235.622855]  ? paravirt_sched_clock+0x5/0x8
[  235.623616]  compat_ksys_semctl+0x1a8/0x1de
[  235.624377]  ? semctl_main+0x81b/0x81b
[  235.625066]  ? lock_downgrade+0x46b/0x46b
[  235.625799]  ? get_vtime_delta+0x83/0x115
[  235.626468]  ? do_write_seqcount_end+0x12/0x42
[  235.627214]  do_int80_syscall_32+0x38/0x45
[  235.627854]  entry_INT80_compat+0x82/0x87
[  235.628552] RIP: 0023:0xf7ef1a02
[  235.629128] Code: 95 01 00 05 25 36 02 00 83 ec 14 8d 80 e8 99 ff ff 50 6a 02 e8 1f ff 00 00 c7 04 24 7f 00 00 00 e8 7e 87 01 00 66 90 90 cd 80 <c3> 8d b6 00 00 00 00 8d bc 27 00 00 00 00 8b 1c 24 c3 8d b6 00 00
[  235.632253] RSP: 002b:00000000ffe6b0f8 EFLAGS: 00000292 ORIG_RAX: 000000000000018a
[  235.633500] RAX: ffffffffffffffda RBX: 0000000000000081 RCX: 0000000000000001
[  235.634649] RDX: 0000000000000000 RSI: 0000000000004000 RDI: 00000000000000ff
[  235.635722] RBP: 000000007aeed3f6 R08: 0000000000000000 R09: 0000000000000000
[  235.636865] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  235.638130] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  235.639416] Modules linked in: mousedev crc32c_intel evdev psmouse autofs4
[  235.640669] CR2: 0000000000000008
[  235.641281] ---[ end trace 21817c93fd871d30 ]---


To reproduce:

        # build kernel
        cd linux
        cp config-5.10.0-g97593cad003c .config
        make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email



Thanks,
Oliver Sang


View attachment "config-5.10.0-g97593cad003c" of type "text/plain" (136035 bytes)

View attachment "job-script" of type "text/plain" (4269 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (20176 bytes)
