Message-ID: <20210204071131.GB17757@xsang-OptiPlex-9020>
Date: Thu, 4 Feb 2021 15:11:31 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Alexey Gladkov <gladkov.alexey@...il.com>
Cc: 0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
lkp@...ts.01.org, io-uring@...r.kernel.org,
Kernel Hardening <kernel-hardening@...ts.openwall.com>,
Linux Containers <containers@...ts.linux-foundation.org>,
linux-mm@...ck.org, Alexey Gladkov <legion@...nel.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Christian Brauner <christian.brauner@...ntu.com>,
"Eric W . Biederman" <ebiederm@...ssion.com>,
Jann Horn <jannh@...gle.com>, Jens Axboe <axboe@...nel.dk>,
Kees Cook <keescook@...omium.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Oleg Nesterov <oleg@...hat.com>
Subject: 0ac0c30c8f: WARNING:at_kernel/ucount.c:#dec_rlimit_ucounts
Greetings,

FYI, we noticed the following commit (built with gcc-9):

commit: 0ac0c30c8ff725f0300cb52c2e63700dcb1dd7be ("Reimplement RLIMIT_MEMLOCK on top of ucounts")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git Alexey-Gladkov/Count-rlimits-in-each-user-namespace/20210201-222426

in testcase: trinity
version: trinity-static-x86_64-x86_64-1c734c75-1_2020-01-06
with the following parameters:

	runtime: 300s

test-description: Trinity is a Linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/

on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G

caused the changes below (please refer to attached dmesg/kmsg for entire log/backtrace):
+------------------------------------------------+------------+------------+
|                                                | 82b53805c5 | 0ac0c30c8f |
+------------------------------------------------+------------+------------+
| Oops:#[##]                                     | 4          | 3          |
| RIP:is_ucounts_overlimit                       | 4          | 1          |
| Kernel_panic-not_syncing:Fatal_exception       | 4          | 3          |
| RIP:inc_rlimit_ucounts_and_test                | 0          | 3          |
| WARNING:at_kernel/ucount.c:#dec_rlimit_ucounts | 0          | 1          |
| RIP:dec_rlimit_ucounts                         | 0          | 1          |
+------------------------------------------------+------------+------------+

If you fix the issue, kindly add the following tag:
Reported-by: kernel test robot <oliver.sang@...el.com>

[ 31.706679] WARNING: CPU: 1 PID: 760 at kernel/ucount.c:291 dec_rlimit_ucounts (kbuild/src/consumer/kernel/ucount.c:291 (discriminator 1))
[ 31.707605] Modules linked in: mpls_router ip_tunnel af_key vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock vmw_vmci ieee802154_socket ieee802154 hidp bnep rfcomm bluetooth ecdh_generic ecc rfkill can_bcm can_raw can crypto_user nfnetlink scsi_transport_iscsi atm sctp ip6_udp_tunnel udp_tunnel libcrc32c sr_mod cdrom ata_generic ppdev bochs_drm drm_vram_helper drm_ttm_helper ttm drm_kms_helper intel_rapl_msr intel_rapl_common crct10dif_pclmul syscopyarea crc32_pclmul sysfillrect crc32c_intel sysimgblt fb_sys_fops ghash_clmulni_intel rapl drm ata_piix joydev serio_raw parport_pc parport i2c_piix4 libata
[ 31.713767] CPU: 1 PID: 760 Comm: kworker/1:3 Not tainted 5.11.0-rc2-00008-g0ac0c30c8ff7 #1
[ 31.714811] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 31.715844] Workqueue: events free_ipc
[ 31.716626] RIP: 0010:dec_rlimit_ucounts (kbuild/src/consumer/kernel/ucount.c:291 (discriminator 1))
[ 31.717485] Code: 01 49 89 c0 48 89 c6 49 29 d0 f0 4c 0f b1 01 48 39 c6 75 ed 48 85 c0 78 11 48 8b 47 10 48 8b b8 e0 01 00 00 48 85 ff 75 d1 c3 <0f> 0b eb eb 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 2e 0f 1f 84 00
All code
========
0: 01 49 89 add %ecx,-0x77(%rcx)
3: c0 48 89 c6 rorb $0xc6,-0x77(%rax)
7: 49 29 d0 sub %rdx,%r8
a: f0 4c 0f b1 01 lock cmpxchg %r8,(%rcx)
f: 48 39 c6 cmp %rax,%rsi
12: 75 ed jne 0x1
14: 48 85 c0 test %rax,%rax
17: 78 11 js 0x2a
19: 48 8b 47 10 mov 0x10(%rdi),%rax
1d: 48 8b b8 e0 01 00 00 mov 0x1e0(%rax),%rdi
24: 48 85 ff test %rdi,%rdi
27: 75 d1 jne 0xfffffffffffffffa
29: c3 retq
2a:* 0f 0b ud2 <-- trapping instruction
2c: eb eb jmp 0x19
2e: 66 66 2e 0f 1f 84 00 data16 nopw %cs:0x0(%rax,%rax,1)
35: 00 00 00 00
39: 66 data16
3a: 66 data16
3b: 2e cs
3c: 0f .byte 0xf
3d: 1f (bad)
3e: 84 00 test %al,(%rax)
Code starting with the faulting instruction
===========================================
0: 0f 0b ud2
2: eb eb jmp 0xffffffffffffffef
4: 66 66 2e 0f 1f 84 00 data16 nopw %cs:0x0(%rax,%rax,1)
b: 00 00 00 00
f: 66 data16
10: 66 data16
11: 2e cs
12: 0f .byte 0xf
13: 1f (bad)
14: 84 00 test %al,(%rax)
[ 31.719705] RSP: 0018:ffffa61e002e7dd0 EFLAGS: 00010286
[ 31.720626] RAX: fffffffffffffe00 RBX: ffff89896b751800 RCX: ffff89894012da48
[ 31.721648] RDX: 00000000000a1c00 RSI: fffffffffffffe00 RDI: ffff89894012d9c0
[ 31.722688] RBP: ffff89896b799f00 R08: fffffffffff5e200 R09: 0000000000000088
[ 31.723717] R10: 0000000000000000 R11: ffff89896a6ab918 R12: ffff898969bd6400
[ 31.724743] R13: 0000000000000001 R14: ffff89896b799f00 R15: ffff89896b751800
[ 31.725757] FS: 0000000000000000(0000) GS:ffff898a77d00000(0000) knlGS:0000000000000000
[ 31.726743] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 31.727891] CR2: 00007f98a32e22fc CR3: 000000012e20c000 CR4: 00000000000406e0
[ 31.729080] DR0: 0000000000000000 DR1: 00007f98a1bd1000 DR2: 00007f98a22d1000
[ 31.729880] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
[ 31.730674] Call Trace:
[ 31.731292] shm_destroy (kbuild/src/consumer/ipc/shm.c:293)
[ 31.731936] free_ipcs (kbuild/src/consumer/ipc/namespace.c:106 (discriminator 2))
[ 31.732569] ? shm_destroy (kbuild/src/consumer/ipc/shm.c:114)
[ 31.733224] shm_exit_ns (kbuild/src/consumer/ipc/shm.c:132)
[ 31.733855] free_ipc (kbuild/src/consumer/ipc/namespace.c:29 (discriminator 6) kbuild/src/consumer/ipc/namespace.c:128 (discriminator 6) kbuild/src/consumer/ipc/namespace.c:141 (discriminator 6))
[ 31.734479] process_one_work (kbuild/src/consumer/arch/x86/include/asm/jump_label.h:25 kbuild/src/consumer/include/linux/jump_label.h:200 kbuild/src/consumer/include/trace/events/workqueue.h:108 kbuild/src/consumer/kernel/workqueue.c:2280)
[ 31.735136] ? process_one_work (kbuild/src/consumer/kernel/workqueue.c:2364)
[ 31.735777] worker_thread (kbuild/src/consumer/include/linux/list.h:282 kbuild/src/consumer/kernel/workqueue.c:2422)
[ 31.736416] ? process_one_work (kbuild/src/consumer/kernel/workqueue.c:2364)
[ 31.737065] kthread (kbuild/src/consumer/kernel/kthread.c:292)
[ 31.737656] ? kthread_park (kbuild/src/consumer/kernel/kthread.c:245)
[ 31.738275] ret_from_fork (kbuild/src/consumer/arch/x86/entry/entry_64.S:302)
[ 31.738890] ---[ end trace 7a58348982bc0099 ]---
[ 306.675403] sh: can't kill pid 503: No such process
[ 313.160211] sysrq: Emergency Sync
[ 313.160911] sysrq: Resetting
[ 313.1612
Kboot worker: lkp-worker60
Elapsed time: 360
kvm=(
qemu-system-x86_64
-enable-kvm
-cpu SandyBridge
-kernel $kernel
-initrd initrd-vm-snb-91.cgz
-m 8192
-smp 2
-device e1000,netdev=net0
-netdev user,id=net0,hostfwd=tcp::32032-:22
-boot order=nc
-no-reboot
-watchdog i6300esb
-watchdog-action debug
-rtc base=localtime
-serial stdio
-display none
-monitor null
)
append=(
ip=::::vm-snb-91::dhcp
root=/dev/ram0
user=lkp
job=/job-script
ARCH=x86_64
kconfig=x86_64-rhel-8.3-kbuiltin
branch=linux-devel/devel-catchup-20210202-110043
commit=0ac0c30c8ff725f0300cb52c2e63700dcb1dd7be
BOOT_IMAGE=/pkg/linux/x86_64-rhel-8.3-kbuiltin/gcc-9/0ac0c30c8ff725f0300cb52c2e63700dcb1dd7be/vmlinuz-5.11.0-rc2-00008-g0ac0c30c8ff7
vmalloc=512M
max_uptime=2100
RESULT_ROOT=/result/trinity/300s/vm-snb/yocto-x86_64-minimal-20190520.cgz/x86_64-rhel-8.3-kbuiltin/gcc-9/0ac0c30c8ff725f0300cb52c2e63700dcb1dd7be/0
result_service=tmpfs
selinux=0
debug
apic=debug
sysrq_always_enabled
rcupdate.rcu_cpu_stall_timeout=100
net.ifnames=0
printk.devkmsg=on
panic=-1
softlockup_panic=1
nmi_watchdog=panic
oops=panic
load_ramdisk=2
prompt_ramdisk=0
drbd.minor_count=8
systemd.log_level=err
ignore_loglevel
console=tty0
earlyprintk=ttyS0,115200
console=ttyS0,115200
vga=normal
rw
rcuperf.shutdown=0
watchdog_thresh=240
)
"${kvm[@]}" -append "${append[*]}"
To reproduce:
# build kernel
cd linux
cp config-5.11.0-rc2-00008-g0ac0c30c8ff7 .config
make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email
Thanks,
Oliver Sang
View attachment "config-5.11.0-rc2-00008-g0ac0c30c8ff7" of type "text/plain" (171262 bytes)
View attachment "job-script" of type "text/plain" (4117 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (14472 bytes)
View attachment "trinity" of type "text/plain" (2788 bytes)