Message-ID: <20210301065134.GA12822@xsang-OptiPlex-9020>
Date: Mon, 1 Mar 2021 14:51:34 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Alexey Gladkov <gladkov.alexey@...il.com>
Cc: 0day robot <lkp@...el.com>,
kernel test robot <oliver.sang@...el.com>,
LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org,
io-uring@...r.kernel.org,
Kernel Hardening <kernel-hardening@...ts.openwall.com>,
Linux Containers <containers@...ts.linux-foundation.org>,
linux-mm@...ck.org, Alexey Gladkov <legion@...nel.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Christian Brauner <christian.brauner@...ntu.com>,
"Eric W . Biederman" <ebiederm@...ssion.com>,
Jann Horn <jannh@...gle.com>, Jens Axboe <axboe@...nel.dk>,
Kees Cook <keescook@...omium.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Oleg Nesterov <oleg@...hat.com>
Subject: 5b5c35b757: BUG:KASAN:use-after-free_in_dec_rlimit_ucounts
Greetings,
FYI, we noticed the following commit (built with gcc-9):
commit: 5b5c35b757a192cc54eb96137761da67e7ce0520 ("[PATCH v7 6/7] Reimplement RLIMIT_MEMLOCK on top of ucounts")
url: https://github.com/0day-ci/linux/commits/Alexey-Gladkov/Count-rlimits-in-each-user-namespace/20210222-175836
base: https://git.kernel.org/cgit/linux/kernel/git/shuah/linux-kselftest.git next
in testcase: trinity
version: trinity-static-x86_64-x86_64-f93256fb_2019-08-28
with the following parameters:
group: ["group-00", "group-01", "group-02", "group-03", "group-04"]
test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G
caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):
+------------------------------------------------+------------+------------+
|                                                | d28296d248 | 5b5c35b757 |
+------------------------------------------------+------------+------------+
| boot_failures                                  | 0          | 5          |
| BUG:KASAN:use-after-free_in_dec_rlimit_ucounts | 0          | 5          |
| canonical_address#:#[##]                       | 0          | 1          |
| RIP:dec_rlimit_ucounts                         | 0          | 1          |
| Kernel_panic-not_syncing:Fatal_exception       | 0          | 1          |
+------------------------------------------------+------------+------------+
If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <oliver.sang@...el.com>
[ 235.817305] BUG: KASAN: use-after-free in dec_rlimit_ucounts (kbuild/src/consumer/kernel/ucount.c:302 (discriminator 3))
[ 235.818278] Read of size 8 at addr ffff88810687b1d0 by task trinity-c2/4730
[ 235.819266]
[ 235.819585] CPU: 0 PID: 4730 Comm: trinity-c2 Not tainted 5.11.0-rc7-00017-g5b5c35b757a1 #1
[ 235.820944] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 235.822206] Call Trace:
[ 235.822646] dump_stack (kbuild/src/consumer/lib/dump_stack.c:131)
[ 235.823195] print_address_description+0x21/0x140
[ 235.824066] ? dec_rlimit_ucounts (kbuild/src/consumer/kernel/ucount.c:302 (discriminator 3))
[ 235.824815] kasan_report.cold (kbuild/src/consumer/mm/kasan/report.c:397 kbuild/src/consumer/mm/kasan/report.c:413)
[ 235.825530] ? dec_rlimit_ucounts (kbuild/src/consumer/kernel/ucount.c:302 (discriminator 3))
[ 235.826260] __asan_load8 (kbuild/src/consumer/mm/kasan/generic.c:252)
[ 235.826848] dec_rlimit_ucounts (kbuild/src/consumer/kernel/ucount.c:302 (discriminator 3))
[ 235.827549] user_shm_unlock (kbuild/src/consumer/include/linux/spinlock.h:394 kbuild/src/consumer/mm/mlock.c:851)
[ 235.828237] shmem_lock (kbuild/src/consumer/mm/shmem.c:2247)
[ 235.828867] ksys_shmctl+0xc1b/0xe70
[ 235.829658] ? __fsnotify_parent (kbuild/src/consumer/fs/notify/fsnotify.c:200)
[ 235.830391] ? shm_mmap (kbuild/src/consumer/ipc/shm.c:1139)
[ 235.831035] ? ftrace_likely_update (kbuild/src/consumer/kernel/trace/trace_branch.c:225)
[ 235.831765] ? ftrace_likely_update (kbuild/src/consumer/kernel/trace/trace_branch.c:225)
[ 235.832545] ? pvclock_clocksource_read (kbuild/src/consumer/arch/x86/kernel/pvclock.c:80)
[ 235.833390] ? ftrace_likely_update (kbuild/src/consumer/kernel/trace/trace_branch.c:227)
[ 235.834154] ? ftrace_likely_update (kbuild/src/consumer/kernel/trace/trace_branch.c:225)
[ 235.834866] ? get_vtime_delta (kbuild/src/consumer/kernel/sched/cputime.c:658 (discriminator 3))
[ 235.835497] ? ftrace_likely_update (kbuild/src/consumer/kernel/trace/trace_branch.c:227)
[ 235.836217] __x64_sys_shmctl (kbuild/src/consumer/ipc/shm.c:1193)
[ 235.836912] do_syscall_64 (kbuild/src/consumer/arch/x86/entry/common.c:46)
[ 235.837540] entry_SYSCALL_64_after_hwframe (kbuild/src/consumer/arch/x86/entry/entry_64.S:127)
[ 235.838348] RIP: 0033:0x453b29
[ 235.838867] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 84 00 00 c3 66 2e 0f 1f 84 00 00 00 00
All code
========
0: 00 f3 add %dh,%bl
2: c3 retq
3: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
a: 00 00 00
d: 0f 1f 40 00 nopl 0x0(%rax)
11: 48 89 f8 mov %rdi,%rax
14: 48 89 f7 mov %rsi,%rdi
17: 48 89 d6 mov %rdx,%rsi
1a: 48 89 ca mov %rcx,%rdx
1d: 4d 89 c2 mov %r8,%r10
20: 4d 89 c8 mov %r9,%r8
23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 0f 83 3b 84 00 00 jae 0x8471
36: c3 retq
37: 66 data16
38: 2e cs
39: 0f .byte 0xf
3a: 1f (bad)
3b: 84 00 test %al,(%rax)
3d: 00 00 add %al,(%rax)
...
Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 0f 83 3b 84 00 00 jae 0x8447
c: c3 retq
d: 66 data16
e: 2e cs
f: 0f .byte 0xf
10: 1f (bad)
11: 84 00 test %al,(%rax)
13: 00 00 add %al,(%rax)
...
[ 235.841605] RSP: 002b:00007ffd5b1195a8 EFLAGS: 00000246 ORIG_RAX: 000000000000001f
[ 235.842731] RAX: ffffffffffffffda RBX: 000000000000001f RCX: 0000000000453b29
[ 235.843745] RDX: 00007f903f38e000 RSI: 000000000000000c RDI: 0000000000000000
[ 235.844880] RBP: 00007ffd5b119650 R08: 00000000000000de R09: ffffffffffffffff
[ 235.845958] R10: 0000000000000200 R11: 0000000000000246 R12: 0000000000000002
[ 235.847062] R13: 00007f903f899058 R14: 00000000010a2830 R15: 00007f903f899000
[ 235.848178]
[ 235.848538] Allocated by task 4043:
[ 235.849196] kasan_save_stack (kbuild/src/consumer/mm/kasan/common.c:39)
[ 235.849892] ____kasan_kmalloc+0x87/0xb0
[ 235.850711] __kasan_slab_alloc (kbuild/src/consumer/mm/kasan/common.c:438)
[ 235.851394] kmem_cache_alloc (kbuild/src/consumer/include/linux/kasan.h:209 kbuild/src/consumer/mm/slab.h:512 kbuild/src/consumer/mm/slub.c:2892 kbuild/src/consumer/mm/slub.c:2900 kbuild/src/consumer/mm/slub.c:2905)
[ 235.852114] create_user_ns (kbuild/src/consumer/include/linux/slab.h:672 kbuild/src/consumer/kernel/user_namespace.c:105)
[ 235.852801] unshare_userns (kbuild/src/consumer/kernel/user_namespace.c:168)
[ 235.853464] ksys_unshare (kbuild/src/consumer/kernel/fork.c:2956)
[ 235.854145] __x64_sys_unshare (kbuild/src/consumer/kernel/fork.c:3031)
[ 235.854827] do_syscall_64 (kbuild/src/consumer/arch/x86/entry/common.c:46)
[ 235.855485] entry_SYSCALL_64_after_hwframe (kbuild/src/consumer/arch/x86/entry/entry_64.S:127)
[ 235.856368]
[ 235.856733] Freed by task 5:
[ 235.857292] kasan_save_stack (kbuild/src/consumer/mm/kasan/common.c:39)
[ 235.857967] kasan_set_track (kbuild/src/consumer/mm/kasan/common.c:46)
[ 235.858627] kasan_set_free_info (kbuild/src/consumer/mm/kasan/generic.c:358)
[ 235.859329] ____kasan_slab_free (kbuild/src/consumer/mm/kasan/common.c:364)
[ 235.860068] __kasan_slab_free (kbuild/src/consumer/mm/kasan/common.c:370)
[ 235.860761] kmem_cache_free (kbuild/src/consumer/mm/slub.c:1580 kbuild/src/consumer/mm/slub.c:3143 kbuild/src/consumer/mm/slub.c:3159)
[ 235.861439] free_user_ns (kbuild/src/consumer/kernel/user_namespace.c:39 kbuild/src/consumer/kernel/user_namespace.c:202)
[ 235.862059] process_one_work (kbuild/src/consumer/arch/x86/include/asm/jump_label.h:25 kbuild/src/consumer/include/linux/jump_label.h:200 kbuild/src/consumer/include/trace/events/workqueue.h:108 kbuild/src/consumer/kernel/workqueue.c:2280)
[ 235.862754] worker_thread (kbuild/src/consumer/include/linux/list.h:282 kbuild/src/consumer/kernel/workqueue.c:2422)
[ 235.863378] kthread (kbuild/src/consumer/kernel/kthread.c:292)
[ 235.863912] ret_from_fork (kbuild/src/consumer/arch/x86/entry/entry_64.S:302)
[ 235.864576]
[ 235.864940] Last potentially related work creation:
[ 235.865717] kasan_save_stack (kbuild/src/consumer/mm/kasan/common.c:39)
[ 235.866382] kasan_record_aux_stack (kbuild/src/consumer/mm/kasan/generic.c:344)
[ 235.867124] insert_work (kbuild/src/consumer/include/linux/instrumented.h:71 kbuild/src/consumer/include/asm-generic/bitops/instrumented-non-atomic.h:134 kbuild/src/consumer/kernel/workqueue.c:615 kbuild/src/consumer/kernel/workqueue.c:622 kbuild/src/consumer/kernel/workqueue.c:1334)
[ 235.867769] __queue_work (kbuild/src/consumer/kernel/workqueue.c:1500)
[ 235.868448] queue_work_on (kbuild/src/consumer/kernel/workqueue.c:1525)
[ 235.869116] __put_user_ns (kbuild/src/consumer/kernel/user_namespace.c:210)
[ 235.869752] cleanup_net (kbuild/src/consumer/include/linux/user_namespace.h:142 kbuild/src/consumer/include/linux/user_namespace.h:139 kbuild/src/consumer/net/core/net_namespace.c:622)
[ 235.870370] process_one_work (kbuild/src/consumer/arch/x86/include/asm/jump_label.h:25 kbuild/src/consumer/include/linux/jump_label.h:200 kbuild/src/consumer/include/trace/events/workqueue.h:108 kbuild/src/consumer/kernel/workqueue.c:2280)
[ 235.871057] worker_thread (kbuild/src/consumer/include/linux/list.h:282 kbuild/src/consumer/kernel/workqueue.c:2422)
[ 235.871706] kthread (kbuild/src/consumer/kernel/kthread.c:292)
[ 235.872321] ret_from_fork (kbuild/src/consumer/arch/x86/entry/entry_64.S:302)
[ 235.872974]
[ 235.873343] Second to last potentially related work creation:
[ 235.874266] kasan_save_stack (kbuild/src/consumer/mm/kasan/common.c:39)
[ 235.874934] kasan_record_aux_stack (kbuild/src/consumer/mm/kasan/generic.c:344)
[ 235.875695] insert_work (kbuild/src/consumer/include/linux/instrumented.h:71 kbuild/src/consumer/include/asm-generic/bitops/instrumented-non-atomic.h:134 kbuild/src/consumer/kernel/workqueue.c:615 kbuild/src/consumer/kernel/workqueue.c:622 kbuild/src/consumer/kernel/workqueue.c:1334)
[ 235.876369] __queue_work (kbuild/src/consumer/kernel/workqueue.c:1500)
[ 235.877033] queue_work_on (kbuild/src/consumer/kernel/workqueue.c:1525)
[ 235.877677] __put_user_ns (kbuild/src/consumer/kernel/user_namespace.c:210)
[ 235.878286] put_cred_rcu (kbuild/src/consumer/include/linux/user_namespace.h:142 kbuild/src/consumer/kernel/cred.c:125)
[ 235.878875] rcu_do_batch+0x1e2/0x940
[ 235.879591] rcu_core (kbuild/src/consumer/kernel/rcu/tree.c:2723)
[ 235.880212] rcu_core_si (kbuild/src/consumer/kernel/rcu/tree.c:2737)
[ 235.880832] __do_softirq (kbuild/src/consumer/arch/x86/include/asm/jump_label.h:25 kbuild/src/consumer/include/linux/jump_label.h:200 kbuild/src/consumer/include/trace/events/irq.h:142 kbuild/src/consumer/kernel/softirq.c:344)
[ 235.881520]
[ 235.881867] The buggy address belongs to the object at ffff88810687aff8
[ 235.881867] which belongs to the cache user_namespace of size 592
[ 235.883687] The buggy address is located 472 bytes inside of
[ 235.883687] 592-byte region [ffff88810687aff8, ffff88810687b248)
[ 235.885560] The buggy address belongs to the page:
[ 235.886343] page:0000000066c321d7 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88810687b3a8 pfn:0x106878
[ 235.887924] head:0000000066c321d7 order:2 compound_mapcount:0 compound_pincount:0
[ 235.889214] flags: 0x8000000000010200(slab|head)
[ 235.889993] raw: 8000000000010200 ffff888100c25648 ffff888100c25648 ffff888100c8ccc0
[ 235.891261] raw: ffff88810687b3a8 000000000011000a 00000001ffffffff 0000000000000000
[ 235.892557] page dumped because: kasan: bad access detected
[ 235.893490]
[ 235.893838] Memory state around the buggy address:
[ 235.894636] ffff88810687b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 235.895858] ffff88810687b100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 235.897103] >ffff88810687b180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 235.898294]                                                  ^
[ 235.899208] ffff88810687b200: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 235.900359] ffff88810687b280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 235.902866] ==================================================================
[ 235.904088] Disabling lock debugging due to kernel taint
Kboot worker: lkp-worker52
Elapsed time: 240
To reproduce:
# build kernel
cd linux
cp config-5.11.0-rc7-00017-g5b5c35b757a1 .config
make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email
Thanks,
Oliver Sang
View attachment "config-5.11.0-rc7-00017-g5b5c35b757a1" of type "text/plain" (126328 bytes)
View attachment "job-script" of type "text/plain" (4345 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (14968 bytes)