Date:   Sun, 14 Mar 2021 21:55:28 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Christoph Hellwig <hch@....de>
Cc:     0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
        lkp@...ts.01.org, Al Viro <viro@...iv.linux.org.uk>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Daniel Vetter <daniel@...ll.ch>, Nadav Amit <namit@...are.com>,
        "VMware, Inc." <pv-drivers@...are.com>,
        "Michael S. Tsirkin" <mst@...hat.com>,
        David Hildenbrand <david@...hat.com>,
        Minchan Kim <minchan@...nel.org>,
        Nitin Gupta <ngupta@...are.org>,
        Jason Gunthorpe <jgg@...dia.com>,
        Alex Williamson <alex.williamson@...hat.com>,
        linuxppc-dev@...ts.ozlabs.org, dri-devel@...ts.freedesktop.org,
        virtualization@...ts.linux-foundation.org,
        linux-fsdevel@...r.kernel.org, linux-mm@...ck.org
Subject: [iomem]  e14497b88f: BUG:KASAN:null-ptr-deref_in_alloc_anon_inode



Greeting,

FYI, we noticed the following commit (built with clang-13):

commit: e14497b88f9919aeedd47efb2762dfa5fc6b640e ("[PATCH 7/9] iomem: remove the iomem file system")
url: https://github.com/0day-ci/linux/commits/Christoph-Hellwig/fs-rename-alloc_anon_inode-to-alloc_anon_inode_sb/20210310-005356
base: https://git.kernel.org/cgit/linux/kernel/git/gregkh/char-misc.git 080951f99de1e483a9a48f34c079b634f2912a54

in testcase: boot

on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):


+----------------------------------------------+------------+------------+
|                                              | 0befbcb842 | e14497b88f |
+----------------------------------------------+------------+------------+
| BUG:KASAN:null-ptr-deref_in_alloc_anon_inode | 0          | 12         |
| RIP:alloc_anon_inode                         | 0          | 12         |
+----------------------------------------------+------------+------------+


If you fix the issue, kindly add the following tag:
Reported-by: kernel test robot <oliver.sang@...el.com>


[    3.359173] BUG: KASAN: null-ptr-deref in alloc_anon_inode (kbuild/src/consumer/fs/anon_inodes.c:235) 
[    3.359395] Read of size 8 at addr 0000000000000008 by task swapper/0/1
[    3.359395]
[    3.359395] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.12.0-rc2-00012-ge14497b88f99 #2
[    3.359395] Call Trace:
[    3.359395] dump_stack (kbuild/src/consumer/include/linux/instrumented.h:86 kbuild/src/consumer/include/asm-generic/atomic-instrumented.h:45 kbuild/src/consumer/lib/dump_stack.c:123) 
[    3.359395] kasan_report (kbuild/src/consumer/mm/kasan/report.c:403 kbuild/src/consumer/mm/kasan/report.c:416) 
[    3.359395] ? amd_cache_northbridges (kbuild/src/consumer/arch/x86/kernel/amd_nb.c:240) 
[    3.359395] ? alloc_anon_inode (kbuild/src/consumer/fs/anon_inodes.c:235) 
[    3.359395] ? reserve_setup (kbuild/src/consumer/kernel/resource.c:1843) 
[    3.359395] __asan_load8 (kbuild/src/consumer/mm/kasan/generic.c:253) 
[    3.359395] alloc_anon_inode (kbuild/src/consumer/fs/anon_inodes.c:235) 
[    3.359395] iomem_init_inode (kbuild/src/consumer/kernel/resource.c:1846) 
[    3.359395] do_one_initcall (kbuild/src/consumer/init/main.c:1226) 
[    3.359395] ? next_arg (kbuild/src/consumer/lib/cmdline.c:257) 
[    3.359395] ? parse_args (kbuild/src/consumer/kernel/params.c:179) 
[    3.359395] do_initcall_level (kbuild/src/consumer/init/main.c:1298) 
[    3.359395] do_initcalls (kbuild/src/consumer/init/main.c:1312) 
[    3.359395] do_basic_setup (kbuild/src/consumer/init/main.c:1336) 
[    3.359395] kernel_init_freeable (kbuild/src/consumer/init/main.c:1541) 
[    3.359395] ? rest_init (kbuild/src/consumer/init/main.c:1421) 
[    3.359395] kernel_init (kbuild/src/consumer/init/main.c:1426) 
[    3.359395] ? rest_init (kbuild/src/consumer/init/main.c:1421) 
[    3.359395] ret_from_fork (kbuild/src/consumer/arch/x86/entry/entry_64.S:300) 
[    3.359395] ==================================================================
[    3.359395] Disabling lock debugging due to kernel taint
[    3.359437] BUG: kernel NULL pointer dereference, address: 0000000000000008
[    3.360918] #PF: supervisor read access in kernel mode
[    3.361918] #PF: error_code(0x0000) - not-present page
[    3.362728] PGD 0 P4D 0
[    3.362728] Oops: 0000 [#1] SMP KASAN
[    3.362728] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G    B             5.12.0-rc2-00012-ge14497b88f99 #2
[    3.362728] RIP: 0010:alloc_anon_inode (kbuild/src/consumer/fs/anon_inodes.c:235) 
[ 3.362728] Code: 71 fe ff ff 5d c3 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 55 48 89 e5 53 48 8b 1d 54 45 cc 02 48 8d 7b 08 e8 4b 8e f4 ff <48> 8b 7b 08 e8 c2 a5 fc ff 5b 5d c3 66 66 2e 0f 1f 84 00 00 00 00
All code
========
   0:	71 fe                	jno    0x0
   2:	ff                   	(bad)  
   3:	ff 5d c3             	lcall  *-0x3d(%rbp)
   6:	66 66 2e 0f 1f 84 00 	data16 nopw %cs:0x0(%rax,%rax,1)
   d:	00 00 00 00 
  11:	0f 1f 40 00          	nopl   0x0(%rax)
  15:	55                   	push   %rbp
  16:	48 89 e5             	mov    %rsp,%rbp
  19:	53                   	push   %rbx
  1a:	48 8b 1d 54 45 cc 02 	mov    0x2cc4554(%rip),%rbx        # 0x2cc4575
  21:	48 8d 7b 08          	lea    0x8(%rbx),%rdi
  25:	e8 4b 8e f4 ff       	callq  0xfffffffffff48e75
  2a:*	48 8b 7b 08          	mov    0x8(%rbx),%rdi		<-- trapping instruction
  2e:	e8 c2 a5 fc ff       	callq  0xfffffffffffca5f5
  33:	5b                   	pop    %rbx
  34:	5d                   	pop    %rbp
  35:	c3                   	retq   
  36:	66                   	data16
  37:	66                   	data16
  38:	2e                   	cs
  39:	0f                   	.byte 0xf
  3a:	1f                   	(bad)  
  3b:	84 00                	test   %al,(%rax)
  3d:	00 00                	add    %al,(%rax)
	...

Code starting with the faulting instruction
===========================================
   0:	48 8b 7b 08          	mov    0x8(%rbx),%rdi
   4:	e8 c2 a5 fc ff       	callq  0xfffffffffffca5cb
   9:	5b                   	pop    %rbx
   a:	5d                   	pop    %rbp
   b:	c3                   	retq   
   c:	66                   	data16
   d:	66                   	data16
   e:	2e                   	cs
   f:	0f                   	.byte 0xf
  10:	1f                   	(bad)  
  11:	84 00                	test   %al,(%rax)
  13:	00 00                	add    %al,(%rax)
	...
[    3.362728] RSP: 0000:ffff8881001afd10 EFLAGS: 00010282
[    3.362728] RAX: ffff8881001a0001 RBX: 0000000000000000 RCX: ffffffff811b7d0f
[    3.362728] RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffffffff83c11c58
[    3.362728] RBP: ffff8881001afd18 R08: dffffc0000000000 R09: fffffbfff078238c
[    3.362728] R10: fffffbfff078238c R11: 0000000000000000 R12: 0000000000000000
[    3.362728] R13: 0000000000000000 R14: ffffffff8435b9c0 R15: ffffffff8361c400
[    3.362728] FS:  0000000000000000(0000) GS:ffff8881e8600000(0000) knlGS:0000000000000000
[    3.362728] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    3.362728] CR2: 0000000000000008 CR3: 0000000003616000 CR4: 00000000000006b0
[    3.362728] Call Trace:
[    3.362728] iomem_init_inode (kbuild/src/consumer/kernel/resource.c:1846) 
[    3.362728] do_one_initcall (kbuild/src/consumer/init/main.c:1226) 
[    3.362728] ? next_arg (kbuild/src/consumer/lib/cmdline.c:257) 
[    3.362728] ? parse_args (kbuild/src/consumer/kernel/params.c:179) 
[    3.362728] do_initcall_level (kbuild/src/consumer/init/main.c:1298) 
[    3.362728] do_initcalls (kbuild/src/consumer/init/main.c:1312) 
[    3.362728] do_basic_setup (kbuild/src/consumer/init/main.c:1336) 
[    3.362728] kernel_init_freeable (kbuild/src/consumer/init/main.c:1541) 
[    3.362728] ? rest_init (kbuild/src/consumer/init/main.c:1421) 
[    3.362728] kernel_init (kbuild/src/consumer/init/main.c:1426) 
[    3.362728] ? rest_init (kbuild/src/consumer/init/main.c:1421) 
[    3.362728] ret_from_fork (kbuild/src/consumer/arch/x86/entry/entry_64.S:300) 
[    3.362728] Modules linked in:
[    3.362728] CR2: 0000000000000008
[    3.362728] ---[ end trace e17c94a42475f8e5 ]---
[    3.362728] RIP: 0010:alloc_anon_inode (kbuild/src/consumer/fs/anon_inodes.c:235) 
[ 3.362728] Code: 71 fe ff ff 5d c3 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 55 48 89 e5 53 48 8b 1d 54 45 cc 02 48 8d 7b 08 e8 4b 8e f4 ff <48> 8b 7b 08 e8 c2 a5 fc ff 5b 5d c3 66 66 2e 0f 1f 84 00 00 00 00


To reproduce:

        # build kernel
        cd linux
        cp config-5.12.0-rc2-00012-ge14497b88f99 .config
        make HOSTCC=clang-13 CC=clang-13 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email



---
0DAY/LKP+ Test Infrastructure                   Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org       Intel Corporation

Thanks,
Oliver Sang


View attachment "config-5.12.0-rc2-00012-ge14497b88f99" of type "text/plain" (152970 bytes)

View attachment "job-script" of type "text/plain" (4602 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (7756 bytes)
