| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 7 Sep 2021 10:13:36 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Alexey Gladkov <legion@...nel.org>
Cc: "Eric W. Biederman" <ebiederm@...ssion.com>,
LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org,
lkp@...el.com
Subject: 6e52a9f053: WARNING:at_kernel/ucount.c:#dec_rlimit_ucounts
Greeting,
FYI, we noticed the following commit (built with gcc-9):
commit: 6e52a9f0532f912af37bab4caf18b57d1b9845f4 ("Reimplement RLIMIT_MSGQUEUE on top of ucounts")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master
in testcase: trinity
version: trinity-static-x86_64-x86_64-1c734c75-1_2020-01-06
with following parameters:
runtime: 300s
test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
+--------------------------------------------------+------------+------------+
| | 21d1c5e386 | 6e52a9f053 |
+--------------------------------------------------+------------+------------+
| boot_successes | 130 | 109 |
| WARNING:at_kernel/ucount.c:#dec_rlimit_ucounts | 0 | 14 |
| RIP:dec_rlimit_ucounts | 0 | 14 |
+--------------------------------------------------+------------+------------+
If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>
[ 221.319449][ T3387] WARNING: CPU: 0 PID: 3387 at kernel/ucount.c:267 dec_rlimit_ucounts (kernel/ucount.c:267 (discriminator 1))
[ 221.322995][ T3387] Modules linked in: ieee802154_socket ieee802154 mpls_router ip_tunnel vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock vmw_vmci 8021q garp stp mrp llc af_key hidp bnep rfcomm bluetooth ecdh_generic ecc rfkill can_bcm can_raw can crypto_user ib_core nfnetlink scsi_transport_iscsi atm sctp ip6_udp_tunnel udp_tunnel libcrc32c sr_mod cdrom ata_generic bochs_drm drm_vram_helper drm_ttm_helper intel_rapl_msr ttm intel_rapl_common crct10dif_pclmul crc32_pclmul ppdev crc32c_intel drm_kms_helper ghash_clmulni_intel syscopyarea sysfillrect sysimgblt rapl fb_sys_fops ata_piix drm joydev serio_raw libata i2c_piix4 parport_pc parport
[ 221.348649][ T3387] CPU: 0 PID: 3387 Comm: trinity-c4 Not tainted 5.12.0-00005-g6e52a9f0532f #1
[ 221.352218][ T3387] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 221.355826][ T3387] RIP: 0010:dec_rlimit_ucounts (kernel/ucount.c:267 (discriminator 1))
[ 221.358979][ T3387] Code: c8 f0 48 0f c1 04 31 48 29 d0 78 1e 48 39 cf 4c 0f 44 c0 48 8b 41 10 48 8b 88 e8 01 00 00 48 85 c9 75 db 4d 85 c0 0f 94 c0 c3 <0f> 0b eb de 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 2e 0f 1f 84 00
All code
========
0: c8 f0 48 0f enterq $0x48f0,$0xf
4: c1 04 31 48 roll $0x48,(%rcx,%rsi,1)
8: 29 d0 sub %edx,%eax
a: 78 1e js 0x2a
c: 48 39 cf cmp %rcx,%rdi
f: 4c 0f 44 c0 cmove %rax,%r8
13: 48 8b 41 10 mov 0x10(%rcx),%rax
17: 48 8b 88 e8 01 00 00 mov 0x1e8(%rax),%rcx
1e: 48 85 c9 test %rcx,%rcx
21: 75 db jne 0xfffffffffffffffe
23: 4d 85 c0 test %r8,%r8
26: 0f 94 c0 sete %al
29: c3 retq
2a:* 0f 0b ud2 <-- trapping instruction
2c: eb de jmp 0xc
2e: 66 66 2e 0f 1f 84 00 data16 nopw %cs:0x0(%rax,%rax,1)
35: 00 00 00 00
39: 66 data16
3a: 66 data16
3b: 2e cs
3c: 0f .byte 0xf
3d: 1f (bad)
3e: 84 00 test %al,(%rax)
Code starting with the faulting instruction
===========================================
0: 0f 0b ud2
2: eb de jmp 0xffffffffffffffe2
4: 66 66 2e 0f 1f 84 00 data16 nopw %cs:0x0(%rax,%rax,1)
b: 00 00 00 00
f: 66 data16
10: 66 data16
11: 2e cs
12: 0f .byte 0xf
13: 1f (bad)
14: 84 00 test %al,(%rax)
[ 221.366284][ T3387] RSP: 0018:ffff9ee7022afe88 EFLAGS: 00010283
[ 221.369509][ T3387] RAX: fffffffffffebc40 RBX: ffff8f8d8a7da588 RCX: ffff8f8d8a54c780
[ 221.372924][ T3387] RDX: 00000000000143c0 RSI: 0000000000000078 RDI: ffff8f906fc9ce80
[ 221.376301][ T3387] RBP: ffff9ee7022afea8 R08: 0000000000000000 R09: fffffffffffebc40
[ 221.379637][ T3387] R10: 0000000000000005 R11: 0000000000000000 R12: 00000000000143c0
[ 221.382909][ T3387] R13: dead000000000122 R14: ffff9ee7022afea8 R15: dead000000000100
[ 221.386151][ T3387] FS: 000000000280a880(0000) GS:ffff8f906fc00000(0000) knlGS:0000000000000000
[ 221.389593][ T3387] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 221.392702][ T3387] CR2: 00007f932fb28bfc CR3: 000000014ca1c000 CR4: 00000000000406f0
[ 221.395956][ T3387] DR0: 00007f932deb3000 DR1: 00007f932e5b3000 DR2: 0000000000000000
[ 221.399120][ T3387] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000030602
[ 221.402318][ T3387] Call Trace:
[ 221.408997][ T3387] mqueue_evict_inode (ipc/mqueue.c:544)
[ 221.411771][ T3387] evict (fs/inode.c:583)
[ 221.414312][ T3387] __x64_sys_mq_unlink (ipc/mqueue.c:979 ipc/mqueue.c:940 ipc/mqueue.c:940)
[ 221.416953][ T3387] do_syscall_64 (arch/x86/entry/common.c:46)
[ 221.419478][ T3387] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:112)
[ 221.422135][ T3387] RIP: 0033:0x463519
[ 221.424521][ T3387] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 59 00 00 c3 66 2e 0f 1f 84 00 00 00 00
All code
========
0: 00 f3 add %dh,%bl
2: c3 retq
3: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
a: 00 00 00
d: 0f 1f 40 00 nopl 0x0(%rax)
11: 48 89 f8 mov %rdi,%rax
14: 48 89 f7 mov %rsi,%rdi
17: 48 89 d6 mov %rdx,%rsi
1a: 48 89 ca mov %rcx,%rdx
1d: 4d 89 c2 mov %r8,%r10
20: 4d 89 c8 mov %r9,%r8
23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 0f 83 db 59 00 00 jae 0x5a11
36: c3 retq
37: 66 data16
38: 2e cs
39: 0f .byte 0xf
3a: 1f (bad)
3b: 84 00 test %al,(%rax)
3d: 00 00 add %al,(%rax)
...
Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 0f 83 db 59 00 00 jae 0x59e7
c: c3 retq
d: 66 data16
e: 2e cs
f: 0f .byte 0xf
10: 1f (bad)
11: 84 00 test %al,(%rax)
13: 00 00 add %al,(%rax)
...
[ 221.430740][ T3387] RSP: 002b:00007fffbabd13d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f1
[ 221.433749][ T3387] RAX: ffffffffffffffda RBX: 00000000000000f1 RCX: 0000000000463519
[ 221.439071][ T3387] RDX: 00120a451171f6b6 RSI: 0000004190280000 RDI: 00007f932e2b3000
[ 221.441991][ T3387] RBP: 00007f932e7cb000 R08: 0000000000005656 R09: 0000000035353535
[ 221.444853][ T3387] R10: 0000000000000028 R11: 0000000000000246 R12: 0000000000000002
[ 221.447716][ T3387] R13: 00007f932e7cb058 R14: 000000000280a850 R15: 00007f932e7cb000
[ 221.450516][ T3387] ---[ end trace be5abbe525165e44 ]---
[ 312.081601][ T425] sh: can't kill pid 563: No such process
[ 322.499412][ T393] sysrq: Emergency Sync
[ 322.502349][ T393] sysrq: Resetting
[ 322.50
Kboot worker: lkp-worker41
Elapsed time: 360
kvm=(
qemu-system-x86_64
-enable-kvm
-cpu SandyBridge
-kernel $kernel
-initrd initrd-vm-snb-154.cgz
-m 16384
-smp 2
-device e1000,netdev=net0
-netdev user,id=net0,hostfwd=tcp::32032-:22
-boot order=nc
-no-reboot
-watchdog i6300esb
-watchdog-action debug
-rtc base=localtime
-serial stdio
-display none
-monitor null
)
append=(
ip=::::vm-snb-154::dhcp
root=/dev/ram0
user=lkp
job=/job-script
ARCH=x86_64
kconfig=x86_64-rhel-8.3
branch=linus/master
commit=6e52a9f0532f912af37bab4caf18b57d1b9845f4
BOOT_IMAGE=/pkg/linux/x86_64-rhel-8.3/gcc-9/6e52a9f0532f912af37bab4caf18b57d1b9845f4/vmlinuz-5.12.0-00005-g6e52a9f0532f
vmalloc=128M
initramfs_async=0
page_owner=on
max_uptime=2100
RESULT_ROOT=/result/trinity/300s/vm-snb/yocto-x86_64-minimal-20190520.cgz/x86_64-rhel-8.3/gcc-9/6e52a9f0532f912af37bab4caf18b57d1b9845f4/3
result_service=tmpfs
To reproduce:
# build kernel
cd linux
cp config-5.12.0-00005-g6e52a9f0532f .config
make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email
---
0DAY/LKP+ Test Infrastructure Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org Intel Corporation
Thanks,
Oliver Sang
View attachment "config-5.12.0-00005-g6e52a9f0532f" of type "text/plain" (172891 bytes)
View attachment "job-script" of type "text/plain" (4184 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (16524 bytes)
View attachment "trinity" of type "text/plain" (3679 bytes)
Powered by blists - more mailing lists