Date:   Tue, 7 Sep 2021 10:13:36 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Alexey Gladkov <legion@...nel.org>
Cc:     "Eric W. Biederman" <ebiederm@...ssion.com>,
        LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org,
        lkp@...el.com
Subject: 6e52a9f053: WARNING:at_kernel/ucount.c:#dec_rlimit_ucounts



Greeting,

FYI, we noticed the following commit (built with gcc-9):

commit: 6e52a9f0532f912af37bab4caf18b57d1b9845f4 ("Reimplement RLIMIT_MSGQUEUE on top of ucounts")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master


in testcase: trinity
version: trinity-static-x86_64-x86_64-1c734c75-1_2020-01-06
with the following parameters:

	runtime: 300s

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):


+--------------------------------------------------+------------+------------+
|                                                  | 21d1c5e386 | 6e52a9f053 |
+--------------------------------------------------+------------+------------+
| boot_successes                                   | 130        | 109        |
| WARNING:at_kernel/ucount.c:#dec_rlimit_ucounts   | 0          | 14         |
| RIP:dec_rlimit_ucounts                           | 0          | 14         |
+--------------------------------------------------+------------+------------+


If you fix the issue, kindly add the following tag:
Reported-by: kernel test robot <oliver.sang@...el.com>


[ 221.319449][ T3387] WARNING: CPU: 0 PID: 3387 at kernel/ucount.c:267 dec_rlimit_ucounts (kernel/ucount.c:267 (discriminator 1)) 
[  221.322995][ T3387] Modules linked in: ieee802154_socket ieee802154 mpls_router ip_tunnel vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock vmw_vmci 8021q garp stp mrp llc af_key hidp bnep rfcomm bluetooth ecdh_generic ecc rfkill can_bcm can_raw can crypto_user ib_core nfnetlink scsi_transport_iscsi atm sctp ip6_udp_tunnel udp_tunnel libcrc32c sr_mod cdrom ata_generic bochs_drm drm_vram_helper drm_ttm_helper intel_rapl_msr ttm intel_rapl_common crct10dif_pclmul crc32_pclmul ppdev crc32c_intel drm_kms_helper ghash_clmulni_intel syscopyarea sysfillrect sysimgblt rapl fb_sys_fops ata_piix drm joydev serio_raw libata i2c_piix4 parport_pc parport
[  221.348649][ T3387] CPU: 0 PID: 3387 Comm: trinity-c4 Not tainted 5.12.0-00005-g6e52a9f0532f #1
[  221.352218][ T3387] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 221.355826][ T3387] RIP: 0010:dec_rlimit_ucounts (kernel/ucount.c:267 (discriminator 1)) 
[ 221.358979][ T3387] Code: c8 f0 48 0f c1 04 31 48 29 d0 78 1e 48 39 cf 4c 0f 44 c0 48 8b 41 10 48 8b 88 e8 01 00 00 48 85 c9 75 db 4d 85 c0 0f 94 c0 c3 <0f> 0b eb de 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 2e 0f 1f 84 00
All code
========
   0:	c8 f0 48 0f          	enterq $0x48f0,$0xf
   4:	c1 04 31 48          	roll   $0x48,(%rcx,%rsi,1)
   8:	29 d0                	sub    %edx,%eax
   a:	78 1e                	js     0x2a
   c:	48 39 cf             	cmp    %rcx,%rdi
   f:	4c 0f 44 c0          	cmove  %rax,%r8
  13:	48 8b 41 10          	mov    0x10(%rcx),%rax
  17:	48 8b 88 e8 01 00 00 	mov    0x1e8(%rax),%rcx
  1e:	48 85 c9             	test   %rcx,%rcx
  21:	75 db                	jne    0xfffffffffffffffe
  23:	4d 85 c0             	test   %r8,%r8
  26:	0f 94 c0             	sete   %al
  29:	c3                   	retq   
  2a:*	0f 0b                	ud2    		<-- trapping instruction
  2c:	eb de                	jmp    0xc
  2e:	66 66 2e 0f 1f 84 00 	data16 nopw %cs:0x0(%rax,%rax,1)
  35:	00 00 00 00 
  39:	66                   	data16
  3a:	66                   	data16
  3b:	2e                   	cs
  3c:	0f                   	.byte 0xf
  3d:	1f                   	(bad)  
  3e:	84 00                	test   %al,(%rax)

Code starting with the faulting instruction
===========================================
   0:	0f 0b                	ud2    
   2:	eb de                	jmp    0xffffffffffffffe2
   4:	66 66 2e 0f 1f 84 00 	data16 nopw %cs:0x0(%rax,%rax,1)
   b:	00 00 00 00 
   f:	66                   	data16
  10:	66                   	data16
  11:	2e                   	cs
  12:	0f                   	.byte 0xf
  13:	1f                   	(bad)  
  14:	84 00                	test   %al,(%rax)
[  221.366284][ T3387] RSP: 0018:ffff9ee7022afe88 EFLAGS: 00010283
[  221.369509][ T3387] RAX: fffffffffffebc40 RBX: ffff8f8d8a7da588 RCX: ffff8f8d8a54c780
[  221.372924][ T3387] RDX: 00000000000143c0 RSI: 0000000000000078 RDI: ffff8f906fc9ce80
[  221.376301][ T3387] RBP: ffff9ee7022afea8 R08: 0000000000000000 R09: fffffffffffebc40
[  221.379637][ T3387] R10: 0000000000000005 R11: 0000000000000000 R12: 00000000000143c0
[  221.382909][ T3387] R13: dead000000000122 R14: ffff9ee7022afea8 R15: dead000000000100
[  221.386151][ T3387] FS:  000000000280a880(0000) GS:ffff8f906fc00000(0000) knlGS:0000000000000000
[  221.389593][ T3387] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  221.392702][ T3387] CR2: 00007f932fb28bfc CR3: 000000014ca1c000 CR4: 00000000000406f0
[  221.395956][ T3387] DR0: 00007f932deb3000 DR1: 00007f932e5b3000 DR2: 0000000000000000
[  221.399120][ T3387] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000030602
[  221.402318][ T3387] Call Trace:
[ 221.408997][ T3387] mqueue_evict_inode (ipc/mqueue.c:544) 
[ 221.411771][ T3387] evict (fs/inode.c:583) 
[ 221.414312][ T3387] __x64_sys_mq_unlink (ipc/mqueue.c:979 ipc/mqueue.c:940 ipc/mqueue.c:940) 
[ 221.416953][ T3387] do_syscall_64 (arch/x86/entry/common.c:46) 
[ 221.419478][ T3387] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:112) 
[  221.422135][ T3387] RIP: 0033:0x463519
[ 221.424521][ T3387] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 59 00 00 c3 66 2e 0f 1f 84 00 00 00 00
All code
========
   0:	00 f3                	add    %dh,%bl
   2:	c3                   	retq   
   3:	66 2e 0f 1f 84 00 00 	nopw   %cs:0x0(%rax,%rax,1)
   a:	00 00 00 
   d:	0f 1f 40 00          	nopl   0x0(%rax)
  11:	48 89 f8             	mov    %rdi,%rax
  14:	48 89 f7             	mov    %rsi,%rdi
  17:	48 89 d6             	mov    %rdx,%rsi
  1a:	48 89 ca             	mov    %rcx,%rdx
  1d:	4d 89 c2             	mov    %r8,%r10
  20:	4d 89 c8             	mov    %r9,%r8
  23:	4c 8b 4c 24 08       	mov    0x8(%rsp),%r9
  28:	0f 05                	syscall 
  2a:*	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax		<-- trapping instruction
  30:	0f 83 db 59 00 00    	jae    0x5a11
  36:	c3                   	retq   
  37:	66                   	data16
  38:	2e                   	cs
  39:	0f                   	.byte 0xf
  3a:	1f                   	(bad)  
  3b:	84 00                	test   %al,(%rax)
  3d:	00 00                	add    %al,(%rax)
	...

Code starting with the faulting instruction
===========================================
   0:	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax
   6:	0f 83 db 59 00 00    	jae    0x59e7
   c:	c3                   	retq   
   d:	66                   	data16
   e:	2e                   	cs
   f:	0f                   	.byte 0xf
  10:	1f                   	(bad)  
  11:	84 00                	test   %al,(%rax)
  13:	00 00                	add    %al,(%rax)
	...
[  221.430740][ T3387] RSP: 002b:00007fffbabd13d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f1
[  221.433749][ T3387] RAX: ffffffffffffffda RBX: 00000000000000f1 RCX: 0000000000463519
[  221.439071][ T3387] RDX: 00120a451171f6b6 RSI: 0000004190280000 RDI: 00007f932e2b3000
[  221.441991][ T3387] RBP: 00007f932e7cb000 R08: 0000000000005656 R09: 0000000035353535
[  221.444853][ T3387] R10: 0000000000000028 R11: 0000000000000246 R12: 0000000000000002
[  221.447716][ T3387] R13: 00007f932e7cb058 R14: 000000000280a850 R15: 00007f932e7cb000
[  221.450516][ T3387] ---[ end trace be5abbe525165e44 ]---
[  312.081601][  T425] sh: can't kill pid 563: No such process
[  322.499412][  T393] sysrq: Emergency Sync
[  322.502349][  T393] sysrq: Resetting
[  322.50
Kboot worker: lkp-worker41
Elapsed time: 360

kvm=(
qemu-system-x86_64
-enable-kvm
-cpu SandyBridge
-kernel $kernel
-initrd initrd-vm-snb-154.cgz
-m 16384
-smp 2
-device e1000,netdev=net0
-netdev user,id=net0,hostfwd=tcp::32032-:22
-boot order=nc
-no-reboot
-watchdog i6300esb
-watchdog-action debug
-rtc base=localtime
-serial stdio
-display none
-monitor null
)

append=(
ip=::::vm-snb-154::dhcp
root=/dev/ram0
user=lkp
job=/job-script
ARCH=x86_64
kconfig=x86_64-rhel-8.3
branch=linus/master
commit=6e52a9f0532f912af37bab4caf18b57d1b9845f4
BOOT_IMAGE=/pkg/linux/x86_64-rhel-8.3/gcc-9/6e52a9f0532f912af37bab4caf18b57d1b9845f4/vmlinuz-5.12.0-00005-g6e52a9f0532f
vmalloc=128M
initramfs_async=0
page_owner=on
max_uptime=2100
RESULT_ROOT=/result/trinity/300s/vm-snb/yocto-x86_64-minimal-20190520.cgz/x86_64-rhel-8.3/gcc-9/6e52a9f0532f912af37bab4caf18b57d1b9845f4/3
result_service=tmpfs


To reproduce:

        # build kernel
        cd linux
        cp config-5.12.0-00005-g6e52a9f0532f .config
        make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email



---
0DAY/LKP+ Test Infrastructure                   Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org       Intel Corporation

Thanks,
Oliver Sang


View attachment "config-5.12.0-00005-g6e52a9f0532f" of type "text/plain" (172891 bytes)

View attachment "job-script" of type "text/plain" (4184 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (16524 bytes)

View attachment "trinity" of type "text/plain" (3679 bytes)
