lists.openwall.net: Open Source and information security mailing list archives
Date:   Thu, 25 Nov 2021 21:18:59 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Like Xu <like.xu.linux@...il.com>
Cc:     0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
        lkp@...ts.01.org, Paolo Bonzini <pbonzini@...hat.com>,
        Sean Christopherson <seanjc@...gle.com>,
        Vitaly Kuznetsov <vkuznets@...hat.com>,
        Wanpeng Li <wanpengli@...cent.com>,
        Jim Mattson <jmattson@...gle.com>,
        Joerg Roedel <joro@...tes.org>, kvm@...r.kernel.org,
        Like Xu <likexu@...cent.com>
Subject: [KVM]  54244a5dd7: BUG:KASAN:stack-out-of-bounds_in_find_first_bit

Greetings,

FYI, we noticed the following commit (built with gcc-9):

commit: 54244a5dd79183120f8c5f26d3a89f3966b48022 ("[PATCH 7/7] KVM: x86/pmu: Setup the {inte|amd}_event_mapping[] when hardware_setup")
url: https://github.com/0day-ci/linux/commits/Like-Xu/KVM-x86-pmu-Four-functional-fixes/20211112-175332
base: https://git.kernel.org/cgit/virt/kvm/kvm.git queue
patch link: https://lore.kernel.org/kvm/20211112095139.21775-8-likexu@tencent.com

in testcase: kvm-unit-tests
version: kvm-unit-tests-x86_64-49934b5-1_20211109
with following parameters:

	ucode: 0x28



on test machine: 8 threads 1 sockets Intel(R) Core(TM) i7-4790T CPU @ 2.70GHz with 16G memory

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):



If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <oliver.sang@...el.com>


[ 84.771702][ T4365] BUG: KASAN: stack-out-of-bounds in _find_first_bit (lib/find_bit.c:83) 
[   84.780637][ T4365] Read of size 8 at addr ffffc9000c60f8f8 by task qemu-system-x86/4365
[   84.790296][ T4365]
[   84.794004][ T4365] CPU: 0 PID: 4365 Comm: qemu-system-x86 Not tainted 5.15.0-rc2-00208-g54244a5dd791 #1
[   84.805011][ T4365] Hardware name: Gigabyte Technology Co., Ltd. Z97X-UD5H/Z97X-UD5H, BIOS F9 04/21/2015
[   84.816034][ T4365] Call Trace:
[ 84.820699][ T4365] dump_stack_lvl (lib/dump_stack.c:107) 
[ 84.826539][ T4365] print_address_description+0x21/0x140 
[ 84.834470][ T4365] ? _find_first_bit (lib/find_bit.c:83) 
[ 84.840512][ T4365] kasan_report.cold (mm/kasan/report.c:443 mm/kasan/report.c:459) 
[ 84.846572][ T4365] ? _find_first_bit (lib/find_bit.c:83) 
[ 84.852560][ T4365] _find_first_bit (lib/find_bit.c:83) 
[ 84.858377][ T4365] intel_pmu_refresh (arch/x86/kvm/vmx/pmu_intel.c:513 (discriminator 3) arch/x86/kvm/vmx/pmu_intel.c:553 (discriminator 3)) kvm_intel
[ 84.865539][ T4365] ? __kernel_text_address (kernel/extable.c:105) 
[ 84.871885][ T4365] ? vmemdup_user (mm/util.c:200) 
[ 84.877581][ T4365] ? intel_msr_idx_to_pmc (arch/x86/kvm/vmx/pmu_intel.c:518) kvm_intel
[ 84.885068][ T4365] ? arch_stack_walk (arch/x86/kernel/stacktrace.c:26) 
[ 84.890932][ T4365] ? kasan_unpoison (mm/kasan/shadow.c:108 mm/kasan/shadow.c:142) 
[ 84.896629][ T4365] kvm_vcpu_after_set_cpuid (arch/x86/kvm/cpuid.c:1125 arch/x86/kvm/cpuid.h:77 arch/x86/kvm/cpuid.h:89 arch/x86/kvm/cpuid.c:204) kvm
[ 84.903810][ T4365] kvm_vcpu_ioctl_set_cpuid2 (arch/x86/kvm/cpuid.c:327) kvm
[ 84.910961][ T4365] kvm_arch_vcpu_ioctl (arch/x86/kvm/x86.c:5208) kvm
[ 84.917710][ T4365] ? kmem_cache_alloc (mm/slab.h:520 mm/slub.c:3206 mm/slub.c:3214 mm/slub.c:3219) 
[ 84.923632][ T4365] ? vm_area_alloc (kernel/fork.c:349) 
[ 84.929232][ T4365] ? mmap_region (mm/mmap.c:1767) 
[ 84.934827][ T4365] ? do_mmap (mm/mmap.c:1575) 
[ 84.939958][ T4365] ? vm_mmap_pgoff (mm/util.c:519) 
[ 84.945616][ T4365] ? ksys_mmap_pgoff (mm/mmap.c:1624) 
[ 84.951437][ T4365] ? kvm_arch_vcpu_put (arch/x86/kvm/x86.c:5124) kvm
[ 84.957991][ T4365] ? rmqueue_bulk (mm/page_alloc.c:3677) 
[ 84.963736][ T4365] ? kernel_init_free_pages+0xc7/0x1c0 
[ 84.970700][ T4365] ? prep_new_page (mm/page_alloc.c:1267 mm/page_alloc.c:2414 mm/page_alloc.c:2424) 
[ 84.976358][ T4365] ? get_page_from_freelist (mm/page_alloc.c:4159) 
[ 84.982821][ T4365] ? mem_cgroup_oom_trylock (mm/memcontrol.c:2531) 
[ 84.989391][ T4365] ? __alloc_pages_slowpath+0x1fc0/0x1fc0 
[ 84.997091][ T4365] ? __mod_memcg_lruvec_state (mm/memcontrol.c:684) 
[ 85.003658][ T4365] ? __mod_lruvec_page_state (arch/x86/include/asm/preempt.h:85 include/linux/rcupdate.h:73 include/linux/rcupdate.h:719 mm/memcontrol.c:729) 
[ 85.010244][ T4365] ? pagevec_add_and_need_flush (arch/x86/include/asm/atomic.h:29 include/linux/atomic/atomic-instrumented.h:28 include/linux/swap.h:355 mm/swap.c:223 mm/swap.c:218) 
[ 85.016966][ T4365] ? mutex_lock_killable (arch/x86/include/asm/atomic64_64.h:190 include/linux/atomic/atomic-long.h:443 include/linux/atomic/atomic-instrumented.h:1669 kernel/locking/mutex.c:165 kernel/locking/mutex.c:949) 
[ 85.023061][ T4365] ? __mutex_lock_killable_slowpath (kernel/locking/mutex.c:946) 
[ 85.030041][ T4365] kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:3747) kvm
[ 85.036224][ T4365] ? fiemap_prep (fs/ioctl.c:778) 
[ 85.041714][ T4365] ? kvm_set_memory_region (arch/x86/kvm/../../../virt/kvm/kvm_main.c:3743) kvm
[ 85.048494][ T4365] ? copy_page_range (mm/memory.c:4609) 
[ 85.054537][ T4365] ? __might_fault (mm/memory.c:5263) 
[ 85.060056][ T4365] ? down_read_trylock (arch/x86/include/asm/atomic64_64.h:34 include/linux/atomic/atomic-long.h:41 include/linux/atomic/atomic-instrumented.h:1198 kernel/locking/rwsem.c:171 kernel/locking/rwsem.c:176 kernel/locking/rwsem.c:1249 kernel/locking/rwsem.c:1503) 
[ 85.066011][ T4365] ? __fget_files (fs/file.c:865) 
[ 85.071629][ T4365] __x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:874 fs/ioctl.c:860 fs/ioctl.c:860) 
[ 85.077309][ T4365] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) 
[ 85.082620][ T4365] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113) 
[   85.089453][ T4365] RIP: 0033:0x7f06dc8f1427
[ 85.094794][ T4365] Code: 00 00 90 48 8b 05 69 aa 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 39 aa 0c 00 f7 d8 64 89 01 48
All code
========
   0:	00 00                	add    %al,(%rax)
   2:	90                   	nop
   3:	48 8b 05 69 aa 0c 00 	mov    0xcaa69(%rip),%rax        # 0xcaa73
   a:	64 c7 00 26 00 00 00 	movl   $0x26,%fs:(%rax)
  11:	48 c7 c0 ff ff ff ff 	mov    $0xffffffffffffffff,%rax
  18:	c3                   	retq   
  19:	66 2e 0f 1f 84 00 00 	nopw   %cs:0x0(%rax,%rax,1)
  20:	00 00 00 
  23:	b8 10 00 00 00       	mov    $0x10,%eax
  28:	0f 05                	syscall 
  2a:*	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax		<-- trapping instruction
  30:	73 01                	jae    0x33
  32:	c3                   	retq   
  33:	48 8b 0d 39 aa 0c 00 	mov    0xcaa39(%rip),%rcx        # 0xcaa73
  3a:	f7 d8                	neg    %eax
  3c:	64 89 01             	mov    %eax,%fs:(%rcx)
  3f:	48                   	rex.W

Code starting with the faulting instruction
===========================================
   0:	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax
   6:	73 01                	jae    0x9
   8:	c3                   	retq   
   9:	48 8b 0d 39 aa 0c 00 	mov    0xcaa39(%rip),%rcx        # 0xcaa49
  10:	f7 d8                	neg    %eax
  12:	64 89 01             	mov    %eax,%fs:(%rcx)
  15:	48                   	rex.W
[   85.116510][ T4365] RSP: 002b:00007f06d9f6c558 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   85.125943][ T4365] RAX: ffffffffffffffda RBX: 000000004008ae90 RCX: 00007f06dc8f1427
[   85.134961][ T4365] RDX: 00007f06d9f6c6d0 RSI: 000000004008ae90 RDI: 000000000000000e
[   85.143958][ T4365] RBP: 00007f06d9f6c6d0 R08: 000000000000000c R09: 0000000000000000
[   85.152953][ T4365] R10: 0000000000000000 R11: 0000000000000246 R12: 000055b6978d4620
[   85.161952][ T4365] R13: 0000000000000020 R14: 000055b6978d4620 R15: 0000000000000022
[   85.170960][ T4365]
[   85.174322][ T4365]
[   85.177658][ T4365] addr ffffc9000c60f8f8 is located in stack of task qemu-system-x86/4365 at offset 48 in frame:
[ 85.189115][ T4365] intel_pmu_refresh (arch/x86/kvm/vmx/pmu_intel.c:518) kvm_intel
[   85.195987][ T4365]
[   85.199373][ T4365] this frame has 2 objects:
[   85.204920][ T4365]  [48, 52) 'avail_cpuid_events'
[   85.204922][ T4365]  [64, 92) 'x86_pmu'
[   85.210898][ T4365]
[   85.219235][ T4365] Memory state around the buggy address:
[   85.225867][ T4365]  ffffc9000c60f780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   85.234910][ T4365]  ffffc9000c60f800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   85.243951][ T4365] >ffffc9000c60f880: 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1 04
[   85.252982][ T4365]                                                                 ^
[   85.261951][ T4365]  ffffc9000c60f900: f2 00 00 00 04 f3 f3 f3 f3 00 00 00 00 00 00 00
[   85.270999][ T4365]  ffffc9000c60f980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   85.280044][ T4365] ==================================================================
[   85.289098][ T4365] Disabling lock debugging due to kernel taint
[   95.394905][  T375] IPMI BMC is not supported on this machine, skip bmc-watchdog setup!
[   95.394916][  T375]
[   97.539025][  T375]
[   97.555987][  T375]
[   99.429527][  T375]
[  101.300244][  T375]
[  103.169726][  T375]
[  105.510268][  T375]
[  107.393317][ T5543] kvm: emulating exchange as write
[  107.481028][  T375]
[  109.383408][  T375]
[  111.259366][  T375]
[  113.128375][  T375]
[  115.008256][  T375]
[  116.886251][  T375]
[  119.219491][  T375]
[  122.445594][  T375]
[  124.341055][  T375]
[  126.072608][  T375]
[  129.915795][  T375]
[  131.824177][  T375]
[  138.705573][  T375]
[  140.580108][  T375]
[  142.455213][  T375]
[  144.326085][  T375]
[  146.221456][  T375]
[  148.105465][  T375]
[  150.001780][  T375]
[  150.013556][  T375]
[  150.024507][  T375]
[  155.625268][  T375]
[  157.506774][  T375]
[  159.384324][  T375]
[  161.257915][  T375]
[  163.132870][  T375]
[  165.008923][  T375]
[  165.020671][  T375]
[  167.307168][T10789] kvm [10786]: vcpu0, guest rIP: 0x4091d8 vmx_set_msr: BTF|LBR in IA32_DEBUGCTLMSR 0x3, nop
[  167.320146][T10789] kvm [10786]: vcpu0, guest rIP: 0x409277 vmx_set_msr: BTF|LBR in IA32_DEBUGCTLMSR 0x3, nop
[  179.394522][  T375]
[  181.402357][  T375]
[  183.369745][  T375]
[  185.345571][  T375]
[  187.293076][  T375]
[  189.262862][  T375]
[  191.364860][  T375]
[  193.434728][  T375]


To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        sudo bin/lkp install job.yaml           # job file is attached in this email
        bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
        sudo bin/lkp run generated-yaml-file

        # if you come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.



---
0DAY/LKP+ Test Infrastructure                   Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org       Intel Corporation

Thanks,
Oliver Sang


View attachment "config-5.15.0-rc2-00208-g54244a5dd791" of type "text/plain" (174617 bytes)

View attachment "job-script" of type "text/plain" (5413 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (4396 bytes)

View attachment "kvm-unit-tests" of type "text/plain" (2562 bytes)

View attachment "job.yaml" of type "text/plain" (4389 bytes)

View attachment "reproduce" of type "text/plain" (16 bytes)
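The report above pins the bug down precisely: the frame of intel_pmu_refresh() holds 'avail_cpuid_events' as a 4-byte object at [48, 52), yet _find_first_bit() (lib/find_bit.c) performed a "Read of size 8" starting at offset 48. The kernel's bitmap walkers operate on whole unsigned long words, so handing them a 32-bit variable on x86_64 always reads 4 bytes past it, into whatever the compiler placed next on the stack. KASAN catches the overrun, but even without KASAN the result is wrong: a stray set bit in the neighbouring slot yields a bogus "first available event" index of 32 or higher. The following C program is an added illustration written for this page, not code from the patch series or from the kernel; the names find_first_bit_words, bitmap_bytes_read, walker_overruns_object, struct frame_model, first_bit_via_overread and first_bit_from_cpuid_field are my own, the kernel macros are re-declared so it builds in userspace, and the over-read model assumes a little-endian LP64 target like the i7-4790T box in the report. The actual upstream fix is not on this page; the "fixed form" simply shows the width-correct way to hold the bitmap.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Kernel-style bitmap helpers, re-declared here so the example builds in
 * userspace (names mirror include/linux/bitops.h and include/linux/types.h). */
#define BITS_PER_LONG            (CHAR_BIT * sizeof(unsigned long))
#define BITS_TO_LONGS(nbits)     (((nbits) + BITS_PER_LONG - 1) / BITS_PER_LONG)
#define DECLARE_BITMAP(name, nbits) unsigned long name[BITS_TO_LONGS(nbits)]

/* Stand-in for lib/find_bit.c's _find_first_bit(): it scans whole unsigned
 * long words, so for any nbits <= 64 it reads 8 bytes on x86_64. Returns the
 * index of the first set bit below 'size', or 'size' if none is set. */
unsigned long find_first_bit_words(const unsigned long *addr, unsigned long size)
{
    for (unsigned long idx = 0; idx * BITS_PER_LONG < size; idx++) {
        if (addr[idx]) {
            unsigned long bit = idx * BITS_PER_LONG +
                                (unsigned long)__builtin_ctzl(addr[idx]);
            return bit < size ? bit : size;
        }
    }
    return size;
}

/* How many bytes the word-oriented walker touches for an nbits-wide bitmap.
 * For nbits == 32 this is sizeof(unsigned long), i.e. 8 on x86_64: the
 * "Read of size 8" in the KASAN report. */
size_t bitmap_bytes_read(unsigned long nbits)
{
    return BITS_TO_LONGS(nbits) * sizeof(unsigned long);
}

/* Reviewer's check: does the walker read past the object handed to it?
 * Returns 1 for the flagged pattern (4-byte object, 32-bit bitmap) on LP64. */
int walker_overruns_object(size_t object_size, unsigned long nbits)
{
    return bitmap_bytes_read(nbits) > object_size;
}

/* Model of the frame KASAN described: a 4-byte 'avail_cpuid_events' and
 * whatever the compiler laid out right after it. The 8-byte read pulls in the
 * neighbour's bytes, so a stray set bit there produces a bogus index >= 32.
 * Assumption: little-endian layout, as on the x86_64 test machine. */
struct frame_model {
    uint32_t avail_cpuid_events;   /* the [48, 52) object in the report */
    uint32_t neighbour;            /* bytes 52..55 of the frame */
};

unsigned long first_bit_via_overread(uint32_t mask, uint32_t neighbour)
{
    struct frame_model f = { mask, neighbour };
    unsigned long word;
    /* Copy exactly the bytes a whole-word walker reads from &f.avail_cpuid_events. */
    memcpy(&word, &f, sizeof(word) < sizeof(f) ? sizeof(word) : sizeof(f));
    return find_first_bit_words(&word, BITS_PER_LONG);
}

/* Width-correct form: give the bitmap unsigned long storage, widen the 32-bit
 * CPUID field into it, and pass the real bit count. The walker now stays
 * inside the object and a neighbour's bit cannot leak into the result. */
unsigned long first_bit_from_cpuid_field(uint32_t field)
{
    DECLARE_BITMAP(avail_cpuid_events, 32);
    memset(avail_cpuid_events, 0, sizeof(avail_cpuid_events));
    avail_cpuid_events[0] = field;
    return find_first_bit_words(avail_cpuid_events, 32);
}

int main(void)
{
    printf("walker reads %zu bytes for a 32-bit bitmap; the object is %zu bytes\n",
           bitmap_bytes_read(32), sizeof(uint32_t));
    printf("over-read with mask=0, neighbour=1 -> bit %lu (bogus, >= 32)\n",
           first_bit_via_overread(0, 1));
    printf("fixed form with field=0 -> bit %lu (== 32 means none set)\n",
           first_bit_from_cpuid_field(0));
    return 0;
}
```

The takeaway for review: any time a `find_*_bit()`, `bitmap_*()` or `for_each_set_bit()` call takes the address of a `u32`, `u16` or a `u8` array rather than an `unsigned long`-based bitmap, the read width is wrong on 64-bit targets regardless of the `size` argument; declare the storage with DECLARE_BITMAP (or as `unsigned long`) and widen the hardware field into it.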
