| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20211203034105.GD5881@xsang-OptiPlex-9020>
Date: Fri, 3 Dec 2021 11:41:05 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Stefan Roesch <shr@...com>
Cc: 0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
lkp@...ts.01.org, io-uring@...r.kernel.org,
linux-fsdevel@...r.kernel.org, kernel-team@...com, shr@...com
Subject: [fs] 196bdb1966: WARNING:at_mm/util.c:#kvmalloc_node
Greeting,
FYI, we noticed the following commit (built with gcc-9):
commit: 196bdb1966d10c48b5a747318d1d19d9f8d809f6 ("[PATCH v2 3/5] fs: split off do_getxattr from getxattr")
url: https://github.com/0day-ci/linux/commits/Stefan-Roesch/io_uring-add-xattr-support/20211201-135318
patch link: https://lore.kernel.org/io-uring/20211201055144.3141001-4-shr@fb.com
in testcase: trinity
version: trinity-static-i386-x86_64-f93256fb_2019-08-28
with following parameters:
runtime: 300s
test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/
on test machine: qemu-system-i386 -enable-kvm -cpu SandyBridge -smp 2 -m 4G
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>
[ 202.127315][ T750] WARNING: CPU: 1 PID: 750 at mm/util.c:597 kvmalloc_node (mm/util.c:597 (discriminator 1))
[ 202.128248][ T750] Modules linked in:
[ 202.128673][ T750] CPU: 1 PID: 750 Comm: trinity-c1 Not tainted 5.16.0-rc3-00093-g196bdb1966d1 #1
[ 202.129745][ T750] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 202.132511][ T750] EIP: kvmalloc_node (mm/util.c:597 (discriminator 1))
[ 202.133075][ T750] Code: c7 83 c4 0c 8d 65 f4 5b 89 f8 5e 5f 5d c3 8d 74 26 00 89 da 89 f0 e8 7f 57 05 00 89 c7 8d 65 f4 89 f8 5b 5e 5f 5d c3 8d 76 00 <0f> 0b 6a 00 b8 48 6d df c2 31 c9 ba 01 00 00 00 e8 fb 18 f4 ff 58
All code
========
0: c7 83 c4 0c 8d 65 f4 movl $0xf8895bf4,0x658d0cc4(%rbx)
7: 5b 89 f8
a: 5e pop %rsi
b: 5f pop %rdi
c: 5d pop %rbp
d: c3 retq
e: 8d 74 26 00 lea 0x0(%rsi,%riz,1),%esi
12: 89 da mov %ebx,%edx
14: 89 f0 mov %esi,%eax
16: e8 7f 57 05 00 callq 0x5579a
1b: 89 c7 mov %eax,%edi
1d: 8d 65 f4 lea -0xc(%rbp),%esp
20: 89 f8 mov %edi,%eax
22: 5b pop %rbx
23: 5e pop %rsi
24: 5f pop %rdi
25: 5d pop %rbp
26: c3 retq
27: 8d 76 00 lea 0x0(%rsi),%esi
2a:* 0f 0b ud2 <-- trapping instruction
2c: 6a 00 pushq $0x0
2e: b8 48 6d df c2 mov $0xc2df6d48,%eax
33: 31 c9 xor %ecx,%ecx
35: ba 01 00 00 00 mov $0x1,%edx
3a: e8 fb 18 f4 ff callq 0xfffffffffff4193a
3f: 58 pop %rax
Code starting with the faulting instruction
===========================================
0: 0f 0b ud2
2: 6a 00 pushq $0x0
4: b8 48 6d df c2 mov $0xc2df6d48,%eax
9: 31 c9 xor %ecx,%ecx
b: ba 01 00 00 00 mov $0x1,%edx
10: e8 fb 18 f4 ff callq 0xfffffffffff41910
15: 58 pop %rax
[ 202.135919][ T750] EAX: 00000000 EBX: 00000dc0 ECX: 00000000 EDX: 00000000
[ 202.136621][ T750] ESI: fffffffe EDI: 00000000 EBP: f4103de0 ESP: f4103dd0
[ 202.137271][ T750] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00010282
[ 202.137823][ T750] CR0: 80050033 CR2: b7532000 CR3: 05901000 CR4: 00040690
[ 202.138363][ T750] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 202.138943][ T750] DR6: fffe0ff0 DR7: 00000400
[ 202.139414][ T750] Call Trace:
[ 202.139769][ T750] do_getxattr (include/linux/slab.h:741 include/linux/slab.h:749 fs/xattr.c:679)
[ 202.140257][ T750] getxattr (fs/xattr.c:715)
[ 202.140975][ T750] ? check_preemption_disabled (lib/smp_processor_id.c:16)
[ 202.141838][ T750] ? free_unref_page (mm/page_alloc.c:3409 (discriminator 1))
[ 202.142409][ T750] ? __this_cpu_preempt_check (lib/smp_processor_id.c:67)
[ 202.142988][ T750] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4356)
[ 202.143549][ T750] ? free_unref_page (mm/page_alloc.c:3409 (discriminator 1))
[ 202.144130][ T750] ? free_unref_page (mm/page_alloc.c:3409 (discriminator 3))
[ 202.144682][ T750] ? __free_pages (mm/page_alloc.c:5458)
[ 202.145195][ T750] ? slob_free_pages (mm/slob.c:220)
[ 202.145756][ T750] ? __kmem_cache_free (mm/slob.c:656)
[ 202.146299][ T750] ? kmem_cache_free (mm/slob.c:678)
[ 202.147340][ T750] ? putname (fs/namei.c:271)
[ 202.147932][ T750] ? user_path_at_empty (fs/namei.c:2811)
[ 202.149489][ T750] path_getxattr (fs/xattr.c:728)
[ 202.150497][ T750] __ia32_sys_lgetxattr (fs/xattr.c:743)
[ 202.151682][ T750] __do_fast_syscall_32 (arch/x86/entry/common.c:112 arch/x86/entry/common.c:178)
[ 202.152771][ T750] ? __do_fast_syscall_32 (arch/x86/entry/common.c:183)
[ 202.154069][ T750] ? __do_fast_syscall_32 (arch/x86/entry/common.c:183)
[ 202.155250][ T750] ? irqentry_exit_to_user_mode (kernel/entry/common.c:316)
[ 202.156934][ T750] ? irqentry_exit (kernel/entry/common.c:441)
[ 202.158066][ T750] do_fast_syscall_32 (arch/x86/entry/common.c:203)
[ 202.159216][ T750] do_SYSENTER_32 (arch/x86/entry/common.c:247)
[ 202.159761][ T750] entry_SYSENTER_32 (arch/x86/entry/entry_32.S:872)
[ 202.160133][ T750] EIP: 0xb7fd7549
[ 202.160647][ T750] Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90 8d 76
All code
========
0: 03 74 c0 01 add 0x1(%rax,%rax,8),%esi
4: 10 05 03 74 b8 01 adc %al,0x1b87403(%rip) # 0x1b8740d
a: 10 06 adc %al,(%rsi)
c: 03 74 b4 01 add 0x1(%rsp,%rsi,4),%esi
10: 10 07 adc %al,(%rdi)
12: 03 74 b0 01 add 0x1(%rax,%rsi,4),%esi
16: 10 08 adc %cl,(%rax)
18: 03 74 d8 01 add 0x1(%rax,%rbx,8),%esi
1c: 00 00 add %al,(%rax)
1e: 00 00 add %al,(%rax)
20: 00 51 52 add %dl,0x52(%rcx)
23: 55 push %rbp
24: 89 e5 mov %esp,%ebp
26: 0f 34 sysenter
28: cd 80 int $0x80
2a:* 5d pop %rbp <-- trapping instruction
2b: 5a pop %rdx
2c: 59 pop %rcx
2d: c3 retq
2e: 90 nop
2f: 90 nop
30: 90 nop
31: 90 nop
32: 8d 76 00 lea 0x0(%rsi),%esi
35: 58 pop %rax
36: b8 77 00 00 00 mov $0x77,%eax
3b: cd 80 int $0x80
3d: 90 nop
3e: 8d .byte 0x8d
3f: 76 .byte 0x76
Code starting with the faulting instruction
===========================================
0: 5d pop %rbp
1: 5a pop %rdx
2: 59 pop %rcx
3: c3 retq
4: 90 nop
5: 90 nop
6: 90 nop
7: 90 nop
8: 8d 76 00 lea 0x0(%rsi),%esi
b: 58 pop %rax
c: b8 77 00 00 00 mov $0x77,%eax
11: cd 80 int $0x80
13: 90 nop
14: 8d .byte 0x8d
15: 76 .byte 0x76
To reproduce:
# build kernel
cd linux
cp config-5.16.0-rc3-00093-g196bdb1966d1 .config
make HOSTCC=gcc-9 CC=gcc-9 ARCH=i386 olddefconfig prepare modules_prepare bzImage modules
make HOSTCC=gcc-9 CC=gcc-9 ARCH=i386 INSTALL_MOD_PATH=<mod-install-dir> modules_install
cd <mod-install-dir>
find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email
# if come across any failure that blocks the test,
# please remove ~/.lkp and /lkp dir to run from a clean state.
---
0DAY/LKP+ Test Infrastructure Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org Intel Corporation
Thanks,
Oliver Sang
View attachment "config-5.16.0-rc3-00093-g196bdb1966d1" of type "text/plain" (136589 bytes)
View attachment "job-script" of type "text/plain" (4519 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (21200 bytes)
View attachment "trinity" of type "text/plain" (6921 bytes)
Powered by blists - more mailing lists