Message-ID: <20211215145554.GC34913@xsang-OptiPlex-9020>
Date:   Wed, 15 Dec 2021 22:55:54 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Tejun Heo <tj@...nel.org>
Cc:     "Eric W. Biederman" <ebiederm@...ssion.com>,
        Linus Torvalds <torvalds@...uxfoundation.org>,
        Michal Koutný <mkoutny@...e.com>,
        LKML <linux-kernel@...r.kernel.org>, cgroups@...r.kernel.org,
        lkp@...ts.01.org, lkp@...el.com
Subject: [cgroup]  26b1b4f9c8:
 WARNING:at_lib/refcount.c:#refcount_warn_saturate



Greeting,

FYI, we noticed the following commit (built with gcc-9):

commit: 26b1b4f9c86e294d1e9b07478d725412601e804d ("cgroup: Use open-time cgroup namespace for process migration perm checks")
https://git.kernel.org/cgit/linux/kernel/git/tj/cgroup.git review-migration-perms

in testcase: boot

on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):



If you fix the issue, kindly add the following tag:
Reported-by: kernel test robot <oliver.sang@...el.com>


[ 7.207892][ T1] WARNING: CPU: 0 PID: 1 at lib/refcount.c:28 refcount_warn_saturate (lib/refcount.c:28 (discriminator 3)) 
[    7.208794][    T1] Modules linked in: ip_tables
[    7.209281][    T1] CPU: 0 PID: 1 Comm: systemd Not tainted 5.16.0-rc4-00166-g26b1b4f9c86e #1
[    7.210135][    T1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 7.211044][ T1] RIP: 0010:refcount_warn_saturate (lib/refcount.c:28 (discriminator 3)) 
[ 7.211638][ T1] Code: 05 4d 42 77 01 01 e8 4a 5e 65 00 0f 0b c3 80 3d 3b 42 77 01 00 75 95 48 c7 c7 a0 6f ba 8f c6 05 2b 42 77 01 01 e8 2b 5e 65 00 <0f> 0b c3 80 3d 1a 42 77 01 00 0f 85 72 ff ff ff 48 c7 c7 f8 6f ba
All code
========
   0:	05 4d 42 77 01       	add    $0x177424d,%eax
   5:	01 e8                	add    %ebp,%eax
   7:	4a 5e                	rex.WX pop %rsi
   9:	65 00 0f             	add    %cl,%gs:(%rdi)
   c:	0b c3                	or     %ebx,%eax
   e:	80 3d 3b 42 77 01 00 	cmpb   $0x0,0x177423b(%rip)        # 0x1774250
  15:	75 95                	jne    0xffffffffffffffac
  17:	48 c7 c7 a0 6f ba 8f 	mov    $0xffffffff8fba6fa0,%rdi
  1e:	c6 05 2b 42 77 01 01 	movb   $0x1,0x177422b(%rip)        # 0x1774250
  25:	e8 2b 5e 65 00       	callq  0x655e55
  2a:*	0f 0b                	ud2    		<-- trapping instruction
  2c:	c3                   	retq   
  2d:	80 3d 1a 42 77 01 00 	cmpb   $0x0,0x177421a(%rip)        # 0x177424e
  34:	0f 85 72 ff ff ff    	jne    0xffffffffffffffac
  3a:	48                   	rex.W
  3b:	c7                   	.byte 0xc7
  3c:	c7                   	.byte 0xc7
  3d:	f8                   	clc    
  3e:	6f                   	outsl  %ds:(%rsi),(%dx)
  3f:	ba                   	.byte 0xba

Code starting with the faulting instruction
===========================================
   0:	0f 0b                	ud2    
   2:	c3                   	retq   
   3:	80 3d 1a 42 77 01 00 	cmpb   $0x0,0x177421a(%rip)        # 0x1774224
   a:	0f 85 72 ff ff ff    	jne    0xffffffffffffff82
  10:	48                   	rex.W
  11:	c7                   	.byte 0xc7
  12:	c7                   	.byte 0xc7
  13:	f8                   	clc    
  14:	6f                   	outsl  %ds:(%rsi),(%dx)
  15:	ba                   	.byte 0xba
[    7.213432][    T1] RSP: 0018:ffffb7be40013e48 EFLAGS: 00010286
[    7.214142][    T1] RAX: 0000000000000000 RBX: ffff9677729f9200 RCX: c0000000ffff7fff
[    7.214995][    T1] RDX: ffffb7be40013c70 RSI: 00000000ffff7fff RDI: 0000000000000000
[    7.215825][    T1] RBP: ffff9678fafafa80 R08: 0000000000000000 R09: ffffb7be40013c68
[    7.216687][    T1] R10: 0000000000000001 R11: 0000000000000001 R12: ffff96777297c500
[    7.217499][    T1] R13: ffff9678fafaf540 R14: ffff96776f912600 R15: ffff967740290000
[    7.218309][    T1] FS:  0000000000000000(0000) GS:ffff967a6fc00000(0063) knlGS:00000000f77736c0
[    7.219217][    T1] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[    7.219876][    T1] CR2: 0000000057b5f724 CR3: 0000000100066000 CR4: 00000000000406f0
[    7.220694][    T1] Call Trace:
[    7.221066][    T1]  <TASK>
[ 7.221400][ T1] cgroup_file_release (include/linux/refcount.h:283 include/linux/refcount.h:315 include/linux/refcount.h:333 include/linux/cgroup.h:889 include/linux/cgroup.h:887 kernel/cgroup/cgroup.c:3848) 
[ 7.221926][ T1] kernfs_fop_release (fs/kernfs/file.c:745 fs/kernfs/file.c:726 fs/kernfs/file.c:756) 
[ 7.222474][ T1] __fput (fs/file_table.c:281) 
[ 7.222899][ T1] task_work_run (kernel/task_work.c:166 (discriminator 1)) 
[ 7.223358][ T1] exit_to_user_mode_prepare (include/linux/tracehook.h:189 kernel/entry/common.c:175 kernel/entry/common.c:207) 
[ 7.223964][ T1] syscall_exit_to_user_mode (arch/x86/include/asm/jump_label.h:27 include/linux/context_tracking_state.h:31 include/linux/context_tracking.h:40 kernel/entry/common.c:130 kernel/entry/common.c:302) 
[ 7.224555][ T1] __do_fast_syscall_32 (arch/x86/entry/common.c:183) 
[ 7.225089][ T1] do_fast_syscall_32 (arch/x86/entry/common.c:203) 
[ 7.225601][ T1] entry_SYSENTER_compat_after_hwframe (arch/x86/entry/entry_64_compat.S:141) 
[    7.226222][    T1] RIP: 0023:0xf7edf549
[ 7.226687][ T1] Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
All code
========
   0:	03 74 c0 01          	add    0x1(%rax,%rax,8),%esi
   4:	10 05 03 74 b8 01    	adc    %al,0x1b87403(%rip)        # 0x1b8740d
   a:	10 06                	adc    %al,(%rsi)
   c:	03 74 b4 01          	add    0x1(%rsp,%rsi,4),%esi
  10:	10 07                	adc    %al,(%rdi)
  12:	03 74 b0 01          	add    0x1(%rax,%rsi,4),%esi
  16:	10 08                	adc    %cl,(%rax)
  18:	03 74 d8 01          	add    0x1(%rax,%rbx,8),%esi
  1c:	00 00                	add    %al,(%rax)
  1e:	00 00                	add    %al,(%rax)
  20:	00 51 52             	add    %dl,0x52(%rcx)
  23:	55                   	push   %rbp
  24:	89 e5                	mov    %esp,%ebp
  26:	0f 34                	sysenter 
  28:	cd 80                	int    $0x80
  2a:*	5d                   	pop    %rbp		<-- trapping instruction
  2b:	5a                   	pop    %rdx
  2c:	59                   	pop    %rcx
  2d:	c3                   	retq   
  2e:	90                   	nop
  2f:	90                   	nop
  30:	90                   	nop
  31:	90                   	nop
  32:	8d b4 26 00 00 00 00 	lea    0x0(%rsi,%riz,1),%esi
  39:	8d b4 26 00 00 00 00 	lea    0x0(%rsi,%riz,1),%esi

Code starting with the faulting instruction
===========================================
   0:	5d                   	pop    %rbp
   1:	5a                   	pop    %rdx
   2:	59                   	pop    %rcx
   3:	c3                   	retq   
   4:	90                   	nop
   5:	90                   	nop
   6:	90                   	nop
   7:	90                   	nop
   8:	8d b4 26 00 00 00 00 	lea    0x0(%rsi,%riz,1),%esi
   f:	8d b4 26 00 00 00 00 	lea    0x0(%rsi,%riz,1),%esi
[    7.228546][    T1] RSP: 002b:00000000ffaebba8 EFLAGS: 00000206 ORIG_RAX: 0000000000000006
[    7.229383][    T1] RAX: 0000000000000000 RBX: 000000000000001e RCX: 0000000000000660
[    7.230197][    T1] RDX: 00000000f7b70300 RSI: 00000000f7b70960 RDI: 0000000000000000
[    7.231031][    T1] RBP: 00000000f7b72000 R08: 0000000000000000 R09: 0000000000000000
[    7.231848][    T1] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[    7.232663][    T1] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[    7.233526][    T1]  </TASK>
[    7.233888][    T1] ---[ end trace 41a8ced2c1edd838 ]---
[    7.251575][    T1] list_add corruption. next->prev should be prev (ffff96777261ab38), but was 0000000000000000. (next=ffff9677724c5da0).
[    7.252805][    T1] ------------[ cut here ]------------


To reproduce:

        # build kernel
	cd linux
	cp config-5.16.0-rc4-00166-g26b1b4f9c86e .config
	make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
	make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
	cd <mod-install-dir>
	find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz


        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

        # if you come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.



---
0DAY/LKP+ Test Infrastructure                   Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org       Intel Corporation

Thanks,
Oliver Sang


View attachment "config-5.16.0-rc4-00166-g26b1b4f9c86e" of type "text/plain" (173551 bytes)

View attachment "job-script" of type "text/plain" (4624 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (13232 bytes)
