Date:   Mon, 28 Feb 2022 12:52:48 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Yu Kuai <yukuai3@...wei.com>
Cc:     lkp@...ts.01.org, lkp@...el.com,
        LKML <linux-kernel@...r.kernel.org>
Subject: [block]  950a69daae:
 BUG:KASAN:use-after-free_in_throtl_pending_timer_fn


Greetings,

FYI, we noticed the following commit (built with gcc-9):

commit: 950a69daaecf6a7149cb245ca9291c0b68957e83 ("block: cancel all throttled bios in del_gendisk()")
linux-devel devel-catchup-20220228-041508

in testcase: xfstests
version: xfstests-x86_64-1de1db8-1_20220217
with following parameters:

	disk: 4HDD
	fs: xfs
	test: xfs-group-05
	ucode: 0x21

test-description: xfstests is a regression test suite for xfs and other filesystems.
test-url: git://git.kernel.org/pub/scm/fs/xfs/xfstests-dev.git


on test machine: 4 threads 1 sockets Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz with 8G memory

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):



If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>


[ 114.399742][ C3] BUG: KASAN: use-after-free in throtl_pending_timer_fn (block/blk-throttle.c:1141) 
[  114.407689][    C3] Read of size 8 at addr ffff8881014a6078 by task systemd-udevd/176
[  114.415638][    C3]
[  114.417871][    C3] CPU: 3 PID: 176 Comm: systemd-udevd Not tainted 5.17.0-rc2-00081-g950a69daaecf #1
[  114.427224][    C3] Hardware name: Hewlett-Packard HP Pro 3340 MT/17A1, BIOS 8.07 01/24/2013
[  114.435764][    C3] Call Trace:
[  114.438922][    C3]  <IRQ>
[ 114.441683][ C3] dump_stack_lvl (lib/dump_stack.c:107) 
[ 114.446097][ C3] print_address_description+0x21/0x180 
[ 114.452599][ C3] ? throtl_pending_timer_fn (block/blk-throttle.c:1141) 
[ 114.458144][ C3] kasan_report.cold (mm/kasan/report.c:443 mm/kasan/report.c:459) 
[ 114.462890][ C3] ? update_rq_clock (kernel/sched/core.c:691 kernel/sched/core.c:679) 
[ 114.467643][ C3] ? throtl_pending_timer_fn (block/blk-throttle.c:1141) 
[ 114.473193][ C3] throtl_pending_timer_fn (block/blk-throttle.c:1141) 
[ 114.478563][ C3] ? throtl_pd_offline (block/blk-throttle.c:1137) 
[ 114.483573][ C3] call_timer_fn (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/timer.h:125 kernel/time/timer.c:1422) 
[ 114.487992][ C3] run_timer_softirq (kernel/time/timer.c:1467 kernel/time/timer.c:1734 kernel/time/timer.c:1710 kernel/time/timer.c:1747) 
[ 114.492940][ C3] ? trace_event_raw_event_hrtimer_start (kernel/time/timer.c:1744) 
[ 114.499537][ C3] ? __next_base (kernel/time/hrtimer.c:506) 
[ 114.504054][ C3] ? sched_clock_cpu (kernel/sched/clock.c:371) 
[ 114.508814][ C3] ? setup_local_APIC (arch/x86/kernel/apic/apic.c:475) 
[ 114.513749][ C3] __do_softirq (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/irq.h:142 kernel/softirq.c:559) 
[ 114.518205][ C3] irq_exit_rcu (kernel/softirq.c:432 kernel/softirq.c:637 kernel/softirq.c:649) 
[ 114.522609][ C3] sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1097 (discriminator 14)) 
[  114.528171][    C3]  </IRQ>
[  114.531013][    C3]  <TASK>
[ 114.533856][ C3] asm_sysvec_apic_timer_interrupt (arch/x86/include/asm/idtentry.h:638) 
[ 114.539722][ C3] RIP: 0010:call_rcu (kernel/rcu/tree.c:3105) 
[ 114.544680][ C3] Code: 02 00 0f 85 47 0b 00 00 48 8b 05 d8 2b 5b 03 49 03 87 f0 00 00 00 49 39 c5 0f 8f ea 04 00 00 fb 48 b8 00 00 00 00 00 fc ff df <48> c7 04 03 00 00 00 00 48 8b 84 24 88 00 00 00 65 48 33 04 25 28
All code
========
   0:	02 00                	add    (%rax),%al
   2:	0f 85 47 0b 00 00    	jne    0xb4f
   8:	48 8b 05 d8 2b 5b 03 	mov    0x35b2bd8(%rip),%rax        # 0x35b2be7
   f:	49 03 87 f0 00 00 00 	add    0xf0(%r15),%rax
  16:	49 39 c5             	cmp    %rax,%r13
  19:	0f 8f ea 04 00 00    	jg     0x509
  1f:	fb                   	sti    
  20:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  27:	fc ff df 
  2a:*	48 c7 04 03 00 00 00 	movq   $0x0,(%rbx,%rax,1)		<-- trapping instruction
  31:	00 
  32:	48 8b 84 24 88 00 00 	mov    0x88(%rsp),%rax
  39:	00 
  3a:	65                   	gs
  3b:	48                   	rex.W
  3c:	33                   	.byte 0x33
  3d:	04 25                	add    $0x25,%al
  3f:	28                   	.byte 0x28

Code starting with the faulting instruction
===========================================
   0:	48 c7 04 03 00 00 00 	movq   $0x0,(%rbx,%rax,1)
   7:	00 
   8:	48 8b 84 24 88 00 00 	mov    0x88(%rsp),%rax
   f:	00 
  10:	65                   	gs
  11:	48                   	rex.W
  12:	33                   	.byte 0x33
  13:	04 25                	add    $0x25,%al
  15:	28                   	.byte 0x28
[  114.564349][    C3] RSP: 0018:ffffc90000637cd0 EFLAGS: 00000287
[  114.570370][    C3] RAX: dffffc0000000000 RBX: 1ffff920000c6fa0 RCX: ffffffff81350c19
[  114.578304][    C3] RDX: 1ffff11035037166 RSI: 0000000000000008 RDI: ffff8881a81b8b00
[  114.586259][    C3] RBP: ffff888211d1d9b0 R08: 0000000000000001 R09: ffff8881a81b8b00
[  114.594210][    C3] R10: ffff8881a81b8b07 R11: ffffed1035037160 R12: ffff8881a81b8b30
[  114.602148][    C3] R13: 000000000000001f R14: ffff8881a81b8ab8 R15: ffff8881a81b8a40
[ 114.610093][ C3] ? call_rcu (arch/x86/include/asm/atomic64_64.h:22 include/linux/atomic/atomic-long.h:29 include/linux/atomic/atomic-instrumented.h:1266 kernel/rcu/rcu_segcblist.h:50 kernel/rcu/tree.c:2928 kernel/rcu/tree.c:3059 kernel/rcu/tree.c:3106) 
[ 114.614422][ C3] ? rcu_implicit_dynticks_qs (kernel/rcu/tree.c:3105) 
[ 114.620054][ C3] ? _raw_spin_lock (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:82 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154) 
[ 114.624715][ C3] ? _raw_spin_lock_bh (kernel/locking/spinlock.c:153) 
[ 114.629760][ C3] ? ___d_drop (arch/x86/include/asm/bitops.h:94 arch/x86/include/asm/bitops.h:113 include/asm-generic/bitops/instrumented-lock.h:43 include/linux/bit_spinlock.h:80 include/linux/list_bl.h:153 fs/dcache.c:501) 
[ 114.634069][ C3] __dentry_kill (fs/dcache.c:622) 
[ 114.638556][ C3] dput (fs/dcache.c:746 fs/dcache.c:913) 
[ 114.642283][ C3] do_unlinkat (fs/namei.c:4223) 
[ 114.646604][ C3] ? __x64_sys_rmdir (fs/namei.c:4179) 
[ 114.651317][ C3] ? __check_object_size (mm/usercopy.c:241 mm/usercopy.c:287 mm/usercopy.c:257) 
[ 114.656558][ C3] ? getname_flags (fs/namei.c:149 fs/namei.c:128) 
[ 114.661179][ C3] __x64_sys_unlink (fs/namei.c:4264) 
[ 114.665778][ C3] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) 
[ 114.670129][ C3] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113) 
[  114.675918][    C3] RIP: 0033:0x7f3ccc633fc7
[ 114.680227][ C3] Code: f0 ff ff 73 01 c3 48 8b 0d c6 ee 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 99 ee 0c 00 f7 d8 64 89 01 48
All code
========
   0:	f0 ff                	lock (bad) 
   2:	ff 73 01             	pushq  0x1(%rbx)
   5:	c3                   	retq   
   6:	48 8b 0d c6 ee 0c 00 	mov    0xceec6(%rip),%rcx        # 0xceed3
   d:	f7 d8                	neg    %eax
   f:	64 89 01             	mov    %eax,%fs:(%rcx)
  12:	48 83 c8 ff          	or     $0xffffffffffffffff,%rax
  16:	c3                   	retq   
  17:	66 2e 0f 1f 84 00 00 	nopw   %cs:0x0(%rax,%rax,1)
  1e:	00 00 00 
  21:	66 90                	xchg   %ax,%ax
  23:	b8 57 00 00 00       	mov    $0x57,%eax
  28:	0f 05                	syscall 
  2a:*	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax		<-- trapping instruction
  30:	73 01                	jae    0x33
  32:	c3                   	retq   
  33:	48 8b 0d 99 ee 0c 00 	mov    0xcee99(%rip),%rcx        # 0xceed3
  3a:	f7 d8                	neg    %eax
  3c:	64 89 01             	mov    %eax,%fs:(%rcx)
  3f:	48                   	rex.W

Code starting with the faulting instruction
===========================================
   0:	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax
   6:	73 01                	jae    0x9
   8:	c3                   	retq   
   9:	48 8b 0d 99 ee 0c 00 	mov    0xcee99(%rip),%rcx        # 0xceea9
  10:	f7 d8                	neg    %eax
  12:	64 89 01             	mov    %eax,%fs:(%rcx)
  15:	48                   	rex.W


To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        sudo bin/lkp install job.yaml           # job file is attached in this email
        bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
        sudo bin/lkp run generated-yaml-file

        # if you come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.



---
0DAY/LKP+ Test Infrastructure                   Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org       Intel Corporation

Thanks,
Oliver Sang


View attachment "config-5.17.0-rc2-00081-g950a69daaecf" of type "text/plain" (166407 bytes)

View attachment "job-script" of type "text/plain" (5845 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (8844 bytes)

View attachment "xfstests" of type "text/plain" (1249 bytes)

View attachment "job.yaml" of type "text/plain" (4898 bytes)

View attachment "reproduce" of type "text/plain" (925 bytes)
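The two "All code" listings in the report are what the kernel's scripts/decodecode produces from a `Code:` line: the 64 bytes around RIP, with the byte at RIP wrapped in `<..>`. The script below, an added example that is not part of the robot's report or of the lkp-tests project, parses the `Code:` line quoted from the `RIP: call_rcu` frame above, reproduces that marking with objdump when it is installed, and converts between KASAN shadow and real addresses. It also illustrates a point a reader of this report should check: the `<TASK>` part of the trace is the context that the timer interrupt landed in (dput → __dentry_kill → call_rcu during an unlink), not the faulting access. Taking the registers from the dump, `(%rbx,%rax,1)` with RAX = dffffc0000000000 and RBX = 1ffff920000c6fa0 resolves to a KASAN shadow byte for 0xffffc90000637d00, which is 0x30 above RSP, i.e. call_rcu unpoisoning its own stack frame. The real use-after-free is the 8-byte read in throtl_pending_timer_fn (block/blk-throttle.c:1141) in softirq context. The shadow offset 0xdffffc0000000000 is the standard x86-64 generic KASAN value and matches RAX here, but the attached config is not visible on this page, so treat it as an assumption; the `objdump` binary name is likewise assumed.

```python
"""Decode the `Code:` line and KASAN addresses from an x86-64 oops/KASAN report.

Added example; not code from the report above or from the lkp-tests project.
"""
import re
import shutil
import subprocess
import tempfile

MASK64 = 0xFFFFFFFFFFFFFFFF

# Copied from the `RIP: 0010:call_rcu` frame of the report above.
CODE_LINE = (
    "Code: 02 00 0f 85 47 0b 00 00 48 8b 05 d8 2b 5b 03 49 03 87 f0 00 00 00 "
    "49 39 c5 0f 8f ea 04 00 00 fb 48 b8 00 00 00 00 00 fc ff df <48> c7 04 03 "
    "00 00 00 00 48 8b 84 24 88 00 00 00 65 48 33 04 25 28"
)

# Assumption: x86-64 generic KASAN, shadow = (addr >> 3) + KASAN_SHADOW_OFFSET.
# The constant matches RAX in the register dump, but the attached config is
# not visible here.
KASAN_SHADOW_OFFSET = 0xDFFFFC0000000000


def parse_code_line(line):
    """Return (code_bytes, fault_offset) from a `Code: .. <xx> ..` line.

    The kernel dumps the bytes around RIP and marks the byte at RIP with <..>;
    the returned offset is the index of that byte within the dump.
    """
    m = re.search(r"Code:\s*(.*)$", line)
    if not m:
        raise ValueError("no Code: line found")
    code = bytearray()
    fault = None
    for tok in m.group(1).split():
        if tok.startswith("<") and tok.endswith(">"):
            fault = len(code)
            tok = tok[1:-1]
        code.append(int(tok, 16))
    if fault is None:
        raise ValueError("Code: line has no <..> marker")
    return bytes(code), fault


def disassemble(code, fault, objdump="objdump"):
    """Disassemble the dump like scripts/decodecode does and tag the trapping
    instruction. Returns None if objdump (assumed binary name) is unavailable.
    """
    if shutil.which(objdump) is None:
        return None
    with tempfile.NamedTemporaryFile(suffix=".bin") as f:
        f.write(code)
        f.flush()
        out = subprocess.run(
            [objdump, "-D", "-b", "binary", "-m", "i386:x86-64", f.name],
            capture_output=True, text=True, check=True,
        ).stdout
    lines = []
    for ln in out.splitlines():
        mm = re.match(r"\s*([0-9a-f]+):\t", ln)
        if not mm:
            continue  # skip objdump's file header lines
        if int(mm.group(1), 16) == fault:
            ln += "\t\t<-- trapping instruction"
        lines.append(ln)
    return lines


def effective_address(base, index, scale=1):
    """x86 `(base,index,scale)` operand address, modulo 2^64."""
    return (base + index * scale) & MASK64


def kasan_addr_to_shadow(addr):
    """Kernel address -> KASAN shadow byte address."""
    return ((addr >> 3) + KASAN_SHADOW_OFFSET) & MASK64


def kasan_shadow_to_addr(shadow):
    """KASAN shadow byte address -> first kernel address it covers."""
    return (((shadow - KASAN_SHADOW_OFFSET) & MASK64) << 3) & MASK64


if __name__ == "__main__":
    code, fault = parse_code_line(CODE_LINE)
    print(f"{len(code)} bytes, trapping instruction at offset {fault:#x}")
    for ln in disassemble(code, fault) or ["(objdump not found; skipping disassembly)"]:
        print(ln)
    # Registers from the `RIP: call_rcu` frame of the report.
    rax, rbx, rsp = 0xDFFFFC0000000000, 0x1FFFF920000C6FA0, 0xFFFFC90000637CD0
    target = effective_address(rbx, rax)
    covered = kasan_shadow_to_addr(target)
    print(f"movq $0,(%rbx,%rax,1) writes shadow {target:#x} "
          f"covering {covered:#x} (RSP+{covered - rsp:#x}): stack unpoisoning, not the UAF")
    # The UAF read address from the first line of the report.
    print(f"shadow for ffff8881014a6078: {kasan_addr_to_shadow(0xFFFF8881014A6078):#x}")
```

Run it with `python3 decode_oops.py`; when objdump is installed the output reproduces the "All code" listing from the report with the `<-- trapping instruction` marker on the `movq $0x0,(%rbx,%rax,1)` line. The shadow conversion is the same arithmetic KASAN uses, so it can be applied to any `Read of size N at addr ...` line to find which shadow byte the report was looking at.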
