Date:   Mon, 28 Mar 2022 14:50:43 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Eric Dumazet <edumazet@...gle.com>
Cc:     Jakub Kicinski <kuba@...nel.org>,
        赵子轩 <beraphin@...il.com>,
        Stoyan Manolov <smanolov@...e.de>,
        LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org,
        lkp@...el.com
Subject: [llc]  764f4eb684: canonical_address#:#[##]

Greetings,

FYI, we noticed the following commit (built with gcc-9):

commit: 764f4eb6846f5475f1244767d24d25dd86528a4a ("llc: fix netdevice reference leaks in llc_ui_bind()")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master

in testcase: trinity
version: trinity-static-x86_64-x86_64-1c734c75-1_2020-01-06
with the following parameters:

	runtime: 300s

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):



If you fix the issue, kindly add the following tag:
Reported-by: kernel test robot <oliver.sang@...el.com>


[   75.521971][ T1314] WARNING: The mand mount option has been deprecated and
[   75.521971][ T1314]          and is ignored by this kernel. Remove the mand
[   75.521971][ T1314]          option from the mount to silence this warning.
[   75.521971][ T1314] =======================================================
[   78.959259][ T1387] can: request_module (can-proto-2) failed.
[   80.594912][ T1423] can: request_module (can-proto-1) failed.
[   81.345613][ T1436] futex_wake_op: trinity-c2 tries to shift op by -1703; fix this program
[   85.385564][ T1544] can: request_module (can-proto-1) failed.
[   89.567017][ T1623] general protection fault, probably for non-canonical address 0xdffffc000000001b: 0000 [#1] KASAN
[   89.569460][ T1623] KASAN: null-ptr-deref in range [0x00000000000000d8-0x00000000000000df]
[   89.571360][ T1623] CPU: 0 PID: 1623 Comm: trinity-c1 Not tainted 5.17.0-rc8-02809-g764f4eb6846f #1
[ 89.573563][ T1623] RIP: 0010:llc_ui_sendmsg (net/llc/af_llc.c:947) 
[ 89.574622][ T1623] Code: 80 3c 02 00 0f 85 98 0c 00 00 49 8b 84 24 38 05 00 00 48 ba 00 00 00 00 00 fc ff df 48 8d b8 de 00 00 00 48 89 f9 48 c1 e9 03 <0f> b6 0c 11 48 89 fa 83 e2 07 ff c2 38 ca 7c 08 84 c9 0f 85 e5 05
All code
========
   0:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
   4:	0f 85 98 0c 00 00    	jne    0xca2
   a:	49 8b 84 24 38 05 00 	mov    0x538(%r12),%rax
  11:	00 
  12:	48 ba 00 00 00 00 00 	movabs $0xdffffc0000000000,%rdx
  19:	fc ff df 
  1c:	48 8d b8 de 00 00 00 	lea    0xde(%rax),%rdi
  23:	48 89 f9             	mov    %rdi,%rcx
  26:	48 c1 e9 03          	shr    $0x3,%rcx
  2a:*	0f b6 0c 11          	movzbl (%rcx,%rdx,1),%ecx		<-- trapping instruction
  2e:	48 89 fa             	mov    %rdi,%rdx
  31:	83 e2 07             	and    $0x7,%edx
  34:	ff c2                	inc    %edx
  36:	38 ca                	cmp    %cl,%dl
  38:	7c 08                	jl     0x42
  3a:	84 c9                	test   %cl,%cl
  3c:	0f                   	.byte 0xf
  3d:	85 e5                	test   %esp,%ebp
  3f:	05                   	.byte 0x5

Code starting with the faulting instruction
===========================================
   0:	0f b6 0c 11          	movzbl (%rcx,%rdx,1),%ecx
   4:	48 89 fa             	mov    %rdi,%rdx
   7:	83 e2 07             	and    $0x7,%edx
   a:	ff c2                	inc    %edx
   c:	38 ca                	cmp    %cl,%dl
   e:	7c 08                	jl     0x18
  10:	84 c9                	test   %cl,%cl
  12:	0f                   	.byte 0xf
  13:	85 e5                	test   %esp,%ebp
  15:	05                   	.byte 0x5
[   89.574622][ T1623] RSP: 0018:ffffc900001efa68 EFLAGS: 00010207
[   89.574622][ T1623] RAX: 0000000000000000 RBX: ffffc900001efe60 RCX: 000000000000001b
[   89.574622][ T1623] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: 00000000000000de
[   89.574622][ T1623] RBP: ffffc900001efb60 R08: 1ffff11021ffca07 R09: ffffed1021ffca08
[   89.574622][ T1623] R10: ffff88810ffe5538 R11: ffffed1021ffca07 R12: ffff88810ffe5000
[   89.574622][ T1623] R13: ffffc900001efd40 R14: ffff8881409ac5c0 R15: ffffc900001efb38
[   89.574622][ T1623] FS:  000000000109a880(0000) GS:ffffffff83ee6000(0000) knlGS:0000000000000000
[   89.574622][ T1623] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   89.574622][ T1623] CR2: 00007f03db89f7fc CR3: 0000000126691000 CR4: 00000000000406f0
[   89.574622][ T1623] Call Trace:
[   89.574622][ T1623]  <TASK>
[ 89.574622][ T1623] ? lock_downgrade (kernel/locking/lockdep.c:5647) 
[ 89.574622][ T1623] ? llc_ui_autobind (net/llc/af_llc.c:919) 
[ 89.574622][ T1623] ? __might_sleep (kernel/sched/core.c:9515 (discriminator 14)) 
[ 89.574622][ T1623] ? __kasan_check_write (mm/kasan/shadow.c:38) 
[ 89.574622][ T1623] ? llc_ui_autobind (net/llc/af_llc.c:919) 
[ 89.574622][ T1623] ____sys_sendmsg (net/socket.c:708 net/socket.c:725 net/socket.c:2413) 
[ 89.574622][ T1623] ? sock_write_iter (net/socket.c:2360) 
[ 89.574622][ T1623] ? pvclock_clocksource_read (arch/x86/include/asm/atomic64_64.h:184 include/linux/atomic/atomic-instrumented.h:1123 arch/x86/kernel/pvclock.c:107) 
[ 89.574622][ T1623] ? __lock_acquire (kernel/locking/lockdep.c:5027) 
[ 89.574622][ T1623] ___sys_sendmsg (net/socket.c:2469) 
[ 89.574622][ T1623] ? __kasan_check_write (mm/kasan/shadow.c:38) 
[ 89.574622][ T1623] ? sendmsg_copy_msghdr (net/socket.c:2456) 
[ 89.574622][ T1623] ? check_prev_add (kernel/locking/lockdep.c:3757) 
[ 89.574622][ T1623] ? __kasan_check_write (mm/kasan/shadow.c:38) 
[ 89.574622][ T1623] ? pvclock_clocksource_read (arch/x86/include/asm/atomic64_64.h:184 include/linux/atomic/atomic-instrumented.h:1123 arch/x86/kernel/pvclock.c:107) 
[ 89.574622][ T1623] ? __fdget (fs/file.c:1018) 
[ 89.574622][ T1623] ? sockfd_lookup_light (net/socket.c:551) 
[ 89.574622][ T1623] __sys_sendmsg (include/linux/file.h:32 net/socket.c:2498) 
[ 89.574622][ T1623] ? __sys_sendmsg_sock (net/socket.c:2484) 
[ 89.574622][ T1623] ? rapl_pmu_event_stop (arch/x86/events/rapl.c:300) 
[ 89.574622][ T1623] ? syscall_enter_from_user_mode (arch/x86/include/asm/irqflags.h:45 arch/x86/include/asm/irqflags.h:80 kernel/entry/common.c:107) 
[ 89.574622][ T1623] __x64_sys_sendmsg (net/socket.c:2503) 
[ 89.574622][ T1623] ? syscall_enter_from_user_mode (arch/x86/include/asm/irqflags.h:45 arch/x86/include/asm/irqflags.h:80 kernel/entry/common.c:107) 
[ 89.574622][ T1623] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) 
[ 89.574622][ T1623] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113) 
[   89.574622][ T1623] RIP: 0033:0x463519
[ 89.574622][ T1623] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 59 00 00 c3 66 2e 0f 1f 84 00 00 00 00
All code
========
   0:	00 f3                	add    %dh,%bl
   2:	c3                   	retq   
   3:	66 2e 0f 1f 84 00 00 	nopw   %cs:0x0(%rax,%rax,1)
   a:	00 00 00 
   d:	0f 1f 40 00          	nopl   0x0(%rax)
  11:	48 89 f8             	mov    %rdi,%rax
  14:	48 89 f7             	mov    %rsi,%rdi
  17:	48 89 d6             	mov    %rdx,%rsi
  1a:	48 89 ca             	mov    %rcx,%rdx
  1d:	4d 89 c2             	mov    %r8,%r10
  20:	4d 89 c8             	mov    %r9,%r8
  23:	4c 8b 4c 24 08       	mov    0x8(%rsp),%r9
  28:	0f 05                	syscall 
  2a:*	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax		<-- trapping instruction
  30:	0f 83 db 59 00 00    	jae    0x5a11
  36:	c3                   	retq   
  37:	66                   	data16
  38:	2e                   	cs
  39:	0f                   	.byte 0xf
  3a:	1f                   	(bad)  
  3b:	84 00                	test   %al,(%rax)
  3d:	00 00                	add    %al,(%rax)
	...

Code starting with the faulting instruction
===========================================
   0:	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax
   6:	0f 83 db 59 00 00    	jae    0x59e7
   c:	c3                   	retq   
   d:	66                   	data16
   e:	2e                   	cs
   f:	0f                   	.byte 0xf
  10:	1f                   	(bad)  
  11:	84 00                	test   %al,(%rax)
  13:	00 00                	add    %al,(%rax)


To reproduce:

        # build kernel
	cd linux
	cp config-5.17.0-rc8-02809-g764f4eb6846f .config
	make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
	make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
	cd <mod-install-dir>
	find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz


        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

        # if you come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.



-- 
0-DAY CI Kernel Test Service
https://01.org/lkp



View attachment "config-5.17.0-rc8-02809-g764f4eb6846f" of type "text/plain" (111435 bytes)

View attachment "job-script" of type "text/plain" (4375 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (13208 bytes)