Message-ID: <20220414132205.GB6935@xsang-OptiPlex-9020>
Date: Thu, 14 Apr 2022 21:22:05 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Shiyang Ruan <ruansy.fnst@...itsu.com>
Cc: 0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
lkp@...ts.01.org, linux-xfs@...r.kernel.org,
nvdimm@...ts.linux.dev, linux-mm@...ck.org,
linux-fsdevel@...r.kernel.org, djwong@...nel.org,
dan.j.williams@...el.com, david@...morbit.com, hch@...radead.org,
jane.chu@...cle.com
Subject: [xfs] bf68be0c39: BUG:KASAN:null-ptr-deref_in_fs_put_dax
Greetings,
FYI, we noticed the following commit (built with gcc-11):
commit: bf68be0c39b8ecc4223b948a9ee126af167d74f0 ("[PATCH v12 6/7] xfs: Implement ->notify_failure() for XFS")
url: https://github.com/intel-lab-lkp/linux/commits/Shiyang-Ruan/fsdax-introduce-fs-query-to-support-reflink/20220411-001048
base: https://github.com/hnaz/linux-mm master
patch link: https://lore.kernel.org/lkml/20220410160904.3758789-7-ruansy.fnst@fujitsu.com
in testcase: xfstests
version: xfstests-x86_64-1de1db8-1_20220217
with following parameters:
disk: 4HDD
fs: xfs
test: xfs-group-05
ucode: 0x21
test-description: xfstests is a regression test suite for xfs and other file systems.
test-url: git://git.kernel.org/pub/scm/fs/xfs/xfstests-dev.git
on test machine: 4 threads, 1 socket, Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz with 8G memory
caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):
If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <oliver.sang@...el.com>
[ 62.111233][ T1606] BUG: KASAN: null-ptr-deref in fs_put_dax (drivers/dax/super.c:116 (discriminator 1))
[ 62.117884][ T1606] Write of size 8 at addr 00000000000002f0 by task umount/1606
[ 62.125379][ T1606]
[ 62.127616][ T1606] CPU: 2 PID: 1606 Comm: umount Not tainted 5.18.0-rc1-mm1-00194-gbf68be0c39b8 #1
[ 62.136760][ T1606] Hardware name: Hewlett-Packard HP Pro 3340 MT/17A1, BIOS 8.07 01/24/2013
[ 62.145339][ T1606] Call Trace:
[ 62.148554][ T1606] <TASK>
[ 62.151404][ T1606] ? fs_put_dax (drivers/dax/super.c:116 (discriminator 1))
[ 62.155651][ T1606] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
[ 62.160110][ T1606] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493)
[ 62.164447][ T1606] ? fs_put_dax (drivers/dax/super.c:116 (discriminator 1))
[ 62.168677][ T1606] kasan_check_range (mm/kasan/generic.c:190)
[ 62.173427][ T1606] fs_put_dax (drivers/dax/super.c:116 (discriminator 1))
[ 62.177519][ T1606] xfs_free_buftarg (fs/xfs/kmem.h:62 fs/xfs/xfs_buf.c:1917) xfs
[ 62.182900][ T1606] xfs_fs_put_super (fs/xfs/xfs_super.c:1101) xfs
[ 62.188326][ T1606] generic_shutdown_super (fs/super.c:464)
[ 62.193636][ T1606] kill_block_super (fs/super.c:1395)
[ 62.198325][ T1606] deactivate_locked_super (fs/super.c:339)
[ 62.203656][ T1606] cleanup_mnt (fs/namespace.c:138 fs/namespace.c:1187)
[ 62.208023][ T1606] ? path_umount (fs/namespace.c:1808)
[ 62.212530][ T1606] task_work_run (kernel/task_work.c:166 (discriminator 1))
[ 62.216932][ T1606] exit_to_user_mode_loop (include/linux/resume_user_mode.h:49 kernel/entry/common.c:169)
[ 62.222253][ T1606] exit_to_user_mode_prepare (kernel/entry/common.c:201)
[ 62.227749][ T1606] syscall_exit_to_user_mode (arch/x86/include/asm/jump_label.h:27 include/linux/context_tracking_state.h:31 include/linux/context_tracking.h:40 kernel/entry/common.c:132 kernel/entry/common.c:296)
[ 62.233149][ T1606] do_syscall_64 (arch/x86/entry/common.c:87)
[ 62.237447][ T1606] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:115)
[ 62.243288][ T1606] RIP: 0033:0x7fa858fee507
[ 62.247649][ T1606] Code: 19 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 59 19 0c 00 f7 d8 64 89 01 48
All code
========
0: 19 0c 00 sbb %ecx,(%rax,%rax,1)
3: f7 d8 neg %eax
5: 64 89 01 mov %eax,%fs:(%rcx)
8: 48 83 c8 ff or $0xffffffffffffffff,%rax
c: c3 retq
d: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
13: 31 f6 xor %esi,%esi
15: e9 09 00 00 00 jmpq 0x23
1a: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1)
21: 00 00
23: b8 a6 00 00 00 mov $0xa6,%eax
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 73 01 jae 0x33
32: c3 retq
33: 48 8b 0d 59 19 0c 00 mov 0xc1959(%rip),%rcx # 0xc1993
3a: f7 d8 neg %eax
3c: 64 89 01 mov %eax,%fs:(%rcx)
3f: 48 rex.W
Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 73 01 jae 0x9
8: c3 retq
9: 48 8b 0d 59 19 0c 00 mov 0xc1959(%rip),%rcx # 0xc1969
10: f7 d8 neg %eax
12: 64 89 01 mov %eax,%fs:(%rcx)
15: 48 rex.W
[ 62.267385][ T1606] RSP: 002b:00007ffe344b8b68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 62.275814][ T1606] RAX: 0000000000000000 RBX: 00005639c92b5970 RCX: 00007fa858fee507
[ 62.283744][ T1606] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00005639c92b5b80
[ 62.291682][ T1606] RBP: 0000000000000000 R08: 00005639c92b5ba0 R09: 00007fa85906fe80
[ 62.299622][ T1606] R10: 0000000000000000 R11: 0000000000000246 R12: 00005639c92b5b80
[ 62.307568][ T1606] R13: 00007fa8591141c4 R14: 00005639c92b5a68 R15: 0000000000000000
[ 62.315510][ T1606] </TASK>
[ 62.318445][ T1606] ==================================================================
[ 62.326514][ T1606] Disabling lock debugging due to kernel taint
[ 62.332634][ T1606] BUG: kernel NULL pointer dereference, address: 00000000000002f0
[ 62.340410][ T1606] #PF: supervisor write access in kernel mode
[ 62.346422][ T1606] #PF: error_code(0x0002) - not-present page
[ 62.352357][ T1606] PGD 0 P4D 0
[ 62.355658][ T1606] Oops: 0002 [#1] SMP KASAN PTI
[ 62.360475][ T1606] CPU: 2 PID: 1606 Comm: umount Tainted: G B 5.18.0-rc1-mm1-00194-gbf68be0c39b8 #1
[ 62.371045][ T1606] Hardware name: Hewlett-Packard HP Pro 3340 MT/17A1, BIOS 8.07 01/24/2013
[ 62.379598][ T1606] RIP: 0010:fs_put_dax (drivers/dax/super.c:116 (discriminator 1))
[ 62.384466][ T1606] Code: 40 00 0f 1f 44 00 00 55 48 89 fd 53 48 85 f6 74 27 48 89 f3 48 8d bf f0 02 00 00 be 08 00 00 00 e8 9d a8 29 ff 48 89 d8 31 d2 <f0> 48 0f b1 95 f0 02 00 00 48 39 c3 74 12 48 85 ed 74 0a 48 89 ef
All code
========
0: 40 00 0f add %cl,(%rdi)
3: 1f (bad)
4: 44 00 00 add %r8b,(%rax)
7: 55 push %rbp
8: 48 89 fd mov %rdi,%rbp
b: 53 push %rbx
c: 48 85 f6 test %rsi,%rsi
f: 74 27 je 0x38
11: 48 89 f3 mov %rsi,%rbx
14: 48 8d bf f0 02 00 00 lea 0x2f0(%rdi),%rdi
1b: be 08 00 00 00 mov $0x8,%esi
20: e8 9d a8 29 ff callq 0xffffffffff29a8c2
25: 48 89 d8 mov %rbx,%rax
28: 31 d2 xor %edx,%edx
2a:* f0 48 0f b1 95 f0 02 lock cmpxchg %rdx,0x2f0(%rbp) <-- trapping instruction
31: 00 00
33: 48 39 c3 cmp %rax,%rbx
36: 74 12 je 0x4a
38: 48 85 ed test %rbp,%rbp
3b: 74 0a je 0x47
3d: 48 89 ef mov %rbp,%rdi
Code starting with the faulting instruction
===========================================
0: f0 48 0f b1 95 f0 02 lock cmpxchg %rdx,0x2f0(%rbp)
7: 00 00
9: 48 39 c3 cmp %rax,%rbx
c: 74 12 je 0x20
e: 48 85 ed test %rbp,%rbp
11: 74 0a je 0x1d
13: 48 89 ef mov %rbp,%rdi
[ 62.404142][ T1606] RSP: 0018:ffffc90000f5fd90 EFLAGS: 00010246
[ 62.410137][ T1606] RAX: ffff888140f34000 RBX: ffff888140f34000 RCX: ffffffff811992e6
[ 62.418085][ T1606] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff85c0b600
[ 62.426032][ T1606] RBP: 0000000000000000 R08: 0000000000000001 R09: ffffffff85c0b607
[ 62.433997][ T1606] R10: fffffbfff0b816c0 R11: 0000000000000000 R12: ffff8882189e80b8
[ 62.441943][ T1606] R13: ffff888140f34180 R14: ffff888140f34188 R15: ffff8881312f4180
[ 62.449876][ T1606] FS: 00007fa858bc8080(0000) GS:ffff8881aad00000(0000) knlGS:0000000000000000
[ 62.458774][ T1606] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 62.465317][ T1606] CR2: 00000000000002f0 CR3: 0000000134b6a002 CR4: 00000000001706e0
[ 62.473283][ T1606] Call Trace:
[ 62.476463][ T1606] <TASK>
[ 62.479331][ T1606] xfs_free_buftarg (fs/xfs/kmem.h:62 fs/xfs/xfs_buf.c:1917) xfs
[ 62.484688][ T1606] xfs_fs_put_super (fs/xfs/xfs_super.c:1101) xfs
[ 62.490091][ T1606] generic_shutdown_super (fs/super.c:464)
[ 62.495390][ T1606] kill_block_super (fs/super.c:1395)
[ 62.500072][ T1606] deactivate_locked_super (fs/super.c:339)
[ 62.505394][ T1606] cleanup_mnt (fs/namespace.c:138 fs/namespace.c:1187)
[ 62.509717][ T1606] ? path_umount (fs/namespace.c:1808)
[ 62.514233][ T1606] task_work_run (kernel/task_work.c:166 (discriminator 1))
[ 62.518679][ T1606] exit_to_user_mode_loop (include/linux/resume_user_mode.h:49 kernel/entry/common.c:169)
[ 62.524009][ T1606] exit_to_user_mode_prepare (kernel/entry/common.c:201)
[ 62.529493][ T1606] syscall_exit_to_user_mode (arch/x86/include/asm/jump_label.h:27 include/linux/context_tracking_state.h:31 include/linux/context_tracking.h:40 kernel/entry/common.c:132 kernel/entry/common.c:296)
[ 62.534902][ T1606] do_syscall_64 (arch/x86/entry/common.c:87)
[ 62.539220][ T1606] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:115)
[ 62.545042][ T1606] RIP: 0033:0x7fa858fee507
[ 62.549388][ T1606] Code: 19 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 59 19 0c 00 f7 d8 64 89 01 48
All code
========
0: 19 0c 00 sbb %ecx,(%rax,%rax,1)
3: f7 d8 neg %eax
5: 64 89 01 mov %eax,%fs:(%rcx)
8: 48 83 c8 ff or $0xffffffffffffffff,%rax
c: c3 retq
d: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
13: 31 f6 xor %esi,%esi
15: e9 09 00 00 00 jmpq 0x23
1a: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1)
21: 00 00
23: b8 a6 00 00 00 mov $0xa6,%eax
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 73 01 jae 0x33
32: c3 retq
33: 48 8b 0d 59 19 0c 00 mov 0xc1959(%rip),%rcx # 0xc1993
3a: f7 d8 neg %eax
3c: 64 89 01 mov %eax,%fs:(%rcx)
3f: 48 rex.W
Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 73 01 jae 0x9
8: c3 retq
9: 48 8b 0d 59 19 0c 00 mov 0xc1959(%rip),%rcx # 0xc1969
10: f7 d8 neg %eax
12: 64 89 01 mov %eax,%fs:(%rcx)
15: 48 rex.W
[ 62.569097][ T1606] RSP: 002b:00007ffe344b8b68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[ 62.577467][ T1606] RAX: 0000000000000000 RBX: 00005639c92b5970 RCX: 00007fa858fee507
[ 62.585386][ T1606] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 00005639c92b5b80
[ 62.593265][ T1606] RBP: 0000000000000000 R08: 00005639c92b5ba0 R09: 00007fa85906fe80
[ 62.601248][ T1606] R10: 0000000000000000 R11: 0000000000000246 R12: 00005639c92b5b80
[ 62.609151][ T1606] R13: 00007fa8591141c4 R14: 00005639c92b5a68 R15: 0000000000000000
[ 62.617075][ T1606] </TASK>
[ 62.619995][ T1606] Modules linked in: xfs dm_mod netconsole btrfs blake2b_generic xor raid6_pq zstd_compress libcrc32c sd_mod t10_pi crc64_rocksoft_generic intel_rapl_msr crc64_rocksoft intel_rapl_common crc64 sg x86_pkg_temp_thermal intel_powerclamp coretemp ipmi_devintf i915 ipmi_msghandler kvm_intel kvm intel_gtt drm_buddy drm_dp_helper ttm irqbypass crct10dif_pclmul crc32_pclmul drm_kms_helper wmi_bmof crc32c_intel syscopyarea ghash_clmulni_intel rapl intel_cstate sysfillrect sysimgblt ahci fb_sys_fops libahci intel_uncore mei_me drm libata mei video wmi ip_tables
[ 62.670932][ T1606] CR2: 00000000000002f0
[ 62.675025][ T1606] ---[ end trace 0000000000000000 ]---
[ 62.680557][ T1606] RIP: 0010:fs_put_dax (drivers/dax/super.c:116 (discriminator 1))
[ 62.685457][ T1606] Code: 40 00 0f 1f 44 00 00 55 48 89 fd 53 48 85 f6 74 27 48 89 f3 48 8d bf f0 02 00 00 be 08 00 00 00 e8 9d a8 29 ff 48 89 d8 31 d2 <f0> 48 0f b1 95 f0 02 00 00 48 39 c3 74 12 48 85 ed 74 0a 48 89 ef
All code
========
0: 40 00 0f add %cl,(%rdi)
3: 1f (bad)
4: 44 00 00 add %r8b,(%rax)
7: 55 push %rbp
8: 48 89 fd mov %rdi,%rbp
b: 53 push %rbx
c: 48 85 f6 test %rsi,%rsi
f: 74 27 je 0x38
11: 48 89 f3 mov %rsi,%rbx
14: 48 8d bf f0 02 00 00 lea 0x2f0(%rdi),%rdi
1b: be 08 00 00 00 mov $0x8,%esi
20: e8 9d a8 29 ff callq 0xffffffffff29a8c2
25: 48 89 d8 mov %rbx,%rax
28: 31 d2 xor %edx,%edx
2a:* f0 48 0f b1 95 f0 02 lock cmpxchg %rdx,0x2f0(%rbp) <-- trapping instruction
31: 00 00
33: 48 39 c3 cmp %rax,%rbx
36: 74 12 je 0x4a
38: 48 85 ed test %rbp,%rbp
3b: 74 0a je 0x47
3d: 48 89 ef mov %rbp,%rdi
Code starting with the faulting instruction
===========================================
0: f0 48 0f b1 95 f0 02 lock cmpxchg %rdx,0x2f0(%rbp)
7: 00 00
9: 48 39 c3 cmp %rax,%rbx
c: 74 12 je 0x20
e: 48 85 ed test %rbp,%rbp
11: 74 0a je 0x1d
13: 48 89 ef mov %rbp,%rdi
To reproduce:
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
sudo bin/lkp install job.yaml # job file is attached in this email
bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
sudo bin/lkp run generated-yaml-file
# if you come across any failure that blocks the test,
# please remove ~/.lkp and /lkp dir to run from a clean state.
--
0-DAY CI Kernel Test Service
https://01.org/lkp