Message-ID: <20220512145627.GC36375@xsang-OptiPlex-9020>
Date:   Thu, 12 May 2022 22:56:27 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Christian König <ckoenig.leichtzumerken@...il.com>
Cc:     0day robot <lkp@...el.com>,
        Christian König <christian.koenig@....com>,
        Daniel Vetter <daniel.vetter@...ll.ch>,
        LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org,
        daniel@...ll.ch, linaro-mm-sig@...ts.linaro.org,
        dri-devel@...ts.freedesktop.org, linux-media@...r.kernel.org
Subject: [dma] a9290ca07a: BUG:KASAN:slab-out-of-bounds_in__dma_fence_unwrap_merge



Greetings,

FYI, we noticed the following commit (built with gcc-11):

commit: a9290ca07a36882b114c3cd9bbd8f66ed47508bd ("[PATCH 4/5] dma-buf: generalize dma_fence unwrap & merging v2")
url: https://github.com/intel-lab-lkp/linux/commits/Christian-K-nig/dma-buf-cleanup-dma_fence_unwrap-selftest-v2/20220506-221317
base: git://anongit.freedesktop.org/drm/drm drm-next
patch link: https://lore.kernel.org/dri-devel/20220506141009.18047-4-christian.koenig@amd.com

in testcase: igt
version: igt-x86_64-eddc67c5-1_20220430
with the following parameters:

	group: group-04
	ucode: 0xc2



on test machine: 20 threads, 1 socket, Comet Lake with 16G memory

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):



If you fix the issue, kindly add the following tag:
Reported-by: kernel test robot <oliver.sang@...el.com>


kern :err : [   35.911985] BUG: KASAN: slab-out-of-bounds in __dma_fence_unwrap_merge (drivers/dma-buf/dma-fence-unwrap.c:130) 
kern  :err   : [   35.920255] Write of size 8 at addr ffff888105400508 by task api_intel_bb/1309

kern  :err   : [   35.930379] CPU: 4 PID: 1309 Comm: api_intel_bb Not tainted 5.18.0-rc5-01118-ga9290ca07a36 #1
kern  :err   : [   35.939601] Hardware name: Intel Corporation CometLake Client Platform/CometLake S UDIMM (ERB/CRB), BIOS CMLSFWR1.R00.2212.D00.2104290922 04/29/2021
kern  :err   : [   35.953601] Call Trace:
kern  :err   : [   35.956758]  <TASK>
kern :err : [   35.959564] ? __dma_fence_unwrap_merge (drivers/dma-buf/dma-fence-unwrap.c:130) 
kern :err : [   35.965157] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1)) 
kern :err : [   35.969534] print_address_description+0x1f/0x200 
kern :err : [   35.975983] ? __dma_fence_unwrap_merge (drivers/dma-buf/dma-fence-unwrap.c:130) 
kern :err : [   35.981562] print_report.cold (mm/kasan/report.c:430) 
kern :err : [   35.986277] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:82 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) 
kern :err : [   35.991606] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493) 
kern :err : [   35.995892] ? __dma_fence_unwrap_merge (drivers/dma-buf/dma-fence-unwrap.c:130) 
kern :err : [   36.001474] __dma_fence_unwrap_merge (drivers/dma-buf/dma-fence-unwrap.c:130) 
kern :err : [   36.006878] sync_file_merge+0xf7/0x240 
kern :err : [   36.012465] ? _raw_spin_lock (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:82 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154) 
kern :err : [   36.017088] ? sync_file_create (drivers/dma-buf/sync_file.c:159) 
kern :err : [   36.021798] ? __fget_files (arch/x86/include/asm/atomic64_64.h:22 include/linux/atomic/atomic-arch-fallback.h:2293 include/linux/atomic/atomic-arch-fallback.h:2318 include/linux/atomic/atomic-long.h:491 include/linux/atomic/atomic-instrumented.h:1846 fs/file.c:903 fs/file.c:934) 
kern :err : [   36.026342] sync_file_ioctl (drivers/dma-buf/sync_file.c:235 drivers/dma-buf/sync_file.c:360) 
kern :err : [   36.030966] ? sync_file_ioctl_fence_info (drivers/dma-buf/sync_file.c:355) 
kern :err : [   36.036717] ? task_work_run (kernel/task_work.c:167 (discriminator 1)) 
kern :err : [   36.041254] __x64_sys_ioctl (fs/ioctl.c:51 fs/ioctl.c:870 fs/ioctl.c:856 fs/ioctl.c:856) 
kern :err : [   36.045884] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) 
kern :err : [   36.050166] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:115) 
kern  :err   : [   36.055922] RIP: 0033:0x7fd878745e57
kern :err : [ 36.060203] Code: 00 00 90 48 8b 05 39 a0 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 09 a0 0c 00 f7 d8 64 89 01 48
All code
========
   0:	00 00                	add    %al,(%rax)
   2:	90                   	nop
   3:	48 8b 05 39 a0 0c 00 	mov    0xca039(%rip),%rax        # 0xca043
   a:	64 c7 00 26 00 00 00 	movl   $0x26,%fs:(%rax)
  11:	48 c7 c0 ff ff ff ff 	mov    $0xffffffffffffffff,%rax
  18:	c3                   	retq   
  19:	66 2e 0f 1f 84 00 00 	nopw   %cs:0x0(%rax,%rax,1)
  20:	00 00 00 
  23:	b8 10 00 00 00       	mov    $0x10,%eax
  28:	0f 05                	syscall 
  2a:*	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax		<-- trapping instruction
  30:	73 01                	jae    0x33
  32:	c3                   	retq   
  33:	48 8b 0d 09 a0 0c 00 	mov    0xca009(%rip),%rcx        # 0xca043
  3a:	f7 d8                	neg    %eax
  3c:	64 89 01             	mov    %eax,%fs:(%rcx)
  3f:	48                   	rex.W

Code starting with the faulting instruction
===========================================
   0:	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax
   6:	73 01                	jae    0x9
   8:	c3                   	retq   
   9:	48 8b 0d 09 a0 0c 00 	mov    0xca009(%rip),%rcx        # 0xca019
  10:	f7 d8                	neg    %eax
  12:	64 89 01             	mov    %eax,%fs:(%rcx)
  15:	48                   	rex.W
kern  :err   : [   36.079659] RSP: 002b:00007ffe4d4d2e88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
kern  :err   : [   36.087937] RAX: ffffffffffffffda RBX: 00005558619a1940 RCX: 00007fd878745e57
kern  :err   : [   36.095770] RDX: 00007ffe4d4d2e90 RSI: 00000000c0303e03 RDI: 0000000000000008
kern  :err   : [   36.103613] RBP: 0000000000000006 R08: 000000000000000f R09: 00005558619a4c30
kern  :err   : [   36.111444] R10: 0000000000000006 R11: 0000000000000246 R12: 00005558619a1a00
kern  :err   : [   36.119279] R13: 00005558619a46e0 R14: 00007ffe4d4d2ef0 R15: 0000000000000000
kern  :err   : [   36.127113]  </TASK>

kern  :err   : [   36.132209] Allocated by task 1309:
kern :warn : [   36.136405] kasan_save_stack (mm/kasan/common.c:39) 
kern :warn : [   36.140943] __kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:515 mm/kasan/common.c:524) 
kern :warn : [   36.145395] __dma_fence_unwrap_merge (include/linux/slab.h:621 drivers/dma-buf/dma-fence-unwrap.c:81) 
kern :warn : [   36.150800] sync_file_merge+0xf7/0x240 
kern :warn : [   36.156386] sync_file_ioctl (drivers/dma-buf/sync_file.c:235 drivers/dma-buf/sync_file.c:360) 
kern :warn : [   36.161010] __x64_sys_ioctl (fs/ioctl.c:51 fs/ioctl.c:870 fs/ioctl.c:856 fs/ioctl.c:856) 
kern :warn : [   36.165643] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) 
kern :warn : [   36.169921] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:115) 

kern  :err   : [   36.177867] The buggy address belongs to the object at ffff888105400500
which belongs to the cache kmalloc-8 of size 8
kern  :err   : [   36.191437] The buggy address is located 0 bytes to the right of
8-byte region [ffff888105400500, ffff888105400508)

kern  :err   : [   36.206942] The buggy address belongs to the physical page:
kern  :warn  : [   36.213220] page:00000000c4ee5dee refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8881054008c0 pfn:0x105400
kern  :warn  : [   36.224636] flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)
kern  :warn  : [   36.232305] raw: 0017ffffc0000200 ffffea0004155e80 dead000000000002 ffff888100042280
kern  :warn  : [   36.240745] raw: ffff8881054008c0 0000000080660035 00000001ffffffff 0000000000000000
kern  :warn  : [   36.249190] page dumped because: kasan: bad access detected

kern  :err   : [   36.257659] Memory state around the buggy address:
kern  :err   : [   36.263155]  ffff888105400400: fc fc fa fc fc fc fc fb fc fc fc fc fb fc fc fc
kern  :err   : [   36.271079]  ffff888105400480: fc fb fc fc fc fc fb fc fc fc fc fb fc fc fc fc
kern  :err   : [   36.279001] >ffff888105400500: 00 fc fc fc fc fb fc fc fc fc fa fc fc fc fc fb
kern  :err   : [   36.286921]                       ^
kern  :err   : [   36.291117]  ffff888105400580: fc fc fc fc fb fc fc fc fc fb fc fc fc fc fb fc
kern  :err   : [   36.299043]  ffff888105400600: fc fc fc fa fc fc fc fc fb fc fc fc fc fb fc fc
kern  :err   : [   36.306970] ==================================================================
kern  :warn  : [   36.314953] Disabling lock debugging due to kernel taint
user  :info  : [   36.321624] [IGT] api_intel_bb: exiting, ret=0
kern  :info  : [   36.381966] Console: switching to colour frame buffer device 160x64
kern  :info  : [   36.448188] Console: switching to colour dummy device 80x25
user  :info  : [   36.454538] [IGT] api_intel_bb: executing
user  :info  : [   36.459757] [IGT] api_intel_bb: starting subtest blit-noreloc-keep-cache-random
user  :info  : [   36.471434] [IGT] api_intel_bb: exiting, ret=0
kern  :info  : [   36.531917] Console: switching to colour frame buffer device 160x64
kern  :info  : [   36.598425] Console: switching to colour dummy device 80x25
user  :info  : [   36.604786] [IGT] api_intel_bb: executing
user  :info  : [   36.609923] [IGT] api_intel_bb: starting subtest blit-noreloc-purge-cache
user  :info  : [   36.621155] [IGT] api_intel_bb: exiting, ret=0
kern  :info  : [   36.681867] Console: switching to colour frame buffer device 160x64
kern  :info  : [   36.748514] Console: switching to colour dummy device 80x25
user  :info  : [   36.755092] [IGT] api_intel_bb: executing
user  :info  : [   36.760433] [IGT] api_intel_bb: starting subtest blit-noreloc-purge-cache-random
user  :info  : [   36.772151] [IGT] api_intel_bb: exiting, ret=0
kern  :info  : [   36.831817] Console: switching to colour frame buffer device 160x64
kern  :info  : [   36.897995] Console: switching to colour dummy device 80x25
user  :info  : [   36.904350] [IGT] api_intel_bb: executing
user  :info  : [   36.909457] [IGT] api_intel_bb: starting subtest blit-reloc-keep-cache
user  :info  : [   36.921693] [IGT] api_intel_bb: exiting, ret=0
kern  :info  : [   36.981895] Console: switching to colour frame buffer device 160x64
kern  :info  : [   37.047892] Console: switching to colour dummy device 80x25
user  :info  : [   37.054232] [IGT] api_intel_bb: executing
user  :info  : [   37.059343] [IGT] api_intel_bb: starting subtest blit-reloc-purge-cache
user  :info  : [   37.071548] [IGT] api_intel_bb: exiting, ret=0
kern  :info  : [   37.131724] Console: switching to colour frame buffer device 160x64
kern  :info  : [   37.197818] Console: switching to colour dummy device 80x25
user  :info  : [   37.204190] [IGT] api_intel_bb: executing
user  :info  : [   37.209296] [IGT] api_intel_bb: starting subtest delta-check
user  :info  : [   37.216856] [IGT] api_intel_bb: exiting, ret=0
user  :notice: [   37.245164] result_service: raw_upload, RESULT_MNT: /internal-lkp-server/result, RESULT_ROOT: /internal-lkp-server/result/igt/group-04-ucode=0xc2/lkp-cml-d02/debian-10.4-x86_64-20200603.cgz/x86_64-rhel-8.3-func/gcc-11/a9290ca07a36882b114c3cd9bbd8f66ed47508bd/1, TMP_RESULT_ROOT: /tmp/lkp/result

user  :notice: [   37.276355] run-job /lkp/jobs/scheduled/lkp-cml-d02/igt-group-04-ucode=0xc2-debian-10.4-x86_64-20200603.cgz-a9290ca07a36882b114c3cd9bbd8f66ed47508bd-20220511-19224-132epq3-1.yaml

kern  :info  : [   37.281678] Console: switching to colour frame buffer device 160x64
kern  :info  : [   37.366074] Console: switching to colour dummy device 80x25
user  :info  : [   37.372429] [IGT] api_intel_bb: executing
user  :info  : [   37.377548] [IGT] api_intel_bb: starting subtest destroy-bb
user  :info  : [   37.388923] [IGT] api_intel_bb: exiting, ret=0
kern  :info  : [   37.431625] Console: switching to colour frame buffer device 160x64
kern  :info  : [   37.497522] Console: switching to colour dummy device 80x25
user  :info  : [   37.503871] [IGT] api_intel_bb: executing
user  :info  : [   37.508999] [IGT] api_intel_bb: starting subtest full-batch
user  :info  : [   37.516733] [IGT] api_intel_bb: exiting, ret=0
kern  :info  : [   37.564907] Console: switching to colour frame buffer device 160x64
kern  :info  : [   37.630954] Console: switching to colour dummy device 80x25
user  :info  : [   37.637306] [IGT] api_intel_bb: executing
user  :info  : [   37.642423] [IGT] api_intel_bb: starting subtest intel-bb-blit-none
user  :notice: [   38.035871] /usr/bin/wget -q --timeout=1800 --tries=1 --local-encoding=UTF-8 http://internal-lkp-server:80/~lkp/cgi-bin/lkp-jobfile-append-var?job_file=/lkp/jobs/scheduled/lkp-cml-d02/igt-group-04-ucode=0xc2-debian-10.4-x86_64-20200603.cgz-a9290ca07a36882b114c3cd9bbd8f66ed47508bd-20220511-19224-132epq3-1.yaml&job_state=running -O /dev/null

user  :notice: [   38.069080] target ucode: 0xc2

user  :notice: [   38.075557] current_version: c2, target_version: c2



To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        sudo bin/lkp install job.yaml           # job file is attached in this email
        bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
        sudo bin/lkp run generated-yaml-file

        # if you come across any failure that blocks the test,
        # please remove the ~/.lkp and /lkp directories to run from a clean state.



-- 
0-DAY CI Kernel Test Service
https://01.org/lkp



View attachment "config-5.18.0-rc5-01118-ga9290ca07a36" of type "text/plain" (166223 bytes)

View attachment "job-script" of type "text/plain" (5438 bytes)

Download attachment "kmsg.xz" of type "application/x-xz" (49256 bytes)

View attachment "igt" of type "text/plain" (157553 bytes)

View attachment "job.yaml" of type "text/plain" (4316 bytes)

View attachment "reproduce" of type "text/plain" (17535 bytes)
