Date:   Mon, 20 Jun 2022 10:47:49 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Jens Axboe <axboe@...nel.dk>
Cc:     Ammar Faizi <ammarfaizi2@...weeb.org>,
        linux-kernel@...r.kernel.org, lkp@...ts.01.org, lkp@...el.com
Subject: [iov_iter]  8416b73063: canonical_address#:#[##]



Greetings,

FYI, we noticed the following commit (built with gcc-11):

commit: 8416b73063d19b0a1b487cb9336641b5d1dea33e ("iov_iter: import single segments iovecs as ITER_UBUF")
https://github.com/ammarfaizi2/linux-block axboe/linux-block/for-5.20/io_uring-iter

in testcase: trinity
version: trinity-x86_64-3f8670b2-1_20220518
with the following parameters:

	runtime: 300s

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

caused the following changes (please refer to the attached dmesg/kmsg for the entire log/backtrace):



If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <oliver.sang@...el.com>


[   24.905349][  T526] can: broadcast manager protocol
[   25.142446][  T449] uffd: Set unprivileged_userfaultfd sysctl knob to 1 if kernel faults must be handled without obtaining CAP_SYS_PTRACE capability
[   25.201512][  T576] Zero length message leads to an empty skb
[   25.213383][  T576] VFS: Warning: trinity-c6 using old stat() call. Recompile your binary.
[   25.220033][  T576] Attempt to set a LOCK_MAND lock via flock(2). This support has been removed and the request ignored.
[   26.203411][  T588] general protection fault, probably for non-canonical address 0xe0000bf8965a3800: 0000 [#1] SMP KASAN PTI
[   26.205435][  T588] KASAN: probably user-memory-access in range [0x00007fc4b2d1c000-0x00007fc4b2d1c007]
[   26.207211][  T588] CPU: 1 PID: 588 Comm: trinity-c1 Not tainted 5.19.0-rc2-00317-g8416b73063d1 #8
[   26.208955][  T588] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
[ 26.210789][ T588] RIP: do_loop_readv_writev+0x120/0x300 
[ 26.212422][ T588] Code: 7c 01 00 00 49 8b 55 10 48 85 d2 0f 84 b8 00 00 00 48 8b 44 24 10 80 38 00 0f 85 48 01 00 00 49 8b 45 18 48 89 c1 48 c1 e9 03 <80> 3c 29 00 0f 85 12 01 00 00 48 8b 7c 24 18 48 8b 30 80 3f 00 0f
All code
========
   0:	7c 01                	jl     0x3
   2:	00 00                	add    %al,(%rax)
   4:	49 8b 55 10          	mov    0x10(%r13),%rdx
   8:	48 85 d2             	test   %rdx,%rdx
   b:	0f 84 b8 00 00 00    	je     0xc9
  11:	48 8b 44 24 10       	mov    0x10(%rsp),%rax
  16:	80 38 00             	cmpb   $0x0,(%rax)
  19:	0f 85 48 01 00 00    	jne    0x167
  1f:	49 8b 45 18          	mov    0x18(%r13),%rax
  23:	48 89 c1             	mov    %rax,%rcx
  26:	48 c1 e9 03          	shr    $0x3,%rcx
  2a:*	80 3c 29 00          	cmpb   $0x0,(%rcx,%rbp,1)		<-- trapping instruction
  2e:	0f 85 12 01 00 00    	jne    0x146
  34:	48 8b 7c 24 18       	mov    0x18(%rsp),%rdi
  39:	48 8b 30             	mov    (%rax),%rsi
  3c:	80 3f 00             	cmpb   $0x0,(%rdi)
  3f:	0f                   	.byte 0xf

Code starting with the faulting instruction
===========================================
   0:	80 3c 29 00          	cmpb   $0x0,(%rcx,%rbp,1)
   4:	0f 85 12 01 00 00    	jne    0x11c
   a:	48 8b 7c 24 18       	mov    0x18(%rsp),%rdi
   f:	48 8b 30             	mov    (%rax),%rsi
  12:	80 3f 00             	cmpb   $0x0,(%rdi)
  15:	0f                   	.byte 0xf
[   26.216124][  T588] RSP: 0018:ffffc900007cfc20 EFLAGS: 00010206
[   26.217797][  T588] RAX: 00007fc4b2d1c000 RBX: ffff888141e1d280 RCX: 00000ff8965a3800
[   26.219592][  T588] RDX: 0000000000000014 RSI: ffffc900007cfd58 RDI: ffff888141e1d2a8
[   26.221378][  T588] RBP: dffffc0000000000 R08: 0000000000000014 R09: ffffc900007cfd50
[   26.223159][  T588] R10: fffff520000f9fb5 R11: 0000000000000001 R12: 0000000000000000
[   26.224915][  T588] R13: ffffc900007cfd50 R14: ffffc900007cfec8 R15: ffff888141e1d2c4
[   26.226678][  T588] FS:  00007fc4b4971600(0000) GS:ffff88839d700000(0000) knlGS:0000000000000000
[   26.228499][  T588] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   26.230193][  T588] CR2: 00007fc4b4089f4c CR3: 0000000162456000 CR4: 00000000000406e0
[   26.231973][  T588] DR0: 00007fc4b2b1c000 DR1: 0000000000000000 DR2: 0000000000000000
[   26.233737][  T588] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
[   26.235504][  T588] Call Trace:
[   26.236991][  T588]  <TASK>
[ 26.238440][ T588] do_iter_write (kbuild/src/x86_64-2/fs/read_write.c:753 kbuild/src/x86_64-2/fs/read_write.c:868) 
[ 26.239985][ T588] vfs_writev (kbuild/src/x86_64-2/fs/read_write.c:940) 
[ 26.241495][ T588] ? vfs_iter_write (kbuild/src/x86_64-2/fs/read_write.c:930) 
[ 26.243021][ T588] ? __hrtimer_start_range_ns (kbuild/src/x86_64-2/kernel/time/hrtimer.c:1258) 


To reproduce:

        # build kernel
	cd linux
	cp config-5.19.0-rc2-00317-g8416b73063d1 .config
	make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
	make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
	cd <mod-install-dir>
	find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz


        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

        # if you come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.



-- 
0-DAY CI Kernel Test Service
https://01.org/lkp



View attachment "config-5.19.0-rc2-00317-g8416b73063d1" of type "text/plain" (167363 bytes)

View attachment "job-script" of type "text/plain" (4808 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (14908 bytes)
