lists.openwall.net - Open Source and information security mailing list archives
Date:   Wed, 7 Sep 2022 10:52:39 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Yury Norov <yury.norov@...il.com>
CC:     <lkp@...ts.01.org>, <lkp@...el.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Linux Memory Management List <linux-mm@...ck.org>,
        <linux-kernel@...r.kernel.org>
Subject: [lib/find_bit] cbf7464bcc: BUG:KASAN:slab-out-of-bounds_in_find_next_bit


(Please note that we reported
"[lib/find_bit] cbf7464bcc: BUG:KASAN:global-out-of-bounds_in_find_next_bit"
at
https://lists.01.org/hyperkitty/list/lkp@lists.01.org/thread/WTEBGHMIIA7P6LXHRKVJ6FFIMZ56VM2D/
when the patch was still on branch
https://github.com/norov/linux cpumask

Now we have noticed that this patch has already been merged into linux-next/master
and the issue still exists.

Reporting again, FYI.)


Greetings,

FYI, we noticed the following commit (built with gcc-11):

commit: cbf7464bcc349a9c42687fc123d2d7e3fbfb3fbe ("lib/find_bit: optimize find_next_bit() functions")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master

in testcase: boot

on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):



If you fix the issue, kindly add the following tags:
Reported-by: kernel test robot <oliver.sang@...el.com>
Link: https://lore.kernel.org/r/202209071048.1fcfbec0-oliver.sang@intel.com


[    1.802523][    T1] BUG: KASAN: slab-out-of-bounds in _find_next_bit (lib/find_bit.c:109)
[    1.802523][    T1] Read of size 8 at addr ffff88810020bc88 by task swapper/0/1
[    1.802523][    T1]
[    1.802523][    T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.0.0-rc4-00003-gcbf7464bcc34 #1
[    1.802523][    T1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
[    1.802523][    T1] Call Trace:
[    1.802523][    T1]  <TASK>
[    1.802523][    T1]  dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
[    1.802523][    T1]  print_address_description+0x1f/0x200
[    1.802523][    T1]  print_report.cold (mm/kasan/report.c:434)
[    1.802523][    T1]  ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
[    1.802523][    T1]  ? _find_next_bit (lib/find_bit.c:109)
[    1.802523][    T1]  kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:497)
[    1.802523][    T1]  ? _find_next_bit (lib/find_bit.c:109)
[    1.802523][    T1]  _find_next_bit (lib/find_bit.c:109)
[    1.802523][    T1]  set_cpu_sibling_map (arch/x86/kernel/smpboot.c:647 (discriminator 1))
[    1.802523][    T1]  ? alloc_cpumask_var_node (lib/cpumask.c:60)
[    1.802523][    T1]  ? smp_prepare_cpus_common (arch/x86/kernel/smpboot.c:1392)
[    1.802523][    T1]  native_smp_prepare_cpus (arch/x86/kernel/smpboot.c:1404)
[    1.802523][    T1]  kernel_init_freeable (init/main.c:1607)
[    1.802523][    T1]  ? console_on_rootfs (init/main.c:1594)
[    1.802523][    T1]  ? usleep_range_state (kernel/time/timer.c:1897)
[    1.802523][    T1]  ? _raw_spin_lock_bh (kernel/locking/spinlock.c:169)
[    1.802523][    T1]  ? rest_init (init/main.c:1504)
[    1.802523][    T1]  kernel_init (init/main.c:1514)
[    1.802523][    T1]  ret_from_fork (arch/x86/entry/entry_64.S:312)
[    1.802523][    T1]  </TASK>
[    1.802523][    T1]
[    1.802523][    T1] Allocated by task 1:
[    1.802523][    T1]  kasan_save_stack (mm/kasan/common.c:39)
[    1.802523][    T1]  __kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:437 mm/kasan/common.c:516 mm/kasan/common.c:525)
[    1.802523][    T1]  alloc_cpumask_var_node (lib/cpumask.c:60)
[    1.802523][    T1]  smp_prepare_cpus_common (arch/x86/kernel/smpboot.c:1377)
[    1.802523][    T1]  native_smp_prepare_cpus (arch/x86/kernel/smpboot.c:1404)
[    1.802523][    T1]  kernel_init_freeable (init/main.c:1607)
[    1.802523][    T1]  kernel_init (init/main.c:1514)
[    1.802523][    T1]  ret_from_fork (arch/x86/entry/entry_64.S:312)
[    1.802523][    T1]
[    1.802523][    T1] The buggy address belongs to the object at ffff88810020bc80
[    1.802523][    T1]  which belongs to the cache kmalloc-8 of size 8
[    1.802523][    T1] The buggy address is located 0 bytes to the right of
[    1.802523][    T1]  8-byte region [ffff88810020bc80, ffff88810020bc88)
[    1.802523][    T1]
[    1.802523][    T1] The buggy address belongs to the physical page:
[    1.802523][    T1] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10020b
[    1.802523][    T1] flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)
[    1.802523][    T1] raw: 0017ffffc0000200 0000000000000000 dead000000000122 ffff888100041280
[    1.802523][    T1] raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000
[    1.802523][    T1] page dumped because: kasan: bad access detected
[    1.802523][    T1]
[    1.802523][    T1] Memory state around the buggy address:
[    1.802523][    T1]  ffff88810020bb80: fc fc fc fc fc fc fc 00 fc fc fc fc fc fc fc fc
[    1.802523][    T1]  ffff88810020bc00: fc 00 fc fc fc fc fc fc fc fc fc 04 fc fc fc fc
[    1.802523][    T1] >ffff88810020bc80: 00 fc fc fc fc fc fc fc fc fc 00 fc fc fc fc fc
[    1.802523][    T1]                       ^
[    1.802523][    T1]  ffff88810020bd00: fc fc fc fc fc fc fc fc fc fa fc fc fc fc fc fc
[    1.802523][    T1]  ffff88810020bd80: fc fc fc fc fc fc fc fc 00 fc fc fc fc fc fc fc
[    1.802523][    T1] ==================================================================
[    1.802538][    T1] Disabling lock debugging due to kernel taint
[    1.803945][    T1] smpboot: CPU0: Intel Xeon E312xx (Sandy Bridge) (family: 0x6, model: 0x2a, stepping: 0x1)
[    1.806242][    T1] cblist_init_generic: Setting adjustable number of callback queues.
[    1.806531][    T1] cblist_init_generic: Setting shift to 1 and lim to 1.
[    1.807743][    T1] cblist_init_generic: Setting shift to 1 and lim to 1.
[    1.809042][    T1] Performance Events: unsupported p6 CPU model 42 no PMU driver, software events only.
[    1.810310][    T1] rcu: Hierarchical SRCU implementation.
[    1.810839][    T1] rcu: 	Max phase no-delay instances is 400.
[    1.814558][    T1] NMI watchdog: Perf NMI watchdog permanently disabled
[    1.816789][    T1] smp: Bringing up secondary CPUs ...
[    1.818323][    T1] x86: Booting SMP configuration:
[    1.818847][    T1] .... node  #0, CPUs:      #1
[    0.123480][    T0] masked ExtINT on CPU#1
[    1.821699][    T1] smp: Brought up 1 node, 2 CPUs
[    1.823420][    T1] smpboot: Max logical packages: 1
[    1.823816][    T1] smpboot: Total of 2 processors activated (8779.66 BogoMIPS)
[    1.993111][   T23] node 0 deferred pages initialised in 166ms
[    2.088450][    T1] allocated 268435456 bytes of page_ext
[    2.089049][    T1] Node 0, zone      DMA: page owner found early allocated 0 pages
[    2.091471][    T1] Node 0, zone    DMA32: page owner found early allocated 10 pages
[    2.128894][    T1] Node 0, zone   Normal: page owner found early allocated 66780 pages
[    2.130682][    T1] devtmpfs: initialized
[    2.132093][    T1] x86/mm: Memory block size: 128MB
[    2.163715][    T1] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 1911260446275000 ns
[    2.165131][    T1] futex hash table entries: 512 (order: 3, 32768 bytes, linear)
[    2.166355][    T1] pinctrl core: initialized pinctrl subsystem
[    2.172699][    T1] NET: Registered PF_NETLINK/PF_ROUTE protocol family
[    2.175678][    T1] audit: initializing netlink subsys (disabled)
[    2.178768][   T27] audit: type=2000 audit(1662481814.904:1): state=initialized audit_enabled=0 res=1
[    2.178916][    T1] thermal_sys: Registered thermal governor 'fair_share'
[    2.180070][    T1] thermal_sys: Registered thermal governor 'bang_bang'
[    2.180875][    T1] thermal_sys: Registered thermal governor 'step_wise'
[    2.181870][    T1] thermal_sys: Registered thermal governor 'user_space'
[    2.183009][    T1] cpuidle: using governor menu
[    2.185407][    T1] acpiphp: ACPI Hot Plug PCI Controller Driver version: 0.5
[    2.186810][    T1] PCI: Using configuration type 1 for base access
[    2.221895][    T1] kprobes: kprobe jump-optimization is enabled. All kprobes are optimized if possible.
[    2.224753][    T1] HugeTLB: registered 2.00 MiB page size, pre-allocated 0 pages
[    2.225995][    T1] HugeTLB: 28 KiB vmemmap can be freed for a 2.00 MiB page
[    2.276206][    T1] cryptd: max_cpu_qlen set to 1000
[    2.280057][    T1] ACPI: Added _OSI(Module Device)
[    2.280847][    T1] ACPI: Added _OSI(Processor Device)
[    2.281528][    T1] ACPI: Added _OSI(3.0 _SCP Extensions)


To reproduce:

        # build the kernel with the attached config
        cd linux
        cp config-6.0.0-rc4-00003-gcbf7464bcc34 .config
        make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
        make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
        cd <mod-install-dir>
        find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz

        # run the boot test under qemu with the lkp-tests harness
        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

        # if you come across any failure that blocks the test,
        # please remove the ~/.lkp and /lkp dirs to run from a clean state.



-- 
0-DAY CI Kernel Test Service
https://01.org/lkp



View attachment "config-6.0.0-rc4-00003-gcbf7464bcc34" of type "text/plain" (164628 bytes)

View attachment "job-script" of type "text/plain" (4758 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (13156 bytes)
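Added example, not code from the report above or from the kernel's lib/find_bit.c: a user-space model of a word-at-a-time find_next_bit() whose word fetch is instrumented, so a test can show which words of the bitmap storage a scan actually loaded. The report shows the real function reading 8 bytes at an address 0 bytes past an 8-byte kmalloc-8 object, the cpumask allocated by alloc_cpumask_var_node(); on a 2-CPU guest that mask occupies a single word, so a correct scan must never load a second one. The property demonstrated is that the bound on the next word index is checked before that word is fetched. The names find_next_bit_checked, fetch_word, trace_reset, trace_max_word_read and collect_set_bits, and the one-word sibling mask in main(), are this example's own assumptions, and nothing here claims which line of the kernel patch is at fault.

```c
/*
 * Added example, not code from the report or from the kernel's lib/find_bit.c.
 * A user-space model of a word-at-a-time find_next_bit() with an instrumented
 * word fetch, so a test can show which words of the bitmap storage a scan
 * actually loaded. Names and layout are this example's own assumptions.
 */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)
#define BITS_TO_LONGS(n) (((n) + BITS_PER_LONG - 1) / BITS_PER_LONG)
#define BITMAP_FIRST_WORD_MASK(start) (~0UL << ((start) % BITS_PER_LONG))

/* Highest word index loaded since the last trace_reset(), -1 if none. */
static long trace_max_word = -1;

void trace_reset(void)
{
	trace_max_word = -1;
}

long trace_max_word_read(void)
{
	return trace_max_word;
}

/* Every load of bitmap storage goes through here so it can be recorded. */
static unsigned long fetch_word(const unsigned long *addr, size_t idx)
{
	if ((long)idx > trace_max_word)
		trace_max_word = (long)idx;
	return addr[idx];
}

/*
 * Return the index of the first set bit at or after start, or nbits if none.
 * The next word index is checked against nbits *before* that word is loaded,
 * so a bitmap of nbits bits never has addr[BITS_TO_LONGS(nbits)] read: for a
 * 2-bit mask stored in one word, word 1 (the 8 bytes past the object in the
 * KASAN report) is never touched.
 */
size_t find_next_bit_checked(const unsigned long *addr, size_t nbits, size_t start)
{
	size_t idx, bit;
	unsigned long tmp;

	if (start >= nbits)
		return nbits;

	idx = start / BITS_PER_LONG;
	tmp = fetch_word(addr, idx) & BITMAP_FIRST_WORD_MASK(start);

	while (!tmp) {
		/* Does any word after idx still hold bits below nbits? */
		if ((idx + 1) * BITS_PER_LONG >= nbits)
			return nbits;
		idx++;
		tmp = fetch_word(addr, idx);
	}

	/* Bits of the last word that lie beyond nbits are not valid results. */
	bit = idx * BITS_PER_LONG + (size_t)__builtin_ctzl(tmp);
	return bit < nbits ? bit : nbits;
}

/* for_each_cpu()-style walk: write each set bit index to out[], return count. */
size_t collect_set_bits(const unsigned long *addr, size_t nbits,
			size_t *out, size_t max_out)
{
	size_t n = 0;
	size_t b;

	for (b = find_next_bit_checked(addr, nbits, 0);
	     b < nbits && n < max_out;
	     b = find_next_bit_checked(addr, nbits, b + 1))
		out[n++] = b;
	return n;
}

int main(void)
{
	/* Constructed stand-in for the kmalloc-8 sibling mask in the report:
	 * two possible CPUs, only CPU 0 set, the whole mask in one word. */
	unsigned long sibling_mask[1] = { 1UL << 0 };
	size_t cpus[2];
	size_t n;

	trace_reset();
	n = collect_set_bits(sibling_mask, 2, cpus, 2);
	printf("%zu set bit(s); highest word index loaded: %ld (storage has %zu word(s))\n",
	       n, trace_max_word_read(), BITS_TO_LONGS(2));
	return 0;
}
```

In this model, a walk over a 2-bit mask from start=1 finds no further bit and returns nbits without ever loading word 1; moving the bound check to after the fetch instead of before it would make that same walk load word 1, which is the access pattern of the 8-byte read 0 bytes past the 8-byte region that KASAN flagged. The trace counter is what makes that visible without a sanitizer; in the kernel, KASAN's redzone after the kmalloc-8 object plays the same role.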
