| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202209071048.1fcfbec0-oliver.sang@intel.com>
Date: Wed, 7 Sep 2022 10:52:39 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Yury Norov <yury.norov@...il.com>
CC: <lkp@...ts.01.org>, <lkp@...el.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Linux Memory Management List <linux-mm@...ck.org>,
<linux-kernel@...r.kernel.org>
Subject: [lib/find_bit] cbf7464bcc:
BUG:KASAN:slab-out-of-bounds_in_find_next_bit
(please be noted we reported
"[lib/find_bit] cbf7464bcc: BUG:KASAN:global-out-of-bounds_in_find_next_bit"
at
https://lists.01.org/hyperkitty/list/lkp@lists.01.org/thread/WTEBGHMIIA7P6LXHRKVJ6FFIMZ56VM2D/
when the patch is still on branch
https://github.com/norov/linux cpumask
now we noticed this patch has already been merged into linux-next/master
and the issue still exists.
report again FYI)
Greeting,
FYI, we noticed the following commit (built with gcc-11):
commit: cbf7464bcc349a9c42687fc123d2d7e3fbfb3fbe ("lib/find_bit: optimize find_next_bit() functions")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
in testcase: boot
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>
Link: https://lore.kernel.org/r/202209071048.1fcfbec0-oliver.sang@intel.com
[ 1.802523][ T1] BUG: KASAN: slab-out-of-bounds in _find_next_bit (lib/find_bit.c:109)
[ 1.802523][ T1] Read of size 8 at addr ffff88810020bc88 by task swapper/0/1
[ 1.802523][ T1]
[ 1.802523][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.0.0-rc4-00003-gcbf7464bcc34 #1
[ 1.802523][ T1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
[ 1.802523][ T1] Call Trace:
[ 1.802523][ T1] <TASK>
[ 1.802523][ T1] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
[ 1.802523][ T1] print_address_description+0x1f/0x200
[ 1.802523][ T1] print_report.cold (mm/kasan/report.c:434)
[ 1.802523][ T1] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
[ 1.802523][ T1] ? _find_next_bit (lib/find_bit.c:109)
[ 1.802523][ T1] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:497)
[ 1.802523][ T1] ? _find_next_bit (lib/find_bit.c:109)
[ 1.802523][ T1] _find_next_bit (lib/find_bit.c:109)
[ 1.802523][ T1] set_cpu_sibling_map (arch/x86/kernel/smpboot.c:647 (discriminator 1))
[ 1.802523][ T1] ? alloc_cpumask_var_node (lib/cpumask.c:60)
[ 1.802523][ T1] ? smp_prepare_cpus_common (arch/x86/kernel/smpboot.c:1392)
[ 1.802523][ T1] native_smp_prepare_cpus (arch/x86/kernel/smpboot.c:1404)
[ 1.802523][ T1] kernel_init_freeable (init/main.c:1607)
[ 1.802523][ T1] ? console_on_rootfs (init/main.c:1594)
[ 1.802523][ T1] ? usleep_range_state (kernel/time/timer.c:1897)
[ 1.802523][ T1] ? _raw_spin_lock_bh (kernel/locking/spinlock.c:169)
[ 1.802523][ T1] ? rest_init (init/main.c:1504)
[ 1.802523][ T1] kernel_init (init/main.c:1514)
[ 1.802523][ T1] ret_from_fork (arch/x86/entry/entry_64.S:312)
[ 1.802523][ T1] </TASK>
[ 1.802523][ T1]
[ 1.802523][ T1] Allocated by task 1:
[ 1.802523][ T1] kasan_save_stack (mm/kasan/common.c:39)
[ 1.802523][ T1] __kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:437 mm/kasan/common.c:516 mm/kasan/common.c:525)
[ 1.802523][ T1] alloc_cpumask_var_node (lib/cpumask.c:60)
[ 1.802523][ T1] smp_prepare_cpus_common (arch/x86/kernel/smpboot.c:1377)
[ 1.802523][ T1] native_smp_prepare_cpus (arch/x86/kernel/smpboot.c:1404)
[ 1.802523][ T1] kernel_init_freeable (init/main.c:1607)
[ 1.802523][ T1] kernel_init (init/main.c:1514)
[ 1.802523][ T1] ret_from_fork (arch/x86/entry/entry_64.S:312)
[ 1.802523][ T1]
[ 1.802523][ T1] The buggy address belongs to the object at ffff88810020bc80
[ 1.802523][ T1] which belongs to the cache kmalloc-8 of size 8
[ 1.802523][ T1] The buggy address is located 0 bytes to the right of
[ 1.802523][ T1] 8-byte region [ffff88810020bc80, ffff88810020bc88)
[ 1.802523][ T1]
[ 1.802523][ T1] The buggy address belongs to the physical page:
[ 1.802523][ T1] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10020b
[ 1.802523][ T1] flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)
[ 1.802523][ T1] raw: 0017ffffc0000200 0000000000000000 dead000000000122 ffff888100041280
[ 1.802523][ T1] raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000
[ 1.802523][ T1] page dumped because: kasan: bad access detected
[ 1.802523][ T1]
[ 1.802523][ T1] Memory state around the buggy address:
[ 1.802523][ T1] ffff88810020bb80: fc fc fc fc fc fc fc 00 fc fc fc fc fc fc fc fc
[ 1.802523][ T1] ffff88810020bc00: fc 00 fc fc fc fc fc fc fc fc fc 04 fc fc fc fc
[ 1.802523][ T1] >ffff88810020bc80: 00 fc fc fc fc fc fc fc fc fc 00 fc fc fc fc fc
[ 1.802523][ T1] ^
[ 1.802523][ T1] ffff88810020bd00: fc fc fc fc fc fc fc fc fc fa fc fc fc fc fc fc
[ 1.802523][ T1] ffff88810020bd80: fc fc fc fc fc fc fc fc 00 fc fc fc fc fc fc fc
[ 1.802523][ T1] ==================================================================
[ 1.802538][ T1] Disabling lock debugging due to kernel taint
[ 1.803945][ T1] smpboot: CPU0: Intel Xeon E312xx (Sandy Bridge) (family: 0x6, model: 0x2a, stepping: 0x1)
[ 1.806242][ T1] cblist_init_generic: Setting adjustable number of callback queues.
[ 1.806531][ T1] cblist_init_generic: Setting shift to 1 and lim to 1.
[ 1.807743][ T1] cblist_init_generic: Setting shift to 1 and lim to 1.
[ 1.809042][ T1] Performance Events: unsupported p6 CPU model 42 no PMU driver, software events only.
[ 1.810310][ T1] rcu: Hierarchical SRCU implementation.
[ 1.810839][ T1] rcu: Max phase no-delay instances is 400.
[ 1.814558][ T1] NMI watchdog: Perf NMI watchdog permanently disabled
[ 1.816789][ T1] smp: Bringing up secondary CPUs ...
[ 1.818323][ T1] x86: Booting SMP configuration:
[ 1.818847][ T1] .... node #0, CPUs: #1
[ 0.123480][ T0] masked ExtINT on CPU#1
[ 1.821699][ T1] smp: Brought up 1 node, 2 CPUs
[ 1.823420][ T1] smpboot: Max logical packages: 1
[ 1.823816][ T1] smpboot: Total of 2 processors activated (8779.66 BogoMIPS)
[ 1.993111][ T23] node 0 deferred pages initialised in 166ms
[ 2.088450][ T1] allocated 268435456 bytes of page_ext
[ 2.089049][ T1] Node 0, zone DMA: page owner found early allocated 0 pages
[ 2.091471][ T1] Node 0, zone DMA32: page owner found early allocated 10 pages
[ 2.128894][ T1] Node 0, zone Normal: page owner found early allocated 66780 pages
[ 2.130682][ T1] devtmpfs: initialized
[ 2.132093][ T1] x86/mm: Memory block size: 128MB
[ 2.163715][ T1] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 1911260446275000 ns
[ 2.165131][ T1] futex hash table entries: 512 (order: 3, 32768 bytes, linear)
[ 2.166355][ T1] pinctrl core: initialized pinctrl subsystem
[ 2.172699][ T1] NET: Registered PF_NETLINK/PF_ROUTE protocol family
[ 2.175678][ T1] audit: initializing netlink subsys (disabled)
[ 2.178768][ T27] audit: type=2000 audit(1662481814.904:1): state=initialized audit_enabled=0 res=1
[ 2.178916][ T1] thermal_sys: Registered thermal governor 'fair_share'
[ 2.180070][ T1] thermal_sys: Registered thermal governor 'bang_bang'
[ 2.180875][ T1] thermal_sys: Registered thermal governor 'step_wise'
[ 2.181870][ T1] thermal_sys: Registered thermal governor 'user_space'
[ 2.183009][ T1] cpuidle: using governor menu
[ 2.185407][ T1] acpiphp: ACPI Hot Plug PCI Controller Driver version: 0.5
[ 2.186810][ T1] PCI: Using configuration type 1 for base access
[ 2.221895][ T1] kprobes: kprobe jump-optimization is enabled. All kprobes are optimized if possible.
[ 2.224753][ T1] HugeTLB: registered 2.00 MiB page size, pre-allocated 0 pages
[ 2.225995][ T1] HugeTLB: 28 KiB vmemmap can be freed for a 2.00 MiB page
[ 2.276206][ T1] cryptd: max_cpu_qlen set to 1000
[ 2.280057][ T1] ACPI: Added _OSI(Module Device)
[ 2.280847][ T1] ACPI: Added _OSI(Processor Device)
[ 2.281528][ T1] ACPI: Added _OSI(3.0 _SCP Extensions)
To reproduce:
# build kernel
cd linux
cp config-6.0.0-rc4-00003-gcbf7464bcc34 .config
make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
cd <mod-install-dir>
find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email
# if come across any failure that blocks the test,
# please remove ~/.lkp and /lkp dir to run from a clean state.
--
0-DAY CI Kernel Test Service
https://01.org/lkp
View attachment "config-6.0.0-rc4-00003-gcbf7464bcc34" of type "text/plain" (164628 bytes)
View attachment "job-script" of type "text/plain" (4758 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (13156 bytes)
Powered by blists - more mailing lists