Open Source and information security mailing list archives
Message-ID: <202212261504.41a8268b-oliver.sang@intel.com>
Date:   Mon, 26 Dec 2022 15:36:10 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Yu Kuai <yukuai3@...wei.com>
CC:     <oe-lkp@...ts.linux.dev>, <lkp@...el.com>,
        Jens Axboe <axboe@...nel.dk>, Jan Kara <jack@...e.cz>,
        <linux-kernel@...r.kernel.org>, <linux-block@...r.kernel.org>
Subject: [linus:master] [block, bfq] 64dc8c732f: BUG:KASAN:use-after-free_in_bfq_exit_icq_bfqq

Greetings,

FYI, we noticed BUG:KASAN:use-after-free_in_bfq_exit_icq_bfqq due to commit (built with gcc-11):

commit: 64dc8c732f5c2b406cc752e6aaa1bd5471159cab ("block, bfq: fix possible uaf for 'bfqq->bic'")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master

[test failed on linux-next/master e45fb347b630ee76482fe938ba76cf8eab811290]

in testcase: blktests
version: blktests-x86_64-b35866f-1_20221206
with the following parameters:

	disk: 1SSD
	test: block-027



on test machine: 4 threads Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (Skylake) with 32G memory

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):


If you fix the issue, kindly add the following tags:
| Reported-by: kernel test robot <oliver.sang@...el.com>
| Link: https://lore.kernel.org/oe-lkp/202212261504.41a8268b-oliver.sang@intel.com


[ 68.195492][ T862] BUG: KASAN: use-after-free in bfq_exit_icq_bfqq (block/bfq-iosched.c:392 block/bfq-iosched.c:5321) 
[   68.203861][  T862] Read of size 8 at addr ffff8888019ded20 by task check/862
[   68.212059][  T862]
[   68.215294][  T862] CPU: 2 PID: 862 Comm: check Not tainted 6.1.0-09942-g64dc8c732f5c #1
[   68.224446][  T862] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.8.1 12/05/2017
[   68.233607][  T862] Call Trace:
[   68.237830][  T862]  <TASK>
[ 68.241700][ T862] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1)) 
[ 68.247130][ T862] print_address_description+0x87/0x2a1 
[ 68.254648][ T862] print_report (mm/kasan/report.c:418) 
[ 68.260075][ T862] ? kasan_addr_to_slab (mm/kasan/common.c:35) 
[ 68.265933][ T862] ? bfq_exit_icq_bfqq (block/bfq-iosched.c:392 block/bfq-iosched.c:5321) 
[ 68.271970][ T862] kasan_report (mm/kasan/report.c:519) 
[ 68.277213][ T862] ? bfq_exit_icq_bfqq (block/bfq-iosched.c:392 block/bfq-iosched.c:5321) 
[ 68.283232][ T862] bfq_exit_icq_bfqq (block/bfq-iosched.c:392 block/bfq-iosched.c:5321) 
[ 68.289077][ T862] bfq_exit_icq (block/bfq-iosched.c:5349) 
[ 68.294394][ T862] ioc_destroy_icq (block/blk-ioc.c:56 block/blk-ioc.c:93) 
[ 68.300055][ T862] ioc_clear_queue (block/blk-ioc.c:187) 
[ 68.305717][ T862] ? ioc_find_get_icq (block/blk-ioc.c:173) 
[ 68.311633][ T862] ? mutex_lock (arch/x86/include/asm/atomic64_64.h:190 include/linux/atomic/atomic-long.h:443 include/linux/atomic/atomic-instrumented.h:1781 kernel/locking/mutex.c:171 kernel/locking/mutex.c:285) 
[ 68.316855][ T862] ? __mutex_lock_slowpath (kernel/locking/mutex.c:282) 
[ 68.323034][ T862] elevator_exit (block/elevator.c:164) 
[ 68.328355][ T862] del_gendisk (block/genhd.c:660) 
[ 68.333667][ T862] ? __pm_runtime_resume (drivers/base/power/runtime.c:1174) 
[ 68.339759][ T862] sd_remove (drivers/scsi/sd.c:3577) sd_mod
[ 68.345507][ T862] device_release_driver_internal (drivers/base/dd.c:1251 drivers/base/dd.c:1275) 
[ 68.352473][ T862] ? klist_put (include/linux/kref.h:66 lib/klist.c:206 lib/klist.c:217) 
[ 68.357778][ T862] bus_remove_device (drivers/base/bus.c:530) 
[ 68.363592][ T862] device_del (drivers/base/core.c:3705) 
[ 68.368811][ T862] ? __device_link_del (drivers/base/core.c:3660) 
[ 68.374815][ T862] ? __kmem_cache_free (mm/slub.c:1807 mm/slub.c:3787 mm/slub.c:3800) 
[ 68.380815][ T862] ? kobject_put (arch/x86/include/asm/atomic.h:190 include/linux/atomic/atomic-instrumented.h:177 include/linux/refcount.h:272 include/linux/refcount.h:315 include/linux/refcount.h:333 include/linux/kref.h:64 lib/kobject.c:721) 
[ 68.386114][ T862] ? sysfs_kf_bin_read (fs/sysfs/file.c:129) 
[ 68.392104][ T862] __scsi_remove_device (drivers/scsi/scsi_sysfs.c:1475) 
[ 68.398182][ T862] sdev_store_delete (drivers/scsi/scsi_sysfs.c:1516 drivers/scsi/scsi_sysfs.c:797) 
[ 68.403917][ T862] kernfs_fop_write_iter (fs/kernfs/file.c:334) 
[ 68.410059][ T862] vfs_write (include/linux/fs.h:2186 fs/read_write.c:491 fs/read_write.c:584) 
[ 68.415130][ T862] ? kernel_write (fs/read_write.c:565) 
[ 68.420608][ T862] ? __fget_light (include/linux/atomic/atomic-arch-fallback.h:227 include/linux/atomic/atomic-instrumented.h:35 fs/file.c:1015) 
[ 68.425971][ T862] ksys_write (fs/read_write.c:637) 
[ 68.430950][ T862] ? __ia32_sys_read (fs/read_write.c:627) 
[ 68.436450][ T862] ? fput (arch/x86/include/asm/atomic64_64.h:118 include/linux/atomic/atomic-long.h:467 include/linux/atomic/atomic-instrumented.h:1814 fs/file_table.c:371) 
[ 68.441057][ T862] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) 
[ 68.446152][ T862] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) 
[   68.452696][  T862] RIP: 0033:0x7f746cf6a8f3
[ 68.457767][ T862] Code: 8b 15 a1 25 0e 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 28 48 89 54 24 18
All code
========
   0:	8b 15 a1 25 0e 00    	mov    0xe25a1(%rip),%edx        # 0xe25a7
   6:	f7 d8                	neg    %eax
   8:	64 89 02             	mov    %eax,%fs:(%rdx)
   b:	48 c7 c0 ff ff ff ff 	mov    $0xffffffffffffffff,%rax
  12:	eb b7                	jmp    0xffffffffffffffcb
  14:	0f 1f 00             	nopl   (%rax)
  17:	64 8b 04 25 18 00 00 	mov    %fs:0x18,%eax
  1e:	00 
  1f:	85 c0                	test   %eax,%eax
  21:	75 14                	jne    0x37
  23:	b8 01 00 00 00       	mov    $0x1,%eax
  28:	0f 05                	syscall 
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 55                	ja     0x87
  32:	c3                   	retq   
  33:	0f 1f 40 00          	nopl   0x0(%rax)
  37:	48 83 ec 28          	sub    $0x28,%rsp
  3b:	48 89 54 24 18       	mov    %rdx,0x18(%rsp)

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 55                	ja     0x5d
   8:	c3                   	retq   
   9:	0f 1f 40 00          	nopl   0x0(%rax)
   d:	48 83 ec 28          	sub    $0x28,%rsp
  11:	48 89 54 24 18       	mov    %rdx,0x18(%rsp)
[   68.478908][  T862] RSP: 002b:00007ffcb26ee558 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   68.488041][  T862] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f746cf6a8f3
[   68.496744][  T862] RDX: 0000000000000002 RSI: 000055dcfd0b7750 RDI: 0000000000000001
[   68.505450][  T862] RBP: 000055dcfd0b7750 R08: 000000000000000a R09: 0000000000000001
[   68.514154][  T862] R10: 000055dcfd122a00 R11: 0000000000000246 R12: 0000000000000002
[   68.522852][  T862] R13: 00007f746d04e6a0 R14: 0000000000000002 R15: 00007f746d049880
[   68.531556][  T862]  </TASK>
[   68.535303][  T862]
[   68.538338][  T862] Allocated by task 1400:
[ 68.543367][ T862] kasan_save_stack (mm/kasan/common.c:46) 
[ 68.548731][ T862] kasan_set_track (mm/kasan/common.c:52) 
[ 68.554011][ T862] __kasan_slab_alloc (mm/kasan/common.c:328) 
[ 68.559529][ T862] kmem_cache_alloc_node (mm/slab.h:761 mm/slub.c:3452 mm/slub.c:3497) 
[ 68.565469][ T862] bfq_get_queue (block/bfq-iosched.c:5689) 
[ 68.570714][ T862] bfq_get_bfqq_handle_split (block/bfq-iosched.c:6591) 
[ 68.576912][ T862] bfq_init_rq (block/bfq-iosched.c:6710) 
[ 68.582053][ T862] bfq_insert_request+0xdd/0x700 
[ 68.588230][ T862] bfq_insert_requests (include/linux/list.h:292 block/bfq-iosched.c:6134) 
[ 68.593961][ T862] blk_mq_sched_insert_request (block/blk-mq-sched.c:457) 
[ 68.600379][ T862] blk_mq_submit_bio (block/blk-mq.c:2995) 
[ 68.606010][ T862] submit_bio_noacct_nocheck (include/linux/bio.h:609 block/blk-core.c:682 block/blk-core.c:698 block/blk-core.c:687) 
[ 68.612243][ T862] __blkdev_direct_IO_async (block/fops.c:355) 
[ 68.618382][ T862] blkdev_read_iter (block/fops.c:362 block/fops.c:581) 
[ 68.623828][ T862] aio_read (fs/aio.c:1520 fs/aio.c:1560) 
[ 68.628583][ T862] io_submit_one (include/linux/instrumented.h:102 include/linux/atomic/atomic-instrumented.h:176 include/linux/refcount.h:272 include/linux/refcount.h:315 include/linux/refcount.h:333 fs/aio.c:1186 fs/aio.c:2022) 
[ 68.633764][ T862] __x64_sys_io_submit (fs/aio.c:2078 fs/aio.c:2048 fs/aio.c:2048) 
[ 68.639467][ T862] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) 
[ 68.644473][ T862] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) 
[   68.650960][  T862]
[   68.653882][  T862] Freed by task 862:
[ 68.658366][ T862] kasan_save_stack (mm/kasan/common.c:46) 
[ 68.663632][ T862] kasan_set_track (mm/kasan/common.c:52) 
[ 68.668810][ T862] kasan_save_free_info (mm/kasan/generic.c:520) 
[ 68.674425][ T862] __kasan_slab_free (mm/kasan/common.c:238 mm/kasan/common.c:200 mm/kasan/common.c:244) 
[ 68.679954][ T862] kmem_cache_free (mm/slub.c:1807 mm/slub.c:3787 mm/slub.c:3809) 
[ 68.685313][ T862] bfq_put_queue (block/bfq-iosched.c:5266) 
[ 68.690504][ T862] bfq_exit_icq_bfqq (block/bfq-iosched.c:389 block/bfq-iosched.c:5321) 
[ 68.696030][ T862] bfq_exit_icq (block/bfq-iosched.c:5349) 
[ 68.701037][ T862] ioc_destroy_icq (block/blk-ioc.c:56 block/blk-ioc.c:93) 
[ 68.706388][ T862] ioc_clear_queue (block/blk-ioc.c:187) 
[ 68.711737][ T862] elevator_exit (block/elevator.c:164) 
[ 68.716734][ T862] del_gendisk (block/genhd.c:660) 
[ 68.721731][ T862] sd_remove (drivers/scsi/sd.c:3577) sd_mod
[ 68.727158][ T862] device_release_driver_internal (drivers/base/dd.c:1251 drivers/base/dd.c:1275) 
[ 68.733799][ T862] bus_remove_device (drivers/base/bus.c:530) 
[ 68.739318][ T862] device_del (drivers/base/core.c:3705) 
[ 68.744228][ T862] __scsi_remove_device (drivers/scsi/scsi_sysfs.c:1475) 
[ 68.750005][ T862] sdev_store_delete (drivers/scsi/scsi_sysfs.c:1516 drivers/scsi/scsi_sysfs.c:797) 
[ 68.755442][ T862] kernfs_fop_write_iter (fs/kernfs/file.c:334) 
[ 68.761313][ T862] vfs_write (include/linux/fs.h:2186 fs/read_write.c:491 fs/read_write.c:584) 
[ 68.766145][ T862] ksys_write (fs/read_write.c:637) 
[ 68.770971][ T862] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) 
[ 68.775963][ T862] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) 
[   68.782442][  T862]
[   68.785361][  T862] The buggy address belongs to the object at ffff8888019deb80
[   68.785361][  T862]  which belongs to the cache bfq_queue of size 568
[   68.800590][  T862] The buggy address is located 416 bytes inside of
[   68.800590][  T862]  568-byte region [ffff8888019deb80, ffff8888019dedb8)
[   68.815221][  T862]
[   68.818171][  T862] The buggy address belongs to the physical page:
[   68.825204][  T862] page:0000000059db31a7 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8019dc
[   68.836068][  T862] head:0000000059db31a7 order:2 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0
[   68.846747][  T862] flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[   68.855593][  T862] raw: 0017ffffc0010200 ffff8881103ea500 dead000000000122 0000000000000000
[   68.864771][  T862] raw: 0000000000000000 0000000080170017 00000001ffffffff 0000000000000000
[   68.873944][  T862] page dumped because: kasan: bad access detected
[   68.880954][  T862]
[   68.883885][  T862] Memory state around the buggy address:
[   68.890120][  T862]  ffff8888019dec00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.898794][  T862]  ffff8888019dec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.907453][  T862] >ffff8888019ded00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.916109][  T862]                                ^
[   68.921828][  T862]  ffff8888019ded80: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
[   68.930509][  T862]  ffff8888019dee00: fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb fb
[   68.939190][  T862] ==================================================================
[   68.947879][  T862] Disabling lock debugging due to kernel taint


To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        sudo bin/lkp install job.yaml           # job file is attached in this email
        bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
        sudo bin/lkp run generated-yaml-file

        # if you come across any failure that blocks the test,
        # please remove ~/.lkp and the /lkp dir to run from a clean state.



-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests



View attachment "config-6.1.0-09942-g64dc8c732f5c" of type "text/plain" (171690 bytes)

View attachment "job-script" of type "text/plain" (5517 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (41780 bytes)

View attachment "blktests" of type "text/plain" (1278 bytes)

View attachment "job.yaml" of type "text/plain" (4592 bytes)

View attachment "reproduce" of type "text/plain" (34 bytes)
