Message-ID: <202301091653.af6d16b0-oliver.sang@intel.com>
Date: Mon, 9 Jan 2023 21:27:02 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
CC: <oe-lkp@...ts.linux.dev>, <lkp@...el.com>,
<devel@...verdev.osuosl.org>, <linux-kernel@...r.kernel.org>
Subject: [driver-core:kobject-const] [bus] fd1ca1d869: BUG:KASAN:double-free_in_bus_register
Greetings,
FYI, we noticed BUG:KASAN:double-free_in_bus_register due to commit (built with gcc-11):
commit: fd1ca1d869f4167b8141ad3c3fc74cbe8d771ac0 ("bus: step 1")
https://git.kernel.org/cgit/linux/kernel/git/gregkh/driver-core.git kobject-const
in testcase: boot
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
+-----------------------------------------------------------+------------+------------+
|                                                           | 4789953230 | fd1ca1d869 |
+-----------------------------------------------------------+------------+------------+
| boot_successes                                            | 23         | 0          |
| boot_failures                                             | 0          | 18         |
| BUG:KASAN:double-free_in_bus_register                     | 0          | 18         |
| WARNING:at_drivers/base/core.c:#device_release            | 0          | 18         |
| RIP:device_release                                        | 0          | 18         |
| WARNING:at_drivers/base/auxiliary.c:#auxiliary_bus_init   | 0          | 18         |
| RIP:auxiliary_bus_init                                    | 0          | 18         |
| Kernel_panic-not_syncing:Failed_to_register_CPU_subsystem | 0          | 18         |
| BUG:KFENCE:invalid_free_in_bus_register                   | 0          | 12         |
+-----------------------------------------------------------+------------+------------+
If you fix the issue, kindly add the following tags:
| Reported-by: kernel test robot <oliver.sang@...el.com>
| Link: https://lore.kernel.org/oe-lkp/202301091653.af6d16b0-oliver.sang@intel.com
[ 2.324038][ T1] BUG: KASAN: double-free in bus_register (kbuild/src/x86_64-2/drivers/base/bus.c:889)
[ 2.324038][ T1] Free of addr ffff8881003f7000 by task swapper/0/1
[ 2.324038][ T1]
[ 2.324038][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.2.0-rc2-00018-gfd1ca1d869f4 #4
[ 2.324038][ T1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014
[ 2.324038][ T1] Call Trace:
[ 2.324038][ T1] <TASK>
[ 2.324038][ T1] ? bus_register (kbuild/src/x86_64-2/drivers/base/bus.c:889)
[ 2.324038][ T1] dump_stack_lvl (kbuild/src/x86_64-2/lib/dump_stack.c:107 (discriminator 1))
[ 2.324038][ T1] print_address_description+0x87/0x2a1
[ 2.324038][ T1] ? bus_register (kbuild/src/x86_64-2/drivers/base/bus.c:889)
[ 2.324038][ T1] print_report (kbuild/src/x86_64-2/mm/kasan/report.c:418)
[ 2.324038][ T1] ? bus_register (kbuild/src/x86_64-2/drivers/base/bus.c:889)
[ 2.324038][ T1] ? kasan_addr_to_slab (kbuild/src/x86_64-2/mm/kasan/common.c:35)
[ 2.324038][ T1] ? bus_register (kbuild/src/x86_64-2/drivers/base/bus.c:889)
[ 2.324038][ T1] kasan_report_invalid_free (kbuild/src/x86_64-2/mm/kasan/report.c:484)
[ 2.324038][ T1] ? bus_register (kbuild/src/x86_64-2/drivers/base/bus.c:889)
[ 2.324038][ T1] ____kasan_slab_free (kbuild/src/x86_64-2/mm/kasan/common.c:226)
[ 2.324038][ T1] ? bus_register (kbuild/src/x86_64-2/drivers/base/bus.c:889)
[ 2.324038][ T1] __kmem_cache_free (kbuild/src/x86_64-2/mm/slub.c:1807 kbuild/src/x86_64-2/mm/slub.c:3787 kbuild/src/x86_64-2/mm/slub.c:3800)
[ 2.324038][ T1] ? bus_release (kbuild/src/x86_64-2/drivers/base/bus.c:183)
[ 2.324038][ T1] bus_register (kbuild/src/x86_64-2/drivers/base/bus.c:889)
[ 2.324038][ T1] ? pm_runtime_init (kbuild/src/x86_64-2/drivers/base/power/runtime.c:1735)
[ 2.324038][ T1] platform_bus_init (kbuild/src/x86_64-2/drivers/base/platform.c:1522)
[ 2.324038][ T1] driver_init (kbuild/src/x86_64-2/drivers/base/init.c:37)
[ 2.324038][ T1] kernel_init_freeable (kbuild/src/x86_64-2/init/main.c:1412 kbuild/src/x86_64-2/init/main.c:1634)
[ 2.324038][ T1] ? console_on_rootfs (kbuild/src/x86_64-2/init/main.c:1604)
[ 2.324038][ T1] ? usleep_range_state (kbuild/src/x86_64-2/kernel/time/timer.c:2129)
[ 2.324038][ T1] ? _raw_spin_lock_bh (kbuild/src/x86_64-2/kernel/locking/spinlock.c:169)
[ 2.324038][ T1] ? rest_init (kbuild/src/x86_64-2/init/main.c:1514)
[ 2.324038][ T1] kernel_init (kbuild/src/x86_64-2/init/main.c:1524)
[ 2.324038][ T1] ret_from_fork (kbuild/src/x86_64-2/arch/x86/entry/entry_64.S:314)
[ 2.324038][ T1] </TASK>
[ 2.324038][ T1]
[ 2.324038][ T1] Allocated by task 1:
[ 2.324038][ T1] kasan_save_stack (kbuild/src/x86_64-2/mm/kasan/common.c:46)
[ 2.324038][ T1] kasan_set_track (kbuild/src/x86_64-2/mm/kasan/common.c:52)
[ 2.324038][ T1] __kasan_kmalloc (kbuild/src/x86_64-2/mm/kasan/common.c:371 kbuild/src/x86_64-2/mm/kasan/common.c:330 kbuild/src/x86_64-2/mm/kasan/common.c:380)
[ 2.324038][ T1] bus_register (kbuild/src/x86_64-2/include/linux/slab.h:580 kbuild/src/x86_64-2/include/linux/slab.h:720 kbuild/src/x86_64-2/drivers/base/bus.c:814)
[ 2.324038][ T1] platform_bus_init (kbuild/src/x86_64-2/drivers/base/platform.c:1522)
[ 2.324038][ T1] driver_init (kbuild/src/x86_64-2/drivers/base/init.c:37)
[ 2.324038][ T1] kernel_init_freeable (kbuild/src/x86_64-2/init/main.c:1412 kbuild/src/x86_64-2/init/main.c:1634)
[ 2.324038][ T1] kernel_init (kbuild/src/x86_64-2/init/main.c:1524)
[ 2.324038][ T1] ret_from_fork (kbuild/src/x86_64-2/arch/x86/entry/entry_64.S:314)
[ 2.324038][ T1]
[ 2.324038][ T1] Freed by task 1:
[ 2.324038][ T1] kasan_save_stack (kbuild/src/x86_64-2/mm/kasan/common.c:46)
[ 2.324038][ T1] kasan_set_track (kbuild/src/x86_64-2/mm/kasan/common.c:52)
[ 2.324038][ T1] kasan_save_free_info (kbuild/src/x86_64-2/mm/kasan/generic.c:520)
[ 2.324038][ T1] ____kasan_slab_free (kbuild/src/x86_64-2/mm/kasan/common.c:238 kbuild/src/x86_64-2/mm/kasan/common.c:200)
[ 2.324038][ T1] __kmem_cache_free (kbuild/src/x86_64-2/mm/slub.c:1807 kbuild/src/x86_64-2/mm/slub.c:3787 kbuild/src/x86_64-2/mm/slub.c:3800)
[ 2.324038][ T1] bus_release (kbuild/src/x86_64-2/drivers/base/bus.c:183)
[ 2.324038][ T1] kobject_cleanup (kbuild/src/x86_64-2/lib/kobject.c:677)
[ 2.324038][ T1] bus_register (kbuild/src/x86_64-2/drivers/base/bus.c:886)
[ 2.324038][ T1] platform_bus_init (kbuild/src/x86_64-2/drivers/base/platform.c:1522)
[ 2.324038][ T1] driver_init (kbuild/src/x86_64-2/drivers/base/init.c:37)
[ 2.324038][ T1] kernel_init_freeable (kbuild/src/x86_64-2/init/main.c:1412 kbuild/src/x86_64-2/init/main.c:1634)
[ 2.324038][ T1] kernel_init (kbuild/src/x86_64-2/init/main.c:1524)
[ 2.324038][ T1] ret_from_fork (kbuild/src/x86_64-2/arch/x86/entry/entry_64.S:314)
[ 2.324038][ T1]
[ 2.324038][ T1] The buggy address belongs to the object at ffff8881003f7000
[ 2.324038][ T1] which belongs to the cache kmalloc-512 of size 512
[ 2.324038][ T1] The buggy address is located 0 bytes inside of
[ 2.324038][ T1] 512-byte region [ffff8881003f7000, ffff8881003f7200)
[ 2.324038][ T1]
[ 2.324038][ T1] The buggy address belongs to the physical page:
[ 2.324038][ T1] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1003f4
[ 2.324038][ T1] head:(____ptrval____) order:2 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0
[ 2.324038][ T1] flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[ 2.324038][ T1] raw: 0017ffffc0010200 ffff888100041c80 dead000000000122 0000000000000000
[ 2.324038][ T1] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 2.324038][ T1] page dumped because: kasan: bad access detected
[ 2.324038][ T1] page_owner tracks the page as allocated
[ 2.324038][ T1] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0(), pid 1, tgid 1 (swapper/0), ts 2278035063, free_ts 0
[ 2.324038][ T1] register_early_stack (kbuild/src/x86_64-2/mm/page_owner.c:68 kbuild/src/x86_64-2/mm/page_owner.c:83)
[ 2.324038][ T1] init_page_owner (kbuild/src/x86_64-2/mm/page_owner.c:94)
[ 2.324038][ T1] kernel_init_freeable (kbuild/src/x86_64-2/init/main.c:1410 kbuild/src/x86_64-2/init/main.c:1634)
[ 2.324038][ T1] kernel_init (kbuild/src/x86_64-2/init/main.c:1524)
[ 2.324038][ T1] page_owner free stack trace missing
[ 2.324038][ T1]
[ 2.324038][ T1] Memory state around the buggy address:
[ 2.324038][ T1] ffff8881003f6f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 2.324038][ T1] ffff8881003f6f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 2.324038][ T1] >ffff8881003f7000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2.324038][ T1] ^
[ 2.324038][ T1] ffff8881003f7080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2.324038][ T1] ffff8881003f7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2.324038][ T1] ==================================================================
[ 2.324057][ T1] Disabling lock debugging due to kernel taint
[ 2.325165][ T1] ------------[ cut here ]------------
[ 2.326048][ T1] Device 'platform' does not have a release() function, it is broken and must be fixed. See Documentation/core-api/kobject.rst.
[ 2.327738][ T1] WARNING: CPU: 0 PID: 1 at drivers/base/core.c:2333 device_release (kbuild/src/x86_64-2/drivers/base/core.c:2333)
[ 2.328596][ T1] Modules linked in:
[ 2.329328][ T1] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G B 6.2.0-rc2-00018-gfd1ca1d869f4 #4
[ 2.330603][ T1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014
[ 2.331623][ T1] RIP: 0010:device_release (kbuild/src/x86_64-2/drivers/base/core.c:2333)
[ 2.332374][ T1] Code: 48 8d 7d 50 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 89 00 00 00 48 8b 75 50 48 85 f6 74 13 48 c7 c7 40 0f ef 83 e8 1a ff 06 01 <0f> 0b e9 0f ff ff ff 48 b8 00 00 00 00 00 fc ff df 48 89 ea 48 c1
All code
========
0: 48 8d 7d 50 lea 0x50(%rbp),%rdi
4: 48 89 fa mov %rdi,%rdx
7: 48 c1 ea 03 shr $0x3,%rdx
b: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
f: 0f 85 89 00 00 00 jne 0x9e
15: 48 8b 75 50 mov 0x50(%rbp),%rsi
19: 48 85 f6 test %rsi,%rsi
1c: 74 13 je 0x31
1e: 48 c7 c7 40 0f ef 83 mov $0xffffffff83ef0f40,%rdi
25: e8 1a ff 06 01 callq 0x106ff44
2a:* 0f 0b ud2 <-- trapping instruction
2c: e9 0f ff ff ff jmpq 0xffffffffffffff40
31: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
38: fc ff df
3b: 48 89 ea mov %rbp,%rdx
3e: 48 rex.W
3f: c1 .byte 0xc1
Code starting with the faulting instruction
===========================================
0: 0f 0b ud2
2: e9 0f ff ff ff jmpq 0xffffffffffffff16
7: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
e: fc ff df
11: 48 89 ea mov %rbp,%rdx
14: 48 rex.W
15: c1 .byte 0xc1
[ 2.333969][ T1] RSP: 0000:ffffc9000001fdd8 EFLAGS: 00010286
[ 2.334404][ T1] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 2.335551][ T1] RDX: 0000000000000000 RSI: 0000000000000000 RDI: fffff52000003fad
[ 2.336535][ T1] RBP: ffffffff853d9480 R08: 0000000000000000 R09: ffffc9000001fb0f
[ 2.337571][ T1] R10: fffff52000003f61 R11: 0000000000000001 R12: ffff888100278600
[ 2.338584][ T1] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 2.339537][ T1] FS: 0000000000000000(0000) GS:ffff8883af200000(0000) knlGS:0000000000000000
[ 2.340592][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2.341427][ T1] CR2: ffff88843ffff000 CR3: 0000000004a14000 CR4: 00000000000406f0
[ 2.342543][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2.343625][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2.344557][ T1] Call Trace:
[ 2.345052][ T1] <TASK>
[ 2.345736][ T1] kobject_cleanup (kbuild/src/x86_64-2/lib/kobject.c:677)
[ 2.346354][ T1] platform_bus_init (kbuild/src/x86_64-2/drivers/base/platform.c:1527)
[ 2.347049][ T1] driver_init (kbuild/src/x86_64-2/drivers/base/init.c:37)
[ 2.347937][ T1] kernel_init_freeable (kbuild/src/x86_64-2/init/main.c:1412 kbuild/src/x86_64-2/init/main.c:1634)
[ 2.348359][ T1] ? console_on_rootfs (kbuild/src/x86_64-2/init/main.c:1604)
[ 2.349395][ T1] ? usleep_range_state (kbuild/src/x86_64-2/kernel/time/timer.c:2129)
[ 2.350382][ T1] ? _raw_spin_lock_bh (kbuild/src/x86_64-2/kernel/locking/spinlock.c:169)
[ 2.351356][ T1] ? rest_init (kbuild/src/x86_64-2/init/main.c:1514)
[ 2.352048][ T1] ? rest_init (kbuild/src/x86_64-2/init/main.c:1514)
[ 2.352960][ T1] kernel_init (kbuild/src/x86_64-2/init/main.c:1524)
[ 2.353352][ T1] ret_from_fork (kbuild/src/x86_64-2/arch/x86/entry/entry_64.S:314)
[ 2.354049][ T1] </TASK>
[ 2.354706][ T1] ---[ end trace 0000000000000000 ]---
To reproduce:
# build kernel
cd linux
cp config-6.2.0-rc2-00018-gfd1ca1d869f4 .config
make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
cd <mod-install-dir>
find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email
# if you come across any failure that blocks the test,
# please remove ~/.lkp and /lkp dir to run from a clean state.
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests
View attachment "config-6.2.0-rc2-00018-gfd1ca1d869f4" of type "text/plain" (197020 bytes)
View attachment "job-script" of type "text/plain" (4797 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (8848 bytes)