Message-ID: <202301311549.6afc9591-oliver.sang@intel.com>
Date: Tue, 31 Jan 2023 16:08:06 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Ajay Kaher <akaher@...are.com>
CC: <oe-lkp@...ts.linux.dev>, <lkp@...el.com>,
Steven Rostedt <rostedt@...dmis.org>,
Ching-lin Yu <chinglinyu@...gle.com>,
<linux-kernel@...r.kernel.org>,
<linux-trace-kernel@...r.kernel.org>, <mhiramat@...nel.org>,
<namit@...are.com>, <srivatsab@...are.com>,
<srivatsa@...il.mit.edu>, <amakhalov@...are.com>,
<vsirnapalli@...are.com>, <tkundu@...are.com>,
<er.ajay.kaher@...il.com>, Ajay Kaher <akaher@...are.com>
Subject: Re: [PATCH 8/8] eventfs: moving tracing/events to eventfs
Greetings,
FYI, we noticed "BUG: KASAN: use-after-free in dcache_dir_open_wrapper" due to the following commit (built with gcc-11):
commit: be995c36ba2232edcd4fa64e4581b9a6763c75e6 ("[PATCH 8/8] eventfs: moving tracing/events to eventfs")
url: https://github.com/intel-lab-lkp/linux/commits/Ajay-Kaher/eventfs-adding-eventfs-dir-add-functions/20230123-010956
base: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git 2241ab53cbb5cdb08a6b2d4688feb13971058f65
patch link: https://lore.kernel.org/all/1674407228-49109-8-git-send-email-akaher@vmware.com/
patch subject: [PATCH 8/8] eventfs: moving tracing/events to eventfs
in testcase: kernel-selftests
version: kernel-selftests-x86_64-d4cf28ee-1_20230110
with following parameters:
group: ftrace
test-description: The kernel contains a set of "self tests" under the tools/testing/selftests/ directory. These are intended to be small unit tests to exercise individual code paths in the kernel.
test-url: https://www.kernel.org/doc/Documentation/kselftest.txt
on test machine: 4 threads Intel(R) Xeon(R) CPU E3-1225 v5 @ 3.30GHz (Skylake) with 16G memory
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
If you fix the issue, kindly add the following tags:
| Reported-by: kernel test robot <oliver.sang@...el.com>
| Link: https://lore.kernel.org/oe-lkp/202301311549.6afc9591-oliver.sang@intel.com
[ 218.042115][ T2485] BUG: KASAN: use-after-free in dcache_dir_open_wrapper (kbuild/src/x86_64-3/fs/tracefs/event_inode.c:304)
[ 218.049977][ T2485] Read of size 8 at addr ffff8881bf289000 by task ftracetest/2485
[ 218.057664][ T2485]
[ 218.059869][ T2485] CPU: 1 PID: 2485 Comm: ftracetest Not tainted 6.2.0-rc5-00008-gbe995c36ba22 #5
[ 218.068863][ T2485] Hardware name: HP HP Z238 Microtower Workstation/8183, BIOS N51 Ver. 01.63 10/05/2017
[ 218.078463][ T2485] Call Trace:
[ 218.081623][ T2485] <TASK>
[ 218.084431][ T2485] dump_stack_lvl (kbuild/src/x86_64-3/lib/dump_stack.c:107 (discriminator 4))
[ 218.088814][ T2485] print_address_description+0x87/0x2a1
[ 218.095300][ T2485] print_report (kbuild/src/x86_64-3/mm/kasan/report.c:418)
[ 218.099696][ T2485] ? kasan_addr_to_slab (kbuild/src/x86_64-3/mm/kasan/common.c:35)
[ 218.104511][ T2485] ? dcache_dir_open_wrapper (kbuild/src/x86_64-3/fs/tracefs/event_inode.c:304)
[ 218.110027][ T2485] kasan_report (kbuild/src/x86_64-3/mm/kasan/report.c:184 kbuild/src/x86_64-3/mm/kasan/report.c:519)
[ 218.114322][ T2485] ? dcache_dir_open_wrapper (kbuild/src/x86_64-3/fs/tracefs/event_inode.c:304)
[ 218.119838][ T2485] dcache_dir_open_wrapper (kbuild/src/x86_64-3/fs/tracefs/event_inode.c:304)
[ 218.125177][ T2485] ? fsnotify_perm+0x13b/0x4a0
[ 218.130426][ T2485] do_dentry_open (kbuild/src/x86_64-3/fs/open.c:883)
[ 218.135077][ T2485] ? eventfs_create_dir (kbuild/src/x86_64-3/fs/tracefs/event_inode.c:292)
[ 218.140157][ T2485] ? may_open (kbuild/src/x86_64-3/fs/namei.c:3186)
[ 218.144283][ T2485] do_open (kbuild/src/x86_64-3/fs/namei.c:3558)
[ 218.148249][ T2485] path_openat (kbuild/src/x86_64-3/fs/namei.c:3714)
[ 218.152545][ T2485] ? do_open (kbuild/src/x86_64-3/fs/namei.c:3696)
[ 218.156667][ T2485] ? __lock_acquire (kbuild/src/x86_64-3/kernel/locking/lockdep.c:5055)
[ 218.161484][ T2485] do_filp_open (kbuild/src/x86_64-3/fs/namei.c:3741)
[ 218.165865][ T2485] ? may_open_dev (kbuild/src/x86_64-3/fs/namei.c:3735)
[ 218.170267][ T2485] ? alloc_fd (kbuild/src/x86_64-3/fs/file.c:555 (discriminator 10))
[ 218.174478][ T2485] ? do_raw_spin_lock (kbuild/src/x86_64-3/arch/x86/include/asm/atomic.h:202 kbuild/src/x86_64-3/include/linux/atomic/atomic-instrumented.h:543 kbuild/src/x86_64-3/include/asm-generic/qspinlock.h:111 kbuild/src/x86_64-3/kernel/locking/spinlock_debug.c:115)
[ 218.179379][ T2485] ? lock_is_held_type (kbuild/src/x86_64-3/kernel/locking/lockdep.c:5409 kbuild/src/x86_64-3/kernel/locking/lockdep.c:5711)
[ 218.184298][ T2485] ? alloc_fd (kbuild/src/x86_64-3/fs/file.c:555 (discriminator 10))
[ 218.188517][ T2485] ? _raw_spin_unlock (kbuild/src/x86_64-3/arch/x86/include/asm/preempt.h:85 kbuild/src/x86_64-3/include/linux/spinlock_api_smp.h:143 kbuild/src/x86_64-3/kernel/locking/spinlock.c:186)
[ 218.193265][ T2485] ? alloc_fd (kbuild/src/x86_64-3/fs/file.c:555 (discriminator 10))
[ 218.197478][ T2485] ? getname_flags (kbuild/src/x86_64-3/fs/namei.c:205)
[ 218.202642][ T2485] do_sys_openat2 (kbuild/src/x86_64-3/fs/open.c:1310)
[ 218.207197][ T2485] ? lock_is_held_type (kbuild/src/x86_64-3/kernel/locking/lockdep.c:5409 kbuild/src/x86_64-3/kernel/locking/lockdep.c:5711)
[ 218.212093][ T2485] ? build_open_flags (kbuild/src/x86_64-3/fs/open.c:1296)
[ 218.216995][ T2485] ? __might_fault (kbuild/src/x86_64-3/mm/memory.c:5647 kbuild/src/x86_64-3/mm/memory.c:5640)
[ 218.221550][ T2485] ? lock_release (kbuild/src/x86_64-3/kernel/locking/lockdep.c:466 kbuild/src/x86_64-3/kernel/locking/lockdep.c:5690)
[ 218.226011][ T2485] ? rseq_ip_fixup (kbuild/src/x86_64-3/kernel/rseq.c:228 kbuild/src/x86_64-3/kernel/rseq.c:262)
[ 218.230651][ T2485] __x64_sys_openat (kbuild/src/x86_64-3/fs/open.c:1337)
[ 218.235382][ T2485] ? __x64_sys_open (kbuild/src/x86_64-3/fs/open.c:1337)
[ 218.240110][ T2485] ? lockdep_hardirqs_on_prepare (kbuild/src/x86_64-3/kernel/locking/lockdep.c:4528)
[ 218.246579][ T2485] ? syscall_enter_from_user_mode (kbuild/src/x86_64-3/arch/x86/include/asm/irqflags.h:45 kbuild/src/x86_64-3/arch/x86/include/asm/irqflags.h:80 kbuild/src/x86_64-3/kernel/entry/common.c:111)
[ 218.252351][ T2485] ? trace_hardirqs_on (kbuild/src/x86_64-3/kernel/trace/trace_preemptirq.c:50 (discriminator 22))
[ 218.257273][ T2485] do_syscall_64 (kbuild/src/x86_64-3/arch/x86/entry/common.c:50 kbuild/src/x86_64-3/arch/x86/entry/common.c:80)
[ 218.261566][ T2485] ? syscall_exit_to_user_mode (kbuild/src/x86_64-3/kernel/entry/common.c:131 kbuild/src/x86_64-3/kernel/entry/common.c:298)
[ 218.267072][ T2485] ? lockdep_hardirqs_on_prepare (kbuild/src/x86_64-3/kernel/locking/lockdep.c:4528)
[ 218.273544][ T2485] ? do_syscall_64 (kbuild/src/x86_64-3/arch/x86/entry/common.c:87)
[ 218.278012][ T2485] ? do_syscall_64 (kbuild/src/x86_64-3/arch/x86/entry/common.c:87)
[ 218.282475][ T2485] ? do_user_addr_fault (kbuild/src/x86_64-3/arch/x86/mm/fault.c:1457)
[ 218.287556][ T2485] ? irqentry_exit_to_user_mode (kbuild/src/x86_64-3/kernel/entry/common.c:131 kbuild/src/x86_64-3/kernel/entry/common.c:311)
[ 218.293069][ T2485] ? lockdep_hardirqs_on_prepare (kbuild/src/x86_64-3/kernel/locking/lockdep.c:4528)
[ 218.299541][ T2485] entry_SYSCALL_64_after_hwframe (kbuild/src/x86_64-3/arch/x86/entry/entry_64.S:120)
[ 218.305327][ T2485] RIP: 0033:0x7f25686e8e41
[ 218.309637][ T2485] Code: 44 24 18 31 c0 41 83 e2 40 75 3e 89 f0 25 00 00 41 00 3d 00 00 41 00 74 30 89 f2 b8 01 01 00 00 48 89 fe bf 9c ff ff ff 0f 05 <48> 3d 00 f0 ff ff 77 3f 48 8b 54 24 18 64 48 2b 14 25 28 00 00 00
All code
========
0: 44 24 18 rex.R and $0x18,%al
3: 31 c0 xor %eax,%eax
5: 41 83 e2 40 and $0x40,%r10d
9: 75 3e jne 0x49
b: 89 f0 mov %esi,%eax
d: 25 00 00 41 00 and $0x410000,%eax
12: 3d 00 00 41 00 cmp $0x410000,%eax
17: 74 30 je 0x49
19: 89 f2 mov %esi,%edx
1b: b8 01 01 00 00 mov $0x101,%eax
20: 48 89 fe mov %rdi,%rsi
23: bf 9c ff ff ff mov $0xffffff9c,%edi
28: 0f 05 syscall
2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction
30: 77 3f ja 0x71
32: 48 8b 54 24 18 mov 0x18(%rsp),%rdx
37: 64 48 2b 14 25 28 00 sub %fs:0x28,%rdx
3e: 00 00
Code starting with the faulting instruction
===========================================
0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax
6: 77 3f ja 0x47
8: 48 8b 54 24 18 mov 0x18(%rsp),%rdx
d: 64 48 2b 14 25 28 00 sub %fs:0x28,%rdx
14: 00 00
[ 218.329163][ T2485] RSP: 002b:00007ffe4be3f710 EFLAGS: 00000287 ORIG_RAX: 0000000000000101
[ 218.337457][ T2485] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f25686e8e41
[ 218.345319][ T2485] RDX: 0000000000090800 RSI: 0000558c50eafef0 RDI: 00000000ffffff9c
[ 218.353183][ T2485] RBP: 00007ffe4be3f8a0 R08: 0000000000000000 R09: 0000000000000000
[ 218.361045][ T2485] R10: 0000000000000000 R11: 0000000000000287 R12: 0000558c50eae789
[ 218.368906][ T2485] R13: 0000558c50eae788 R14: 0000558c50eca760 R15: 0000000000000800
[ 218.376772][ T2485] </TASK>
[ 218.379669][ T2485]
[ 218.381867][ T2485] Allocated by task 2337:
[ 218.386070][ T2485] kasan_save_stack (kbuild/src/x86_64-3/mm/kasan/common.c:46)
[ 218.390626][ T2485] kasan_set_track (kbuild/src/x86_64-3/mm/kasan/common.c:52)
[ 218.395089][ T2485] __kasan_kmalloc (kbuild/src/x86_64-3/mm/kasan/common.c:381)
[ 218.399557][ T2485] eventfs_add_subsystem_dir (kbuild/src/x86_64-3/fs/tracefs/event_inode.c:417)
[ 218.404985][ T2485] event_subsystem_dir (kbuild/src/x86_64-3/kernel/trace/trace_events.c:2320)
[ 218.409970][ T2485] event_create_dir (kbuild/src/x86_64-3/kernel/trace/trace_events.c:2414)
[ 218.414608][ T2485] trace_add_event_call (kbuild/src/x86_64-3/kernel/trace/trace_events.c:3597 kbuild/src/x86_64-3/kernel/trace/trace_events.c:2910)
[ 218.419593][ T2485] trace_probe_register_event_call (kbuild/src/x86_64-3/kernel/trace/trace_probe.c:1128)
[ 218.425628][ T2485] register_trace_kprobe (kbuild/src/x86_64-3/kernel/trace/trace_kprobe.c:1736 kbuild/src/x86_64-3/kernel/trace/trace_kprobe.c:646)
[ 218.430793][ T2485] __trace_kprobe_create (kbuild/src/x86_64-3/kernel/trace/trace_kprobe.c:882)
[ 218.435950][ T2485] trace_probe_create (kbuild/src/x86_64-3/kernel/trace/trace_probe.c:1234)
[ 218.440680][ T2485] create_or_delete_trace_kprobe (kbuild/src/x86_64-3/kernel/trace/trace_kprobe.c:918)
[ 218.446368][ T2485] trace_parse_run_command (kbuild/src/x86_64-3/kernel/trace/trace.c:10133)
[ 218.451707][ T2485] vfs_write (kbuild/src/x86_64-3/fs/read_write.c:582)
[ 218.455831][ T2485] ksys_write (kbuild/src/x86_64-3/fs/read_write.c:637)
[ 218.459952][ T2485] do_syscall_64 (kbuild/src/x86_64-3/arch/x86/entry/common.c:50 kbuild/src/x86_64-3/arch/x86/entry/common.c:80)
[ 218.464260][ T2485] entry_SYSCALL_64_after_hwframe (kbuild/src/x86_64-3/arch/x86/entry/entry_64.S:120)
[ 218.470040][ T2485]
[ 218.472258][ T2485] Freed by task 2337:
[ 218.476112][ T2485] kasan_save_stack (kbuild/src/x86_64-3/mm/kasan/common.c:46)
[ 218.480663][ T2485] kasan_set_track (kbuild/src/x86_64-3/mm/kasan/common.c:52)
[ 218.485133][ T2485] kasan_save_free_info (kbuild/src/x86_64-3/mm/kasan/generic.c:520)
[ 218.490040][ T2485] __kasan_slab_free (kbuild/src/x86_64-3/mm/kasan/common.c:238 kbuild/src/x86_64-3/mm/kasan/common.c:200 kbuild/src/x86_64-3/mm/kasan/common.c:244)
[ 218.494857][ T2485] slab_free_freelist_hook (kbuild/src/x86_64-3/mm/slub.c:1807)
[ 218.500110][ T2485] __kmem_cache_free (kbuild/src/x86_64-3/mm/slub.c:3787 kbuild/src/x86_64-3/mm/slub.c:3800)
[ 218.504928][ T2485] eventfs_remove (kbuild/src/x86_64-3/fs/tracefs/event_inode.c:618)
[ 218.509396][ T2485] remove_event_file_dir (kbuild/src/x86_64-3/include/linux/list.h:134 kbuild/src/x86_64-3/include/linux/list.h:148 kbuild/src/x86_64-3/kernel/trace/trace_events.c:978 kbuild/src/x86_64-3/kernel/trace/trace_events.c:1001)
[ 218.514553][ T2485] event_remove (kbuild/src/x86_64-3/kernel/trace/trace_events.c:2481 kbuild/src/x86_64-3/kernel/trace/trace_events.c:2520)
[ 218.518928][ T2485] trace_remove_event_call (kbuild/src/x86_64-3/kernel/trace/trace_events.c:2924 kbuild/src/x86_64-3/kernel/trace/trace_events.c:2960 kbuild/src/x86_64-3/kernel/trace/trace_events.c:2980)
[ 218.524270][ T2485] trace_kprobe_release (kbuild/src/x86_64-3/kernel/trace/trace_kprobe.c:547 kbuild/src/x86_64-3/kernel/trace/trace_kprobe.c:1091)
[ 218.529347][ T2485] dyn_events_release_all (kbuild/src/x86_64-3/kernel/trace/trace_dynevent.c:213)
[ 218.534596][ T2485] probes_open (kbuild/src/x86_64-3/kernel/trace/trace_kprobe.c:1151)
[ 218.538717][ T2485] do_dentry_open (kbuild/src/x86_64-3/fs/open.c:883)
[ 218.543349][ T2485] do_open (kbuild/src/x86_64-3/fs/namei.c:3558)
[ 218.547309][ T2485] path_openat (kbuild/src/x86_64-3/fs/namei.c:3714)
[ 218.551612][ T2485] do_filp_open (kbuild/src/x86_64-3/fs/namei.c:3741)
[ 218.555993][ T2485] do_sys_openat2 (kbuild/src/x86_64-3/fs/open.c:1310)
[ 218.560548][ T2485] __x64_sys_openat (kbuild/src/x86_64-3/fs/open.c:1337)
[ 218.565284][ T2485] do_syscall_64 (kbuild/src/x86_64-3/arch/x86/entry/common.c:50 kbuild/src/x86_64-3/arch/x86/entry/common.c:80)
[ 218.569573][ T2485] entry_SYSCALL_64_after_hwframe (kbuild/src/x86_64-3/arch/x86/entry/entry_64.S:120)
[ 218.575340][ T2485]
[ 218.577545][ T2485] The buggy address belongs to the object at ffff8881bf289000
[ 218.577545][ T2485] which belongs to the cache kmalloc-16 of size 16
[ 218.591321][ T2485] The buggy address is located 0 bytes inside of
[ 218.591321][ T2485] 16-byte region [ffff8881bf289000, ffff8881bf289010)
[ 218.604229][ T2485]
[ 218.606431][ T2485] The buggy address belongs to the physical page:
[ 218.612722][ T2485] page:0000000007538459 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bf289
[ 218.622847][ T2485] flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)
[ 218.630534][ T2485] raw: 0017ffffc0000200 ffff8881000423c0 dead000000000122 0000000000000000
[ 218.639008][ T2485] raw: 0000000000000000 0000000000800080 00000001ffffffff 0000000000000000
[ 218.647478][ T2485] page dumped because: kasan: bad access detected
[ 218.653773][ T2485]
[ 218.655978][ T2485] Memory state around the buggy address:
[ 218.661485][ T2485] ffff8881bf288f00: 00 00 00 fc fc 00 00 00 fc fc 00 00 00 fc fc 00
[ 218.669446][ T2485] ffff8881bf288f80: 00 00 fc fc 00 00 00 fc fc 00 00 00 fc fc fc fc
[ 218.677389][ T2485] >ffff8881bf289000: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 218.685333][ T2485] ^
[ 218.689278][ T2485] ffff8881bf289080: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
[ 218.697237][ T2485] ffff8881bf289100: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
To reproduce:
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
sudo bin/lkp install job.yaml # job file is attached in this email
bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
sudo bin/lkp run generated-yaml-file
# if you come across any failure that blocks the test,
# please remove ~/.lkp and /lkp dir to run from a clean state.
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests
View attachment "config-6.2.0-rc5-00008-gbe995c36ba22" of type "text/plain" (169783 bytes)
View attachment "job-script" of type "text/plain" (6543 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (48756 bytes)
View attachment "kernel-selftests" of type "text/plain" (210724 bytes)
View attachment "job.yaml" of type "text/plain" (5098 bytes)
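The report above is three stacks and a shadow dump interleaved with lockdep noise, and the facts that matter for triage are spread across it: the 16-byte object was allocated in eventfs_add_subsystem_dir, freed in eventfs_remove by task 2337 (via probes_open and dyn_events_release_all), and then read at offset 0 by task 2485 in dcache_dir_open_wrapper, with the shadow byte at that address showing 0xfa (freed). The script below, an added example that is not part of the kernel test robot's message or of the eventfs patch series, pulls those fields out of a dmesg excerpt. SAMPLE is a constructed, shortened copy of the report above with the kbuild/src/x86_64-3/ path prefix dropped; KASAN_SHADOW is the generic-mode shadow-byte encoding from mm/kasan/kasan.h (one shadow byte per 8 bytes of memory); INTERNAL is my own heuristic list of KASAN/SLUB frames to skip when looking for the first frame in the code under test.

```python
"""Triage a generic-KASAN dmesg report: bug type, faulting access, first
non-instrumentation frame of each stack, slab cache and decoded shadow byte.
Added example, not part of the kernel test robot's message; SAMPLE is a
constructed, shortened excerpt of the report above (build-tree prefix dropped)."""
import re

# Shadow-byte encoding of generic (software) KASAN, from mm/kasan/kasan.h.
KASAN_SHADOW = {0x00: "addressable", 0xF9: "global redzone",
                0xFA: "freed slab object (free-track here)", 0xFB: "freed slab object",
                0xFC: "slab redzone", 0xFE: "page redzone", 0xFF: "freed page"}
# Heuristic: frames from KASAN/SLUB bookkeeping rather than from the code under test.
INTERNAL = ("kasan_", "__kasan_", "dump_stack", "print_", "slab_free",
            "__kmem_cache_free", "kmem_cache_free", "kfree")

_PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s?")  # dmesg "[ 218.04][ T2485] "
_HEADER = re.compile(r"BUG: KASAN: (?P<type>[\w-]+) in (?P<func>[\w.]+)(?: \((?P<loc>[^)]*)\))?")
_ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<comm>\S+)/(?P<pid>\d+)")
_FRAME = re.compile(r"^(?P<unrel>\? )?(?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?(?: \((?P<loc>.*)\))?$")
_TRACK = re.compile(r"^(?P<kind>Allocated|Freed) by task (?P<pid>\d+):$")
_CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
_SHADOW = re.compile(r"^>(?P<addr>[0-9a-f]{16}): (?P<bytes>[0-9a-f ]+)$")  # '>' row holds the address

def parse_kasan_report(text):
    rep, section = {"stacks": {}, "tasks": {}}, None
    for raw in text.splitlines():
        line = _PREFIX.sub("", raw).strip()
        if not line:
            continue
        if m := _HEADER.search(line):
            rep.update(type=m["type"], func=m["func"], loc=m["loc"])
        elif m := _ACCESS.search(line):
            rep["access"] = {"rw": m["rw"], "size": int(m["size"]), "addr": int(m["addr"], 16),
                             "comm": m["comm"], "pid": int(m["pid"])}
        elif line == "Call Trace:":
            section, rep["stacks"]["access"] = "access", []
        elif m := _TRACK.match(line):
            section = "alloc" if m["kind"] == "Allocated" else "free"
            rep["stacks"][section], rep["tasks"][section] = [], int(m["pid"])
        elif line.startswith(("</TASK>", "The buggy address")):
            section = None  # a stack section has ended
        elif m := _CACHE.search(line):
            rep["cache"], rep["obj_size"] = m["cache"], int(m["size"])
        elif m := _SHADOW.match(line):
            rep["shadow"] = {"addr": int(m["addr"], 16), "bytes": [int(b, 16) for b in m["bytes"].split()]}
        elif section and (m := _FRAME.match(line)):
            rep["stacks"][section].append({"func": m["func"], "loc": m["loc"], "unreliable": bool(m["unrel"])})
    return rep

def first_real_frame(frames):
    """First reliable frame (no '? ') that is not KASAN/SLUB bookkeeping."""
    for f in frames:
        if not f["unreliable"] and not f["func"].startswith(INTERNAL):
            return f["func"]
    return None

def shadow_state(rep):
    """(shadow byte, meaning) for the 8-byte granule that holds the faulting address."""
    if (sh := rep.get("shadow")) is None:
        return None
    idx = (rep["access"]["addr"] - sh["addr"]) // 8  # generic KASAN: one shadow byte per 8 bytes
    if not 0 <= idx < len(sh["bytes"]):
        return None
    b = sh["bytes"][idx]
    return b, (f"partially addressable ({b} bytes)" if 1 <= b <= 7 else KASAN_SHADOW.get(b, "unknown"))

def triage(text):
    """Lifecycle summary: where the object was allocated, freed and then touched."""
    rep = parse_kasan_report(text)
    st, a = rep["stacks"], rep["access"]
    out = {"bug": rep["type"], "site": rep["func"], "loc": rep["loc"], "cache": rep.get("cache"),
           "access": f'{a["rw"]} {a["size"]} @ {a["addr"]:#x} by {a["comm"]}/{a["pid"]}',
           "alloc": first_real_frame(st.get("alloc", [])),
           "free": first_real_frame(st.get("free", [])),
           "shadow": shadow_state(rep),
           "cross_task": rep["tasks"].get("free") not in (None, a["pid"])}
    out["lifecycle"] = f'{out["alloc"]} -> {out["free"]} -> {out["site"]} ({out["bug"]})'
    return out

SAMPLE = """\
[ 218.042115][ T2485] BUG: KASAN: use-after-free in dcache_dir_open_wrapper (fs/tracefs/event_inode.c:304)
[ 218.049977][ T2485] Read of size 8 at addr ffff8881bf289000 by task ftracetest/2485
[ 218.078463][ T2485] Call Trace:
[ 218.084431][ T2485] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 4))
[ 218.110027][ T2485] kasan_report (mm/kasan/report.c:184 mm/kasan/report.c:519)
[ 218.114322][ T2485] ? dcache_dir_open_wrapper (fs/tracefs/event_inode.c:304)
[ 218.119838][ T2485] dcache_dir_open_wrapper (fs/tracefs/event_inode.c:304)
[ 218.381867][ T2485] Allocated by task 2337:
[ 218.386070][ T2485] kasan_save_stack (mm/kasan/common.c:46)
[ 218.395089][ T2485] __kasan_kmalloc (mm/kasan/common.c:381)
[ 218.399557][ T2485] eventfs_add_subsystem_dir (fs/tracefs/event_inode.c:417)
[ 218.472258][ T2485] Freed by task 2337:
[ 218.490040][ T2485] __kasan_slab_free (mm/kasan/common.c:238)
[ 218.494857][ T2485] slab_free_freelist_hook (mm/slub.c:1807)
[ 218.500110][ T2485] __kmem_cache_free (mm/slub.c:3787)
[ 218.504928][ T2485] eventfs_remove (fs/tracefs/event_inode.c:618)
[ 218.577545][ T2485] The buggy address belongs to the object at ffff8881bf289000
[ 218.577545][ T2485] which belongs to the cache kmalloc-16 of size 16
[ 218.677389][ T2485] >ffff8881bf289000: fa fb fc fc fa fb fc fc fa fb fc fc fa fb fc fc
"""
```

Run it over the full attached dmesg rather than the excerpt. The cross_task flag is what separates this from a plain local use-after-free: the faulting task never freed anything, so a reference to the eventfs object survived eventfs_remove and was dereferenced by the next open of the directory; the shadow byte 0xfa at offset 0 of the kmalloc-16 object confirms the read landed on freed memory rather than on a redzone.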