lists.openwall.net: Open Source and information security mailing list archives
Date: Tue, 18 Jun 2024 10:57:29 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Vlastimil Babka <vbabka@...e.cz>
CC: <oe-lkp@...ts.linux.dev>, <lkp@...el.com>, <linux-kernel@...r.kernel.org>,
	<oliver.sang@...el.com>
Subject: [vbabka:b4/fault-injection-statickeys] [fault] 1ab5c34bcc:
 BUG:KASAN:stack-out-of-bounds_in_debugfs_prob_set



Hello,

kernel test robot noticed "BUG:KASAN:stack-out-of-bounds_in_debugfs_prob_set" on:

commit: 1ab5c34bcc6c6d033cfac4aa89846ffb3eb49e3f ("fault-inject: add support for static keys around fault injection sites")
https://git.kernel.org/cgit/linux/kernel/git/vbabka/linux.git b4/fault-injection-statickeys

in testcase: blktests
version: blktests-x86_64-1c4ae4f-1_20240611
with following parameters:

	disk: 1SSD
	test: block-group-01



compiler: gcc-13
test machine: 4 threads Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (Skylake) with 32G memory

(please refer to attached dmesg/kmsg for entire log/backtrace)



If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <oliver.sang@...el.com>
| Closes: https://lore.kernel.org/oe-lkp/202406181001.86c775d7-oliver.sang@intel.com


[ 313.831312][ T3950] BUG: KASAN: stack-out-of-bounds in debugfs_prob_set (lib/fault-inject.c:204) 
[  313.838759][ T3950] Read of size 8 at addr ffffc90000037d68 by task check/3950
[  313.845940][ T3950]
[  313.848115][ T3950] CPU: 3 PID: 3950 Comm: check Not tainted 6.10.0-rc1-00002-g1ab5c34bcc6c #1
[  313.856680][ T3950] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.8.1 12/05/2017
[  313.864726][ T3950] Call Trace:
[  313.867849][ T3950]  <TASK>
[ 313.870627][ T3950] dump_stack_lvl (lib/dump_stack.c:117) 
[ 313.874962][ T3950] print_address_description+0x30/0x410 
[ 313.881371][ T3950] ? debugfs_prob_set (lib/fault-inject.c:204) 
[ 313.886049][ T3950] print_report (mm/kasan/report.c:489) 
[ 313.890296][ T3950] ? kasan_addr_to_slab (mm/kasan/common.c:37) 
[ 313.895061][ T3950] ? debugfs_prob_set (lib/fault-inject.c:204) 
[ 313.899739][ T3950] kasan_report (mm/kasan/report.c:603) 
[ 313.903987][ T3950] ? debugfs_prob_set (lib/fault-inject.c:204) 
[ 313.908667][ T3950] ? __pfx_debugfs_prob_set (lib/fault-inject.c:199) 
[ 313.913865][ T3950] debugfs_prob_set (lib/fault-inject.c:204) 
[ 313.918374][ T3950] ? __pfx_debugfs_prob_set (lib/fault-inject.c:199) 
[ 313.923567][ T3950] simple_attr_write_xsigned+0x1a1/0x260 
[ 313.929629][ T3950] ? __pfx_simple_attr_write_xsigned+0x10/0x10 
[ 313.936205][ T3950] ? folio_unlock (arch/x86/include/asm/bitops.h:101 include/asm-generic/bitops/instrumented-lock.h:80 include/linux/page-flags.h:762 mm/filemap.c:1508) 
[ 313.940548][ T3950] full_proxy_write (fs/debugfs/file.c:328 (discriminator 1)) 
[ 313.945161][ T3950] vfs_write (fs/read_write.c:588) 
[ 313.949243][ T3950] ? down_read_trylock (arch/x86/include/asm/atomic64_64.h:20 include/linux/atomic/atomic-arch-fallback.h:2629 include/linux/atomic/atomic-long.h:79 include/linux/atomic/atomic-instrumented.h:3224 kernel/locking/rwsem.c:176 kernel/locking/rwsem.c:181 kernel/locking/rwsem.c:1288 kernel/locking/rwsem.c:1565) 
[ 313.954192][ T3950] ? __pfx_vfs_write (fs/read_write.c:571) 
[ 313.958791][ T3950] ? __fget_light (include/linux/atomic/atomic-arch-fallback.h:479 (discriminator 2) include/linux/atomic/atomic-instrumented.h:50 (discriminator 2) fs/file.c:1145 (discriminator 2)) 
[ 313.963221][ T3950] ksys_write (fs/read_write.c:643) 
[ 313.967298][ T3950] ? __pfx_ksys_write (fs/read_write.c:633) 
[ 313.971978][ T3950] ? do_user_addr_fault (arch/x86/mm/fault.c:1342) 
[ 313.977004][ T3950] do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1)) 
[ 313.981340][ T3950] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[  313.987057][ T3950] RIP: 0033:0x7f563926c240
[ 313.991304][ T3950] Code: 40 00 48 8b 15 c1 9b 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d a1 23 0e 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89
All code
========
   0:	40 00 48 8b          	add    %cl,-0x75(%rax)
   4:	15 c1 9b 0d 00       	adc    $0xd9bc1,%eax
   9:	f7 d8                	neg    %eax
   b:	64 89 02             	mov    %eax,%fs:(%rdx)
   e:	48 c7 c0 ff ff ff ff 	mov    $0xffffffffffffffff,%rax
  15:	eb b7                	jmp    0xffffffffffffffce
  17:	0f 1f 00             	nopl   (%rax)
  1a:	80 3d a1 23 0e 00 00 	cmpb   $0x0,0xe23a1(%rip)        # 0xe23c2
  21:	74 17                	je     0x3a
  23:	b8 01 00 00 00       	mov    $0x1,%eax
  28:	0f 05                	syscall 
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 58                	ja     0x8a
  32:	c3                   	retq   
  33:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
  3a:	48 83 ec 28          	sub    $0x28,%rsp
  3e:	48                   	rex.W
  3f:	89                   	.byte 0x89

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 58                	ja     0x60
   8:	c3                   	retq   
   9:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
  10:	48 83 ec 28          	sub    $0x28,%rsp
  14:	48                   	rex.W
  15:	89                   	.byte 0x89
[  314.010655][ T3950] RSP: 002b:00007fff65b08d98 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
[  314.018875][ T3950] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f563926c240
[  314.026658][ T3950] RDX: 0000000000000004 RSI: 0000556c73d1f0f0 RDI: 0000000000000001
[  314.034442][ T3950] RBP: 0000556c73d1f0f0 R08: 0000000000000007 R09: 0000000000000073
[  314.042228][ T3950] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000004
[  314.050013][ T3950] R13: 00007f5639347760 R14: 0000000000000004 R15: 00007f56393429e0
[  314.057802][ T3950]  </TASK>
[  314.060668][ T3950]
[  314.062843][ T3950] The buggy address belongs to the virtual mapping at
[  314.062843][ T3950]  [ffffc90000030000, ffffc90000039000) created by:
[ 314.062843][ T3950] dup_task_struct (kernel/fork.c:1116) 
[  314.080302][ T3950]
[  314.082489][ T3950] The buggy address belongs to the physical page:
[  314.088733][ T3950] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10d62b
[  314.097382][ T3950] flags: 0x17ffffc0000000(node=0|zone=2|lastcpupid=0x1fffff)
[  314.104576][ T3950] raw: 0017ffffc0000000 0000000000000000 dead000000000122 0000000000000000
[  314.112965][ T3950] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[  314.121355][ T3950] page dumped because: kasan: bad access detected
[  314.127585][ T3950]
[  314.129759][ T3950] Memory state around the buggy address:
[  314.135214][ T3950]  ffffc90000037c00: 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 00 00
[  314.143086][ T3950]  ffffc90000037c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  314.150958][ T3950] >ffffc90000037d00: 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 f2 f2 f2
[  314.158832][ T3950]                                                           ^
[  314.166099][ T3950]  ffffc90000037d80: 00 00 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00
[  314.173969][ T3950]  ffffc90000037e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
[  314.181851][ T3950] ==================================================================
[  314.189769][ T3950] Disabling lock debugging due to kernel taint



The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20240618/202406181001.86c775d7-oliver.sang@intel.com



-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
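The "Memory state around the buggy address" rows above carry the information a triager needs: which kind of redzone the 8-byte read landed in, and which stack slot sits just below it. The script below decodes those rows. It is an added example, not part of the robot's message or of the kernel's own tooling; it assumes only the generic KASAN shadow encoding (one shadow byte per 8-byte granule: 00 fully addressable, 01..07 partially addressable, f1/f2/f3/f4 the stack left/mid/right/partial redzones from mm/kasan/kasan.h) and embeds the five shadow rows and the faulting address copied from the report, with the dmesg prefix stripped.

```python
"""Decode the 'Memory state around the buggy address' block of a KASAN report.

Added example for triaging the report above; not part of the original message
or of the kernel test robot's tooling. Shadow values are those of the kernel's
generic KASAN (mm/kasan/kasan.h); the rows are copied from the report.
"""
import re

KASAN_GRANULE = 8  # one shadow byte describes 8 bytes of real memory

# Stack poison values as defined in mm/kasan/kasan.h.
POISON = {
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone",
    0xF3: "stack right redzone",
    0xF4: "stack partial redzone",
}

# Shadow rows copied from the report above; '>' marks the row holding the
# faulting address. Each row covers 16 granules = 128 bytes.
REPORT = """\
 ffffc90000037c00: 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 00 00
 ffffc90000037c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90000037d00: 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 f2 f2 f2
 ffffc90000037d80: 00 00 00 00 00 f3 f3 f3 f3 f3 00 00 00 00 00 00
 ffffc90000037e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
"""

# Taken from the 'Read of size 8 at addr ffffc90000037d68' line of the report.
FAULT_ADDR = 0xFFFFC90000037D68
FAULT_SIZE = 8

ROW_RE = re.compile(r"^[> ]?([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")


def parse_shadow(text):
    """Map the start address of every granule in the dump to its shadow byte."""
    shadow = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, byte in enumerate(m.group(2).split()):
            shadow[base + i * KASAN_GRANULE] = int(byte, 16)
    return shadow


def describe_byte(shadow_byte, offset):
    """Classify one byte given its granule's shadow value and the byte's
    offset (0..7) inside that granule."""
    if shadow_byte == 0:
        return "addressable"
    if 1 <= shadow_byte <= 7:          # only the first N bytes are valid
        return "addressable" if offset < shadow_byte else "partial granule tail"
    return POISON.get(shadow_byte, "other poison 0x%02x" % shadow_byte)


def classify_access(shadow, addr, size):
    """Return [(byte address, description)] for each byte the access touched."""
    out = []
    for a in range(addr, addr + size):
        granule = a - a % KASAN_GRANULE
        if granule not in shadow:
            raise KeyError("0x%x is outside the dumped shadow window" % a)
        out.append((a, describe_byte(shadow[granule], a % KASAN_GRANULE)))
    return out


def preceding_object(shadow, addr):
    """Find the addressable run immediately below addr, i.e. the stack slot the
    access ran off the end of. Returns (start, length) or None. If addr itself
    is addressable, the run ending at addr's granule is returned instead."""
    g = addr - addr % KASAN_GRANULE
    while g in shadow and shadow[g] > 7:       # step back over poison
        g -= KASAN_GRANULE
    if g not in shadow:
        return None
    end = g + (shadow[g] or KASAN_GRANULE)     # partial granule ends early
    while g - KASAN_GRANULE in shadow and shadow[g - KASAN_GRANULE] == 0:
        g -= KASAN_GRANULE
    return g, end - g


def triage(text, addr, size):
    """Summarise an access against the dump: which poison it hit, which object
    sits just below it, and how far past that object the access started."""
    shadow = parse_shadow(text)
    bytes_ = classify_access(shadow, addr, size)
    poison = {d for _, d in bytes_ if d != "addressable"}
    obj = preceding_object(shadow, addr)
    overrun = addr - (obj[0] + obj[1]) if obj else None
    return {"bytes": bytes_, "poison": poison, "object": obj, "overrun": overrun}


if __name__ == "__main__":
    r = triage(REPORT, FAULT_ADDR, FAULT_SIZE)
    start, length = r["object"]
    print("access hits:", ", ".join(sorted(r["poison"])))
    print("closest addressable run below it: %d bytes at 0x%x" % (length, start))
    print("access begins %d byte(s) past its end" % r["overrun"])
```

Run against the rows from the report, it shows that all eight bytes of the read at 0xffffc90000037d68 lie in a stack mid redzone (shadow f2), and that the nearest addressable run below it is a single 8-byte granule at 0xffffc90000037d60 bounded on the left by f1 bytes; the read therefore starts exactly at the end of an 8-byte stack slot, between two variables of one frame rather than past the frame's edge. Which variable that is has to come from the line lib/fault-inject.c:204 and the vmlinux in the attached materials, which this decoder does not attempt to resolve.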
