Message-ID: <CACT4Y+Z+zyUipyMceoPS_=LFEfvTURXFRMmLUTZJz1K0b+xsaA@mail.gmail.com>
Date: Thu, 26 Sep 2024 08:48:53 +0200
From: Dmitry Vyukov <dvyukov@...gle.com>
To: Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>, 
	syzkaller <syzkaller@...glegroups.com>, Marco Elver <elver@...gle.com>, 
	Alexander Potapenko <glider@...gle.com>
Cc: syzbot <syzbot+d5db198a0f40411f24c3@...kaller.appspotmail.com>, 
	syzkaller-bugs@...glegroups.com, linux-kernel@...r.kernel.org
Subject: Re: [syzbot] upstream test error: BUG: stack guard page was hit in corrupted

On Mon, 23 Sept 2024 at 16:04, Tetsuo Handa
<penguin-kernel@...ove.sakura.ne.jp> wrote:
>
> This bug suggests code added by commit 6cd0dd934b03 ("kcov: Add interrupt handling self test").
>
> The location that triggers page fault looks like
>
>   pos = READ_ONCE(area[0]) + 1;
>
> in __sanitizer_cov_trace_pc().
> When is t->kcov_area initialized with appropriate buffer
> after selftest() does current->kcov_mode = KCOV_MODE_TRACE_PC ?
>
> At commit de5cb0dcb74c ("Merge branch 'address-masking'"):
> $ ./scripts/faddr2line vmlinux-de5cb0dc asm_exc_page_fault+0x26/0x30 sched_clock+0xb/0x60 __sanitizer_cov_trace_pc+0x53/0x70 sched_clock+0xb/0x60 lock_pin_lock+0x1a9/0x2d0 preempt_schedule_irq+0x51/0x90 __schedule+0x2f2/0x5920 lockdep_hardirqs_on+0x7c/0x110 preempt_schedule_thunk+0x1a/0x30 preempt_schedule_common+0x44/0xc0 preempt_schedule_thunk+0x1a/0x30 __pfx___schedule+0x10/0x10 vprintk_emit+0x39e/0x6f0 __pfx_vprintk_emit+0x10/0x10 __debugfs_create_file+0x40e/0x660 __pfx_lock_release+0x10/0x10 preempt_schedule_irq+0x51/0x90 irqentry_exit+0x36/0x90 asm_sysvec_apic_timer_interrupt+0x1a/0x20 __wake_up_klogd.part.0+0x99/0xf0 vprintk+0x86/0xa0 kcov_init+0xcc/0x120 kcov_init+0xb3/0x120
> asm_exc_page_fault+0x26/0x30:
> asm_exc_page_fault at arch/x86/include/asm/idtentry.h:623
>
> sched_clock+0xb/0x60:
> __preempt_count_add at arch/x86/include/asm/preempt.h:79
> (inlined by) sched_clock at arch/x86/kernel/tsc.c:283
>
> __sanitizer_cov_trace_pc+0x53/0x70:
> __sanitizer_cov_trace_pc at kernel/kcov.c:222
>
> sched_clock+0xb/0x60:
> __preempt_count_add at arch/x86/include/asm/preempt.h:79
> (inlined by) sched_clock at arch/x86/kernel/tsc.c:283
>
> lock_pin_lock+0x1a9/0x2d0:
> __lock_pin_lock at kernel/locking/lockdep.c:5593
> (inlined by) lock_pin_lock at kernel/locking/lockdep.c:5915
>
> preempt_schedule_irq+0x51/0x90:
> native_save_fl at arch/x86/include/asm/irqflags.h:26
> (inlined by) arch_local_save_flags at arch/x86/include/asm/irqflags.h:87
> (inlined by) arch_irqs_disabled at arch/x86/include/asm/irqflags.h:147
> (inlined by) preempt_schedule_irq at kernel/sched/core.c:6997
>
> __schedule+0x2f2/0x5920:
> __schedule at kernel/sched/core.c:6579
>
> lockdep_hardirqs_on+0x7c/0x110:
> lockdep_hardirqs_on at kernel/locking/lockdep.c:4465
>
> preempt_schedule_thunk+0x1a/0x30:
> preempt_schedule_thunk at arch/x86/entry/thunk.S:12
>
> preempt_schedule_common+0x44/0xc0:
> __preempt_count_sub at arch/x86/include/asm/preempt.h:84
> (inlined by) preempt_schedule_common at kernel/sched/core.c:6855
>
> preempt_schedule_thunk+0x1a/0x30:
> preempt_schedule_thunk at arch/x86/entry/thunk.S:12
>
> __pfx___schedule+0x10/0x10:
> __schedule at kernel/sched/core.c:6533
>
> vprintk_emit+0x39e/0x6f0:
> vprintk_emit at kernel/printk/printk.c:2356
>
> __pfx_vprintk_emit+0x10/0x10:
> vprintk_emit at kernel/printk/printk.c:2356
>
> __debugfs_create_file+0x40e/0x660:
> end_creating at fs/debugfs/inode.c:409
> (inlined by) __debugfs_create_file at fs/debugfs/inode.c:450
>
> __pfx_lock_release+0x10/0x10:
> lock_release at kernel/locking/lockdep.c:5830
>
> preempt_schedule_irq+0x51/0x90:
> native_save_fl at arch/x86/include/asm/irqflags.h:26
> (inlined by) arch_local_save_flags at arch/x86/include/asm/irqflags.h:87
> (inlined by) arch_irqs_disabled at arch/x86/include/asm/irqflags.h:147
> (inlined by) preempt_schedule_irq at kernel/sched/core.c:6997
>
> irqentry_exit+0x36/0x90:
> irqentry_exit at kernel/entry/common.c:357
>
> asm_sysvec_apic_timer_interrupt+0x1a/0x20:
> asm_sysvec_apic_timer_interrupt at arch/x86/include/asm/idtentry.h:702
>
> __wake_up_klogd.part.0+0x99/0xf0:
> __wake_up_klogd at kernel/printk/printk.c:4495
>
> vprintk+0x86/0xa0:
> vprintk at kernel/printk/printk_safe.c:69
>
> kcov_init+0xcc/0x120:
> selftest at kernel/kcov.c:1090
> (inlined by) kcov_init at kernel/kcov.c:1117
>
> kcov_init+0xb3/0x120:
> selftest at kernel/kcov.c:1088
> (inlined by) kcov_init at kernel/kcov.c:1117


The call chain here seems to be:

asm_sysvec_apic_timer_interrupt

irqentry_exit (calls next function inside of instrumentation_begin/end
thus undetected statically)
irqentry_exit_cond_resched
raw_irqentry_exit_cond_resched
preempt_schedule_irq
[some locking function]
lock_pin_lock
sched_clock
__sanitizer_cov_trace_pc
[BOOM]

All functions in the scheduler and lockdep (preempt_schedule_irq,
lock_pin_lock) are not instrumented due to KCOV_INSTRUMENT := n in
Makefiles.

But sched_clock is instrumented. It has notrace, but no noinstr.

Should notrace imply noinstr? Or should we mark sched_clock as noinstr as well?



> On 2024/09/19 7:23, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    4a39ac5b7d62 Merge tag 'random-6.12-rc1-for-linus' of git:..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=153e7fc7980000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=c78e7c8f41d443e6
> > dashboard link: https://syzkaller.appspot.com/bug?extid=d5db198a0f40411f24c3
> > compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
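An added example, not code from this thread, from syzbot or from kernel/kcov.c: a small user-space C model of the per-task kcov state and of the compiler-inserted `__sanitizer_cov_trace_pc()` hook. It shows the failure mode discussed above (the selftest sets `kcov_mode = KCOV_MODE_TRACE_PC` while `kcov_area` is still unset, and the next instrumented function, such as `sched_clock()` reached from a preemption point, dereferences `area[0]`) beside the safe publish order the real `kcov_start()` uses, where size and area are written before the mode flag. The `struct task`, the `faulted` flag (used in place of a real page fault), `instrumented_fn()` and the two `run_*` helpers are constructed for this model and are assumptions, not kernel API; only the field names and the mode-check-then-`area[0]` shape follow the hook quoted in the thread.

```c
/*
 * User-space model of kcov's per-task state and trace hook (constructed
 * example, not kernel code). A mode flag that is published before the
 * buffer it guards lets the hook run against a NULL area.
 */
#include <stddef.h>
#include <stdio.h>

enum kcov_mode { KCOV_MODE_DISABLED = 0, KCOV_MODE_TRACE_PC = 2 };

/* Model of the kcov fields kept in task_struct (constructed). */
struct task {
	enum kcov_mode kcov_mode;
	unsigned long *kcov_area;   /* word 0 = count, words 1.. = recorded PCs */
	unsigned int   kcov_size;   /* in words */
};

static struct task *current_task;  /* the task the hook sees */
static int faulted;                /* set instead of taking a real page fault */

/* Model of the hook the compiler inserts into every instrumented (non-noinstr)
 * function. Like the kernel hook it only checks the mode, so it relies on the
 * invariant "mode == TRACE_PC implies kcov_area is valid". */
static void sanitizer_cov_trace_pc(unsigned long ip)
{
	struct task *t = current_task;
	unsigned long *area;
	unsigned long pos;

	if (t->kcov_mode != KCOV_MODE_TRACE_PC)
		return;
	area = t->kcov_area;
	if (!area) {              /* the real hook has no such check: area[0] faults */
		faulted = 1;
		return;
	}
	pos = area[0] + 1;
	if (pos < t->kcov_size) {
		area[0] = pos;        /* update count before storing the PC */
		area[pos] = ip;
	}
}

/* Stands in for any instrumented function (sched_clock() in the thread) that
 * happens to run while the mode flag is on. PC value is constructed. */
static unsigned long instrumented_fn(void)
{
	sanitizer_cov_trace_pc(0x1000);
	return 42;
}

/* Buggy order from the thread: flip the mode with no buffer behind it.
 * Returns 1 if the hook would have faulted. */
static int run_selftest_mode_only(struct task *t)
{
	faulted = 0;
	current_task = t;
	t->kcov_mode = KCOV_MODE_TRACE_PC;   /* kcov_area is still NULL here */
	instrumented_fn();
	t->kcov_mode = KCOV_MODE_DISABLED;
	return faulted;
}

/* Safe order modelled on kcov_start(): publish size and area first, then the
 * mode that allows the hook to run. Returns 1 if the hook faulted. */
static int run_enable_area_then_mode(struct task *t, unsigned long *buf, unsigned int words)
{
	faulted = 0;
	current_task = t;
	buf[0] = 0;
	t->kcov_size = words;
	t->kcov_area = buf;
	__atomic_signal_fence(__ATOMIC_SEQ_CST); /* stands in for the kernel's barrier() */
	t->kcov_mode = KCOV_MODE_TRACE_PC;
	instrumented_fn();
	t->kcov_mode = KCOV_MODE_DISABLED;
	return faulted;
}

/* Number of PCs recorded in the task's area (0 if no area). */
static unsigned long recorded_pcs(const struct task *t)
{
	return t->kcov_area ? t->kcov_area[0] : 0;
}

int main(void)
{
	struct task bad = {0}, good = {0};
	unsigned long buf[8];

	printf("mode-only enable faults: %d\n", run_selftest_mode_only(&bad));
	printf("area-then-mode faults: %d, PCs recorded: %lu\n",
	       run_enable_area_then_mode(&good, buf, 8), recorded_pcs(&good));
	return 0;
}
```

The point of the model is the invariant the hook depends on rather than the hook itself: whoever sets `kcov_mode` to a tracing mode is responsible for having made `kcov_area` and `kcov_size` visible first, because the hook can be entered from any instrumented function, including one reached through interrupt-exit preemption as in the trace above. Marking such a function `noinstr` removes the hook call; keeping the publish order removes the dependence on which functions are instrumented.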
