Message-ID: <202410281338.59203d1a-oliver.sang@intel.com>
Date: Mon, 28 Oct 2024 14:10:14 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Namhyung Kim <namhyung@...nel.org>
CC: <oe-lkp@...ts.linux.dev>, <lkp@...el.com>,
	<linux-perf-users@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
	<oliver.sang@...el.com>
Subject: [namhyung-perf:perf/ibs-swfilt-v4] [perf/core] 5c5371bf97:
 BUG:KASAN:slab-out-of-bounds_in__perf_read_group_add



Hello,

kernel test robot noticed "BUG:KASAN:slab-out-of-bounds_in__perf_read_group_add" on:

commit: 5c5371bf97a3e321d5e032779f1996a0dd054cc0 ("perf/core: Add PERF_FORMAT_DROPPED")
https://git.kernel.org/cgit/linux/kernel/git/namhyung/linux-perf.git perf/ibs-swfilt-v4

in testcase: trinity
version: trinity-i386-abe9de86-1_20230429
with the following parameters:

	runtime: 300s
	group: group-02
	nr_groups: 5



config: x86_64-randconfig-121-20241024
compiler: gcc-12
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

(please refer to attached dmesg/kmsg for entire log/backtrace)


+------------------------------------------------------+------------+------------+
|                                                      | de20037e1b | 5c5371bf97 |
+------------------------------------------------------+------------+------------+
| boot_successes                                       | 6          | 0          |
| boot_failures                                        | 0          | 6          |
| BUG:KASAN:slab-out-of-bounds_in__perf_read_group_add | 0          | 6          |
+------------------------------------------------------+------------+------------+


If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags:
| Reported-by: kernel test robot <oliver.sang@...el.com>
| Closes: https://lore.kernel.org/oe-lkp/202410281338.59203d1a-oliver.sang@intel.com


[ 142.100293][ T3684] BUG: KASAN: slab-out-of-bounds in __perf_read_group_add (kernel/events/core.c:5701) 
[  142.101343][ T3684] Write of size 8 at addr ffff88810b667d68 by task trinity-c0/3684
[  142.102099][ T3690] module: module-autoload: duplicate request for module net-pf-8
[  142.102283][ T3684]
[  142.102322][ T3684] CPU: 0 UID: 65534 PID: 3684 Comm: trinity-c0 Not tainted 6.12.0-rc2-00016-g5c5371bf97a3 #1 36c1eff993709d0a36f75e4a1cd3187be70e0857
[  142.105131][ T3684] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[  142.106411][ T3684] Call Trace:
[  142.106907][ T3684]  <TASK>
[ 142.107367][ T3684] dump_stack_lvl (lib/dump_stack.c:123) 
[ 142.108032][ T3684] print_address_description+0x53/0x2d5 
[ 142.108745][ T3684] ? __perf_read_group_add (kernel/events/core.c:5701) 
[ 142.109300][ T3684] print_report (mm/kasan/report.c:489) 
[  142.109568][ T3690] module: module-autoload: duplicate request for module net-pf-43
[ 142.109627][ T3684] ? virt_to_folio (include/linux/mm.h:1282) 
[ 142.109639][ T3684] ? virt_to_slab (mm/slab.h:209) 
[ 142.111632][ T3684] ? kmem_cache_debug_flags (mm/slab.h:544) 
[ 142.112072][ T3684] ? kasan_complete_mode_report_info (mm/kasan/report_generic.c:172) 
[ 142.112649][ T3684] ? __perf_read_group_add (kernel/events/core.c:5701) 
[ 142.113134][ T3684] kasan_report (mm/kasan/report.c:603) 
[ 142.113513][ T3684] ? __perf_read_group_add (kernel/events/core.c:5701) 
[ 142.114066][ T3684] __asan_report_store8_noabort (mm/kasan/report_generic.c:386) 
[ 142.114548][ T3684] __perf_read_group_add (kernel/events/core.c:5701) 
[ 142.115189][ T3684] perf_read_group (kernel/events/core.c:5737) 
[ 142.118413][ T3684] perf_read (kernel/events/core.c:5820 kernel/events/core.c:5839) 
[ 142.118976][ T3684] do_loop_readv_writev+0x1e4/0x2b0 
[ 142.119468][ T3684] ? perf_read_one (kernel/events/core.c:5829) 
[ 142.119866][ T3684] vfs_readv (fs/read_write.c:1029) 
[ 142.120240][ T3684] ? check_prev_add (kernel/locking/lockdep.c:3860) 
[ 142.120844][ T3684] ? __ia32_compat_sys_sendfile64 (fs/read_write.c:999) 
[ 142.121591][ T3684] ? fdget (fs/file.c:1129) 
[ 142.122022][ T3684] do_readv (fs/read_write.c:1088) 
[ 142.122378][ T3684] ? vfs_readv (fs/read_write.c:1077) 
[ 142.122799][ T3684] ? syscall_enter_from_user_mode_prepare (arch/x86/include/asm/irqflags.h:42 arch/x86/include/asm/irqflags.h:97 kernel/entry/common.c:78) 
[ 142.123307][ T3684] __ia32_sys_readv (fs/read_write.c:1175) 
[ 142.123734][ T3684] ia32_sys_call (kbuild/obj/consumer/x86_64-randconfig-121-20241024/./arch/x86/include/generated/asm/syscalls_32.h:146) 
[ 142.124147][ T3684] __do_fast_syscall_32 (arch/x86/entry/common.c:165 arch/x86/entry/common.c:386) 
[ 142.124558][ T3684] do_fast_syscall_32 (arch/x86/entry/common.c:411) 
[ 142.124963][ T3684] do_SYSENTER_32 (arch/x86/entry/common.c:450) 
[ 142.125341][ T3684] entry_SYSENTER_compat_after_hwframe (arch/x86/entry/entry_64_compat.S:127) 
[  142.125840][ T3684] RIP: 0023:0xf7f50579
[ 142.126207][ T3684] Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
All code
========
   0:	b8 01 10 06 03       	mov    $0x3061001,%eax
   5:	74 b4                	je     0xffffffffffffffbb
   7:	01 10                	add    %edx,(%rax)
   9:	07                   	(bad)  
   a:	03 74 b0 01          	add    0x1(%rax,%rsi,4),%esi
   e:	10 08                	adc    %cl,(%rax)
  10:	03 74 d8 01          	add    0x1(%rax,%rbx,8),%esi
	...
  20:	00 51 52             	add    %dl,0x52(%rcx)
  23:	55                   	push   %rbp
  24:*	89 e5                	mov    %esp,%ebp		<-- trapping instruction
  26:	0f 34                	sysenter 
  28:	cd 80                	int    $0x80
  2a:	5d                   	pop    %rbp
  2b:	5a                   	pop    %rdx
  2c:	59                   	pop    %rcx
  2d:	c3                   	retq   
  2e:	90                   	nop
  2f:	90                   	nop
  30:	90                   	nop
  31:	90                   	nop
  32:	8d b4 26 00 00 00 00 	lea    0x0(%rsi,%riz,1),%esi
  39:	8d b4 26 00 00 00 00 	lea    0x0(%rsi,%riz,1),%esi

Code starting with the faulting instruction
===========================================
   0:	5d                   	pop    %rbp
   1:	5a                   	pop    %rdx
   2:	59                   	pop    %rcx
   3:	c3                   	retq   
   4:	90                   	nop
   5:	90                   	nop
   6:	90                   	nop
   7:	90                   	nop
   8:	8d b4 26 00 00 00 00 	lea    0x0(%rsi,%riz,1),%esi
   f:	8d b4 26 00 00 00 00 	lea    0x0(%rsi,%riz,1),%esi
[  142.127543][ T3684] RSP: 002b:00000000ff9a427c EFLAGS: 00000292 ORIG_RAX: 0000000000000091
[  142.128188][ T3684] RAX: ffffffffffffffda RBX: 0000000000000120 RCX: 000000005710a850
[  142.128806][ T3684] RDX: 0000000000000001 RSI: 0000000000010000 RDI: 00000000ffffffff
[  142.129417][ T3684] RBP: 00000000a000009c R08: 0000000000000000 R09: 0000000000000000
[  142.130027][ T3684] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  142.130637][ T3684] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  142.131268][ T3684]  </TASK>
[  142.131551][ T3684]
[  142.131789][ T3684] Allocated by task 3684:
[ 142.132155][ T3684] stack_trace_save (kernel/stacktrace.c:114) 
[ 142.132540][ T3684] kasan_save_stack (mm/kasan/common.c:48) 
[ 142.132928][ T3684] kasan_save_track (arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69) 
[ 142.133306][ T3684] kasan_save_alloc_info (mm/kasan/generic.c:566) 
[ 142.133710][ T3684] poison_kmalloc_redzone (mm/kasan/common.c:379) 
[ 142.134115][ T3684] __kasan_kmalloc (mm/kasan/common.c:398) 
[ 142.134489][ T3684] __kmalloc_noprof (mm/slub.c:4265 mm/slub.c:4276) 
[ 142.134877][ T3684] kzalloc_noprof (include/linux/slab.h:882 include/linux/slab.h:1014) 
[ 142.135297][ T3684] perf_read_group (kernel/events/core.c:5728 (discriminator 9)) 
[ 142.135773][ T3684] perf_read (kernel/events/core.c:5820 kernel/events/core.c:5839) 
[ 142.136282][ T3684] do_loop_readv_writev+0x1e4/0x2b0 
[ 142.136956][ T3684] vfs_readv (fs/read_write.c:1029) 
[ 142.137484][ T3684] do_readv (fs/read_write.c:1088) 
[ 142.138001][ T3684] __ia32_sys_readv (fs/read_write.c:1175) 
[ 142.138565][ T3684] ia32_sys_call (kbuild/obj/consumer/x86_64-randconfig-121-20241024/./arch/x86/include/generated/asm/syscalls_32.h:146) 
[ 142.139070][ T3684] __do_fast_syscall_32 (arch/x86/entry/common.c:165 arch/x86/entry/common.c:386) 
[  142.139246][ T3689] module: module-autoload: duplicate request for module net-pf-14
[ 142.139329][ T3684] do_fast_syscall_32 (arch/x86/entry/common.c:411) 
[ 142.139334][ T3684] do_SYSENTER_32 (arch/x86/entry/common.c:450) 
[ 142.141382][ T3684] entry_SYSENTER_compat_after_hwframe (arch/x86/entry/entry_64_compat.S:127) 
[  142.141559][ T3689] module: module-autoload: duplicate request for module net-pf-18
[  142.141824][ T3684]
[  142.141830][ T3684] The buggy address belongs to the object at ffff88810b667d40
[  142.141830][ T3684]  which belongs to the cache kmalloc-rnd-11-64 of size 64
[  142.141837][ T3684] The buggy address is located 0 bytes to the right of
[  142.141837][ T3684]  allocated 40-byte region [ffff88810b667d40, ffff88810b667d68)
[  142.141844][ T3684]
[  142.141848][ T3684] The buggy address belongs to the physical page:
[  142.141853][ T3684] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88810b667c40 pfn:0x10b667
[  142.141859][ T3684] flags: 0x4000000000000200(workingset|zone=2)
[  142.149380][ T3684] page_type: f5(slab)
[  142.149887][ T3684] raw: 4000000000000200 ffff8881000644c0 ffffea00058f9150 ffff888100062810
[  142.150834][ T3684] raw: ffff88810b667c40 0000000000100003 00000001f5000000 0000000000000000
[  142.151803][ T3684] page dumped because: kasan: bad access detected
[  142.152528][ T3684] page_owner tracks the page as allocated
[  142.153360][ T3684] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 11494771432, free_ts 0
[ 142.155275][ T3684] __set_page_owner (mm/page_owner.c:322) 
[ 142.155879][ T3684] post_alloc_hook (mm/page_alloc.c:1539) 
[ 142.156485][ T3684] get_page_from_freelist (mm/page_alloc.c:1547 mm/page_alloc.c:3457) 
[ 142.157133][ T3684] __alloc_pages_noprof (mm/page_alloc.c:4734) 
[ 142.157761][ T3684] __alloc_pages_node_noprof (include/linux/gfp.h:265) 
[ 142.158343][ T3684] alloc_slab_page (mm/slub.c:2416) 
[ 142.158884][ T3684] allocate_slab (mm/slub.c:2579) 
[ 142.159439][ T3684] new_slab (mm/slub.c:2633 (discriminator 9)) 
[ 142.159917][ T3684] ___slab_alloc (mm/slub.c:3819 (discriminator 3)) 
[ 142.160482][ T3684] __slab_alloc+0x68/0xd7 
[ 142.161121][ T3684] __kmalloc_noprof (mm/slub.c:3961 mm/slub.c:4122 mm/slub.c:4263 mm/slub.c:4276) 
[ 142.161718][ T3684] kzalloc_noprof (include/linux/slab.h:1015) 
[ 142.162323][ T3684] acpi_evaluate_object (drivers/acpi/acpica/nsxfeval.c:247 (discriminator 4)) 
[ 142.162974][ T3684] acpi_evaluate_dsm (drivers/acpi/utils.c:799) 
[ 142.163625][ T3684] acpi_evaluate_dsm_typed+0x1f/0x6c 
[ 142.164399][ T3684] pci_acpi_preserve_config (drivers/pci/pci-acpi.c:137) 
[  142.165061][ T3684] page_owner free stack trace missing
[  142.165716][ T3684]
[  142.166092][ T3684] Memory state around the buggy address:
[  142.166790][ T3684]  ffff88810b667c00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[  142.167816][ T3684]  ffff88810b667c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  142.168826][ T3684] >ffff88810b667d00: fc fc fc fc fc fc fc fc 00 00 00 00 00 fc fc fc
[  142.169800][ T3684]                                                           ^
[  142.170756][ T3684]  ffff88810b667d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  142.171758][ T3684]  ffff88810b667e00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[  142.172753][ T3684] ==================================================================
[  142.173487][ T3690] module: module-autoload: duplicate request for module net-pf-13


The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20241028/202410281338.59203d1a-oliver.sang@intel.com



-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

