Message-ID: <88f1df7e-8347-45f7-a2a1-e321e72e4009@linux.ibm.com>
Date: Tue, 7 Oct 2025 10:59:12 +0530
From: Venkat Rao Bagalkote <venkat88@...ux.ibm.com>
To: LKML <linux-kernel@...r.kernel.org>,
        linuxppc-dev <linuxppc-dev@...ts.ozlabs.org>,
        Madhavan Srinivasan <maddy@...ux.ibm.com>,
        linux-kselftest@...r.kernel.org
Subject: [linux-next20251003] tpm2 selftests resulting in Kernel Oops

Greetings!!!


IBM CI has reported a kernel Oops while running TPM2 selftests on an IBM 
Power11 system with the linux-next20251002 kernel.


Test Case:

make run_tests
TAP version 13
1..3
# timeout set to 600
# selftests: tpm2: test_smoke.sh
# test_read_partial_overwrite (tpm2_tests.SmokeTest) ... ok
# test_read_partial_resp (tpm2_tests.SmokeTest) ... ok
# test_seal_with_auth (tpm2_tests.SmokeTest) ... ok
# test_seal_with_policy (tpm2_tests.SmokeTest) ... ok
# test_seal_with_too_long_auth (tpm2_tests.SmokeTest) ... ok
# test_send_two_cmds (tpm2_tests.SmokeTest) ... ok
# test_too_short_cmd (tpm2_tests.SmokeTest) ... ok
# test_unseal_with_wrong_auth (tpm2_tests.SmokeTest) ... ok
# test_unseal_with_wrong_policy (tpm2_tests.SmokeTest) ... ERROR
#
# ======================================================================
# ERROR: test_unseal_with_wrong_policy (tpm2_tests.SmokeTest)
# -----------------------------------------------------


Traces:


[  452.604333] BUG: KASAN: slab-use-after-free in tpmrm_release+0x78/0xa8
[  452.604345] Read of size 8 at addr c00000001c650000 by task python3/1856
[  452.604353]
[  452.604358] CPU: 24 UID: 0 PID: 1856 Comm: python3 Kdump: loaded Not tainted 6.17.0-next-20251003 #1 VOLUNTARY
[  452.604364] Hardware name: IBM,9080-HEX Power11 (architected) 0x820200 0xf000007 of:IBM,FW1110.01 (NH1110_069) hv:phyp pSeries
[  452.604368] Call Trace:
[  452.604370] [c0000000c1867840] [c00000000187ea4c] dump_stack_lvl+0x84/0xe8 (unreliable)
[  452.604380] [c0000000c1867870] [c000000000803754] print_address_description.constprop.0+0x11c/0x56c
[  452.604388] [c0000000c1867910] [c000000000803c84] print_report+0xe0/0x358
[  452.604394] [c0000000c18679e0] [c000000000804124] kasan_report+0x128/0x1f4
[  452.604400] [c0000000c1867af0] [c0000000008062b4] __asan_load8+0xa8/0xe0
[  452.604406] [c0000000c1867b10] [c000000000f2ec18] tpmrm_release+0x78/0xa8
[  452.604412] [c0000000c1867b40] [c0000000008b6a2c] __fput+0x21c/0x60c
[  452.604417] [c0000000c1867bc0] [c0000000008ada70] sys_close+0x74/0xd0
[  452.604424] [c0000000c1867bf0] [c000000000039270] system_call_exception+0x1e0/0x460
[  452.604431] [c0000000c1867e50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec
[  452.604438] ---- interrupt: 3000 at 0x7fffb7534ab4
[  452.604443] NIP:  00007fffb7534ab4 LR: 00007fffb7534ab4 CTR: 0000000000000000
[  452.604446] REGS: c0000000c1867e80 TRAP: 3000   Not tainted (6.17.0-next-20251003)
[  452.604449] MSR:  800000000280f033 <SF,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE>  CR: 44284422  XER: 00000000
[  452.604466] IRQMASK: 0
[  452.604466] GPR00: 0000000000000006 00007ffff65d76b0 00007fffb7c17700 0000000000000006
[  452.604466] GPR04: 0000000000000000 0000000000000000 0000000000000000 0000000000000004
[  452.604466] GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[  452.604466] GPR12: 0000000000000000 00007fffb7e6b8e0 00000000000000a1 00007fffb67acec0
[  452.604466] GPR16: 0000000164032ad0 00007fffb67aceb0 00007fffb76f6a90 0000000000000000
[  452.604466] GPR20: 00007fffb6f21850 0000000000000000 00007fffb71062c0 0000000164034490
[  452.604466] GPR24: 00007fffb6f2fea0 00007fffb67acea8 0000000164032b18 00007fffb7c45b32
[  452.604466] GPR28: 00007fffb7c678e0 00007fffb67aceb8 0000000000000006 0000000164034490
[  452.604510] NIP [00007fffb7534ab4] 0x7fffb7534ab4
[  452.604513] LR [00007fffb7534ab4] 0x7fffb7534ab4
[  452.604516] ---- interrupt: 3000
[  452.604518]
[  452.604601] Allocated by task 1856:
[  452.604607]  kasan_save_stack+0x34/0x64
[  452.604614]  kasan_save_track+0x2c/0x50
[  452.604621]  kasan_save_alloc_info+0x58/0x74
[  452.604628]  __kasan_kmalloc+0x12c/0x168
[  452.604635]  __kmalloc_cache_noprof+0x1d8/0x71c
[  452.604643]  tpmrm_open+0x88/0x168
[  452.604649]  chrdev_open+0x1f4/0x484
[  452.604656]  do_dentry_open+0x578/0x9cc
[  452.604663]  vfs_open+0x68/0x23c
[  452.604670]  do_open+0x514/0x74c
[  452.604676]  path_openat+0x16c/0x380
[  452.604682]  do_filp_open+0x104/0x230
[  452.604689]  do_sys_openat2+0xb8/0x154
[  452.604696]  sys_openat+0xcc/0x130
[  452.604703]  system_call_exception+0x1e0/0x460
[  452.604710]  system_call_vectored_common+0x15c/0x2ec
[  452.604718]
[  452.604722] Freed by task 1856:
[  452.604726]  kasan_save_stack+0x34/0x64
[  452.604733]  kasan_save_track+0x2c/0x50
[  452.604739]  __kasan_save_free_info+0x64/0x110
[  452.604747]  __kasan_slab_free+0xb0/0x10c
[  452.604753]  kfree+0x220/0x624
[  452.604760]  tpmrm_release+0x6c/0xa8
[  452.604766]  __fput+0x21c/0x60c
[  452.604772]  sys_close+0x74/0xd0
[  452.604779]  system_call_exception+0x1e0/0x460
[  452.604786]  system_call_vectored_common+0x15c/0x2ec
[  452.604794]
[  452.604797] The buggy address belongs to the object at c00000001c650000
[  452.604797]  which belongs to the cache kmalloc-8k of size 8192
[  452.604806] The buggy address is located 0 bytes inside of
[  452.604806]  freed 8192-byte region [c00000001c650000, c00000001c652000)
[  452.604815]
[  452.604818] The buggy address belongs to the physical page:
[  452.604824] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xc00000001c644000 pfn:0x1c60
[  452.604833] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  452.604840] flags: 0x3ffffe00000040(head|node=0|zone=0|lastcpupid=0x1fffff)
[  452.604849] page_type: f5(slab)
[  452.604856] raw: 003ffffe00000040 c000000007012300 5deadbeef0000122 0000000000000000
[  452.604864] raw: c00000001c644000 000000008020001e 00000000f5000000 0000000000000000
[  452.604872] head: 003ffffe00000040 c000000007012300 5deadbeef0000122 0000000000000000
[  452.604879] head: c00000001c644000 000000008020001e 00000000f5000000 0000000000000000
[  452.604887] head: 003ffffe00000003 c00c000000071801 00000000ffffffff 00000000ffffffff
[  452.604894] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[  452.604900] page dumped because: kasan: bad access detected
[  452.604905]
[  452.604908] Memory state around the buggy address:
[  452.604914]  c00000001c64ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  452.604920]  c00000001c64ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  452.604927] >c00000001c650000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  452.604933]                    ^
[  452.604937]  c00000001c650080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  452.604944]  c00000001c650100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  452.604950] ==================================================================
[  452.604955] Disabling lock debugging due to kernel taint
[  452.604961] Kernel attempted to read user page (770) - exploit attempt? (uid: 0)
[  452.604969] BUG: Kernel NULL pointer dereference on read at 0x00000770
[  452.604975] Faulting instruction address: 0xc0000000002b2e0c
[  452.604982] Oops: Kernel access of bad area, sig: 11 [#1]
[  452.604987] LE PAGE_SIZE=64K MMU=Radix  SMP NR_CPUS=8192 NUMA pSeries
[  452.604996] Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat bonding nf_conntrack tls nf_defrag_ipv6 nf_defrag_ipv4 rfkill ip_set nf_tables nfnetlink sunrpc pseries_rng vmx_crypto fuse ext4 crc16 mbcache jbd2 sd_mod sg ibmvscsi ibmveth scsi_transport_srp pseries_wdt
[  452.605073] CPU: 24 UID: 0 PID: 1856 Comm: python3 Kdump: loaded Tainted: G    B               6.17.0-next-20251003 #1 VOLUNTARY
[  452.605084] Tainted: [B]=BAD_PAGE
[  452.605089] Hardware name: IBM,9080-HEX Power11 (architected) 0x820200 0xf000007 of:IBM,FW1110.01 (NH1110_069) hv:phyp pSeries
[  452.605096] NIP:  c0000000002b2e0c LR: c0000000002b2e08 CTR: 0000000000000000
[  452.605103] REGS: c0000000c1867820 TRAP: 0300   Tainted: G B                 (6.17.0-next-20251003)
[  452.605110] MSR:  8000000000009033 <SF,EE,ME,IR,DR,RI,LE>  CR: 28284420  XER: 0000000d
[  452.605132] CFAR: c000000000807920 DAR: 0000000000000770 DSISR: 40000000 IRQMASK: 0
[  452.605132] GPR00: c0000000002b2e08 c0000000c1867ac0 c00000000234a500 0000000000000001
[  452.605132] GPR04: 0000000000000008 0000000000000000 c0000000002b2e08 0000000000000001
[  452.605132] GPR08: 0000000000000020 0000000000000001 0000000000000001 a80e000000000000
[  452.605132] GPR12: c00e0000009b1c8c c000000d0ddeb700 0000000000000000 0000000000000000
[  452.605132] GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[  452.605132] GPR20: 0000000000000008 0000000000000000 c000000008202f00 c00000007b9ff620
[  452.605132] GPR24: c00000008a76cb20 c00000008a76cb40 c00000008a76cb08 c000000002201e80
[  452.605132] GPR28: c000000061569248 0000000000000770 c00000008a76cb00 0000000000000768
[  452.605227] NIP [c0000000002b2e0c] up_read+0x50/0x17c
[  452.605237] LR [c0000000002b2e08] up_read+0x4c/0x17c
[  452.605245] Call Trace:
[  452.605249] [c0000000c1867ac0] [c0000000002b2e08] up_read+0x4c/0x17c (unreliable)
[  452.605261] [c0000000c1867b10] [c000000000f2ec28] tpmrm_release+0x88/0xa8
[  452.605271] [c0000000c1867b40] [c0000000008b6a2c] __fput+0x21c/0x60c
[  452.605280] [c0000000c1867bc0] [c0000000008ada70] sys_close+0x74/0xd0
[  452.605291] [c0000000c1867bf0] [c000000000039270] system_call_exception+0x1e0/0x460
[  452.605301] [c0000000c1867e50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec
[  452.605312] ---- interrupt: 3000 at 0x7fffb7534ab4
[  452.605319] NIP:  00007fffb7534ab4 LR: 00007fffb7534ab4 CTR: 0000000000000000
[  452.605326] REGS: c0000000c1867e80 TRAP: 3000   Tainted: G B                 (6.17.0-next-20251003)
[  452.605333] MSR:  800000000280f033 <SF,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE>  CR: 44284422  XER: 00000000
[  452.605362] IRQMASK: 0
[  452.605362] GPR00: 0000000000000006 00007ffff65d76b0 00007fffb7c17700 0000000000000006
[  452.605362] GPR04: 0000000000000000 0000000000000000 0000000000000000 0000000000000004
[  452.605362] GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[  452.605362] GPR12: 0000000000000000 00007fffb7e6b8e0 00000000000000a1 00007fffb67acec0
[  452.605362] GPR16: 0000000164032ad0 00007fffb67aceb0 00007fffb76f6a90 0000000000000000
[  452.605362] GPR20: 00007fffb6f21850 0000000000000000 00007fffb71062c0 0000000164034490
[  452.605362] GPR24: 00007fffb6f2fea0 00007fffb67acea8 0000000164032b18 00007fffb7c45b32
[  452.605362] GPR28: 00007fffb7c678e0 00007fffb67aceb8 0000000000000006 0000000164034490
[  452.605450] NIP [00007fffb7534ab4] 0x7fffb7534ab4
[  452.605456] LR [00007fffb7534ab4] 0x7fffb7534ab4
[  452.605462] ---- interrupt: 3000
[  452.605467] Code: fbc1fff0 7c7f1b78 f8010010 f821ffb1 e92d0c78 f9210028 39200000 3ba30008 38800008 7fa3eb78 48554af5 60000000 <ebdf0008> eb8d0908 7bc90764 fbc10020
[  452.605501] ---[ end trace 0000000000000000 ]---
[  452.613685] pstore: backend (nvram) writing error (-1)
[  452.613691]



If you happen to fix this, please add the tag below.


Reported-by: Venkat Rao Bagalkote <venkat88@...ux.ibm.com>


Regards,

Venkat.
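The KASAN report in the message above shows one object allocated in tpmrm_open, freed at tpmrm_release+0x6c, read again eight bytes wide at tpmrm_release+0x78, and up_read then faulting on a bad pointer at tpmrm_release+0x88. The C program below is an added illustration of that ordering defect, not kernel code and not a claim about what the real tpmrm bug is: a release handler frees its per-open private object and then reads a field back out of it to find the lock it still has to drop, shown beside the corrected ordering. The struct names, the tracking allocator standing in for KASAN's freed-slab poisoning, and the read lock modelled as a plain counter are all constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model, not kernel code: a shared "chip" whose read lock is
 * held by each open file, and a per-open private object that points at it. */
struct chip {
    int readers_held;                 /* stands in for the rwsem read count */
};

struct file_priv {
    struct chip *chip;
    unsigned char scratch[64];
};

/* Tiny tracking allocator standing in for KASAN's freed-memory poisoning:
 * tracked_free() only marks a block dead, and tracked_load_ptr() refuses to
 * read from a dead block and counts the attempt instead. */
#define MAX_BLOCKS 8
static struct { unsigned char *base; size_t size; bool live; } blocks[MAX_BLOCKS];
static int n_blocks;
static int uaf_accesses;              /* reads that landed in freed memory */

static void tracked_reset(void)
{
    for (int i = 0; i < n_blocks; i++)
        free(blocks[i].base);         /* real memory is kept until reset */
    n_blocks = 0;
    uaf_accesses = 0;
}

static void *tracked_alloc(size_t size)
{
    if (n_blocks == MAX_BLOCKS)
        return NULL;
    unsigned char *p = calloc(1, size);
    if (!p)
        return NULL;
    blocks[n_blocks].base = p;
    blocks[n_blocks].size = size;
    blocks[n_blocks].live = true;
    n_blocks++;
    return p;
}

static void tracked_free(void *p)
{
    for (int i = 0; i < n_blocks; i++)
        if (blocks[i].base == p)
            blocks[i].live = false;   /* poisoned, like a freed slab object */
}

static bool addr_is_live(const void *p)
{
    uintptr_t a = (uintptr_t)p;
    for (int i = 0; i < n_blocks; i++) {
        uintptr_t lo = (uintptr_t)blocks[i].base;
        if (a >= lo && a < lo + blocks[i].size)
            return blocks[i].live;
    }
    return true;                      /* not tracked (e.g. stack): treat as valid */
}

/* Pointer-sized load with the slot checked first, as __asan_load8 does. */
static void *tracked_load_ptr(void **slot)
{
    if (!addr_is_live(slot)) {
        uaf_accesses++;               /* KASAN would report here */
        return NULL;                  /* freed memory: contents are unreliable */
    }
    return *slot;
}

/* Buggy ordering, the shape the report shows: free the object, then read a
 * field back out of it to locate the lock that still has to be dropped. */
static void release_buggy(struct file_priv *priv)
{
    void **chip_slot = (void **)&priv->chip;
    tracked_free(priv);                                   /* kfree(priv) */
    struct chip *chip = tracked_load_ptr(chip_slot);      /* use after free */
    if (chip)
        chip->readers_held--;                             /* up_read() */
}

/* Fixed ordering: take what is still needed out of priv, drop the lock,
 * and free priv last. */
static void release_fixed(struct file_priv *priv)
{
    struct chip *chip = tracked_load_ptr((void **)&priv->chip);
    if (chip)
        chip->readers_held--;
    tracked_free(priv);
}

struct outcome {
    int uaf_accesses;                 /* reads of freed memory during release */
    int readers_held;                 /* 0 once the release path dropped the lock */
};

/* Model one open()/close() pair and report what the release path did. */
struct outcome run_release(bool buggy)
{
    struct outcome out = { -1, -1 };
    tracked_reset();
    struct chip chip = { .readers_held = 1 };             /* open() took the read lock */
    struct file_priv *priv = tracked_alloc(sizeof *priv);
    if (!priv)
        return out;
    priv->chip = &chip;
    if (buggy)
        release_buggy(priv);
    else
        release_fixed(priv);
    out.uaf_accesses = uaf_accesses;
    out.readers_held = chip.readers_held;
    tracked_reset();
    return out;
}

int main(void)
{
    struct outcome b = run_release(true), f = run_release(false);
    printf("buggy: %d freed-memory read(s), readers still held %d\n", b.uaf_accesses, b.readers_held);
    printf("fixed: %d freed-memory read(s), readers still held %d\n", f.uaf_accesses, f.readers_held);
    return 0;
}
```

In the buggy path the model counts one read of freed memory and, because the value fetched from a freed object is garbage, the lock is never dropped; the fixed path performs no such read and leaves the reader count at zero. On a real kernel the same ordering shows up exactly as in the report: a KASAN slab-use-after-free at the read, followed by whatever up_read makes of the stale pointer.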

