| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 14 Apr 2020 01:12:45 +0530
From: Naresh Kamboju <naresh.kamboju@...aro.org>
To: open list <linux-kernel@...r.kernel.org>,
"open list:KERNEL SELFTEST FRAMEWORK"
<linux-kselftest@...r.kernel.org>, linux-mm <linux-mm@...ck.org>,
bpf <bpf@...r.kernel.org>, Netdev <netdev@...r.kernel.org>
Cc: lkft-triage@...ts.linaro.org, Shuah Khan <shuah@...nel.org>,
Anders Roxell <anders.roxell@...aro.org>,
Michael Ellerman <mpe@...erman.id.au>,
Arnd Bergmann <arnd@...db.de>,
Brendan Higgins <brendanhiggins@...gle.com>,
Heikki Krogerus <heikki.krogerus@...ux.intel.com>,
Sakari Ailus <sakari.ailus@...ux.intel.com>
Subject: BUG: kernel NULL pointer dereference, address: 00000041 - EIP: kmem_cache_alloc_trace
While running kselftest bpf tests the following kernel BUG (s) noticed on
i386 kernel running x86_64 device running maining 5.7.0 kernel.
The similar issue was reported a month back.
https://lore.kernel.org/linux-kselftest/CAFd5g46Bwd8HS9-xjHLh_rB59Nfw8iAnM6aFe0QPcveewDUT6g@mail.gmail.com/T/
steps to reproduce:
----------------------------
# cd /opt/kselftests/default-in-kernel/
# ./run_kselftest.sh
Test log:
-----------
[ 337.393528] test_bpf: #3 DIV_MOD_KX
[ 337.393535] BUG: kernel NULL pointer dereference, address: 00000041
[ 337.404663] #PF: supervisor read access in kernel mode
[ 337.409794] #PF: error_code(0x0000) - not-present page
[ 337.414925] *pde = 00000000
[ 337.417803] Oops: 0000 [#2] SMP
[ 337.420940] CPU: 1 PID: 6931 Comm: modprobe Tainted: G D W
5.7.0-rc1 #1
[ 337.428676] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS
2.0b 07/27/2017
[ 337.436152] EIP: __kmalloc_track_caller+0x9f/0x310
[ 337.440941] Code: 9f 01 00 00 89 75 e0 8b 07 64 8b 50 04 64 03 05
d8 32 3a df 8b 08 85 c9 89 4d f0 0f 84 0a 02 00 00 8b 75 f0 8b 47 14
8d 4a 01 <8b> 1c 06 89 f0 8b 37 64 0f c7 0e 75 d0 8b 75 e0 8b 47 14 0f
18 04
[ 337.459680] EAX: 00000040 EBX: 00002cc0 ECX: 000017fb EDX: 000017fa
[ 337.465936] ESI: 00000001 EDI: f5403680 EBP: f26f3d2c ESP: f26f3d0c
[ 337.472193] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010202
[ 337.478972] CR0: 80050033 CR2: 00000041 CR3: 33db3000 CR4: 003406d0
[ 337.485238] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 337.491494] DR6: fffe0ff0 DR7: 00000400
[ 337.495324] Call Trace:
[ 337.497771] ? bpf_prepare_filter+0x2bd/0x5f0
[ 337.502131] kmemdup+0x1b/0x40
[ 337.505189] bpf_prepare_filter+0x2bd/0x5f0
[ 337.509376] bpf_prog_create+0x65/0xa0
[ 337.513127] test_bpf_init+0x1f8/0xd8f [test_bpf]
[ 337.517832] ? free_pcppages_bulk+0x4e0/0x550
[ 337.522186] ? build_test_skb+0x156/0x156 [test_bpf]
[ 337.527150] do_one_initcall+0x54/0x2e0
[ 337.530990] ? __might_sleep+0x33/0x80
[ 337.534742] ? _cond_resched+0x17/0x30
[ 337.538493] ? kmem_cache_alloc_trace+0x209/0x2b0
[ 337.543191] ? do_init_module+0x21/0x1f7
[ 337.547108] ? do_init_module+0x21/0x1f7
[ 337.551024] do_init_module+0x50/0x1f7
[ 337.554771] load_module+0x1e32/0x2540
[ 337.558528] __ia32_sys_finit_module+0x8f/0xe0
[ 337.562982] do_fast_syscall_32+0x7f/0x330
[ 337.567076] entry_SYSENTER_32+0xaa/0x102
[ 337.571078] EIP: 0xb7f9dce1
[ 337.573870] Code: 5e 5d c3 8d b6 00 00 00 00 b8 40 42 0f 00 eb c1
8b 04 24 c3 8b 1c 24 c3 8b 34 24 c3 8b 3c 24 c3 90 51 52 55 89 e5 0f
34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90
8d 76
[ 337.592626] EAX: ffffffda EBX: 00000005 ECX: 0806233a EDX: 00000000
#[
# Socket 1 6 337.598898] ESI: 0977f840 EDI: 0977f480 EBP: 0977f700
ESP: bf9e017c
[ 337.606542] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000296
[ 337.613323] Modules linked in: test_bpf(+) test_printf(+) cls_bpf
sch_fq 8021q sch_ingress veth algif_hash x86_pkg_temp_thermal fuse
[last unloaded: test_strscpy]
[ 337.627829] CR2: 0000000000000041
[ 337.631139] ---[ end trace 09f43fd7981266ca ]---
[ 337.635750] EIP: ida_free+0x61/0x130
[ 337.639319] Code: 00 c7 45 e8 00 00 00 00 c7 45 ec 00 00 00 00 0f
88 c4 00 00 00 89 d3 e8 0d 8e 87 00 89 c7 8d 45 d8 e8 93 1e 01 00 a8
01 75 3f <0f> a3 30 72 72 8b 45 d8 89 fa e8 e0 8f 87 00 53 68 08 ab fd
de e8
[ 337.658058] EAX: 00000000 EBX: 00000000 ECX: e422d8c0 EDX: 00000000
[ 337.664322] ESI: 00000000 EDI: 00000246 EBP: e5d63cdc ESP: e5d63cb0
[ 337.670580] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010046
[ 337.677358] CR0: 80050033 CR2: 00000041 CR3: 33db3000 CR4: 003406d0
[ 337.683640] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 337.689897] DR6: fffe0ff0 DR7: 00000400
[ 337.693728] BUG: sleeping function called from invalid context at
/usr/src/kernel/include/linux/percpu-rwsem.h:49
[ 337.703971] in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid:
6931, name: modprobe
[ 337.711962] INFO: lockdep is turned off.
[ 337.715878] irq event stamp: 0
[ 337.718930] hardirqs last enabled at (0): [<00000000>] 0x0
[ 337.724497] hardirqs last disabled at (0): [<ddeeddaa>]
copy_process+0x3ea/0x17d0
[ 337.731974] softirqs last enabled at (0): [<ddeeddaa>]
copy_process+0x3ea/0x17d0
[ 337.739444] softirqs last disabled at (0): [<00000000>] 0x0
[ 337.745010] CPU: 1 PID: 6931 Comm: modprobe Tainted: G D W
5.7.0-rc1 #1
[ 337.752747] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS
2.0b 07/27/2017
[ 337.760218] Call Trace:
[ 337.762675] dump_stack+0x6e/0x96
[ 337.765990] ___might_sleep+0x14d/0x240
[ 337.769822] __might_sleep+0x33/0x80
[ 337.773402] exit_signals+0x2a/0x2d0
[ 337.776980] do_exit+0x8e/0xb40
[ 337.780126] rewind_stack_do_exit+0x11/0x13
[ 337.784310] EIP: 0xb7f9dce1
[ 337.787101] Code: 5e 5d c3 8d b6 00 00 00 00 b8 40 42 0f 00 eb c1
8b 04 24 c3 8b 1c 24 c3 8b 34 24 c3 8b 3c 24 c3 90 51 52 55 89 e5 0f
34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90
8d 76
[ 337.805838] EAX: ffffffda EBX: 00000005 ECX: 0806233a EDX: 00000000
[ 337.812097] ESI: 0977f840 EDI: 0977f480 EBP: 0977f700 ESP: bf9e017c
[ 337.818354] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000296
<trim>
[ 338.570731] BUG: kernel NULL pointer dereference, address: 00000041
[ 338.577558] #PF: supervisor read access in kernel mode
[ 338.582702] #PF: error_code(0x0000) - not-present page
[ 338.587842] *pde = 00000000
[ 338.590738] Oops: 0000 [#3] SMP
[ 338.593894] CPU: 1 PID: 7032 Comm: ip Tainted: G D W
5.7.0-rc1 #1
[ 338.601119] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS
2.0b 07/27/2017
[ 338.608598] EIP: kmem_cache_alloc_trace+0x81/0x2b0
[ 338.613389] Code: f5 01 00 00 89 75 e8 8b 07 64 8b 50 04 64 03 05
d8 32 3a df 8b 08 85 c9 89 4d f0 0f 84 b8 01 00 00 8b 75 f0 8b 47 14
8d 4a 01 <8b> 1c 06 89 f0 8b 37 64 0f c7 0e 75 d0 8b 75 e8 8b 47 14 0f
18 04
[ 338.632133] EAX: 00000040 EBX: 00000dc0 ECX: 000017fb EDX: 000017fa
[ 338.638391] ESI: 00000001 EDI: f5403680 EBP: f240def0 ESP: f240ded0
[ 338.644649] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010202
[ 338.651424] CR0: 80050033 CR2: 00000041 CR3: 25d76000 CR4: 003406d0
[ 338.657683] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 338.663939] DR6: fffe0ff0 DR7: 00000400
[ 338.667770] Call Trace:
[ 338.670214] ? alloc_mnt_ns+0x52/0x120
[ 338.673959] alloc_mnt_ns+0x52/0x120
[ 338.677529] copy_mnt_ns+0x49/0x2f0
[ 338.681013] ? kmem_cache_alloc+0x219/0x2c0
[ 338.685190] ? create_new_namespaces+0x29/0x290
[ 338.689717] create_new_namespaces+0x4f/0x290
[ 338.694074] unshare_nsproxy_namespaces+0x47/0xa0
[ 338.698772] ksys_unshare+0x19e/0x330
[ 338.702429] ? __might_fault+0x41/0x80
[ 338.706174] __ia32_sys_unshare+0xf/0x20
[ 338.710097] do_fast_syscall_32+0x7f/0x330
[ 338.714191] entry_SYSENTER_32+0xaa/0x102
[ 338.718201] EIP: 0xb7f8fce1
[ 338.720990] Code: 5e 5d c3 8d b6 00 00 00 00 b8 40 42 0f 00 eb c1
8b 04 24 c3 8b 1c 24 c3 8b 34 24 c3 8b 3c 24 c3 90 51 52 55 89 e5 0f
34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90
8d 76
[ 338.739729] EAX: ffffffda EBX: 00020000 ECX: 40000000 EDX: 080e5000
[ 338.745985] ESI: bf8fbc75 EDI: 00000005 EBP: bf8fae08 ESP: bf8f7bdc
[ 338.752245] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000292
[ 338.759030] Modules linked in: test_bpf(+) test_printf(+) cls_bpf
sch_fq 8021q sch_ingress veth algif_hash x86_pkg_temp_thermal fuse
[last unloaded: test_blackhole_dev]
[ 338.774049] CR2: 0000000000000041
[ 338.777361] ---[ end trace 09f43fd7981266cb ]---
[ 338.781978] EIP: ida_free+0x61/0x130
[ 338.785550] Code: 00 c7 45 e8 00 00 00 00 c7 45 ec 00 00 00 00 0f
88 c4 00 00 00 89 d3 e8 0d 8e 87 00 89 c7 8d 45 d8 e8 93 1e 01 00 a8
01 75 3f <0f> a3 30 72 72 8b 45 d8 89 fa e8 e0 8f 87 00 53 68 08 ab fd
de e8
[ 338.804285] EAX: 00000000 EBX: 00000000 ECX: e422d8c0 EDX: 00000000
[ 338.810543] ESI: 00000000 EDI: 00000246 EBP: e5d63cdc ESP: e5d63cb0
[ 338.816800] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010046
[ 338.823579] CR0: 80050033 CR2: 00000041 CR3: 25d76000 CR4: 003406d0
[ 338.829834] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 338.836091] DR6: fffe0ff0 DR7: 00000400
[ 338.839922] BUG: sleeping function called from invalid context at
/usr/src/kernel/include/linux/percpu-rwsem.h:49
[ 338.850168] in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid:
7032, name: ip
[ 338.857647] INFO: lockdep is turned off.
[ 338.861570] irq event stamp: 0
[ 338.864623] hardirqs last enabled at (0): [<00000000>] 0x0
[ 338.870187] hardirqs last disabled at (0): [<ddeeddaa>]
copy_process+0x3ea/0x17d0
[ 338.877657] softirqs last enabled at (0): [<ddeeddaa>]
copy_process+0x3ea/0x17d0
[ 338.885129] softirqs last disabled at (0): [<00000000>] 0x0
[ 338.890700] CPU: 1 PID: 7032 Comm: ip Tainted: G D W
5.7.0-rc1 #1
[ 338.897911] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS
2.0b 07/27/2017
[ 338.905382] Call Trace:
[ 338.907827] dump_stack+0x6e/0x96
[ 338.911146] ___might_sleep+0x14d/0x240
[ 338.914984] __might_sleep+0x33/0x80
[ 338.918557] ? unshare_nsproxy_namespaces+0x47/0xa0
[ 338.923435] exit_signals+0x2a/0x2d0
[ 338.927014] do_exit+0x8e/0xb40
[ 338.930150] ? __ia32_sys_unshare+0xf/0x20
[ 338.934244] rewind_stack_do_exit+0x11/0x13
[ 338.938425] EIP: 0xb7f8fce1
[ 338.941218] Code: 5e 5d c3 8d b6 00 00 00 00 b8 40 42 0f 00 eb c1
8b 04 24 c3 8b 1c 24 c3 8b 34 24 c3 8b 3c 24 c3 90 51 52 55 89 e5 0f
34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90
8d 76
[ 338.959955] EAX: ffffffda EBX: 00020000 ECX: 40000000 EDX: 080e5000
[ 338.966211] ESI: bf8fbc75 EDI: 00000005 EBP: bf8fae08 ESP: bf8f7bdc
[ 338.972469] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000292
<trim>
[ 339.061988] BUG: kernel NULL pointer dereference, address: 00000041
[ 339.068782] #PF: supervisor read access in kernel mode
[ 339.073918] #PF: error_code(0x0000) - not-present page
[ 339.079051] *pde = 00000000
[ 339.081929] Oops: 0000 [#4] SMP
[ 339.085075] CPU: 1 PID: 7064 Comm: ip Tainted: G D W
5.7.0-rc1 #1
[ 339.092284] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS
2.0b 07/27/2017
[ 339.099756] EIP: __kmalloc+0xa2/0x310
[ 339.103422] Code: 9c 01 00 00 89 75 e4 8b 07 64 8b 50 04 64 03 05
d8 32 3a df 8b 08 85 c9 89 4d f0 0f 84 07 02 00 00 8b 75 f0 8b 47 14
8d 4a 01 <8b> 1c 06 89 f0 8b 37 64 0f c7 0e 75 d0 8b 75 e4 8b 47 14 0f
18 04
[ 339.122167] EAX: 00000040 EBX: 00000dc0 ECX: 000017fb EDX: 000017fa
[ 339.128425] ESI: 00000001 EDI: f5403680 EBP: f394bf0c ESP: f394beec
[ 339.134690] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010202
[ 339.141467] CR0: 80050033 CR2: 00000041 CR3: 3305d000 CR4: 003406d0
[ 339.147724] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 339.153982] DR6: fffe0ff0 DR7: 00000400
[ 339.157811] Call Trace:
[ 339.160257] ? net_alloc_generic+0x1a/0x30
[ 339.164356] net_alloc_generic+0x1a/0x30
[ 339.168272] copy_net_ns+0x50/0x210
[ 339.171758] create_new_namespaces+0xf5/0x290
[ 339.176117] unshare_nsproxy_namespaces+0x47/0xa0
[ 339.180824] ksys_unshare+0x19e/0x330
[ 339.184488] ? __might_fault+0x41/0x80
[ 339.188234] __ia32_sys_unshare+0xf/0x20
[ 339.192160] do_fast_syscall_32+0x7f/0x330
[ 339.196258] entry_SYSENTER_32+0xaa/0x102
[ 339.200261] EIP: 0xb7f61ce1
[ 339.203051] Code: 5e 5d c3 8d b6 00 00 00 00 b8 40 42 0f 00 eb c1
8b 04 24 c3 8b 1c 24 c3 8b 34 24 c3 8b 3c 24 c3 90 51 52 55 89 e5 0f
34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90
8d 76
[ 339.221790] EAX: ffffffda EBX: 40000000 ECX: 080a8b31 EDX: 00000000
[ 339.228054] ESI: 00000001 EDI: bf8e9e70 EBP: bf8e7c00 ESP: bf8e7bbc
[ 339.234313] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000292
[ 339.241100] Modules linked in: test_bpf(+) test_printf(+) cls_bpf
sch_fq 8021q sch_ingress veth algif_hash x86_pkg_temp_thermal fuse
[last unloaded: test_blackhole_dev]
[ 339.256116] CR2: 0000000000000041
[ 339.259427] ---[ end trace 09f43fd7981266cc ]---
[ 339.264040] EIP: ida_free+0x61/0x130
[ 339.267618] Code: 00 c7 45 e8 00 00 00 00 c7 45 ec 00 00 00 00 0f
88 c4 00 00 00 89 d3 e8 0d 8e 87 00 89 c7 8d 45 d8 e8 93 1e 01 00 a8
01 75 3f <0f> a3 30 72 72 8b 45 d8 89 fa e8 e0 8f 87 00 53 68 08 ab fd
de e8
[ 339.286363] EAX: 00000000 EBX: 00000000 ECX: e422d8c0 EDX: 00000000
[ 339.292619] ESI: 00000000 EDI: 00000246 EBP: e5d63cdc ESP: e5d63cb0
[ 339.298877] DS: 007b ES: 007b FS: 00d8 GS: 00e0 : 0068 EFLAGS: 00010046
[ 339.305655] CR0: 80050033 CR2: 00000041 CR3: 3305d000 CR4: 003406d0
[ 339.311913] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 339.318178] DR6: fffe0ff0 DR7: 00000400
Full test log,
https://lkft.validation.linaro.org/scheduler/job/1362555#L7962
metadata:
git branch: master
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel-config:
http://snapshots.linaro.org/openembedded/lkft/lkft/sumo/intel-core2-32/lkft/linux-mainline/2611/config
Reported-by: Naresh Kamboju <naresh.kamboju@...aro.org>
--
Linaro LKFT
https://lkft.linaro.org
Powered by blists - more mailing lists