Message-ID: <YvpWCP7BIfJIvH+1@xsang-OptiPlex-9020>
Date: Mon, 15 Aug 2022 22:19:52 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Pavel Begunkov <asml.silence@...il.com>
CC: <netdev@...r.kernel.org>, <lkp@...ts.01.org>, <lkp@...el.com>
Subject: [net/ipv6] 9a7635855a: WARNING:at_lib/refcount.c:#refcount_warn_saturate
Greetings,
FYI, we noticed the following commit (built with gcc-11):
commit: 9a7635855aaff9e781cae7353f4496aca03b0451 ("net/ipv6: optimise zc sk_wmem_alloc refcounting")
https://github.com/isilence/linux net/zc-ref-optimisation
in testcase: trinity
version: trinity-x86_64-3f8670b2-1_20220518
with the following parameters:
runtime: 300s
group: group-04
test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):
If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <oliver.sang@...el.com>
[ 330.978858][ T6314] ------------[ cut here ]------------
[ 331.005356][ T6314] refcount_t: underflow; use-after-free.
[ 331.031616][ T6314] WARNING: CPU: 1 PID: 6314 at lib/refcount.c:28 refcount_warn_saturate (kbuild/src/x86_64-2/lib/refcount.c:28 (discriminator 3))
[ 331.069005][ T6314] Modules linked in: udp_diag vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock vmw_vmci ieee802154_socket ieee802154 af_key mpls_router ip_tunnel inet_diag can_bcm can_raw can crypto_user nfnetlink scsi_transport_iscsi atm sctp ip6_udp_tunnel udp_tunnel libcrc32c sr_mod cdrom sg ata_generic intel_rapl_msr bochs ata_piix drm_vram_helper intel_rapl_common drm_ttm_helper crc32c_intel ppdev ttm rapl libata drm_kms_helper parport_pc i2c_piix4 joydev syscopyarea ipmi_devintf ipmi_msghandler serio_raw sysfillrect sysimgblt fb_sys_fops parport fuse drm ip_tables
[ 331.150260][ T6314] CPU: 1 PID: 6314 Comm: trinity-c5 Tainted: G N 5.19.0-05305-g9a7635855aaf #3
[ 331.155892][ T6314] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
[ 331.161393][ T6314] RIP: 0010:refcount_warn_saturate (kbuild/src/x86_64-2/lib/refcount.c:28 (discriminator 3))
[ 331.166033][ T6314] Code: 6d 63 1a 03 01 e8 94 6c 43 01 0f 0b eb d1 80 3d 5b 63 1a 03 00 75 c8 48 c7 c7 c0 97 e1 83 c6 05 4b 63 1a 03 01 e8 74 6c 43 01 <0f> 0b eb b1 80 3d 39 63 1a 03 00 75 a8 48 c7 c7 80 98 e1 83 c6 05
All code
========
0: 6d insl (%dx),%es:(%rdi)
1: 63 1a movslq (%rdx),%ebx
3: 03 01 add (%rcx),%eax
5: e8 94 6c 43 01 callq 0x1436c9e
a: 0f 0b ud2
c: eb d1 jmp 0xffffffffffffffdf
e: 80 3d 5b 63 1a 03 00 cmpb $0x0,0x31a635b(%rip) # 0x31a6370
15: 75 c8 jne 0xffffffffffffffdf
17: 48 c7 c7 c0 97 e1 83 mov $0xffffffff83e197c0,%rdi
1e: c6 05 4b 63 1a 03 01 movb $0x1,0x31a634b(%rip) # 0x31a6370
25: e8 74 6c 43 01 callq 0x1436c9e
2a:* 0f 0b ud2 <-- trapping instruction
2c: eb b1 jmp 0xffffffffffffffdf
2e: 80 3d 39 63 1a 03 00 cmpb $0x0,0x31a6339(%rip) # 0x31a636e
35: 75 a8 jne 0xffffffffffffffdf
37: 48 c7 c7 80 98 e1 83 mov $0xffffffff83e19880,%rdi
3e: c6 .byte 0xc6
3f: 05 .byte 0x5
Code starting with the faulting instruction
===========================================
0: 0f 0b ud2
2: eb b1 jmp 0xffffffffffffffb5
4: 80 3d 39 63 1a 03 00 cmpb $0x0,0x31a6339(%rip) # 0x31a6344
b: 75 a8 jne 0xffffffffffffffb5
d: 48 c7 c7 80 98 e1 83 mov $0xffffffff83e19880,%rdi
14: c6 .byte 0xc6
15: 05 .byte 0x5
[ 331.176980][ T6314] RSP: 0018:ffffc900042e7478 EFLAGS: 00010282
[ 331.181732][ T6314] RAX: 0000000000000000 RBX: ffff888132289e14 RCX: 0000000000000000
[ 331.186838][ T6314] RDX: 0000000000000004 RSI: 0000000000000008 RDI: fffff5200085ce81
[ 331.191927][ T6314] RBP: 0000000000000003 R08: 0000000000000001 R09: ffff88839d733607
[ 331.197047][ T6314] R10: ffffed1073ae66c0 R11: 0000000000000001 R12: 0000000000000900
[ 331.202147][ T6314] R13: ffff888132289e14 R14: ffff888132289d20 R15: ffff888132289f70
[ 331.207231][ T6314] FS: 00007f8ba53b6600(0000) GS:ffff88839d700000(0000) knlGS:0000000000000000
[ 331.216955][ T6314] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 331.221817][ T6314] CR2: 00007f8ba2de5000 CR3: 000000013a6c6000 CR4: 00000000000006e0
[ 331.227030][ T6314] DR0: 00007f8ba335c000 DR1: 00007f8ba3361000 DR2: 0000000000000000
[ 331.232178][ T6314] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 000000000037060a
[ 331.238635][ T6314] Call Trace:
[ 331.242833][ T6314] <TASK>
[ 331.247316][ T6314] sock_wfree (kbuild/src/x86_64-2/include/linux/refcount.h:283 kbuild/src/x86_64-2/include/linux/refcount.h:310 kbuild/src/x86_64-2/net/core/sock.c:2360)
[ 331.251638][ T6314] ? __ip6_append_data+0x2c50/0x43c0
[ 331.256288][ T6314] skb_release_head_state (kbuild/src/x86_64-2/include/linux/skbuff.h:4542 kbuild/src/x86_64-2/net/core/skbuff.c:742)
[ 331.260864][ T6314] kfree_skb_reason (kbuild/src/x86_64-2/net/core/skbuff.c:751 kbuild/src/x86_64-2/net/core/skbuff.c:766 kbuild/src/x86_64-2/net/core/skbuff.c:788 kbuild/src/x86_64-2/net/core/skbuff.c:780)
[ 331.265305][ T6314] __ip6_append_data+0x2c50/0x43c0
[ 331.269912][ T6314] ? ip_reply_glue_bits (kbuild/src/x86_64-2/net/ipv4/ip_output.c:932)
[ 331.274447][ T6314] ? ip6_dst_lookup_tail+0x9fc/0x1940
[ 331.279167][ T6314] ? ip6_dst_lookup (kbuild/src/x86_64-2/net/ipv6/ip6_output.c:1446)
[ 331.283534][ T6314] ? ip6_setup_cork (kbuild/src/x86_64-2/arch/x86/include/asm/bitops.h:207 kbuild/src/x86_64-2/include/asm-generic/bitops/instrumented-non-atomic.h:135 kbuild/src/x86_64-2/include/net/sock.h:924 kbuild/src/x86_64-2/include/net/sock.h:2698 kbuild/src/x86_64-2/include/net/sock.h:2705 kbuild/src/x86_64-2/net/ipv6/ip6_output.c:1435)
[ 331.287940][ T6314] ip6_make_skb (kbuild/src/x86_64-2/net/ipv6/ip6_output.c:2062)
[ 331.292274][ T6314] ? ip_reply_glue_bits (kbuild/src/x86_64-2/net/ipv4/ip_output.c:932)
[ 331.296755][ T6314] ? ip6_push_pending_frames (kbuild/src/x86_64-2/net/ipv6/ip6_output.c:2032)
[ 331.303788][ T6314] ? ip6_dst_lookup_flow (kbuild/src/x86_64-2/net/ipv6/ip6_output.c:1218)
[ 331.308277][ T6314] ? ip6_dst_lookup_tail+0x1940/0x1940
[ 331.317237][ T6314] ? unwind_next_frame (kbuild/src/x86_64-2/arch/x86/kernel/unwind_orc.c:596)
[ 331.321644][ T6314] ? udpv6_sendmsg (kbuild/src/x86_64-2/net/ipv6/udp.c:1549)
[ 331.326373][ T6314] udpv6_sendmsg (kbuild/src/x86_64-2/net/ipv6/udp.c:1549)
[ 331.330687][ T6314] ? ip_reply_glue_bits (kbuild/src/x86_64-2/net/ipv4/ip_output.c:932)
[ 331.334951][ T6314] ? udp_v6_push_pending_frames (kbuild/src/x86_64-2/net/ipv6/udp.c:1295)
[ 331.339390][ T6314] ? stack_trace_save (kbuild/src/x86_64-2/kernel/stacktrace.c:123)
[ 331.343555][ T6314] ? kfree (kbuild/src/x86_64-2/mm/slub.c:3534 kbuild/src/x86_64-2/mm/slub.c:4562)
[ 331.347679][ T6314] ? kasan_save_stack (kbuild/src/x86_64-2/mm/kasan/common.c:40)
[ 331.351916][ T6314] ? kasan_save_stack (kbuild/src/x86_64-2/mm/kasan/common.c:39)
[ 331.356042][ T6314] ? kasan_set_track (kbuild/src/x86_64-2/mm/kasan/common.c:45)
[ 331.360104][ T6314] ? kasan_set_free_info (kbuild/src/x86_64-2/mm/kasan/generic.c:372)
[ 331.364227][ T6314] ? ____kasan_slab_free (kbuild/src/x86_64-2/mm/kasan/common.c:369 kbuild/src/x86_64-2/mm/kasan/common.c:329)
[ 331.368372][ T6314] ? slab_free_freelist_hook (kbuild/src/x86_64-2/mm/slub.c:1780)
[ 331.372557][ T6314] ? kfree (kbuild/src/x86_64-2/mm/slub.c:3534 kbuild/src/x86_64-2/mm/slub.c:4562)
[ 331.376273][ T6314] ? proc_sys_call_handler (kbuild/src/x86_64-2/fs/proc/proc_sysctl.c:623)
[ 331.380162][ T6314] ? new_sync_read (kbuild/src/x86_64-2/fs/read_write.c:391 (discriminator 1))
[ 331.383816][ T6314] ? aa_af_perm (kbuild/src/x86_64-2/security/apparmor/net.c:165)
[ 331.395471][ T6314] ? iovec_from_user (kbuild/src/x86_64-2/lib/iov_iter.c:1851)
[ 331.423953][ T6314] ? inet6_compat_ioctl (kbuild/src/x86_64-2/net/ipv6/af_inet6.c:644)
[ 331.459567][ T6314] ? sock_sendmsg (kbuild/src/x86_64-2/net/socket.c:717 kbuild/src/x86_64-2/net/socket.c:734)
[ 331.489443][ T6314] sock_sendmsg (kbuild/src/x86_64-2/net/socket.c:717 kbuild/src/x86_64-2/net/socket.c:734)
[ 331.514623][ T6314] ____sys_sendmsg (kbuild/src/x86_64-2/net/socket.c:2482)
[ 331.539866][ T6314] ? kernel_sendmsg (kbuild/src/x86_64-2/net/socket.c:2429)
[ 331.564789][ T6314] ? __copy_msghdr (kbuild/src/x86_64-2/net/socket.c:2409)
[ 331.589392][ T6314] ___sys_sendmsg (kbuild/src/x86_64-2/net/socket.c:2538)
[ 331.619395][ T6314] ? __ia32_sys_recvmmsg (kbuild/src/x86_64-2/net/socket.c:2525)
[ 331.640747][ T6314] ? run_posix_cpu_timers (kbuild/src/x86_64-2/arch/x86/include/asm/atomic64_64.h:22 kbuild/src/x86_64-2/include/linux/atomic/atomic-instrumented.h:647 kbuild/src/x86_64-2/kernel/time/posix-cpu-timers.c:236 kbuild/src/x86_64-2/kernel/time/posix-cpu-timers.c:1147 kbuild/src/x86_64-2/kernel/time/posix-cpu-timers.c:1393)
[ 331.653931][ T6314] ? timerqueue_add (kbuild/src/x86_64-2/lib/timerqueue.c:41)
[ 331.658013][ T6314] ? enqueue_hrtimer (kbuild/src/x86_64-2/kernel/time/hrtimer.c:1092 (discriminator 3))
[ 331.661252][ T6314] ? __fget_light (kbuild/src/x86_64-2/arch/x86/include/asm/atomic.h:29 kbuild/src/x86_64-2/include/linux/atomic/atomic-instrumented.h:28 kbuild/src/x86_64-2/fs/file.c:1005)
[ 331.664125][ T6314] __sys_sendmsg (kbuild/src/x86_64-2/include/linux/file.h:31 kbuild/src/x86_64-2/net/socket.c:2567)
[ 331.666985][ T6314] ? __sys_sendmsg_sock (kbuild/src/x86_64-2/net/socket.c:2553)
[ 331.669940][ T6314] ? irqtime_account_irq (kbuild/src/x86_64-2/kernel/sched/cputime.c:60)
[ 331.672903][ T6314] do_syscall_64 (kbuild/src/x86_64-2/arch/x86/entry/common.c:50 kbuild/src/x86_64-2/arch/x86/entry/common.c:80)
[ 331.675853][ T6314] entry_SYSCALL_64_after_hwframe (kbuild/src/x86_64-2/arch/x86/entry/entry_64.S:120)
[ 331.678874][ T6314] RIP: 0033:0x7f8ba52e89b9
[ 331.681933][ T6314] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a7 54 0c 00 f7 d8 64 89 01 48
All code
========
0: 00 c3 add %al,%bl
2: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
9: 00 00 00
c: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
11: 48 89 f8 mov %rdi,%rax
14: 48 89 f7 mov %rsi,%rdi
17: 48 89 d6 mov %rdx,%rsi
1a: 48 89 ca mov %rcx,%rdx
1d: 4d 89 c2 mov %r8,%r10
20: 4d 89 c8 mov %r9,%r8
23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 73 01 jae 0x33
32: c3 retq
33: 48 8b 0d a7 54 0c 00 mov 0xc54a7(%rip),%rcx # 0xc54e1
3a: f7 d8 neg %eax
3c: 64 89 01 mov %eax,%fs:(%rcx)
3f: 48 rex.W
Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 73 01 jae 0x9
8: c3 retq
9: 48 8b 0d a7 54 0c 00 mov 0xc54a7(%rip),%rcx # 0xc54b7
10: f7 d8 neg %eax
12: 64 89 01 mov %eax,%fs:(%rcx)
15: 48 rex.W
To reproduce:
# build kernel
cd linux
cp config-5.19.0-05305-g9a7635855aaf .config
make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
cd <mod-install-dir>
find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email
# if you come across any failure that blocks the test,
# please remove the ~/.lkp and /lkp dirs to run from a clean state.
--
0-DAY CI Kernel Test Service
https://01.org/lkp
View attachment "config-5.19.0-05305-g9a7635855aaf" of type "text/plain" (165651 bytes)
View attachment "job-script" of type "text/plain" (4598 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (20188 bytes)
View attachment "trinity" of type "text/plain" (7112 bytes)