| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANn89i+2t0V6XMHPRziW_mZ=LvH7wOJuZfHbRPuKrcDGSOxGVg@mail.gmail.com>
Date: Wed, 8 Feb 2023 14:38:56 +0100
From: Eric Dumazet <edumazet@...gle.com>
To: kernel test robot <oliver.sang@...el.com>
Cc: oe-lkp@...ts.linux.dev, lkp@...el.com,
Paolo Abeni <pabeni@...hat.com>,
Soheil Hassas Yeganeh <soheil@...gle.com>,
netdev@...r.kernel.org, "David S . Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>, eric.dumazet@...il.com
Subject: Re: [PATCH v2 net-next 4/4] net: add dedicated kmem_cache for
typical/small skb->head
On Wed, Feb 8, 2023 at 9:37 AM kernel test robot <oliver.sang@...el.com> wrote:
>
>
> Greeting,
>
> FYI, we noticed kernel_BUG_at_mm/usercopy.c due to commit (built with gcc-11):
>
> commit: b9943e1e516b7fd27d5163cfee1250309fb10dd3 ("[PATCH v2 net-next 4/4] net: add dedicated kmem_cache for typical/small skb->head")
> url: https://github.com/intel-lab-lkp/linux/commits/Eric-Dumazet/net-add-SKB_HEAD_ALIGN-helper/20230207-013333
> base: https://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git c21adf256f8dcfbc07436d45be4ba2edf7a6f463
> patch link: https://lore.kernel.org/all/20230206173103.2617121-5-edumazet@google.com/
> patch subject: [PATCH v2 net-next 4/4] net: add dedicated kmem_cache for typical/small skb->head
>
Thanks for the report, I will use kmem_cache_create_usercopy() instead
of kmem_cache_create()
> in testcase: boot
>
> on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
>
> caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
>
>
> If you fix the issue, kindly add following tag
> | Reported-by: kernel test robot <oliver.sang@...el.com>
> | Link: https://lore.kernel.org/oe-lkp/202302081521.8e1a1948-oliver.sang@intel.com
>
>
> [ 133.916379][ T1] ------------[ cut here ]------------
> [ 133.917321][ T1] kernel BUG at mm/usercopy.c:102!
> [ 133.918172][ T1] invalid opcode: 0000 [#1] SMP PTI
> [ 133.919045][ T1] CPU: 1 PID: 1 Comm: systemd Not tainted 6.2.0-rc6-01338-gb9943e1e516b #2
> [ 133.920417][ T1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014
> [ 133.921959][ T1] RIP: 0010:usercopy_abort (kbuild/src/x86_64-2/mm/usercopy.c:102 (discriminator 16))
> [ 133.922891][ T1] Code: e8 dc d5 73 fe ff 74 24 08 49 89 d9 4d 89 e8 ff 74 24 08 4c 89 e1 4c 89 fa 48 89 ee 41 56 48 c7 c7 90 49 5c 83 e8 98 ea fe ff <0f> 0b e8 b0 d5 73 fe 41 0f b6 d5 4d 89 e0 48 89 e9 31 f6 48 c7 c7
> All code
> ========
> 0: e8 dc d5 73 fe callq 0xfffffffffe73d5e1
> 5: ff 74 24 08 pushq 0x8(%rsp)
> 9: 49 89 d9 mov %rbx,%r9
> c: 4d 89 e8 mov %r13,%r8
> f: ff 74 24 08 pushq 0x8(%rsp)
> 13: 4c 89 e1 mov %r12,%rcx
> 16: 4c 89 fa mov %r15,%rdx
> 19: 48 89 ee mov %rbp,%rsi
> 1c: 41 56 push %r14
> 1e: 48 c7 c7 90 49 5c 83 mov $0xffffffff835c4990,%rdi
> 25: e8 98 ea fe ff callq 0xfffffffffffeeac2
> 2a:* 0f 0b ud2 <-- trapping instruction
> 2c: e8 b0 d5 73 fe callq 0xfffffffffe73d5e1
> 31: 41 0f b6 d5 movzbl %r13b,%edx
> 35: 4d 89 e0 mov %r12,%r8
> 38: 48 89 e9 mov %rbp,%rcx
> 3b: 31 f6 xor %esi,%esi
> 3d: 48 rex.W
> 3e: c7 .byte 0xc7
> 3f: c7 .byte 0xc7
>
> Code starting with the faulting instruction
> ===========================================
> 0: 0f 0b ud2
> 2: e8 b0 d5 73 fe callq 0xfffffffffe73d5b7
> 7: 41 0f b6 d5 movzbl %r13b,%edx
> b: 4d 89 e0 mov %r12,%r8
> e: 48 89 e9 mov %rbp,%rcx
> 11: 31 f6 xor %esi,%esi
> 13: 48 rex.W
> 14: c7 .byte 0xc7
> 15: c7 .byte 0xc7
> [ 133.925607][ T1] RSP: 0018:ffffc90000013c00 EFLAGS: 00010286
> [ 133.926544][ T1] RAX: 000000000000006a RBX: ffffffff835877b0 RCX: 0000000000000000
> [ 133.927822][ T1] RDX: 0000000000000000 RSI: ffffffff811f3595 RDI: ffffffff83bd7cd8
> [ 133.929183][ T1] RBP: ffffffff835407f4 R08: ffffffff850ba350 R09: 0000000000000000
> [ 133.930540][ T1] R10: 0000000000000004 R11: 0001ffffffffffff R12: ffffffff8354969c
> [ 133.931802][ T1] R13: ffffffff8354a96e R14: ffffffff8354a96f R15: ffffffff835429ca
> [ 133.933094][ T1] FS: 00007fa58ae35900(0000) GS:ffff88842fd00000(0000) knlGS:0000000000000000
> [ 133.934557][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 133.935583][ T1] CR2: 00007fa58b9aff30 CR3: 0000000100e58000 CR4: 00000000000406e0
> [ 133.936852][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 133.938174][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [ 133.939489][ T1] Call Trace:
> [ 133.940122][ T1] <TASK>
> [ 133.940724][ T1] __check_heap_object (kbuild/src/x86_64-2/mm/slub.c:4738)
> [ 133.941613][ T1] check_heap_object (kbuild/src/x86_64-2/mm/usercopy.c:196)
> [ 133.942520][ T1] __check_object_size (kbuild/src/x86_64-2/mm/usercopy.c:113 kbuild/src/x86_64-2/mm/usercopy.c:127 kbuild/src/x86_64-2/mm/usercopy.c:254 kbuild/src/x86_64-2/mm/usercopy.c:213)
> [ 133.943386][ T1] ? skb_put (kbuild/src/x86_64-2/net/core/skbuff.c:2313)
> [ 133.944151][ T1] netlink_sendmsg (kbuild/src/x86_64-2/include/linux/uio.h:187 kbuild/src/x86_64-2/include/linux/uio.h:194 kbuild/src/x86_64-2/include/linux/skbuff.h:3977 kbuild/src/x86_64-2/net/netlink/af_netlink.c:1927)
> [ 133.944969][ T1] ? __pfx_netlink_sendmsg (kbuild/src/x86_64-2/net/netlink/af_netlink.c:1861)
> [ 133.945824][ T1] sock_sendmsg (kbuild/src/x86_64-2/net/socket.c:722 kbuild/src/x86_64-2/net/socket.c:745)
> [ 133.946591][ T1] __sys_sendto (kbuild/src/x86_64-2/net/socket.c:2142)
> [ 133.947478][ T1] ? netlink_getsockopt (kbuild/src/x86_64-2/net/netlink/af_netlink.c:1840)
> [ 133.948404][ T1] ? write_comp_data (kbuild/src/x86_64-2/kernel/kcov.c:236)
> [ 133.949240][ T1] ? __pfx_netlink_getsockopt (kbuild/src/x86_64-2/net/netlink/af_netlink.c:1742)
> [ 133.950214][ T1] ? __sys_getsockopt (kbuild/src/x86_64-2/net/socket.c:2325)
> [ 133.951117][ T1] __x64_sys_sendto (kbuild/src/x86_64-2/net/socket.c:2150)
> [ 133.951965][ T1] do_syscall_64 (kbuild/src/x86_64-2/arch/x86/entry/common.c:50 kbuild/src/x86_64-2/arch/x86/entry/common.c:80)
> [ 133.952772][ T1] entry_SYSCALL_64_after_hwframe (kbuild/src/x86_64-2/arch/x86/entry/entry_64.S:120)
> [ 133.953782][ T1] RIP: 0033:0x7fa58b613366
> [ 133.954582][ T1] Code: eb 0b 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 11 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 72 c3 90 55 48 83 ec 30 44 89 4c 24 2c 4c 89
> All code
> ========
> 0: eb 0b jmp 0xd
> 2: 00 f7 add %dh,%bh
> 4: d8 64 89 02 fsubs 0x2(%rcx,%rcx,4)
> 8: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax
> f: eb b8 jmp 0xffffffffffffffc9
> 11: 0f 1f 00 nopl (%rax)
> 14: 41 89 ca mov %ecx,%r10d
> 17: 64 8b 04 25 18 00 00 mov %fs:0x18,%eax
> 1e: 00
> 1f: 85 c0 test %eax,%eax
> 21: 75 11 jne 0x34
> 23: b8 2c 00 00 00 mov $0x2c,%eax
> 28: 0f 05 syscall
> 2a:* 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax <-- trapping instruction
> 30: 77 72 ja 0xa4
> 32: c3 retq
> 33: 90 nop
> 34: 55 push %rbp
> 35: 48 83 ec 30 sub $0x30,%rsp
> 39: 44 89 4c 24 2c mov %r9d,0x2c(%rsp)
> 3e: 4c rex.WR
> 3f: 89 .byte 0x89
>
> Code starting with the faulting instruction
> ===========================================
> 0: 48 3d 00 f0 ff ff cmp $0xfffffffffffff000,%rax
> 6: 77 72 ja 0x7a
> 8: c3 retq
> 9: 90 nop
> a: 55 push %rbp
> b: 48 83 ec 30 sub $0x30,%rsp
> f: 44 89 4c 24 2c mov %r9d,0x2c(%rsp)
> 14: 4c rex.WR
> 15: 89 .byte 0x89
> [ 133.957460][ T1] RSP: 002b:00007ffe1e572498 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
> [ 133.958872][ T1] RAX: ffffffffffffffda RBX: 00007ffe1e57251c RCX: 00007fa58b613366
> [ 133.960240][ T1] RDX: 0000000000000020 RSI: 00005600c1e5bf80 RDI: 0000000000000004
> [ 133.961601][ T1] RBP: 00005600c1e5fd10 R08: 00007ffe1e5724a0 R09: 0000000000000010
> [ 133.962897][ T1] R10: 0000000000000000 R11: 0000000000000246 R12: 00005600c1e5fdf0
> [ 133.966272][ T1] R13: 0000000000000001 R14: 00005600c1e5c790 R15: 00005600c0f4e543
> [ 133.967615][ T1] </TASK>
> [ 133.968228][ T1] Modules linked in: ip_tables
> [ 133.969143][ T1] ---[ end trace 0000000000000000 ]---
> [ 133.970098][ T1] RIP: 0010:usercopy_abort (kbuild/src/x86_64-2/mm/usercopy.c:102 (discriminator 16))
> [ 133.971164][ T1] Code: e8 dc d5 73 fe ff 74 24 08 49 89 d9 4d 89 e8 ff 74 24 08 4c 89 e1 4c 89 fa 48 89 ee 41 56 48 c7 c7 90 49 5c 83 e8 98 ea fe ff <0f> 0b e8 b0 d5 73 fe 41 0f b6 d5 4d 89 e0 48 89 e9 31 f6 48 c7 c7
> All code
> ========
> 0: e8 dc d5 73 fe callq 0xfffffffffe73d5e1
> 5: ff 74 24 08 pushq 0x8(%rsp)
> 9: 49 89 d9 mov %rbx,%r9
> c: 4d 89 e8 mov %r13,%r8
> f: ff 74 24 08 pushq 0x8(%rsp)
> 13: 4c 89 e1 mov %r12,%rcx
> 16: 4c 89 fa mov %r15,%rdx
> 19: 48 89 ee mov %rbp,%rsi
> 1c: 41 56 push %r14
> 1e: 48 c7 c7 90 49 5c 83 mov $0xffffffff835c4990,%rdi
> 25: e8 98 ea fe ff callq 0xfffffffffffeeac2
> 2a:* 0f 0b ud2 <-- trapping instruction
> 2c: e8 b0 d5 73 fe callq 0xfffffffffe73d5e1
> 31: 41 0f b6 d5 movzbl %r13b,%edx
> 35: 4d 89 e0 mov %r12,%r8
> 38: 48 89 e9 mov %rbp,%rcx
> 3b: 31 f6 xor %esi,%esi
> 3d: 48 rex.W
> 3e: c7 .byte 0xc7
> 3f: c7 .byte 0xc7
>
> Code starting with the faulting instruction
> ===========================================
> 0: 0f 0b ud2
> 2: e8 b0 d5 73 fe callq 0xfffffffffe73d5b7
> 7: 41 0f b6 d5 movzbl %r13b,%edx
> b: 4d 89 e0 mov %r12,%r8
> e: 48 89 e9 mov %rbp,%rcx
> 11: 31 f6 xor %esi,%esi
> 13: 48 rex.W
> 14: c7 .byte 0xc7
> 15: c7 .byte 0xc7
>
>
> To reproduce:
>
> # build kernel
> cd linux
> cp config-6.2.0-rc6-01338-gb9943e1e516b .config
> make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
> make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
> cd <mod-install-dir>
> find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz
>
>
> git clone https://github.com/intel/lkp-tests.git
> cd lkp-tests
> bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email
>
> # if come across any failure that blocks the test,
> # please remove ~/.lkp and /lkp dir to run from a clean state.
>
>
>
> --
> 0-DAY CI Kernel Test Service
> https://github.com/intel/lkp-tests
>
>
Powered by blists - more mailing lists