Message-ID: <20210118064734.GC7554@xsang-OptiPlex-9020>
Date: Mon, 18 Jan 2021 14:47:34 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Alexey Gladkov <gladkov.alexey@...il.com>
Cc: 0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
	lkp@...ts.01.org, io-uring@...r.kernel.org,
	Kernel Hardening <kernel-hardening@...ts.openwall.com>,
	Linux Containers <containers@...ts.linux-foundation.org>,
	linux-mm@...ck.org, Alexey Gladkov <legion@...nel.org>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Christian Brauner <christian.brauner@...ntu.com>,
	"Eric W . Biederman" <ebiederm@...ssion.com>,
	Jann Horn <jannh@...gle.com>, Jens Axboe <axboe@...nel.dk>,
	Kees Cook <keescook@...omium.org>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Oleg Nesterov <oleg@...hat.com>
Subject: 14c3c8a27f: kernel_BUG_at_kernel/cred.c


Greetings,

FYI, we noticed the following commit (built with gcc-9):

commit: 14c3c8a27f70d6d6b7c1d64a9af899eb80169495 ("[RFC PATCH v3 2/8] Add a reference to ucounts for each cred")
url: https://github.com/0day-ci/linux/commits/Alexey-Gladkov/Count-rlimits-in-each-user-namespace/20210115-230051
base: https://git.kernel.org/cgit/linux/kernel/git/shuah/linux-kselftest.git next

in testcase: trinity
version: trinity-i386
with following parameters:

	runtime: 300s

test-description: Trinity is a Linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):


+---------------------------------------------------+------------+------------+
|                                                   | c25050162e | 14c3c8a27f |
+---------------------------------------------------+------------+------------+
| boot_successes                                    | 0          | 0          |
| boot_failures                                     | 8          | 8          |
| WARNING:at_lib/refcount.c:#refcount_warn_saturate | 7          | 8          |
| EIP:refcount_warn_saturate                        | 7          | 8          |
| BUG:kernel_hang_in_boot_stage                     | 1          |            |
| kernel_BUG_at_kernel/cred.c                       | 0          | 3          |
| invalid_opcode:#[##]                              | 0          | 3          |
| EIP:__put_cred                                    | 0          | 7          |
| Kernel_panic-not_syncing:Fatal_exception          | 0          | 7          |
| BUG:kernel_NULL_pointer_dereference,address       | 0          | 4          |
| Oops:#[##]                                        | 0          | 4          |
+---------------------------------------------------+------------+------------+


If you fix the issue, kindly add the following tag:
Reported-by: kernel test robot <oliver.sang@...el.com>


[   77.068709] kernel BUG at kernel/cred.c:150!
[   77.069392] invalid opcode: 0000 [#1] SMP
[   77.070035] CPU: 1 PID: 895 Comm: trinity-c7 Tainted: G        W         5.11.0-rc2-00004-g14c3c8a27f70 #1
[   77.071425] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[   77.072871] EIP: __put_cred (kbuild/src/consumer/kernel/cred.c:150 (discriminator 1)) 
[ 77.073493] Code: 66 90 ba 90 b4 e7 c3 89 c8 e8 f4 6e 04 00 5d c3 66 90 0f 0b 8d b6 00 00 00 00 0f 0b 8d b6 00 00 00 00 0f 0b 8d b6 00 00 00 00 <0f> 0b 8d b6 00 00 00 00 89 c2 64 8b 0d cc 66 0e c5 8b 81 a8 04 00
All code
========
   0:	66 90                	xchg   %ax,%ax
   2:	ba 90 b4 e7 c3       	mov    $0xc3e7b490,%edx
   7:	89 c8                	mov    %ecx,%eax
   9:	e8 f4 6e 04 00       	callq  0x46f02
   e:	5d                   	pop    %rbp
   f:	c3                   	retq   
  10:	66 90                	xchg   %ax,%ax
  12:	0f 0b                	ud2    
  14:	8d b6 00 00 00 00    	lea    0x0(%rsi),%esi
  1a:	0f 0b                	ud2    
  1c:	8d b6 00 00 00 00    	lea    0x0(%rsi),%esi
  22:	0f 0b                	ud2    
  24:	8d b6 00 00 00 00    	lea    0x0(%rsi),%esi
  2a:*	0f 0b                	ud2    		<-- trapping instruction
  2c:	8d b6 00 00 00 00    	lea    0x0(%rsi),%esi
  32:	89 c2                	mov    %eax,%edx
  34:	64 8b 0d cc 66 0e c5 	mov    %fs:-0x3af19934(%rip),%ecx        # 0xffffffffc50e6707
  3b:	8b                   	.byte 0x8b
  3c:	81                   	.byte 0x81
  3d:	a8 04                	test   $0x4,%al
	...

Code starting with the faulting instruction
===========================================
   0:	0f 0b                	ud2    
   2:	8d b6 00 00 00 00    	lea    0x0(%rsi),%esi
   8:	89 c2                	mov    %eax,%edx
   a:	64 8b 0d cc 66 0e c5 	mov    %fs:-0x3af19934(%rip),%ecx        # 0xffffffffc50e66dd
  11:	8b                   	.byte 0x8b
  12:	81                   	.byte 0x81
  13:	a8 04                	test   $0x4,%al
	...
[   77.076068] EAX: de3ef880 EBX: de2af080 ECX: 00000000 EDX: 00000000
[   77.076997] ESI: de3ef880 EDI: 00000000 EBP: de349f74 ESP: de349f50
[   77.077896] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010282
[   77.078914] CR0: 80050033 CR2: b7cb2ff0 CR3: 030a4000 CR4: 000406d0
[   77.079858] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[   77.080745] DR6: fffe0ff0 DR7: 00000400
[   77.081373] Call Trace:
[   77.081834] ? keyctl_session_to_parent (kbuild/src/consumer/security/keys/keyctl.c:1711) 
[   77.082629] __ia32_sys_keyctl (kbuild/src/consumer/security/keys/keyctl.c:1951 kbuild/src/consumer/security/keys/keyctl.c:1869 kbuild/src/consumer/security/keys/keyctl.c:1869) 
[   77.083320] __do_fast_syscall_32 (kbuild/src/consumer/arch/x86/entry/common.c:78 kbuild/src/consumer/arch/x86/entry/common.c:137) 
[   77.084032] do_fast_syscall_32 (kbuild/src/consumer/arch/x86/entry/common.c:160) 
[   77.084704] do_SYSENTER_32 (kbuild/src/consumer/arch/x86/entry/common.c:204) 
[   77.085316] entry_SYSENTER_32 (kbuild/src/consumer/arch/x86/entry/entry_32.S:953) 
[   77.085973] EIP: 0xb7f04549
[ 77.086493] Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90 8d 76
All code
========
   0:	03 74 c0 01          	add    0x1(%rax,%rax,8),%esi
   4:	10 05 03 74 b8 01    	adc    %al,0x1b87403(%rip)        # 0x1b8740d
   a:	10 06                	adc    %al,(%rsi)
   c:	03 74 b4 01          	add    0x1(%rsp,%rsi,4),%esi
  10:	10 07                	adc    %al,(%rdi)
  12:	03 74 b0 01          	add    0x1(%rax,%rsi,4),%esi
  16:	10 08                	adc    %cl,(%rax)
  18:	03 74 d8 01          	add    0x1(%rax,%rbx,8),%esi
  1c:	00 00                	add    %al,(%rax)
  1e:	00 00                	add    %al,(%rax)
  20:	00 51 52             	add    %dl,0x52(%rcx)
  23:	55                   	push   %rbp
  24:	89 e5                	mov    %esp,%ebp
  26:	0f 34                	sysenter 
  28:	cd 80                	int    $0x80
  2a:*	5d                   	pop    %rbp		<-- trapping instruction
  2b:	5a                   	pop    %rdx
  2c:	59                   	pop    %rcx
  2d:	c3                   	retq   
  2e:	90                   	nop
  2f:	90                   	nop
  30:	90                   	nop
  31:	90                   	nop
  32:	8d 76 00             	lea    0x0(%rsi),%esi
  35:	58                   	pop    %rax
  36:	b8 77 00 00 00       	mov    $0x77,%eax
  3b:	cd 80                	int    $0x80
  3d:	90                   	nop
  3e:	8d                   	.byte 0x8d
  3f:	76                   	.byte 0x76

Code starting with the faulting instruction
===========================================
   0:	5d                   	pop    %rbp
   1:	5a                   	pop    %rdx
   2:	59                   	pop    %rcx
   3:	c3                   	retq   
   4:	90                   	nop
   5:	90                   	nop
   6:	90                   	nop
   7:	90                   	nop
   8:	8d 76 00             	lea    0x0(%rsi),%esi
   b:	58                   	pop    %rax
   c:	b8 77 00 00 00       	mov    $0x77,%eax
  11:	cd 80                	int    $0x80
  13:	90                   	nop
  14:	8d                   	.byte 0x8d
  15:	76                   	.byte 0x76
[   77.089120] EAX: ffffffda EBX: 00000012 ECX: ffff8a8b EDX: ffffffff
[   77.090075] ESI: 7d7d7d7d EDI: 000000a3 EBP: 426bb44d ESP: bfaa6c8c
[   77.091007] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000296
[   77.092031] Modules linked in:
[   77.092629] ---[ end trace 66869751d0fb6313 ]---
[   77.093388] EIP: __put_cred (kbuild/src/consumer/kernel/cred.c:150 (discriminator 1)) 
[ 77.094000] Code: 66 90 ba 90 b4 e7 c3 89 c8 e8 f4 6e 04 00 5d c3 66 90 0f 0b 8d b6 00 00 00 00 0f 0b 8d b6 00 00 00 00 0f 0b 8d b6 00 00 00 00 <0f> 0b 8d b6 00 00 00 00 89 c2 64 8b 0d cc 66 0e c5 8b 81 a8 04 00
All code
========
   0:	66 90                	xchg   %ax,%ax
   2:	ba 90 b4 e7 c3       	mov    $0xc3e7b490,%edx
   7:	89 c8                	mov    %ecx,%eax
   9:	e8 f4 6e 04 00       	callq  0x46f02
   e:	5d                   	pop    %rbp
   f:	c3                   	retq   
  10:	66 90                	xchg   %ax,%ax
  12:	0f 0b                	ud2    
  14:	8d b6 00 00 00 00    	lea    0x0(%rsi),%esi
  1a:	0f 0b                	ud2    
  1c:	8d b6 00 00 00 00    	lea    0x0(%rsi),%esi
  22:	0f 0b                	ud2    
  24:	8d b6 00 00 00 00    	lea    0x0(%rsi),%esi
  2a:*	0f 0b                	ud2    		<-- trapping instruction
  2c:	8d b6 00 00 00 00    	lea    0x0(%rsi),%esi
  32:	89 c2                	mov    %eax,%edx
  34:	64 8b 0d cc 66 0e c5 	mov    %fs:-0x3af19934(%rip),%ecx        # 0xffffffffc50e6707
  3b:	8b                   	.byte 0x8b
  3c:	81                   	.byte 0x81
  3d:	a8 04                	test   $0x4,%al
	...

Code starting with the faulting instruction
===========================================
   0:	0f 0b                	ud2    
   2:	8d b6 00 00 00 00    	lea    0x0(%rsi),%esi
   8:	89 c2                	mov    %eax,%edx
   a:	64 8b 0d cc 66 0e c5 	mov    %fs:-0x3af19934(%rip),%ecx        # 0xffffffffc50e66dd
  11:	8b                   	.byte 0x8b
  12:	81                   	.byte 0x81
  13:	a8 04                	test   $0x4,%al


To reproduce:

        # build kernel
        cd linux
        cp config-5.11.0-rc2-00004-g14c3c8a27f70 .config
        make HOSTCC=gcc-9 CC=gcc-9 ARCH=i386 olddefconfig prepare modules_prepare bzImage

        # run the reproducer under qemu with the attached job-script
        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email



Thanks,
Oliver Sang


View attachment "config-5.11.0-rc2-00004-g14c3c8a27f70" of type "text/plain" (123245 bytes)

View attachment "job-script" of type "text/plain" (3980 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (12756 bytes)
