Message-ID: <20210301065134.GA12822@xsang-OptiPlex-9020>
Date: Mon, 1 Mar 2021 14:51:34 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Alexey Gladkov <gladkov.alexey@...il.com>
Cc: 0day robot <lkp@...el.com>, kernel test robot <oliver.sang@...el.com>, LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org, io-uring@...r.kernel.org, Kernel Hardening <kernel-hardening@...ts.openwall.com>, Linux Containers <containers@...ts.linux-foundation.org>, linux-mm@...ck.org, Alexey Gladkov <legion@...nel.org>, Andrew Morton <akpm@...ux-foundation.org>, Christian Brauner <christian.brauner@...ntu.com>, "Eric W . Biederman" <ebiederm@...ssion.com>, Jann Horn <jannh@...gle.com>, Jens Axboe <axboe@...nel.dk>, Kees Cook <keescook@...omium.org>, Linus Torvalds <torvalds@...ux-foundation.org>, Oleg Nesterov <oleg@...hat.com>
Subject: 5b5c35b757: BUG:KASAN:use-after-free_in_dec_rlimit_ucounts

Greeting,

FYI, we noticed the following commit (built with gcc-9):

commit: 5b5c35b757a192cc54eb96137761da67e7ce0520 ("[PATCH v7 6/7] Reimplement RLIMIT_MEMLOCK on top of ucounts")
url: https://github.com/0day-ci/linux/commits/Alexey-Gladkov/Count-rlimits-in-each-user-namespace/20210222-175836
base: https://git.kernel.org/cgit/linux/kernel/git/shuah/linux-kselftest.git next

in testcase: trinity
version: trinity-static-x86_64-x86_64-f93256fb_2019-08-28
with following parameters:

    group: ["group-00", "group-01", "group-02", "group-03", "group-04"]

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/

on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):

+------------------------------------------------+------------+------------+
|                                                | d28296d248 | 5b5c35b757 |
+------------------------------------------------+------------+------------+
| boot_failures                                  | 0          | 5          |
| BUG:KASAN:use-after-free_in_dec_rlimit_ucounts | 0          | 5          |
| canonical_address#:#[##]                       | 0          | 1          |
| RIP:dec_rlimit_ucounts                         | 0          | 1          |
| Kernel_panic-not_syncing:Fatal_exception       | 0          | 1          |
+------------------------------------------------+------------+------------+

If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>

[ 235.817305] BUG: KASAN: use-after-free in dec_rlimit_ucounts (kbuild/src/consumer/kernel/ucount.c:302 (discriminator 3))
[ 235.818278] Read of size 8 at addr ffff88810687b1d0 by task trinity-c2/4730
[ 235.819266]
[ 235.819585] CPU: 0 PID: 4730 Comm: trinity-c2 Not tainted 5.11.0-rc7-00017-g5b5c35b757a1 #1
[ 235.820944] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 235.822206] Call Trace:
[ 235.822646] dump_stack (kbuild/src/consumer/lib/dump_stack.c:131)
[ 235.823195] print_address_description+0x21/0x140
[ 235.824066] ? dec_rlimit_ucounts (kbuild/src/consumer/kernel/ucount.c:302 (discriminator 3))
[ 235.824815] kasan_report.cold (kbuild/src/consumer/mm/kasan/report.c:397 kbuild/src/consumer/mm/kasan/report.c:413)
[ 235.825530] ? dec_rlimit_ucounts (kbuild/src/consumer/kernel/ucount.c:302 (discriminator 3))
[ 235.826260] __asan_load8 (kbuild/src/consumer/mm/kasan/generic.c:252)
[ 235.826848] dec_rlimit_ucounts (kbuild/src/consumer/kernel/ucount.c:302 (discriminator 3))
[ 235.827549] user_shm_unlock (kbuild/src/consumer/include/linux/spinlock.h:394 kbuild/src/consumer/mm/mlock.c:851)
[ 235.828237] shmem_lock (kbuild/src/consumer/mm/shmem.c:2247)
[ 235.828867] ksys_shmctl+0xc1b/0xe70
[ 235.829658] ? __fsnotify_parent (kbuild/src/consumer/fs/notify/fsnotify.c:200)
[ 235.830391] ? shm_mmap (kbuild/src/consumer/ipc/shm.c:1139)
[ 235.831035] ? ftrace_likely_update (kbuild/src/consumer/kernel/trace/trace_branch.c:225)
[ 235.831765] ? ftrace_likely_update (kbuild/src/consumer/kernel/trace/trace_branch.c:225)
[ 235.832545] ? pvclock_clocksource_read (kbuild/src/consumer/arch/x86/kernel/pvclock.c:80)
[ 235.833390] ? ftrace_likely_update (kbuild/src/consumer/kernel/trace/trace_branch.c:227)
[ 235.834154] ? ftrace_likely_update (kbuild/src/consumer/kernel/trace/trace_branch.c:225)
[ 235.834866] ? get_vtime_delta (kbuild/src/consumer/kernel/sched/cputime.c:658 (discriminator 3))
[ 235.835497] ? ftrace_likely_update (kbuild/src/consumer/kernel/trace/trace_branch.c:227)
[ 235.836217] __x64_sys_shmctl (kbuild/src/consumer/ipc/shm.c:1193)
[ 235.836912] do_syscall_64 (kbuild/src/consumer/arch/x86/entry/common.c:46)
[ 235.837540] entry_SYSCALL_64_after_hwframe (kbuild/src/consumer/arch/x86/entry/entry_64.S:127)
[ 235.838348] RIP: 0033:0x453b29
[ 235.838867] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 84 00 00 c3 66 2e 0f 1f 84 00 00 00 00
All code
========
   0:   00 f3                   add    %dh,%bl
   2:   c3                      retq
   3:   66 2e 0f 1f 84 00 00    nopw   %cs:0x0(%rax,%rax,1)
   a:   00 00 00
   d:   0f 1f 40 00             nopl   0x0(%rax)
  11:   48 89 f8                mov    %rdi,%rax
  14:   48 89 f7                mov    %rsi,%rdi
  17:   48 89 d6                mov    %rdx,%rsi
  1a:   48 89 ca                mov    %rcx,%rdx
  1d:   4d 89 c2                mov    %r8,%r10
  20:   4d 89 c8                mov    %r9,%r8
  23:   4c 8b 4c 24 08          mov    0x8(%rsp),%r9
  28:   0f 05                   syscall
  2a:*  48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax    <-- trapping instruction
  30:   0f 83 3b 84 00 00       jae    0x8471
  36:   c3                      retq
  37:   66                      data16
  38:   2e                      cs
  39:   0f                      .byte 0xf
  3a:   1f                      (bad)
  3b:   84 00                   test   %al,(%rax)
  3d:   00 00                   add    %al,(%rax)
        ...

Code starting with the faulting instruction
===========================================
   0:   48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax
   6:   0f 83 3b 84 00 00       jae    0x8447
   c:   c3                      retq
   d:   66                      data16
   e:   2e                      cs
   f:   0f                      .byte 0xf
  10:   1f                      (bad)
  11:   84 00                   test   %al,(%rax)
  13:   00 00                   add    %al,(%rax)
        ...
[ 235.841605] RSP: 002b:00007ffd5b1195a8 EFLAGS: 00000246 ORIG_RAX: 000000000000001f
[ 235.842731] RAX: ffffffffffffffda RBX: 000000000000001f RCX: 0000000000453b29
[ 235.843745] RDX: 00007f903f38e000 RSI: 000000000000000c RDI: 0000000000000000
[ 235.844880] RBP: 00007ffd5b119650 R08: 00000000000000de R09: ffffffffffffffff
[ 235.845958] R10: 0000000000000200 R11: 0000000000000246 R12: 0000000000000002
[ 235.847062] R13: 00007f903f899058 R14: 00000000010a2830 R15: 00007f903f899000
[ 235.848178]
[ 235.848538] Allocated by task 4043:
[ 235.849196] kasan_save_stack (kbuild/src/consumer/mm/kasan/common.c:39)
[ 235.849892] ____kasan_kmalloc+0x87/0xb0
[ 235.850711] __kasan_slab_alloc (kbuild/src/consumer/mm/kasan/common.c:438)
[ 235.851394] kmem_cache_alloc (kbuild/src/consumer/include/linux/kasan.h:209 kbuild/src/consumer/mm/slab.h:512 kbuild/src/consumer/mm/slub.c:2892 kbuild/src/consumer/mm/slub.c:2900 kbuild/src/consumer/mm/slub.c:2905)
[ 235.852114] create_user_ns (kbuild/src/consumer/include/linux/slab.h:672 kbuild/src/consumer/kernel/user_namespace.c:105)
[ 235.852801] unshare_userns (kbuild/src/consumer/kernel/user_namespace.c:168)
[ 235.853464] ksys_unshare (kbuild/src/consumer/kernel/fork.c:2956)
[ 235.854145] __x64_sys_unshare (kbuild/src/consumer/kernel/fork.c:3031)
[ 235.854827] do_syscall_64 (kbuild/src/consumer/arch/x86/entry/common.c:46)
[ 235.855485] entry_SYSCALL_64_after_hwframe (kbuild/src/consumer/arch/x86/entry/entry_64.S:127)
[ 235.856368]
[ 235.856733] Freed by task 5:
[ 235.857292] kasan_save_stack (kbuild/src/consumer/mm/kasan/common.c:39)
[ 235.857967] kasan_set_track (kbuild/src/consumer/mm/kasan/common.c:46)
[ 235.858627] kasan_set_free_info (kbuild/src/consumer/mm/kasan/generic.c:358)
[ 235.859329] ____kasan_slab_free (kbuild/src/consumer/mm/kasan/common.c:364)
[ 235.860068] __kasan_slab_free (kbuild/src/consumer/mm/kasan/common.c:370)
[ 235.860761] kmem_cache_free (kbuild/src/consumer/mm/slub.c:1580 kbuild/src/consumer/mm/slub.c:3143 kbuild/src/consumer/mm/slub.c:3159)
[ 235.861439] free_user_ns (kbuild/src/consumer/kernel/user_namespace.c:39 kbuild/src/consumer/kernel/user_namespace.c:202)
[ 235.862059] process_one_work (kbuild/src/consumer/arch/x86/include/asm/jump_label.h:25 kbuild/src/consumer/include/linux/jump_label.h:200 kbuild/src/consumer/include/trace/events/workqueue.h:108 kbuild/src/consumer/kernel/workqueue.c:2280)
[ 235.862754] worker_thread (kbuild/src/consumer/include/linux/list.h:282 kbuild/src/consumer/kernel/workqueue.c:2422)
[ 235.863378] kthread (kbuild/src/consumer/kernel/kthread.c:292)
[ 235.863912] ret_from_fork (kbuild/src/consumer/arch/x86/entry/entry_64.S:302)
[ 235.864576]
[ 235.864940] Last potentially related work creation:
[ 235.865717] kasan_save_stack (kbuild/src/consumer/mm/kasan/common.c:39)
[ 235.866382] kasan_record_aux_stack (kbuild/src/consumer/mm/kasan/generic.c:344)
[ 235.867124] insert_work (kbuild/src/consumer/include/linux/instrumented.h:71 kbuild/src/consumer/include/asm-generic/bitops/instrumented-non-atomic.h:134 kbuild/src/consumer/kernel/workqueue.c:615 kbuild/src/consumer/kernel/workqueue.c:622 kbuild/src/consumer/kernel/workqueue.c:1334)
[ 235.867769] __queue_work (kbuild/src/consumer/kernel/workqueue.c:1500)
[ 235.868448] queue_work_on (kbuild/src/consumer/kernel/workqueue.c:1525)
[ 235.869116] __put_user_ns (kbuild/src/consumer/kernel/user_namespace.c:210)
[ 235.869752] cleanup_net (kbuild/src/consumer/include/linux/user_namespace.h:142 kbuild/src/consumer/include/linux/user_namespace.h:139 kbuild/src/consumer/net/core/net_namespace.c:622)
[ 235.870370] process_one_work (kbuild/src/consumer/arch/x86/include/asm/jump_label.h:25 kbuild/src/consumer/include/linux/jump_label.h:200 kbuild/src/consumer/include/trace/events/workqueue.h:108 kbuild/src/consumer/kernel/workqueue.c:2280)
[ 235.871057] worker_thread (kbuild/src/consumer/include/linux/list.h:282 kbuild/src/consumer/kernel/workqueue.c:2422)
[ 235.871706] kthread (kbuild/src/consumer/kernel/kthread.c:292)
[ 235.872321] ret_from_fork (kbuild/src/consumer/arch/x86/entry/entry_64.S:302)
[ 235.872974]
[ 235.873343] Second to last potentially related work creation:
[ 235.874266] kasan_save_stack (kbuild/src/consumer/mm/kasan/common.c:39)
[ 235.874934] kasan_record_aux_stack (kbuild/src/consumer/mm/kasan/generic.c:344)
[ 235.875695] insert_work (kbuild/src/consumer/include/linux/instrumented.h:71 kbuild/src/consumer/include/asm-generic/bitops/instrumented-non-atomic.h:134 kbuild/src/consumer/kernel/workqueue.c:615 kbuild/src/consumer/kernel/workqueue.c:622 kbuild/src/consumer/kernel/workqueue.c:1334)
[ 235.876369] __queue_work (kbuild/src/consumer/kernel/workqueue.c:1500)
[ 235.877033] queue_work_on (kbuild/src/consumer/kernel/workqueue.c:1525)
[ 235.877677] __put_user_ns (kbuild/src/consumer/kernel/user_namespace.c:210)
[ 235.878286] put_cred_rcu (kbuild/src/consumer/include/linux/user_namespace.h:142 kbuild/src/consumer/kernel/cred.c:125)
[ 235.878875] rcu_do_batch+0x1e2/0x940
[ 235.879591] rcu_core (kbuild/src/consumer/kernel/rcu/tree.c:2723)
[ 235.880212] rcu_core_si (kbuild/src/consumer/kernel/rcu/tree.c:2737)
[ 235.880832] __do_softirq (kbuild/src/consumer/arch/x86/include/asm/jump_label.h:25 kbuild/src/consumer/include/linux/jump_label.h:200 kbuild/src/consumer/include/trace/events/irq.h:142 kbuild/src/consumer/kernel/softirq.c:344)
[ 235.881520]
[ 235.881867] The buggy address belongs to the object at ffff88810687aff8
[ 235.881867] which belongs to the cache user_namespace of size 592
[ 235.883687] The buggy address is located 472 bytes inside of
[ 235.883687] 592-byte region [ffff88810687aff8, ffff88810687b248)
[ 235.885560] The buggy address belongs to the page:
[ 235.886343] page:0000000066c321d7 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88810687b3a8 pfn:0x106878
[ 235.887924] head:0000000066c321d7 order:2 compound_mapcount:0 compound_pincount:0
[ 235.889214] flags: 0x8000000000010200(slab|head)
[ 235.889993] raw: 8000000000010200 ffff888100c25648 ffff888100c25648 ffff888100c8ccc0
[ 235.891261] raw: ffff88810687b3a8 000000000011000a 00000001ffffffff 0000000000000000
[ 235.892557] page dumped because: kasan: bad access detected
[ 235.893490]
[ 235.893838] Memory state around the buggy address:
[ 235.894636]  ffff88810687b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 235.895858]  ffff88810687b100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 235.897103] >ffff88810687b180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 235.898294]                                                  ^
[ 235.899208]  ffff88810687b200: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 235.900359]  ffff88810687b280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 235.902866] ==================================================================
[ 235.904088] Disabling lock debugging due to kernel taint

Kboot worker: lkp-worker52
Elapsed time: 240

To reproduce:

        # build kernel
        cd linux
        cp config-5.11.0-rc7-00017-g5b5c35b757a1 .config
        make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email

Thanks,
Oliver Sang

View attachment "config-5.11.0-rc7-00017-g5b5c35b757a1" of type "text/plain" (126328 bytes)
View attachment "job-script" of type "text/plain" (4345 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (14968 bytes)