[mt76] c1e0d2be0a: BUG:pagefault_on_kernel_address#in_non-whitelisted_uaccess
by kernel test robot
FYI, we noticed the following commit (built with gcc-7):
commit: c1e0d2be0acff5e99a59ddcc5af415e48abc6c5e ("mt76: mmio: introduce mt76x02_check_tx_hang watchdog")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master
in testcase: trinity
with following parameters:
runtime: 300s
test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 2G
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
+------------------------------------------------------------+------------+------------+
| | 87e86f9019 | c1e0d2be0a |
+------------------------------------------------------------+------------+------------+
| boot_successes | 167 | 140 |
| boot_failures | 0 | 23 |
| BUG:pagefault_on_kernel_address#in_non-whitelisted_uaccess | 0 | 23 |
| BUG:unable_to_handle_kernel | 0 | 23 |
| Oops:#[##] | 0 | 23 |
| RIP:strncpy_from_user | 0 | 23 |
| Kernel_panic-not_syncing:Fatal_exception | 0 | 23 |
+------------------------------------------------------------+------------+------------+
[ 10.383586] BUG: pagefault on kernel address 0xffff93d4b5cd8000 in non-whitelisted uaccess
[ 10.390934] BUG: unable to handle kernel paging request at ffff93d4b5cd8000
[ 10.390934] #PF error: [normal kernel read fault]
[ 10.390934] PGD 21e00067 P4D 21e00067 PUD 21e04067 PMD 78b57067 PTE 800fffff8a327060
[ 10.390934] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[ 10.390934] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G T 5.0.0-rc1-00033-gc1e0d2b #1
[ 10.390934] RIP: 0010:strncpy_from_user+0x87/0x10c
[ 10.390934] Code: 00 00 66 66 90 4c 39 c2 48 bb ff fe fe fe fe fe fe fe 49 ba 80 80 80 80 80 80 80 80 4c 0f 46 c2 31 c0 45 31 db eb 4c 44 89 d9 <4c> 8b 0c 06 85 c9 74 05 45 31 d2 eb 61 49 8d 0c 19 4c 89 0c 07 49
[ 10.390934] RSP: 0000:ffffbd8c00323bc0 EFLAGS: 00010206
[ 10.390934] RAX: 0000000000000028 RBX: fefefefefefefeff RCX: 0000000000000000
[ 10.390934] RDX: 0000000000000fe0 RSI: ffff93d4b5cd7fd6 RDI: ffff93d4af5e3020
[ 10.390934] RBP: 00000000ffffff9c R08: 0000000000000fe0 R09: 8c93909d92868cd1
[ 10.390934] R10: 8080808080808080 R11: 0000000000000000 R12: ffff93d4b5cd7fd6
[ 10.390934] R13: ffff93d4b5cd7fd6 R14: 0000000000000000 R15: 0000000000000000
[ 10.390934] FS: 0000000000000000(0000) GS:ffff93d4b6400000(0000) knlGS:0000000000000000
[ 10.390934] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 10.390934] CR2: ffff93d4b5cd8000 CR3: 0000000020c15000 CR4: 00000000000006e0
[ 10.390934] Call Trace:
[ 10.390934] ? getname_flags+0x6f/0x199
[ 10.390934] ? user_path_at_empty+0x18/0x2f
[ 10.390934] ? vfs_statx+0x6d/0xb3
[ 10.390934] ? clean_path+0x5c/0x102
[ 10.390934] ? do_name+0xf4/0x40e
[ 10.390934] ? write_buffer+0x52/0x8a
[ 10.390934] ? flush_buffer+0xe7/0x140
[ 10.390934] ? initrd_load+0xa8/0xa8
[ 10.390934] ? __gunzip+0x53a/0x6b7
[ 10.390934] ? bunzip2+0x76a/0x76a
[ 10.390934] ? write_buffer+0x8a/0x8a
[ 10.390934] ? gunzip+0x39/0x3d
[ 10.390934] ? initrd_load+0xa8/0xa8
[ 10.390934] ? unpack_to_rootfs+0x1c6/0x3c6
[ 10.390934] ? initrd_load+0xa8/0xa8
[ 10.390934] ? populate_rootfs+0x94/0x213
[ 10.390934] ? clean_rootfs+0x23b/0x23b
[ 10.390934] ? do_one_initcall+0x61/0x12a
[ 10.390934] ? kernel_init_freeable+0x1a8/0x305
[ 10.390934] ? rest_init+0x13a/0x13a
[ 10.390934] ? kernel_init+0x5/0xeb
[ 10.390934] ? ret_from_fork+0x35/0x40
[ 10.390934] Modules linked in:
[ 10.390934] CR2: ffff93d4b5cd8000
[ 10.390934] ---[ end trace 81b307b1a0dd06e6 ]---
To reproduce:
# build kernel
cd linux
cp config-5.0.0-rc1-00033-gc1e0d2b .config
make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 olddefconfig
make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 prepare
make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 modules_prepare
make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 SHELL=/bin/bash
make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 bzImage
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email
Thanks,
Rong Chen
[appletalk] 6377f787ae: INFO:trying_to_register_non-static_key
by kernel test robot
FYI, we noticed the following commit (built with gcc-7):
commit: 6377f787aeb945cae7abbb6474798de129e1f3ac ("appletalk: Fix use-after-free in atalk_proc_exit")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master
in testcase: trinity
with following parameters:
runtime: 300s
test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 2G
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
+-----------------------------------------------------+------------+------------+
| | e2bcd8b0ce | 6377f787ae |
+-----------------------------------------------------+------------+------------+
| boot_successes | 251 | 172 |
| boot_failures | 0 | 80 |
| INFO:trying_to_register_non-static_key | 0 | 14 |
| BUG:unable_to_handle_kernel | 0 | 77 |
| Oops:#[##] | 0 | 77 |
| RIP:__sock_release | 0 | 74 |
| Kernel_panic-not_syncing:Fatal_exception | 0 | 77 |
| WARNING:at_kernel/locking/lockdep.c:#lock_downgrade | 0 | 7 |
| RIP:lock_downgrade | 0 | 7 |
+-----------------------------------------------------+------------+------------+
[ 258.830340] INFO: trying to register non-static key.
[ 258.831833] the code is fine but needs lockdep annotation.
[ 258.833361] turning off the locking correctness validator.
[ 258.834982] CPU: 1 PID: 1295 Comm: trinity-c4 Tainted: G T 5.0.0-rc8-00103-g6377f78 #1
[ 258.837622] Call Trace:
[ 258.838363] ? dump_stack+0x46/0x59
[ 258.839447] ? register_lock_class+0x22b/0x424
[ 258.840759] ? __lock_acquire+0x56/0x70c
[ 258.842067] ? lock_acquire+0x3d/0x50
[ 258.843119] ? _raw_write_lock_bh+0x2e/0x5f
[ 258.844406] ? __sock_release+0x2d/0x86
[ 258.845544] ? sock_close+0xc/0xf
[ 258.846521] ? __fput+0x10b/0x1a6
[ 258.847516] ? task_work_run+0x7d/0x9f
[ 258.848637] ? do_exit+0x408/0x9f5
[ 258.849686] ? do_group_exit+0xa4/0xa4
[ 258.850803] ? __x64_sys_exit_group+0xf/0xf
[ 258.852024] ? do_syscall_64+0x1ae/0x25e
[ 258.853243] ? async_page_fault+0x8/0x30
[ 258.854440] ? perf_swevent_put_recursion_context+0x10/0x2a
[ 258.856167] ? __perf_sw_event+0x47/0x5b
[ 258.857328] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 258.914951] [main] 65475 iterations. [F:43837 S:21614 HI:3023]
[ 258.914956]
[ 258.939181] BUG: unable to handle kernel paging request at ffffffffc030f0b0
[ 258.941309] #PF error: [normal kernel read fault]
[ 258.942761] PGD 42619067 P4D 42619067 PUD 4261b067 PMD 4e10e067 PTE 0
[ 258.944794] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[ 258.946411] CPU: 1 PID: 1249 Comm: trinity-c7 Tainted: G T 5.0.0-rc8-00103-g6377f78 #1
[ 258.949001] RIP: 0010:__sock_release+0x24/0x86
[ 258.950218] Code: ff 89 e8 5b 5d c3 55 53 48 89 fb 48 83 7f 28 00 74 3f 48 85 f6 48 89 f5 74 09 48 8d 7e 58 e8 8f a2 19 00 48 8b 43 28 48 89 df <48> 8b 40 10 e8 0b 8a 3e 00 48 85 ed 48 c7 43 20 00 00 00 00 74 09
[ 258.955449] RSP: 0018:ffffa5774082fdb8 EFLAGS: 00010246
[ 258.957106] RAX: ffffffffc030f0a0 RBX: ffff8eadfa36bb80 RCX: 0000000000000000
[ 258.959093] RDX: ffffffffb46181d5 RSI: ffffffffb46181d5 RDI: ffff8eadfa36bb80
[ 258.961122] RBP: ffff8eadfa36bbb0 R08: 0000000000000000 R09: 0000000000000000
[ 258.963145] R10: ffff8eadfa36bbb0 R11: ffffffffffffffff R12: ffff8eadfa36bbb0
[ 258.965162] R13: ffff8eadcf4fef28 R14: ffff8eaded3a2ed8 R15: ffff8eadfa36bbb0
[ 258.967275] FS: 00007fec54927b40(0000) GS:ffff8eae36400000(0000) knlGS:0000000000000000
[ 258.969657] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 258.971343] CR2: ffffffffc030f0b0 CR3: 00000000280d3000 CR4: 00000000000006e0
[ 258.973384] Call Trace:
[ 258.974148] ? sock_close+0xc/0xf
[ 258.975181] ? __fput+0x10b/0x1a6
[ 258.976250] ? task_work_run+0x7d/0x9f
[ 258.977462] ? do_exit+0x408/0x9f5
[ 258.978463] ? do_group_exit+0xa4/0xa4
[ 258.979578] ? __x64_sys_exit_group+0xf/0xf
[ 258.980780] ? do_syscall_64+0x1ae/0x25e
[ 258.981926] ? async_page_fault+0x8/0x30
[ 258.983101] ? perf_swevent_put_recursion_context+0x10/0x2a
[ 258.984782] ? __perf_sw_event+0x47/0x5b
[ 258.986089] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 258.987634] Modules linked in: ieee802154_socket caif_socket caif hidp hid can_raw can af_packet dn_rtmsg cn decnet crct10dif_pclmul crct10dif_common ghash_clmulni_intel aesni_intel aes_x86_64 input_leds led_class serio_raw rtc_cmos qemu_fw_cfg button
[ 258.993831] CR2: ffffffffc030f0b0
[ 258.994762] ---[ end trace 033ec3faa0079cf9 ]---
To reproduce:
# build kernel
cd linux
cp config-5.0.0-rc8-00103-g6377f78 .config
make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 olddefconfig
make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 prepare
make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 modules_prepare
make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 SHELL=/bin/bash
make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 bzImage
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email
Thanks,
lkp
[sched/core] f4dfad99bf: WARNING:inconsistent_lock_state
by kernel test robot
FYI, we noticed the following commit (built with gcc-7):
commit: f4dfad99bfe39733564e94ee520f902ae209705d ("sched/core: Prevent race condition between cpuset and __sched_setscheduler()")
https://github.com/jlelli/linux.git fixes/deadline/root-domain-account-v7
in testcase: trinity
with following parameters:
runtime: 300s
test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/
on test machine: qemu-system-i386 -enable-kvm -cpu SandyBridge -smp 2 -m 2G
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
+-------------------------------------------------+------------+------------+
| | c61fc953c4 | f4dfad99bf |
+-------------------------------------------------+------------+------------+
| boot_successes | 5 | 0 |
| boot_failures | 1 | 4 |
| BUG:soft_lockup-CPU##stuck_for#s | 1 | 1 |
| EIP:drm_mm_insert_node_in_range | 1 | 1 |
| Kernel_panic-not_syncing:softlockup:hung_tasks | 1 | 1 |
| WARNING:inconsistent_lock_state | 0 | 4 |
| inconsistent{IN-HARDIRQ-W}->{HARDIRQ-ON-W}usage | 0 | 4 |
+-------------------------------------------------+------------+------------+
[ 19.549992] WARNING: inconsistent lock state
[ 19.549992] 5.1.0-rc1-00005-gf4dfad9 #113 Not tainted
[ 19.549992] --------------------------------
[ 19.549992] inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage.
[ 19.549992] swapper/1 [HC0[0]:SC0[0]:HE1:SE1] takes:
[ 19.549992] (ptrval) (&rq->lock){?.-.}, at: __task_rq_lock+0x30/0x72
[ 19.549992] {IN-HARDIRQ-W} state was registered at:
[ 19.549992] lock_acquire+0xe9/0x107
[ 19.549992] _raw_spin_lock+0x21/0x30
[ 19.549992] scheduler_tick+0x1d/0x95
[ 19.549992] update_process_times+0x34/0x37
[ 19.549992] tick_periodic+0x98/0xa4
[ 19.549992] tick_handle_periodic+0x13/0x4f
[ 19.549992] timer_interrupt+0xf/0x16
[ 19.549992] __handle_irq_event_percpu+0xb5/0x1c2
[ 19.549992] handle_irq_event_percpu+0x19/0x3f
[ 19.549992] handle_irq_event+0x29/0x42
[ 19.549992] handle_level_irq+0x88/0xb4
[ 19.549992] handle_irq+0x6b/0xb6
[ 19.549992] irq event stamp: 23
[ 19.549992] hardirqs last enabled at (23): [<41d69539>] _raw_spin_unlock_irq+0x22/0x2c
[ 19.549992] hardirqs last disabled at (22): [<41d69384>] _raw_spin_lock_irq+0xc/0x36
[ 19.549992] softirqs last enabled at (18): [<41d6aeac>] __do_softirq+0x28c/0x2ba
[ 19.549992] softirqs last disabled at (13): [<41005d27>] call_on_stack+0x40/0x46
[ 19.549992]
[ 19.549992] other info that might help us debug this:
[ 19.549992] Possible unsafe locking scenario:
[ 19.549992]
[ 19.549992] CPU0
[ 19.549992] ----
[ 19.549992] lock(&rq->lock);
[ 19.549992] <Interrupt>
[ 19.549992] lock(&rq->lock);
[ 19.549992]
[ 19.549992] *** DEADLOCK ***
[ 19.549992]
[ 19.549992] 1 lock held by swapper/1:
[ 19.549992] #0: (ptrval) (&p->pi_lock){+.+.}, at: __sched_setscheduler+0xe8/0x52b
[ 19.549992]
[ 19.549992] stack backtrace:
[ 19.549992] CPU: 0 PID: 1 Comm: swapper Not tainted 5.1.0-rc1-00005-gf4dfad9 #113
[ 19.549992] Call Trace:
[ 19.549992] dump_stack+0x16/0x18
[ 19.549992] print_usage_bug+0x1f0/0x1fa
[ 19.549992] mark_lock+0x32f/0x472
[ 19.549992] __lock_acquire+0x2f0/0xe2e
[ 19.549992] ? __lock_acquire+0x20e/0xe2e
[ 19.549992] lock_acquire+0xe9/0x107
[ 19.549992] ? __task_rq_lock+0x30/0x72
[ 19.549992] _raw_spin_lock+0x21/0x30
[ 19.549992] ? __task_rq_lock+0x30/0x72
[ 19.549992] __task_rq_lock+0x30/0x72
[ 19.549992] __sched_setscheduler+0xf2/0x52b
[ 19.549992] _sched_setscheduler+0x68/0x70
[ 19.549992] sched_setscheduler_nocheck+0x1f/0x21
[ 19.549992] __kthread_create_on_node+0xfd/0x11e
[ 19.549992] kthread_create_on_node+0x18/0x1a
[ 19.549992] create_worker+0xa2/0x11e
[ 19.549992] ? process_scheduled_works+0x22/0x22
[ 19.549992] workqueue_init+0x9d/0x102
[ 19.549992] ? rest_init+0x108/0x108
[ 19.549992] kernel_init_freeable+0x30/0x261
[ 19.549992] ? rest_init+0x108/0x108
[ 19.549992] kernel_init+0x8/0xd0
[ 19.549992] ret_from_fork+0x33/0x40
[ 19.582773] Performance Events: no PMU driver, software events only.
[ 19.657957] NMI watchdog: Perf NMI watchdog permanently disabled
[ 19.747678] devtmpfs: initialized
[ 20.441420] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[ 20.463487] futex hash table entries: 16 (order: -3, 704 bytes)
[ 20.513740] xor: automatically using best checksumming function avx
[ 20.531164] pinctrl core: initialized pinctrl subsystem
[ 20.585967] regulator-dummy: no parameters
[ 20.643658] NET: Registered protocol family 16
[ 20.856939] cpuidle: using governor ladder
[ 21.135177] ACPI: bus type PCI registered
[ 21.234115] PCI: PCI BIOS area is rw and x. Use pci=nobios if you want it NX.
[ 21.252069] PCI: PCI BIOS revision 2.10 entry at 0xfd501, last bus=0
[ 21.281678] PCI: Using configuration type 1 for base access
[ 21.670940] random: fast init done
[ 22.118956] HugeTLB registered 2.00 MiB page size, pre-allocated 0 pages
[ 22.183623] cryptd: max_cpu_qlen set to 1000
[ 22.410884] raid6: sse2x2 gen() 88 MB/s
[ 22.601685] raid6: sse2x2 xor() 271 MB/s
[ 22.792282] raid6: sse2x1 gen() 12 MB/s
[ 22.981381] raid6: sse2x1 xor() 381 MB/s
[ 23.172166] raid6: sse1x2 gen() 32 MB/s
[ 23.362778] raid6: sse1x1 gen() 8 MB/s
[ 23.370357] raid6: using algorithm sse2x2 gen() 88 MB/s
[ 23.381153] raid6: .... xor() 271 MB/s, rmw enabled
[ 23.390425] raid6: using ssse3x1 recovery algorithm
[ 23.415221] gpio-f7188x: Not a Fintek device at 0x0000002e
[ 23.434667] gpio-f7188x: Not a Fintek device at 0x0000004e
[ 23.504128] ACPI: Added _OSI(Module Device)
[ 23.521917] ACPI: Added _OSI(Processor Device)
[ 23.541403] ACPI: Added _OSI(3.0 _SCP Extensions)
[ 23.551537] ACPI: Added _OSI(Processor Aggregator Device)
[ 23.583167] ACPI: Added _OSI(Linux-Dell-Video)
[ 23.612856] ACPI: Added _OSI(Linux-Lenovo-NV-HDMI-Audio)
[ 23.637000] ACPI: Added _OSI(Linux-HPI-Hybrid-Graphics)
[ 23.833938] ACPI: 1 ACPI AML tables successfully acquired and loaded
To reproduce:
# build kernel
cd linux
cp config-5.1.0-rc1-00005-gf4dfad9 .config
make HOSTCC=gcc-7 CC=gcc-7 ARCH=i386 olddefconfig
make HOSTCC=gcc-7 CC=gcc-7 ARCH=i386 prepare
make HOSTCC=gcc-7 CC=gcc-7 ARCH=i386 modules_prepare
make HOSTCC=gcc-7 CC=gcc-7 ARCH=i386 SHELL=/bin/bash
make HOSTCC=gcc-7 CC=gcc-7 ARCH=i386 bzImage
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email
Thanks,
Rong Chen
[mm/vmalloc.c] 7ae76449bd: kernel_BUG_at_lib/list_debug.c
by kernel test robot
FYI, we noticed the following commit (built with gcc-6):
commit: 7ae76449bd30c850421db82844cfce9dc60a5bfe ("mm/vmalloc.c: keep track of free blocks for vmap allocation")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
in testcase: trinity
with following parameters:
runtime: 300s
test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 2G
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
+------------------------------------------+------------+------------+
| | 7a866571a8 | 7ae76449bd |
+------------------------------------------+------------+------------+
| boot_successes | 12 | 0 |
| boot_failures | 0 | 12 |
| kernel_BUG_at_lib/list_debug.c | 0 | 12 |
| invalid_opcode:#[##] | 0 | 12 |
| RIP:__list_add_valid | 0 | 12 |
| Kernel_panic-not_syncing:Fatal_exception | 0 | 12 |
+------------------------------------------+------------+------------+
[ 0.391862] kernel BUG at lib/list_debug.c:28!
[ 0.392842] invalid opcode: 0000 [#1] PREEMPT PTI
[ 0.394813] CPU: 0 PID: 1 Comm: swapper Not tainted 5.1.0-rc2-00363-g7ae7644 #1
[ 0.395722] RIP: 0010:__list_add_valid+0x4a/0x70
[ 0.395722] Code: 00 00 00 c3 48 89 d1 48 c7 c7 20 b4 f6 81 4c 89 c2 e8 33 be e3 ff 0f 0b 4c 89 c1 48 89 c6 48 c7 c7 a0 b4 f6 81 e8 1f be e3 ff <0f> 0b 48 89 f2 48 89 c1 48 89 fe 48 c7 c7 f8 b4 f6 81 e8 08 be e3
[ 0.395722] RSP: 0000:ffff888079063bf0 EFLAGS: 00010086
[ 0.395722] RAX: 0000000000000075 RBX: ffff8880790f9f98 RCX: 0000000000000000
[ 0.395722] RDX: 0000000000000000 RSI: 000000001750044f RDI: 00000000ffffffff
[ 0.395722] RBP: 0000000000000068 R08: 0000000000000004 R09: 0000000000000000
[ 0.395722] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000dc0
[ 0.395722] R13: ffffffff82413b10 R14: ffffffff82413b10 R15: ffffea0001a7bb50
[ 0.395722] FS: 0000000000000000(0000) GS:ffffffff82231000(0000) knlGS:0000000000000000
[ 0.395722] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 0.395722] CR2: 0000000000000000 CR3: 0000000002220000 CR4: 00000000000406b0
[ 0.395722] Call Trace:
[ 0.395722] slob_alloc+0x1c9/0x240
[ 0.395722] kmem_cache_alloc+0x70/0x80
[ 0.395722] acpi_ps_alloc_op+0xc0/0xca
[ 0.395722] acpi_ps_get_next_arg+0x3fa/0x6ed
[ 0.395722] acpi_ps_parse_loop+0x45d/0x87c
[ 0.395722] acpi_ps_parse_aml+0x1a6/0x54a
[ 0.395722] acpi_ps_execute_table+0xc9/0x12a
[ 0.395722] acpi_ns_execute_table+0x251/0x2fc
[ 0.395722] ? set_debug_rodata+0xc/0xc
[ 0.395722] acpi_ns_parse_table+0x6e/0x9a
[ 0.395722] acpi_ns_load_table+0x8c/0x1b9
[ 0.395722] acpi_tb_load_namespace+0xc9/0x273
[ 0.395722] ? acpi_sleep_proc_init+0x1f/0x1f
[ 0.395722] ? set_debug_rodata+0xc/0xc
[ 0.395722] acpi_load_tables+0x65/0xc0
[ 0.395722] ? acpi_sleep_proc_init+0x1f/0x1f
[ 0.395722] acpi_init+0x7b/0x326
[ 0.395722] ? kset_register+0x2b/0x40
[ 0.395722] ? kset_create_and_add+0x63/0x90
[ 0.395722] ? pci_create_slot+0x270/0x270
[ 0.395722] ? acpi_sleep_proc_init+0x1f/0x1f
[ 0.395722] do_one_initcall+0x45/0x1b0
[ 0.395722] ? set_debug_rodata+0xc/0xc
[ 0.395722] kernel_init_freeable+0x123/0x1ab
[ 0.395722] ? rest_init+0x130/0x130
[ 0.395722] kernel_init+0x5/0x100
[ 0.395722] ret_from_fork+0x1f/0x30
[ 0.395722] Modules linked in:
[ 0.395722] ---[ end trace 83af5a28bbf5641b ]---
To reproduce:
# build kernel
cd linux
cp config-5.1.0-rc2-00363-g7ae7644 .config
make HOSTCC=gcc-6 CC=gcc-6 ARCH=x86_64 olddefconfig
make HOSTCC=gcc-6 CC=gcc-6 ARCH=x86_64 prepare
make HOSTCC=gcc-6 CC=gcc-6 ARCH=x86_64 modules_prepare
make HOSTCC=gcc-6 CC=gcc-6 ARCH=x86_64 SHELL=/bin/bash
make HOSTCC=gcc-6 CC=gcc-6 ARCH=x86_64 bzImage
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email
Thanks,
lkp
340d3d6178 ("mm/slob.c: respect list_head abstraction layer"): kernel BUG at lib/list_debug.c:31!
by kernel test robot
Greetings,
0day kernel testing robot got the below dmesg and the first bad commit is
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
commit 340d3d6178f8081abe79549aed9056bc2888952c
Author: Tobin C. Harding <tobin(a)kernel.org>
AuthorDate: Fri Mar 29 10:01:23 2019 +1100
Commit: Stephen Rothwell <sfr(a)canb.auug.org.au>
CommitDate: Fri Mar 29 10:01:23 2019 +1100
mm/slob.c: respect list_head abstraction layer
Currently we reach inside the list_head. This is a violation of the layer
of abstraction provided by the list_head. It makes the code fragile.
More importantly it makes the code wicked hard to understand.
The code logic is based on the page in which an allocation was made, we
want to modify the slob_list we are working on to have this page at the
front. We already have a function to check if an entry is at the front of
the list. Recently a function was added to list.h to do the list
rotation. We can use these two functions to reduce line count, reduce
code fragility, and reduce cognitive load required to read the code.
Use list_head functions to interact with lists thereby maintaining the
abstraction provided by the list_head structure.
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Tobin C. Harding <tobin(a)kernel.org>
Cc: Christoph Lameter <cl(a)linux.com>
Cc: David Rientjes <rientjes(a)google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim(a)lge.com>
Cc: Pekka Enberg <penberg(a)kernel.org>
Cc: Roman Gushchin <guro(a)fb.com>
Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org>
Signed-off-by: Stephen Rothwell <sfr(a)canb.auug.org.au>
5b605b7c0b include/linux/list.h: add list_rotate_to_front()
340d3d6178 mm/slob.c: respect list_head abstraction layer
e3ecb83ee7 Add linux-next specific files for 20190401
+----------------------------------------------------+------------+------------+---------------+
| | 5b605b7c0b | 340d3d6178 | next-20190401 |
+----------------------------------------------------+------------+------------+---------------+
| boot_successes | 27 | 0 | 0 |
| boot_failures | 9 | 12 | 3 |
| BUG:kernel_hang_in_boot-around-mounting-root_stage | 8 | | |
| Mem-Info | 1 | | |
| kernel_BUG_at_lib/list_debug.c | 0 | 12 | 1 |
| invalid_opcode:#[##] | 0 | 12 | 1 |
| RIP:__list_add_valid | 0 | 12 | 1 |
| Kernel_panic-not_syncing:Fatal_exception | 0 | 12 | 3 |
| Oops:#[##] | 0 | 0 | 2 |
| RIP:load_elf_binary | 0 | 0 | 2 |
| BUG:unable_to_handle_kernel | 0 | 0 | 1 |
+----------------------------------------------------+------------+------------+---------------+
[ 0.523850] cpuidle: using governor menu
[ 0.525102] ACPI: bus type PCI registered
[ 0.526012] PCI: Using configuration type 1 for base access
[ 0.529071] list_add corruption. prev->next should be next (ffffffff83184dd0), but was ffffea00007ac188. (prev=ffffea00007ab2c8).
[ 0.529696] ------------[ cut here ]------------
[ 0.529696] kernel BUG at lib/list_debug.c:31!
[ 0.529696] invalid opcode: 0000 [#1] SMP PTI
[ 0.529696] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.1.0-rc2-00288-g340d3d6 #2
[ 0.529696] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[ 0.529696] RIP: 0010:__list_add_valid+0xee/0x110
[ 0.529696] Code: 4c 89 e1 4c 89 f6 48 c7 c7 d0 95 d0 82 e8 79 ad 97 ff 0f 0b 48 8b 55 00 48 89 e9 4c 89 e6 48 c7 c7 50 96 d0 82 e8 61 ad 97 ff <0f> 0b 4c 89 f1 48 89 ea 4c 89 ee 48 c7 c7 a8 96 d0 82 e8 4a ad 97
[ 0.529696] RSP: 0000:ffff88801e9cfca0 EFLAGS: 00010086
[ 0.529696] RAX: 0000000000000075 RBX: 0000000000000003 RCX: 0000000000000000
[ 0.529696] RDX: ffffffff830b2e78 RSI: 0000000000000000 RDI: ffffffff811c987b
[ 0.529696] RBP: ffffea00007ab2c8 R08: 0000000000000000 R09: 0000000000000001
[ 0.529696] R10: 00000000000000f8 R11: ffffffffffffff22 R12: ffffffff83184dd0
[ 0.529696] R13: ffffffff83184dd0 R14: ffffea00007ac188 R15: ffffea00007ab2c8
[ 0.529696] FS: 0000000000000000(0000) GS:ffff88801ee00000(0000) knlGS:0000000000000000
[ 0.529696] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 0.529696] CR2: 0000000000000000 CR3: 000000000305c001 CR4: 00000000001606f0
[ 0.529696] Call Trace:
[ 0.529696] slob_alloc+0x2f4/0x3b0
[ 0.529696] ? add_sysfs_param+0x90/0x2b0
[ 0.529696] __kmalloc_track_caller+0x2f4/0x4a0
[ 0.529696] krealloc+0xa1/0x180
[ 0.529696] add_sysfs_param+0x90/0x2b0
[ 0.529696] param_sysfs_init+0x218/0x2b0
[ 0.529696] ? file_caps_disable+0x15/0x15
[ 0.529696] ? locate_module_kobject+0x117/0x117
[ 0.529696] do_one_initcall+0x184/0x5b0
[ 0.529696] ? do_early_param+0xb9/0xb9
[ 0.529696] kernel_init_freeable+0x723/0x7ff
[ 0.529696] ? rest_init+0x2a0/0x2a0
[ 0.529696] kernel_init+0xa/0x180
[ 0.529696] ret_from_fork+0x24/0x30
[ 0.529696] Modules linked in:
[ 0.529696] random: get_random_bytes called from init_oops_id+0x45/0x50 with crng_init=0
[ 0.529696] ---[ end trace 869b9fe7b3a174b5 ]---
[ 0.529696] RIP: 0010:__list_add_valid+0xee/0x110
# HH:MM RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
git bisect start 1baf02ec984b88b435e2fa065300179a3f48e7d2 8c2ffd9174779014c3fe1f96d9dc3641d9175f00 --
git bisect good df99e3d8a4f80c0c9310d56769f35476e3821697 # 13:50 G 11 0 8 8 Merge remote-tracking branch 'printk/for-next'
git bisect good a90861b7a4a58edf7e666b3add35f4d9a1b9e1c7 # 14:17 G 12 0 3 3 Merge remote-tracking branch 'spi/for-next'
git bisect good 9f21b7499a27030a1189f9a4a5d61ca8800dedfb # 17:30 G 11 0 11 11 Merge remote-tracking branch 'scsi/for-next'
git bisect good e99e72bceb949637fc5f5cdee0a7403498d7228e # 18:32 G 12 0 12 12 Merge remote-tracking branch 'rtc/rtc-next'
git bisect good a9dfd2f07c36500ae20a43adaf7cab85ea43a18a # 18:58 G 12 0 12 12 Merge remote-tracking branch 'nvmem/for-next'
git bisect good 2ed3a066995eb988c511dbac853da7d191d29b50 # 20:05 G 12 0 12 16 Merge remote-tracking branch 'devfreq/for-next'
git bisect bad c8ffae1657ab76cdd0c64236bee5eee7ed0ce6e5 # 20:33 B 0 5 22 2 Merge branch 'akpm-current/current'
git bisect bad a98778d9c7e355c2eaeccfac121917e5ff766d16 # 21:41 B 0 12 31 4 initramfs: fix a compilation error
git bisect bad 69b9e3e25724b51c295a95df61f851b52c7cbb19 # 22:25 B 0 11 26 0 mm/slub.c: add comments to endif pre-processor macros
git bisect good c0dfde872300dffdb72389bcee02ed3fb2b40c09 # 23:08 G 12 0 1 1 checkpatch: add %pt as a valid vsprintf extension
git bisect good e2a2be7656d99306969f43d472c5163ec50e54c4 # 11:56 G 12 0 2 8 mm/compaction.c: correct zone boundary handling when resetting pageblock skip hints
git bisect good bf1c2ed9686c247f4a73ac43dbf9e3ac4f23c6a5 # 12:53 G 12 0 6 6 ocfs2: wait for recovering done after direct unlock request
git bisect good 5b605b7c0b904df43d1f21f0ae7115f256cbb2f9 # 16:30 G 11 0 1 1 include/linux/list.h: add list_rotate_to_front()
git bisect bad f034a92650072fed6d4b2070c6eb1a8065d09985 # 17:39 B 0 4 19 0 mm/slob.c: use slab_list instead of lru
git bisect bad 340d3d6178f8081abe79549aed9056bc2888952c # 18:44 B 0 1 16 0 mm/slob.c: respect list_head abstraction layer
# first bad commit: [340d3d6178f8081abe79549aed9056bc2888952c] mm/slob.c: respect list_head abstraction layer
git bisect good 5b605b7c0b904df43d1f21f0ae7115f256cbb2f9 # 19:15 G 35 0 8 10 include/linux/list.h: add list_rotate_to_front()
# extra tests with debug options
git bisect bad 340d3d6178f8081abe79549aed9056bc2888952c # 19:40 B 0 2 17 0 mm/slob.c: respect list_head abstraction layer
# extra tests on HEAD of linux-next/master
git bisect bad 1baf02ec984b88b435e2fa065300179a3f48e7d2 # 19:40 B 0 12 39 5 Add linux-next specific files for 20190329
# extra tests on tree/branch linux-next/master
git bisect bad e3ecb83ee707a3b2a4d12e19509ecbda7f793cc2 # 20:15 B 0 3 18 0 Add linux-next specific files for 20190401
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/lkp Intel Corporation
Re: [LKP] [PATCH v2] kernfs: fix xattr name handling in LSM helpers
by Ondrej Mosnacek
On Fri, Mar 29, 2019 at 2:31 PM Paul Moore <paul(a)paul-moore.com> wrote:
> On Tue, Mar 26, 2019 at 8:12 AM Ondrej Mosnacek <omosnace(a)redhat.com> wrote:
> > The implementation of kernfs_security_xattr_*() helpers reuses the
> > kernfs_node_xattr_*() functions, which take the suffix of the xattr name
> > and extract full xattr name from it using xattr_full_name(). However,
> > this function relies on the fact that the suffix passed to xattr
> > handlers from VFS is always constructed from the full name by just
> > incrementing the pointer. This doesn't necessarily hold for the callers
> > of kernfs_security_xattr_*(), so their usage will easily lead to
> > out-of-bounds access.
> >
> > Fix this by converting the helpers to take the full xattr name instead
> > of just the suffix and moving the reconstruction to the xattr handlers.
> > We now need to check if the prefix is correct in the helpers, but it
> > saves us the difficulty of reconstructing the full name from just the
> > plain suffix.
> >
> > Reported-by: kernel test robot <rong.a.chen(a)intel.com>
> > Fixes: b230d5aba2d1 ("LSM: add new hook for kernfs node initialization")
> > Fixes: ec882da5cda9 ("selinux: implement the kernfs_init_security hook")
> > Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com>
> > ---
> >
> > v2: Rebase on current selinux/next.
> >
> > fs/kernfs/inode.c | 38 ++++++++++++++++++--------------------
> > include/linux/kernfs.h | 8 ++++----
> > security/selinux/hooks.c | 6 +++---
> > 3 files changed, 25 insertions(+), 27 deletions(-)
>
> Thanks for diagnosing this and providing a patch. I haven't seen any
> objections, but I do have some questions (below).
>
> > diff --git a/fs/kernfs/inode.c b/fs/kernfs/inode.c
> > index 673ef598d97d..1daa8aa9ec96 100644
> > --- a/fs/kernfs/inode.c
> > +++ b/fs/kernfs/inode.c
> > @@ -288,28 +288,20 @@ int kernfs_iop_permission(struct inode *inode, int mask)
> > return generic_permission(inode, mask);
> > }
> >
> > -static int kernfs_node_xattr_get(const struct xattr_handler *handler,
> > - struct kernfs_node *kn, const char *suffix,
> > +static int kernfs_node_xattr_get(struct kernfs_node *kn, const char *name,
> > void *value, size_t size)
> > {
> > - const char *name = xattr_full_name(handler, suffix);
> > - struct kernfs_iattrs *attrs;
> > -
> > - attrs = kernfs_iattrs_noalloc(kn);
> > + struct kernfs_iattrs *attrs = kernfs_iattrs_noalloc(kn);
> > if (!attrs)
> > return -ENODATA;
> >
> > return simple_xattr_get(&attrs->xattrs, name, value, size);
> > }
> >
> > -static int kernfs_node_xattr_set(const struct xattr_handler *handler,
> > - struct kernfs_node *kn, const char *suffix,
> > +static int kernfs_node_xattr_set(struct kernfs_node *kn, const char *name,
> > const void *value, size_t size, int flags)
> > {
> > - const char *name = xattr_full_name(handler, suffix);
> > - struct kernfs_iattrs *attrs;
> > -
> > - attrs = kernfs_iattrs(kn);
> > + struct kernfs_iattrs *attrs = kernfs_iattrs(kn);
> > if (!attrs)
> > return -ENOMEM;
> >
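Review bot: kernfs_node_xattr_get() and kernfs_node_xattr_set() now take `name` with no handler to anchor it, and nothing at either definition says that `name` must be the full attribute name including its prefix. The parameter was a suffix before this change, so a one-line comment above each function stating the new contract would keep future callers from passing the wrong form. Style: in both functions the initialized declaration of `attrs` is followed directly by `if (!attrs)`; add the blank line after the declaration.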
>
> ...
>
> > -int kernfs_security_xattr_get(struct kernfs_node *kn, const char *suffix,
> > +int kernfs_security_xattr_get(struct kernfs_node *kn, const char *name,
> > void *value, size_t size)
> > {
> > - return kernfs_node_xattr_get(&kernfs_security_xattr_handler,
> > - kn, suffix, value, size);
> > + if (WARN_ON_ONCE(!strstarts(name, XATTR_SECURITY_PREFIX)))
> > + return -EINVAL;
> > +
> > + return kernfs_node_xattr_get(kn, name, value, size);
> > }
> >
> > -int kernfs_security_xattr_set(struct kernfs_node *kn, const char *suffix,
> > +int kernfs_security_xattr_set(struct kernfs_node *kn, const char *name,
> > void *value, size_t size, int flags)
> > {
> > - return kernfs_node_xattr_set(&kernfs_security_xattr_handler,
> > - kn, suffix, value, size, flags);
> > + if (WARN_ON_ONCE(!strstarts(name, XATTR_SECURITY_PREFIX)))
> > + return -EINVAL;
> > +
> > + return kernfs_node_xattr_set(kn, name, value, size, flags);
> > }
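Review bot: the `strstarts(name, XATTR_SECURITY_PREFIX)` check in kernfs_security_xattr_get() and kernfs_security_xattr_set() also passes for a name that is exactly the prefix with nothing after it, so an empty suffix reaches kernfs_node_xattr_get() and kernfs_node_xattr_set(). If that is not intended, reject it in the same check. Separately, kernfs_security_xattr_set() keeps `void *value` while kernfs_node_xattr_set() in the earlier hunk takes `const void *value`; making the wrapper's parameter const would match.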
>
> I think it is reasonable to ask if we even need
> kernfs_security_xattr_{set|get}()? Can we just call the respective
> kernfs_node_xattr*() functions instead? I can't imagine the
> WARN_ON_ONCE check being that important.
Indeed, it is now much more natural to just expose all xattrs in those
helpers... I concur that the encapsulation doesn't seem to be worth it
any more. Let me do a simplified respin...
--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.
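The out-of-bounds access described in the quoted commit message, modelled in userspace C as an added example (not code from the patch or from the kernel). `name_ref`, `stepback_underrun` and the other function names are hypothetical, the sample names are constructed, and the model reports the underrun with integer offsets instead of performing the read.

```c
/* Added example: userspace model, not kernel code. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SECURITY_PREFIX "security." /* same string as XATTR_SECURITY_PREFIX */

/* A name seen by a callee, kept as (buffer start, offset) so that bounds
 * can be checked with integers instead of forming an out-of-range pointer. */
struct name_ref {
    const char *buf; /* start of the buffer that holds the string */
    size_t off;      /* offset at which the string handed to the callee begins */
};

/* VFS-style call: the suffix is the full name with the pointer advanced
 * past the prefix, so the prefix bytes sit directly in front of it.
 * Assumes full_name really begins with prefix. */
static struct name_ref vfs_style_suffix(const char *full_name, const char *prefix)
{
    struct name_ref r = { full_name, strlen(prefix) };
    return r;
}

/* Direct call with a plain suffix: the string starts at the beginning of
 * its own buffer and nothing valid precedes it. */
static struct name_ref bare_suffix(const char *suffix)
{
    struct name_ref r = { suffix, 0 };
    return r;
}

/* Number of bytes a "step back by strlen(prefix)" reconstruction would
 * reach in front of the buffer; 0 means the step-back stays in bounds. */
static size_t stepback_underrun(struct name_ref suffix, const char *prefix)
{
    size_t plen = strlen(prefix);

    return suffix.off >= plen ? 0 : plen - suffix.off;
}

/* Model of rebuilding the full name from the suffix. The real helper has
 * no way to detect the bad case; this model returns NULL where the
 * reconstruction would have pointed outside the buffer. */
static const char *full_name_from_suffix(struct name_ref suffix, const char *prefix)
{
    if (stepback_underrun(suffix, prefix) != 0)
        return NULL;
    return suffix.buf + (suffix.off - strlen(prefix));
}

/* Shape of the fix: the caller passes the full name and the helper only
 * verifies the prefix, so no pointer is ever moved backwards. */
static int check_security_name(const char *name)
{
    if (strncmp(name, SECURITY_PREFIX, strlen(SECURITY_PREFIX)) != 0)
        return -EINVAL;
    return 0;
}

int main(void)
{
    struct name_ref ok = vfs_style_suffix("security.selinux", SECURITY_PREFIX);
    struct name_ref bad = bare_suffix("selinux");

    printf("VFS-style suffix underrun:  %zu bytes\n",
           stepback_underrun(ok, SECURITY_PREFIX));
    printf("bare suffix underrun:       %zu bytes\n",
           stepback_underrun(bad, SECURITY_PREFIX));
    printf("full-name check, good name: %d\n",
           check_security_name("security.selinux"));
    printf("full-name check, bare name: %d\n",
           check_security_name("selinux"));
    return 0;
}
```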