2018-11-02 00:20:22

by Chen, Rong A

Subject: [LKP] a518560778 [ 16.132179] BUG: KASAN: null-ptr-deref in brd_alloc

Greetings,

0day kernel testing robot got the below dmesg and the first bad commit is

https://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux-block.git for-linus

commit a5185607787e030fcb0009194d3b12f8bcca59d6
Author: Ming Lei <[email protected]>
AuthorDate: Wed Oct 31 16:40:50 2018 +0800
Commit: Jens Axboe <[email protected]>
CommitDate: Wed Oct 31 08:43:09 2018 -0600

block: brd: associate with queue until adding disk

brd_free() may be called in failure path on one brd instance without
the disk being added yet, so release handler of gendisk may free the
associated request_queue early and cause the following use-after-free[1].

This patch fixes this issue by associating gendisk with request_queue
just before adding disk.

[1] KASAN: use-after-free Read in del_timer_sync
Non-volatile memory driver v1.3
Linux agpgart interface v0.103
[drm] Initialized vgem 1.0.0 20120112 for virtual device on minor 0
usbcore: registered new interface driver udl
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x36d9/0x4c20
kernel/locking/lockdep.c:3218
Read of size 8 at addr ffff8801d1b6b540 by task swapper/0/1

CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.19.0+ #88
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x244/0x39d lib/dump_stack.c:113
print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
__lock_acquire+0x36d9/0x4c20 kernel/locking/lockdep.c:3218
lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844
del_timer_sync+0xb7/0x270 kernel/time/timer.c:1283
blk_cleanup_queue+0x413/0x710 block/blk-core.c:809
brd_free+0x5d/0x71 drivers/block/brd.c:422
brd_init+0x2eb/0x393 drivers/block/brd.c:518
do_one_initcall+0x145/0x957 init/main.c:890
do_initcall_level init/main.c:958 [inline]
do_initcalls init/main.c:966 [inline]
do_basic_setup init/main.c:984 [inline]
kernel_init_freeable+0x5c6/0x6b9 init/main.c:1148
kernel_init+0x11/0x1ae init/main.c:1068
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:350

Reported-by: [email protected]
Signed-off-by: Ming Lei <[email protected]>
Signed-off-by: Jens Axboe <[email protected]>

c57cdf7a9e block: call rq_qos_exit() after queue is frozen
a518560778 block: brd: associate with queue until adding disk
+------------------------------------------------+------------+------------+
| | c57cdf7a9e | a518560778 |
+------------------------------------------------+------------+------------+
| boot_successes | 0 | 0 |
| boot_failures | 46 | 15 |
| BUG:kernel_hang_in_test_stage | 44 | |
| IP-Config:Auto-configuration_of_network_failed | 2 | |
| BUG:KASAN:null-ptr-deref_in_b | 0 | 15 |
| BUG:unable_to_handle_kernel | 0 | 15 |
| Oops:#[##] | 0 | 15 |
| RIP:brd_alloc | 0 | 15 |
| Kernel_panic-not_syncing:Fatal_exception | 0 | 15 |
+------------------------------------------------+------------+------------+

[ 16.119590] smapi::smapi_init, ERROR invalid usSmapiID
[ 16.120907] mwave: tp3780i::tp3780I_InitializeBoardData: Error: SMAPI is not available on this machine
[ 16.123300] mwave: mwavedd::mwave_init: Error: Failed to initialize board data
[ 16.125261] mwave: mwavedd::mwave_init: Error: Failed to initialize
[ 16.130478] ==================================================================
[ 16.132179] BUG: KASAN: null-ptr-deref in brd_alloc+0x20e/0x277
[ 16.132179] Read of size 8 at addr 0000000000000230 by task swapper/1
[ 16.132179]
[ 16.132179] CPU: 0 PID: 1 Comm: swapper Not tainted 4.19.0-05614-ga518560 #1
[ 16.132179] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[ 16.132179] Call Trace:
[ 16.132179] kasan_report+0x231/0x279
[ 16.132179] brd_alloc+0x20e/0x277
[ 16.132179] brd_init+0x51/0x234
[ 16.132179] ? ramdisk_size+0x16/0x16
[ 16.132179] ? do_early_param+0xae/0xae
[ 16.132179] do_one_initcall+0xc0/0x1b3
[ 16.132179] ? rcu_read_lock+0x2c/0x2c
[ 16.132179] ? lock_downgrade+0x27d/0x27d
[ 16.132179] kernel_init_freeable+0x17c/0x227
[ 16.132179] ? rest_init+0xd5/0xd5
[ 16.132179] kernel_init+0x7/0xfe
[ 16.132179] ? rest_init+0xd5/0xd5
[ 16.132179] ret_from_fork+0x1f/0x30
[ 16.132179] ==================================================================
[ 16.132179] Disabling lock debugging due to kernel taint
[ 16.173689] BUG: unable to handle kernel NULL pointer dereference at 0000000000000230
[ 16.175701] PGD 0 P4D 0
[ 16.176497] Oops: 0000 [#1] PREEMPT KASAN PTI
[ 16.176972] CPU: 0 PID: 1 Comm: swapper Tainted: G B 4.19.0-05614-ga518560 #1
[ 16.176972] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[ 16.176972] RIP: 0010:brd_alloc+0x20e/0x277
[ 16.176972] Code: 50 4c 8d 24 00 e8 64 a8 b7 ff 4c 89 65 50 4c 89 ef e8 da a7 b7 ff 4c 8b a5 90 05 00 00 49 8d bc 24 30 02 00 00 e8 c6 a7 b7 ff <4d> 8b a4 24 30 02 00 00 49 8d 7c 24 3c e8 b1 a6 b7 ff 41 83 4c 24
[ 16.176972] RSP: 0000:ffff88001909fdd8 EFLAGS: 00010282
[ 16.176972] RAX: 0000000000000000 RBX: ffff880013473988 RCX: ffffffff810dffc0
[ 16.176972] RDX: ffffffff811e48ae RSI: 0000000000000003 RDI: ffffffff8290b200
[ 16.176972] RBP: ffff8800134c2ee8 R08: dffffc0000000000 R09: 0000000000000000
[ 16.176972] R10: 0000000000000001 R11: 073d073d073d073d R12: 0000000000000000
[ 16.176972] R13: ffff8800134c3478 R14: ffffffff83228050 R15: ffffffff82a8d960
[ 16.176972] FS: 0000000000000000(0000) GS:ffffffff8285c000(0000) knlGS:0000000000000000
[ 16.176972] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 16.176972] CR2: 0000000000000230 CR3: 0000000002824000 CR4: 00000000000006b0
[ 16.176972] Call Trace:
[ 16.176972] brd_init+0x51/0x234
[ 16.176972] ? ramdisk_size+0x16/0x16
[ 16.176972] ? do_early_param+0xae/0xae
[ 16.176972] do_one_initcall+0xc0/0x1b3
[ 16.176972] ? rcu_read_lock+0x2c/0x2c
[ 16.176972] ? lock_downgrade+0x27d/0x27d
[ 16.176972] kernel_init_freeable+0x17c/0x227
[ 16.176972] ? rest_init+0xd5/0xd5
[ 16.176972] kernel_init+0x7/0xfe
[ 16.176972] ? rest_init+0xd5/0xd5
[ 16.176972] ret_from_fork+0x1f/0x30
[ 16.176972] Modules linked in:
[ 16.176972] CR2: 0000000000000230
[ 16.176972] ---[ end trace 4c9c9e7a1ae58e68 ]---
[ 16.176972] RIP: 0010:brd_alloc+0x20e/0x277

# HH:MM RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
git bisect start 5da169cafb99be34009584e06bde227d33727524 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d --
git bisect bad 94e203722538e1af1130debc1b4408b84d0a4ed4 # 17:26 B 0 11 26 0 Merge 'tip/x86/urgent' into devel-hourly-2018110113
git bisect good 2cd5e1c3bc1206e86c5e31651c4c77e179ddf4a8 # 19:03 G 11 0 11 12 Merge 'linux-review/Andreas-Puhm/fpga-altera_cvp-restrict-registration-to-CvP-enabled-devices/20181022-213417' into devel-hourly-2018110113
git bisect bad 6d0d7e4e782cc962b8a4fa7b65c695a1092f61ac # 19:19 B 0 1 16 0 Merge 'nf/master' into devel-hourly-2018110113
git bisect good bd5d37fd8f3f500f331161c816ce87c9427e9fc3 # 20:16 G 10 0 10 10 Merge 'linux-review/Florian-Fainelli/arm64-Get-rid-of-__early_init_dt_declare_initrd/20181030-075423' into devel-hourly-2018110113
git bisect bad a0e620bebd1ad34866b6646af5027c6c92784314 # 20:39 B 0 11 26 0 Merge 'block/for-linus' into devel-hourly-2018110113
git bisect good 2561c52cec3f710041e34a3737a866b565437e20 # 21:39 G 11 0 11 11 Merge 'jlayton/locks-4.21' into devel-hourly-2018110113
git bisect good 1bb9b0d1289f12f22a4145804b66aba7e22581c3 # 22:23 G 11 0 11 11 Merge 'superna9999/amlogic/v4.20/drm-overlay' into devel-hourly-2018110113
git bisect good 6bceec3a8988eb11f6f75db9254fc42a4782d88d # 23:16 G 10 0 10 10 Merge 'linux-review/Julia-Lawall/ASoC-AMD-constify-regulator_desc-structure/20181028-143635' into devel-hourly-2018110113
git bisect good d122007297044d28f8a285ea3a38f04a9065982d # 00:03 G 10 0 10 10 Merge 'gpio/fixes' into devel-hourly-2018110113
git bisect good 698b53b3119c45a59eef10b516d780b3e9a5402d # 00:56 G 11 0 11 13 mtip32xx: clean an indentation issue, remove extraneous tabs
git bisect bad a5185607787e030fcb0009194d3b12f8bcca59d6 # 01:11 B 0 1 16 0 block: brd: associate with queue until adding disk
git bisect good c57cdf7a9e51d97a43e29b8f4a04157875104000 # 02:01 G 11 0 11 11 block: call rq_qos_exit() after queue is frozen
# first bad commit: [a5185607787e030fcb0009194d3b12f8bcca59d6] block: brd: associate with queue until adding disk
git bisect good c57cdf7a9e51d97a43e29b8f4a04157875104000 # 02:43 G 33 0 33 46 block: call rq_qos_exit() after queue is frozen
# extra tests with debug options
git bisect bad a5185607787e030fcb0009194d3b12f8bcca59d6 # 02:56 B 0 5 20 0 block: brd: associate with queue until adding disk
# extra tests on HEAD of linux-devel/devel-hourly-2018110113
git bisect bad 5da169cafb99be34009584e06bde227d33727524 # 03:01 B 0 13 31 0 0day head guard for 'devel-hourly-2018110113'
# extra tests on tree/branch block/for-linus
git bisect bad a5185607787e030fcb0009194d3b12f8bcca59d6 # 03:06 B 0 15 30 0 block: brd: associate with queue until adding disk
# extra tests with first bad commit reverted
git bisect good 0d9bc20beb726cc13f58a44660e94ea0c4402314 # 04:54 G 10 0 10 10 Revert "block: brd: associate with queue until adding disk"

---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/lkp Intel Corporation


Attachments:
dmesg-quantal-vp-24:20181102011209:x86_64-randconfig-s3-11011429:4.19.0-05614-ga518560:1.gz (10.39 kB)
dmesg-quantal-vp-11:20181102023350:x86_64-randconfig-s3-11011429:4.19.0-05613-gc57cdf7:1.gz (12.83 kB)
reproduce-quantal-vp-24:20181102011209:x86_64-randconfig-s3-11011429:4.19.0-05614-ga518560:1 (964.00 B)
config-4.19.0-05614-ga518560 (116.40 kB)
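
The ownership problem the commit message describes, as an added userspace model in C (not the kernel's or the patch author's code): a request_queue freed by the gendisk release handler before blk_cleanup_queue() runs, and why deferring the disk/queue link until add_disk() avoids it. It assumes simplified refcount rules (the release handler drops the queue reference the disk holds; add_disk() takes one), which mirror the shape of the 4.19 block layer but are not taken from this thread.

```c
/* Added example, not the kernel's or the patch author's code: a userspace model
 * of the gendisk/request_queue ownership the commit message describes. Assumed,
 * simplified refcount rules: the gendisk release handler drops the queue
 * reference the disk holds, and add_disk() takes one on the queue. */
#include <stdbool.h>
#include <stddef.h>
struct request_queue { int refs; bool freed; };
struct gendisk { int refs; struct request_queue *queue; };

static void blk_put_queue(struct request_queue *q)
{
    if (--q->refs == 0)
        q->freed = true;            /* kfree() in the kernel */
}

/* Returns false when it would touch an already-freed queue (the UAF). */
static bool blk_cleanup_queue(struct request_queue *q)
{
    if (q->freed)
        return false;
    blk_put_queue(q);
    return true;
}

/* gendisk release handler: drops the queue reference the disk holds. */
static void put_disk(struct gendisk *d)
{
    if (--d->refs == 0 && d->queue)
        blk_put_queue(d->queue);
}

/* brd_free() order as in 4.19: put_disk() first, then blk_cleanup_queue(). */
static bool brd_free(struct gendisk *d, struct request_queue *q)
{
    put_disk(d);
    return blk_cleanup_queue(q);
}

/* One brd instance. associate_early: disk->queue set in brd_alloc() (pre-patch);
 * otherwise the link is made only just before add_disk(), as the patch does.
 * added=false is the failure path from the commit message. Returns true when
 * the queue was freed exactly once and never touched afterwards. */
static bool brd_lifecycle(bool associate_early, bool added)
{
    struct request_queue q = { .refs = 1 };
    struct gendisk d = { .refs = 1, .queue = associate_early ? &q : NULL };
    if (added) {
        d.queue = &q;
        q.refs++;                   /* add_disk() takes a queue reference */
    }
    return brd_free(&d, &q) && q.freed;
}
```

The report's own "Read of size 8 at addr 0000000000000230" inside brd_alloc() is a small offset from address zero, i.e. a field read through a pointer that is still NULL at that point; the thread does not say which pointer.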

2018-11-02 00:54:53

by Ming Lei

Subject: Re: [LKP] a518560778 [ 16.132179] BUG: KASAN: null-ptr-deref in brd_alloc

On Fri, Nov 02, 2018 at 08:19:57AM +0800, kernel test robot wrote:
> Greetings,
>
> 0day kernel testing robot got the below dmesg and the first bad commit is
>
> https://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux-block.git for-linus
>
> commit a5185607787e030fcb0009194d3b12f8bcca59d6
> Author: Ming Lei <[email protected]>
> AuthorDate: Wed Oct 31 16:40:50 2018 +0800
> Commit: Jens Axboe <[email protected]>
> CommitDate: Wed Oct 31 08:43:09 2018 -0600
>
> block: brd: associate with queue until adding disk
>
> brd_free() may be called in failure path on one brd instance without
> the disk being added yet, so release handler of gendisk may free the
> associated request_queue early and cause the following use-after-free[1].
>
> This patch fixes this issue by associating gendisk with request_queue
> just before adding disk.
>
> Reported-by: [email protected]
> Signed-off-by: Ming Lei <[email protected]>
> Signed-off-by: Jens Axboe <[email protected]>

Sorry, my fault.

Jens, I just sent you V2 which fixes this issue, could you drop V1 from
your for-linus and apply V2 against it?


Thanks,
Ming

2018-11-02 02:00:57

by Jens Axboe

Subject: Re: [LKP] a518560778 [ 16.132179] BUG: KASAN: null-ptr-deref in brd_alloc

On 11/1/18 6:53 PM, Ming Lei wrote:
> On Fri, Nov 02, 2018 at 08:19:57AM +0800, kernel test robot wrote:
>> Greetings,
>>
>> 0day kernel testing robot got the below dmesg and the first bad commit is
>>
>> https://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux-block.git for-linus
>>
>> commit a5185607787e030fcb0009194d3b12f8bcca59d6
>> Author: Ming Lei <[email protected]>
>> AuthorDate: Wed Oct 31 16:40:50 2018 +0800
>> Commit: Jens Axboe <[email protected]>
>> CommitDate: Wed Oct 31 08:43:09 2018 -0600
>>
>> block: brd: associate with queue until adding disk
>>
>> brd_free() may be called in failure path on one brd instance without
>> the disk being added yet, so release handler of gendisk may free the
>> associated request_queue early and cause the following use-after-free[1].
>>
>> This patch fixes this issue by associating gendisk with request_queue
>> just before adding disk.
>>
>> Reported-by: [email protected]
>> Signed-off-by: Ming Lei <[email protected]>
>> Signed-off-by: Jens Axboe <[email protected]>
>
> Sorry, my fault.
>
> Jens, I just sent you V2 which fixes this issue, could you drop V1 from
> your for-linus and apply V2 against it?

Just did, dropped v1 and added v2 instead.

--
Jens Axboe