2022-01-22 00:31:02

by Ryan Cai

Subject: [PATCH] net: missing lock releases in ipmr_base.c

From: Ryan Cai <[email protected]>

In method mr_mfc_seq_idx, the lock it->lock and rcu_read_lock are not released when pos-- == 0 is true.

Signed-off-by: Ryan Cai <[email protected]>
---
net/ipv4/ipmr_base.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/net/ipv4/ipmr_base.c b/net/ipv4/ipmr_base.c
index aa8738a91210..c4a247024c85 100644
--- a/net/ipv4/ipmr_base.c
+++ b/net/ipv4/ipmr_base.c
@@ -154,6 +154,7 @@ void *mr_mfc_seq_idx(struct net *net,
it->cache = &mrt->mfc_cache_list;
list_for_each_entry_rcu(mfc, &mrt->mfc_cache_list, list)
if (pos-- == 0)
+ rcu_read_unlock();
return mfc;
rcu_read_unlock();

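Review bot: the added `rcu_read_unlock();` has no braces, so the `if (pos-- == 0)` now guards only the unlock and `return mfc;` is no longer inside the loop at all: the walk runs to the end of mfc_cache_list, drops the RCU read lock once when pos reaches zero, and then returns mfc unconditionally, which at that point is the list head cast to a struct mr_mfc, i.e. a pointer into the mr_table rather than a real entry (the trailing `rcu_read_unlock();` context line becomes dead code, which is the tell). If an unlock-before-return is really wanted, both statements need a block: `if (pos-- == 0) { rcu_read_unlock(); return mfc; }`. Also worth checking before changing this at all: it->cache is left pointing at mfc_cache_list across the early return, which suggests the lock is meant to stay held for the seq_file iterator and be released in its stop callback (mr_mfc_seq_stop), so the "missing" unlock may be by design. A W=1 build with -Wmisleading-indentation flags this hunk.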
@@ -161,6 +162,7 @@ void *mr_mfc_seq_idx(struct net *net,
it->cache = &mrt->mfc_unres_queue;
list_for_each_entry(mfc, it->cache, list)
if (pos-- == 0)
+ spin_unlock_bh(it->lock);
return mfc;
spin_unlock_bh(it->lock);

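Review bot: same missing-brace problem as the first hunk: `spin_unlock_bh(it->lock);` becomes the whole loop body, `return mfc;` falls out of the loop and executes after walking all of mfc_unres_queue, returning the cast list head instead of an entry, and the trailing `spin_unlock_bh(it->lock);` context line (and everything after it, including the end-of-table NULL return) is unreachable. Either brace the two statements together or, more likely, leave the lock held as the original code does, since it->cache still records which list (and therefore which lock) the iterator is on when it returns here.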
--
2.33.0


2022-01-22 00:39:34

by kernel test robot

Subject: Re: [PATCH] net: missing lock releases in ipmr_base.c

Hi ycaibb,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on net-next/master]
[also build test WARNING on net/master horms-ipvs/master linus/master v5.16 next-20220121]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url: https://github.com/0day-ci/linux/commits/ycaibb/net-missing-lock-releases-in-ipmr_base-c/20220121-112603
base: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git 8aaaf2f3af2ae212428f4db1af34214225f5cec3
config: powerpc-allyesconfig (https://download.01.org/0day-ci/archive/20220121/[email protected]/config)
compiler: powerpc-linux-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/0day-ci/linux/commit/33b03feacaf2155323b031274d2d67dab0cf561c
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review ycaibb/net-missing-lock-releases-in-ipmr_base-c/20220121-112603
git checkout 33b03feacaf2155323b031274d2d67dab0cf561c
# save the config file to linux build tree
mkdir build_dir
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=powerpc SHELL=/bin/bash net/ipv4/

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <[email protected]>

All warnings (new ones prefixed by >>):

net/ipv4/ipmr_base.c: In function 'mr_mfc_seq_idx':
>> net/ipv4/ipmr_base.c:156:17: warning: this 'if' clause does not guard... [-Wmisleading-indentation]
156 | if (pos-- == 0)
| ^~
net/ipv4/ipmr_base.c:158:25: note: ...this statement, but the latter is misleadingly indented as if it were guarded by the 'if'
158 | return mfc;
| ^~~~~~
net/ipv4/ipmr_base.c:164:17: warning: this 'if' clause does not guard... [-Wmisleading-indentation]
164 | if (pos-- == 0)
| ^~
net/ipv4/ipmr_base.c:166:25: note: ...this statement, but the latter is misleadingly indented as if it were guarded by the 'if'
166 | return mfc;
| ^~~~~~


vim +/if +156 net/ipv4/ipmr_base.c

3feda6b46f7347 Yuval Mintz 2018-02-28 146
c8d61968032654 Yuval Mintz 2018-02-28 147 void *mr_mfc_seq_idx(struct net *net,
c8d61968032654 Yuval Mintz 2018-02-28 148 struct mr_mfc_iter *it, loff_t pos)
c8d61968032654 Yuval Mintz 2018-02-28 149 {
c8d61968032654 Yuval Mintz 2018-02-28 150 struct mr_table *mrt = it->mrt;
c8d61968032654 Yuval Mintz 2018-02-28 151 struct mr_mfc *mfc;
c8d61968032654 Yuval Mintz 2018-02-28 152
c8d61968032654 Yuval Mintz 2018-02-28 153 rcu_read_lock();
c8d61968032654 Yuval Mintz 2018-02-28 154 it->cache = &mrt->mfc_cache_list;
c8d61968032654 Yuval Mintz 2018-02-28 155 list_for_each_entry_rcu(mfc, &mrt->mfc_cache_list, list)
c8d61968032654 Yuval Mintz 2018-02-28 @156 if (pos-- == 0)
33b03feacaf215 Ryan Cai 2022-01-21 157 rcu_read_unlock();
c8d61968032654 Yuval Mintz 2018-02-28 158 return mfc;
c8d61968032654 Yuval Mintz 2018-02-28 159 rcu_read_unlock();
c8d61968032654 Yuval Mintz 2018-02-28 160
c8d61968032654 Yuval Mintz 2018-02-28 161 spin_lock_bh(it->lock);
c8d61968032654 Yuval Mintz 2018-02-28 162 it->cache = &mrt->mfc_unres_queue;
c8d61968032654 Yuval Mintz 2018-02-28 163 list_for_each_entry(mfc, it->cache, list)
c8d61968032654 Yuval Mintz 2018-02-28 164 if (pos-- == 0)
33b03feacaf215 Ryan Cai 2022-01-21 165 spin_unlock_bh(it->lock);
c8d61968032654 Yuval Mintz 2018-02-28 166 return mfc;
c8d61968032654 Yuval Mintz 2018-02-28 167 spin_unlock_bh(it->lock);
c8d61968032654 Yuval Mintz 2018-02-28 168
c8d61968032654 Yuval Mintz 2018-02-28 169 it->cache = NULL;
c8d61968032654 Yuval Mintz 2018-02-28 170 return NULL;
c8d61968032654 Yuval Mintz 2018-02-28 171 }
c8d61968032654 Yuval Mintz 2018-02-28 172 EXPORT_SYMBOL(mr_mfc_seq_idx);
c8d61968032654 Yuval Mintz 2018-02-28 173

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]

2022-01-22 00:40:01

by kernel test robot

Subject: Re: [PATCH] net: missing lock releases in ipmr_base.c

Hi ycaibb,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on net-next/master]
[also build test WARNING on net/master horms-ipvs/master linus/master v5.16 next-20220121]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url: https://github.com/0day-ci/linux/commits/ycaibb/net-missing-lock-releases-in-ipmr_base-c/20220121-112603
base: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git 8aaaf2f3af2ae212428f4db1af34214225f5cec3
config: mips-bmips_stb_defconfig (https://download.01.org/0day-ci/archive/20220121/[email protected]/config)
compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project d4baf3b1322b84816aa623d8e8cb45a49cb68b84)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install mips cross compiling tool for clang build
# apt-get install binutils-mips-linux-gnu
# https://github.com/0day-ci/linux/commit/33b03feacaf2155323b031274d2d67dab0cf561c
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review ycaibb/net-missing-lock-releases-in-ipmr_base-c/20220121-112603
git checkout 33b03feacaf2155323b031274d2d67dab0cf561c
# save the config file to linux build tree
mkdir build_dir
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=mips SHELL=/bin/bash net/ipv4/

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <[email protected]>

All warnings (new ones prefixed by >>):

>> net/ipv4/ipmr_base.c:158:4: warning: misleading indentation; statement is not part of the previous 'if' [-Wmisleading-indentation]
return mfc;
^
net/ipv4/ipmr_base.c:156:3: note: previous statement is here
if (pos-- == 0)
^
net/ipv4/ipmr_base.c:166:4: warning: misleading indentation; statement is not part of the previous 'if' [-Wmisleading-indentation]
return mfc;
^
net/ipv4/ipmr_base.c:164:3: note: previous statement is here
if (pos-- == 0)
^
2 warnings generated.


vim +/if +158 net/ipv4/ipmr_base.c

3feda6b46f7347 Yuval Mintz 2018-02-28 146
c8d61968032654 Yuval Mintz 2018-02-28 147 void *mr_mfc_seq_idx(struct net *net,
c8d61968032654 Yuval Mintz 2018-02-28 148 struct mr_mfc_iter *it, loff_t pos)
c8d61968032654 Yuval Mintz 2018-02-28 149 {
c8d61968032654 Yuval Mintz 2018-02-28 150 struct mr_table *mrt = it->mrt;
c8d61968032654 Yuval Mintz 2018-02-28 151 struct mr_mfc *mfc;
c8d61968032654 Yuval Mintz 2018-02-28 152
c8d61968032654 Yuval Mintz 2018-02-28 153 rcu_read_lock();
c8d61968032654 Yuval Mintz 2018-02-28 154 it->cache = &mrt->mfc_cache_list;
c8d61968032654 Yuval Mintz 2018-02-28 155 list_for_each_entry_rcu(mfc, &mrt->mfc_cache_list, list)
c8d61968032654 Yuval Mintz 2018-02-28 156 if (pos-- == 0)
33b03feacaf215 Ryan Cai 2022-01-21 157 rcu_read_unlock();
c8d61968032654 Yuval Mintz 2018-02-28 @158 return mfc;
c8d61968032654 Yuval Mintz 2018-02-28 159 rcu_read_unlock();
c8d61968032654 Yuval Mintz 2018-02-28 160
c8d61968032654 Yuval Mintz 2018-02-28 161 spin_lock_bh(it->lock);
c8d61968032654 Yuval Mintz 2018-02-28 162 it->cache = &mrt->mfc_unres_queue;
c8d61968032654 Yuval Mintz 2018-02-28 163 list_for_each_entry(mfc, it->cache, list)
c8d61968032654 Yuval Mintz 2018-02-28 164 if (pos-- == 0)
33b03feacaf215 Ryan Cai 2022-01-21 165 spin_unlock_bh(it->lock);
c8d61968032654 Yuval Mintz 2018-02-28 166 return mfc;
c8d61968032654 Yuval Mintz 2018-02-28 167 spin_unlock_bh(it->lock);
c8d61968032654 Yuval Mintz 2018-02-28 168
c8d61968032654 Yuval Mintz 2018-02-28 169 it->cache = NULL;
c8d61968032654 Yuval Mintz 2018-02-28 170 return NULL;
c8d61968032654 Yuval Mintz 2018-02-28 171 }
c8d61968032654 Yuval Mintz 2018-02-28 172 EXPORT_SYMBOL(mr_mfc_seq_idx);
c8d61968032654 Yuval Mintz 2018-02-28 173


2022-01-22 01:57:38

by Stephen Hemminger

Subject: Re: [PATCH] net: missing lock releases in ipmr_base.c

On Fri, 21 Jan 2022 11:22:10 +0800
ycaibb <[email protected]> wrote:

> From: Ryan Cai <[email protected]>
>
> In method mr_mfc_seq_idx, the lock it->lock and rcu_read_lock are not released when pos-- == 0 is true.
>
> Signed-off-by: Ryan Cai <[email protected]>
> ---
> net/ipv4/ipmr_base.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/ipv4/ipmr_base.c b/net/ipv4/ipmr_base.c
> index aa8738a91210..c4a247024c85 100644
> --- a/net/ipv4/ipmr_base.c
> +++ b/net/ipv4/ipmr_base.c
> @@ -154,6 +154,7 @@ void *mr_mfc_seq_idx(struct net *net,
> it->cache = &mrt->mfc_cache_list;
> list_for_each_entry_rcu(mfc, &mrt->mfc_cache_list, list)
> if (pos-- == 0)
> + rcu_read_unlock();
> return mfc;
> rcu_read_unlock();
>
> @@ -161,6 +162,7 @@ void *mr_mfc_seq_idx(struct net *net,
> it->cache = &mrt->mfc_unres_queue;
> list_for_each_entry(mfc, it->cache, list)
> if (pos-- == 0)
> + spin_unlock_bh(it->lock);
> return mfc;
> spin_unlock_bh(it->lock);
>

Another buggy patch, perhaps you write python or research papers?

2022-01-27 14:31:46

by Oliver Sang

Subject: [net] 33b03feaca: BUG:KASAN:slab-out-of-bounds_in_ip6_string



Greetings,

FYI, we noticed the following commit (built with gcc-9):

commit: 33b03feacaf2155323b031274d2d67dab0cf561c ("[PATCH] net: missing lock releases in ipmr_base.c")
url: https://github.com/0day-ci/linux/commits/ycaibb/net-missing-lock-releases-in-ipmr_base-c/20220121-112603
base: https://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git 8aaaf2f3af2ae212428f4db1af34214225f5cec3
patch link: https://lore.kernel.org/netdev/[email protected]

in testcase: trinity
version: trinity-x86_64-608712d8-1_20220125
with the following parameters:

runtime: 300s
group: group-02

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu Icelake-Server -smp 4 -m 16G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):


+---------------------------------------------------+------------+------------+
| | 8aaaf2f3af | 33b03feaca |
+---------------------------------------------------+------------+------------+
| boot_successes | 59 | 12 |
| boot_failures | 0 | 48 |
| BUG:KASAN:slab-out-of-bounds_in_ipmr_mfc_seq_show | 0 | 23 |
| BUG:KASAN:slab-out-of-bounds_in_ip6_string | 0 | 25 |
+---------------------------------------------------+------------+------------+


If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <[email protected]>


[ 96.154425][ T3831] BUG: KASAN: slab-out-of-bounds in ip6_string (lib/vsprintf.c:1459)
[ 96.154447][ T3831] Read of size 1 at addr ffff888161f06e20 by task trinity-c7/3831
[ 96.154453][ T3831]
[ 96.154458][ T3831] CPU: 1 PID: 3831 Comm: trinity-c7 Not tainted 5.16.0-rc8-02291-g33b03feacaf2 #1
[ 96.154467][ T3831] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 96.154472][ T3831] Call Trace:
[ 96.154477][ T3831] <TASK>
[ 96.154498][ T3831] dump_stack_lvl (lib/dump_stack.c:107)
[ 96.154516][ T3831] print_address_description+0x21/0x140
[ 96.154532][ T3831] ? ip6_string (lib/vsprintf.c:1459)
[ 96.154541][ T3831] kasan_report.cold (mm/kasan/report.c:434 mm/kasan/report.c:450)
[ 96.154552][ T3831] ? stack_access_ok (arch/x86/include/asm/stacktrace.h:56 arch/x86/kernel/unwind_orc.c:342)
[ 96.154561][ T3831] ? ip6_string (lib/vsprintf.c:1459)
[ 96.154567][ T3831] ip6_string (lib/vsprintf.c:1459)
[ 96.154573][ T3831] ip6_addr_string (lib/vsprintf.c:1480)
[ 96.154580][ T3831] ? ip6_compressed_string (lib/vsprintf.c:1472)
[ 96.154586][ T3831] ? orc_find+0x300/0x300
[ 96.154594][ T3831] ? string_nocheck (lib/vsprintf.c:701)
[ 96.154600][ T3831] ? is_bpf_text_address (arch/x86/include/asm/preempt.h:85 include/linux/rcupdate.h:73 include/linux/rcupdate.h:720 kernel/bpf/core.c:717)
[ 96.154609][ T3831] ? kernel_text_address (kernel/extable.c:96 kernel/extable.c:93)
[ 96.154616][ T3831] ip_addr_string (lib/vsprintf.c:1602)
[ 96.154623][ T3831] ? ip6_addr_string_sa (lib/vsprintf.c:1594)
[ 96.154632][ T3831] pointer (lib/vsprintf.c:2429)
[ 96.154641][ T3831] ? time_and_date (lib/vsprintf.c:2395)
[ 96.154647][ T3831] ? chacha_permute (lib/crypto/chacha.c:77)
[ 96.154659][ T3831] vsnprintf (lib/vsprintf.c:2811)
[ 96.154667][ T3831] ? pointer (lib/vsprintf.c:2736)
[ 96.154672][ T3831] ? _extract_crng (drivers/char/random.c:1001)
[ 96.154682][ T3831] ? get_random_u32 (drivers/char/random.c:2208)
[ 96.154691][ T3831] seq_vprintf (fs/seq_file.c:392)
[ 96.154702][ T3831] seq_printf (fs/seq_file.c:402)
[ 96.154710][ T3831] ? seq_vprintf (fs/seq_file.c:402)
[ 96.154715][ T3831] ? __mod_memcg_lruvec_state (mm/memcontrol.c:635 mm/memcontrol.c:708)
[ 96.154725][ T3831] ? memcpy (mm/kasan/shadow.c:65 (discriminator 1))
[ 96.154733][ T3831] ? seq_puts (fs/seq_file.c:681)
[ 96.154742][ T3831] ipmr_mfc_seq_show (net/ipv4/ipmr.c:2968)
[ 96.154758][ T3831] seq_read_iter (fs/seq_file.c:272)
[ 96.154769][ T3831] seq_read (fs/seq_file.c:163)
[ 96.154778][ T3831] ? seq_read_iter (fs/seq_file.c:152)
[ 96.154785][ T3831] ? hrtimer_start_range_ns (kernel/time/hrtimer.c:1282)
[ 96.154795][ T3831] ? hrtimer_run_softirq (kernel/time/hrtimer.c:1282)
[ 96.154799][ T3831] ? _raw_spin_lock_irq (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:513 include/asm-generic/qspinlock.h:82 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:120 kernel/locking/spinlock.c:170)
[ 96.154810][ T3831] proc_reg_read (fs/proc/inode.c:311 fs/proc/inode.c:323)
[ 96.154820][ T3831] vfs_read (fs/read_write.c:479)
[ 96.154830][ T3831] ksys_read (fs/read_write.c:619)
[ 96.154838][ T3831] ? vfs_write (fs/read_write.c:609)
[ 96.154847][ T3831] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
[ 96.154861][ T3831] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113)
[ 96.154869][ T3831] RIP: 0033:0x7f1fca7a6f59
[ 96.154885][ T3831] RSP: 002b:00007ffce82fd318 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 96.154896][ T3831] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1fca7a6f59
[ 96.154902][ T3831] RDX: 0000000000000303 RSI: 00007f1fc87c1000 RDI: 0000000000000066
[ 96.154907][ T3831] RBP: 0000000000000000 R08: 0000004a090d1a84 R09: 00000000bbbbbbbb
[ 96.154912][ T3831] R10: 000000000000005c R11: 0000000000000246 R12: 0000000000000002
[ 96.154917][ T3831] R13: 00007f1fc9102058 R14: 00007f1fca68f6c0 R15: 00007f1fc9102000
[ 96.154926][ T3831] </TASK>
[ 96.154929][ T3831]
[ 96.154933][ T3831] Allocated by task 1:
[ 96.154938][ T3831] kasan_save_stack (mm/kasan/common.c:38)
[ 96.154946][ T3831] __kasan_kmalloc (mm/kasan/common.c:46 mm/kasan/common.c:434 mm/kasan/common.c:513 mm/kasan/common.c:522)
[ 96.154954][ T3831] mr_table_alloc (include/linux/slab.h:590 include/linux/slab.h:724 net/ipv4/ipmr_base.c:41)
[ 96.154965][ T3831] ip6mr_net_init (net/ipv6/ip6mr.c:232 net/ipv6/ip6mr.c:1306)
[ 96.154973][ T3831] ops_init (net/core/net_namespace.c:140)
[ 96.154981][ T3831] register_pernet_operations (net/core/net_namespace.c:1148 net/core/net_namespace.c:1217)
[ 96.154988][ T3831] register_pernet_subsys (net/core/net_namespace.c:1259)
[ 96.154993][ T3831] ip6_mr_init (net/ipv6/ip6mr.c:1359)
[ 96.155006][ T3831] inet6_init (net/ipv6/af_inet6.c:1109)
[ 96.155011][ T3831] do_one_initcall (init/main.c:1297)
[ 96.155018][ T3831] kernel_init_freeable (init/main.c:1369 init/main.c:1386 init/main.c:1405 init/main.c:1610)
[ 96.155027][ T3831] kernel_init (init/main.c:1501)
[ 96.155033][ T3831] ret_from_fork (arch/x86/entry/entry_64.S:301)
[ 96.155038][ T3831]
[ 96.155040][ T3831] The buggy address belongs to the object at ffff888161f06000
[ 96.155040][ T3831] which belongs to the cache kmalloc-4k of size 4096
[ 96.155046][ T3831] The buggy address is located 3616 bytes inside of
[ 96.155046][ T3831] 4096-byte region [ffff888161f06000, ffff888161f07000)
[ 96.155051][ T3831] The buggy address belongs to the page:
[ 96.155056][ T3831] page:0000000074fbc6e9 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x161f00
[ 96.155064][ T3831] head:0000000074fbc6e9 order:3 compound_mapcount:0 compound_pincount:0
[ 96.155068][ T3831] flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
[ 96.155083][ T3831] raw: 0017ffffc0010200 0000000000000000 dead000000000122 ffff888100043040
[ 96.155090][ T3831] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 96.155093][ T3831] page dumped because: kasan: bad access detected
[ 96.155097][ T3831] page_owner tracks the page as allocated
[ 96.155100][ T3831] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, ts 29137094592, free_ts 0
[ 96.155112][ T3831] prep_new_page (include/linux/page_owner.h:31 mm/page_alloc.c:2412 mm/page_alloc.c:2418)
[ 96.155120][ T3831] get_page_from_freelist (mm/page_alloc.c:4155)
[ 96.155127][ T3831] __alloc_pages (mm/page_alloc.c:5370)
[ 96.155133][ T3831] alloc_page_interleave (arch/x86/include/asm/jump_label.h:27 mm/mempolicy.c:2038)
[ 96.155142][ T3831] allocate_slab (mm/slub.c:1793 mm/slub.c:1930)
[ 96.155149][ T3831] ___slab_alloc (mm/slub.c:3022)
[ 96.155155][ T3831] __slab_alloc+0x1c/0x40
[ 96.155161][ T3831] __kmalloc (mm/slub.c:3200 mm/slub.c:3242 mm/slub.c:4419)
[ 96.155167][ T3831] __register_sysctl_table (include/linux/slab.h:595 include/linux/slab.h:724 fs/proc/proc_sysctl.c:1318)
[ 96.155174][ T3831] ipv4_sysctl_init_net (net/ipv4/sysctl_net_ipv4.c:1418)
[ 96.155181][ T3831] ops_init (net/core/net_namespace.c:140)
[ 96.155185][ T3831] register_pernet_operations (net/core/net_namespace.c:1148 net/core/net_namespace.c:1217)
[ 96.155190][ T3831] register_pernet_subsys (net/core/net_namespace.c:1259)
[ 96.155196][ T3831] sysctl_ipv4_init (net/ipv4/sysctl_net_ipv4.c:1460)
[ 96.155202][ T3831] do_one_initcall (init/main.c:1297)
[ 96.155208][ T3831] kernel_init_freeable (init/main.c:1369 init/main.c:1386 init/main.c:1405 init/main.c:1610)
[ 96.155214][ T3831] page_owner free stack trace missing
[ 96.155218][ T3831]
[ 96.155220][ T3831] Memory state around the buggy address:
[ 96.155225][ T3831] ffff888161f06d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 96.155229][ T3831] ffff888161f06d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 96.155233][ T3831] >ffff888161f06e00: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 96.155236][ T3831] ^
[ 96.155240][ T3831] ffff888161f06e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 96.155244][ T3831] ffff888161f06f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 96.155247][ T3831] ==================================================================
[ 96.155250][ T3831] Disabling lock debugging due to kernel taint


To reproduce:

# build kernel
cd linux
cp config-5.16.0-rc8-02291-g33b03feacaf2 .config
make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
cd <mod-install-dir>
find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz


git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

# if you come across any failure that blocks the test,
# please remove ~/.lkp and /lkp dir to run from a clean state.



---
0DAY/LKP+ Test Infrastructure Open Source Technology Center
https://lists.01.org/hyperkitty/list/[email protected] Intel Corporation

Thanks,
Oliver Sang


Attachments:
(No filename) (12.74 kB)
config-5.16.0-rc8-02291-g33b03feacaf2 (180.54 kB)
job-script (4.79 kB)
dmesg.xz (18.48 kB)
trinity (6.69 kB)
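The KASAN report above (buggy address inside an object allocated by mr_table_alloc, read from ipmr_mfc_seq_show) follows directly from the shape of the patched loop. As an added example, not code from the patch or from the kernel, here is a user-space model of the first loop in mr_mfc_seq_idx with assumed stand-ins for list_head, list_for_each_entry and rcu_read_unlock, showing that the unbraced unlock turns `return mfc;` into a post-loop return of the list head cast to an entry, a pointer into the table object itself, beside the braced lookup that returns the pos-th entry or NULL.

```c
#include <stddef.h>

/* Minimal stand-ins for the kernel's list_head API (assumed; no RCU, no locking). */
struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->prev = h->prev; n->next = h;
    h->prev->next = n; h->prev = n;
}

#define list_entry(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_for_each_entry(pos, head, member)                       \
    for (pos = list_entry((head)->next, __typeof__(*pos), member);   \
         &pos->member != (head);                                     \
         pos = list_entry(pos->member.next, __typeof__(*pos), member))

/* Model of struct mr_mfc: a list link plus data that seq_show would print. */
struct mfc { struct list_head list; int id; };
/* Model of struct mr_table, the object that owns the list head. */
struct table { struct list_head mfc_cache_list; };

static int unlock_calls;                          /* counts the unlock stand-in */
static void rcu_read_unlock(void) { unlock_calls++; }

/* What the patched, unbraced source means to the compiler: the `if` is the
 * whole loop body, so `return mfc;` runs once after the walk, when mfc is the
 * list head cast to struct mfc, i.e. a pointer into the table, not an entry. */
struct mfc *seq_idx_as_patched(struct table *t, long pos)
{
    struct mfc *mfc;
    list_for_each_entry(mfc, &t->mfc_cache_list, list) {
        if (pos-- == 0)
            rcu_read_unlock();           /* fires once, walk continues anyway */
    }
    return mfc;                          /* always the cast list head */
}

/* The intended lookup: the pos-th entry, or NULL when the list is shorter. */
struct mfc *seq_idx_braced(struct table *t, long pos)
{
    struct mfc *mfc;
    list_for_each_entry(mfc, &t->mfc_cache_list, list) {
        if (pos-- == 0)
            return mfc;
    }
    return NULL;
}

/* True if p is the cast list head (inside the table) rather than a real entry. */
int points_into_table(struct table *t, const struct mfc *p)
{
    return p == list_entry(&t->mfc_cache_list, struct mfc, list);
}

/* Constructed sample table with three entries, ids 10, 20, 30. */
static struct mfc entries[3] = { {{0, 0}, 10}, {{0, 0}, 20}, {{0, 0}, 30} };
struct table *sample_table(void)
{
    static struct table t;
    INIT_LIST_HEAD(&t.mfc_cache_list);
    for (int i = 0; i < 3; i++)
        list_add_tail(&entries[i].list, &t.mfc_cache_list);
    return &t;
}
```

Reading `id` through the pointer returned by seq_idx_as_patched reads past the list head inside the table, which is the slab-out-of-bounds access KASAN reports.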