2018-08-23 02:42:39

by Chen, Rong A

Subject: [lkp-robot] [ipc] 296ba26b66: BUG:sleeping_function_called_from_invalid_context_at_mm/memory.c

FYI, we noticed the following commit (built with gcc-7):

commit: 296ba26b6681b6e07ed419b3004647167cb17f61 ("ipc: drop ipc_lock()")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master

in testcase: ltp
with following parameters:

disk: 1HDD
fs: ext4
test: syscalls_part4

test-description: The LTP testsuite contains a collection of tools for testing the Linux kernel and related features.
test-url: http://linux-test-project.github.io/


on test machine: 8 threads Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz with 8G memory

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):


+----------------+------------+------------+
| | fc76430e57 | 296ba26b66 |
+----------------+------------+------------+
| boot_successes | 8 | 4 |
+----------------+------------+------------+



user :notice: [ 37.876701] INFO: creating /lkp/benchmarks/ltp/output directory

user :notice: [ 37.885597] INFO: creating /lkp/benchmarks/ltp/results directory

user :notice: [ 37.894309] Checking for required user/group ids


user :notice: [ 37.903519] 'nobody' user id and group found.

user :notice: [ 37.910551] 'bin' user id and group found.

user :notice: [ 37.917365] 'daemon' user id and group found.

user :notice: [ 37.924247] Users group found.

user :notice: [ 37.929733] Sys group found.

user :notice: [ 37.935347] Required users/groups exist.

user :notice: [ 37.942497] If some fields are empty or look unusual you may have an old version.

user :notice: [ 37.953263] Compare to the current minimal requirements in Documentation/Changes.


user :notice: [ 37.965391] /etc/os-release

user :notice: [ 37.971089] PRETTY_NAME="Debian GNU/Linux 9 (stretch)"

user :notice: [ 37.978838] NAME="Debian GNU/Linux"

user :notice: [ 37.984791] VERSION_ID="9"

user :notice: [ 37.990106] VERSION="9 (stretch)"

user :notice: [ 37.995828] ID=debian

kern :info : [ 37.999988] EXT4-fs (loop0): mounting ext3 file system using the ext4 subsystem
user :notice: [ 38.000882] HOME_URL="https://www.debian.org/"

user :notice: [ 38.015643] SUPPORT_URL="https://www.debian.org/support"

user :notice: [ 38.023965] BUG_REPORT_URL="https://bugs.debian.org/"

kern :info : [ 38.031316] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null)

user :notice: [ 38.041866] uname:

user :notice: [ 38.047747] Linux lkp-skl-d01 4.18.0-08438-g296ba26 #1 SMP Wed Aug 22 13:56:11 CST 2018 x86_64 GNU/Linux


user :notice: [ 38.061880] /proc/cmdline

kern :info : [ 38.465310] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null)
kern :notice: [ 38.780202] XFS (loop0): Mounting V5 Filesystem
kern :info : [ 38.786455] XFS (loop0): Ending clean mount
kern :notice: [ 38.857426] XFS (loop0): Unmounting Filesystem
kern :info : [ 39.082927] BTRFS: device fsid ccee36db-77b8-45a2-9c38-b786618a9508 devid 1 transid 5 /dev/loop0
kern :info : [ 39.093273] BTRFS info (device loop0): disk space caching is enabled
kern :info : [ 39.100593] BTRFS info (device loop0): has skinny extents
kern :info : [ 39.106892] BTRFS info (device loop0): flagging fs with big metadata feature
kern :info : [ 39.115680] BTRFS info (device loop0): creating UUID tree
user :warn : [ 39.323484] LTP: starting setxattr02
user :warn : [ 39.328764] LTP: starting setxattr03
user :warn : [ 39.333486] LTP: starting shmat01
kern :info : [ 39.338684] shmat01[2578]: segfault at 7f37d4811000 ip 000055e7f76018f2 sp 00007ffe6dfaf780 error 6 in shmat01[55e7f75fd000+18000]
kern :info : [ 39.351001] Code: 8d 3d f6 c2 00 00 31 d2 be 93 00 00 00 4d 8b 44 c6 10 31 c0 e8 5f 07 00 00 e9 72 fe ff ff 48 6b db 18 41 83 7c 1e 0c 0b 74 0e <c7> 45 00 0a 00 00 00 31 ff e8 80 fa ff ff 48 89 e6 bf 04 00 00 00
user :warn : [ 39.371404] LTP: starting shmat02
user :warn : [ 39.376519] LTP: starting cve-2017-5669
user :warn : [ 39.381748] LTP: starting shmctl01
user :warn : [ 40.467992] LTP: starting shmctl02
user :warn : [ 40.472844] LTP: starting shmctl03
user :warn : [ 40.477834] LTP: starting shmctl04
user :warn : [ 40.482464] LTP: starting shmctl05
kern :warn : [ 40.487041] mmap: shmctl05 (2598) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.rst.
kern :err : [ 40.536890] BUG: sleeping function called from invalid context at mm/memory.c:1449
kern :err : [ 40.546449] in_atomic(): 1, irqs_disabled(): 0, pid: 2598, name: shmctl05
kern :warn : [ 40.553820] CPU: 3 PID: 2598 Comm: shmctl05 Not tainted 4.18.0-08438-g296ba26 #1
kern :warn : [ 40.561801] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.2.8 01/26/2016
kern :warn : [ 40.569781] Call Trace:
kern :warn : [ 40.572808] dump_stack+0x5c/0x7b
kern :warn : [ 40.576765] ___might_sleep+0xf1/0x110
kern :warn : [ 40.581099] unmap_page_range+0x284/0xa60
kern :warn : [ 40.585684] ? unlink_file_vma+0x3b/0x50
kern :warn : [ 40.590164] unmap_vmas+0x4c/0xa0
kern :warn : [ 40.594027] unmap_region+0xae/0x110
kern :warn : [ 40.598171] ? _cond_resched+0x19/0x30
kern :warn : [ 40.602472] mmap_region+0x4a1/0x660
kern :warn : [ 40.606638] do_mmap+0x3dd/0x5a0
kern :warn : [ 40.610431] __x64_sys_remap_file_pages+0x239/0x300
kern :warn : [ 40.615871] do_syscall_64+0x5b/0x180
kern :warn : [ 40.620146] entry_SYSCALL_64_after_hwframe+0x44/0xa9
kern :warn : [ 40.625774] RIP: 0033:0x7f28c1bf1229
kern :warn : [ 40.629923] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 3f 4c 2b 00 f7 d8 64 89 01 48
kern :warn : [ 40.649948] RSP: 002b:00007ffd1aadbd88 EFLAGS: 00000246 ORIG_RAX: 00000000000000d8
kern :warn : [ 40.658150] RAX: ffffffffffffffda RBX: 00007f28c24e8698 RCX: 00007f28c1bf1229
kern :warn : [ 40.665920] RDX: 0000000000000000 RSI: 0000000000001000 RDI: 00007f28c24ef000
kern :warn : [ 40.673708] RBP: 00007f28c24ef000 R08: 0000000000000000 R09: 0000000000000007
kern :warn : [ 40.681517] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
kern :warn : [ 40.689309] R13: 0000000000000007 R14: 000055f8daf67210 R15: 0000000000000001
kern :err : [ 40.697083] BUG: scheduling while atomic: shmctl05/2598/0x7fffffff
kern :warn : [ 40.704419] Modules linked in: fuse vfat fat btrfs xor zstd_decompress zstd_compress xxhash raid6_pq xfs loop dm_mod sr_mod cdrom sd_mod sg snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel snd_hda_intel kvm snd_hda_codec irqbypass snd_hda_core crct10dif_pclmul snd_hwdep i915 crc32_pclmul crc32c_intel ghash_clmulni_intel snd_pcm pcbc aesni_intel snd_timer drm_kms_helper ahci syscopyarea sysfillrect crypto_simd wmi_bmof sysimgblt snd cryptd libahci dcdbas fb_sys_fops pcspkr serio_raw soundcore glue_helper libata intel_pch_thermal drm wmi video acpi_pad pcc_cpufreq ip_tables
kern :warn : [ 40.765830] CPU: 3 PID: 2598 Comm: shmctl05 Tainted: G W 4.18.0-08438-g296ba26 #1
kern :warn : [ 40.775353] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.2.8 01/26/2016
kern :warn : [ 40.783478] Call Trace:
kern :warn : [ 40.786653] dump_stack+0x5c/0x7b
kern :warn : [ 40.790761] __schedule_bug+0x55/0x70
kern :warn : [ 40.795132] __schedule+0x65e/0x870
kern :warn : [ 40.799375] schedule+0x33/0x90
kern :warn : [ 40.803285] exit_to_usermode_loop+0x57/0xe0
kern :warn : [ 40.808269] do_syscall_64+0x16c/0x180
kern :warn : [ 40.812809] entry_SYSCALL_64_after_hwframe+0x44/0xa9
kern :warn : [ 40.818574] RIP: 0033:0x7f28c1bf1229
kern :warn : [ 40.822857] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 3f 4c 2b 00 f7 d8 64 89 01 48
kern :warn : [ 40.843146] RSP: 002b:00007ffd1aadbd88 EFLAGS: 00000246 ORIG_RAX: 00000000000000d8
kern :warn : [ 40.851482] RAX: ffffffffffffffea RBX: 00007f28c24e8698 RCX: 00007f28c1bf1229
kern :warn : [ 40.859378] RDX: 0000000000000000 RSI: 0000000000001000 RDI: 00007f28c24ef000
kern :warn : [ 40.867294] RBP: 00007f28c24ef000 R08: 0000000000000000 R09: 0000000000000007
kern :warn : [ 40.875224] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
kern :warn : [ 40.883181] R13: 0000000000000007 R14: 000055f8daf67210 R15: 0000000000000001
kern :warn : [ 40.905913] WARNING: CPU: 3 PID: 2598 at lib/usercopy.c:26 _copy_to_user+0x60/0x70
kern :warn : [ 40.915672] Modules linked in: fuse vfat fat btrfs xor zstd_decompress zstd_compress xxhash raid6_pq xfs loop dm_mod sr_mod cdrom sd_mod sg snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel snd_hda_intel kvm snd_hda_codec irqbypass snd_hda_core crct10dif_pclmul snd_hwdep i915 crc32_pclmul crc32c_intel ghash_clmulni_intel snd_pcm pcbc aesni_intel snd_timer drm_kms_helper ahci syscopyarea sysfillrect crypto_simd wmi_bmof sysimgblt snd cryptd libahci dcdbas fb_sys_fops pcspkr serio_raw soundcore glue_helper libata intel_pch_thermal drm wmi video acpi_pad pcc_cpufreq ip_tables
kern :warn : [ 40.977669] CPU: 3 PID: 2598 Comm: shmctl05 Tainted: G W 4.18.0-08438-g296ba26 #1
kern :warn : [ 40.987299] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.2.8 01/26/2016
kern :warn : [ 40.995580] RIP: 0010:_copy_to_user+0x60/0x70
kern :warn : [ 41.000877] Code: 01 00 48 01 ea 48 8b 80 98 22 00 00 72 14 48 39 c2 77 0f 48 89 ef 4c 89 e6 89 da e8 9a 0e 56 00 89 c3 48 89 d8 5b 5d 41 5c c3 <0f> 0b eb c8 90 90 90 90 90 90 90 90 90 90 90 90 8b 07 ba 00 00 00
kern :warn : [ 41.021452] RSP: 0018:ffffc900018dfed0 EFLAGS: 00010206
kern :warn : [ 41.027554] RAX: 000000007ffffffe RBX: 0000000000000010 RCX: 0000000000000000
kern :warn : [ 41.035574] RDX: 00000000fffc01bb RSI: 0000000000000019 RDI: ffffffff8230ef18
kern :warn : [ 41.043610] RBP: 00007ffd1aadbd70 R08: 002ebecfd2fa2a00 R09: 0000000000000000
kern :warn : [ 41.051614] R10: 0000000000000000 R11: 0000000000000000 R12: ffffc900018dfef0
kern :warn : [ 41.059614] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
kern :warn : [ 41.067619] FS: 00007f28c24e8700(0000) GS:ffff880259cc0000(0000) knlGS:0000000000000000
kern :warn : [ 41.076673] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
kern :warn : [ 41.083284] CR2: 000055f8db171d70 CR3: 00000001c1b12002 CR4: 00000000003606e0
kern :warn : [ 41.091303] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
kern :warn : [ 41.099348] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
kern :warn : [ 41.107433] Call Trace:
kern :warn : [ 41.110876] put_timespec64+0x3c/0x70
kern :warn : [ 41.115453] __x64_sys_clock_gettime+0x85/0xb0
kern :warn : [ 41.120783] do_syscall_64+0x5b/0x180
kern :warn : [ 41.125333] entry_SYSCALL_64_after_hwframe+0x44/0xa9
kern :warn : [ 41.131324] RIP: 0033:0x7f28c1bf1229
kern :warn : [ 41.135803] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 3f 4c 2b 00 f7 d8 64 89 01 48
kern :warn : [ 41.156543] RSP: 002b:00007ffd1aadbd58 EFLAGS: 00000246 ORIG_RAX: 00000000000000e4
kern :warn : [ 41.165068] RAX: ffffffffffffffda RBX: 0000000000001388 RCX: 00007f28c1bf1229
kern :warn : [ 41.173158] RDX: ffffffffffffff98 RSI: 00007ffd1aadbd70 RDI: 0000000000000001
kern :warn : [ 41.181197] RBP: 00007f28c24ef000 R08: 0000000000000007 R09: 00007f28c24ef000
kern :warn : [ 41.189264] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
kern :warn : [ 41.197310] R13: 0000000000000007 R14: 000055f8daf67210 R15: 0000000000000001
kern :warn : [ 41.205365] ---[ end trace f327f239b0bdaef6 ]---


To reproduce:

git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp install job.yaml # job file is attached in this email
bin/lkp run job.yaml



Thanks,
lkp


Attachments:
(No filename) (12.33 kB)
config-4.18.0-08438-g296ba26 (170.05 kB)
job-script (5.03 kB)
kmsg.xz (62.64 kB)
ltp (204.01 kB)
job.yaml (4.35 kB)
reproduce (245.00 B)

2018-08-23 04:16:14

by Davidlohr Bueso

Subject: Re: [lkp-robot] [ipc] 296ba26b66: BUG:sleeping_function_called_from_invalid_context_at_mm/memory.c

On Thu, 23 Aug 2018, kernel test robot wrote:

>FYI, we noticed the following commit (built with gcc-7):
>
>commit: 296ba26b6681b6e07ed419b3004647167cb17f61 ("ipc: drop ipc_lock()")
>https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master

I suspect this is because that commit forgot to set EIDRM for the
!ipc_valid_object() case. So the callers check IS_ERR(shm_lock()),
which won't fail the op as it did before the commit.

diff --git a/ipc/shm.c b/ipc/shm.c
index b0eb3757ab89..4cd402e4cfeb 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -199,6 +199,7 @@ static inline struct shmid_kernel *shm_lock(struct ipc_namespace *ns, int id)
}

ipc_unlock_object(ipcp);
+ ipcp = ERR_PTR(-EIDRM);
err:
rcu_read_unlock();
/*
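Review bot: the added `ipcp = ERR_PTR(-EIDRM);` directly above `err:` reaches `rcu_read_unlock()` only by falling through the label, and it overwrites the only pointer to the object that was just unlocked. That is correct only if the closing brace above ends a branch that returns the valid, locked object. A one-line comment at the assignment saying the object was removed while the lock was being taken would make both the intent and the fall-through explicit.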

2018-08-24 03:10:59

by Davidlohr Bueso

Subject: [PATCH] ipc/shm: properly return EIDRM in shm_lock()

When getting rid of the general ipc_lock(), this was missed
furthermore, making the comment around the ipc object validity
check bogus. Under EIDRM conditions, callers will in turn not
see the error and continue with the operation.

Fixes: 82061c57ce9 (ipc: drop ipc_lock())
Signed-off-by: Davidlohr Bueso <[email protected]>
---
ipc/shm.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/ipc/shm.c b/ipc/shm.c
index b0eb3757ab89..4cd402e4cfeb 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -199,6 +199,7 @@ static inline struct shmid_kernel *shm_lock(struct ipc_namespace *ns, int id)
}

ipc_unlock_object(ipcp);
+ ipcp = ERR_PTR(-EIDRM);
err:
rcu_read_unlock();
/*
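Review bot: after the added assignment `ipcp` carries an errno, yet the hunk header shows `shm_lock()` returning `struct shmid_kernel *`, while the gcc note quoted later in the thread shows the function ending in `return (void *)ipcp;` from a `struct kern_ipc_perm` pointer. The error value therefore leaves the function through a plain cast between two struct pointer types. Converting at the return with an ERR_PTR-family helper (ERR_CAST is the one named later in this thread) would keep the error path free of that cast.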
--
2.16.4


2018-09-25 12:00:44

by Arnd Bergmann

Subject: Re: [PATCH] ipc/shm: properly return EIDRM in shm_lock()

On Fri, Aug 24, 2018 at 5:09 AM Davidlohr Bueso <[email protected]> wrote:
>
> When getting rid of the general ipc_lock(), this was missed
> furthermore, making the comment around the ipc object validity
> check bogus. Under EIDRM conditions, callers will in turn not
> see the error and continue with the operation.
>
> Fixes: 82061c57ce9 (ipc: drop ipc_lock())
> Signed-off-by: Davidlohr Bueso <[email protected]>
> ---

Oddly, this change introduces a gcc warning in some configurations
(i.e. with randstruct enabled):

ipc/shm.c: In function 'shm_lock':
ipc/shm.c:209:9: note: randstruct: casting between randomized
structure pointer types (ssa): 'struct shmid_kernel' and 'struct
kern_ipc_perm'
return (void *)ipcp;
^~~~~~~~~~~~

Not sure why we didn't see that warning before, probably
it ended up making its own thing when the return code
was uninitialized.

The change below gets rid of the warning, but is a bit ugly.

Arnd

diff --git a/ipc/shm.c b/ipc/shm.c
index fe3c42e66a48..922012a745e5 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -180,10 +180,12 @@ static inline struct shmid_kernel
*shm_obtain_object_check(struct ipc_namespace
static inline struct shmid_kernel *shm_lock(struct ipc_namespace *ns, int id)
{
struct kern_ipc_perm *ipcp;
+ int ret;

rcu_read_lock();
ipcp = ipc_obtain_object_idr(&shm_ids(ns), id);
- if (IS_ERR(ipcp))
+ ret = PTR_ERR_OR_ZERO(ipcp);
+ if (ret)
goto err;

ipc_lock_object(ipcp);
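Review bot: `int ret;` and the switch from `IS_ERR(ipcp)` to `ret = PTR_ERR_OR_ZERO(ipcp)` exist only so the final return can avoid casting `ipcp`, which adds a second variable that has to stay in sync with `ipcp` on every path to `err:`. Keeping `if (IS_ERR(ipcp)) goto err;` and converting once at the return with ERR_CAST(ipcp) would make this hunk unnecessary.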
@@ -199,14 +201,14 @@ static inline struct shmid_kernel
*shm_lock(struct ipc_namespace *ns, int id)
}

ipc_unlock_object(ipcp);
- ipcp = ERR_PTR(-EIDRM);
+ ret = -EIDRM;
err:
rcu_read_unlock();
/*
* Callers of shm_lock() must validate the status of the returned ipc
* object pointer and error out as appropriate.
*/
- return (void *)ipcp;
+ return ERR_PTR(ret);
}

static inline void shm_lock_by_ptr(struct shmid_kernel *ipcp)
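Review bot: `return ERR_PTR(ret);` yields an error pointer only while `ret` is non-zero; ERR_PTR(0) is NULL, which would pass the IS_ERR() check that the comment above the return tells callers to make. Both visible routes to `err:` set a non-zero value (the `goto` under `if (ret)` and `ret = -EIDRM`), so it holds as written, but a short comment at the return stating that `ret` is always negative here would guard against a later `goto err` added with `ret` unset.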

2018-09-25 17:24:14

by Kees Cook

Subject: Re: [PATCH] ipc/shm: properly return EIDRM in shm_lock()

On Tue, Sep 25, 2018 at 5:00 AM, Arnd Bergmann <[email protected]> wrote:
> On Fri, Aug 24, 2018 at 5:09 AM Davidlohr Bueso <[email protected]> wrote:
>>
>> When getting rid of the general ipc_lock(), this was missed
>> furthermore, making the comment around the ipc object validity
>> check bogus. Under EIDRM conditions, callers will in turn not
>> see the error and continue with the operation.
>>
>> Fixes: 82061c57ce9 (ipc: drop ipc_lock())
>> Signed-off-by: Davidlohr Bueso <[email protected]>
>> ---
>
> Oddly, this change introduces a gcc warning in some configurations
> (i.e. with randstruct enabled):
>
> ipc/shm.c: In function 'shm_lock':
> ipc/shm.c:209:9: note: randstruct: casting between randomized
> structure pointer types (ssa): 'struct shmid_kernel' and 'struct
> kern_ipc_perm'
> return (void *)ipcp;
> ^~~~~~~~~~~~
>
> Not sure why we didn't see that warning before, probably
> it ended up making its own thing when the return code
> was uninitialized.

The fix is already queued up in mmotm:

https://www.ozlabs.org/~akpm/mmotm/broken-out/ipc-shm-use-err_cast-for-shm_lock-error-return.patch

randstruct stays quiet about ERR_PTR-family casts since they're not
"real" casts to a functional struct.

-Kees

--
Kees Cook
Pixel Security
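
A userspace model of the error-pointer convention this thread turns on, added here as an illustration (it is not code from the thread or from the kernel tree). `ERR_PTR`, `PTR_ERR` and `IS_ERR` are re-implemented stand-ins for the kernel helpers; `struct perm`, `struct shm`, `model_shm_lock` and `model_caller` are hypothetical names, and the model shows only the control flow a caller sees, not the kernel's locking or preempt accounting.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace stand-ins for the kernel's include/linux/err.h helpers. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline bool IS_ERR(const void *ptr)
{
	return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
}

/* Constructed model of an ipc object; "deleted" plays !ipc_valid_object(). */
struct perm { bool deleted; int locked; };
struct shm  { struct perm shm_perm; };

/* fixed=false models the regression, fixed=true the one-line patch. */
static struct shm *model_shm_lock(struct shm *obj, bool fixed)
{
	struct perm *ipcp = &obj->shm_perm;

	ipcp->locked = 1;                 /* ipc_lock_object() */
	if (!ipcp->deleted)
		return obj;               /* valid object, returned locked */
	ipcp->locked = 0;                 /* ipc_unlock_object() */
	if (fixed)
		ipcp = ERR_PTR(-EIDRM);   /* the line the patch adds */
	return (void *)ipcp;              /* err: path */
}

/* Caller pattern from the thread: only IS_ERR() decides whether to go on. */
static int model_caller(struct shm *obj, bool fixed)
{
	struct shm *shp = model_shm_lock(obj, fixed);

	if (IS_ERR(shp))
		return (int)PTR_ERR(shp);
	/* Caller proceeds as if it held the lock: 0 if it does, 1 if not. */
	return shp->shm_perm.locked ? 0 : 1;
}

int main(void)
{
	struct shm live = { { false, 0 } }, gone = { { true, 0 } };
	printf("live=%d regression=%d patched=%d\n", model_caller(&live, true),
	       model_caller(&gone, false), model_caller(&gone, true));
	return 0;
}
```

In the regression case the removed object's address is not in the errno range, so `IS_ERR()` is false and the caller continues with an object it does not hold locked; with the added assignment the same caller sees `-EIDRM`.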