2022-05-18 14:39:08

by kernel test robot

Subject: [ucounts] ddc97dfbb3: BUG:KASAN:use-after-free_in_dec_ucount



Greetings,

FYI, we noticed the following commit (built with gcc-11):

commit: ddc97dfbb3f12c0a540104d41da1067ac9d38672 ("ucounts: Split rlimit and ucount values and max values")
https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git ucount-rlimits-cleanups-for-v5.19

in testcase: trinity
version: trinity-x86_64-3f8670b2-1_20220411
with the following parameters:

runtime: 300s

test-description: Trinity is a Linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):



If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <[email protected]>


[ 36.843393][ T24] BUG: KASAN: use-after-free in dec_ucount (arch/x86/include/asm/atomic64_64.h:22 include/linux/atomic/atomic-arch-fallback.h:2375 include/linux/atomic/atomic-long.h:515 include/linux/atomic/atomic-instrumented.h:1878 kernel/ucount.c:256)
[ 36.844198][ T24] Write of size 8 at addr ffff88816bfce640 by task kworker/u4:1/24
[ 36.845191][ T24]
[ 36.845449][ T24] CPU: 1 PID: 24 Comm: kworker/u4:1 Not tainted 5.18.0-rc1-00001-gddc97dfbb3f1 #1
[ 36.846620][ T24] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
[ 36.847917][ T24] Workqueue: netns cleanup_net
[ 36.848527][ T24] Call Trace:
[ 36.848948][ T24] <TASK>
[ 36.849331][ T24] ? dec_ucount (arch/x86/include/asm/atomic64_64.h:22 include/linux/atomic/atomic-arch-fallback.h:2375 include/linux/atomic/atomic-long.h:515 include/linux/atomic/atomic-instrumented.h:1878 kernel/ucount.c:256)
[ 36.849848][ T24] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
[ 36.850391][ T24] print_address_description+0x1f/0x200
[ 36.851198][ T24] ? dec_ucount (arch/x86/include/asm/atomic64_64.h:22 include/linux/atomic/atomic-arch-fallback.h:2375 include/linux/atomic/atomic-long.h:515 include/linux/atomic/atomic-instrumented.h:1878 kernel/ucount.c:256)
[ 36.851756][ T24] print_report.cold (mm/kasan/report.c:430)
[ 36.852418][ T24] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:202 include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:82 include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
[ 36.853104][ T24] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493)
[ 36.853660][ T24] ? dec_ucount (arch/x86/include/asm/atomic64_64.h:22 include/linux/atomic/atomic-arch-fallback.h:2375 include/linux/atomic/atomic-long.h:515 include/linux/atomic/atomic-instrumented.h:1878 kernel/ucount.c:256)
[ 36.854248][ T24] kasan_check_range (mm/kasan/generic.c:190)
[ 36.854859][ T24] dec_ucount (arch/x86/include/asm/atomic64_64.h:22 include/linux/atomic/atomic-arch-fallback.h:2375 include/linux/atomic/atomic-long.h:515 include/linux/atomic/atomic-instrumented.h:1878 kernel/ucount.c:256)
[ 36.855349][ T24] cleanup_net (net/core/net_namespace.c:612)
[ 36.855808][ T24] ? rtnl_valid_dump_net_req+0x580/0x580
[ 36.856609][ T24] process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:207 include/trace/events/workqueue.h:108 kernel/workqueue.c:2294)
[ 36.857219][ T24] worker_thread (include/linux/list.h:292 kernel/workqueue.c:2437)
[ 36.859714][ T24] ? process_one_work (kernel/workqueue.c:2379)
[ 36.860350][ T24] kthread (kernel/kthread.c:376)
[ 36.860849][ T24] ? kthread_complete_and_exit (kernel/kthread.c:331)
[ 36.861535][ T24] ret_from_fork (arch/x86/entry/entry_64.S:304)
[ 36.862113][ T24] </TASK>
[ 36.864730][ T24]
[ 36.867151][ T24] Allocated by task 715:
[ 36.869978][ T24] kasan_save_stack (mm/kasan/common.c:39)
[ 36.872939][ T24] __kasan_kmalloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:515 mm/kasan/common.c:524)
[ 36.875369][ T24] alloc_ucounts (kernel/ucount.c:176)
[ 36.877899][ T24] inc_ucount (kernel/ucount.c:234)
[ 36.880495][ T24] alloc_mnt_ns (fs/namespace.c:3390 fs/namespace.c:3422)
[ 36.883163][ T24] copy_mnt_ns (fs/namespace.c:3471)
[ 36.885812][ T24] create_new_namespaces (kernel/nsproxy.c:78)
[ 36.888580][ T24] unshare_nsproxy_namespaces (kernel/nsproxy.c:226 (discriminator 4))
[ 36.891337][ T24] ksys_unshare (kernel/fork.c:3132)
[ 36.893682][ T24] __ia32_sys_unshare (kernel/fork.c:3201)
[ 36.896155][ T24] do_int80_syscall_32 (arch/x86/entry/common.c:112 arch/x86/entry/common.c:132)
[ 36.899100][ T24] entry_INT80_compat (arch/x86/entry/entry_64_compat.S:419)
[ 36.901532][ T24]
[ 36.903311][ T24] Freed by task 746:
[ 36.905192][ T24] kasan_save_stack (mm/kasan/common.c:39)
[ 36.907098][ T24] kasan_set_track (mm/kasan/common.c:45)
[ 36.908924][ T24] kasan_set_free_info (mm/kasan/generic.c:372)
[ 36.910758][ T24] __kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328 mm/kasan/common.c:374)
[ 36.912918][ T24] kfree (mm/slub.c:1754 mm/slub.c:3510 mm/slub.c:4552)
[ 36.915052][ T24] put_ucounts (kernel/ucount.c:204)
[ 36.917096][ T24] put_cred_rcu (kernel/cred.c:125)
[ 36.919155][ T24] rcu_do_batch (arch/x86/include/asm/preempt.h:27 kernel/rcu/tree.c:2542)
[ 36.921116][ T24] rcu_core (kernel/rcu/tree.c:2788)
[ 36.923065][ T24] __do_softirq (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:207 include/trace/events/irq.h:142 kernel/softirq.c:559)
[ 36.925008][ T24]
[ 36.926517][ T24] The buggy address belongs to the object at ffff88816bfce600
[ 36.926517][ T24] which belongs to the cache kmalloc-192 of size 192
[ 36.930826][ T24] The buggy address is located 64 bytes inside of
[ 36.930826][ T24] 192-byte region [ffff88816bfce600, ffff88816bfce6c0)
[ 36.935420][ T24]
[ 36.937090][ T24] The buggy address belongs to the physical page:
[ 36.939221][ T24] page:0000000000dfd912 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x16bfce
[ 36.941604][ T24] flags: 0x17ffffc0000200(slab|node=0|zone=2|lastcpupid=0x1fffff)
[ 36.943685][ T24] raw: 0017ffffc0000200 ffffea0005aff680 dead000000000004 ffff888100041a00
[ 36.945718][ T24] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 36.947908][ T24] page dumped because: kasan: bad access detected
[ 36.949905][ T24] page_owner tracks the page as allocated
[ 36.951784][ T24] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 169, tgid 169 (udevadm), ts 20403518274, free_ts 0
[ 36.956103][ T24] get_page_from_freelist (mm/page_alloc.c:2452 mm/page_alloc.c:4182)
[ 36.958207][ T24] __alloc_pages (mm/page_alloc.c:5408)
[ 36.960331][ T24] allocate_slab (mm/slub.c:1799 mm/slub.c:1944)
[ 36.962405][ T24] ___slab_alloc (mm/slub.c:3005)
[ 36.964428][ T24] kmem_cache_alloc_trace (mm/slub.c:3092 mm/slub.c:3183 mm/slub.c:3225 mm/slub.c:3256)
[ 36.966569][ T24] kernfs_fop_open (include/linux/slab.h:581 include/linux/slab.h:714 fs/kernfs/file.c:623)
[ 36.968649][ T24] do_dentry_open (fs/open.c:825)
[ 36.970687][ T24] do_open (fs/namei.c:3477)
[ 36.972629][ T24] path_openat (fs/namei.c:3609)
[ 36.974515][ T24] do_filp_open (fs/namei.c:3636)
[ 36.976282][ T24] do_sys_openat2 (fs/open.c:1213)
[ 36.978071][ T24] __x64_sys_openat (fs/open.c:1240)
[ 36.979981][ T24] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
[ 36.981852][ T24] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:115)
[ 36.983829][ T24] page_owner free stack trace missing
[ 36.985592][ T24]
[ 36.987060][ T24] Memory state around the buggy address:
[ 36.988818][ T24] ffff88816bfce500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 36.990894][ T24] ffff88816bfce580: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 36.992890][ T24] >ffff88816bfce600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.994928][ T24] ^
[ 36.996702][ T24] ffff88816bfce680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 36.998765][ T24] ffff88816bfce700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.000806][ T24] ==================================================================
[ 37.003027][ T24] Disabling lock debugging due to kernel taint
[ 39.233643][ T270] LKP: stdout: 257: HOSTNAME vm-snb-90, MAC 52:54:00:12:34:56, kernel 5.18.0-rc1-00001-gddc97dfbb3f1 1
[ 39.233664][ T270]
[ 39.485271][ T270] install debs round one: dpkg -i --force-confdef --force-depends /opt/deb/gawk_1%3a4.2.1+dfsg-1_amd64.deb
[ 39.485681][ T270]
[ 39.498197][ T270] Selecting previously unselected package gawk.
[ 39.498216][ T270]
[ 39.508832][ T270] (Reading database ... 16553 files and directories currently installed.)
[ 39.508850][ T270]
[ 39.517994][ T270] Preparing to unpack .../gawk_1%3a4.2.1+dfsg-1_amd64.deb ...


To reproduce:

# build kernel
cd linux
cp config-5.18.0-rc1-00001-gddc97dfbb3f1 .config
make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
cd <mod-install-dir>
find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz


git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

# if you come across any failure that blocks the test,
# please remove ~/.lkp and /lkp dir to run from a clean state.



--
0-DAY CI Kernel Test Service
https://01.org/lkp



Attachments:
(No filename) (9.60 kB)
config-5.18.0-rc1-00001-gddc97dfbb3f1 (168.55 kB)
job-script (4.69 kB)
dmesg.xz (16.51 kB)