2022-08-07 06:43:35

by kernel test robot

Subject: [random] 99a314f603: kernel_BUG_at_mm/usercopy.c



Greeting,

FYI, we noticed the following commit (built with clang-16):

commit: 99a314f603c9cd173e6db2e3776eb76477283e1a ("random: batch getrandom() output per-task")
https://github.com/ammarfaizi2/linux-block crng/random/jd/getrandom-batch

in testcase: boot

on test machine: qemu-system-i386 -enable-kvm -cpu SandyBridge -smp 2 -m 4G

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):


+------------------------------------------+------------+------------+
|                                          | 9c8358be41 | 99a314f603 |
+------------------------------------------+------------+------------+
| boot_successes                           | 10         | 0          |
| boot_failures                            | 0          | 6          |
| kernel_BUG_at_mm/usercopy.c              | 0          | 6          |
| invalid_opcode:#[##]                     | 0          | 6          |
| EIP:usercopy_abort                       | 0          | 6          |
| Kernel_panic-not_syncing:Fatal_exception | 0          | 6          |
+------------------------------------------+------------+------------+


If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <[email protected]>


[ 50.563555][ T156] usercopy: Kernel memory exposure attempt detected from SLUB object 'task_struct' (offset 1436, size 4)!
[ 50.571899][ T37] rcu-scale: 0 writer-duration: 13 12292663
[ 50.595826][ T156] ------------[ cut here ]------------
[ 50.602886][ T37] rcu-scale: 0 writer-duration: 14 15706237
[ 50.604708][ T156] kernel BUG at mm/usercopy.c:101!
[ 50.606688][ T37] rcu-scale: 0 writer-duration: 15 116401087
[ 50.607952][ T156] invalid opcode: 0000 [#1] SMP
[ 50.609436][ T37] rcu-scale: 0 writer-duration: 16 119806774
[ 50.610519][ T156] CPU: 1 PID: 156 Comm: ubusd Tainted: G T 5.19.0-rc6-00375-g99a314f603c9 #3
[ 50.610529][ T156] EIP: usercopy_abort+0x6a/0x70
[ 50.610544][ T156] Code: 44 d0 b8 9e b8 08 42 bb 7a 88 05 42 0f 44 c3 ff 75 0c ff 75 08 50 52 51 57 56 ff 75 f0 68 59 b1 05 42 e8 b5 bd 8e 00 83 c4 24 <0f> 0b 90 90 90 90 55 89 e5 53 57 56 83 ec 0c 89 4d ec 3e 8d 74 26
[ 50.610549][ T156] EAX: 00000067 EBX: 4205887a ECX: ecb8f76b EDX: 4110fc3f
[ 50.610554][ T156] ESI: 420cd5fe EDI: 42003135 EBP: 44eb7e14 ESP: 44eb7e04
[ 50.610558][ T156] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00010202
[ 50.610564][ T156] CR0: 80050033 CR2: 37ef9844 CR3: 002371a0 CR4: 000006b0
[ 50.611858][ T37] rcu-scale: 0 writer-duration: 17 75994492
[ 50.613521][ T156] Call Trace:
[ 50.614518][ T37] rcu-scale: 0 writer-duration: 18 39719609
[ 50.617791][ T156] ? __check_heap_object+0x8e/0xd0
[ 50.619151][ T37] rcu-scale: 0 writer-duration: 19 24013177
[ 50.620149][ T156] ? __check_object_size+0x23e/0x360
[ 50.621640][ T37] rcu-scale: 0 writer-duration: 20 116012906
[ 50.622921][ T156] ? get_random_bytes_user+0x234/0x500
[ 50.622941][ T156] ? urandom_read_iter+0x11/0x90
[ 50.622947][ T156] ? new_sync_read+0xe5/0x140
[ 50.622960][ T156] ? vfs_read+0x12a/0x1c0
[ 50.624109][ T37] rcu-scale: 0 writer-duration: 21 19988271
[ 50.624742][ T156] ? ksys_read+0x66/0xd0
[ 50.625908][ T37] rcu-scale: 0 writer-duration: 22 15974944
[ 50.626912][ T156] ? do_int80_syscall_32+0xf/0x70
[ 50.626928][ T156] ? syscall_enter_from_user_mode+0x163/0x340
[ 50.626939][ T156] ? __ia32_sys_read+0x13/0x20
[ 50.626947][ T156] ? do_int80_syscall_32+0x4a/0x70
[ 50.626953][ T156] ? entry_INT80_32+0x108/0x108
[ 50.626969][ T156] Modules linked in:
[ 50.628191][ T37] rcu-scale: 0 writer-duration: 23 20001203
[ 50.629181][ T156]
[ 50.629269][ T156] ---[ end trace 0000000000000000 ]---
[ 50.630349][ T37] rcu-scale: 0 writer-duration: 24 16019833
[ 50.631417][ T156] EIP: usercopy_abort+0x6a/0x70
[ 50.632329][ T37] rcu-scale: 0 writer-duration: 25 15978147
[ 50.633237][ T156] Code: 44 d0 b8 9e b8 08 42 bb 7a 88 05 42 0f 44 c3 ff 75 0c ff 75 08 50 52 51 57 56 ff 75 f0 68 59 b1 05 42 e8 b5 bd 8e 00 83 c4 24 <0f> 0b 90 90 90 90 55 89 e5 53 57 56 83 ec 0c 89 4d ec 3e 8d 74 26
[ 50.634027][ T37] rcu-scale: 0 writer-duration: 26 16011746
[ 50.635232][ T156] EAX: 00000067 EBX: 4205887a ECX: ecb8f76b EDX: 4110fc3f
[ 50.636030][ T37] rcu-scale: 0 writer-duration: 27 15988856
[ 50.637108][ T156] ESI: 420cd5fe EDI: 42003135 EBP: 44eb7e14 ESP: 44eb7e04
[ 50.638101][ T37] rcu-scale: 0 writer-duration: 28 18472275
[ 50.639245][ T156] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00010202
[ 50.639252][ T156] CR0: 80050033 CR2: 37ef9844 CR3: 002371a0 CR4: 000006b0
[ 50.639264][ T156] Kernel panic - not syncing: Fatal exception
[ 50.640223][ T156] Kernel Offset: disabled



To reproduce:

# build kernel
cd linux
cp config-5.19.0-rc6-00375-g99a314f603c9 .config
make HOSTCC=clang-16 CC=clang-16 ARCH=i386 olddefconfig prepare modules_prepare bzImage modules
make HOSTCC=clang-16 CC=clang-16 ARCH=i386 INSTALL_MOD_PATH=<mod-install-dir> modules_install
cd <mod-install-dir>
find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz


git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

# if you come across any failure that blocks the test,
# please remove ~/.lkp and /lkp dir to run from a clean state.



--
0-DAY CI Kernel Test Service
https://01.org/lkp



Attachments:
config-5.19.0-rc6-00375-g99a314f603c9 (149.07 kB)
job-script (4.86 kB)
dmesg.xz (12.86 kB)