Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 13 Jan 2021 14:33:18 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Alexey Gladkov <gladkov.alexey@...il.com>
Cc: 0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
	lkp@...ts.01.org,
	Linux Containers <containers@...ts.linux-foundation.org>,
	Kernel Hardening <kernel-hardening@...ts.openwall.com>,
	Alexey Gladkov <legion@...nel.org>,
	"Eric W . Biederman" <ebiederm@...ssion.com>,
	Kees Cook <keescook@...omium.org>,
	Christian Brauner <christian@...uner.io>,
	Linus Torvalds <torvalds@...ux-foundation.org>
Subject: 59ebc79722: kernel_BUG_at_kernel/cred.c


Greeting,

FYI, we noticed the following commit (built with gcc-9):

commit: 59ebc797229e679f2c87fc13f6859ba7c0f2bdc3 ("[RFC PATCH v2 2/8] Add a reference to ucounts for each user")
url: https://github.com/0day-ci/linux/commits/Alexey-Gladkov/Count-rlimits-in-each-user-namespace/20210111-014938
base: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git 2ff90100ace886895e4fbb2850b8d5e49d931ed6

in testcase: trinity
version: trinity-i386
with following parameters:

	runtime: 300s

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):


+------------------------------------------+------------+------------+
|                                          | e58c759c87 | 59ebc79722 |
+------------------------------------------+------------+------------+
| boot_successes                           | 10         | 0          |
| boot_failures                            | 0          | 12         |
| kernel_BUG_at_kernel/cred.c              | 0          | 7          |
| invalid_opcode:#[##]                     | 0          | 7          |
| RIP:__put_cred                           | 0          | 7          |
| Kernel_panic-not_syncing:Fatal_exception | 0          | 7          |
| WARNING:at_kernel/ucount.c:#dec_ucount   | 0          | 5          |
| RIP:dec_ucount                           | 0          | 5          |
+------------------------------------------+------------+------------+


If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>


[   16.291000] kernel BUG at kernel/cred.c:148!
[   16.292585] invalid opcode: 0000 [#1] SMP PTI
[   16.295176] CPU: 0 PID: 581 Comm: trinity-c1 Not tainted 5.11.0-rc2-00426-g59ebc797229e #1
[   16.300880] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[   16.304261] RIP: 0010:__put_cred (kbuild/src/consumer/kernel/cred.c:148 (discriminator 1)) 
[ 16.308047] Code: 00 00 4c 8d 87 a0 00 00 00 85 c0 74 08 4c 89 c7 e9 1d ff ff ff 48 c7 c6 20 c3 28 a9 4c 89 c7 e9 ce 79 04 00 0f 0b 0f 0b 0f 0b <0f> 0b 0f 0b 0f 1f 40 00 e9 5b 6b 2f 00 66 66 2e 0f 1f 84 00 00 00
All code
========
   0:	00 00                	add    %al,(%rax)
   2:	4c 8d 87 a0 00 00 00 	lea    0xa0(%rdi),%r8
   9:	85 c0                	test   %eax,%eax
   b:	74 08                	je     0x15
   d:	4c 89 c7             	mov    %r8,%rdi
  10:	e9 1d ff ff ff       	jmpq   0xffffffffffffff32
  15:	48 c7 c6 20 c3 28 a9 	mov    $0xffffffffa928c320,%rsi
  1c:	4c 89 c7             	mov    %r8,%rdi
  1f:	e9 ce 79 04 00       	jmpq   0x479f2
  24:	0f 0b                	ud2    
  26:	0f 0b                	ud2    
  28:	0f 0b                	ud2    
  2a:*	0f 0b                	ud2    		<-- trapping instruction
  2c:	0f 0b                	ud2    
  2e:	0f 1f 40 00          	nopl   0x0(%rax)
  32:	e9 5b 6b 2f 00       	jmpq   0x2f6b92
  37:	66                   	data16
  38:	66                   	data16
  39:	2e                   	cs
  3a:	0f                   	.byte 0xf
  3b:	1f                   	(bad)  
  3c:	84 00                	test   %al,(%rax)
	...

Code starting with the faulting instruction
===========================================
   0:	0f 0b                	ud2    
   2:	0f 0b                	ud2    
   4:	0f 1f 40 00          	nopl   0x0(%rax)
   8:	e9 5b 6b 2f 00       	jmpq   0x2f6b68
   d:	66                   	data16
   e:	66                   	data16
   f:	2e                   	cs
  10:	0f                   	.byte 0xf
  11:	1f                   	(bad)  
  12:	84 00                	test   %al,(%rax)
	...
[   16.314607] RSP: 0018:ffffa9090080bee8 EFLAGS: 00010246
[   16.316319] RAX: 0000000000000000 RBX: ffff97ecc5ba8d80 RCX: 000000000000fffe
[   16.318408] RDX: ffff97ecc6316d80 RSI: 0000000000000000 RDI: ffff97ecc6316cc0
[   16.320545] RBP: ffff97ecc6316cc0 R08: 00000000000000c0 R09: ffff97ecc6316cc0
[   16.322689] R10: 0000000000000004 R11: 0000000000003433 R12: ffffffffffffffff
[   16.326628] R13: ffff97ecc6316d60 R14: 0000000000000000 R15: ffff97ecc5be4380
[   16.332744] FS:  0000000000000000(0000) GS:ffff97edf7c00000(0063) knlGS:000000000a305880
[   16.335685] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[   16.337531] CR2: 00000000f7971de0 CR3: 0000000105a34000 CR4: 00000000000006f0
[   16.339776] Call Trace:
[   16.343257] keyctl_session_to_parent (kbuild/src/consumer/security/keys/keyctl.c:1711) 
[   16.344926] __do_fast_syscall_32 (kbuild/src/consumer/arch/x86/entry/common.c:78 kbuild/src/consumer/arch/x86/entry/common.c:137) 
[   16.346403] do_fast_syscall_32 (kbuild/src/consumer/arch/x86/entry/common.c:160) 
[   16.347724] entry_SYSENTER_compat_after_hwframe (kbuild/src/consumer/arch/x86/entry/entry_64_compat.S:141) 
[   16.352881] RIP: 0023:0xf7f71549
[ 16.354461] Code: Unable to access opcode bytes at RIP 0xf7f7151f.

Code starting with the faulting instruction
===========================================
[   16.359740] RSP: 002b:00000000ffbc55dc EFLAGS: 00000206 ORIG_RAX: 0000000000000120
[   16.362299] RAX: ffffffffffffffda RBX: 0000000000000012 RCX: 000000007818a343
[   16.364587] RDX: 0000000002000000 RSI: 000000000000fffc RDI: 000000003e3e3e3e
[   16.366789] RBP: 00000000fffffffd R08: 0000000000000000 R09: 0000000000000000
[   16.369117] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   16.372090] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   16.377777] Modules linked in:
[   16.378939] ---[ end trace 6eb09af71dd8bf1b ]---
[   16.380446] RIP: 0010:__put_cred (kbuild/src/consumer/kernel/cred.c:148 (discriminator 1)) 
[ 16.381914] Code: 00 00 4c 8d 87 a0 00 00 00 85 c0 74 08 4c 89 c7 e9 1d ff ff ff 48 c7 c6 20 c3 28 a9 4c 89 c7 e9 ce 79 04 00 0f 0b 0f 0b 0f 0b <0f> 0b 0f 0b 0f 1f 40 00 e9 5b 6b 2f 00 66 66 2e 0f 1f 84 00 00 00
All code
========
   0:	00 00                	add    %al,(%rax)
   2:	4c 8d 87 a0 00 00 00 	lea    0xa0(%rdi),%r8
   9:	85 c0                	test   %eax,%eax
   b:	74 08                	je     0x15
   d:	4c 89 c7             	mov    %r8,%rdi
  10:	e9 1d ff ff ff       	jmpq   0xffffffffffffff32
  15:	48 c7 c6 20 c3 28 a9 	mov    $0xffffffffa928c320,%rsi
  1c:	4c 89 c7             	mov    %r8,%rdi
  1f:	e9 ce 79 04 00       	jmpq   0x479f2
  24:	0f 0b                	ud2    
  26:	0f 0b                	ud2    
  28:	0f 0b                	ud2    
  2a:*	0f 0b                	ud2    		<-- trapping instruction
  2c:	0f 0b                	ud2    
  2e:	0f 1f 40 00          	nopl   0x0(%rax)
  32:	e9 5b 6b 2f 00       	jmpq   0x2f6b92
  37:	66                   	data16
  38:	66                   	data16
  39:	2e                   	cs
  3a:	0f                   	.byte 0xf
  3b:	1f                   	(bad)  
  3c:	84 00                	test   %al,(%rax)
	...

Code starting with the faulting instruction
===========================================
   0:	0f 0b                	ud2    
   2:	0f 0b                	ud2    
   4:	0f 1f 40 00          	nopl   0x0(%rax)
   8:	e9 5b 6b 2f 00       	jmpq   0x2f6b68
   d:	66                   	data16
   e:	66                   	data16
   f:	2e                   	cs
  10:	0f                   	.byte 0xf
  11:	1f                   	(bad)  
  12:	84 00                	test   %al,(%rax)


To reproduce:

        # build kernel
	cd linux
	cp config-5.11.0-rc2-00426-g59ebc797229e .config
	make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email



Thanks,
Oliver Sang


View attachment "config-5.11.0-rc2-00426-g59ebc797229e" of type "text/plain" (126055 bytes)

View attachment "job-script" of type "text/plain" (4078 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (11976 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.