Re: [linux-next:master] [alloc_tag] 0f9b685626: BUG:KASAN:vmalloc-out-of-bounds_in_move_module

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Nov 13, 2024 at 1:34 PM Suren Baghdasaryan <surenb@xxxxxxxxxx> wrote:
>
> On Wed, Nov 13, 2024 at 2:07 PM kernel test robot <oliver.sang@xxxxxxxxx> wrote:
> >
> >
> >
> > Hello,
> >
> >
> > we reported
> > "[linux-next:master] [alloc_tag]  a9c60bb0d0: BUG:KASAN:vmalloc-out-of-bounds_in_load_module"
> > in
> > https://lore.kernel.org/all/202410281441.216670ac-lkp@xxxxxxxxx/
> >
> > we noticed it seems there is following patch.
> >
> > we made below report just FYI that the commit still cause similar issue on
> > linux-next/master and not fixed on tip of linux-next/master when this bisect
> > is done.
> >
> >
> > kernel test robot noticed "BUG:KASAN:vmalloc-out-of-bounds_in_move_module" on:
> >
> > commit: 0f9b685626daa2f8e19a9788625c9b624c223e45 ("alloc_tag: populate memory for module tags as needed")
> > https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
> >
> > [test failed on linux-next/master 929beafbe7acce3267c06115e13e03ff6e50548a]
> >
> > in testcase: rcuscale
> > version:
> > with following parameters:
> >
> >         runtime: 300s
> >         scale_type: srcu
> >
> >
> >
> > config: x86_64-randconfig-014-20241107
> > compiler: gcc-12
> > test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
> >
> > (please refer to attached dmesg/kmsg for entire log/backtrace)
> >
> >
> > +------------------------------------------------+------------+------------+
> > |                                                | 0db6f8d782 | 0f9b685626 |
> > +------------------------------------------------+------------+------------+
> > | boot_successes                                 | 18         | 0          |
> > | boot_failures                                  | 0          | 18         |
> > | BUG:KASAN:vmalloc-out-of-bounds_in_move_module | 0          | 18         |
> > | BUG:unable_to_handle_page_fault_for_address    | 0          | 18         |
> > | Oops                                           | 0          | 18         |
> > | RIP:kasan_metadata_fetch_row                   | 0          | 18         |
> > | Kernel_panic-not_syncing:Fatal_exception       | 0          | 18         |
> > +------------------------------------------------+------------+------------+
> >
> >
> > If you fix the issue in a separate patch/commit (i.e. not just a new version of
> > the same patch/commit), kindly add following tags
> > | Reported-by: kernel test robot <oliver.sang@xxxxxxxxx>
> > | Closes: https://lore.kernel.org/oe-lkp/202411132111.6a221562-lkp@xxxxxxxxx
>
>
> Thanks for the report! I'm looking into this but so far could not find
> an obvious issue. Will try to reproduce.

For some reason I'm getting this panic when trying to follow the repro steps:

# bin/lkp qemu -k /home/suren/linux-next/arch/x86_64/boot/bzImage -m
/home/suren/linux-next/out/modules.cgz job-script
...
[   22.813623][    T1] Kernel panic - not syncing: VFS: Unable to
mount root fs on unknown-block(0,0)
[   22.815461][    T1] CPU: 0 UID: 0 PID: 1 Comm: swapper Not tainted
6.12.0-rc7-next-20241113 #1 060e60d2378c08a3d0121faf43856b671a45697c
[   22.817822][    T1] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS 1.15.0-1 04/01/2014
[   22.819655][    T1] Call Trace:
[   22.820399][    T1]  <TASK>
[   22.821077][    T1]  panic+0x243/0x486
[   22.821965][    T1]  ? crash_smp_send_stop+0x1c/0x1c
[   22.823019][    T1]  ? lock_release+0x17c/0x1b1
[   22.824006][    T1]  mount_root_generic+0x31d/0x3d0
[   22.825064][    T1]  ? init_rootfs+0x4c/0x4c
[   22.826011][    T1]  ? init_stat+0xd8/0xd8
[   22.826920][    T1]  ? __asan_memcpy+0x3c/0x65
[   22.827880][    T1]  ? getname_kernel+0x3dc/0x41e
[   22.828887][    T1]  prepare_namespace+0x21e/0x289
[   22.829895][    T1]  ? mount_root+0xc6/0xc6
[   22.830819][    T1]  ? fput+0x1b/0x194
[   22.831682][    T1]  ? rest_init+0x183/0x183
[   22.832624][    T1]  kernel_init+0x17/0x138
[   22.833535][    T1]  ? rest_init+0x183/0x183
[   22.834490][    T1]  ret_from_fork+0x20/0x54
[   22.835419][    T1]  ? rest_init+0x183/0x183
[   22.836343][    T1]  ret_from_fork_asm+0x11/0x20
[   22.837335][    T1]  </TASK>
[   22.838082][    T1] Kernel Offset: disabled

I see that PeterZ had the same issue back in September:
https://lore.kernel.org/lkml/20240909091531.GA4723@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/
, so might this be a known issue? If anyone has an idea what I'm doing
wrong I would appreciate your help.
Thanks,
Suren.


>
> >
> >
> > [ 153.897376][ T402] BUG: KASAN: vmalloc-out-of-bounds in move_module (kernel/module/main.c:2357)
> > [  153.899141][  T402] Write of size 40 at addr ffffffffa0000000 by task modprobe/402
> > [  153.900837][  T402]
> > [  153.901496][  T402] CPU: 0 UID: 0 PID: 402 Comm: modprobe Tainted: G                T  6.12.0-rc6-00146-g0f9b685626da #1 87c8486a909ba2f90eff061a4c9c1fa5c9cd90ea
> > [  153.904537][  T402] Tainted: [T]=RANDSTRUCT
> > [  153.905500][  T402] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> > [  153.907702][  T402] Call Trace:
> > [  153.908510][  T402]  <TASK>
> > [ 153.909241][ T402] print_address_description+0x65/0x2fa
> > [ 153.910663][ T402] print_report (mm/kasan/report.c:489)
> > [ 153.911771][ T402] ? move_module (kernel/module/main.c:2357)
> > [ 153.912825][ T402] kasan_report (mm/kasan/report.c:603)
> > [ 153.913821][ T402] ? move_module (kernel/module/main.c:2357)
> > [ 153.914904][ T402] kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189)
> > [ 153.916029][ T402] __asan_memcpy (mm/kasan/shadow.c:105 (discriminator 1))
> > [ 153.917057][ T402] move_module (kernel/module/main.c:2357)
> > [ 153.918071][ T402] layout_and_allocate+0x446/0x523
> > [ 153.919459][ T402] load_module (kernel/module/main.c:2985)
> > [ 153.920457][ T402] ? mode_strip_umask (fs/namei.c:3248)
> > [ 153.921557][ T402] init_module_from_file (kernel/module/main.c:3266)
> > [ 153.922825][ T402] ? __ia32_sys_init_module (kernel/module/main.c:3266)
> > [ 153.923992][ T402] ? __lock_release+0x106/0x38c
> > [ 153.925173][ T402] ? idempotent_init_module (kernel/module/main.c:3301)
> > [ 153.926364][ T402] ? lock_release (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5848)
> > [ 153.944053][ T402] idempotent_init_module (kernel/module/main.c:3302)
> > [ 153.945164][ T402] ? init_module_from_file (kernel/module/main.c:3294)
> > [ 153.946268][ T402] ? security_capable (security/security.c:1143)
> > [ 153.947421][ T402] __do_sys_finit_module (include/linux/file.h:68 kernel/module/main.c:3330)
> > [ 153.948495][ T402] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
> > [ 153.949540][ T402] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
> > [  153.950855][  T402] RIP: 0033:0x7f0f37df7719
> > [ 153.951869][ T402] Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b7 06 0d 00 f7 d8 64 89 01 48
> > All code
> > ========
> >    0:   08 89 e8 5b 5d c3       or     %cl,-0x3ca2a418(%rcx)
> >    6:   66 2e 0f 1f 84 00 00    cs nopw 0x0(%rax,%rax,1)
> >    d:   00 00 00
> >   10:   90                      nop
> >   11:   48 89 f8                mov    %rdi,%rax
> >   14:   48 89 f7                mov    %rsi,%rdi
> >   17:   48 89 d6                mov    %rdx,%rsi
> >   1a:   48 89 ca                mov    %rcx,%rdx
> >   1d:   4d 89 c2                mov    %r8,%r10
> >   20:   4d 89 c8                mov    %r9,%r8
> >   23:   4c 8b 4c 24 08          mov    0x8(%rsp),%r9
> >   28:   0f 05                   syscall
> >   2a:*  48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax         <-- trapping instruction
> >   30:   73 01                   jae    0x33
> >   32:   c3                      ret
> >   33:   48 8b 0d b7 06 0d 00    mov    0xd06b7(%rip),%rcx        # 0xd06f1
> >   3a:   f7 d8                   neg    %eax
> >   3c:   64 89 01                mov    %eax,%fs:(%rcx)
> >   3f:   48                      rex.W
> >
> > Code starting with the faulting instruction
> > ===========================================
> >    0:   48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax
> >    6:   73 01                   jae    0x9
> >    8:   c3                      ret
> >    9:   48 8b 0d b7 06 0d 00    mov    0xd06b7(%rip),%rcx        # 0xd06c7
> >   10:   f7 d8                   neg    %eax
> >   12:   64 89 01                mov    %eax,%fs:(%rcx)
> >   15:   48                      rex.W
> > [  153.955810][  T402] RSP: 002b:00007ffccd7f7198 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
> > [  153.957666][  T402] RAX: ffffffffffffffda RBX: 000055cc9f9fddd0 RCX: 00007f0f37df7719
> > [  153.959411][  T402] RDX: 0000000000000000 RSI: 000055cc9f9f24a0 RDI: 0000000000000004
> > [  153.961142][  T402] RBP: 000055cc9f9f24a0 R08: 0000000000000000 R09: 000055cc9f9ff250
> > [  153.962910][  T402] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000040000
> > [  153.964665][  T402] R13: 0000000000000000 R14: 000055cc9f9fdd80 R15: 0000000000000000
> > [  153.966393][  T402]  </TASK>
> > [  153.967209][  T402]
> > [  153.967856][  T402] Memory state around the buggy address:
> > [  153.969123][  T402] BUG: unable to handle page fault for address: fffffbfff3ffffe0
> > [  153.970807][  T402] #PF: supervisor read access in kernel mode
> > [  153.972036][  T402] #PF: error_code(0x0000) - not-present page
> > [  153.973220][  T402] PGD 417fdb067 P4D 417fdb067 PUD 417fd7067 PMD 0
> > [  153.974560][  T402] Oops: Oops: 0000 [#1] PREEMPT KASAN
> > [  153.975758][  T402] CPU: 0 UID: 0 PID: 402 Comm: modprobe Tainted: G                T  6.12.0-rc6-00146-g0f9b685626da #1 87c8486a909ba2f90eff061a4c9c1fa5c9cd90ea
> > [  153.978853][  T402] Tainted: [T]=RANDSTRUCT
> > [  153.979851][  T402] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> > [ 153.982008][ T402] RIP: 0010:kasan_metadata_fetch_row (mm/kasan/report_generic.c:186)
> > [ 153.983368][ T402] Code: 40 08 48 89 43 58 5b 31 c0 31 d2 31 c9 31 f6 31 ff c3 cc cc cc cc 66 0f 1f 00 b8 ff ff 37 00 48 c1 ee 03 48 c1 e0 2a 48 01 c6 <48> 8b 06 48 89 07 48 8b 46 08 48 89 47 08 31 c0 31 f6 31 ff c3 cc
> > All code
> > ========
> >    0:   40 08 48 89             rex or %cl,-0x77(%rax)
> >    4:   43 58                   rex.XB pop %r8
> >    6:   5b                      pop    %rbx
> >    7:   31 c0                   xor    %eax,%eax
> >    9:   31 d2                   xor    %edx,%edx
> >    b:   31 c9                   xor    %ecx,%ecx
> >    d:   31 f6                   xor    %esi,%esi
> >    f:   31 ff                   xor    %edi,%edi
> >   11:   c3                      ret
> >   12:   cc                      int3
> >   13:   cc                      int3
> >   14:   cc                      int3
> >   15:   cc                      int3
> >   16:   66 0f 1f 00             nopw   (%rax)
> >   1a:   b8 ff ff 37 00          mov    $0x37ffff,%eax
> >   1f:   48 c1 ee 03             shr    $0x3,%rsi
> >   23:   48 c1 e0 2a             shl    $0x2a,%rax
> >   27:   48 01 c6                add    %rax,%rsi
> >   2a:*  48 8b 06                mov    (%rsi),%rax              <-- trapping instruction
> >   2d:   48 89 07                mov    %rax,(%rdi)
> >   30:   48 8b 46 08             mov    0x8(%rsi),%rax
> >   34:   48 89 47 08             mov    %rax,0x8(%rdi)
> >   38:   31 c0                   xor    %eax,%eax
> >   3a:   31 f6                   xor    %esi,%esi
> >   3c:   31 ff                   xor    %edi,%edi
> >   3e:   c3                      ret
> >   3f:   cc                      int3
> >
> > Code starting with the faulting instruction
> > ===========================================
> >    0:   48 8b 06                mov    (%rsi),%rax
> >    3:   48 89 07                mov    %rax,(%rdi)
> >    6:   48 8b 46 08             mov    0x8(%rsi),%rax
> >    a:   48 89 47 08             mov    %rax,0x8(%rdi)
> >    e:   31 c0                   xor    %eax,%eax
> >   10:   31 f6                   xor    %esi,%esi
> >   12:   31 ff                   xor    %edi,%edi
> >   14:   c3                      ret
> >   15:   cc                      int3
> > [  153.987254][  T402] RSP: 0018:ffffc9000218f9f8 EFLAGS: 00010082
> > [  153.988595][  T402] RAX: dffffc0000000000 RBX: ffffffff9fffff00 RCX: 0000000000000000
> > [  153.990325][  T402] RDX: 0000000000000000 RSI: fffffbfff3ffffe0 RDI: ffffc9000218fa04
> > [  153.992086][  T402] RBP: 00000000fffffffe R08: 0000000000000000 R09: 0000000000000000
> > [  153.993786][  T402] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffa0000000
> > [  153.995554][  T402] R13: ffffffff864b4994 R14: ffffffff9fffff80 R15: 0000000000000028
> > [  153.997305][  T402] FS:  00007f0f37cf5040(0000) GS:ffffffff86989000(0000) knlGS:0000000000000000
> > [  153.999133][  T402] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [  154.000578][  T402] CR2: fffffbfff3ffffe0 CR3: 0000000128853000 CR4: 00000000000006b0
> > [  154.002367][  T402] Call Trace:
> > [  154.003318][  T402]  <TASK>
> > [ 154.004087][ T402] ? __die_body (arch/x86/kernel/dumpstack.c:421)
> > [ 154.005074][ T402] ? page_fault_oops (arch/x86/mm/fault.c:710)
> > [ 154.006242][ T402] ? show_fault_oops (arch/x86/mm/fault.c:643)
> > [ 154.007368][ T402] ? search_module_extables (kernel/module/main.c:3369)
> > [ 154.008525][ T402] ? fixup_exception (arch/x86/mm/extable.c:321)
> > [ 154.009629][ T402] ? exc_page_fault (arch/x86/mm/fault.c:1479 arch/x86/mm/fault.c:1539)
> > [ 154.010771][ T402] ? asm_exc_page_fault (arch/x86/include/asm/idtentry.h:623)
> > [ 154.011853][ T402] ? kasan_metadata_fetch_row (mm/kasan/report_generic.c:186)
> > [ 154.013072][ T402] print_report (mm/kasan/report.c:466 mm/kasan/report.c:489)
> > [ 154.014122][ T402] ? move_module (kernel/module/main.c:2357)
> > [ 154.015238][ T402] kasan_report (mm/kasan/report.c:603)
> > [ 154.016231][ T402] ? move_module (kernel/module/main.c:2357)
> > [ 154.017255][ T402] kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189)
> > [ 154.018379][ T402] __asan_memcpy (mm/kasan/shadow.c:105 (discriminator 1))
> > [ 154.019400][ T402] move_module (kernel/module/main.c:2357)
> > [ 154.020435][ T402] layout_and_allocate+0x446/0x523
> > [ 154.021792][ T402] load_module (kernel/module/main.c:2985)
> > [ 154.022822][ T402] ? mode_strip_umask (fs/namei.c:3248)
> > [ 154.023928][ T402] init_module_from_file (kernel/module/main.c:3266)
> > [ 154.025069][ T402] ? __ia32_sys_init_module (kernel/module/main.c:3266)
> > [ 154.026265][ T402] ? __lock_release+0x106/0x38c
> > [ 154.027496][ T402] ? idempotent_init_module (kernel/module/main.c:3301)
> > [ 154.028688][ T402] ? lock_release (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5848)
> > [ 154.029766][ T402] idempotent_init_module (kernel/module/main.c:3302)
> > [ 154.030985][ T402] ? init_module_from_file (kernel/module/main.c:3294)
> > [ 154.032192][ T402] ? security_capable (security/security.c:1143)
> > [ 154.033310][ T402] __do_sys_finit_module (include/linux/file.h:68 kernel/module/main.c:3330)
> > [ 154.034478][ T402] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
> > [ 154.035532][ T402] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
> > [  154.036819][  T402] RIP: 0033:0x7f0f37df7719
> > [ 154.037865][ T402] Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b7 06 0d 00 f7 d8 64 89 01 48
> > All code
> > ========
> >    0:   08 89 e8 5b 5d c3       or     %cl,-0x3ca2a418(%rcx)
> >    6:   66 2e 0f 1f 84 00 00    cs nopw 0x0(%rax,%rax,1)
> >    d:   00 00 00
> >   10:   90                      nop
> >   11:   48 89 f8                mov    %rdi,%rax
> >   14:   48 89 f7                mov    %rsi,%rdi
> >   17:   48 89 d6                mov    %rdx,%rsi
> >   1a:   48 89 ca                mov    %rcx,%rdx
> >   1d:   4d 89 c2                mov    %r8,%r10
> >   20:   4d 89 c8                mov    %r9,%r8
> >   23:   4c 8b 4c 24 08          mov    0x8(%rsp),%r9
> >   28:   0f 05                   syscall
> >   2a:*  48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax         <-- trapping instruction
> >   30:   73 01                   jae    0x33
> >   32:   c3                      ret
> >   33:   48 8b 0d b7 06 0d 00    mov    0xd06b7(%rip),%rcx        # 0xd06f1
> >   3a:   f7 d8                   neg    %eax
> >   3c:   64 89 01                mov    %eax,%fs:(%rcx)
> >   3f:   48                      rex.W
> >
> > Code starting with the faulting instruction
> > ===========================================
> >    0:   48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax
> >    6:   73 01                   jae    0x9
> >    8:   c3                      ret
> >    9:   48 8b 0d b7 06 0d 00    mov    0xd06b7(%rip),%rcx        # 0xd06c7
> >   10:   f7 d8                   neg    %eax
> >   12:   64 89 01                mov    %eax,%fs:(%rcx)
> >   15:   48                      rex.W
> >
> >
> > The kernel config and materials to reproduce are available at:
> > https://download.01.org/0day-ci/archive/20241113/202411132111.6a221562-lkp@xxxxxxxxx
> >
> >
> >
> > --
> > 0-DAY CI Kernel Test Service
> > https://github.com/intel/lkp-tests/wiki
> >





[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux