4:33 a.m.
Greeting,
FYI, we noticed the following commit (built with gcc-11):
commit: 0d4df6ae86e123057cb18eeb5ba1b1eff2641fe4 ("[PATCH v34 11/29] LSM: Use lsmblob
in security_current_getsecid")
url:
https://github.com/intel-lab-lkp/linux/commits/Casey-Schaufler/integrity-...
base: https://git.kernel.org/cgit/linux/kernel/git/pcmoore/selinux.git next
patch link:
https://lore.kernel.org/linux-security-module/20220407212230.12893-12-cas...
in testcase: boot
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang(a)intel.com>
[ 2.199476][ T1] BUG: KASAN: stack-out-of-bounds in netlbl_unlabel_defconf
(net/netlabel/netlabel_unlabeled.c:1572)
[ 2.199476][ T1] Read of size 4 at addr ffffc9000001fca0 by task swapper/0/1
[ 2.199476][ T1]
[ 2.199476][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted
5.18.0-rc1-00014-g0d4df6ae86e1 #1
[ 2.199476][ T1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.12.0-1 04/01/2014
[ 2.199476][ T1] Call Trace:
[ 2.199476][ T1] <TASK>
[ 2.199476][ T1] ? netlbl_unlabel_defconf (net/netlabel/netlabel_unlabeled.c:1572)
[ 2.199476][ T1] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
[ 2.199476][ T1] print_address_description+0x1f/0x200
[ 2.199476][ T1] ? netlbl_unlabel_defconf (net/netlabel/netlabel_unlabeled.c:1572)
[ 2.199476][ T1] print_report.cold (mm/kasan/report.c:430)
[ 2.199476][ T1] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:202
include/linux/atomic/atomic-instrumented.h:543 include/asm-generic/qspinlock.h:82
include/linux/spinlock.h:185 include/linux/spinlock_api_smp.h:111
kernel/locking/spinlock.c:162)
[ 2.199476][ T1] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493)
[ 2.199476][ T1] ? netlbl_unlabel_defconf (net/netlabel/netlabel_unlabeled.c:1572)
[ 2.199476][ T1] netlbl_unlabel_defconf (net/netlabel/netlabel_unlabeled.c:1572)
[ 2.199476][ T1] ? netlbl_unlabel_init (net/netlabel/netlabel_unlabeled.c:1561)
[ 2.199476][ T1] ? register_netdevice_notifier (net/core/dev.c:1743)
[ 2.199476][ T1] ? netlbl_netlink_init (net/netlabel/netlabel_kapi.c:1494)
[ 2.199476][ T1] netlbl_init (net/netlabel/netlabel_kapi.c:1514)
[ 2.199476][ T1] do_one_initcall (init/main.c:1298)
[ 2.199476][ T1] ? trace_event_raw_event_initcall_level (init/main.c:1289)
[ 2.199476][ T1] ? parse_one (kernel/params.c:170)
[ 2.199476][ T1] ? sysvec_call_function_single (arch/x86/kernel/smp.c:243 (discriminator
14))
[ 2.199476][ T1] ? kasan_unpoison (mm/kasan/shadow.c:108 mm/kasan/shadow.c:142)
[ 2.199476][ T1] do_initcalls (init/main.c:1370 init/main.c:1387)
[ 2.199476][ T1] kernel_init_freeable (init/main.c:1617)
[ 2.199476][ T1] ? console_on_rootfs (init/main.c:1584)
[ 2.199476][ T1] ? usleep_range_state (kernel/time/timer.c:1843)
[ 2.199476][ T1] ? _raw_spin_lock_bh (kernel/locking/spinlock.c:169)
[ 2.199476][ T1] ? rest_init (init/main.c:1494)
[ 2.199476][ T1] kernel_init (init/main.c:1504)
[ 2.199476][ T1] ret_from_fork (arch/x86/entry/entry_64.S:304)
[ 2.199476][ T1] </TASK>
[ 2.199476][ T1]
[ 2.199476][ T1] The buggy address belongs to stack of task swapper/0/1
[ 2.199476][ T1] and is located at offset 64 in frame:
[ 2.199476][ T1] netlbl_unlabel_defconf (net/netlabel/netlabel_unlabeled.c:1561)
[ 2.199476][ T1]
[ 2.199476][ T1] This frame has 2 objects:
[ 2.199476][ T1] [32, 44) 'audit_info'
[ 2.199476][ T1] [64, 65) 'blob'
[ 2.199476][ T1]
[ 2.199476][ T1] The buggy address belongs to the virtual mapping at
[ 2.199476][ T1] [ffffc90000018000, ffffc90000021000) created by:
[ 2.199476][ T1] dup_task_struct (kernel/fork.c:979)
[ 2.199476][ T1]
[ 2.199476][ T1] Memory state around the buggy address:
[ 2.199476][ T1] ffffc9000001fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 2.199476][ T1] ffffc9000001fc00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
[ 2.199476][ T1] >ffffc9000001fc80: 00 04 f2 f2 01 f3 f3 f3 00 00 00 00 00 00 00
00
[ 2.199476][ T1] ^
[ 2.199476][ T1] ffffc9000001fd00: 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 f3
[ 2.199476][ T1] ffffc9000001fd80: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 2.199476][ T1] ==================================================================
[ 2.199494][ T1] Disabling lock debugging due to kernel taint
[ 2.200283][ T1] NetLabel: unlabeled traffic allowed by default
[ 2.200485][ T1] PCI: Using ACPI for IRQ routing
[ 2.201121][ T1] PCI: pci_cache_line_size set to 64 bytes
[ 2.201558][ T1] e820: reserve RAM buffer [mem 0x0009fc00-0x0009ffff]
[ 2.202409][ T1] e820: reserve RAM buffer [mem 0xbffe0000-0xbfffffff]
[ 2.202667][ T1] pci 0000:00:02.0: vgaarb: setting as boot VGA device
[ 2.203405][ T1] pci 0000:00:02.0: vgaarb: bridge control possible
[ 2.203476][ T1] pci 0000:00:02.0: vgaarb: VGA device added:
decodes=io+mem,owns=io+mem,locks=none
[ 2.203493][ T1] vgaarb: loaded
[ 2.204802][ T1] hpet0: at MMIO 0xfed00000, IRQs 2, 8, 0
[ 2.205484][ T1] hpet0: 3 comparators, 64-bit 100.000000 MHz counter
[ 2.209625][ T1] clocksource: Switched to clocksource kvm-clock
[ 2.434510][ T1] VFS: Disk quotas dquot_6.6.0
[ 2.435843][ T1] VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
[ 2.438323][ T1] pnp: PnP ACPI init
[ 2.440593][ T1] pnp 00:03: [dma 2]
[ 2.446897][ T1] pnp: PnP ACPI: found 7 devices
[ 2.470334][ T1] clocksource: acpi_pm: mask: 0xffffff max_cycles: 0xffffff,
max_idle_ns: 2085701024 ns
[ 2.471970][ T1] NET: Registered PF_INET protocol family
[ 2.473702][ T1] IP idents hash table entries: 262144 (order: 9, 2097152 bytes,
linear)
[ 2.479786][ T1] tcp_listen_portaddr_hash hash table entries: 8192 (order: 5, 131072
bytes, linear)
[ 2.481650][ T1] TCP established hash table entries: 131072 (order: 8, 1048576
bytes, linear)
[ 2.483134][ T1] TCP bind hash table entries: 65536 (order: 8, 1048576 bytes,
linear)
[ 2.484812][ T1] TCP: Hash tables configured (established 131072 bind 65536)
[ 2.485964][ T1] UDP hash table entries: 8192 (order: 6, 262144 bytes, linear)
[ 2.487066][ T1] UDP-Lite hash table entries: 8192 (order: 6, 262144 bytes, linear)
[ 2.488433][ T1] NET: Registered PF_UNIX/PF_LOCAL protocol family
[ 2.490263][ T1] RPC: Registered named UNIX socket transport module.
[ 2.491166][ T1] RPC: Registered udp transport module.
[ 2.492286][ T1] RPC: Registered tcp transport module.
[ 2.493335][ T1] RPC: Registered tcp NFSv4.1 backchannel transport module.
[ 2.494370][ T1] NET: Registered PF_XDP protocol family
[ 2.495404][ T1] pci_bus 0000:00: resource 4 [io 0x0000-0x0cf7 window]
[ 2.496291][ T1] pci_bus 0000:00: resource 5 [io 0x0d00-0xffff window]
[ 2.497200][ T1] pci_bus 0000:00: resource 6 [mem 0x000a0000-0x000bffff window]
[ 2.498213][ T1] pci_bus 0000:00: resource 7 [mem 0xc0000000-0xfebfffff window]
[ 2.499296][ T1] pci_bus 0000:00: resource 8 [mem 0x440000000-0x4bfffffff window]
[ 2.500830][ T1] pci 0000:00:01.0: PIIX3: Enabling Passive Release
[ 2.501688][ T1] pci 0000:00:00.0: Limiting direct PCI/PCI transfers
[ 2.502577][ T1] pci 0000:00:01.0: Activating ISA DMA hang workarounds
[ 2.503535][ T1] PCI: CLS 0 bytes, default 64
[ 2.504618][ T8] Trying to unpack rootfs image as initramfs...
[ 10.282566][ T8] Freeing initrd memory: 122800K
[ 10.283858][ T1] PCI-DMA: Using software bounce buffering for IO (SWIOTLB)
[ 10.285337][ T1] software IO TLB: mapped [mem 0x00000000bbfe0000-0x00000000bffe0000]
(64MB)
To reproduce:
# build kernel
cd linux
cp config-5.18.0-rc1-00014-g0d4df6ae86e1 .config
make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage
modules
make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir>
modules_install
cd <mod-install-dir>
find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached
in this email
# if come across any failure that blocks the test,
# please remove ~/.lkp and /lkp dir to run from a clean state.
--
0-DAY CI Kernel Test Service
https://01.org/lkp