Re: [PATCH 2/2] openat2: add OA2_INHERIT_CRED flag
From: kernel test robot
Date: Thu Apr 25 2024 - 09:50:45 EST
Hello,
kernel test robot noticed "BUG:KASAN:wild-memory-access_in_terminate_walk" on:
commit: 97bb54b42b1d6150e9ae11a7bf7833ed9f8c471d ("[PATCH 2/2] openat2: add OA2_INHERIT_CRED flag")
url: https://github.com/intel-lab-lkp/linux/commits/Stas-Sergeev/fs-reorganize-path_openat/20240424-185527
base: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git 9d1ddab261f3e2af7c384dc02238784ce0cf9f98
patch link: https://lore.kernel.org/all/20240424105248.189032-3-stsp2@xxxxxxxxx/
patch subject: [PATCH 2/2] openat2: add OA2_INHERIT_CRED flag
in testcase: boot
compiler: clang-17
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
(please refer to attached dmesg/kmsg for entire log/backtrace)
+---------------------------------------------------------------------------------------+------------+------------+
| | 831d3c6cc6 | 97bb54b42b |
+---------------------------------------------------------------------------------------+------------+------------+
| BUG:KASAN:wild-memory-access_in_terminate_walk | 0 | 12 |
| canonical_address#:#[##] | 0 | 12 |
| RIP:terminate_walk | 0 | 12 |
| Kernel_panic-not_syncing:Fatal_exception | 0 | 12 |
+---------------------------------------------------------------------------------------+------------+------------+
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@xxxxxxxxx>
| Closes: https://lore.kernel.org/oe-lkp/202404252107.3c18eed2-lkp@xxxxxxxxx
[ 2.555857][ T16] BUG: KASAN: wild-memory-access in terminate_walk (include/linux/instrumented.h:? include/linux/atomic/atomic-instrumented.h:400 include/linux/refcount.h:264 include/linux/refcount.h:307 include/linux/refcount.h:325 fs/namei.c:702)
[ 2.556181][ T16] Write of size 4 at addr aaaaaaaaaaaaaaaa by task kdevtmpfs/16
[ 2.556181][ T16]
[ 2.556181][ T16] CPU: 0 PID: 16 Comm: kdevtmpfs Tainted: G T 6.9.0-rc5-00038-g97bb54b42b1d #1 c90cc2d91176f38ca16e85ead0a72934082854cd
[ 2.556181][ T16] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 2.556181][ T16] Call Trace:
[ 2.556181][ T16] <TASK>
[ 2.556181][ T16] dump_stack_lvl (lib/dump_stack.c:116)
[ 2.556181][ T16] print_report (mm/kasan/report.c:?)
[ 2.556181][ T16] ? kasan_report (mm/kasan/report.c:214 mm/kasan/report.c:590)
[ 2.556181][ T16] ? terminate_walk (include/linux/instrumented.h:? include/linux/atomic/atomic-instrumented.h:400 include/linux/refcount.h:264 include/linux/refcount.h:307 include/linux/refcount.h:325 fs/namei.c:702)
[ 2.556181][ T16] kasan_report (mm/kasan/report.c:603)
[ 2.556181][ T16] ? terminate_walk (include/linux/instrumented.h:? include/linux/atomic/atomic-instrumented.h:400 include/linux/refcount.h:264 include/linux/refcount.h:307 include/linux/refcount.h:325 fs/namei.c:702)
[ 2.556181][ T16] kasan_check_range (mm/kasan/generic.c:?)
[ 2.556181][ T16] terminate_walk (include/linux/instrumented.h:? include/linux/atomic/atomic-instrumented.h:400 include/linux/refcount.h:264 include/linux/refcount.h:307 include/linux/refcount.h:325 fs/namei.c:702)
[ 2.556181][ T16] path_lookupat (fs/namei.c:2515)
[ 2.556181][ T16] filename_lookup (fs/namei.c:2526)
[ 2.556181][ T16] kern_path (fs/namei.c:2634)
[ 2.556181][ T16] init_mount (fs/init.c:22)
[ 2.556181][ T16] devtmpfs_setup (drivers/base/devtmpfs.c:419)
[ 2.556181][ T16] devtmpfsd (drivers/base/devtmpfs.c:436)
[ 2.556181][ T16] kthread (kernel/kthread.c:390)
[ 2.556181][ T16] ? vclkdev_alloc (drivers/base/devtmpfs.c:435)
[ 2.556181][ T16] ? kthread_unuse_mm (kernel/kthread.c:341)
[ 2.556181][ T16] ret_from_fork (arch/x86/kernel/process.c:153)
[ 2.556181][ T16] ? kthread_unuse_mm (kernel/kthread.c:341)
[ 2.556181][ T16] ret_from_fork_asm (arch/x86/entry/entry_64.S:257)
[ 2.556181][ T16] </TASK>
[ 2.556181][ T16] ==================================================================
[ 2.556184][ T16] Disabling lock debugging due to kernel taint
[ 2.556901][ T16] general protection fault, probably for non-canonical address 0xaaaaaaaaaaaaaaaa: 0000 [#1] KASAN PTI
[ 2.558131][ T16] CPU: 0 PID: 16 Comm: kdevtmpfs Tainted: G B T 6.9.0-rc5-00038-g97bb54b42b1d #1 c90cc2d91176f38ca16e85ead0a72934082854cd
[ 2.559653][ T16] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 2.560181][ T16] RIP: 0010:terminate_walk (arch/x86/include/asm/atomic.h:103 include/linux/atomic/atomic-arch-fallback.h:949 include/linux/atomic/atomic-instrumented.h:401 include/linux/refcount.h:264 include/linux/refcount.h:307 include/linux/refcount.h:325 fs/namei.c:702)
[ 2.560181][ T16] Code: 03 43 80 3c 2e 00 74 08 4c 89 ff e8 01 61 f4 ff 49 8b 1f 48 85 db 74 41 48 89 df be 04 00 00 00 e8 dc 61 f4 ff b8 ff ff ff ff <0f> c1 03 83 f8 01 75 25 43 80 3c 2e 00 74 08 4c 89 ff e8 d0 60 f4
All code
========
0: 03 43 80 add -0x80(%rbx),%eax
3: 3c 2e cmp $0x2e,%al
5: 00 74 08 4c add %dh,0x4c(%rax,%rcx,1)
9: 89 ff mov %edi,%edi
b: e8 01 61 f4 ff call 0xfffffffffff46111
10: 49 8b 1f mov (%r15),%rbx
13: 48 85 db test %rbx,%rbx
16: 74 41 je 0x59
18: 48 89 df mov %rbx,%rdi
1b: be 04 00 00 00 mov $0x4,%esi
20: e8 dc 61 f4 ff call 0xfffffffffff46201
25: b8 ff ff ff ff mov $0xffffffff,%eax
2a:* 0f c1 03 xadd %eax,(%rbx) <-- trapping instruction
2d: 83 f8 01 cmp $0x1,%eax
30: 75 25 jne 0x57
32: 43 80 3c 2e 00 cmpb $0x0,(%r14,%r13,1)
37: 74 08 je 0x41
39: 4c 89 ff mov %r15,%rdi
3c: e8 .byte 0xe8
3d: d0 60 f4 shlb -0xc(%rax)
Code starting with the faulting instruction
===========================================
0: 0f c1 03 xadd %eax,(%rbx)
3: 83 f8 01 cmp $0x1,%eax
6: 75 25 jne 0x2d
8: 43 80 3c 2e 00 cmpb $0x0,(%r14,%r13,1)
d: 74 08 je 0x17
f: 4c 89 ff mov %r15,%rdi
12: e8 .byte 0xe8
13: d0 60 f4 shlb -0xc(%rax)
[ 2.560181][ T16] RSP: 0000:ffffc9000010fc40 EFLAGS: 00010246
[ 2.560181][ T16] RAX: 00000000ffffffff RBX: aaaaaaaaaaaaaaaa RCX: ffffffff811e4a0f
[ 2.560181][ T16] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff8792adc0
[ 2.560181][ T16] RBP: 0000000000000011 R08: ffffffff8792adc7 R09: 1ffffffff0f255b8
[ 2.560181][ T16] R10: dffffc0000000000 R11: fffffbfff0f255b9 R12: 1ffff92000021fc4
[ 2.560181][ T16] R13: dffffc0000000000 R14: 1ffff92000021fc1 R15: ffffc9000010fe08
[ 2.560181][ T16] FS: 0000000000000000(0000) GS:ffffffff878dc000(0000) knlGS:0000000000000000
[ 2.560181][ T16] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2.560181][ T16] CR2: ffff88843ffff000 CR3: 000000000789c000 CR4: 00000000000406f0
[ 2.560181][ T16] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2.560181][ T16] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2.560181][ T16] Call Trace:
[ 2.560181][ T16] <TASK>
[ 2.560181][ T16] ? __die_body (arch/x86/kernel/dumpstack.c:421)
[ 2.560181][ T16] ? die_addr (arch/x86/kernel/dumpstack.c:?)
[ 2.560181][ T16] ? exc_general_protection (arch/x86/kernel/traps.c:?)
[ 2.560181][ T16] ? end_report (arch/x86/include/asm/current.h:49 mm/kasan/report.c:240)
[ 2.560181][ T16] ? asm_exc_general_protection (arch/x86/include/asm/idtentry.h:617)
[ 2.560181][ T16] ? add_taint (arch/x86/include/asm/bitops.h:60 include/asm-generic/bitops/instrumented-atomic.h:29 kernel/panic.c:555)
[ 2.560181][ T16] ? terminate_walk (arch/x86/include/asm/atomic.h:103 include/linux/atomic/atomic-arch-fallback.h:949 include/linux/atomic/atomic-instrumented.h:401 include/linux/refcount.h:264 include/linux/refcount.h:307 include/linux/refcount.h:325 fs/namei.c:702)
[ 2.560181][ T16] path_lookupat (fs/namei.c:2515)
[ 2.560181][ T16] filename_lookup (fs/namei.c:2526)
[ 2.560181][ T16] kern_path (fs/namei.c:2634)
[ 2.560181][ T16] init_mount (fs/init.c:22)
[ 2.560181][ T16] devtmpfs_setup (drivers/base/devtmpfs.c:419)
[ 2.560181][ T16] devtmpfsd (drivers/base/devtmpfs.c:436)
[ 2.560181][ T16] kthread (kernel/kthread.c:390)
[ 2.560181][ T16] ? vclkdev_alloc (drivers/base/devtmpfs.c:435)
[ 2.560181][ T16] ? kthread_unuse_mm (kernel/kthread.c:341)
[ 2.560181][ T16] ret_from_fork (arch/x86/kernel/process.c:153)
[ 2.560181][ T16] ? kthread_unuse_mm (kernel/kthread.c:341)
[ 2.560181][ T16] ret_from_fork_asm (arch/x86/entry/entry_64.S:257)
[ 2.560181][ T16] </TASK>
[ 2.560181][ T16] Modules linked in:
[ 2.560183][ T16] ---[ end trace 0000000000000000 ]---
[ 2.560820][ T16] RIP: 0010:terminate_walk (arch/x86/include/asm/atomic.h:103 include/linux/atomic/atomic-arch-fallback.h:949 include/linux/atomic/atomic-instrumented.h:401 include/linux/refcount.h:264 include/linux/refcount.h:307 include/linux/refcount.h:325 fs/namei.c:702)
[ 2.561462][ T16] Code: 03 43 80 3c 2e 00 74 08 4c 89 ff e8 01 61 f4 ff 49 8b 1f 48 85 db 74 41 48 89 df be 04 00 00 00 e8 dc 61 f4 ff b8 ff ff ff ff <0f> c1 03 83 f8 01 75 25 43 80 3c 2e 00 74 08 4c 89 ff e8 d0 60 f4
All code
========
0: 03 43 80 add -0x80(%rbx),%eax
3: 3c 2e cmp $0x2e,%al
5: 00 74 08 4c add %dh,0x4c(%rax,%rcx,1)
9: 89 ff mov %edi,%edi
b: e8 01 61 f4 ff call 0xfffffffffff46111
10: 49 8b 1f mov (%r15),%rbx
13: 48 85 db test %rbx,%rbx
16: 74 41 je 0x59
18: 48 89 df mov %rbx,%rdi
1b: be 04 00 00 00 mov $0x4,%esi
20: e8 dc 61 f4 ff call 0xfffffffffff46201
25: b8 ff ff ff ff mov $0xffffffff,%eax
2a:* 0f c1 03 xadd %eax,(%rbx) <-- trapping instruction
2d: 83 f8 01 cmp $0x1,%eax
30: 75 25 jne 0x57
32: 43 80 3c 2e 00 cmpb $0x0,(%r14,%r13,1)
37: 74 08 je 0x41
39: 4c 89 ff mov %r15,%rdi
3c: e8 .byte 0xe8
3d: d0 60 f4 shlb -0xc(%rax)
Code starting with the faulting instruction
===========================================
0: 0f c1 03 xadd %eax,(%rbx)
3: 83 f8 01 cmp $0x1,%eax
6: 75 25 jne 0x2d
8: 43 80 3c 2e 00 cmpb $0x0,(%r14,%r13,1)
d: 74 08 je 0x17
f: 4c 89 ff mov %r15,%rdi
12: e8 .byte 0xe8
13: d0 60 f4 shlb -0xc(%rax)
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20240425/202404252107.3c18eed2-lkp@xxxxxxxxx
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki