On Mon, Mar 25, 2019 at 4:17 PM Paul Moore wrote: > Ondrej, please look into this. > > You've looked at this code more recently than I have, but it looks > like there might be an issue with __kernfs_iattrs() returning a > pointer to a kernfs_iattrs object without taking a kernfs reference > (kernfs_get(kn)). Although I would be a little surprised if this was > the problem as I think it would cause a number of issues beyond just > this one ... ? I think this is actually because of how xattr_full_name() reconstructs the full name from the xattr suffix. It assumes that the suffix was obtained from the full name by just taking a pointer inside it, but in kernfs_security_xattr_get/set() I pass the suffix directly... I'm surprised that this didn't fail spectacularly earlier during testing. Maybe the newer GCC does some clever merging of the string constants, so that XATTR_SELINUX_SUFFIX actually ends up as a substring of XATTR_NAME_SELINUX? (That would be one hell of a "lucky" coincidence :) I'll post a patch that converts kernfs_security_xattr_get/set() to take the full name and hopefully that will fix the problem. I'll see if I can run the reproducer locally tomorrow... > > On Mon, Mar 25, 2019 at 10:50 AM kernel test robot > wrote: > > > > FYI, we noticed the following commit (built with gcc-7): > > > > commit: e19dfdc83b60f196e0653d683499f7bc5548128f ("kernfs: initialize security of newly created nodes") > > https://git.kernel.org/cgit/linux/kernel/git/pcmoore/selinux.git next > > > > in testcase: locktorture > > with following parameters: > > > > runtime: 300s > > test: default > > > > test-description: This torture test consists of creating a number of kernel threads which acquire the lock and hold it for specific amount of time, thus simulating different critical region behaviors. > > test-url: https://www.kernel.org/doc/Documentation/locking/locktorture.txt > > > > > > on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 2G > > > > caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace): > > > > > > +-------------------------------------------------+------------+------------+ > > | | ec882da5cd | e19dfdc83b | > > +-------------------------------------------------+------------+------------+ > > | boot_successes | 0 | 0 | > > | boot_failures | 8 | 8 | > > | BUG:kernel_reboot-without-warning_in_test_stage | 8 | | > > | BUG:KASAN:global-out-of-bounds_in_s | 0 | 8 | > > +-------------------------------------------------+------------+------------+ > > > > > > > > [ 27.938038] BUG: KASAN: global-out-of-bounds in strcmp+0x97/0xa0 > > [ 27.940755] Read of size 1 at addr ffffffff946a83d7 by task systemd/1 > > [ 27.943554] > > [ 27.944603] CPU: 0 PID: 1 Comm: systemd Not tainted 5.1.0-rc1-00010-ge19dfdc #1 > > [ 27.948091] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 > > [ 27.951946] Call Trace: > > [ 27.953353] ? strcmp+0x97/0xa0 > > [ 27.955026] print_address_description+0x22/0x270 > > [ 27.957203] ? strcmp+0x97/0xa0 > > [ 27.958841] kasan_report+0x13b/0x1d0 > > [ 27.960759] ? strcmp+0x97/0xa0 > > [ 27.962378] ? strcmp+0x97/0xa0 > > [ 27.963976] strcmp+0x97/0xa0 > > [ 27.965846] simple_xattr_get+0x7b/0x120 > > [ 27.967473] selinux_kernfs_init_security+0x108/0x440 > > [ 27.969360] ? __radix_tree_replace+0x9a/0x230 > > [ 27.971200] ? selinux_secctx_to_secid+0x20/0x20 > > [ 27.973011] ? __fprop_inc_percpu_max+0x190/0x190 > > [ 27.975563] ? kvm_sched_clock_read+0x12/0x20 > > [ 27.977907] ? sched_clock+0x5/0x10 > > [ 27.979867] ? sched_clock_cpu+0x24/0xb0 > > [ 27.982048] ? idr_alloc_cyclic+0xcb/0x190 > > [ 27.984229] ? lock_downgrade+0x620/0x620 > > [ 27.986388] security_kernfs_init_security+0x3c/0x70 > > [ 27.989012] __kernfs_new_node+0x403/0x5e0 > > [ 27.991195] ? kernfs_dop_revalidate+0x330/0x330 > > [ 27.993589] ? css_next_child+0xec/0x260 > > [ 27.995685] ? css_next_descendant_pre+0x36/0x110 > > [ 27.998115] ? cgroup_propagate_control+0x2d6/0x460 > > [ 28.000662] kernfs_new_node+0x72/0x140 > > [ 28.002818] ? lockdep_hardirqs_on+0x379/0x560 > > [ 28.005171] ? cgroup_idr_replace+0x35/0x40 > > [ 28.007417] kernfs_create_dir_ns+0x26/0x130 > > [ 28.009690] cgroup_mkdir+0x3b9/0xef0 > > [ 28.011764] ? cgroup_destroy_locked+0x5e0/0x5e0 > > [ 28.014196] kernfs_iop_mkdir+0x12f/0x1b0 > > [ 28.016396] vfs_mkdir+0x2e6/0x510 > > [ 28.018317] do_mkdirat+0x19b/0x1f0 > > [ 28.020284] ? __x64_sys_mknod+0xb0/0xb0 > > [ 28.022437] do_syscall_64+0xe5/0x10d0 > > [ 28.024408] ? syscall_return_slowpath+0x790/0x790 > > [ 28.026874] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe > > [ 28.029504] ? trace_hardirqs_off_caller+0x58/0x200 > > [ 28.031993] ? trace_hardirqs_off_thunk+0x1a/0x1c > > [ 28.034438] entry_SYSCALL_64_after_hwframe+0x49/0xbe > > [ 28.036748] RIP: 0033:0x7f38cab6f447 > > [ 28.038825] Code: 00 b8 ff ff ff ff c3 0f 1f 40 00 48 8b 05 49 da 2b 00 64 c7 00 5f 00 00 00 b8 ff ff ff ff c3 0f 1f 40 00 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 21 da 2b 00 f7 d8 64 89 01 48 > > [ 28.047736] RSP: 002b:00007ffeef143d88 EFLAGS: 00000246 ORIG_RAX: 0000000000000053 > > [ 28.051776] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f38cab6f447 > > [ 28.055117] RDX: 00007ffeef143c30 RSI: 00000000000001ed RDI: 000055a7b0458560 > > [ 28.058533] RBP: 0000000000000040 R08: 0000000000000000 R09: 2f73662f7379732f > > [ 28.062031] R10: 732f70756f726763 R11: 0000000000000246 R12: 000055a7b04b30a0 > > [ 28.065528] R13: 0000000000000000 R14: 000055a7b046bb88 R15: 000055a7b046b540 > > [ 28.068977] > > [ 28.070240] The buggy address belongs to the variable: > > [ 28.072491] securityfs_super_operations+0x4917/0x6220 > > [ 28.075171] > > [ 28.076286] Memory state around the buggy address: > > [ 28.078861] ffffffff946a8280: fa fa fa fa 00 01 fa fa fa fa fa fa 00 02 fa fa > > [ 28.082610] ffffffff946a8300: fa fa fa fa 00 02 fa fa fa fa fa fa 00 01 fa fa > > [ 28.086669] >ffffffff946a8380: fa fa fa fa 00 03 fa fa fa fa fa fa 00 fa fa fa > > [ 28.090587] ^ > > [ 28.093576] ffffffff946a8400: fa fa fa fa 00 00 00 00 00 00 05 fa fa fa fa fa > > [ 28.097599] ffffffff946a8480: 00 00 01 fa fa fa fa fa 00 00 00 00 00 00 00 00 > > [ 28.101453] ================================================================== > > [ 28.105478] Disabling lock debugging due to kernel taint > > Starting Load Kernel Modules... > > Mounting Debug File System... > > ] Listening on RPCbind Server Activation Socket. > > Starting Remount Root and Kernel File Systems... > > Starting Journal Service... > > Mounting RPC Pipe File System... > > [ 28.508319] _warn_unseeded_randomness: 131 callbacks suppressed > > [ 28.508335] random: get_random_u64 called from copy_process+0x596/0x6450 with crng_init=1 > > Starting Create Static Device Nodes in /dev... > > [ 28.552988] random: get_random_u64 called from arch_pick_mmap_layout+0x4a1/0x600 with crng_init=1 > > [ 28.556785] random: get_random_u64 called from arch_pick_mmap_layout+0x446/0x600 with crng_init=1 > > Starting Load/Save Random Seed... > > Starting udev Coldplug all Devices... > > Mounting FUSE Control File System... > > Starting Apply Kernel Variables... > > Mounting Configuration File System... > > Starting Raise network interfaces... > > Starting Preprocess NFS configuration... > > Starting udev Kernel Device Manager... > > Starting Flush Journal to Persistent Storage... > > Starting Create Volatile Files and Directories... > > [ 29.523554] random: get_random_u64 called from arch_pick_mmap_layout+0x446/0x600 with crng_init=1 > > [ 29.527262] random: get_random_u64 called from load_elf_binary+0x1281/0x2f30 with crng_init=1 > > > > Starting RPC bind portmap service... > > Starting Network Time Synchronization... > > Starting Update UTMP about System Boot/Shutdown... > > [ 30.574449] _warn_unseeded_randomness: 154 callbacks suppressed > > [ 30.574479] random: get_random_u32 called from bucket_table_alloc+0x149/0x370 with crng_init=1 > > [ 32.628754] random: get_random_u64 called from arch_pick_mmap_layout+0x4a1/0x600 with crng_init=1 > > [ 32.632973] random: get_random_u64 called from arch_pick_mmap_layout+0x446/0x600 with crng_init=1 > > [ 32.637364] random: get_random_u64 called from load_elf_binary+0x1281/0x2f30 with crng_init=1 > > Starting Login Service... > > Starting LSB: Start and stop bmc-watchdog... > > Starting LSB: Execute the kexec -e command to reboot system... > > > > > > To reproduce: > > > > # build kernel > > cd linux > > cp config-5.1.0-rc1-00010-ge19dfdc .config > > make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 olddefconfig > > make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 prepare > > make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 modules_prepare > > make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 SHELL=/bin/bash > > make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 bzImage > > > > > > git clone https://github.com/intel/lkp-tests.git > > cd lkp-tests > > find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz > > bin/lkp qemu -k -m modules.cgz job-script # job-script is attached in this email > > > > > > > > > > Thanks, > > Rong Chen > > > > > -- > paul moore > www.paul-moore.com -- Ondrej Mosnacek Software Engineer, Security Technologies Red Hat, Inc.