Re: f7dd250789 ("gcc-plugins: structleak: add option to init all .."): kmodloader/112 is trying to release lock (module_mutex) at:

From: Kees Cook
Date: Tue Aug 08 2017 - 03:14:45 EST


This appears to be something related to randstruct, not structleak
(which is entirely disabled for this build):

CONFIG_GCC_PLUGINS=y
# CONFIG_GCC_PLUGIN_CYC_COMPLEXITY is not set
# CONFIG_GCC_PLUGIN_LATENT_ENTROPY is not set
# CONFIG_GCC_PLUGIN_STRUCTLEAK is not set
CONFIG_GCC_PLUGIN_RANDSTRUCT=y
CONFIG_GCC_PLUGIN_RANDSTRUCT_PERFORMANCE=y

-Kees


On Mon, Aug 7, 2017 at 8:20 PM, kernel test robot
<fengguang.wu@xxxxxxxxx> wrote:
> Greetings,
>
> 0day kernel testing robot got the below dmesg and the first bad commit is
>
> https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git for-next/gcc-plugin/structleak
>
> commit f7dd2507893cc3425d3ffc2369559619960befb0
> Author: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>
> AuthorDate: Sun Aug 6 12:06:27 2017 +0100
> Commit: Kees Cook <keescook@xxxxxxxxxxxx>
> CommitDate: Mon Aug 7 11:20:57 2017 -0700
>
> gcc-plugins: structleak: add option to init all vars used as byref args
>
> In the Linux kernel, struct type variables are rarely passed by-value,
> and so functions that initialize such variables typically take an input
> reference to the variable rather than returning a value that can
> subsequently be used in an assignment.
>
> If the initialization function is not part of the same compilation unit,
> the lack of an assignment operation defeats any analysis the compiler
> can perform as to whether the variable may be used before having been
> initialized. This means we may end up passing on such variables
> uninitialized, resulting in potential information leaks.
>
> So extend the existing structleak GCC plugin so it will [optionally]
> apply to all struct type variables that have their address taken at any
> point, rather than only to variables of struct types that have a __user
> annotation.
>
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>
> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
>
> 520eccdfe1 Linux 4.13-rc2
> f7dd250789 gcc-plugins: structleak: add option to init all vars used as byref args
> f7dd250789 gcc-plugins: structleak: add option to init all vars used as byref args
> +-------------------------------------------+-----------+------------+------------+
> | | v4.13-rc2 | f7dd250789 | f7dd250789 |
> +-------------------------------------------+-----------+------------+------------+
> | boot_successes | 163 | 0 | 0 |
> | boot_failures | 0 | 32 | 32 |
> | is_trying_to_release_lock(module_mutex)at | 0 | 32 | 32 |
> | BUG:unable_to_handle_kernel | 0 | 32 | 32 |
> | Oops:#[##] | 0 | 32 | 32 |
> | EIP:m_start | 0 | 32 | 32 |
> | Kernel_panic-not_syncing:Fatal_exception | 0 | 32 | 32 |
> +-------------------------------------------+-----------+------------+------------+
>
> [ 7.063335]
> [ 7.063494] =====================================
> [ 7.063922] WARNING: bad unlock balance detected!
> [ 7.064351] 4.13.0-rc2-00001-gf7dd2507 #191 Not tainted
> [ 7.064830] -------------------------------------
> [ 7.065259] kmodloader/112 is trying to release lock (module_mutex) at:
> [ 7.065865] [<7909ed9a>] m_stop+0xd/0xf
> [ 7.066216] but there are no more locks to release!
> [ 7.066663]
> [ 7.066663] other info that might help us debug this:
> [ 7.066663]
> [ 7.066663] other info that might help us debug this:
> [ 7.067257] 1 lock held by kmodloader/112:
> [ 7.067635] #0: (&p->lock){+.+.+.}, at: [<791311b2>] seq_read+0x27/0x368
> [ 7.068264]
> [ 7.068264] stack backtrace:
> [ 7.068264]
> [ 7.068264] stack backtrace:
> [ 7.068668] CPU: 0 PID: 112 Comm: kmodloader Not tainted 4.13.0-rc2-00001-gf7dd2507 #191
> [ 7.069408] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.3-20161025_171302-gandalf 04/01/2014
> [ 7.070338] Call Trace:
> [ 7.070569] dump_stack+0x74/0xa7
> [ 7.070874] ? m_stop+0xd/0xf
> [ 7.071149] print_unlock_imbalance_bug+0xb1/0xbe
> [ 7.071582] ? m_stop+0xd/0xf
> [ 7.071855] ? m_stop+0xd/0xf
> [ 7.072128] lock_release+0x11c/0x24d
> [ 7.072464] ? m_stop+0xd/0xf
> [ 7.072747] __mutex_unlock_slowpath+0x27/0x1bf
> [ 7.073163] ? __kmalloc+0x5e/0x66
> [ 7.073477] mutex_unlock+0xb/0xd
> [ 7.073786] m_stop+0xd/0xf
> [ 7.074044] seq_read+0x187/0x368
> [ 7.074349] ? seq_lseek+0x13f/0x13f
> [ 7.074681] proc_reg_read+0x47/0x64
> [ 7.075011] ? proc_reg_mmap+0x54/0x54
> [ 7.075356] __vfs_read+0x22/0x109
> [ 7.075673] ? find_held_lock+0x29/0x6c
> [ 7.076027] ? __do_page_fault+0x302/0x378
> [ 7.076402] vfs_read+0x83/0xf4
> [ 7.076694] SyS_read+0x3d/0x82
> [ 7.076984] do_int80_syscall_32+0x4c/0xd9
> [ 7.077359] entry_INT80_32+0x2c/0x2c
> [ 7.077697] EIP: 0x6ff5fd0e
> [ 7.077954] EFLAGS: 00000246 CPU: 0
> [ 7.078274] EAX: ffffffda EBX: 00000003 ECX: 094a4088 EDX: 00001000
> [ 7.078846] ESI: 094a4028 EDI: 00001000 EBP: 094a5090 ESP: 77d69f4c
> [ 7.079415] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b
> [ 7.079925] BUG: unable to handle kernel NULL pointer dereference at (null)
> [ 7.080581] IP: m_start+0x12/0x24
> [ 7.080884] *pde = 00000000
> [ 7.080885]
> [ 7.081288] Oops: 0000 [#1] SMP
> [ 7.081579] Modules linked in:
> [ 7.081861] CPU: 0 PID: 112 Comm: kmodloader Not tainted 4.13.0-rc2-00001-gf7dd2507 #191
> [ 7.082593] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.3-20161025_171302-gandalf 04/01/2014
> [ 7.083513] task: 86cb4000 task.stack: 86cb6000
> [ 7.083926] EIP: m_start+0x12/0x24
> [ 7.084237] EFLAGS: 00010246 CPU: 0
> [ 7.084560] EAX: 00000000 EBX: 00000000 ECX: 7990e72c EDX: 7909f0bc
> [ 7.085126] ESI: 00000000 EDI: 00000000 EBP: 86cb7e94 ESP: 86cb7e90
> [ 7.085695] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
> [ 7.086185] CR0: 80050033 CR2: 00000000 CR3: 0ecba000 CR4: 001406d0
> [ 7.086759] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
> [ 7.087327] DR6: fffe0ff0 DR7: 00000400
> [ 7.087679] Call Trace:
> [ 7.087906] seq_read+0x258/0x368
> [ 7.088210] ? seq_lseek+0x13f/0x13f
> [ 7.088541] proc_reg_read+0x47/0x64
> [ 7.088868] ? proc_reg_mmap+0x54/0x54
> [ 7.089214] __vfs_read+0x22/0x109
> [ 7.089528] ? find_held_lock+0x29/0x6c
> [ 7.089879] ? __do_page_fault+0x302/0x378
> [ 7.090252] vfs_read+0x83/0xf4
> [ 7.090545] SyS_read+0x3d/0x82
> [ 7.090833] do_int80_syscall_32+0x4c/0xd9
> [ 7.091206] entry_INT80_32+0x2c/0x2c
> [ 7.091543] EIP: 0x6ff5fd0e
> [ 7.091800] EFLAGS: 00000246 CPU: 0
> [ 7.092118] EAX: ffffffda EBX: 00000003 ECX: 094a4088 EDX: 00001000
> [ 7.092689] ESI: 094a4028 EDI: 00001000 EBP: 094a5090 ESP: 77d69f4c
> [ 7.093257] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b
> [ 7.093752] Code: 79 e8 61 1d 09 00 5d c3 55 89 d0 89 e5 ba e8 e6 90 79 e8 01 1d 09 00 5d c3 55 b8 f0 e6 90 79 89 e5 53 89 d3 31 d2 e8 54 74 56 00 <8b> 13 b8 e8 e6 90 79 8b 4b 04 e8 b3 1c 09 00 5b 5d c3 55 85 d2
> [ 7.095477] EIP: m_start+0x12/0x24 SS:ESP: 0068:86cb7e90
> [ 7.095963] CR2: 0000000000000000
> [ 7.096276] ---[ end trace 5d7df7bc417c7ad9 ]---
> [ 7.096710] Kernel panic - not syncing: Fatal exception
>
> # HH:MM RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
> git bisect start f7dd2507893cc3425d3ffc2369559619960befb0 520eccdfe187591a51ea9ab4c1a024ae4d0f68d9 --
> # first bad commit: [f7dd2507893cc3425d3ffc2369559619960befb0] gcc-plugins: structleak: add option to init all vars used as byref args
> git bisect good 520eccdfe187591a51ea9ab4c1a024ae4d0f68d9 # 11:15 G 31 0 0 0 Linux 4.13-rc2
> # extra tests on HEAD of kees/for-next/gcc-plugin/structleak
> git bisect bad f7dd2507893cc3425d3ffc2369559619960befb0 # 11:15 B 0 32 51 0 gcc-plugins: structleak: add option to init all vars used as byref args
> # extra tests on tree/branch kees/for-next/gcc-plugin/structleak
> git bisect bad f7dd2507893cc3425d3ffc2369559619960befb0 # 11:15 B 0 32 51 0 gcc-plugins: structleak: add option to init all vars used as byref args
> # extra tests with first bad commit reverted
> git bisect good 39cfbbd528552f0d5733b33b52f1f2fc3ec2e117 # 11:20 G 11 0 0 0 Revert "gcc-plugins: structleak: add option to init all vars used as byref args"
>
> ---
> 0-DAY kernel test infrastructure Open Source Technology Center
> https://lists.01.org/pipermail/lkp Intel Corporation



--
Kees Cook
Pixel Security
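The quoted commit message describes why a struct handed by reference to an initialiser in another compilation unit can reach a copy-out still holding stale stack bytes, and why the extended structleak plugin forces such variables to be zeroed. The following userspace C program is an added illustration of that failure mode and of the effect of the forced initialiser; it is not code from the thread, the plugin, or the kernel. The struct layout, the `report_init()` helper, the 0xAA marker used to stand in for leftover stack contents, and all function names are constructed for the example.

```c
/* Added example (not from the thread): models the by-reference
 * initialisation gap described in the quoted commit message. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed struct: the uint8_t is followed by padding on common ABIs. */
struct report {
    uint32_t id;
    uint8_t  flag;
    uint64_t value;
};

/* Lets the example pre-fill the exact bytes the struct will occupy. */
union slot {
    struct report r;
    unsigned char raw[sizeof(struct report)];
};

/* Marker standing in for secrets a previous call left on the stack. */
#define STALE 0xAA

/* Stand-in for an initialiser living in another compilation unit: on the
 * error path it returns without touching *r, so a caller's compiler has
 * no assignment to analyse and cannot warn about the use of *r below. */
static int report_init(struct report *r, int id)
{
    if (id < 0)
        return -1;                 /* early exit: *r left untouched */
    r->id = (uint32_t)id;
    r->flag = 1;                   /* writes one byte, not the padding */
    r->value = 0x1122334455667788ULL;
    return 0;
}

/* Number of marker bytes that made it into the output buffer. */
static size_t count_stale(const unsigned char *buf, size_t n)
{
    size_t stale = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == STALE)
            stale++;
    return stale;
}

/* Vulnerable shape: no initialiser on the declaration, return value of
 * the initialiser ignored, struct copied out regardless (think
 * copy_to_user()). Returns how many stale bytes reached 'out'. */
static size_t leaky_read(int id, unsigned char *out)
{
    union slot u;
    memset(u.raw, STALE, sizeof u.raw);     /* model leftover stack data */
    (void)report_init(&u.r, id);            /* may leave u.r untouched */
    memcpy(out, &u.r, sizeof u.r);          /* copy-out to the caller */
    return count_stale(out, sizeof u.r);
}

/* Hardened shape: the whole object is zeroed before its address escapes,
 * which is the effect the forced structleak initialiser provides for
 * variables whose address is taken. Even the sloppy call pattern above
 * then leaks nothing stale; checking the return value is the other fix. */
static size_t hardened_read(int id, unsigned char *out)
{
    union slot u;
    memset(u.raw, STALE, sizeof u.raw);     /* model leftover stack data */
    memset(&u.r, 0, sizeof u.r);            /* forced zero-initialisation */
    (void)report_init(&u.r, id);
    memcpy(out, &u.r, sizeof u.r);
    return count_stale(out, sizeof u.r);
}

int main(void)
{
    unsigned char out[sizeof(struct report)];
    printf("error path, leaky    : %zu stale bytes\n", leaky_read(-1, out));
    printf("error path, hardened : %zu stale bytes\n", hardened_read(-1, out));
    printf("success path, leaky  : %zu stale bytes (padding)\n", leaky_read(7, out));
    printf("success path, hardened: %zu stale bytes\n", hardened_read(7, out));
    return 0;
}
```

On the error path every byte of the struct reaches the output in the leaky version, and on the success path the padding bytes still do, because the initialiser only writes the named fields; the zeroed version copies out no stale bytes in either case.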