Date:   Thu, 13 Feb 2020 19:44:13 +0800
From:   kernel test robot <rong.a.chen@...el.com>
To:     Matthew Wilcox <willy@...radead.org>
Cc:     0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
        lkp@...ts.01.org
Subject: [fs] 2b7884f8b7: BUG:KASAN:null-ptr-deref_in_m

FYI, we noticed the following commit (built with gcc-7):

commit: 2b7884f8b7273e88f23ed394edfea03fae508023 ("fs: Convert mpage_readpages to mpage_readahead")
https://github.com/0day-ci/linux/commits/Matthew-Wilcox/Change-readahead-API/20200203-114219

in testcase: boot

on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):


+---------------------------------------------+------------+------------+
|                                             | 91db051048 | 2b7884f8b7 |
+---------------------------------------------+------------+------------+
| boot_successes                              | 24         | 0          |
| boot_failures                               | 4          | 24         |
| BUG:kernel_hang_in_boot_stage               | 4          | 3          |
| BUG:KASAN:null-ptr-deref_in_m               | 0          | 21         |
| BUG:kernel_NULL_pointer_dereference,address | 0          | 21         |
| Oops:#[##]                                  | 0          | 21         |
| RIP:mpage_readahead                         | 0          | 21         |
| Kernel_panic-not_syncing:Fatal_exception    | 0          | 21         |
+---------------------------------------------+------------+------------+


If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <rong.a.chen@...el.com>


[  114.125212] BUG: KASAN: null-ptr-deref in mpage_readahead+0xb6/0x210
[  114.125964] Read of size 8 at addr 0000000000000008 by task systemd-udevd/341
[  114.126795] 
[  114.126997] CPU: 0 PID: 341 Comm: systemd-udevd Not tainted 5.5.0-08731-g2b7884f8b7273 #1
[  114.127955] Call Trace:
[  114.128299]  ? mpage_readahead+0xb6/0x210
[  114.128785]  __kasan_report+0x15c/0x173
[  114.129268]  ? mpage_readahead+0xb6/0x210
[  114.129938]  ? blkdev_direct_IO+0x880/0x880
[  114.130455]  mpage_readahead+0xb6/0x210
[  114.130923]  ? do_mpage_readpage+0xce0/0xce0
[  114.131452]  ? blkdev_direct_IO+0x880/0x880
[  114.131952]  ? __add_to_page_cache_locked+0x2b4/0x4c0
[  114.132556]  read_pages+0xeb/0x380
[  114.132972]  ? file_ra_state_init+0xb0/0xb0
[  114.133498]  ? __lru_cache_add+0xd7/0x100
[  114.133933]  ? tcp_ack+0x1590/0x22d0
[  114.134261]  ? add_to_page_cache_locked+0x30/0x30
[  114.134694]  ? __do_page_cache_readahead+0x371/0x3d0
[  114.135119]  __do_page_cache_readahead+0x371/0x3d0
[  114.135538]  ? read_cache_pages+0x270/0x270
[  114.135910]  force_page_cache_readahead+0x116/0x160
[  114.136330]  generic_file_read_iter+0xaba/0x1320
[  114.136746]  ? filemap_write_and_wait_range+0x80/0x80
[  114.137216]  ? iov_iter_init+0x8c/0xc0
[  114.137548]  new_sync_read+0x245/0x340
[  114.137876]  ? vfs_dedupe_file_range+0x2d0/0x2d0
[  114.138275]  ? __fsnotify_parent+0x8f/0x230
[  114.138637]  ? fsnotify+0x66a/0x690
[  114.138964]  ? security_file_permission+0xd7/0x170
[  114.139381]  vfs_read+0xbf/0x1a0
[  114.139669]  ksys_read+0x10a/0x150
[  114.139969]  ? kernel_write+0xb0/0xb0
[  114.140300]  do_syscall_64+0xa7/0x7a0
[  114.140619]  ? syscall_return_slowpath+0x3c0/0x3c0
[  114.141204]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  114.141701] RIP: 0033:0x7f08f77e36e0
[  114.142015] Code: 73 01 c3 48 8b 0d c8 88 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 09 cd 20 00 00 75 10 b8 00 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ee fc ff ff 48 89 04 24
[  114.143557] RSP: 002b:00007fff8ca47a38 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[  114.144346] RAX: ffffffffffffffda RBX: 0000003e7fff0000 RCX: 00007f08f77e36e0
[  114.144947] RDX: 0000000000000040 RSI: 000055d489d54958 RDI: 0000000000000009
[  114.145561] RBP: 000055d489d54930 R08: 0000000000000005 R09: 0000000000000068
[  114.146164] R10: 00007fff8ca474a0 R11: 0000000000000246 R12: 000055d489d60480
[  114.146763] R13: 0000000000000040 R14: 000055d489d604d0 R15: 000055d489d54948
[  114.147499] ==================================================================
[  114.148104] Disabling lock debugging due to kernel taint
[  114.148754] BUG: kernel NULL pointer dereference, address: 0000000000000008
[  114.149363] #PF: supervisor read access in kernel mode
[  114.149805] #PF: error_code(0x0000) - not-present page
[  114.150240] PGD 0 P4D 0 
[  114.150468] Oops: 0000 [#1] KASAN PTI
[  114.150784] CPU: 0 PID: 341 Comm: systemd-udevd Tainted: G    B             5.5.0-08731-g2b7884f8b7273 #1
[  114.151578] RIP: 0010:mpage_readahead+0xb6/0x210
[  114.151969] Code: 44 24 44 01 0f 84 cf 00 00 00 48 8b 04 24 4c 8d 76 01 48 8d 78 08 e8 99 98 e2 00 4c 8d 60 08 49 89 c7 4c 89 e7 e8 fa 88 f7 ff <49> 8b 47 08 be 08 00 00 00 48 8d 58 ff a8 01 49 0f 44 df 48 89 df
[  114.153661] RSP: 0018:ffff88819808f728 EFLAGS: 00010286
[  114.154142] RAX: ffff8881add30c00 RBX: ffffffffab375260 RCX: ffffffffab1323c6
[  114.154737] RDX: 0000000000000003 RSI: dffffc0000000000 RDI: ffffffffad337200
[  114.155328] RBP: 0000000000000000 R08: fffffbfff5b296b6 R09: 0000000000000000
[  114.155921] R10: ffffffffad94b5ab R11: fffffbfff5b296b6 R12: 0000000000000008
[  114.156514] R13: 1ffff11033011ee7 R14: 0000000003e7fff0 R15: 0000000000000000
[  114.157108] FS:  00007f08f88a88c0(0000) GS:ffffffffad076000(0000) knlGS:0000000000000000
[  114.157791] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  114.158275] CR2: 0000000000000008 CR3: 00000001c5fd6000 CR4: 00000000000406f0
[  114.158871] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  114.159510] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  114.160212] Call Trace:
[  114.160432]  ? do_mpage_readpage+0xce0/0xce0
[  114.160799]  ? blkdev_direct_IO+0x880/0x880
[  114.161164]  ? __add_to_page_cache_locked+0x2b4/0x4c0
[  114.161594]  read_pages+0xeb/0x380
[  114.161888]  ? file_ra_state_init+0xb0/0xb0
[  114.162253]  ? __lru_cache_add+0xd7/0x100
[  114.162601]  ? tcp_ack+0x1590/0x22d0
[  114.162909]  ? add_to_page_cache_locked+0x30/0x30
[  114.163310]  ? __do_page_cache_readahead+0x371/0x3d0
[  114.163727]  __do_page_cache_readahead+0x371/0x3d0
[  114.164132]  ? read_cache_pages+0x270/0x270
[  114.164490]  force_page_cache_readahead+0x116/0x160
[  114.164904]  generic_file_read_iter+0xaba/0x1320
[  114.165315]  ? filemap_write_and_wait_range+0x80/0x80
[  114.165744]  ? iov_iter_init+0x8c/0xc0
[  114.166097]  new_sync_read+0x245/0x340
[  114.166543]  ? vfs_dedupe_file_range+0x2d0/0x2d0
[  114.166977]  ? __fsnotify_parent+0x8f/0x230
[  114.167334]  ? fsnotify+0x66a/0x690
[  114.167638]  ? security_file_permission+0xd7/0x170
[  114.168044]  vfs_read+0xbf/0x1a0
[  114.168324]  ksys_read+0x10a/0x150
[  114.168649]  ? kernel_write+0xb0/0xb0
[  114.169209]  do_syscall_64+0xa7/0x7a0
[  114.169725]  ? syscall_return_slowpath+0x3c0/0x3c0
[  114.170404]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  114.171095] RIP: 0033:0x7f08f77e36e0
[  114.171584] Code: 73 01 c3 48 8b 0d c8 88 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 09 cd 20 00 00 75 10 b8 00 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ee fc ff ff 48 89 04 24
[  114.186260] RSP: 002b:00007fff8ca47a38 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[  114.187297] RAX: ffffffffffffffda RBX: 0000003e7fff0000 RCX: 00007f08f77e36e0
[  114.188281] RDX: 0000000000000040 RSI: 000055d489d54958 RDI: 0000000000000009
[  114.189278] RBP: 000055d489d54930 R08: 0000000000000005 R09: 0000000000000068
[  114.190234] R10: 00007fff8ca474a0 R11: 0000000000000246 R12: 000055d489d60480
[  114.191219] R13: 0000000000000040 R14: 000055d489d604d0 R15: 000055d489d54948
[  114.192205] Modules linked in: crc32_pclmul crc32c_intel ata_piix input_leds serio_raw qemu_fw_cfg intel_agp intel_gtt evbug agpgart piix i2c_piix4 autofs4
[  114.194114] CR2: 0000000000000008
[  114.194679] ---[ end trace d7003214cba57fd2 ]---


To reproduce:

        # build the kernel at the reported commit with the attached config
        cd linux
        cp config-5.5.0-08731-g2b7884f8b7273 .config
        make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage

        # boot the resulting bzImage under qemu with the attached job-script
        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email



Thanks,
Rong Chen


View attachment "config-5.5.0-08731-g2b7884f8b7273" of type "text/plain" (153964 bytes)

View attachment "job-script" of type "text/plain" (4869 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (14384 bytes)
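The report above has the two halves a triager works from: the KASAN line (function plus offset, access size, faulting address, task) and the Oops register dump with the faulting instruction marked in the Code: line. The script below is an added triage helper, not part of the kernel test robot's report or of the kernel tree. It parses those lines (the sample is a trimmed copy of the lines above) and pulls out what a first responder wants: that an address below PAGE_SIZE is a NULL base plus a field offset (here 8), the opcode bytes at RIP, which registers could be the base of the bad access, and whether the KASAN line and the Oops RIP name the same function. The 4096-byte page and the 47-bit user/kernel address split are x86-64 assumptions baked into the script.

```python
"""Added triage helper for KASAN + x86-64 Oops dumps (not the robot's code)."""
import re
from typing import Dict, List, Optional, Tuple

# Trimmed copy of the report above: only the lines the parser reads.
SAMPLE_REPORT = """\
[  114.125212] BUG: KASAN: null-ptr-deref in mpage_readahead+0xb6/0x210
[  114.125964] Read of size 8 at addr 0000000000000008 by task systemd-udevd/341
[  114.126997] CPU: 0 PID: 341 Comm: systemd-udevd Not tainted 5.5.0-08731-g2b7884f8b7273 #1
[  114.148754] BUG: kernel NULL pointer dereference, address: 0000000000000008
[  114.150784] Oops: 0000 [#1] KASAN PTI
[  114.151578] RIP: 0010:mpage_readahead+0xb6/0x210
[  114.151969] Code: 44 24 44 01 0f 84 cf 00 00 00 48 8b 04 24 4c 8d 76 01 48 8d 78 08 e8 99 98 e2 00 4c 8d 60 08 49 89 c7 4c 89 e7 e8 fa 88 f7 ff <49> 8b 47 08 be 08 00 00 00 48 8d 58 ff a8 01 49 0f 44 df 48 89 df
[  114.154142] RAX: ffff8881add30c00 RBX: ffffffffab375260 RCX: ffffffffab1323c6
[  114.154737] RDX: 0000000000000003 RSI: dffffc0000000000 RDI: ffffffffad337200
[  114.155328] RBP: 0000000000000000 R08: fffffbfff5b296b6 R09: 0000000000000000
[  114.155921] R10: ffffffffad94b5ab R11: fffffbfff5b296b6 R12: 0000000000000008
[  114.156514] R13: 1ffff11033011ee7 R14: 0000000003e7fff0 R15: 0000000000000000
"""

PAGE_SIZE = 4096          # assumption: x86-64 with 4 KiB pages (the NULL page is unmapped)
USER_LIMIT = 1 << 47      # assumption: top of the canonical user half on x86-64

_TS = r"^\[\s*[\d.]+\]\s*"
_SYM = r"(?P<func>[A-Za-z_][\w.]*)\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+)"
KASAN_RE = re.compile(_TS + r"BUG: KASAN: (?P<kind>[\w-]+) in " + _SYM)
ACCESS_RE = re.compile(_TS + r"(?P<rw>Read|Write) of size (?P<n>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)")
RIP_RE = re.compile(_TS + r"RIP: 0010:" + _SYM)
CODE_RE = re.compile(_TS + r"Code: (?P<bytes>.+)$")
# General-purpose registers only; RSP/RIP lines use a different layout and are skipped.
REG_RE = re.compile(r"\b(R(?:AX|BX|CX|DX|SI|DI|BP)|R\d\d): ([0-9a-f]{16})")


def classify_address(addr: int) -> Tuple[str, Optional[int]]:
    """Bucket a faulting address the way a triager does by eye."""
    if addr < PAGE_SIZE:
        return "null-deref", addr      # NULL base plus a struct field / array offset
    if addr < USER_LIMIT:
        return "user-range", None      # garbage or user pointer used in kernel mode
    return "kernel-range", None        # a real kernel object: UAF, OOB, etc.


def faulting_bytes(code_line: str) -> List[str]:
    """Opcode bytes from the instruction RIP points at; the kernel marks it with <..>."""
    tokens = code_line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith("<"):
            return [t.strip("<>") for t in tokens[i:]]
    return []


def base_candidates(regs: Dict[str, int], addr: int) -> List[Tuple[str, int]]:
    """Registers whose value lies within one page below addr: possible base + displacement."""
    out = []
    for name, val in regs.items():
        disp = addr - val
        if 0 <= disp < PAGE_SIZE:
            out.append((name, disp))
    return sorted(out)


def triage(report: str) -> dict:
    """Parse a KASAN/Oops dump into the facts a first responder needs."""
    result: dict = {"regs": {}}
    for line in report.splitlines():
        m = KASAN_RE.match(line)
        if m:
            result["kasan"] = {"kind": m["kind"], "func": m["func"],
                               "off": int(m["off"], 16), "size": int(m["size"], 16)}
            continue
        m = ACCESS_RE.match(line)
        if m:
            result["access"] = {"rw": m["rw"], "bytes": int(m["n"]), "addr": int(m["addr"], 16),
                                "task": m["task"], "pid": int(m["pid"])}
            continue
        m = RIP_RE.match(line)
        if m:
            result["rip"] = {"func": m["func"], "off": int(m["off"], 16), "size": int(m["size"], 16)}
            continue
        m = CODE_RE.match(line)
        if m:
            result["fault_bytes"] = faulting_bytes(m["bytes"])
            continue
        for name, val in REG_RE.findall(line):
            result["regs"][name] = int(val, 16)

    if "access" in result:
        addr = result["access"]["addr"]
        result["class"], result["null_offset"] = classify_address(addr)
        result["base_candidates"] = base_candidates(result["regs"], addr)
    # The KASAN line and the Oops RIP should name the same function; if they do not,
    # the Oops is a secondary crash and the KASAN line is the one to chase.
    result["consistent"] = ("kasan" in result and "rip" in result
                            and result["kasan"]["func"] == result["rip"]["func"])
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_REPORT)
    print(f"{r['kasan']['kind']} in {r['kasan']['func']}+{r['kasan']['off']:#x}: "
          f"{r['access']['rw']} of {r['access']['bytes']} bytes at {r['access']['addr']:#x} "
          f"({r['class']}, offset {r['null_offset']}) by {r['access']['task']}/{r['access']['pid']}")
    print("bytes at RIP:", " ".join(r["fault_bytes"][:4]), "candidates:", r["base_candidates"])
```

Run it as a script for a one-line summary, then feed the full Code: line to the kernel tree's scripts/decodecode for the real disassembly. Here the bytes at RIP are 49 8b 47 08, which is a 64-bit load from r15+8 (REX.W+REX.B, opcode 8b, modrm 47 with an 8-bit displacement); the register dump shows R15 = 0, so the "Read of size 8 at addr 0000000000000008" is a field at offset 8 read through a NULL struct pointer, exactly what the candidate list narrows it to.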
