Message-ID: <20200507113041.GQ5770@shao2-debian>
Date:   Thu, 7 May 2020 19:30:41 +0800
From:   kernel test robot <rong.a.chen@...el.com>
To:     Luis Chamberlain <mcgrof@...nel.org>
Cc:     axboe@...nel.dk, viro@...iv.linux.org.uk, bvanassche@....org,
        gregkh@...uxfoundation.org, rostedt@...dmis.org, mingo@...hat.com,
        jack@...e.cz, ming.lei@...hat.com, nstange@...e.de,
        akpm@...ux-foundation.org, mhocko@...e.com, yukuai3@...wei.com,
        linux-block@...r.kernel.org, linux-fsdevel@...r.kernel.org,
        linux-mm@...ck.org, linux-kernel@...r.kernel.org,
        Luis Chamberlain <mcgrof@...nel.org>,
        Omar Sandoval <osandov@...com>,
        Hannes Reinecke <hare@...e.com>,
        Michal Hocko <mhocko@...nel.org>,
        syzbot+603294af2d01acfdd6da@...kaller.appspotmail.com,
        lkp@...ts.01.org
Subject: [blktrace] d106a3fdba: BUG:kernel_NULL_pointer_dereference,address

Greetings,

FYI, we noticed the following commit (built with gcc-7):

commit: d106a3fdbac9d93aec07a533059439de56c0216b ("[PATCH v3 4/6] blktrace: fix debugfs use after free")
url: https://github.com/0day-ci/linux/commits/Luis-Chamberlain/block-fix-blktrace-debugfs-use-after-free/20200429-175619
base: https://git.kernel.org/cgit/linux/kernel/git/axboe/linux-block.git for-next

in testcase: blktests
with the following parameters:

	disk: 1SSD
	test: block-group1



on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):




If you fix the issue, kindly add the following tag:
Reported-by: kernel test robot <rong.a.chen@...el.com>


[   24.328966] BUG: kernel NULL pointer dereference, address: 00000000000000a0
[   24.330808] #PF: supervisor write access in kernel mode
[   24.332468] #PF: error_code(0x0002) - not-present page
[   24.334138] PGD 8000000117ff4067 P4D 8000000117ff4067 PUD 1bc789067 PMD 0 
[   24.336046] Oops: 0002 [#1] SMP PTI
[   24.341721] CPU: 0 PID: 1019 Comm: check Not tainted 5.7.0-rc2-00034-gd106a3fdbac9d #1
[   24.343858] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[   24.346026] RIP: 0010:down_write+0x28/0x50
[   24.347665] Code: 5d ff 66 66 66 66 90 53 31 d2 be fa 05 00 00 48 89 fb 48 c7 c7 b0 fe 73 ad e8 04 41 60 ff e8 9f d6 ff ff 31 c0 ba 01 00 00 00 <f0> 48 0f b1 13 75 0f 65 48 8b 04 25 c0 8b 01 00 48 89 43 08 5b c3
[   24.352502] RSP: 0000:ffffa03100877d58 EFLAGS: 00010246
[   24.354357] RAX: 0000000000000000 RBX: 00000000000000a0 RCX: ffffff8100000000
[   24.356428] RDX: 0000000000000001 RSI: 00000000000005fa RDI: ffffffffad73feb0
[   24.358407] RBP: ffffa03100877db8 R08: 0000000000000064 R09: 0000000000000001
[   24.360462] R10: ffffa03100877e18 R11: 0000000000000335 R12: 0000000000000000
[   24.364395] R13: ffff8be7bc5480a8 R14: 0000000000000001 R15: ffff8be7cec98e60
[   24.366404] FS:  00007f23b0625740(0000) GS:ffff8be83fc00000(0000) knlGS:0000000000000000
[   24.368469] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   24.370360] CR2: 00000000000000a0 CR3: 00000001bff04000 CR4: 00000000000406f0
[   24.372338] Call Trace:
[   24.377936]  simple_recursive_removal+0x4f/0x2d0
[   24.379620]  ? debugfs_remove+0x60/0x60
[   24.381070]  debugfs_remove+0x40/0x60
[   24.382528]  blk_mq_debugfs_unregister_hctx+0x15/0x30
[   24.384095]  blk_mq_exit_queue+0xd0/0x110
[   24.385561]  blk_cleanup_queue+0x94/0xe0
[   24.386958]  __scsi_remove_device+0x66/0x150
[   24.388384]  scsi_remove_device+0x21/0x30
[   24.389788]  sdev_store_delete+0x4f/0x90
[   24.391127]  kernfs_fop_write+0x124/0x1b0
[   24.392485]  vfs_write+0xbe/0x1d0
[   24.393732]  ksys_write+0xa1/0xe0
[   24.395028]  do_syscall_64+0x5b/0x1f0
[   24.396341]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   24.418166] RIP: 0033:0x7f23b0716643
[   24.419487] Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 28 48 89 54 24 18
[   24.423748] RSP: 002b:00007ffd535d5cc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   24.425787] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f23b0716643
[   24.427710] RDX: 0000000000000002 RSI: 0000000001aa6a08 RDI: 0000000000000001
[   24.429674] RBP: 0000000001aa6a08 R08: 000000000000000a R09: 0000000000000001
[   24.431601] R10: 0000000001b7d5e8 R11: 0000000000000246 R12: 0000000000000002
[   24.433531] R13: 00007f23b07e56a0 R14: 0000000000000002 R15: 00007f23b07e58a0
[   24.435466] Modules linked in: scsi_debug loop dm_multipath dm_mod intel_rapl_msr intel_rapl_common crct10dif_pclmul bochs_drm crc32_pclmul drm_vram_helper crc32c_intel drm_ttm_helper ghash_clmulni_intel ttm sd_mod t10_pi sg ppdev drm_kms_helper snd_pcm ata_generic pata_acpi syscopyarea sysfillrect snd_timer sysimgblt fb_sys_fops snd aesni_intel crypto_simd drm cryptd glue_helper ata_piix soundcore libata pcspkr joydev serio_raw parport_pc virtio_scsi i2c_piix4 parport floppy ip_tables
[   24.445381] CR2: 00000000000000a0
[   24.447202] ---[ end trace 83e08183a0d38f71 ]---


To reproduce:

        # build kernel
        cd linux
        cp config-5.7.0-rc2-00034-gd106a3fdbac9d .config
        make HOSTCC=gcc-7 CC=gcc-7 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email



Thanks,
Rong Chen


View attachment "config-5.7.0-rc2-00034-gd106a3fdbac9d" of type "text/plain" (206529 bytes)

View attachment "job-script" of type "text/plain" (5477 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (15968 bytes)
