Date:   Tue, 12 Jan 2021 21:27:51 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Roman Gushchin <guro@...com>
Cc:     Alexei Starovoitov <ast@...nel.org>,
        Song Liu <songliubraving@...com>,
        LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org,
        lkp@...el.com
Subject: [bpf]  755e5d5536: BUG:Bad_page_map_in_process


Greetings,

FYI, we noticed the following commit (built with gcc-9):

commit: 755e5d55367af5ff75a4db9b6cf439416878e2c7 ("bpf: Eliminate rlimit-based memory accounting for hashtab maps")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master


in testcase: trinity
version: trinity-i386-4d2343bd-1_20200320
with the following parameters:

	runtime: 300s

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-i386 -enable-kvm -cpu SandyBridge -smp 2 -m 8G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):


+------------------------------------------------------------+------------+------------+
|                                                            | 844f157f6c | 755e5d5536 |
+------------------------------------------------------------+------------+------------+
| BUG:Bad_page_map_in_process                                | 0          | 9          |
| BUG:Bad_page_state_in_process                              | 0          | 9          |
| BUG:Bad_rss-counter_state_mm:(ptrval)type:MM_FILEPAGES_val | 0          | 1          |
| BUG:Bad_rss-counter_state_mm:#type:MM_FILEPAGES_val        | 0          | 8          |
| WARNING:at_mm/vmalloc.c:#vmap_pte_range                    | 0          | 3          |
| EIP:vmap_pte_range                                         | 0          | 3          |
| BUG:unable_to_handle_page_fault_for_address                | 0          | 1          |
| Oops:#[##]                                                 | 0          | 1          |
| EIP:free_percpu                                            | 0          | 1          |
| EIP:__rb_reserve_next                                      | 0          | 1          |
| WARNING:at_mm/percpu-vm.c:#__pcpu_balance_workfn           | 0          | 1          |
| EIP:__pcpu_balance_workfn                                  | 0          | 1          |
| WARNING:at_mm/vmalloc.c:#unmap_kernel_range_noflush        | 0          | 1          |
| EIP:unmap_kernel_range_noflush                             | 0          | 1          |
+------------------------------------------------------------+------------+------------+


If you fix the issue, kindly add the following tag:
Reported-by: kernel test robot <oliver.sang@...el.com>


[  193.546506] BUG: Bad page map in process date  pte:5cc5c067 pmd:5ce4a067
[  193.547646] page:fe1464e0 refcount:1 mapcount:-1 mapping:00000000 index:0x0 pfn:0x5cc5c
[  193.548942] flags: 0x480000a(referenced|dirty)
[  193.549777] raw: 0480000a 00000100 00000122 00000000 00000000 00000000 fffffffe 00000001
[  193.551064] page dumped because: bad pte
[  193.551725] addr:77df4000 vm_flags:00000075 anon_vma:00000000 mapping:83e52410 index:1f
[  193.553041] file:libc-2.24.so fault:filemap_fault mmap:generic_file_mmap readpage:simple_readpage
[  193.554585] CPU: 0 PID: 4021 Comm: date Not tainted 5.10.0-rc3-g755e5d55367a #1
[  193.555718] Call Trace:
[  193.556133]  dump_stack+0xa6/0xe0
[  193.556721]  ? simple_link+0x96/0x96
[  193.557331]  print_bad_pte.cold+0x3e/0x9b
[  193.558008]  ? read_cache_page_gfp+0x1f/0x1f
[  193.558721]  ? page_cache_next_miss+0x102/0x102
[  193.559483]  ? simple_link+0x96/0x96
[  193.560061]  zap_pte_range+0x9e0/0xe66
[  193.560701]  unmap_page_range+0x251/0x2b8
[  193.561360]  unmap_single_vma+0xf9/0x19c
[  193.562030]  unmap_vmas+0x30/0x46
[  193.562539]  exit_mmap+0x98/0x1a4
[  193.563066]  ? static_obj+0x24/0x5b
[  193.563638]  mmput+0x76/0x14d
[  193.564141]  exit_mm+0x243/0x2ff
[  193.564686]  do_exit+0x1e4/0x8ce
[  193.565222]  ? syscall_trace_enter+0x86/0x352
[  193.566045]  ? __might_sleep+0x69/0x119
[  193.566722]  do_group_exit+0x66/0xe1
[  193.567325]  __ia32_sys_exit_group+0x15/0x15
[  193.568051]  __do_fast_syscall_32+0x82/0xb6
[  193.568893]  do_fast_syscall_32+0x32/0x8c
[  193.569582]  do_SYSENTER_32+0x15/0x17
[  193.570207]  entry_SYSENTER_32+0x98/0xe7
[  193.570879] EIP: 0x77f9a549
[  193.571364] Code: Unable to access opcode bytes at RIP 0x77f9a51f.
[  193.572449] EAX: ffffffda EBX: 00000000 ECX: 77f8a1d8 EDX: 00000000
[  193.573526] ESI: 00000000 EDI: 77f872f0 EBP: 77f8a1e0 ESP: 7ffd5c8c
[  193.574569] DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 007b EFLAGS: 00000212
[  193.575760] Disabling lock debugging due to kernel taint
[  193.576716] BUG: Bad page state in process date  pfn:5cc5c
[  193.577636] page:fe1464e0 refcount:0 mapcount:-1 mapping:00000000 index:0x0 pfn:0x5cc5c
[  193.578966] flags: 0x480000a(referenced|dirty)
[  193.579711] raw: 0480000a d5e7e804 da867d30 00000000 00000000 00000000 fffffffe 00000000
[  193.581017] page dumped because: nonzero mapcount
[  193.581750] Modules linked in:
[  193.582199] CPU: 0 PID: 4021 Comm: date Tainted: G    B             5.10.0-rc3-g755e5d55367a #1
[  193.583319] Call Trace:
[  193.583662]  dump_stack+0xa6/0xe0
[  193.584124]  bad_page.cold+0xc3/0x12d
[  193.584701]  free_unref_page_prepare+0x2f0/0x4d8
[  193.585402]  free_unref_page_list+0x71/0x2ef
[  193.586101]  release_pages+0x268/0xb37
[  193.586720]  free_pages_and_swap_cache+0x186/0x201
[  193.587477]  tlb_flush_mmu+0x38/0x147
[  193.588094]  zap_pte_range+0x805/0xe66
[  193.593544]  unmap_page_range+0x251/0x2b8
[  193.594978]  unmap_single_vma+0xf9/0x19c
[  193.596685]  unmap_vmas+0x30/0x46
[  193.598001]  exit_mmap+0x98/0x1a4
[  193.599206]  ? static_obj+0x1c/0x5b
[  193.600631]  mmput+0x76/0x14d
[  193.601672]  exit_mm+0x243/0x2ff
[  193.603151]  do_exit+0x1e4/0x8ce
[  193.604220]  ? syscall_trace_enter+0x86/0x352
[  193.606647]  ? __might_sleep+0x69/0x119
[  193.608021]  do_group_exit+0x66/0xe1
[  193.609423]  __ia32_sys_exit_group+0x15/0x15
[  193.610842]  __do_fast_syscall_32+0x82/0xb6
[  193.612185]  do_fast_syscall_32+0x32/0x8c
[  193.613385]  do_SYSENTER_32+0x15/0x17
[  193.614834]  entry_SYSENTER_32+0x98/0xe7
[  193.616367] EIP: 0x77f9a549
[  193.617616] Code: Unable to access opcode bytes at RIP 0x77f9a51f.
[  193.619740] EAX: ffffffda EBX: 00000000 ECX: 77f8a1d8 EDX: 00000000
[  193.622017] ESI: 00000000 EDI: 77f872f0 EBP: 77f8a1e0 ESP: 7ffd5c8c
[  193.624487] DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 007b EFLAGS: 00000212
[  193.634118] [main] kernel became tainted! (32/0) Last seed was 2108326312
[  193.634129] 
[  193.647457] trinity: Detected kernel tainting. Last seed was 2108326312
[  193.647468] 
[  193.655333] [main] 234371 iterations. [F:173434 S:59743 HI:4141]
[  193.655347] 
[  193.659151] [main] exit_reason=7, but 7 children still running.
[  193.659163] 
[  193.660632] BUG: Bad rss-counter state mm:00531b01 type:MM_FILEPAGES val:-1
[  195.673042] [main] Bailing main loop because kernel became tainted..
[  195.673054] 
[  196.129654] [main] Ran 234371 syscalls. Successes: 59743  Failures: 173434
[  196.129665] 

Kboot worker: lkp-worker26
Elapsed time: 240

kvm=(
	qemu-system-i386
	-enable-kvm
	-cpu SandyBridge
	-kernel $kernel
	-initrd initrd-vm-snb-i386-74.cgz
	-m 8192
	-smp 2
	-device e1000,netdev=net0
	-netdev user,id=net0,hostfwd=tcp::32032-:22
	-boot order=nc
	-no-reboot
	-watchdog i6300esb
	-watchdog-action debug
	-rtc base=localtime
	-serial stdio
	-display none
	-monitor null
)

append=(
	ip=::::vm-snb-i386-74::dhcp
	root=/dev/ram0
	user=lkp
	job=/job-script
	ARCH=i386
	kconfig=i386-randconfig-f003-20200323
	branch=linus/master
	commit=755e5d55367af5ff75a4db9b6cf439416878e2c7
	BOOT_IMAGE=/pkg/linux/i386-randconfig-f003-20200323/gcc-9/755e5d55367af5ff75a4db9b6cf439416878e2c7/vmlinuz-5.10.0-rc3-g755e5d55367a
	vmalloc=512M
	max_uptime=2100
	RESULT_ROOT=/result/trinity/300s/vm-snb-i386/debian-i386-20191205.cgz/i386-randconfig-f003-20200323/gcc-9/755e5d55367af5ff75a4db9b6cf439416878e2c7/147
	result_service=tmpfs
	selinux=0
	debug
	apic=debug
	sysrq_always_enabled
	rcupdate.rcu_cpu_stall_timeout=100
	net.ifnames=0
	printk.devkmsg=on
	panic=-1
	softlockup_panic=1
	nmi_watchdog=panic
	oops=panic
	load_ramdisk=2
	prompt_ramdisk=0
	drbd.minor_count=8
	systemd.log_level=err
	ignore_loglevel
	console=tty0
	earlyprintk=ttyS0,115200
	console=ttyS0,115200
	vga=normal
	rw
	rcuperf.shutdown=0
	watchdog_thresh=240
)

"${kvm[@]}" -append "${append[*]}"


To reproduce:

	# build kernel
	cd linux
	cp config-5.10.0-rc3-g755e5d55367a .config
	make HOSTCC=gcc-9 CC=gcc-9 ARCH=i386 olddefconfig prepare modules_prepare bzImage

	git clone https://github.com/intel/lkp-tests.git
	cd lkp-tests
	bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email



Thanks,
Oliver Sang


View attachment "config-5.10.0-rc3-g755e5d55367a" of type "text/plain" (124257 bytes)

View attachment "job-script" of type "text/plain" (4173 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (21216 bytes)
