| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20210406045528.GA7352@xsang-OptiPlex-9020>
Date: Tue, 6 Apr 2021 12:55:28 +0800
From: kernel test robot <oliver.sang@...el.com>
To: "Rafael J. Wysocki" <rafael.j.wysocki@...el.com>
Cc: George Kennedy <george.kennedy@...cle.com>,
Mike Rapoport <rppt@...ux.ibm.com>,
LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org,
lkp@...el.com
Subject: [ACPI] 1a1c130ab7: BUG:kernel_NULL_pointer_dereference,address
Greeting,
FYI, we noticed the following commit (built with gcc-9):
commit: 1a1c130ab7575498eed5bcf7220037ae09cd1f8a ("ACPI: tables: x86: Reserve memory occupied by ACPI tables")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master
in testcase: trinity
version: trinity-i386-4d2343bd-1_20200320
with following parameters:
number: 99999
group: group-00
test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/
on test machine: qemu-system-i386 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
+---------------------------------------------------------+-----------+------------+
| | v5.12-rc5 | 1a1c130ab7 |
+---------------------------------------------------------+-----------+------------+
| boot_successes | 16 | 0 |
| BUG:kernel_NULL_pointer_dereference,address | 0 | 24 |
| Oops:#[##] | 0 | 24 |
| EIP:get_pfnblock_flags_mask | 0 | 24 |
| Kernel_panic-not_syncing:Fatal_exception | 0 | 24 |
+---------------------------------------------------------+-----------+------------+
If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>
[ 0.136065] BUG: kernel NULL pointer dereference, address: 00000004
[ 0.136596] #PF: supervisor read access in kernel mode
[ 0.137003] #PF: error_code(0x0000) - not-present page
[ 0.137431] *pde = 00000000
[ 0.137671] Oops: 0000 [#1]
[ 0.137908] CPU: 0 PID: 0 Comm: swapper Not tainted 5.12.0-rc5-00001-g1a1c130ab757 #2
[ 0.138567] EIP: get_pfnblock_flags_mask (kbuild/src/consumer/mm/page_alloc.c:490 kbuild/src/consumer/mm/page_alloc.c:504)
[ 0.138971] Code: 55 89 e5 83 ec 08 89 5d f8 89 cb 89 d1 89 75 fc c1 ea 0e c1 e2 04 8b 82 84 77 95 c2 c1 e9 08 83 e1 3c 89 ce 83 e1 1f c1 ee 05 <8b> 04 b0 8b 75 fc d3 e8 21 d8 8b 5d f8 89 ec 5d c3 e8 27 dc e4 ff
All code
========
0: 55 push %rbp
1: 89 e5 mov %esp,%ebp
3: 83 ec 08 sub $0x8,%esp
6: 89 5d f8 mov %ebx,-0x8(%rbp)
9: 89 cb mov %ecx,%ebx
b: 89 d1 mov %edx,%ecx
d: 89 75 fc mov %esi,-0x4(%rbp)
10: c1 ea 0e shr $0xe,%edx
13: c1 e2 04 shl $0x4,%edx
16: 8b 82 84 77 95 c2 mov -0x3d6a887c(%rdx),%eax
1c: c1 e9 08 shr $0x8,%ecx
1f: 83 e1 3c and $0x3c,%ecx
22: 89 ce mov %ecx,%esi
24: 83 e1 1f and $0x1f,%ecx
27: c1 ee 05 shr $0x5,%esi
2a:* 8b 04 b0 mov (%rax,%rsi,4),%eax <-- trapping instruction
2d: 8b 75 fc mov -0x4(%rbp),%esi
30: d3 e8 shr %cl,%eax
32: 21 d8 and %ebx,%eax
34: 8b 5d f8 mov -0x8(%rbp),%ebx
37: 89 ec mov %ebp,%esp
39: 5d pop %rbp
3a: c3 retq
3b: e8 27 dc e4 ff callq 0xffffffffffe4dc67
Code starting with the faulting instruction
===========================================
0: 8b 04 b0 mov (%rax,%rsi,4),%eax
3: 8b 75 fc mov -0x4(%rbp),%esi
6: d3 e8 shr %cl,%eax
8: 21 d8 and %ebx,%eax
a: 8b 5d f8 mov -0x8(%rbp),%ebx
d: 89 ec mov %ebp,%esp
f: 5d pop %rbp
10: c3 retq
11: e8 27 dc e4 ff callq 0xffffffffffe4dc3d
[ 0.140504] EAX: 00000000 EBX: 00000007 ECX: 0000001c EDX: 003faaa0
[ 0.141025] ESI: 00000001 EDI: ffffffff EBP: c1c29e18 ESP: c1c29e10
[ 0.141544] DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00210003
[ 0.142096] CR0: 80050033 CR2: 00000004 CR3: 02226000 CR4: 00040690
[ 0.142620] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 0.143146] DR6: fffe0ff0 DR7: 00000400
[ 0.143473] Call Trace:
[ 0.143698] __dump_page (kbuild/src/consumer/mm/debug.c:66)
[ 0.143984] ? find_held_lock (kbuild/src/consumer/kernel/locking/lockdep.c:5003)
[ 0.144300] ? _raw_spin_unlock (kbuild/src/consumer/kernel/locking/spinlock.c:184)
[ 0.144633] ? console_unlock (kbuild/src/consumer/kernel/printk/printk.c:2561)
[ 0.144960] ? __next_mem_range_rev (kbuild/src/consumer/mm/memblock.c:1106)
[ 0.145339] ? memblock_insert_region+0x2a/0x45
[ 0.145762] ? memblock_add_range+0x12d/0x137
[ 0.146242] ? memblock_reserve (kbuild/src/consumer/mm/memblock.c:818 (discriminator 3))
[ 0.146570] ? should_skip_region (kbuild/src/consumer/mm/memblock.c:935)
[ 0.146905] ? __next_mem_range (kbuild/src/consumer/mm/memblock.c:1002)
[ 0.147245] dump_page (kbuild/src/consumer/arch/x86/include/asm/jump_label.h:25 kbuild/src/consumer/include/linux/page_owner.h:51 kbuild/src/consumer/mm/debug.c:193)
[ 0.147536] reserve_bootmem_region (kbuild/src/consumer/include/linux/page-flags.h:356 kbuild/src/consumer/mm/page_alloc.c:1528)
[ 0.147953] memblock_free_all (kbuild/src/consumer/mm/memblock.c:2013 kbuild/src/consumer/mm/memblock.c:2061)
[ 0.148376] ? memblock_alloc_try_nid (kbuild/src/consumer/mm/memblock.c:1567 (discriminator 3))
[ 0.148857] mem_init (kbuild/src/consumer/arch/x86/mm/init_32.c:756)
[ 0.149119] start_kernel (kbuild/src/consumer/init/main.c:835 kbuild/src/consumer/init/main.c:908)
[ 0.149421] i386_start_kernel (kbuild/src/consumer/arch/x86/kernel/head32.c:57)
[ 0.149744] startup_32_smp (kbuild/src/consumer/arch/x86/kernel/head_32.S:328)
[ 0.150071] Modules linked in:
[ 0.150330] CR2: 0000000000000004
[ 0.150589] random: get_random_bytes called from print_oops_end_marker+0x2f/0x50 with crng_init=0
[ 0.150596] ---[ end trace 0000000000000000 ]---
[ 0.151694] EIP: get_pfnblock_flags_mask (kbuild/src/consumer/mm/page_alloc.c:490 kbuild/src/consumer/mm/page_alloc.c:504)
[ 0.152069] Code: 55 89 e5 83 ec 08 89 5d f8 89 cb 89 d1 89 75 fc c1 ea 0e c1 e2 04 8b 82 84 77 95 c2 c1 e9 08 83 e1 3c 89 ce 83 e1 1f c1 ee 05 <8b> 04 b0 8b 75 fc d3 e8 21 d8 8b 5d f8 89 ec 5d c3 e8 27 dc e4 ff
All code
========
0: 55 push %rbp
1: 89 e5 mov %esp,%ebp
3: 83 ec 08 sub $0x8,%esp
6: 89 5d f8 mov %ebx,-0x8(%rbp)
9: 89 cb mov %ecx,%ebx
b: 89 d1 mov %edx,%ecx
d: 89 75 fc mov %esi,-0x4(%rbp)
10: c1 ea 0e shr $0xe,%edx
13: c1 e2 04 shl $0x4,%edx
16: 8b 82 84 77 95 c2 mov -0x3d6a887c(%rdx),%eax
1c: c1 e9 08 shr $0x8,%ecx
1f: 83 e1 3c and $0x3c,%ecx
22: 89 ce mov %ecx,%esi
24: 83 e1 1f and $0x1f,%ecx
27: c1 ee 05 shr $0x5,%esi
2a:* 8b 04 b0 mov (%rax,%rsi,4),%eax <-- trapping instruction
2d: 8b 75 fc mov -0x4(%rbp),%esi
30: d3 e8 shr %cl,%eax
32: 21 d8 and %ebx,%eax
34: 8b 5d f8 mov -0x8(%rbp),%ebx
37: 89 ec mov %ebp,%esp
39: 5d pop %rbp
3a: c3 retq
3b: e8 27 dc e4 ff callq 0xffffffffffe4dc67
Code starting with the faulting instruction
===========================================
0: 8b 04 b0 mov (%rax,%rsi,4),%eax
3: 8b 75 fc mov -0x4(%rbp),%esi
6: d3 e8 shr %cl,%eax
8: 21 d8 and %ebx,%eax
a: 8b 5d f8 mov -0x8(%rbp),%ebx
d: 89 ec mov %ebp,%esp
f: 5d pop %rbp
10: c3 retq
11: e8 27 dc e4 ff callq 0xffffffffffe4dc3d
To reproduce:
# build kernel
cd linux
cp config-5.12.0-rc5-00001-g1a1c130ab757 .config
make HOSTCC=gcc-9 CC=gcc-9 ARCH=i386 olddefconfig prepare modules_prepare bzImage
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email
---
0DAY/LKP+ Test Infrastructure Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org Intel Corporation
Thanks,
Oliver Sang
View attachment "config-5.12.0-rc5-00001-g1a1c130ab757" of type "text/plain" (129808 bytes)
View attachment "job-script" of type "text/plain" (4219 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (4600 bytes)
Powered by blists - more mailing lists