Message-ID: <20210425022039.GC5251@xsang-OptiPlex-9020>
Date: Sun, 25 Apr 2021 10:20:39 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Changheun Lee <nanich.lee@...sung.com>
Cc: 0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
lkp@...ts.01.org, bvanassche@....org, Johannes.Thumshirn@....com,
asml.silence@...il.com, axboe@...nel.dk, damien.lemoal@....com,
gregkh@...uxfoundation.org, hch@...radead.org,
linux-block@...r.kernel.org, ming.lei@...hat.com, osandov@...com,
patchwork-bot@...nel.org, tj@...nel.org, tom.leiming@...il.com,
jisoo2146.oh@...sung.com, junho89.kim@...sung.com,
mj0123.lee@...sung.com, seunghwan.hyun@...sung.com,
sookwan7.kim@...sung.com, woosung2.lee@...sung.com,
yt0928.kim@...sung.com, Changheun Lee <nanich.lee@...sung.com>
Subject: [bio] 803f54ef52: BUG:kernel_NULL_pointer_dereference,address
Greetings,
FYI, we noticed the following commit (built with gcc-9):
commit: 803f54ef52fc0eec23aa58fa64f2b6fcf67dd466 ("[PATCH v8] bio: limit bio max size")
url: https://github.com/0day-ci/linux/commits/Changheun-Lee/bio-limit-bio-max-size/20210421-180805
base: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git 1fe5501ba1abf2b7e78295df73675423bd6899a0
in testcase: kernel-builtin
version:
with the following parameters:
sleep: 10
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):
+---------------------------------------------+------------+------------+
| | 1fe5501ba1 | 803f54ef52 |
+---------------------------------------------+------------+------------+
| boot_successes | 7 | 0 |
| boot_failures | 0 | 10 |
| BUG:kernel_NULL_pointer_dereference,address | 0 | 10 |
| Oops:#[##] | 0 | 10 |
| RIP:bio_add_hw_page | 0 | 10 |
| Kernel_panic-not_syncing:Fatal_exception | 0 | 10 |
+---------------------------------------------+------------+------------+
If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <oliver.sang@...el.com>
[ 7.411064] BUG: kernel NULL pointer dereference, address: 0000000000000368
[ 7.411687] #PF: supervisor read access in kernel mode
[ 7.412167] #PF: error_code(0x0000) - not-present page
[ 7.412649] PGD 0 P4D 0
[ 7.412930] Oops: 0000 [#1] SMP PTI
[ 7.413278] CPU: 0 PID: 173 Comm: kworker/u4:2 Not tainted 5.12.0-rc8-00005-g803f54ef52fc #1
[ 7.414041] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 7.414791] Workqueue: events_unbound async_run_entry_fn
[ 7.415280] RIP: 0010:bio_add_hw_page (kbuild/src/consumer/block/bio.c:260 kbuild/src/consumer/include/linux/bio.h:124 kbuild/src/consumer/include/linux/bio.h:119 kbuild/src/consumer/block/bio.c:778 kbuild/src/consumer/block/bio.c:753)
[ 7.415717] Code: 09 44 39 c8 0f 87 f5 00 00 00 0f b7 46 60 49 89 fc 49 89 d6 45 89 c5 66 85 c0 75 60 66 39 43 62 0f 86 d9 00 00 00 48 8b 53 08 <48> 8b 92 68 03 00 00 48 8b 52 50 8b 92 08 04 00 00 29 ea 39 53 28
All code
========
0: 09 44 39 c8 or %eax,-0x38(%rcx,%rdi,1)
4: 0f 87 f5 00 00 00 ja 0xff
a: 0f b7 46 60 movzwl 0x60(%rsi),%eax
e: 49 89 fc mov %rdi,%r12
11: 49 89 d6 mov %rdx,%r14
14: 45 89 c5 mov %r8d,%r13d
17: 66 85 c0 test %ax,%ax
1a: 75 60 jne 0x7c
1c: 66 39 43 62 cmp %ax,0x62(%rbx)
20: 0f 86 d9 00 00 00 jbe 0xff
26: 48 8b 53 08 mov 0x8(%rbx),%rdx
2a:* 48 8b 92 68 03 00 00 mov 0x368(%rdx),%rdx <-- trapping instruction
31: 48 8b 52 50 mov 0x50(%rdx),%rdx
35: 8b 92 08 04 00 00 mov 0x408(%rdx),%edx
3b: 29 ea sub %ebp,%edx
3d: 39 53 28 cmp %edx,0x28(%rbx)
Code starting with the faulting instruction
===========================================
0: 48 8b 92 68 03 00 00 mov 0x368(%rdx),%rdx
7: 48 8b 52 50 mov 0x50(%rdx),%rdx
b: 8b 92 08 04 00 00 mov 0x408(%rdx),%edx
11: 29 ea sub %ebp,%edx
13: 39 53 28 cmp %edx,0x28(%rbx)
[ 7.417280] RSP: 0000:ffffaef600247c00 EFLAGS: 00010202
[ 7.417757] RAX: 0000000000000000 RBX: ffff9144f8624cc0 RCX: 0000000000000024
[ 7.418378] RDX: 0000000000000000 RSI: ffff9144f8624cc0 RDI: ffff9144af936d60
[ 7.418998] RBP: 0000000000000024 R08: 0000000000000200 R09: 0000000000000200
[ 7.419615] R10: 0000000000000002 R11: ffff9144f8619c77 R12: ffff9144af936d60
[ 7.420233] R13: 0000000000000200 R14: ffffdf6144d7ab40 R15: 0000000000000024
[ 7.420861] FS: 0000000000000000(0000) GS:ffff9147afc00000(0000) knlGS:0000000000000000
[ 7.421595] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 7.422108] CR2: 0000000000000368 CR3: 0000000135e8a000 CR4: 00000000000406f0
[ 7.422728] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 7.423350] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 7.423971] Call Trace:
[ 7.424256] bio_add_pc_page (kbuild/src/consumer/block/bio.c:812)
[ 7.424633] blk_rq_map_kern (kbuild/src/consumer/block/blk-map.c:414 kbuild/src/consumer/block/blk-map.c:698)
[ 7.425017] __scsi_execute (kbuild/src/consumer/drivers/scsi/scsi_lib.c:258 (discriminator 1))
[ 7.425395] scsi_probe_and_add_lun (kbuild/src/consumer/include/scsi/scsi_device.h:461 kbuild/src/consumer/drivers/scsi/scsi_scan.c:592 kbuild/src/consumer/drivers/scsi/scsi_scan.c:1086)
[ 7.425821] ? __pm_runtime_resume (kbuild/src/consumer/drivers/base/power/runtime.c:1114)
[ 7.426229] __scsi_add_device (kbuild/src/consumer/drivers/scsi/scsi_scan.c:1480)
[ 7.426619] ata_scsi_scan_host (kbuild/src/consumer/drivers/ata/libata-scsi.c:4336) libata
[ 7.427087] async_run_entry_fn (kbuild/src/consumer/kernel/async.c:124)
[ 7.427485] process_one_work (kbuild/src/consumer/arch/x86/include/asm/jump_label.h:25 kbuild/src/consumer/include/linux/jump_label.h:200 kbuild/src/consumer/include/trace/events/workqueue.h:108 kbuild/src/consumer/kernel/workqueue.c:2280)
[ 7.427872] ? process_one_work (kbuild/src/consumer/kernel/workqueue.c:2364)
[ 7.428274] worker_thread (kbuild/src/consumer/include/linux/list.h:282 kbuild/src/consumer/kernel/workqueue.c:2422)
[ 7.428644] ? process_one_work (kbuild/src/consumer/kernel/workqueue.c:2364)
[ 7.429047] kthread (kbuild/src/consumer/kernel/kthread.c:292)
[ 7.429376] ? kthread_park (kbuild/src/consumer/kernel/kthread.c:245)
[ 7.429738] ret_from_fork (kbuild/src/consumer/arch/x86/entry/entry_64.S:300)
[ 7.430097] Modules linked in: syscopyarea sysfillrect sysimgblt fb_sys_fops drm intel_rapl_msr ppdev intel_rapl_common crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel rapl joydev ata_piix libata serio_raw i2c_piix4 ipmi_devintf ipmi_msghandler parport_pc parport ip_tables
[ 7.432217] CR2: 0000000000000368
[ 7.432563] ---[ end trace da8ba044c8e60dc6 ]---
[ 7.432992] RIP: 0010:bio_add_hw_page (kbuild/src/consumer/block/bio.c:260 kbuild/src/consumer/include/linux/bio.h:124 kbuild/src/consumer/include/linux/bio.h:119 kbuild/src/consumer/block/bio.c:778 kbuild/src/consumer/block/bio.c:753)
[ 7.433424] Code: 09 44 39 c8 0f 87 f5 00 00 00 0f b7 46 60 49 89 fc 49 89 d6 45 89 c5 66 85 c0 75 60 66 39 43 62 0f 86 d9 00 00 00 48 8b 53 08 <48> 8b 92 68 03 00 00 48 8b 52 50 8b 92 08 04 00 00 29 ea 39 53 28
To reproduce:
# build kernel
cd linux
cp config-5.12.0-rc8-00005-g803f54ef52fc .config
make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email
---
0DAY/LKP+ Test Infrastructure Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org Intel Corporation
Thanks,
Oliver Sang
View attachment "config-5.12.0-rc8-00005-g803f54ef52fc" of type "text/plain" (170175 bytes)
View attachment "job-script" of type "text/plain" (4486 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (14260 bytes)