Message-ID: <20210704150025.GC21572@xsang-OptiPlex-9020>
Date: Sun, 4 Jul 2021 23:00:25 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Christoph Hellwig <hch@....de>
Cc: Jens Axboe <axboe@...nel.dk>, LKML <linux-kernel@...r.kernel.org>,
lkp@...ts.01.org, lkp@...el.com
Subject: [ide] b7fb14d3ac: EIP:ioread32_rep
Greeting,
FYI, we noticed the following commit (built with gcc-9):
commit: b7fb14d3ac63117e0e8beabe75f4ea52051fbe3a ("ide: remove the legacy ide driver")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master
in testcase: trinity
version: trinity-static-i386-x86_64-f93256fb_2019-08-28
with following parameters:
number: 99999
group: group-00
test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/
on test machine: qemu-system-i386 -enable-kvm -cpu SandyBridge -smp 2 -m 4G
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
+------------------+------------+------------+
|                  | b90257bfdd | b7fb14d3ac |
+------------------+------------+------------+
| EIP:ioread32_rep | 0          | 110        |
+------------------+------------+------------+
If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>
[ 76.215832] BUG: unable to handle page fault for address: fffba000
[ 76.216542] #PF: supervisor write access in kernel mode
[ 76.216542] #PF: error_code(0x0002) - not-present page
[ 76.216542] *pde = 1c5cc067 *pte = 00000000
[ 76.216542] Oops: 0002 [#1] SMP
[ 76.216542] CPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G S W 5.13.0-rc2-00028-gb7fb14d3ac63 #1
[ 76.216542] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 76.216542] Workqueue: ata_sff ata_sff_pio_task
[ 76.216542] EIP: ioread32_rep (arch/x86/include/asm/io.h:336 (discriminator 4) lib/iomap.c:338 (discriminator 4))
[ 76.216542] Code: 78 15 8d b6 00 00 00 00 8b 10 83 e9 01 89 17 83 c7 04 83 f9 ff 75 f1 8b 7d fc c9 c3 8d 74 26 00 3d 00 00 01 00 76 11 0f b7 d0 <f3> 6d 8b 7d fc c9 c3 8d b4 26 00 00 00 00 8b 15 fc ec ea da 85 d2
All code
========
0: 78 15 js 0x17
2: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
8: 8b 10 mov (%rax),%edx
a: 83 e9 01 sub $0x1,%ecx
d: 89 17 mov %edx,(%rdi)
f: 83 c7 04 add $0x4,%edi
12: 83 f9 ff cmp $0xffffffff,%ecx
15: 75 f1 jne 0x8
17: 8b 7d fc mov -0x4(%rbp),%edi
1a: c9 leaveq
1b: c3 retq
1c: 8d 74 26 00 lea 0x0(%rsi,%riz,1),%esi
20: 3d 00 00 01 00 cmp $0x10000,%eax
25: 76 11 jbe 0x38
27: 0f b7 d0 movzwl %ax,%edx
2a:* f3 6d rep insl (%dx),%es:(%rdi) <-- trapping instruction
2c: 8b 7d fc mov -0x4(%rbp),%edi
2f: c9 leaveq
30: c3 retq
31: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
38: 8b 15 fc ec ea da mov -0x25151304(%rip),%edx # 0xffffffffdaeaed3a
3e: 85 d2 test %edx,%edx
Code starting with the faulting instruction
===========================================
0: f3 6d rep insl (%dx),%es:(%rdi)
2: 8b 7d fc mov -0x4(%rbp),%edi
5: c9 leaveq
6: c3 retq
7: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
e: 8b 15 fc ec ea da mov -0x25151304(%rip),%edx # 0xffffffffdaeaed10
14: 85 d2 test %edx,%edx
[ 76.216542] EAX: 00010170 EBX: 00000200 ECX: 00000080 EDX: 00000170
[ 76.216542] ESI: fffb9ec0 EDI: fffb9ec0 EBP: c1c9be58 ESP: c1c9be54
[ 76.216542] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00010002
[ 76.216542] CR0: 80050033 CR2: fffba000 CR3: 1bb3e000 CR4: 000406d0
[ 76.216542] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 76.216542] DR6: fffe0ff0 DR7: 00000400
[ 76.216542] Call Trace:
[ 76.216542] ata_sff_data_xfer32 (drivers/ata/libata-sff.c:612)
[ 76.216542] ? ata_sff_data_xfer (drivers/ata/libata-sff.c:595)
[ 76.216542] ata_pio_sector (include/linux/highmem-internal.h:112 drivers/ata/libata-sff.c:676)
[ 76.216542] ata_pio_sectors (drivers/ata/libata-sff.c:717)
[ 76.216542] ata_sff_hsm_move (drivers/ata/libata-sff.c:1169)
[ 76.216542] ? lock_acquired (kernel/locking/lockdep.c:5705 kernel/locking/lockdep.c:5765)
[ 76.216542] ? ata_sff_pio_task (drivers/ata/libata-sff.c:1279)
[ 76.216542] ata_sff_pio_task (drivers/ata/libata-sff.c:1321)
[ 76.216542] process_one_work (arch/x86/include/asm/jump_label.h:19 include/linux/jump_label.h:200 include/trace/events/workqueue.h:108 kernel/workqueue.c:2280)
[ 76.216542] worker_thread (include/linux/list.h:282 kernel/workqueue.c:2422)
[ 76.216542] kthread (kernel/kthread.c:313)
[ 76.216542] ? process_one_work (kernel/workqueue.c:2364)
[ 76.216542] ? kthread_insert_work_sanity_check (kernel/kthread.c:266)
[ 76.216542] ret_from_fork (arch/x86/entry/entry_32.S:775)
[ 76.216542] Modules linked in:
[ 76.216542] CR2: 00000000fffba000
[ 76.216542] ---[ end trace c380b1d7998675ad ]---
[ 76.216542] EIP: ioread32_rep (arch/x86/include/asm/io.h:336 (discriminator 4) lib/iomap.c:338 (discriminator 4))
[ 76.216542] Code: 78 15 8d b6 00 00 00 00 8b 10 83 e9 01 89 17 83 c7 04 83 f9 ff 75 f1 8b 7d fc c9 c3 8d 74 26 00 3d 00 00 01 00 76 11 0f b7 d0 <f3> 6d 8b 7d fc c9 c3 8d b4 26 00 00 00 00 8b 15 fc ec ea da 85 d2
All code
========
0: 78 15 js 0x17
2: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
8: 8b 10 mov (%rax),%edx
a: 83 e9 01 sub $0x1,%ecx
d: 89 17 mov %edx,(%rdi)
f: 83 c7 04 add $0x4,%edi
12: 83 f9 ff cmp $0xffffffff,%ecx
15: 75 f1 jne 0x8
17: 8b 7d fc mov -0x4(%rbp),%edi
1a: c9 leaveq
1b: c3 retq
1c: 8d 74 26 00 lea 0x0(%rsi,%riz,1),%esi
20: 3d 00 00 01 00 cmp $0x10000,%eax
25: 76 11 jbe 0x38
27: 0f b7 d0 movzwl %ax,%edx
2a:* f3 6d rep insl (%dx),%es:(%rdi) <-- trapping instruction
2c: 8b 7d fc mov -0x4(%rbp),%edi
2f: c9 leaveq
30: c3 retq
31: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
38: 8b 15 fc ec ea da mov -0x25151304(%rip),%edx # 0xffffffffdaeaed3a
3e: 85 d2 test %edx,%edx
Code starting with the faulting instruction
===========================================
0: f3 6d rep insl (%dx),%es:(%rdi)
2: 8b 7d fc mov -0x4(%rbp),%edi
5: c9 leaveq
6: c3 retq
7: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
e: 8b 15 fc ec ea da mov -0x25151304(%rip),%edx # 0xffffffffdaeaed10
14: 85 d2 test %edx,%edx
To reproduce:
        # build kernel
        cd linux
        cp config-5.13.0-rc2-00028-gb7fb14d3ac63 .config
        make HOSTCC=gcc-9 CC=gcc-9 ARCH=i386 olddefconfig prepare modules_prepare bzImage

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email
---
0DAY/LKP+ Test Infrastructure Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org Intel Corporation
Thanks,
Oliver Sang
View attachment "config-5.13.0-rc2-00028-gb7fb14d3ac63" of type "text/plain" (268633 bytes)
View attachment "job-script" of type "text/plain" (4191 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (22016 bytes)