| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 8 Aug 2021 21:30:25 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Valentin Schneider <valentin.schneider@....com>
Cc: 0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
lkp@...ts.01.org, Peter Zijlstra <peterz@...radead.org>,
Ingo Molnar <mingo@...nel.org>,
Vincent Guittot <vincent.guittot@...aro.org>,
Dietmar Eggemann <dietmar.eggemann@....com>,
aubrey.li@...ux.intel.com, yu.c.chen@...el.com
Subject: [sched/fair] cbd87e97ca: BUG:kernel_NULL_pointer_dereference,address
Greeting,
FYI, we noticed the following commit (built with gcc-9):
commit: cbd87e97caf59c1a9d06d35e5a59404e4d7c8660 ("[PATCH] sched/fair: Update nohz.next_balance for newly NOHZ-idle CPUs")
url: https://github.com/0day-ci/linux/commits/Valentin-Schneider/sched-fair-Update-nohz-next_balance-for-newly-NOHZ-idle-CPUs/20210714-194021
base: https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git 031e3bd8986fffe31e1ddbf5264cccfe30c9abd7
in testcase: trinity
version: trinity-x86_64-da65f0aa-1_20210719
with following parameters:
number: 99999
group: group-03
test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>
[ 11.102934][ C1] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 11.104253][ C1] #PF: supervisor write access in kernel mode
[ 11.105209][ C1] #PF: error_code(0x0002) - not-present page
[ 11.106215][ C1] PGD 0 P4D 0
[ 11.106848][ C1] Oops: 0002 [#1] SMP PTI
[ 11.106919][ C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.13.0-rc6-00081-gcbd87e97caf5 #1
[ 11.106919][ C1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 11.106919][ C1] RIP: 0010:__memcpy (arch/x86/lib/memcpy_64.S:39)
[ 11.106919][ C1] Code: 74 be 0f 1f 44 00 00 c7 05 97 29 d1 03 0f 00 00 00 eb ad cc cc cc cc cc 0f 1f 44 00 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4
All code
========
0: 74 be je 0xffffffffffffffc0
2: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
7: c7 05 97 29 d1 03 0f movl $0xf,0x3d12997(%rip) # 0x3d129a8
e: 00 00 00
11: eb ad jmp 0xffffffffffffffc0
13: cc int3
14: cc int3
15: cc int3
16: cc int3
17: cc int3
18: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
1d: 48 89 f8 mov %rdi,%rax
20: 48 89 d1 mov %rdx,%rcx
23: 48 c1 e9 03 shr $0x3,%rcx
27: 83 e2 07 and $0x7,%edx
2a:* f3 48 a5 rep movsq %ds:(%rsi),%es:(%rdi) <-- trapping instruction
2d: 89 d1 mov %edx,%ecx
2f: f3 a4 rep movsb %ds:(%rsi),%es:(%rdi)
31: c3 retq
32: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
38: 48 89 f8 mov %rdi,%rax
3b: 48 89 d1 mov %rdx,%rcx
3e: f3 a4 rep movsb %ds:(%rsi),%es:(%rdi)
Code starting with the faulting instruction
===========================================
0: f3 48 a5 rep movsq %ds:(%rsi),%es:(%rdi)
3: 89 d1 mov %edx,%ecx
5: f3 a4 rep movsb %ds:(%rsi),%es:(%rdi)
7: c3 retq
8: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
e: 48 89 f8 mov %rdi,%rax
11: 48 89 d1 mov %rdx,%rcx
14: f3 a4 rep movsb %ds:(%rsi),%es:(%rdi)
[ 11.106919][ C1] RSP: 0000:ffffa8f280120f18 EFLAGS: 00010246
[ 11.106919][ C1] RAX: 0000000000000000 RBX: 00000000ffff1d2f RCX: 0000000000000001
[ 11.106919][ C1] RDX: 0000000000000000 RSI: ffff8b4d002b6ed0 RDI: 0000000000000000
[ 11.106919][ C1] RBP: ffffa8f280120f80 R08: 0000000000000001 R09: 0000000000000001
[ 11.106919][ C1] R10: ffffffffacc07000 R11: ffff8b4d01589dc0 R12: 0000000000000000
[ 11.106919][ C1] R13: 0000000000000001 R14: 0000000000000002 R15: 0000000000000007
[ 11.106919][ C1] FS: 0000000000000000(0000) GS:ffff8b502fa00000(0000) knlGS:0000000000000000
[ 11.106919][ C1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 11.106919][ C1] CR2: 0000000000000000 CR3: 00000002e58b6000 CR4: 00000000000406e0
[ 11.106919][ C1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 11.106919][ C1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 11.106919][ C1] Call Trace:
[ 11.106919][ C1] <IRQ>
[ 11.106919][ C1] _nohz_idle_balance+0x7a/0x400
[ 11.106919][ C1] ? lock_is_held_type (arch/x86/include/asm/irqflags.h:140 kernel/locking/lockdep.c:5557)
[ 11.106919][ C1] __do_softirq (arch/x86/include/asm/jump_label.h:19 include/linux/jump_label.h:200 include/trace/events/irq.h:142 kernel/softirq.c:559)
[ 11.106919][ C1] irq_exit_rcu (kernel/softirq.c:432 kernel/softirq.c:636 kernel/softirq.c:648)
[ 11.106919][ C1] sysvec_call_function_single (arch/x86/kernel/smp.c:243 (discriminator 14))
[ 11.106919][ C1] </IRQ>
[ 11.106919][ C1] asm_sysvec_call_function_single (arch/x86/include/asm/idtentry.h:655)
[ 11.106919][ C1] RIP: 0010:native_safe_halt (arch/x86/include/asm/irqflags.h:52)
[ 11.106919][ C1] Code: 00 0f 00 2d 16 e1 45 00 f4 c3 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 e9 07 00 00 00 0f 00 2d f6 e0 45 00 fb f4 <c3> cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 0f 1f 44 00
All code
========
0: 00 0f add %cl,(%rdi)
2: 00 2d 16 e1 45 00 add %ch,0x45e116(%rip) # 0x45e11e
8: f4 hlt
9: c3 retq
a: 66 66 2e 0f 1f 84 00 data16 nopw %cs:0x0(%rax,%rax,1)
11: 00 00 00 00
15: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
1c: e9 07 00 00 00 jmpq 0x28
21: 0f 00 2d f6 e0 45 00 verw 0x45e0f6(%rip) # 0x45e11e
28: fb sti
29: f4 hlt
2a:* c3 retq <-- trapping instruction
2b: cc int3
2c: cc int3
2d: cc int3
2e: cc int3
2f: cc int3
30: cc int3
31: cc int3
32: cc int3
33: cc int3
34: cc int3
35: cc int3
36: cc int3
37: cc int3
38: cc int3
39: cc int3
3a: cc int3
3b: cc int3
3c: 0f .byte 0xf
3d: 1f (bad)
3e: 44 rex.R
...
Code starting with the faulting instruction
===========================================
0: c3 retq
1: cc int3
2: cc int3
3: cc int3
4: cc int3
5: cc int3
6: cc int3
7: cc int3
8: cc int3
9: cc int3
a: cc int3
b: cc int3
c: cc int3
d: cc int3
e: cc int3
f: cc int3
10: cc int3
11: cc int3
12: 0f .byte 0xf
13: 1f (bad)
14: 44 rex.R
To reproduce:
# build kernel
cd linux
cp config-5.13.0-rc6-00081-gcbd87e97caf5 .config
make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email
---
0DAY/LKP+ Test Infrastructure Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org Intel Corporation
Thanks,
Oliver Sang
View attachment "config-5.13.0-rc6-00081-gcbd87e97caf5" of type "text/plain" (272445 bytes)
View attachment "job-script" of type "text/plain" (4434 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (12072 bytes)
Powered by blists - more mailing lists