lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20210808133025.GB27482@xsang-OptiPlex-9020>
Date:   Sun, 8 Aug 2021 21:30:25 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Valentin Schneider <valentin.schneider@....com>
Cc:     0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
        lkp@...ts.01.org, Peter Zijlstra <peterz@...radead.org>,
        Ingo Molnar <mingo@...nel.org>,
        Vincent Guittot <vincent.guittot@...aro.org>,
        Dietmar Eggemann <dietmar.eggemann@....com>,
        aubrey.li@...ux.intel.com, yu.c.chen@...el.com
Subject: [sched/fair]  cbd87e97ca: BUG:kernel_NULL_pointer_dereference,address



Greeting,

FYI, we noticed the following commit (built with gcc-9):

commit: cbd87e97caf59c1a9d06d35e5a59404e4d7c8660 ("[PATCH] sched/fair: Update nohz.next_balance for newly NOHZ-idle CPUs")
url: https://github.com/0day-ci/linux/commits/Valentin-Schneider/sched-fair-Update-nohz-next_balance-for-newly-NOHZ-idle-CPUs/20210714-194021
base: https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git 031e3bd8986fffe31e1ddbf5264cccfe30c9abd7

in testcase: trinity
version: trinity-x86_64-da65f0aa-1_20210719
with following parameters:

	number: 99999
	group: group-03

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):



If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>


[   11.102934][    C1] BUG: kernel NULL pointer dereference, address: 0000000000000000
[   11.104253][    C1] #PF: supervisor write access in kernel mode
[   11.105209][    C1] #PF: error_code(0x0002) - not-present page
[   11.106215][    C1] PGD 0 P4D 0
[   11.106848][    C1] Oops: 0002 [#1] SMP PTI
[   11.106919][    C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.13.0-rc6-00081-gcbd87e97caf5 #1
[   11.106919][    C1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 11.106919][ C1] RIP: 0010:__memcpy (arch/x86/lib/memcpy_64.S:39) 
[ 11.106919][ C1] Code: 74 be 0f 1f 44 00 00 c7 05 97 29 d1 03 0f 00 00 00 eb ad cc cc cc cc cc 0f 1f 44 00 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4
All code
========
   0:	74 be                	je     0xffffffffffffffc0
   2:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
   7:	c7 05 97 29 d1 03 0f 	movl   $0xf,0x3d12997(%rip)        # 0x3d129a8
   e:	00 00 00 
  11:	eb ad                	jmp    0xffffffffffffffc0
  13:	cc                   	int3   
  14:	cc                   	int3   
  15:	cc                   	int3   
  16:	cc                   	int3   
  17:	cc                   	int3   
  18:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  1d:	48 89 f8             	mov    %rdi,%rax
  20:	48 89 d1             	mov    %rdx,%rcx
  23:	48 c1 e9 03          	shr    $0x3,%rcx
  27:	83 e2 07             	and    $0x7,%edx
  2a:*	f3 48 a5             	rep movsq %ds:(%rsi),%es:(%rdi)		<-- trapping instruction
  2d:	89 d1                	mov    %edx,%ecx
  2f:	f3 a4                	rep movsb %ds:(%rsi),%es:(%rdi)
  31:	c3                   	retq   
  32:	66 0f 1f 44 00 00    	nopw   0x0(%rax,%rax,1)
  38:	48 89 f8             	mov    %rdi,%rax
  3b:	48 89 d1             	mov    %rdx,%rcx
  3e:	f3 a4                	rep movsb %ds:(%rsi),%es:(%rdi)

Code starting with the faulting instruction
===========================================
   0:	f3 48 a5             	rep movsq %ds:(%rsi),%es:(%rdi)
   3:	89 d1                	mov    %edx,%ecx
   5:	f3 a4                	rep movsb %ds:(%rsi),%es:(%rdi)
   7:	c3                   	retq   
   8:	66 0f 1f 44 00 00    	nopw   0x0(%rax,%rax,1)
   e:	48 89 f8             	mov    %rdi,%rax
  11:	48 89 d1             	mov    %rdx,%rcx
  14:	f3 a4                	rep movsb %ds:(%rsi),%es:(%rdi)
[   11.106919][    C1] RSP: 0000:ffffa8f280120f18 EFLAGS: 00010246
[   11.106919][    C1] RAX: 0000000000000000 RBX: 00000000ffff1d2f RCX: 0000000000000001
[   11.106919][    C1] RDX: 0000000000000000 RSI: ffff8b4d002b6ed0 RDI: 0000000000000000
[   11.106919][    C1] RBP: ffffa8f280120f80 R08: 0000000000000001 R09: 0000000000000001
[   11.106919][    C1] R10: ffffffffacc07000 R11: ffff8b4d01589dc0 R12: 0000000000000000
[   11.106919][    C1] R13: 0000000000000001 R14: 0000000000000002 R15: 0000000000000007
[   11.106919][    C1] FS:  0000000000000000(0000) GS:ffff8b502fa00000(0000) knlGS:0000000000000000
[   11.106919][    C1] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   11.106919][    C1] CR2: 0000000000000000 CR3: 00000002e58b6000 CR4: 00000000000406e0
[   11.106919][    C1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   11.106919][    C1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   11.106919][    C1] Call Trace:
[   11.106919][    C1]  <IRQ>
[ 11.106919][ C1] _nohz_idle_balance+0x7a/0x400 
[ 11.106919][ C1] ? lock_is_held_type (arch/x86/include/asm/irqflags.h:140 kernel/locking/lockdep.c:5557) 
[ 11.106919][ C1] __do_softirq (arch/x86/include/asm/jump_label.h:19 include/linux/jump_label.h:200 include/trace/events/irq.h:142 kernel/softirq.c:559) 
[ 11.106919][ C1] irq_exit_rcu (kernel/softirq.c:432 kernel/softirq.c:636 kernel/softirq.c:648) 
[ 11.106919][ C1] sysvec_call_function_single (arch/x86/kernel/smp.c:243 (discriminator 14)) 
[   11.106919][    C1]  </IRQ>
[ 11.106919][ C1] asm_sysvec_call_function_single (arch/x86/include/asm/idtentry.h:655) 
[ 11.106919][ C1] RIP: 0010:native_safe_halt (arch/x86/include/asm/irqflags.h:52) 
[ 11.106919][ C1] Code: 00 0f 00 2d 16 e1 45 00 f4 c3 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 e9 07 00 00 00 0f 00 2d f6 e0 45 00 fb f4 <c3> cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 0f 1f 44 00
All code
========
   0:	00 0f                	add    %cl,(%rdi)
   2:	00 2d 16 e1 45 00    	add    %ch,0x45e116(%rip)        # 0x45e11e
   8:	f4                   	hlt    
   9:	c3                   	retq   
   a:	66 66 2e 0f 1f 84 00 	data16 nopw %cs:0x0(%rax,%rax,1)
  11:	00 00 00 00 
  15:	0f 1f 80 00 00 00 00 	nopl   0x0(%rax)
  1c:	e9 07 00 00 00       	jmpq   0x28
  21:	0f 00 2d f6 e0 45 00 	verw   0x45e0f6(%rip)        # 0x45e11e
  28:	fb                   	sti    
  29:	f4                   	hlt    
  2a:*	c3                   	retq   		<-- trapping instruction
  2b:	cc                   	int3   
  2c:	cc                   	int3   
  2d:	cc                   	int3   
  2e:	cc                   	int3   
  2f:	cc                   	int3   
  30:	cc                   	int3   
  31:	cc                   	int3   
  32:	cc                   	int3   
  33:	cc                   	int3   
  34:	cc                   	int3   
  35:	cc                   	int3   
  36:	cc                   	int3   
  37:	cc                   	int3   
  38:	cc                   	int3   
  39:	cc                   	int3   
  3a:	cc                   	int3   
  3b:	cc                   	int3   
  3c:	0f                   	.byte 0xf
  3d:	1f                   	(bad)  
  3e:	44                   	rex.R
	...

Code starting with the faulting instruction
===========================================
   0:	c3                   	retq   
   1:	cc                   	int3   
   2:	cc                   	int3   
   3:	cc                   	int3   
   4:	cc                   	int3   
   5:	cc                   	int3   
   6:	cc                   	int3   
   7:	cc                   	int3   
   8:	cc                   	int3   
   9:	cc                   	int3   
   a:	cc                   	int3   
   b:	cc                   	int3   
   c:	cc                   	int3   
   d:	cc                   	int3   
   e:	cc                   	int3   
   f:	cc                   	int3   
  10:	cc                   	int3   
  11:	cc                   	int3   
  12:	0f                   	.byte 0xf
  13:	1f                   	(bad)  
  14:	44                   	rex.R


To reproduce:

        # build kernel
	cd linux
	cp config-5.13.0-rc6-00081-gcbd87e97caf5 .config
	make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email



---
0DAY/LKP+ Test Infrastructure                   Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org       Intel Corporation

Thanks,
Oliver Sang


View attachment "config-5.13.0-rc6-00081-gcbd87e97caf5" of type "text/plain" (272445 bytes)

View attachment "job-script" of type "text/plain" (4434 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (12072 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ