Message-ID: <20210813031136.GA6652@xsang-OptiPlex-9020>
Date:   Fri, 13 Aug 2021 11:11:36 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Christoph Hellwig <hch@....de>
Cc:     Jens Axboe <axboe@...nel.dk>,
        Johannes Thumshirn <johannes.thumshirn@....com>,
        LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org,
        lkp@...el.com
Subject: [block]  edb0872f44: BUG:kernel_NULL_pointer_dereference,address



Greeting,

FYI, we noticed the following commit (built with gcc-9):

commit: edb0872f44ec9976ea6d052cb4b93cd2d23ac2ba ("block: move the bdi from the request_queue to the gendisk")
https://git.kernel.org/cgit/linux/kernel/git/axboe/linux-block.git for-5.15/block


in testcase: stress-ng
version: stress-ng-x86_64-0.11-06_20210811
with the following parameters:

	nr_threads: 10%
	disk: 1HDD
	testtime: 60s
	fs: ext4
	class: os
	test: loop
	cpufreq_governor: performance
	ucode: 0x5003006



on test machine: 96 threads 2 sockets Intel(R) Xeon(R) Gold 6252 CPU @ 2.10GHz with 192G memory

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):



If you fix the issue, kindly add the following tag:
Reported-by: kernel test robot <oliver.sang@...el.com>


[   50.333977][   C51] BUG: kernel NULL pointer dereference, address: 00000000000002f8
[   50.342132][   C51] #PF: supervisor read access in kernel mode
[   50.348459][   C51] #PF: error_code(0x0000) - not-present page
[   50.354784][   C51] PGD 0 P4D 0
[   50.358514][   C51] Oops: 0000 [#1] SMP NOPTI
[   50.363385][   C51] CPU: 51 PID: 0 Comm: swapper/51 Not tainted 5.14.0-rc4-00051-gedb0872f44ec #1
[   50.372786][   C51] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019
[   50.384465][   C51] RIP: 0010:wb_timer_fn (block/blk-wbt.c:237 block/blk-wbt.c:360)
[   50.389993][   C51] Code: 60 4c 8b 67 50 8b 9d 98 00 00 00 8b 95 b8 00 00 00 8b 85 d8 00 00 00 4c 8b 6d 28 01 d3 01 c3 48 8b 45 60 48 8b 80 90 00 00 00 <48> 8b 80 f8 02 00 00 4c 8b b0 98 00 00 00 4d 85 ed 0f 84 ca 00 00
All code
========
   0:	60                   	(bad)  
   1:	4c 8b 67 50          	mov    0x50(%rdi),%r12
   5:	8b 9d 98 00 00 00    	mov    0x98(%rbp),%ebx
   b:	8b 95 b8 00 00 00    	mov    0xb8(%rbp),%edx
  11:	8b 85 d8 00 00 00    	mov    0xd8(%rbp),%eax
  17:	4c 8b 6d 28          	mov    0x28(%rbp),%r13
  1b:	01 d3                	add    %edx,%ebx
  1d:	01 c3                	add    %eax,%ebx
  1f:	48 8b 45 60          	mov    0x60(%rbp),%rax
  23:	48 8b 80 90 00 00 00 	mov    0x90(%rax),%rax
  2a:*	48 8b 80 f8 02 00 00 	mov    0x2f8(%rax),%rax		<-- trapping instruction
  31:	4c 8b b0 98 00 00 00 	mov    0x98(%rax),%r14
  38:	4d 85 ed             	test   %r13,%r13
  3b:	0f                   	.byte 0xf
  3c:	84 ca                	test   %cl,%dl
	...

Code starting with the faulting instruction
===========================================
   0:	48 8b 80 f8 02 00 00 	mov    0x2f8(%rax),%rax
   7:	4c 8b b0 98 00 00 00 	mov    0x98(%rax),%r14
   e:	4d 85 ed             	test   %r13,%r13
  11:	0f                   	.byte 0xf
  12:	84 ca                	test   %cl,%dl
	...
[   50.410596][   C51] RSP: 0018:ffffc9000d530eb8 EFLAGS: 00010246
[   50.417103][   C51] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000060
[   50.425532][   C51] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88810f6ae100
[   50.433951][   C51] RBP: ffff888140c4eb00 R08: 0000000000000060 R09: 0000000000000000
[   50.442389][   C51] R10: ffffffff82df9be0 R11: 000000000000002c R12: ffff8881e01d7540
[   50.450824][   C51] R13: 0000000000000000 R14: ffff88810f6ae110 R15: ffff8897e0cdc030
[   50.459278][   C51] FS:  0000000000000000(0000) GS:ffff8897e0cc0000(0000) knlGS:0000000000000000
[   50.468695][   C51] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   50.475775][   C51] CR2: 00000000000002f8 CR3: 000000303ec10004 CR4: 00000000007706e0
[   50.484268][   C51] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   50.492754][   C51] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   50.501248][   C51] PKRU: 55555554
[   50.505323][   C51] Call Trace:
[   50.509133][   C51]  <IRQ>
[   50.512511][   C51]  ? blk_stat_free_callback_rcu (block/blk-stat.c:81)
[   50.518762][   C51]  call_timer_fn (kernel/time/timer.c:1419)
[   50.523797][   C51]  run_timer_softirq (kernel/time/timer.c:1465 kernel/time/timer.c:1732 kernel/time/timer.c:1708 kernel/time/timer.c:1745)
[   50.529273][   C51]  ? enqueue_hrtimer (kernel/time/hrtimer.c:990)
[   50.534567][   C51]  ? ktime_get (kernel/time/timekeeping.c:193 kernel/time/timekeeping.c:287 kernel/time/timekeeping.c:386 kernel/time/timekeeping.c:829 kernel/time/timekeeping.c:817)
[   50.539325][   C51]  __do_softirq (kernel/softirq.c:558)
[   50.544252][   C51]  irq_exit_rcu (kernel/softirq.c:432 kernel/softirq.c:636 kernel/softirq.c:648)
[   50.549158][   C51]  sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1100 (discriminator 14))
[   50.555275][   C51]  </IRQ>
[   50.558692][   C51]  asm_sysvec_apic_timer_interrupt (arch/x86/include/asm/idtentry.h:638)
[   50.565149][   C51] RIP: 0010:cpuidle_enter_state (drivers/cpuidle/cpuidle.c:259)
[   50.571437][   C51] Code: 49 89 c5 0f 1f 44 00 00 31 ff e8 89 28 70 ff 45 84 ff 74 12 9c 58 f6 c4 02 0f 85 62 02 00 00 31 ff e8 f2 6b 77 ff fb 45 85 f6 <0f> 88 fb 00 00 00 49 63 c6 4c 2b 2c 24 48 8d 14 40 48 8d 14 90 49
All code
========
   0:	49 89 c5             	mov    %rax,%r13
   3:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
   8:	31 ff                	xor    %edi,%edi
   a:	e8 89 28 70 ff       	callq  0xffffffffff702898
   f:	45 84 ff             	test   %r15b,%r15b
  12:	74 12                	je     0x26
  14:	9c                   	pushfq 
  15:	58                   	pop    %rax
  16:	f6 c4 02             	test   $0x2,%ah
  19:	0f 85 62 02 00 00    	jne    0x281
  1f:	31 ff                	xor    %edi,%edi
  21:	e8 f2 6b 77 ff       	callq  0xffffffffff776c18
  26:	fb                   	sti    
  27:	45 85 f6             	test   %r14d,%r14d
  2a:*	0f 88 fb 00 00 00    	js     0x12b		<-- trapping instruction
  30:	49 63 c6             	movslq %r14d,%rax
  33:	4c 2b 2c 24          	sub    (%rsp),%r13
  37:	48 8d 14 40          	lea    (%rax,%rax,2),%rdx
  3b:	48 8d 14 90          	lea    (%rax,%rdx,4),%rdx
  3f:	49                   	rex.WB

Code starting with the faulting instruction
===========================================
   0:	0f 88 fb 00 00 00    	js     0x101
   6:	49 63 c6             	movslq %r14d,%rax
   9:	4c 2b 2c 24          	sub    (%rsp),%r13
   d:	48 8d 14 40          	lea    (%rax,%rax,2),%rdx
  11:	48 8d 14 90          	lea    (%rax,%rdx,4),%rdx
  15:	49                   	rex.WB
[   50.592195][   C51] RSP: 0018:ffffc9000cb03e80 EFLAGS: 00000206
[   50.598770][   C51] RAX: ffff8897e0cebd00 RBX: 0000000000000003 RCX: 000000000000001f
[   50.607277][   C51] RDX: 0000000000000000 RSI: 000000003d18701d RDI: 0000000000000000
[   50.615775][   C51] RBP: ffff8897e0cf6730 R08: 0000000bb82342cb R09: 00000000000002d1
[   50.624275][   C51] R10: 00000000000002d9 R11: ffff8897e0ceaa44 R12: ffffffff82ce4880
[   50.632778][   C51] R13: 0000000bb82342cb R14: 0000000000000003 R15: 0000000000000000
[   50.641286][   C51]  cpuidle_enter (drivers/cpuidle/cpuidle.c:353)
[   50.646235][   C51]  do_idle (kernel/sched/idle.c:243 kernel/sched/idle.c:306)
[   50.650831][   C51]  cpu_startup_entry (kernel/sched/idle.c:402 (discriminator 1))
[   50.656119][   C51]  start_secondary (arch/x86/kernel/smpboot.c:271)
[   50.661395][   C51]  secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:283)
[   50.667791][   C51] Modules linked in: loop dm_mod binfmt_misc btrfs blake2b_generic xor zstd_compress raid6_pq libcrc32c intel_rapl_msr intel_rapl_common sd_mod t10_pi sg skx_edac nfit libnvdimm x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass ipmi_ssif crct10dif_pclmul ast crc32_pclmul drm_vram_helper crc32c_intel drm_ttm_helper ghash_clmulni_intel ttm rapl drm_kms_helper intel_cstate syscopyarea sysfillrect sysimgblt ahci fb_sys_fops libahci acpi_ipmi mei_me intel_uncore drm ipmi_si ioatdma ipmi_devintf libata mei joydev intel_pch_thermal wmi dca ipmi_msghandler acpi_pad acpi_power_meter ip_tables
[   50.726361][   C51] CR2: 00000000000002f8
[   50.731146][   C51] ---[ end trace a8a75fcc0a216b4e ]---
[   50.749073][   C51] RIP: 0010:wb_timer_fn (block/blk-wbt.c:237 block/blk-wbt.c:360)
[   50.754746][   C51] Code: 60 4c 8b 67 50 8b 9d 98 00 00 00 8b 95 b8 00 00 00 8b 85 d8 00 00 00 4c 8b 6d 28 01 d3 01 c3 48 8b 45 60 48 8b 80 90 00 00 00 <48> 8b 80 f8 02 00 00 4c 8b b0 98 00 00 00 4d 85 ed 0f 84 ca 00 00
All code
========
   0:	60                   	(bad)  
   1:	4c 8b 67 50          	mov    0x50(%rdi),%r12
   5:	8b 9d 98 00 00 00    	mov    0x98(%rbp),%ebx
   b:	8b 95 b8 00 00 00    	mov    0xb8(%rbp),%edx
  11:	8b 85 d8 00 00 00    	mov    0xd8(%rbp),%eax
  17:	4c 8b 6d 28          	mov    0x28(%rbp),%r13
  1b:	01 d3                	add    %edx,%ebx
  1d:	01 c3                	add    %eax,%ebx
  1f:	48 8b 45 60          	mov    0x60(%rbp),%rax
  23:	48 8b 80 90 00 00 00 	mov    0x90(%rax),%rax
  2a:*	48 8b 80 f8 02 00 00 	mov    0x2f8(%rax),%rax		<-- trapping instruction
  31:	4c 8b b0 98 00 00 00 	mov    0x98(%rax),%r14
  38:	4d 85 ed             	test   %r13,%r13
  3b:	0f                   	.byte 0xf
  3c:	84 ca                	test   %cl,%dl
	...

Code starting with the faulting instruction
===========================================
   0:	48 8b 80 f8 02 00 00 	mov    0x2f8(%rax),%rax
   7:	4c 8b b0 98 00 00 00 	mov    0x98(%rax),%r14
   e:	4d 85 ed             	test   %r13,%r13
  11:	0f                   	.byte 0xf
  12:	84 ca                	test   %cl,%dl


To reproduce:

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp install                job.yaml  # job file is attached in this email
        bin/lkp split-job --compatible job.yaml  # generate the yaml file for lkp run
        bin/lkp run                    generated-yaml-file



---
0DAY/LKP+ Test Infrastructure                   Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org       Intel Corporation

Thanks,
Oliver Sang


View attachment "config-5.14.0-rc4-00051-gedb0872f44ec" of type "text/plain" (175468 bytes)

View attachment "job-script" of type "text/plain" (8246 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (37296 bytes)

View attachment "job.yaml" of type "text/plain" (5445 bytes)