Message-ID: <20211128142015.GB5295@xsang-OptiPlex-9020>
Date: Sun, 28 Nov 2021 22:20:15 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Claudio Suarez <cssk@...-c.es>
Cc: 0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
lkp@...ts.01.org, dri-devel@...ts.freedesktop.org,
Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
Maxime Ripard <mripard@...nel.org>,
Thomas Zimmermann <tzimmermann@...e.de>,
David Airlie <airlied@...ux.ie>,
Daniel Vetter <daniel@...ll.ch>
Subject: [drm] d1af5cd869: BUG:kernel_NULL_pointer_dereference,address
Greeting,

FYI, we noticed the following commit (built with gcc-9):

commit: d1af5cd86997d53c140a5abdced40c5e45d68e34 ("[PATCH] drm: get rid of DRM_DEBUG_* log calls in drm core, files drm_a*.c")
url: https://github.com/0day-ci/linux/commits/Claudio-Suarez/drm-get-rid-of-DRM_DEBUG_-log-calls-in-drm-core-files-drm_a-c/20211126-185054
base: git://anongit.freedesktop.org/drm/drm drm-next
patch link: https://lore.kernel.org/dri-devel/YaC7zXW119tlzfVh@gineta.localdomain

in testcase: boot

on test machine: qemu-system-i386 -enable-kvm -cpu SandyBridge -smp 2 -m 4G

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):

+---------------------------------------------+------------+------------+
|                                             | c18c889111 | d1af5cd869 |
+---------------------------------------------+------------+------------+
| boot_successes                              | 13         | 0          |
| boot_failures                               | 0          | 15         |
| BUG:kernel_NULL_pointer_dereference,address | 0          | 15         |
| Oops:#[##]                                  | 0          | 15         |
| EIP:drm_atomic_helper_check_plane_state     | 0          | 15         |
| Kernel_panic-not_syncing:Fatal_exception    | 0          | 15         |
+---------------------------------------------+------------+------------+
If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>
[ 125.561383][ T1] BUG: kernel NULL pointer dereference, address: 00000010
[ 125.562724][ T1] #PF: supervisor read access in kernel mode
[ 125.563784][ T1] #PF: error_code(0x0000) - not-present page
[ 125.564418][ T1] *pde = 00000000
[ 125.564418][ T1] Oops: 0000 [#1] PREEMPT SMP
[ 125.564418][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.16.0-rc2-00259-gd1af5cd86997 #1
[ 125.564418][ T1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 125.564418][ T1] EIP: drm_atomic_helper_check_plane_state (drivers/gpu/drm/drm_atomic_helper.c:867)
[ 125.564418][ T1] Code: 45 d4 50 89 f0 e8 c6 8a 00 00 5a 80 7b 6c 00 74 6f 80 7d cc 00 75 69 8b 45 e4 39 43 5c 75 08 8b 45 ec 39 43 64 74 49 8b 43 04 <8b> 00 85 c0 74 03 8b 40 08 68 d3 54 71 c2 6a 04 50 e8 50 0d 04 00
All code
========
0: 45 d4 rex.RB (bad)
2: 50 push %rax
3: 89 f0 mov %esi,%eax
5: e8 c6 8a 00 00 callq 0x8ad0
a: 5a pop %rdx
b: 80 7b 6c 00 cmpb $0x0,0x6c(%rbx)
f: 74 6f je 0x80
11: 80 7d cc 00 cmpb $0x0,-0x34(%rbp)
15: 75 69 jne 0x80
17: 8b 45 e4 mov -0x1c(%rbp),%eax
1a: 39 43 5c cmp %eax,0x5c(%rbx)
1d: 75 08 jne 0x27
1f: 8b 45 ec mov -0x14(%rbp),%eax
22: 39 43 64 cmp %eax,0x64(%rbx)
25: 74 49 je 0x70
27: 8b 43 04 mov 0x4(%rbx),%eax
2a:* 8b 00 mov (%rax),%eax <-- trapping instruction
2c: 85 c0 test %eax,%eax
2e: 74 03 je 0x33
30: 8b 40 08 mov 0x8(%rax),%eax
33: 68 d3 54 71 c2 pushq $0xffffffffc27154d3
38: 6a 04 pushq $0x4
3a: 50 push %rax
3b: e8 50 0d 04 00 callq 0x40d90
Code starting with the faulting instruction
===========================================
0: 8b 00 mov (%rax),%eax
2: 85 c0 test %eax,%eax
4: 74 03 je 0x9
6: 8b 40 08 mov 0x8(%rax),%eax
9: 68 d3 54 71 c2 pushq $0xffffffffc27154d3
e: 6a 04 pushq $0x4
10: 50 push %rax
11: e8 50 0d 04 00 callq 0x40d66
[ 125.564418][ T1] EAX: 00000010 EBX: c036fce8 ECX: 08000000 EDX: 00000001
[ 125.564418][ T1] ESI: c036fd34 EDI: 00010000 EBP: c036fcd4 ESP: c036fca0
[ 125.564418][ T1] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00010287
[ 125.564418][ T1] CR0: 80050033 CR2: 00000010 CR3: 02f31000 CR4: 000406d0
[ 125.564418][ T1] Call Trace:
[ 125.564418][ T1] igt_check_plane_state (drivers/gpu/drm/selftests/test-drm_plane_helper.c:131 (discriminator 2))
[ 125.564418][ T1] ? test_drm_mm_init (drivers/gpu/drm/selftests/test-drm_modeset_common.c:16)
[ 125.564418][ T1] test_drm_modeset_init (drivers/gpu/drm/selftests/drm_selftest.c:77 drivers/gpu/drm/selftests/test-drm_modeset_common.c:19)
[ 125.564418][ T1] do_one_initcall (init/main.c:1297)
[ 125.564418][ T1] ? __this_cpu_preempt_check (lib/smp_processor_id.c:67)
[ 125.564418][ T1] ? lock_is_held_type (kernel/locking/lockdep.c:438 kernel/locking/lockdep.c:5681)
[ 125.564418][ T1] kernel_init_freeable (init/main.c:1369 init/main.c:1386 init/main.c:1405 init/main.c:1610)
[ 125.564418][ T1] ? rest_init (init/main.c:1491)
[ 125.564418][ T1] kernel_init (init/main.c:1501)
[ 125.564418][ T1] ret_from_fork (arch/x86/entry/entry_32.S:775)
[ 125.564418][ T1] Modules linked in:
[ 125.564418][ T1] CR2: 0000000000000010
[ 125.564418][ T1] random: get_random_bytes called from print_oops_end_marker+0x2c/0x80 with crng_init=0
[ 125.564418][ T1] ---[ end trace 9f868d4c92c9c57f ]---
[ 125.564418][ T1] EIP: drm_atomic_helper_check_plane_state (drivers/gpu/drm/drm_atomic_helper.c:867)
[ 125.564418][ T1] Code: 45 d4 50 89 f0 e8 c6 8a 00 00 5a 80 7b 6c 00 74 6f 80 7d cc 00 75 69 8b 45 e4 39 43 5c 75 08 8b 45 ec 39 43 64 74 49 8b 43 04 <8b> 00 85 c0 74 03 8b 40 08 68 d3 54 71 c2 6a 04 50 e8 50 0d 04 00

To reproduce:

        # build kernel
        cd linux
        cp config-5.16.0-rc2-00259-gd1af5cd86997 .config
        make HOSTCC=gcc-9 CC=gcc-9 ARCH=i386 olddefconfig prepare modules_prepare bzImage modules
        make HOSTCC=gcc-9 CC=gcc-9 ARCH=i386 INSTALL_MOD_PATH=<mod-install-dir> modules_install
        cd <mod-install-dir>
        find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

        # if come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.

---
0DAY/LKP+ Test Infrastructure Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org Intel Corporation
Thanks,
Oliver Sang
View attachment "config-5.16.0-rc2-00259-gd1af5cd86997" of type "text/plain" (149773 bytes)
View attachment "job-script" of type "text/plain" (4946 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (10584 bytes)