lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20211213083018.GD1334@xsang-OptiPlex-9020>
Date:   Mon, 13 Dec 2021 16:30:18 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Matthew Wilcox <willy@...radead.org>
Cc:     Vlastimil Babka <vbabka@...e.cz>,
        LKML <linux-kernel@...r.kernel.org>,
        Linux Memory Management List <linux-mm@...ck.org>,
        lkp@...ts.01.org, lkp@...el.com
Subject: [mm/slob]  fa5ba4107c: BUG:kernel_NULL_pointer_dereference,address



Greeting,

FYI, we noticed the following commit (built with clang-14):

commit: fa5ba4107ce2034e7f02531a64278a0fd8a731cd ("mm/slob: Convert SLOB to use struct slab")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master

in testcase: boot

on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):



If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>


[    0.449600][    T0] BUG: kernel NULL pointer dereference, address: 0000000000000008
[    0.451148][    T0] #PF: supervisor read access in kernel mode
[    0.452345][    T0] #PF: error_code(0x0000) - not-present page
[    0.453512][    T0] PGD 0 P4D 0
[    0.454183][    T0] Oops: 0000 [#1]
[    0.454847][    T0] CPU: 0 PID: 0 Comm: swapper Not tainted 5.16.0-rc3-00024-gfa5ba4107ce2 #1
[ 0.456717][ T0] RIP: 0010:slob_alloc (include/linux/page-flags.h:198 include/linux/page-flags.h:431 mm/slob.c:362) 
[ 0.457839][ T0] Code: 00 00 00 e8 d4 e4 f0 ff 48 89 df e8 0c 0a f1 ff 4c 8b 2b 49 c1 e5 36 49 c1 fd 3f 49 21 dd 49 8d 5d 08 48 89 df e8 f2 09 f1 ff <49> 8b 6d 08 40 f6 c5 01 0f 85 7b 01 00 00 4c 89 ed be 08 00 00 00
All code
========
   0:	00 00                	add    %al,(%rax)
   2:	00 e8                	add    %ch,%al
   4:	d4                   	(bad)  
   5:	e4 f0                	in     $0xf0,%al
   7:	ff 48 89             	decl   -0x77(%rax)
   a:	df e8                	fucomip %st(0),%st
   c:	0c 0a                	or     $0xa,%al
   e:	f1                   	icebp  
   f:	ff 4c 8b 2b          	decl   0x2b(%rbx,%rcx,4)
  13:	49 c1 e5 36          	shl    $0x36,%r13
  17:	49 c1 fd 3f          	sar    $0x3f,%r13
  1b:	49 21 dd             	and    %rbx,%r13
  1e:	49 8d 5d 08          	lea    0x8(%r13),%rbx
  22:	48 89 df             	mov    %rbx,%rdi
  25:	e8 f2 09 f1 ff       	callq  0xfffffffffff10a1c
  2a:*	49 8b 6d 08          	mov    0x8(%r13),%rbp		<-- trapping instruction
  2e:	40 f6 c5 01          	test   $0x1,%bpl
  32:	0f 85 7b 01 00 00    	jne    0x1b3
  38:	4c 89 ed             	mov    %r13,%rbp
  3b:	be 08 00 00 00       	mov    $0x8,%esi

Code starting with the faulting instruction
===========================================
   0:	49 8b 6d 08          	mov    0x8(%r13),%rbp
   4:	40 f6 c5 01          	test   $0x1,%bpl
   8:	0f 85 7b 01 00 00    	jne    0x189
   e:	4c 89 ed             	mov    %r13,%rbp
  11:	be 08 00 00 00       	mov    $0x8,%esi
[    0.462094][    T0] RSP: 0000:ffffffff9d203dc8 EFLAGS: 00010046
[    0.463363][    T0] RAX: ffffffff9d22fe68 RBX: 0000000000000008 RCX: ffffffff9b80c2ce
[    0.465369][    T0] RDX: 0000000000000004 RSI: 0000000000000001 RDI: 0000000000000008
[    0.467042][    T0] RBP: 0000000004001040 R08: 0001ffffffffffff R09: 0000000000000000
[    0.468631][    T0] R10: 000000000000000f R11: 0001ba4644001047 R12: ffffffff9d7d7110
[    0.470141][    T0] R13: 0000000000000000 R14: ffff89a080041000 R15: 0000000000000040
[    0.471633][    T0] FS:  0000000000000000(0000) GS:ffffffff9d246000(0000) knlGS:0000000000000000
[    0.473507][    T0] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    0.474878][    T0] CR2: 0000000000000008 CR3: 0000000430e26000 CR4: 00000000000406b0
[    0.476605][    T0] Call Trace:
[    0.477333][    T0]  <TASK>
[ 0.477969][ T0] kmem_cache_alloc (mm/slob.c:? mm/slob.c:632) 
[ 0.478981][ T0] ? _printk (kernel/printk/printk.c:2269) 
[ 0.479826][ T0] kmem_cache_create_usercopy (mm/slab_common.c:247 mm/slab_common.c:359) 
[ 0.481036][ T0] kmem_cache_create (mm/slab_common.c:414) 
[ 0.482024][ T0] vmalloc_init (mm/vmalloc.c:2347) 
[ 0.483000][ T0] mm_init (init/main.c:851) 
[ 0.483870][ T0] start_kernel (init/main.c:987) 
[ 0.484833][ T0] secondary_startup_64_no_verify (??:?) 
[    0.486139][    T0]  </TASK>
[    0.486837][    T0] Modules linked in:
[    0.487712][    T0] CR2: 0000000000000008
[ 0.488612][ T0] random: get_random_bytes called from oops_exit+0x39/0xc0 with crng_init=0 
[    0.488646][    T0] ---[ end trace 0000000000000000 ]---
[ 0.494333][ T0] RIP: 0010:slob_alloc (include/linux/page-flags.h:198 include/linux/page-flags.h:431 mm/slob.c:362) 
[ 0.495462][ T0] Code: 00 00 00 e8 d4 e4 f0 ff 48 89 df e8 0c 0a f1 ff 4c 8b 2b 49 c1 e5 36 49 c1 fd 3f 49 21 dd 49 8d 5d 08 48 89 df e8 f2 09 f1 ff <49> 8b 6d 08 40 f6 c5 01 0f 85 7b 01 00 00 4c 89 ed be 08 00 00 00
All code
========
   0:	00 00                	add    %al,(%rax)
   2:	00 e8                	add    %ch,%al
   4:	d4                   	(bad)  
   5:	e4 f0                	in     $0xf0,%al
   7:	ff 48 89             	decl   -0x77(%rax)
   a:	df e8                	fucomip %st(0),%st
   c:	0c 0a                	or     $0xa,%al
   e:	f1                   	icebp  
   f:	ff 4c 8b 2b          	decl   0x2b(%rbx,%rcx,4)
  13:	49 c1 e5 36          	shl    $0x36,%r13
  17:	49 c1 fd 3f          	sar    $0x3f,%r13
  1b:	49 21 dd             	and    %rbx,%r13
  1e:	49 8d 5d 08          	lea    0x8(%r13),%rbx
  22:	48 89 df             	mov    %rbx,%rdi
  25:	e8 f2 09 f1 ff       	callq  0xfffffffffff10a1c
  2a:*	49 8b 6d 08          	mov    0x8(%r13),%rbp		<-- trapping instruction
  2e:	40 f6 c5 01          	test   $0x1,%bpl
  32:	0f 85 7b 01 00 00    	jne    0x1b3
  38:	4c 89 ed             	mov    %r13,%rbp
  3b:	be 08 00 00 00       	mov    $0x8,%esi

Code starting with the faulting instruction
===========================================
   0:	49 8b 6d 08          	mov    0x8(%r13),%rbp
   4:	40 f6 c5 01          	test   $0x1,%bpl
   8:	0f 85 7b 01 00 00    	jne    0x189
   e:	4c 89 ed             	mov    %r13,%rbp
  11:	be 08 00 00 00       	mov    $0x8,%esi


To reproduce:

        # build kernel
	cd linux
	cp config-5.16.0-rc3-00024-gfa5ba4107ce2 .config
	make HOSTCC=clang-14 CC=clang-14 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
	make HOSTCC=clang-14 CC=clang-14 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
	cd <mod-install-dir>
	find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz


        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

        # if come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.



---
0DAY/LKP+ Test Infrastructure                   Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org       Intel Corporation

Thanks,
Oliver Sang


View attachment "config-5.16.0-rc3-00024-gfa5ba4107ce2" of type "text/plain" (123227 bytes)

View attachment "job-script" of type "text/plain" (4739 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (4548 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ