| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 14 Jan 2022 14:34:45 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Claudio Suarez <cssk@...-c.es>
Cc: Daniel Vetter <daniel.vetter@...ll.ch>,
LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org,
lkp@...el.com
Subject: [drm] 6e22dc3583: BUG:kernel_NULL_pointer_dereference,address
(please be noted this was reported as
https://lists.01.org/hyperkitty/list/lkp@lists.01.org/thread/ZPSFPRCI2J6F6GQID4S74GULQYFRHNQT/
at first, and we noticed there are some discussion about the fix,
but we cannot search out the fix commit and still reproduce the issue
on HEAD, if we missed something, please kindly let us know, Thanks!)
Greeting,
FYI, we noticed the following commit (built with gcc-9):
commit: 6e22dc35837790a84fc040f08e5094b2d5d91477 ("drm: get rid of DRM_DEBUG_* log calls in drm core, files drm_a*.c")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master
in testcase: boot
on test machine: qemu-system-x86_64 -enable-kvm -cpu Icelake-Server -smp 4 -m 16G
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
+---------------------------------------------+------------+------------+
| | 11632d4aa2 | 6e22dc3583 |
+---------------------------------------------+------------+------------+
| boot_successes | 14 | 0 |
| boot_failures | 0 | 12 |
| BUG:kernel_NULL_pointer_dereference,address | 0 | 12 |
| Oops:#[##] | 0 | 12 |
| RIP:drm_atomic_helper_check_plane_state | 0 | 12 |
| Kernel_panic-not_syncing:Fatal_exception | 0 | 12 |
+---------------------------------------------+------------+------------+
If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>
[ 243.435094][ T1] BUG: kernel NULL pointer dereference, address: 0000000000000010
[ 243.436828][ T1] #PF: supervisor read access in kernel mode
[ 243.437976][ T1] #PF: error_code(0x0000) - not-present page
[ 243.438416][ T1] PGD 0 P4D 0
[ 243.438416][ T1] Oops: 0000 [#1] SMP
[ 243.438416][ T1] CPU: 2 PID: 1 Comm: swapper/0 Not tainted 5.16.0-rc1-00265-g6e22dc358377 #1
[ 243.438416][ T1] RIP: 0010:drm_atomic_helper_check_plane_state (drivers/gpu/drm/drm_atomic_helper.c:867)
[ 243.438416][ T1] Code: 78 75 1e e8 33 01 6d ff 8b 45 cc 39 43 74 75 11 e8 26 01 6d ff 8b 45 d4 39 43 7c 0f 84 17 ff ff ff e8 15 01 6d ff 48 8b 43 08 <4c> 8b 20 4d 85 e4 74 0a e8 04 01 6d ff 4d 8b 64 24 08 e8 fa 00 6d
All code
========
0: 78 75 js 0x77
2: 1e (bad)
3: e8 33 01 6d ff callq 0xffffffffff6d013b
8: 8b 45 cc mov -0x34(%rbp),%eax
b: 39 43 74 cmp %eax,0x74(%rbx)
e: 75 11 jne 0x21
10: e8 26 01 6d ff callq 0xffffffffff6d013b
15: 8b 45 d4 mov -0x2c(%rbp),%eax
18: 39 43 7c cmp %eax,0x7c(%rbx)
1b: 0f 84 17 ff ff ff je 0xffffffffffffff38
21: e8 15 01 6d ff callq 0xffffffffff6d013b
26: 48 8b 43 08 mov 0x8(%rbx),%rax
2a:* 4c 8b 20 mov (%rax),%r12 <-- trapping instruction
2d: 4d 85 e4 test %r12,%r12
30: 74 0a je 0x3c
32: e8 04 01 6d ff callq 0xffffffffff6d013b
37: 4d 8b 64 24 08 mov 0x8(%r12),%r12
3c: e8 .byte 0xe8
3d: fa cli
3e: 00 .byte 0x0
3f: 6d insl (%dx),%es:(%rdi)
Code starting with the faulting instruction
===========================================
0: 4c 8b 20 mov (%rax),%r12
3: 4d 85 e4 test %r12,%r12
6: 74 0a je 0x12
8: e8 04 01 6d ff callq 0xffffffffff6d0111
d: 4d 8b 64 24 08 mov 0x8(%r12),%r12
12: e8 .byte 0xe8
13: fa cli
14: 00 .byte 0x0
15: 6d insl (%dx),%es:(%rdi)
[ 243.438416][ T1] RSP: 0000:ffff888100d6fb38 EFLAGS: 00010293
[ 243.438416][ T1] RAX: 0000000000000010 RBX: ffff888100d6fb98 RCX: 0000000000000000
[ 243.438416][ T1] RDX: ffff888100d68040 RSI: ffffffff81b32ca2 RDI: ffff888100d6fbf8
[ 243.438416][ T1] RBP: ffff888100d6fb88 R08: 0000000000010000 R09: 0000000000000000
[ 243.438416][ T1] R10: ffffffff844c6758 R11: 0000000000000001 R12: ffff888100d6fcf8
[ 243.438416][ T1] R13: ffff888100d6fbf8 R14: ffff888100d6fc30 R15: ffff888100d6fc08
[ 243.438416][ T1] FS: 0000000000000000(0000) GS:ffff88842fa00000(0000) knlGS:0000000000000000
[ 243.438416][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 243.438416][ T1] CR2: 0000000000000010 CR3: 0000000004012001 CR4: 00000000001706e0
[ 243.438416][ T1] Call Trace:
[ 243.438416][ T1] <TASK>
[ 243.438416][ T1] igt_check_plane_state (drivers/gpu/drm/selftests/test-drm_plane_helper.c:131 (discriminator 2))
[ 243.438416][ T1] test_drm_modeset_init (drivers/gpu/drm/selftests/drm_selftest.c:76 drivers/gpu/drm/selftests/test-drm_modeset_common.c:19)
[ 243.438416][ T1] ? test_drm_mm_init (drivers/gpu/drm/selftests/test-drm_modeset_common.c:16)
[ 243.438416][ T1] do_one_initcall (init/main.c:1297)
[ 243.438416][ T1] ? rcu_read_lock_sched_held (include/linux/lockdep.h:283 kernel/rcu/update.c:125)
[ 243.438416][ T1] kernel_init_freeable (init/main.c:1369 init/main.c:1386 init/main.c:1405 init/main.c:1610)
[ 243.438416][ T1] ? rest_init (init/main.c:1491)
[ 243.438416][ T1] kernel_init (init/main.c:1501)
[ 243.438416][ T1] ret_from_fork (arch/x86/entry/entry_64.S:301)
[ 243.438416][ T1] </TASK>
[ 243.438416][ T1] Modules linked in:
[ 243.438416][ T1] CR2: 0000000000000010
[ 243.438416][ T1] ---[ end trace 511c29efb061b69f ]---
[ 243.438416][ T1] RIP: 0010:drm_atomic_helper_check_plane_state (drivers/gpu/drm/drm_atomic_helper.c:867)
[ 243.438416][ T1] Code: 78 75 1e e8 33 01 6d ff 8b 45 cc 39 43 74 75 11 e8 26 01 6d ff 8b 45 d4 39 43 7c 0f 84 17 ff ff ff e8 15 01 6d ff 48 8b 43 08 <4c> 8b 20 4d 85 e4 74 0a e8 04 01 6d ff 4d 8b 64 24 08 e8 fa 00 6d
All code
========
0: 78 75 js 0x77
2: 1e (bad)
3: e8 33 01 6d ff callq 0xffffffffff6d013b
8: 8b 45 cc mov -0x34(%rbp),%eax
b: 39 43 74 cmp %eax,0x74(%rbx)
e: 75 11 jne 0x21
10: e8 26 01 6d ff callq 0xffffffffff6d013b
15: 8b 45 d4 mov -0x2c(%rbp),%eax
18: 39 43 7c cmp %eax,0x7c(%rbx)
1b: 0f 84 17 ff ff ff je 0xffffffffffffff38
21: e8 15 01 6d ff callq 0xffffffffff6d013b
26: 48 8b 43 08 mov 0x8(%rbx),%rax
2a:* 4c 8b 20 mov (%rax),%r12 <-- trapping instruction
2d: 4d 85 e4 test %r12,%r12
30: 74 0a je 0x3c
32: e8 04 01 6d ff callq 0xffffffffff6d013b
37: 4d 8b 64 24 08 mov 0x8(%r12),%r12
3c: e8 .byte 0xe8
3d: fa cli
3e: 00 .byte 0x0
3f: 6d insl (%dx),%es:(%rdi)
Code starting with the faulting instruction
===========================================
0: 4c 8b 20 mov (%rax),%r12
3: 4d 85 e4 test %r12,%r12
6: 74 0a je 0x12
8: e8 04 01 6d ff callq 0xffffffffff6d0111
d: 4d 8b 64 24 08 mov 0x8(%r12),%r12
12: e8 .byte 0xe8
13: fa cli
14: 00 .byte 0x0
15: 6d insl (%dx),%es:(%rdi)
To reproduce:
# build kernel
cd linux
cp config-5.16.0-rc1-00265-g6e22dc358377 .config
make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
cd <mod-install-dir>
find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email
# if come across any failure that blocks the test,
# please remove ~/.lkp and /lkp dir to run from a clean state.
---
0DAY/LKP+ Test Infrastructure Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org Intel Corporation
Thanks,
Oliver Sang
View attachment "config-5.16.0-rc1-00265-g6e22dc358377" of type "text/plain" (170753 bytes)
View attachment "job-script" of type "text/plain" (4680 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (12420 bytes)
Powered by blists - more mailing lists