Date:   Thu, 27 Jan 2022 15:09:34 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Andreas Gruenbacher <agruenba@...hat.com>
Cc:     LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org,
        lkp@...el.com
Subject: [gup]  bb523b406c: kernel_BUG_at_mm/page_alloc.c



Greetings,

FYI, we noticed the following commit (built with clang-14):

commit: bb523b406c849eef8f265a07cd7f320f1f177743 ("gup: Turn fault_in_pages_{readable,writeable} into fault_in_{readable,writeable}")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master

in testcase: trinity
version: trinity-static-i386-x86_64-1c734c75-1_2020-01-06
with following parameters:

	runtime: 300s
	group: group-02

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-i386 -enable-kvm -cpu SandyBridge -smp 2 -m 4G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):


+------------------------------------------+------------+------------+
|                                          | 0c8eb2884a | bb523b406c |
+------------------------------------------+------------+------------+
| boot_failures                            | 0          | 7          |
| kernel_BUG_at_mm/page_alloc.c            | 0          | 7          |
| invalid_opcode:#[##]                     | 0          | 7          |
| EIP:free_unref_page_prepare              | 0          | 7          |
| EIP:__get_user_nocheck_1                 | 0          | 7          |
| Kernel_panic-not_syncing:Fatal_exception | 0          | 7          |
+------------------------------------------+------------+------------+


If you fix the issue, kindly add the following tag:
Reported-by: kernel test robot <oliver.sang@...el.com>


[  160.571891][ T3738] kernel BUG at mm/page_alloc.c:1290!
[  160.576853][ T3738] invalid opcode: 0000 [#1] SMP
[  160.577603][ T3738] CPU: 1 PID: 3738 Comm: trinity-c2 Not tainted 5.15.0-rc5-00003-gbb523b406c84 #1
[  160.578911][ T3738] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 160.580258][ T3738] EIP: free_unref_page_prepare (page_alloc.c:?) 
[ 160.581134][ T3738] Code: 89 7d f0 89 d7 e8 4d 7a 00 00 89 fa 8b 7d f0 b8 ff ff ff ff 39 c7 0f 84 57 fe ff ff eb d3 89 f0 ba 57 bd 08 c2 e8 6d e5 fd ff <0f> 0b 68 a8 5d 6c c2 e8 91 5f 32 00 f7 06 00 00 01 00 75 0e b0 01
All code
========
   0:	89 7d f0             	mov    %edi,-0x10(%rbp)
   3:	89 d7                	mov    %edx,%edi
   5:	e8 4d 7a 00 00       	callq  0x7a57
   a:	89 fa                	mov    %edi,%edx
   c:	8b 7d f0             	mov    -0x10(%rbp),%edi
   f:	b8 ff ff ff ff       	mov    $0xffffffff,%eax
  14:	39 c7                	cmp    %eax,%edi
  16:	0f 84 57 fe ff ff    	je     0xfffffffffffffe73
  1c:	eb d3                	jmp    0xfffffffffffffff1
  1e:	89 f0                	mov    %esi,%eax
  20:	ba 57 bd 08 c2       	mov    $0xc208bd57,%edx
  25:	e8 6d e5 fd ff       	callq  0xfffffffffffde597
  2a:*	0f 0b                	ud2    		<-- trapping instruction
  2c:	68 a8 5d 6c c2       	pushq  $0xffffffffc26c5da8
  31:	e8 91 5f 32 00       	callq  0x325fc7
  36:	f7 06 00 00 01 00    	testl  $0x10000,(%rsi)
  3c:	75 0e                	jne    0x4c
  3e:	b0 01                	mov    $0x1,%al

Code starting with the faulting instruction
===========================================
   0:	0f 0b                	ud2    
   2:	68 a8 5d 6c c2       	pushq  $0xffffffffc26c5da8
   7:	e8 91 5f 32 00       	callq  0x325f9d
   c:	f7 06 00 00 01 00    	testl  $0x10000,(%rsi)
  12:	75 0e                	jne    0x22
  14:	b0 01                	mov    $0x1,%al
[  160.583809][ T3738] EAX: 00000019 EBX: ef07cc44 ECX: 00000000 EDX: 00000000
[  160.584862][ T3738] ESI: ef07cc40 EDI: 000696e2 EBP: f3fdbafb ESP: f3fdbad7
[  160.585630][ T3738] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00010296
[  160.586699][ T3738] CR0: 80050033 CR2: b6ede000 CR3: 33cdc000 CR4: 000406d0
[  160.587385][ T3738] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[  160.588052][ T3738] DR6: fffe0ff0 DR7: 00000400
[  160.588677][ T3738] Call Trace:
[ 160.589204][ T3738] free_unref_page_list (amd_bus.c:?) 
[ 160.589931][ T3738] release_pages (amd_bus.c:?) 
[ 160.590585][ T3738] __pagevec_lru_add (amd_bus.c:?) 
[ 160.591322][ T3738] lru_cache_add (amd_bus.c:?) 
[ 160.592020][ T3738] shmem_getpage_gfp (shmem.c:?) 
[ 160.598249][ T3738] ? lock_release (amd_bus.c:?) 
[ 160.598964][ T3738] shmem_fault.llvm.5707627789443021191 (amd_bus.c:?) 
[ 160.599890][ T3738] __do_fault (memory.c:?) 
[ 160.600587][ T3738] handle_mm_fault (amd_bus.c:?) 
[ 160.601334][ T3738] ? lock_is_held_type (amd_bus.c:?) 
[ 160.602076][ T3738] ? filemap_read_page (amd_bus.c:?) 
[ 160.602832][ T3738] do_user_addr_fault (fault.c:?) 
[ 160.603573][ T3738] exc_page_fault (amd_bus.c:?) 
[ 160.604250][ T3738] ? sysvec_kvm_asyncpf_interrupt (amd_bus.c:?) 
[ 160.605088][ T3738] handle_exception (??:?) 
[ 160.605812][ T3738] EIP: __get_user_nocheck_1 (??:?) 
[ 160.606629][ T3738] Code: 8b 10 31 c0 8d 76 00 c3 ba f9 ff ff bf 39 d0 73 66 19 d2 21 d0 8d 76 00 8b 10 8b 48 04 31 c0 8d 76 00 c3 90 8d 76 00 0f ae e8 <0f> b6 10 31 c0 8d 76 00 c3 90 8d 76 00 0f ae e8 0f b7 10 31 c0 8d
All code
========
   0:	8b 10                	mov    (%rax),%edx
   2:	31 c0                	xor    %eax,%eax
   4:	8d 76 00             	lea    0x0(%rsi),%esi
   7:	c3                   	retq   
   8:	ba f9 ff ff bf       	mov    $0xbffffff9,%edx
   d:	39 d0                	cmp    %edx,%eax
   f:	73 66                	jae    0x77
  11:	19 d2                	sbb    %edx,%edx
  13:	21 d0                	and    %edx,%eax
  15:	8d 76 00             	lea    0x0(%rsi),%esi
  18:	8b 10                	mov    (%rax),%edx
  1a:	8b 48 04             	mov    0x4(%rax),%ecx
  1d:	31 c0                	xor    %eax,%eax
  1f:	8d 76 00             	lea    0x0(%rsi),%esi
  22:	c3                   	retq   
  23:	90                   	nop
  24:	8d 76 00             	lea    0x0(%rsi),%esi
  27:	0f ae e8             	lfence 
  2a:*	0f b6 10             	movzbl (%rax),%edx		<-- trapping instruction
  2d:	31 c0                	xor    %eax,%eax
  2f:	8d 76 00             	lea    0x0(%rsi),%esi
  32:	c3                   	retq   
  33:	90                   	nop
  34:	8d 76 00             	lea    0x0(%rsi),%esi
  37:	0f ae e8             	lfence 
  3a:	0f b7 10             	movzwl (%rax),%edx
  3d:	31 c0                	xor    %eax,%eax
  3f:	8d                   	.byte 0x8d

Code starting with the faulting instruction
===========================================
   0:	0f b6 10             	movzbl (%rax),%edx
   3:	31 c0                	xor    %eax,%eax
   5:	8d 76 00             	lea    0x0(%rsi),%esi
   8:	c3                   	retq   
   9:	90                   	nop
   a:	8d 76 00             	lea    0x0(%rsi),%esi
   d:	0f ae e8             	lfence 
  10:	0f b7 10             	movzwl (%rax),%edx
  13:	31 c0                	xor    %eax,%eax
  15:	8d                   	.byte 0x8d
[  160.609358][ T3738] EAX: b6ede000 EBX: b6edf000 ECX: 00001000 EDX: 00000000
[  160.610379][ T3738] ESI: b6eddbb6 EDI: b6ede000 EBP: f3fdbd84 ESP: f3fdbd73
[  160.611350][ T3738] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00010287
[ 160.612444][ T3738] ? sysvec_kvm_asyncpf_interrupt (amd_bus.c:?) 
[ 160.613226][ T3738] ? sysvec_kvm_asyncpf_interrupt (amd_bus.c:?) 
[ 160.614052][ T3738] ? __get_user_nocheck_1 (??:?) 
[ 160.614730][ T3738] ? fault_in_readable (amd_bus.c:?) 
[  160.615445][ T3738] Modules linked in: sd_mod t10_pi evbug serio_raw
[  160.616440][ T3738] ---[ end trace 9bfb0cd82200e1c8 ]---
[ 160.636355][ T3738] EIP: free_unref_page_prepare (page_alloc.c:?) 
[ 160.637238][ T3738] Code: 89 7d f0 89 d7 e8 4d 7a 00 00 89 fa 8b 7d f0 b8 ff ff ff ff 39 c7 0f 84 57 fe ff ff eb d3 89 f0 ba 57 bd 08 c2 e8 6d e5 fd ff <0f> 0b 68 a8 5d 6c c2 e8 91 5f 32 00 f7 06 00 00 01 00 75 0e b0 01
All code
========
   0:	89 7d f0             	mov    %edi,-0x10(%rbp)
   3:	89 d7                	mov    %edx,%edi
   5:	e8 4d 7a 00 00       	callq  0x7a57
   a:	89 fa                	mov    %edi,%edx
   c:	8b 7d f0             	mov    -0x10(%rbp),%edi
   f:	b8 ff ff ff ff       	mov    $0xffffffff,%eax
  14:	39 c7                	cmp    %eax,%edi
  16:	0f 84 57 fe ff ff    	je     0xfffffffffffffe73
  1c:	eb d3                	jmp    0xfffffffffffffff1
  1e:	89 f0                	mov    %esi,%eax
  20:	ba 57 bd 08 c2       	mov    $0xc208bd57,%edx
  25:	e8 6d e5 fd ff       	callq  0xfffffffffffde597
  2a:*	0f 0b                	ud2    		<-- trapping instruction
  2c:	68 a8 5d 6c c2       	pushq  $0xffffffffc26c5da8
  31:	e8 91 5f 32 00       	callq  0x325fc7
  36:	f7 06 00 00 01 00    	testl  $0x10000,(%rsi)
  3c:	75 0e                	jne    0x4c
  3e:	b0 01                	mov    $0x1,%al

Code starting with the faulting instruction
===========================================
   0:	0f 0b                	ud2    
   2:	68 a8 5d 6c c2       	pushq  $0xffffffffc26c5da8
   7:	e8 91 5f 32 00       	callq  0x325f9d
   c:	f7 06 00 00 01 00    	testl  $0x10000,(%rsi)
  12:	75 0e                	jne    0x22
  14:	b0 01                	mov    $0x1,%al


To reproduce:

        # build kernel
	cd linux
	cp config-5.15.0-rc5-00003-gbb523b406c84 .config
	make HOSTCC=clang-14 CC=clang-14 ARCH=i386 olddefconfig prepare modules_prepare bzImage modules
	make HOSTCC=clang-14 CC=clang-14 ARCH=i386 INSTALL_MOD_PATH=<mod-install-dir> modules_install
	cd <mod-install-dir>
	find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz


        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

        # if you come across any failure that blocks the test,
        # please remove the ~/.lkp and /lkp directories to run from a clean state.



---
0DAY/LKP+ Test Infrastructure                   Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org       Intel Corporation

Thanks,
Oliver Sang


View attachment "config-5.15.0-rc5-00003-gbb523b406c84" of type "text/plain" (130762 bytes)

View attachment "job-script" of type "text/plain" (4491 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (13968 bytes)
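The comparison table in the report above is derived from dmesg: each row is a normalised crash line ("kernel BUG at mm/page_alloc.c:1290!" becomes kernel_BUG_at_mm/page_alloc.c, "invalid opcode: 0000 [#1] SMP" becomes invalid_opcode:#[##]) counted once per boot across the parent and the bisected commit. The script below is an added example for this archive page, not the robot's report and not code from lkp-tests: the rewrite rules are an assumption reverse-engineered from the quoted dmesg lines and the table rows they produced, the "boot_failures" definition is assumed, the trailing "Kernel panic" sample line and the clean-boot line are constructed, and the call-trace extractor (which drops frames the unwinder marks with "? " and folds clang's ".llvm.<id>" suffix, as on shmem_fault above) is a generalisation a triager would want for de-duplicating fuzzer crashes, not something the robot is shown to do.

```python
import re
# Strip the "[  160.571891][ T3738] " timestamp/task prefix the kernel prints in front of every line.
_PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T?\d+\]\s*")
# A call-trace frame: optional "? " (unreliable frame), symbol, "(file:line)".
_FRAME = re.compile(r"^(\? )?([A-Za-z_][\w.]*)\s+\(")
# Compiler-generated suffixes folded away so a clang build ("shmem_fault.llvm.5707627789443021191")
# and a gcc build ("foo.isra.0", "foo.cold") of the same function yield the same signature.
_SUFFIX = re.compile(r"\.(?:llvm|isra|constprop|part)\.\d+|\.cold(?:\.\d+)?$")

def canonical_symbol(sym):
    return _SUFFIX.sub("", sym)

# (pattern, key builder) pairs, an assumption modelled on the table above: source line numbers,
# trap numbers and CPU-specific detail are dropped so repeated crashes of one kind share a row.
_RULES = [
    (re.compile(r"^kernel BUG at (\S+?):\d+!"),
     lambda m: "kernel_BUG_at_" + m.group(1)),
    (re.compile(r"^invalid opcode: [0-9a-f]+ \[#\d+\]"),
     lambda m: "invalid_opcode:#[##]"),
    (re.compile(r"^(EIP|RIP): ([A-Za-z_][\w.]*)"),
     lambda m: m.group(1) + ":" + canonical_symbol(m.group(2))),
    (re.compile(r"^Kernel panic - not syncing: (.+?)\s*$"),
     lambda m: "Kernel_panic-not_syncing:" + m.group(1).replace(" ", "_")),
]

def stat_keys(dmesg):
    """Ordered, de-duplicated stat keys for one boot's dmesg."""
    keys = []
    for raw in dmesg.splitlines():
        line = _PREFIX.sub("", raw.rstrip())
        for pat, build in _RULES:
            m = pat.match(line)
            if m:
                key = build(m)
                if key not in keys:
                    keys.append(key)
                break
    return keys

def call_trace(dmesg, keep_unreliable=False):
    """Symbols of the first 'Call Trace:' block, innermost first.  Frames the
    unwinder marks with '? ' are guesses and are dropped unless asked for."""
    frames, in_trace = [], False
    for raw in dmesg.splitlines():
        line = _PREFIX.sub("", raw.rstrip())
        if line.startswith("Call Trace:"):
            in_trace = True
        elif line.startswith(("---[ end trace", "Modules linked in:")):
            break
        elif in_trace:
            m = _FRAME.match(line)
            if m and (keep_unreliable or not m.group(1)):
                frames.append(canonical_symbol(m.group(2)))
    return frames

def compare(base_runs, test_runs):
    """Robot-style comparison: key -> [hits in base, hits in test], counting a
    key at most once per boot.  'boot_failures' is taken here to mean boots
    that produced any key (an assumption; the robot's bookkeeping is not shown)."""
    rows = {"boot_failures": [0, 0]}
    for col, runs in ((0, base_runs), (1, test_runs)):
        for dmesg in runs:
            keys = stat_keys(dmesg)
            rows["boot_failures"][col] += bool(keys)
            for key in keys:
                rows.setdefault(key, [0, 0])[col] += 1
    return rows

def render(rows, base="0c8eb2884a", test="bb523b406c"):
    width = max(len(k) for k in rows)
    sep = "+" + "-" * (width + 2) + "+------------+------------+"
    body = [f"| {k:<{width}} | {v[0]:<10} | {v[1]:<10} |" for k, v in rows.items()]
    return "\n".join([sep, f"| {'':<{width}} | {base:<10} | {test:<10} |", sep] + body + [sep])

# Crash lines quoted from the report above; the final 'Kernel panic' line is
# constructed, since the quoted excerpt stops before it.
CRASH_DMESG = """\
[  160.571891][ T3738] kernel BUG at mm/page_alloc.c:1290!
[  160.576853][ T3738] invalid opcode: 0000 [#1] SMP
[ 160.580258][ T3738] EIP: free_unref_page_prepare (page_alloc.c:?)
[  160.588677][ T3738] Call Trace:
[ 160.589204][ T3738] free_unref_page_list (amd_bus.c:?)
[ 160.589931][ T3738] release_pages (amd_bus.c:?)
[ 160.592020][ T3738] shmem_getpage_gfp (shmem.c:?)
[ 160.598249][ T3738] ? lock_release (amd_bus.c:?)
[ 160.598964][ T3738] shmem_fault.llvm.5707627789443021191 (amd_bus.c:?)
[ 160.605812][ T3738] EIP: __get_user_nocheck_1 (??:?)
[ 160.614730][ T3738] ? fault_in_readable (amd_bus.c:?)
[  160.616440][ T3738] ---[ end trace 9bfb0cd82200e1c8 ]---
[ 160.636355][ T3738] EIP: free_unref_page_prepare (page_alloc.c:?)
[  160.640000][ T3738] Kernel panic - not syncing: Fatal exception
"""
# Constructed stand-in for a clean boot on the parent commit.
CLEAN_DMESG = "[    0.000000][    T0] Linux version 5.15.0-rc5 (constructed sample)\n"

if __name__ == "__main__":
    print(render(compare([CLEAN_DMESG] * 7, [CRASH_DMESG] * 7)))
    print("crash path:", " <- ".join(call_trace(CRASH_DMESG)))
```

Run stand-alone it prints a table with the same rows and column widths as the one in the report (seven failing boots against zero on the parent), followed by the reliable part of the crash path. The second EIP: free_unref_page_prepare dump after "end trace" collapses onto the existing row, which is why a row counts boots rather than occurrences; keep_unreliable=True brings back the "? fault_in_readable" frame, the only visible link from this trace to the fault_in_readable helper the bisected commit introduced.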
