Date: Thu, 5 May 2022 15:07:00 +0800
From: kernel test robot <oliver.sang@...el.com>
To: "Liam R. Howlett" <Liam.Howlett@...cle.com>
Cc: Johannes Weiner <hannes@...xchg.org>, Matthew Wilcox <willy@...radead.org>, Catalin Marinas <catalin.marinas@....com>, David Howells <dhowells@...hat.com>, Vlastimil Babka <vbabka@...e.cz>, Will Deacon <will@...nel.org>, Yu Zhao <yuzhao@...gle.com>, Andrew Morton <akpm@...ux-foundation.org>, LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org, lkp@...el.com
Subject: [mm] f90a08f5f1: BUG:kernel_NULL_pointer_dereference,address

Greeting,

FYI, we noticed the following commit (built with clang-15):

commit: f90a08f5f1a50299dea25257052279c662938c2f ("mm: start tracking VMAs with maple tree")
https://github.com/hnaz/linux-mm master

in testcase: trinity
version: trinity-static-i386-x86_64-f93256fb_2019-08-28
with the following parameters:

        runtime: 300s
        group: group-01

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/

on test machine: qemu-system-i386 -enable-kvm -cpu SandyBridge -smp 2 -m 4G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):

If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <oliver.sang@...el.com>

[   63.176703][ T4628] BUG: kernel NULL pointer dereference, address: 00000000
[   63.177376][ T4628] #PF: supervisor read access in kernel mode
[   63.177882][ T4628] #PF: error_code(0x0000) - not-present page
[   63.178387][ T4628] *pde = 00000000
[   63.178731][ T4628] Oops: 0000 [#1] SMP
[   63.179091][ T4628] CPU: 1 PID: 4628 Comm: trinity-c1 Tainted: G        W         5.18.0-rc4-mm1-00282-gf90a08f5f1a5 #1
[   63.180001][ T4628] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[   63.180775][ T4628] EIP: mas_update_gap (maple_tree.c:?)
[   63.181205][ T4628] Code: 41 28 83 e0 01 f7 d8 81 c7 a8 00 00 00 21 f8 39 34 90 74 0e eb 26 39 35 00 00 00 00 0f 85 f3 01 00 00 83 c4 24 5e 5f 5b 5d c3 <39> 34 95 00 00 00 00 74 ef 8b 45 f0 8d b8 a8 00 00 00 8b 45 ec 01
All code
========
   0:   41 28 83 e0 01 f7 d8    sub    %al,-0x2708fe20(%r11)
   7:   81 c7 a8 00 00 00       add    $0xa8,%edi
   d:   21 f8                   and    %edi,%eax
   f:   39 34 90                cmp    %esi,(%rax,%rdx,4)
  12:   74 0e                   je     0x22
  14:   eb 26                   jmp    0x3c
  16:   39 35 00 00 00 00       cmp    %esi,0x0(%rip)        # 0x1c
  1c:   0f 85 f3 01 00 00       jne    0x215
  22:   83 c4 24                add    $0x24,%esp
  25:   5e                      pop    %rsi
  26:   5f                      pop    %rdi
  27:   5b                      pop    %rbx
  28:   5d                      pop    %rbp
  29:   c3                      retq
  2a:*  39 34 95 00 00 00 00    cmp    %esi,0x0(,%rdx,4)        <-- trapping instruction
  31:   74 ef                   je     0x22
  33:   8b 45 f0                mov    -0x10(%rbp),%eax
  36:   8d b8 a8 00 00 00       lea    0xa8(%rax),%edi
  3c:   8b 45 ec                mov    -0x14(%rbp),%eax
  3f:   01                      .byte 0x1

Code starting with the faulting instruction
===========================================
   0:   39 34 95 00 00 00 00    cmp    %esi,0x0(,%rdx,4)
   7:   74 ef                   je     0xfffffffffffffff8
   9:   8b 45 f0                mov    -0x10(%rbp),%eax
   c:   8d b8 a8 00 00 00       lea    0xa8(%rax),%edi
  12:   8b 45 ec                mov    -0x14(%rbp),%eax
  15:   01                      .byte 0x1
[   63.184481][ T4628] EAX: 00000086 EBX: f49e5f86 ECX: f4da9244 EDX: 00000000
[   63.185067][ T4628] ESI: 00100000 EDI: f49e5f00 EBP: f4f83938 ESP: f4f83908
[   63.185648][ T4628] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00010282
[   63.186310][ T4628] CR0: 80050033 CR2: 00000000 CR3: 34895000 CR4: 00040690
[   63.186898][ T4628] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[   63.187490][ T4628] DR6: fffe0ff0 DR7: 00000400
[   63.187900][ T4628] Call Trace:
[   63.188211][ T4628]  mas_wr_modify (maple_tree.c:?)
[   63.188632][ T4628]  ? mas_wr_modify (maple_tree.c:?)
[   63.189062][ T4628]  ? __lock_acquire (lockdep.c:?)
[   63.189495][ T4628]  ? __lock_acquire (lockdep.c:?)
[   63.189924][ T4628]  ? update_stack_state (unwind_frame.c:?)
[   63.190371][ T4628]  ? update_stack_state (unwind_frame.c:?)
[   63.190819][ T4628]  ? update_stack_state (unwind_frame.c:?)
[   63.191274][ T4628]  ? is_module_text_address (??:?)
[   63.191736][ T4628]  ? __kernel_text_address (??:?)
[   63.192191][ T4628]  mas_wr_store_entry (maple_tree.c:?)
[   63.192627][ T4628]  ? trace_ma_write (maple_tree.c:?)
[   63.193039][ T4628]  mas_store_prealloc (??:?)
[   63.193463][ T4628]  __vma_adjust (??:?)
[   63.193862][ T4628]  ? rcu_read_lock_sched_held (??:?)
[   63.194333][ T4628]  __split_vma (??:?)
[   63.194719][ T4628]  split_vma (??:?)
[   63.195087][ T4628]  mprotect_fixup (??:?)
[   63.195505][ T4628]  __ia32_sys_mprotect (??:?)
[   63.195951][ T4628]  __do_fast_syscall_32 (common.c:?)
[   63.196406][ T4628]  ? irqentry_exit (??:?)
[   63.196813][ T4628]  ? irqentry_exit_to_user_mode (??:?)
[   63.197301][ T4628]  do_fast_syscall_32 (??:?)
[   63.197724][ T4628]  do_SYSENTER_32 (??:?)
[   63.198121][ T4628]  entry_SYSENTER_32 (??:?)
[   63.198548][ T4628] EIP: 0xb7f6f509
[   63.198886][ T4628] Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 0f 1f 00 58 b8 77 00 00 00 cd 80 90 0f 1f
All code
========
   0:   b8 01 10 06 03          mov    $0x3061001,%eax
   5:   74 b4                   je     0xffffffffffffffbb
   7:   01 10                   add    %edx,(%rax)
   9:   07                      (bad)
   a:   03 74 b0 01             add    0x1(%rax,%rsi,4),%esi
   e:   10 08                   adc    %cl,(%rax)
  10:   03 74 d8 01             add    0x1(%rax,%rbx,8),%esi
        ...
  20:   00 51 52                add    %dl,0x52(%rcx)
  23:   55                      push   %rbp
  24:   89 e5                   mov    %esp,%ebp
  26:   0f 34                   sysenter
  28:   cd 80                   int    $0x80
  2a:*  5d                      pop    %rbp             <-- trapping instruction
  2b:   5a                      pop    %rdx
  2c:   59                      pop    %rcx
  2d:   c3                      retq
  2e:   90                      nop
  2f:   90                      nop
  30:   90                      nop
  31:   90                      nop
  32:   0f 1f 00                nopl   (%rax)
  35:   58                      pop    %rax
  36:   b8 77 00 00 00          mov    $0x77,%eax
  3b:   cd 80                   int    $0x80
  3d:   90                      nop
  3e:   0f                      .byte 0xf
  3f:   1f                      (bad)

Code starting with the faulting instruction
===========================================
   0:   5d                      pop    %rbp
   1:   5a                      pop    %rdx
   2:   59                      pop    %rcx
   3:   c3                      retq
   4:   90                      nop
   5:   90                      nop
   6:   90                      nop
   7:   90                      nop
   8:   0f 1f 00                nopl   (%rax)
   b:   58                      pop    %rax
   c:   b8 77 00 00 00          mov    $0x77,%eax
  11:   cd 80                   int    $0x80
  13:   90                      nop
  14:   0f                      .byte 0xf
  15:   1f                      (bad)


To reproduce:

        # build kernel
        cd linux
        cp config-5.18.0-rc4-mm1-00282-gf90a08f5f1a5 .config
        make HOSTCC=clang-15 CC=clang-15 ARCH=i386 olddefconfig prepare modules_prepare bzImage modules
        make HOSTCC=clang-15 CC=clang-15 ARCH=i386 INSTALL_MOD_PATH=<mod-install-dir> modules_install
        cd <mod-install-dir>
        find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz


        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

        # if you come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.



-- 
0-DAY CI Kernel Test Service
https://01.org/lkp

View attachment "config-5.18.0-rc4-mm1-00282-gf90a08f5f1a5" of type "text/plain" (169605 bytes)
View attachment "job-script" of type "text/plain" (4514 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (146216 bytes)