Date:   Thu, 5 May 2022 15:07:00 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     "Liam R. Howlett" <Liam.Howlett@...cle.com>
Cc:     Johannes Weiner <hannes@...xchg.org>,
        Matthew Wilcox <willy@...radead.org>,
        Catalin Marinas <catalin.marinas@....com>,
        David Howells <dhowells@...hat.com>,
        Vlastimil Babka <vbabka@...e.cz>,
        Will Deacon <will@...nel.org>, Yu Zhao <yuzhao@...gle.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org,
        lkp@...el.com
Subject: [mm]  f90a08f5f1: BUG:kernel_NULL_pointer_dereference,address

Greetings,

FYI, we noticed the following commit (built with clang-15):

commit: f90a08f5f1a50299dea25257052279c662938c2f ("mm: start tracking VMAs with maple tree")
https://github.com/hnaz/linux-mm master

in testcase: trinity
version: trinity-static-i386-x86_64-f93256fb_2019-08-28
with the following parameters:

	runtime: 300s
	group: group-01

test-description: Trinity is a Linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-i386 -enable-kvm -cpu SandyBridge -smp 2 -m 4G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):

If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <oliver.sang@...el.com>


[   63.176703][ T4628] BUG: kernel NULL pointer dereference, address: 00000000
[   63.177376][ T4628] #PF: supervisor read access in kernel mode
[   63.177882][ T4628] #PF: error_code(0x0000) - not-present page
[   63.178387][ T4628] *pde = 00000000
[   63.178731][ T4628] Oops: 0000 [#1] SMP
[   63.179091][ T4628] CPU: 1 PID: 4628 Comm: trinity-c1 Tainted: G        W         5.18.0-rc4-mm1-00282-gf90a08f5f1a5 #1
[   63.180001][ T4628] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 63.180775][ T4628] EIP: mas_update_gap (maple_tree.c:?) 
[ 63.181205][ T4628] Code: 41 28 83 e0 01 f7 d8 81 c7 a8 00 00 00 21 f8 39 34 90 74 0e eb 26 39 35 00 00 00 00 0f 85 f3 01 00 00 83 c4 24 5e 5f 5b 5d c3 <39> 34 95 00 00 00 00 74 ef 8b 45 f0 8d b8 a8 00 00 00 8b 45 ec 01
All code
========
   0:	41 28 83 e0 01 f7 d8 	sub    %al,-0x2708fe20(%r11)
   7:	81 c7 a8 00 00 00    	add    $0xa8,%edi
   d:	21 f8                	and    %edi,%eax
   f:	39 34 90             	cmp    %esi,(%rax,%rdx,4)
  12:	74 0e                	je     0x22
  14:	eb 26                	jmp    0x3c
  16:	39 35 00 00 00 00    	cmp    %esi,0x0(%rip)        # 0x1c
  1c:	0f 85 f3 01 00 00    	jne    0x215
  22:	83 c4 24             	add    $0x24,%esp
  25:	5e                   	pop    %rsi
  26:	5f                   	pop    %rdi
  27:	5b                   	pop    %rbx
  28:	5d                   	pop    %rbp
  29:	c3                   	retq   
  2a:*	39 34 95 00 00 00 00 	cmp    %esi,0x0(,%rdx,4)		<-- trapping instruction
  31:	74 ef                	je     0x22
  33:	8b 45 f0             	mov    -0x10(%rbp),%eax
  36:	8d b8 a8 00 00 00    	lea    0xa8(%rax),%edi
  3c:	8b 45 ec             	mov    -0x14(%rbp),%eax
  3f:	01                   	.byte 0x1

Code starting with the faulting instruction
===========================================
   0:	39 34 95 00 00 00 00 	cmp    %esi,0x0(,%rdx,4)
   7:	74 ef                	je     0xfffffffffffffff8
   9:	8b 45 f0             	mov    -0x10(%rbp),%eax
   c:	8d b8 a8 00 00 00    	lea    0xa8(%rax),%edi
  12:	8b 45 ec             	mov    -0x14(%rbp),%eax
  15:	01                   	.byte 0x1
[   63.184481][ T4628] EAX: 00000086 EBX: f49e5f86 ECX: f4da9244 EDX: 00000000
[   63.185067][ T4628] ESI: 00100000 EDI: f49e5f00 EBP: f4f83938 ESP: f4f83908
[   63.185648][ T4628] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00010282
[   63.186310][ T4628] CR0: 80050033 CR2: 00000000 CR3: 34895000 CR4: 00040690
[   63.186898][ T4628] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[   63.187490][ T4628] DR6: fffe0ff0 DR7: 00000400
[   63.187900][ T4628] Call Trace:
[ 63.188211][ T4628] mas_wr_modify (maple_tree.c:?) 
[ 63.188632][ T4628] ? mas_wr_modify (maple_tree.c:?) 
[ 63.189062][ T4628] ? __lock_acquire (lockdep.c:?) 
[ 63.189495][ T4628] ? __lock_acquire (lockdep.c:?) 
[ 63.189924][ T4628] ? update_stack_state (unwind_frame.c:?) 
[ 63.190371][ T4628] ? update_stack_state (unwind_frame.c:?) 
[ 63.190819][ T4628] ? update_stack_state (unwind_frame.c:?) 
[ 63.191274][ T4628] ? is_module_text_address (??:?) 
[ 63.191736][ T4628] ? __kernel_text_address (??:?) 
[ 63.192191][ T4628] mas_wr_store_entry (maple_tree.c:?) 
[ 63.192627][ T4628] ? trace_ma_write (maple_tree.c:?) 
[ 63.193039][ T4628] mas_store_prealloc (??:?) 
[ 63.193463][ T4628] __vma_adjust (??:?) 
[ 63.193862][ T4628] ? rcu_read_lock_sched_held (??:?) 
[ 63.194333][ T4628] __split_vma (??:?) 
[ 63.194719][ T4628] split_vma (??:?) 
[ 63.195087][ T4628] mprotect_fixup (??:?) 
[ 63.195505][ T4628] __ia32_sys_mprotect (??:?) 
[ 63.195951][ T4628] __do_fast_syscall_32 (common.c:?) 
[ 63.196406][ T4628] ? irqentry_exit (??:?) 
[ 63.196813][ T4628] ? irqentry_exit_to_user_mode (??:?) 
[ 63.197301][ T4628] do_fast_syscall_32 (??:?) 
[ 63.197724][ T4628] do_SYSENTER_32 (??:?) 
[ 63.198121][ T4628] entry_SYSENTER_32 (??:?) 
[   63.198548][ T4628] EIP: 0xb7f6f509
[ 63.198886][ T4628] Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 0f 1f 00 58 b8 77 00 00 00 cd 80 90 0f 1f
All code
========
   0:	b8 01 10 06 03       	mov    $0x3061001,%eax
   5:	74 b4                	je     0xffffffffffffffbb
   7:	01 10                	add    %edx,(%rax)
   9:	07                   	(bad)  
   a:	03 74 b0 01          	add    0x1(%rax,%rsi,4),%esi
   e:	10 08                	adc    %cl,(%rax)
  10:	03 74 d8 01          	add    0x1(%rax,%rbx,8),%esi
	...
  20:	00 51 52             	add    %dl,0x52(%rcx)
  23:	55                   	push   %rbp
  24:	89 e5                	mov    %esp,%ebp
  26:	0f 34                	sysenter 
  28:	cd 80                	int    $0x80
  2a:*	5d                   	pop    %rbp		<-- trapping instruction
  2b:	5a                   	pop    %rdx
  2c:	59                   	pop    %rcx
  2d:	c3                   	retq   
  2e:	90                   	nop
  2f:	90                   	nop
  30:	90                   	nop
  31:	90                   	nop
  32:	0f 1f 00             	nopl   (%rax)
  35:	58                   	pop    %rax
  36:	b8 77 00 00 00       	mov    $0x77,%eax
  3b:	cd 80                	int    $0x80
  3d:	90                   	nop
  3e:	0f                   	.byte 0xf
  3f:	1f                   	(bad)  

Code starting with the faulting instruction
===========================================
   0:	5d                   	pop    %rbp
   1:	5a                   	pop    %rdx
   2:	59                   	pop    %rcx
   3:	c3                   	retq   
   4:	90                   	nop
   5:	90                   	nop
   6:	90                   	nop
   7:	90                   	nop
   8:	0f 1f 00             	nopl   (%rax)
   b:	58                   	pop    %rax
   c:	b8 77 00 00 00       	mov    $0x77,%eax
  11:	cd 80                	int    $0x80
  13:	90                   	nop
  14:	0f                   	.byte 0xf
  15:	1f                   	(bad)  


To reproduce:

        # build kernel
        cd linux
        cp config-5.18.0-rc4-mm1-00282-gf90a08f5f1a5 .config
        make HOSTCC=clang-15 CC=clang-15 ARCH=i386 olddefconfig prepare modules_prepare bzImage modules
        make HOSTCC=clang-15 CC=clang-15 ARCH=i386 INSTALL_MOD_PATH=<mod-install-dir> modules_install
        cd <mod-install-dir>
        find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz

        # run the job under qemu with the LKP test harness
        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

        # if you come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.



-- 
0-DAY CI Kernel Test Service
https://01.org/lkp

Attachments: "config-5.18.0-rc4-mm1-00282-gf90a08f5f1a5" (text/plain, 169605 bytes), "job-script" (text/plain, 4514 bytes), "dmesg.xz" (application/x-xz, 146216 bytes)