Message-ID: <20220519080136.GB34017@xsang-OptiPlex-9020>
Date: Thu, 19 May 2022 16:01:37 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Jakub Matěna <matenajakub@...il.com>
Cc: 0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
lkp@...ts.01.org, linux-mm@...ck.org, patches@...ts.linux.dev,
vbabka@...e.cz, mhocko@...nel.org, mgorman@...hsingularity.net,
willy@...radead.org, liam.howlett@...cle.com, hughd@...gle.com,
kirill@...temov.name, riel@...riel.com, rostedt@...dmis.org,
peterz@...radead.org, david@...hat.com,
Jakub Matěna <matenajakub@...il.com>
Subject: [mm] d0a63efe2f: WARNING:at_mm/rmap.c:#reconnect_page_pte
Greetings,
FYI, we noticed the following commit (built with clang-15):
commit: d0a63efe2faccada7d878ed990e446aab96ec964 ("[RFC PATCH v3 5/6] [PATCH 5/6] mm: enable merging of VMAs with different anon_vmas")
url: https://github.com/intel-lab-lkp/linux/commits/Jakub-Mat-na/Removing-limitations-of-merging-anonymous-VMAs/20220516-205637
base: https://git.kernel.org/cgit/linux/kernel/git/kees/linux.git for-next/execve
patch link: https://lore.kernel.org/linux-mm/20220516125405.1675-6-matenajakub@gmail.com
in testcase: trinity
version: trinity-static-i386-x86_64-f93256fb_2019-08-28
with the following parameters:

	runtime: 300s
	group: group-03

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/

on test machine: qemu-system-i386 -enable-kvm -cpu SandyBridge -smp 2 -m 4G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):

If you fix the issue, kindly add the following tag:
Reported-by: kernel test robot <oliver.sang@...el.com>

[ 89.161564][ T3735] WARNING: CPU: 0 PID: 3735 at mm/rmap.c:416 reconnect_page_pte (rmap.c:?)
[ 89.162266][ T3735] Modules linked in: i2c_piix4
[ 89.162664][ T3735] CPU: 0 PID: 3735 Comm: trinity-c1 Not tainted 5.18.0-rc2-00008-gd0a63efe2fac #1 fe7dc62a49119a172a4e1ee5fa133e62ef344742
[ 89.163746][ T3735] EIP: reconnect_page_pte (rmap.c:?)
[ 89.164209][ T3735] Code: ff 0f 0b b8 10 84 64 c7 e8 b7 dc 15 00 48 83 78 1c 00 75 c4 ba 83 87 f9 c6 e8 86 af fe ff 0f 0b b8 10 84 64 c7 e8 9a dc 15 00 <0f> 0b 8b 47 44 3b 42 44 0f 85 48 ff ff ff 0f 0b e9 41 ff ff ff 00
All code
========
0: ff 0f decl (%rdi)
2: 0b b8 10 84 64 c7 or -0x389b7bf0(%rax),%edi
8: e8 b7 dc 15 00 callq 0x15dcc4
d: 48 83 78 1c 00 cmpq $0x0,0x1c(%rax)
12: 75 c4 jne 0xffffffffffffffd8
14: ba 83 87 f9 c6 mov $0xc6f98783,%edx
19: e8 86 af fe ff callq 0xfffffffffffeafa4
1e: 0f 0b ud2
20: b8 10 84 64 c7 mov $0xc7648410,%eax
25: e8 9a dc 15 00 callq 0x15dcc4
2a:* 0f 0b ud2 <-- trapping instruction
2c: 8b 47 44 mov 0x44(%rdi),%eax
2f: 3b 42 44 cmp 0x44(%rdx),%eax
32: 0f 85 48 ff ff ff jne 0xffffffffffffff80
38: 0f 0b ud2
3a: e9 41 ff ff ff jmpq 0xffffffffffffff80
...
Code starting with the faulting instruction
===========================================
0: 0f 0b ud2
2: 8b 47 44 mov 0x44(%rdi),%eax
5: 3b 42 44 cmp 0x44(%rdx),%eax
8: 0f 85 48 ff ff ff jne 0xffffffffffffff56
e: 0f 0b ud2
10: e9 41 ff ff ff jmpq 0xffffffffffffff56
...
[ 89.165822][ T3735] EAX: ebe211ef EBX: ee4c1df4 ECX: 00000081 EDX: ebf0f810
[ 89.166440][ T3735] ESI: e69cd260 EDI: ecbd5c30 EBP: ee4c1d50 ESP: ee4c1d44
[ 89.167002][ T3735] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068 EFLAGS: 00010217
[ 89.167600][ T3735] CR0: 80050033 CR2: 00000001 CR3: 2be82000 CR4: 00040690
[ 89.168176][ T3735] Call Trace:
[ 89.168448][ T3735] ? reconnect_pages_range (rmap.c:?)
[ 89.168898][ T3735] walk_pte_range (fbdev.c:?)
[ 89.169289][ T3735] __walk_page_range (fbdev.c:?)
[ 89.169681][ T3735] reconnect_pages_range (fbdev.c:?)
[ 89.170096][ T3735] ? reconnect_pages_range (rmap.c:?)
[ 89.170528][ T3735] __vma_adjust (fbdev.c:?)
[ 89.170880][ T3735] ? lock_release (fbdev.c:?)
[ 89.171243][ T3735] vma_merge (fbdev.c:?)
[ 89.171593][ T3735] mprotect_fixup (fbdev.c:?)
[ 89.171984][ T3735] ? lock_is_held_type (fbdev.c:?)
[ 89.172421][ T3735] do_mprotect_pkey (mprotect.c:?)
[ 89.172833][ T3735] __ia32_sys_mprotect (fbdev.c:?)
[ 89.173251][ T3735] __do_fast_syscall_32 (common.c:?)
[ 89.173681][ T3735] ? irqentry_exit (fbdev.c:?)
[ 89.174079][ T3735] ? irqentry_exit_to_user_mode (fbdev.c:?)
[ 89.174559][ T3735] do_fast_syscall_32 (fbdev.c:?)
[ 89.174982][ T3735] do_SYSENTER_32 (fbdev.c:?)
[ 89.175364][ T3735] entry_SYSENTER_32 (??:?)
[ 89.175772][ T3735] EIP: 0xb7f7b509
[ 89.176080][ T3735] Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00
All code
========
0: b8 01 10 06 03 mov $0x3061001,%eax
5: 74 b4 je 0xffffffffffffffbb
7: 01 10 add %edx,(%rax)
9: 07 (bad)
a: 03 74 b0 01 add 0x1(%rax,%rsi,4),%esi
e: 10 08 adc %cl,(%rax)
10: 03 74 d8 01 add 0x1(%rax,%rbx,8),%esi
...
20: 00 51 52 add %dl,0x52(%rcx)
23: 55 push %rbp
24: 89 e5 mov %esp,%ebp
26: 0f 34 sysenter
28: cd 80 int $0x80
2a:* 5d pop %rbp <-- trapping instruction
2b: 5a pop %rdx
2c: 59 pop %rcx
2d: c3 retq
2e: 90 nop
2f: 90 nop
30: 90 nop
31: 90 nop
32: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
39: 00 00 00
3c: 0f .byte 0xf
3d: 1f (bad)
3e: 44 rex.R
...
Code starting with the faulting instruction
===========================================
0: 5d pop %rbp
1: 5a pop %rdx
2: 59 pop %rcx
3: c3 retq
4: 90 nop
5: 90 nop
6: 90 nop
7: 90 nop
8: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
f: 00 00 00
12: 0f .byte 0xf
13: 1f (bad)
14: 44 rex.R
...
[ 89.177743][ T3735] EAX: ffffffda EBX: b3a00000 ECX: 00200000 EDX: 00000003
[ 89.178339][ T3735] ESI: b3a00000 EDI: 00200000 EBP: b7502000 ESP: bfea2918
[ 89.178937][ T3735] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000296
[ 89.179571][ T3735] irq event stamp: 1828581
[ 89.179940][ T3735] hardirqs last enabled at (1828589): __up_console_sem (printk.c:?)
[ 89.180705][ T3735] hardirqs last disabled at (1828596): __up_console_sem (printk.c:?)
[ 89.181450][ T3735] softirqs last enabled at (1822860): release_sock (fbdev.c:?)
[ 89.182112][ T3735] softirqs last disabled at (1822858): release_sock (fbdev.c:?)
[ 89.182805][ T3735] ---[ end trace 0000000000000000 ]---
[ 89.183277][ T3735] ------------[ cut here ]------------

To reproduce:

        # build kernel
        cd linux
        cp config-5.18.0-rc2-00008-gd0a63efe2fac .config
        make HOSTCC=clang-15 CC=clang-15 ARCH=i386 olddefconfig prepare modules_prepare bzImage modules
        make HOSTCC=clang-15 CC=clang-15 ARCH=i386 INSTALL_MOD_PATH=<mod-install-dir> modules_install
        cd <mod-install-dir>
        find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

        # if you come across any failure that blocks the test,
        # please remove the ~/.lkp and /lkp dirs to run from a clean state.

--
0-DAY CI Kernel Test Service
https://01.org/lkp
View attachment "config-5.18.0-rc2-00008-gd0a63efe2fac" of type "text/plain" (138174 bytes)
View attachment "job-script" of type "text/plain" (4729 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (40516 bytes)