| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 19 May 2022 16:01:37 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Jakub Matěna <matenajakub@...il.com>
Cc: 0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
lkp@...ts.01.org, linux-mm@...ck.org, patches@...ts.linux.dev,
vbabka@...e.cz, mhocko@...nel.org, mgorman@...hsingularity.net,
willy@...radead.org, liam.howlett@...cle.com, hughd@...gle.com,
kirill@...temov.name, riel@...riel.com, rostedt@...dmis.org,
peterz@...radead.org, david@...hat.com,
Jakub Matěna <matenajakub@...il.com>
Subject: [mm] d0a63efe2f: WARNING:at_mm/rmap.c:#reconnect_page_pte
Greeting,
FYI, we noticed the following commit (built with clang-15):
commit: d0a63efe2faccada7d878ed990e446aab96ec964 ("[RFC PATCH v3 5/6] [PATCH 5/6] mm: enable merging of VMAs with different anon_vmas")
url: https://github.com/intel-lab-lkp/linux/commits/Jakub-Mat-na/Removing-limitations-of-merging-anonymous-VMAs/20220516-205637
base: https://git.kernel.org/cgit/linux/kernel/git/kees/linux.git for-next/execve
patch link: https://lore.kernel.org/linux-mm/20220516125405.1675-6-matenajakub@gmail.com
in testcase: trinity
version: trinity-static-i386-x86_64-f93256fb_2019-08-28
with following parameters:
runtime: 300s
group: group-03
test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/
on test machine: qemu-system-i386 -enable-kvm -cpu SandyBridge -smp 2 -m 4G
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>
[ 89.161564][ T3735] WARNING: CPU: 0 PID: 3735 at mm/rmap.c:416 reconnect_page_pte (rmap.c:?)
[ 89.162266][ T3735] Modules linked in: i2c_piix4
[ 89.162664][ T3735] CPU: 0 PID: 3735 Comm: trinity-c1 Not tainted 5.18.0-rc2-00008-gd0a63efe2fac #1 fe7dc62a49119a172a4e1ee5fa133e62ef344742
[ 89.163746][ T3735] EIP: reconnect_page_pte (rmap.c:?)
[ 89.164209][ T3735] Code: ff 0f 0b b8 10 84 64 c7 e8 b7 dc 15 00 48 83 78 1c 00 75 c4 ba 83 87 f9 c6 e8 86 af fe ff 0f 0b b8 10 84 64 c7 e8 9a dc 15 00 <0f> 0b 8b 47 44 3b 42 44 0f 85 48 ff ff ff 0f 0b e9 41 ff ff ff 00
All code
========
0: ff 0f decl (%rdi)
2: 0b b8 10 84 64 c7 or -0x389b7bf0(%rax),%edi
8: e8 b7 dc 15 00 callq 0x15dcc4
d: 48 83 78 1c 00 cmpq $0x0,0x1c(%rax)
12: 75 c4 jne 0xffffffffffffffd8
14: ba 83 87 f9 c6 mov $0xc6f98783,%edx
19: e8 86 af fe ff callq 0xfffffffffffeafa4
1e: 0f 0b ud2
20: b8 10 84 64 c7 mov $0xc7648410,%eax
25: e8 9a dc 15 00 callq 0x15dcc4
2a:* 0f 0b ud2 <-- trapping instruction
2c: 8b 47 44 mov 0x44(%rdi),%eax
2f: 3b 42 44 cmp 0x44(%rdx),%eax
32: 0f 85 48 ff ff ff jne 0xffffffffffffff80
38: 0f 0b ud2
3a: e9 41 ff ff ff jmpq 0xffffffffffffff80
...
Code starting with the faulting instruction
===========================================
0: 0f 0b ud2
2: 8b 47 44 mov 0x44(%rdi),%eax
5: 3b 42 44 cmp 0x44(%rdx),%eax
8: 0f 85 48 ff ff ff jne 0xffffffffffffff56
e: 0f 0b ud2
10: e9 41 ff ff ff jmpq 0xffffffffffffff56
...
[ 89.165822][ T3735] EAX: ebe211ef EBX: ee4c1df4 ECX: 00000081 EDX: ebf0f810
[ 89.166440][ T3735] ESI: e69cd260 EDI: ecbd5c30 EBP: ee4c1d50 ESP: ee4c1d44
[ 89.167002][ T3735] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068 EFLAGS: 00010217
[ 89.167600][ T3735] CR0: 80050033 CR2: 00000001 CR3: 2be82000 CR4: 00040690
[ 89.168176][ T3735] Call Trace:
[ 89.168448][ T3735] ? reconnect_pages_range (rmap.c:?)
[ 89.168898][ T3735] walk_pte_range (fbdev.c:?)
[ 89.169289][ T3735] __walk_page_range (fbdev.c:?)
[ 89.169681][ T3735] reconnect_pages_range (fbdev.c:?)
[ 89.170096][ T3735] ? reconnect_pages_range (rmap.c:?)
[ 89.170528][ T3735] __vma_adjust (fbdev.c:?)
[ 89.170880][ T3735] ? lock_release (fbdev.c:?)
[ 89.171243][ T3735] vma_merge (fbdev.c:?)
[ 89.171593][ T3735] mprotect_fixup (fbdev.c:?)
[ 89.171984][ T3735] ? lock_is_held_type (fbdev.c:?)
[ 89.172421][ T3735] do_mprotect_pkey (mprotect.c:?)
[ 89.172833][ T3735] __ia32_sys_mprotect (fbdev.c:?)
[ 89.173251][ T3735] __do_fast_syscall_32 (common.c:?)
[ 89.173681][ T3735] ? irqentry_exit (fbdev.c:?)
[ 89.174079][ T3735] ? irqentry_exit_to_user_mode (fbdev.c:?)
[ 89.174559][ T3735] do_fast_syscall_32 (fbdev.c:?)
[ 89.174982][ T3735] do_SYSENTER_32 (fbdev.c:?)
[ 89.175364][ T3735] entry_SYSENTER_32 (??:?)
[ 89.175772][ T3735] EIP: 0xb7f7b509
[ 89.176080][ T3735] Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00
All code
========
0: b8 01 10 06 03 mov $0x3061001,%eax
5: 74 b4 je 0xffffffffffffffbb
7: 01 10 add %edx,(%rax)
9: 07 (bad)
a: 03 74 b0 01 add 0x1(%rax,%rsi,4),%esi
e: 10 08 adc %cl,(%rax)
10: 03 74 d8 01 add 0x1(%rax,%rbx,8),%esi
...
20: 00 51 52 add %dl,0x52(%rcx)
23: 55 push %rbp
24: 89 e5 mov %esp,%ebp
26: 0f 34 sysenter
28: cd 80 int $0x80
2a:* 5d pop %rbp <-- trapping instruction
2b: 5a pop %rdx
2c: 59 pop %rcx
2d: c3 retq
2e: 90 nop
2f: 90 nop
30: 90 nop
31: 90 nop
32: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
39: 00 00 00
3c: 0f .byte 0xf
3d: 1f (bad)
3e: 44 rex.R
...
Code starting with the faulting instruction
===========================================
0: 5d pop %rbp
1: 5a pop %rdx
2: 59 pop %rcx
3: c3 retq
4: 90 nop
5: 90 nop
6: 90 nop
7: 90 nop
8: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
f: 00 00 00
12: 0f .byte 0xf
13: 1f (bad)
14: 44 rex.R
...
[ 89.177743][ T3735] EAX: ffffffda EBX: b3a00000 ECX: 00200000 EDX: 00000003
[ 89.178339][ T3735] ESI: b3a00000 EDI: 00200000 EBP: b7502000 ESP: bfea2918
[ 89.178937][ T3735] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000296
[ 89.179571][ T3735] irq event stamp: 1828581
[ 89.179940][ T3735] hardirqs last enabled at (1828589): __up_console_sem (printk.c:?)
[ 89.180705][ T3735] hardirqs last disabled at (1828596): __up_console_sem (printk.c:?)
[ 89.181450][ T3735] softirqs last enabled at (1822860): release_sock (fbdev.c:?)
[ 89.182112][ T3735] softirqs last disabled at (1822858): release_sock (fbdev.c:?)
[ 89.182805][ T3735] ---[ end trace 0000000000000000 ]---
[ 89.183277][ T3735] ------------[ cut here ]------------
To reproduce:
# build kernel
cd linux
cp config-5.18.0-rc2-00008-gd0a63efe2fac .config
make HOSTCC=clang-15 CC=clang-15 ARCH=i386 olddefconfig prepare modules_prepare bzImage modules
make HOSTCC=clang-15 CC=clang-15 ARCH=i386 INSTALL_MOD_PATH=<mod-install-dir> modules_install
cd <mod-install-dir>
find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email
# if come across any failure that blocks the test,
# please remove ~/.lkp and /lkp dir to run from a clean state.
--
0-DAY CI Kernel Test Service
https://01.org/lkp
View attachment "config-5.18.0-rc2-00008-gd0a63efe2fac" of type "text/plain" (138174 bytes)
View attachment "job-script" of type "text/plain" (4729 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (40516 bytes)
Powered by blists - more mailing lists