Message-ID: <20220519081210.GC34017@xsang-OptiPlex-9020>
Date: Thu, 19 May 2022 16:12:10 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Kees Cook <keescook@...omium.org>
Cc: 0day robot <lkp@...el.com>,
Christophe de Dinechin <dinechin@...hat.com>,
Ingo Molnar <mingo@...hat.com>,
Juri Lelli <juri.lelli@...hat.com>,
Vincent Guittot <vincent.guittot@...aro.org>,
Dietmar Eggemann <dietmar.eggemann@....com>,
Steven Rostedt <rostedt@...dmis.org>,
Ben Segall <bsegall@...gle.com>, Mel Gorman <mgorman@...e.de>,
Daniel Bristot de Oliveira <bristot@...hat.com>,
LKML <linux-kernel@...r.kernel.org>, lkp@...ts.01.org,
Peter Zijlstra <peterz@...radead.org>,
Kees Cook <keescook@...omium.org>,
Davidlohr Bueso <dave@...olabs.net>,
linux-hardening@...r.kernel.org, aubrey.li@...ux.intel.com,
yu.c.chen@...el.com
Subject: [sched/core] 4eb47d360b: BUG:unable_to_handle_page_fault_for_address
Greeting,
FYI, we noticed the following commit (built with gcc-11):
commit: 4eb47d360bbd379fc8f51fb5a00281bcb6e83e5a ("[PATCH] sched/core: Do not treat class list boundary markers as arrays")
url: https://github.com/intel-lab-lkp/linux/commits/Kees-Cook/sched-core-Do-not-treat-class-list-boundary-markers-as-arrays/20220517-035158
base: https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git 734387ec2f9d77b00276042b1fa7c95f48ee879d
patch link: https://lore.kernel.org/lkml/20220516194241.3064242-1-keescook@chromium.org
in testcase: boot
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
+---------------------------------------------+------------+------------+
| | 734387ec2f | 4eb47d360b |
+---------------------------------------------+------------+------------+
| boot_successes | 102 | 0 |
| boot_failures | 0 | 104 |
| BUG:unable_to_handle_page_fault_for_address | 0 | 104 |
| Oops:#[##] | 0 | 104 |
| RIP:set_rq_online | 0 | 104 |
| Kernel_panic-not_syncing:Fatal_exception | 0 | 104 |
+---------------------------------------------+------------+------------+
If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <oliver.sang@...el.com>
[ 0.236912][ T0] BUG: unable to handle page fault for address: ffffcd3a3fffffa0
[ 0.237849][ T0] #PF: supervisor read access in kernel mode
[ 0.238589][ T0] #PF: error_code(0x0000) - not-present page
[ 0.239306][ T0] PGD 43ffc1067 P4D 43ffc1067 PUD 0
[ 0.239970][ T0] Oops: 0000 [#1] SMP PTI
[ 0.240499][ T0] CPU: 0 PID: 0 Comm: swapper Not tainted 5.18.0-rc5-00021-g4eb47d360bbd #1
[ 0.241574][ T0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
[ 0.242854][ T0] RIP: 0010:set_rq_online (kernel/sched/core.c:9139)
[ 0.243582][ T0] Code: 23 51 01 48 8b 15 30 1f 51 01 c7 87 64 0a 00 00 01 00 00 00 48 8d 98 30 ff ff ff 48 8d 82 30 ff ff ff 48 39 c3 74 2e 49 89 fc <48> 8b 43 70 48 85 c0 74 0f 4c 89 e7 e8 9f 1e ef 00 48 8b 15 f8 1e
All code
========
0: 23 51 01 and 0x1(%rcx),%edx
3: 48 8b 15 30 1f 51 01 mov 0x1511f30(%rip),%rdx # 0x1511f3a
a: c7 87 64 0a 00 00 01 movl $0x1,0xa64(%rdi)
11: 00 00 00
14: 48 8d 98 30 ff ff ff lea -0xd0(%rax),%rbx
1b: 48 8d 82 30 ff ff ff lea -0xd0(%rdx),%rax
22: 48 39 c3 cmp %rax,%rbx
25: 74 2e je 0x55
27: 49 89 fc mov %rdi,%r12
2a:* 48 8b 43 70 mov 0x70(%rbx),%rax <-- trapping instruction
2e: 48 85 c0 test %rax,%rax
31: 74 0f je 0x42
33: 4c 89 e7 mov %r12,%rdi
36: e8 9f 1e ef 00 callq 0xef1eda
3b: 48 rex.W
3c: 8b .byte 0x8b
3d: 15 .byte 0x15
3e: f8 clc
3f: 1e (bad)
Code starting with the faulting instruction
===========================================
0: 48 8b 43 70 mov 0x70(%rbx),%rax
4: 48 85 c0 test %rax,%rax
7: 74 0f je 0x18
9: 4c 89 e7 mov %r12,%rdi
c: e8 9f 1e ef 00 callq 0xef1eb0
11: 48 rex.W
12: 8b .byte 0x8b
13: 15 .byte 0x15
14: f8 clc
15: 1e (bad)
[ 0.246022][ T0] RSP: 0000:ffffffffa5203e98 EFLAGS: 00010087
[ 0.246764][ T0] RAX: ffffffffffffff30 RBX: ffffcd3a3fffff30 RCX: 00000000fffb6c20
[ 0.247655][ T0] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff89f6afc2b540
[ 0.248642][ T0] RBP: ffffffffa5203ea8 R08: 0000000000000000 R09: ffff89f380058770
[ 0.249633][ T0] R10: 0000000000000000 R11: 000000000000009c R12: ffff89f6afc2b540
[ 0.250639][ T0] R13: 0000000000000046 R14: 000000000002b540 R15: ffff89f6afc2b780
[ 0.251602][ T0] FS: 0000000000000000(0000) GS:ffff89f6afc00000(0000) knlGS:0000000000000000
[ 0.252698][ T0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 0.253505][ T0] CR2: ffffcd3a3fffffa0 CR3: 000000010560a000 CR4: 00000000000406b0
[ 0.254483][ T0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 0.255421][ T0] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 0.256369][ T0] Call Trace:
[ 0.256763][ T0] <TASK>
[ 0.257113][ T0] rq_attach_root (kernel/sched/topology.c:493)
[ 0.257677][ T0] sched_init (kernel/sched/core.c:9601)
[ 0.258210][ T0] start_kernel (arch/x86/include/asm/irqflags.h:29 arch/x86/include/asm/irqflags.h:70 init/main.c:1000)
[ 0.258737][ T0] secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:303)
[ 0.259432][ T0] </TASK>
[ 0.259783][ T0] Modules linked in:
[ 0.260245][ T0] CR2: ffffcd3a3fffffa0
[ 0.260732][ T0] ---[ end trace 0000000000000000 ]---
[ 0.261373][ T0] RIP: 0010:set_rq_online (kernel/sched/core.c:9139)
[ 0.262072][ T0] Code: 23 51 01 48 8b 15 30 1f 51 01 c7 87 64 0a 00 00 01 00 00 00 48 8d 98 30 ff ff ff 48 8d 82 30 ff ff ff 48 39 c3 74 2e 49 89 fc <48> 8b 43 70 48 85 c0 74 0f 4c 89 e7 e8 9f 1e ef 00 48 8b 15 f8 1e
To reproduce:

        # build kernel
        cd linux
        cp config-5.18.0-rc5-00021-g4eb47d360bbd .config
        make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
        make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
        cd <mod-install-dir>
        find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

        # if you come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.
--
0-DAY CI Kernel Test Service
https://01.org/lkp
View attachment "config-5.18.0-rc5-00021-g4eb47d360bbd" of type "text/plain" (162679 bytes)
View attachment "job-script" of type "text/plain" (4949 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (4984 bytes)