| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 19 May 2022 16:39:15 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Jakub Matěna <matenajakub@...il.com>
Cc: 0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
lkp@...ts.01.org, linux-mm@...ck.org, patches@...ts.linux.dev,
vbabka@...e.cz, mhocko@...nel.org, mgorman@...hsingularity.net,
willy@...radead.org, liam.howlett@...cle.com, hughd@...gle.com,
kirill@...temov.name, riel@...riel.com, rostedt@...dmis.org,
peterz@...radead.org, david@...hat.com,
Jakub Matěna <matenajakub@...il.com>
Subject: [mm] df8ef36a21: kernel_BUG_at_lib/list_debug.c
Greeting,
FYI, we noticed the following commit (built with gcc-11):
commit: df8ef36a21db281bc4932e3d5c933d5bbb9a4217 ("[RFC PATCH v3 4/6] [PATCH 4/6] mm: adjust page offset in mremap")
url: https://github.com/intel-lab-lkp/linux/commits/Jakub-Mat-na/Removing-limitations-of-merging-anonymous-VMAs/20220516-205637
base: https://git.kernel.org/cgit/linux/kernel/git/kees/linux.git for-next/execve
patch link: https://lore.kernel.org/linux-mm/20220516125405.1675-5-matenajakub@gmail.com
in testcase: stress-ng
version: stress-ng-x86_64-0.11-06_20220516
with following parameters:
nr_threads: 10%
disk: 1HDD
testtime: 60s
fs: ext4
class: vm
test: mremap
cpufreq_governor: performance
ucode: 0xb000280
on test machine: 96 threads 2 sockets Ice Lake with 256G memory
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>
[ 75.109565][ T5714] kernel BUG at lib/list_debug.c:54!
[ 75.114893][ T5714] invalid opcode: 0000 [#1] SMP NOPTI
[ 75.120309][ T5714] CPU: 76 PID: 5714 Comm: stress-ng Not tainted 5.18.0-rc2-00007-gdf8ef36a21db #1
[ 75.129545][ T5714] RIP: 0010:__list_del_entry_valid.cold (lib/list_debug.c:54 (discriminator 3))
[ 75.136019][ T5714] Code: e8 e7 b5 fe ff 0f 0b 48 89 fe 48 c7 c7 80 80 59 82 e8 d6 b5 fe ff 0f 0b 48 89 d1 48 c7 c7 40 81 59 82 4c 89 c2 e8 c2 b5 fe ff <0f> 0b 48 89 f2 48 89 fe 48 c7 c7 f0 80 59 82 e8 ae b5 fe ff 0f 0b
All code
========
0: e8 e7 b5 fe ff callq 0xfffffffffffeb5ec
5: 0f 0b ud2
7: 48 89 fe mov %rdi,%rsi
a: 48 c7 c7 80 80 59 82 mov $0xffffffff82598080,%rdi
11: e8 d6 b5 fe ff callq 0xfffffffffffeb5ec
16: 0f 0b ud2
18: 48 89 d1 mov %rdx,%rcx
1b: 48 c7 c7 40 81 59 82 mov $0xffffffff82598140,%rdi
22: 4c 89 c2 mov %r8,%rdx
25: e8 c2 b5 fe ff callq 0xfffffffffffeb5ec
2a:* 0f 0b ud2 <-- trapping instruction
2c: 48 89 f2 mov %rsi,%rdx
2f: 48 89 fe mov %rdi,%rsi
32: 48 c7 c7 f0 80 59 82 mov $0xffffffff825980f0,%rdi
39: e8 ae b5 fe ff callq 0xfffffffffffeb5ec
3e: 0f 0b ud2
Code starting with the faulting instruction
===========================================
0: 0f 0b ud2
2: 48 89 f2 mov %rsi,%rdx
5: 48 89 fe mov %rdi,%rsi
8: 48 c7 c7 f0 80 59 82 mov $0xffffffff825980f0,%rdi
f: e8 ae b5 fe ff callq 0xfffffffffffeb5c2
14: 0f 0b ud2
[ 75.155902][ T5714] RSP: 0018:ffa000002439bc60 EFLAGS: 00010046
[ 75.162055][ T5714] RAX: 000000000000006d RBX: ff1100407ce65000 RCX: 0000000000000000
[ 75.170120][ T5714] RDX: 0000000000000000 RSI: ff11003fc891b740 RDI: ff11003fc891b740
[ 75.178188][ T5714] RBP: ffd4000084068000 R08: 0000000000000000 R09: 00000000ffff7fff
[ 75.186257][ T5714] R10: ffa000002439ba98 R11: ffffffff82bd8368 R12: ff11000108c13018
[ 75.194328][ T5714] R13: 0000000000000286 R14: 00007f0434110000 R15: ff1100407ce658c8
[ 75.202398][ T5714] FS: 00007f0437ca9740(0000) GS:ff11003fc8900000(0000) knlGS:0000000000000000
[ 75.211432][ T5714] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 75.218126][ T5714] CR2: 00007f0437f4f6dd CR3: 000000407c358002 CR4: 0000000000771ee0
[ 75.226214][ T5714] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 75.234289][ T5714] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 75.242364][ T5714] PKRU: 55555554
[ 75.246010][ T5714] Call Trace:
[ 75.249402][ T5714] <TASK>
[ 75.252448][ T5714] free_transhuge_page (include/linux/list.h:134 include/linux/list.h:148 mm/huge_memory.c:2634)
[ 75.257577][ T5714] release_pages (include/linux/mm.h:898 mm/swap.c:119 mm/swap.c:946)
[ 75.262277][ T5714] ? free_p4d_range (mm/memory.c:318)
[ 75.267150][ T5714] ? native_flush_tlb_local (arch/x86/include/asm/special_insns.h:48 (discriminator 9) arch/x86/mm/tlb.c:1165 (discriminator 9))
[ 75.272636][ T5714] ? flush_tlb_func (arch/x86/include/asm/paravirt.h:71 arch/x86/mm/tlb.c:1170 arch/x86/mm/tlb.c:842)
[ 75.277517][ T5714] tlb_finish_mmu (mm/mmu_gather.c:51 mm/mmu_gather.c:243 mm/mmu_gather.c:250 mm/mmu_gather.c:341)
[ 75.282228][ T5714] unmap_region (mm/mmap.c:2651 (discriminator 8))
[ 75.286765][ T5714] __do_munmap (include/linux/mm.h:2075 mm/mmap.c:2619 mm/mmap.c:2864)
[ 75.291294][ T5714] mremap_to (mm/mremap.c:898)
[ 75.295655][ T5714] __do_sys_mremap (mm/mremap.c:1042)
[ 75.300535][ T5714] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
[ 75.305069][ T5714] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:115)
[ 75.311082][ T5714] RIP: 0033:0x7f0438036a4a
[ 75.315618][ T5714] Code: 73 01 c3 48 8b 0d 46 04 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 19 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 16 04 0c 00 f7 d8 64 89 01 48
All code
========
0: 73 01 jae 0x3
2: c3 retq
3: 48 8b 0d 46 04 0c 00 mov 0xc0446(%rip),%rcx # 0xc0450
a: f7 d8 neg %eax
c: 64 89 01 mov %eax,%fs:(%rcx)
f: 48 83 c8 ff or $0xffffffffffffffff,%rax
13: c3 retq
14: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
1b: 00 00 00
1e: 66 90 xchg %ax,%ax
20: 49 89 ca mov %rcx,%r10
23: b8 19 00 00 00 mov $0x19,%eax
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 73 01 jae 0x33
32: c3 retq
33: 48 8b 0d 16 04 0c 00 mov 0xc0416(%rip),%rcx # 0xc0450
3a: f7 d8 neg %eax
3c: 64 89 01 mov %eax,%fs:(%rcx)
3f: 48 rex.W
Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 73 01 jae 0x9
8: c3 retq
9: 48 8b 0d 16 04 0c 00 mov 0xc0416(%rip),%rcx # 0xc0426
10: f7 d8 neg %eax
12: 64 89 01 mov %eax,%fs:(%rcx)
15: 48 rex.W
[ 75.335612][ T5714] RSP: 002b:00007fffa46364f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000019
[ 75.344156][ T5714] RAX: ffffffffffffffda RBX: 0000000000000064 RCX: 00007f0438036a4a
[ 75.352262][ T5714] RDX: 000000000071c400 RSI: 0000000000e38800 RDI: 00007f04339f3000
[ 75.360364][ T5714] RBP: 000000000071c400 R08: 00007f0434f46000 R09: 0000000000000000
[ 75.368466][ T5714] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000003
[ 75.376558][ T5714] R13: 00007fffa4636580 R14: 000000000071d400 R15: 00007f0434f46000
[ 75.384650][ T5714] </TASK>
[ 75.387783][ T5714] Modules linked in: kmem dm_mod binfmt_misc device_dax nd_pmem nd_btt dax_pmem ipmi_ssif btrfs ast blake2b_generic drm_vram_helper xor drm_ttm_helper ttm raid6_pq zstd_compress drm_kms_helper libcrc32c syscopyarea nvme sysfillrect sd_mod sysimgblt nvme_core fb_sys_fops intel_rapl_msr intel_rapl_common sg x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm t10_pi irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel crc64_rocksoft_generic rapl ahci intel_cstate libahci crc64_rocksoft intel_uncore crc64 drm ioatdma libata joydev dca wmi acpi_ipmi ipmi_si ipmi_devintf ipmi_msghandler nfit libnvdimm acpi_pad acpi_power_meter ip_tables
[ 75.449256][ T5714] ---[ end trace 0000000000000000 ]---
[ 75.466176][ T5714] RIP: 0010:__list_del_entry_valid.cold (lib/list_debug.c:54 (discriminator 3))
[ 75.472732][ T5714] Code: e8 e7 b5 fe ff 0f 0b 48 89 fe 48 c7 c7 80 80 59 82 e8 d6 b5 fe ff 0f 0b 48 89 d1 48 c7 c7 40 81 59 82 4c 89 c2 e8 c2 b5 fe ff <0f> 0b 48 89 f2 48 89 fe 48 c7 c7 f0 80 59 82 e8 ae b5 fe ff 0f 0b
All code
========
0: e8 e7 b5 fe ff callq 0xfffffffffffeb5ec
5: 0f 0b ud2
7: 48 89 fe mov %rdi,%rsi
a: 48 c7 c7 80 80 59 82 mov $0xffffffff82598080,%rdi
11: e8 d6 b5 fe ff callq 0xfffffffffffeb5ec
16: 0f 0b ud2
18: 48 89 d1 mov %rdx,%rcx
1b: 48 c7 c7 40 81 59 82 mov $0xffffffff82598140,%rdi
22: 4c 89 c2 mov %r8,%rdx
25: e8 c2 b5 fe ff callq 0xfffffffffffeb5ec
2a:* 0f 0b ud2 <-- trapping instruction
2c: 48 89 f2 mov %rsi,%rdx
2f: 48 89 fe mov %rdi,%rsi
32: 48 c7 c7 f0 80 59 82 mov $0xffffffff825980f0,%rdi
39: e8 ae b5 fe ff callq 0xfffffffffffeb5ec
3e: 0f 0b ud2
Code starting with the faulting instruction
===========================================
0: 0f 0b ud2
2: 48 89 f2 mov %rsi,%rdx
5: 48 89 fe mov %rdi,%rsi
8: 48 c7 c7 f0 80 59 82 mov $0xffffffff825980f0,%rdi
f: e8 ae b5 fe ff callq 0xfffffffffffeb5c2
14: 0f 0b ud2
To reproduce:
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
sudo bin/lkp install job.yaml # job file is attached in this email
bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
sudo bin/lkp run generated-yaml-file
# if come across any failure that blocks the test,
# please remove ~/.lkp and /lkp dir to run from a clean state.
--
0-DAY CI Kernel Test Service
https://01.org/lkp
View attachment "config-5.18.0-rc2-00007-gdf8ef36a21db" of type "text/plain" (162709 bytes)
View attachment "job-script" of type "text/plain" (8676 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (36400 bytes)
View attachment "job.yaml" of type "text/plain" (5593 bytes)
Powered by blists - more mailing lists