Message-ID: <Yt/oonNim732exkh@xsang-OptiPlex-9020>
Date: Tue, 26 Jul 2022 21:14:10 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Kuniyuki Iwashima <kuniyu@...zon.com>
CC: Jeff Layton <jlayton@...nel.org>,
LKML <linux-kernel@...r.kernel.org>,
Linux Memory Management List <linux-mm@...ck.org>,
<linux-fsdevel@...r.kernel.org>, <lkp@...ts.01.org>,
<lkp@...el.com>
Subject: [fs/lock] 0064b3d9f9: BUG:kernel_NULL_pointer_dereference,address
Greeting,
FYI, we noticed the following commit (built with clang-15):
commit: 0064b3d9f96f3dc466e44a6fc716910cea56dbbf ("fs/lock: Rearrange ops in flock syscall.")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
in testcase: boot
on test machine: qemu-system-i386 -enable-kvm -cpu SandyBridge -smp 2 -m 4G
caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):
If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <oliver.sang@...el.com>
[ 3.564403][ T1] BUG: kernel NULL pointer dereference, address: 00000b2c
[ 3.565351][ T1] #PF: supervisor read access in kernel mode
[ 3.565351][ T1] #PF: error_code(0x0000) - not-present page
[ 3.565351][ T1] *pde = 00000000
[ 3.565351][ T1] Oops: 0000 [#1]
[ 3.565351][ T1] CPU: 0 PID: 1 Comm: swapper Tainted: G T 5.19.0-rc6-00004-g0064b3d9f96f #1
[ 3.565351][ T1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
[ 3.565351][ T1] EIP: drm_atomic_helper_setup_commit (??:?)
[ 3.565351][ T1] Code: 45 ec eb b5 89 d8 83 c4 0c 5e 5f 5b 5d 31 c9 31 d2 c3 90 90 90 90 90 90 90 55 89 e5 53 57 56 83 ec 38 89 55 d4 89 c2 8b 40 04 <8b> 88 2c 07 00 00 89 4d c4 83 b8 30 05 00 00 00 89 55 ec 0f 8e fa
All code
========
0: 45 ec rex.RB in (%dx),%al
2: eb b5 jmp 0xffffffffffffffb9
4: 89 d8 mov %ebx,%eax
6: 83 c4 0c add $0xc,%esp
9: 5e pop %rsi
a: 5f pop %rdi
b: 5b pop %rbx
c: 5d pop %rbp
d: 31 c9 xor %ecx,%ecx
f: 31 d2 xor %edx,%edx
11: c3 retq
12: 90 nop
13: 90 nop
14: 90 nop
15: 90 nop
16: 90 nop
17: 90 nop
18: 90 nop
19: 55 push %rbp
1a: 89 e5 mov %esp,%ebp
1c: 53 push %rbx
1d: 57 push %rdi
1e: 56 push %rsi
1f: 83 ec 38 sub $0x38,%esp
22: 89 55 d4 mov %edx,-0x2c(%rbp)
25: 89 c2 mov %eax,%edx
27: 8b 40 04 mov 0x4(%rax),%eax
2a:* 8b 88 2c 07 00 00 mov 0x72c(%rax),%ecx <-- trapping instruction
30: 89 4d c4 mov %ecx,-0x3c(%rbp)
33: 83 b8 30 05 00 00 00 cmpl $0x0,0x530(%rax)
3a: 89 55 ec mov %edx,-0x14(%rbp)
3d: 0f .byte 0xf
3e: 8e fa mov %edx,%?
Code starting with the faulting instruction
===========================================
0: 8b 88 2c 07 00 00 mov 0x72c(%rax),%ecx
6: 89 4d c4 mov %ecx,-0x3c(%rbp)
9: 83 b8 30 05 00 00 00 cmpl $0x0,0x530(%rax)
10: 89 55 ec mov %edx,-0x14(%rbp)
13: 0f .byte 0xf
14: 8e fa mov %edx,%?
[ 3.565351][ T1] EAX: 00000400 EBX: 401ebc64 ECX: 414f8750 EDX: 401ebc64
[ 3.565351][ T1] ESI: 401ebc64 EDI: 414f8750 EBP: 401ebbc8 ESP: 401ebb84
[ 3.565351][ T1] DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00010206
[ 3.565351][ T1] CR0: 80050033 CR2: 00000b2c CR3: 02e5b000 CR4: 000406d0
[ 3.565351][ T1] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 3.565351][ T1] DR6: fffe0ff0 DR7: 00000400
[ 3.565351][ T1] Call Trace:
[ 3.565351][ T1] ? __lock_acquire (lockdep.c:?)
[ 3.565351][ T1] ? drm_atomic_helper_async_commit (??:?)
[ 3.565351][ T1] ? drm_atomic_helper_commit (??:?)
[ 3.565351][ T1] ? drm_get_format_info (??:?)
[ 3.565351][ T1] ? drm_internal_framebuffer_create (??:?)
[ 3.565351][ T1] ? lock_is_held_type (??:?)
[ 3.565351][ T1] ? drm_mode_addfb2 (??:?)
[ 3.565351][ T1] ? sched_clock (??:?)
[ 3.565351][ T1] ? drm_mode_addfb (??:?)
[ 3.565351][ T1] ? drm_client_framebuffer_create (??:?)
[ 3.565351][ T1] ? drm_fb_helper_generic_probe (drm_fb_helper.c:?)
[ 3.565351][ T1] ? __drm_fb_helper_initial_config_and_unlock (drm_fb_helper.c:?)
[ 3.565351][ T1] ? drm_fbdev_client_hotplug (drm_fb_helper.c:?)
[ 3.565351][ T1] ? drm_fbdev_generic_setup (??:?)
[ 3.565351][ T1] ? vkms_init (vkms_drv.c:?)
[ 3.565351][ T1] ? drm_sched_fence_slab_init (vkms_drv.c:?)
[ 3.565351][ T1] ? do_one_initcall (??:?)
[ 3.565351][ T1] ? drm_sched_fence_slab_init (vkms_drv.c:?)
[ 3.565351][ T1] ? tick_program_event (??:?)
[ 3.565351][ T1] ? error_context (??:?)
[ 3.565351][ T1] ? trace_hardirqs_on (??:?)
[ 3.565351][ T1] ? irqentry_exit (??:?)
[ 3.565351][ T1] ? sysvec_apic_timer_interrupt (??:?)
[ 3.565351][ T1] ? handle_exception (init_task.c:?)
[ 3.565351][ T1] ? parse_args (??:?)
[ 3.565351][ T1] ? error_context (??:?)
[ 3.565351][ T1] ? parse_args (??:?)
[ 3.565351][ T1] ? do_initcall_level (main.c:?)
[ 3.565351][ T1] ? rest_init (main.c:?)
[ 3.565351][ T1] ? do_initcalls (main.c:?)
[ 3.565351][ T1] ? do_basic_setup (main.c:?)
[ 3.565351][ T1] ? kernel_init_freeable (main.c:?)
[ 3.565351][ T1] ? kernel_init (main.c:?)
[ 3.565351][ T1] ? ret_from_fork (??:?)
[ 3.565351][ T1] Modules linked in:
[ 3.565351][ T1] CR2: 0000000000000b2c
[ 3.565351][ T1] ---[ end trace 0000000000000000 ]---
[ 3.565351][ T1] EIP: drm_atomic_helper_setup_commit (??:?)
[ 3.565351][ T1] Code: 45 ec eb b5 89 d8 83 c4 0c 5e 5f 5b 5d 31 c9 31 d2 c3 90 90 90 90 90 90 90 55 89 e5 53 57 56 83 ec 38 89 55 d4 89 c2 8b 40 04 <8b> 88 2c 07 00 00 89 4d c4 83 b8 30 05 00 00 00 89 55 ec 0f 8e fa
To reproduce:
# build kernel
cd linux
cp config-5.19.0-rc6-00004-g0064b3d9f96f .config
make HOSTCC=clang-15 CC=clang-15 ARCH=i386 olddefconfig prepare modules_prepare bzImage modules
make HOSTCC=clang-15 CC=clang-15 ARCH=i386 INSTALL_MOD_PATH=<mod-install-dir> modules_install
cd <mod-install-dir>
find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email
# if you come across any failure that blocks the test,
# please remove ~/.lkp and /lkp dir to run from a clean state.
--
0-DAY CI Kernel Test Service
https://01.org/lkp
View attachment "config-5.19.0-rc6-00004-g0064b3d9f96f" of type "text/plain" (145412 bytes)
View attachment "job-script" of type "text/plain" (4672 bytes)
Download attachment "dmesg.xz" of type "application/x-xz" (11636 bytes)