Message-ID: <202302252122.38b2139-oliver.sang@intel.com>
Date:   Mon, 27 Feb 2023 09:32:53 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     "Liam R. Howlett" <Liam.Howlett@...cle.com>
CC:     <oe-lkp@...ts.linux.dev>, <lkp@...el.com>,
        <linux-kernel@...r.kernel.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        "Liam R. Howlett" <Liam.Howlett@...cle.com>,
        <linux-perf-users@...r.kernel.org>,
        <linux-fsdevel@...r.kernel.org>, <linux-mm@...ck.org>
Subject: [linus:master] [mm/mmap]  0503ea8f5b: kernel_BUG_at_mm/filemap.c


Greeting,

FYI, we noticed kernel_BUG_at_mm/filemap.c due to commit (built with gcc-11):

commit: 0503ea8f5ba73eb3ab13a81c1eefbaf51405385a ("mm/mmap: remove __vma_adjust()")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master

[test failed on linux-next/master 0222aa9800b25ff171d6dcabcabcd5c42c6ffc3f]

in testcase: trinity
version: trinity-static-i386-x86_64-1c734c75-1_2020-01-06
with following parameters:

	runtime: 300s
	group: group-04

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):


Please note that, as the table below shows, the parent also has other types of issues, and we
found they happen at almost the same position as kernel_BUG_at_mm/filemap.c for
this commit when looking into dmesg (two parent dmesgs are attached as well).

We don't know whether this commit fixes some problem in the parent and then
runs further until hitting further issues, but since this commit touches
mm/filemap.c, we made this report FYI.

BTW, we also noticed there is a fix commit
07dc4b1862035 ("mm/mremap: fix dup_anon_vma() in vma_merge() case 4");
by further testing, BUG_at_mm/filemap.c still exists there.

+---------------------------------------------+------------+------------+
|                                             | 287051b185 | 0503ea8f5b |
+---------------------------------------------+------------+------------+
| BUG:kernel_NULL_pointer_dereference,address | 11         |            |
| Oops:#[##]                                  | 11         |            |
| RIP:dup_anon_vma                            | 11         |            |
| Kernel_panic-not_syncing:Fatal_exception    | 20         | 9          |
| canonical_address#:#[##]                    | 9          |            |
| RIP:anon_vma_clone                          | 9          |            |
| kernel_BUG_at_mm/filemap.c                  | 0          | 9          |
| invalid_opcode:#[##]                        | 0          | 9          |
| RIP:filemap_unaccount_folio                 | 0          | 9          |
+---------------------------------------------+------------+------------+


If you fix the issue, kindly add following tag
| Reported-by: kernel test robot <oliver.sang@...el.com>
| Link: https://lore.kernel.org/oe-lkp/202302252122.38b2139-oliver.sang@intel.com


[   28.065728][ T4983] ------------[ cut here ]------------
[   28.066480][ T4983] kernel BUG at mm/filemap.c:153!
[   28.067153][ T4983] invalid opcode: 0000 [#1] SMP PTI
[   28.067868][ T4983] CPU: 0 PID: 4983 Comm: trinity-c3 Not tainted 6.2.0-rc4-00443-g0503ea8f5ba7 #1
[   28.069001][ T4983] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014
[ 28.072145][ T4983] RIP: 0010:filemap_unaccount_folio (filemap.c:?) 
[ 28.072927][ T4983] Code: 89 fb 0f ba e0 10 72 05 8b 46 30 eb 0a 8b 46 58 85 c0 7f 07 8b 46 54 85 c0 78 11 48 c7 c6 a0 aa 24 82 48 89 ef e8 0b d2 02 00 <0f> 0b 48 89 ef e8 01 e7 ff ff be 13 00 00 00 48 89 ef 41 89 c4 41
All code
========
   0:	89 fb                	mov    %edi,%ebx
   2:	0f ba e0 10          	bt     $0x10,%eax
   6:	72 05                	jb     0xd
   8:	8b 46 30             	mov    0x30(%rsi),%eax
   b:	eb 0a                	jmp    0x17
   d:	8b 46 58             	mov    0x58(%rsi),%eax
  10:	85 c0                	test   %eax,%eax
  12:	7f 07                	jg     0x1b
  14:	8b 46 54             	mov    0x54(%rsi),%eax
  17:	85 c0                	test   %eax,%eax
  19:	78 11                	js     0x2c
  1b:	48 c7 c6 a0 aa 24 82 	mov    $0xffffffff8224aaa0,%rsi
  22:	48 89 ef             	mov    %rbp,%rdi
  25:	e8 0b d2 02 00       	callq  0x2d235
  2a:*	0f 0b                	ud2    		<-- trapping instruction
  2c:	48 89 ef             	mov    %rbp,%rdi
  2f:	e8 01 e7 ff ff       	callq  0xffffffffffffe735
  34:	be 13 00 00 00       	mov    $0x13,%esi
  39:	48 89 ef             	mov    %rbp,%rdi
  3c:	41 89 c4             	mov    %eax,%r12d
  3f:	41                   	rex.B

Code starting with the faulting instruction
===========================================
   0:	0f 0b                	ud2    
   2:	48 89 ef             	mov    %rbp,%rdi
   5:	e8 01 e7 ff ff       	callq  0xffffffffffffe70b
   a:	be 13 00 00 00       	mov    $0x13,%esi
   f:	48 89 ef             	mov    %rbp,%rdi
  12:	41 89 c4             	mov    %eax,%r12d
  15:	41                   	rex.B
[   28.075337][ T4983] RSP: 0000:ffffc90000223b08 EFLAGS: 00010046
[   28.076117][ T4983] RAX: 0000000000000039 RBX: ffff8881195e4dd8 RCX: 0000000000000027
[   28.077144][ T4983] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff88842fc1c680
[   28.078211][ T4983] RBP: ffffea0005fa0b00 R08: 0000000000000000 R09: 0000000000000019
[   28.079264][ T4983] R10: 0000000000000000 R11: 6d75642065676170 R12: ffffea0005fa0b00
[   28.080312][ T4983] R13: 0000000000000000 R14: ffff8881195e4dd8 R15: 000000000000000c
[   28.081380][ T4983] FS:  0000000000000000(0000) GS:ffff88842fc00000(0063) knlGS:0000000008acb840
[   28.082525][ T4983] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[   28.083399][ T4983] CR2: 0000000000200000 CR3: 0000000118c36000 CR4: 00000000000406f0
[   28.084497][ T4983] DR0: fffffffff68cc000 DR1: 0000000000000000 DR2: 0000000000000000
[   28.085589][ T4983] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
[   28.086685][ T4983] Call Trace:
[   28.087222][ T4983]  <TASK>
[ 28.087701][ T4983] __filemap_remove_folio (??:?) 
[ 28.088418][ T4983] ? unmap_mapping_range_tree (memory.c:?) 
[ 28.089168][ T4983] ? mapping_can_writeback+0x5/0xc 
[ 28.089940][ T4983] filemap_remove_folio (??:?) 
[ 28.090627][ T4983] truncate_inode_folio (??:?) 
[ 28.091342][ T4983] shmem_undo_range (shmem.c:?) 
[ 28.092036][ T4983] shmem_truncate_range (??:?) 
[ 28.092753][ T4983] shmem_fallocate (shmem.c:?) 
[ 28.093444][ T4983] vfs_fallocate (??:?) 
[ 28.094128][ T4983] madvise_vma_behavior (madvise.c:?) 
[ 28.094874][ T4983] do_madvise (??:?) 
[ 28.095491][ T4983] __ia32_sys_madvise (??:?) 
[ 28.096166][ T4983] do_int80_syscall_32 (??:?) 
[ 28.096885][ T4983] entry_INT80_compat (??:?) 
[   28.097538][ T4983] RIP: 0023:0x80a3392
[   28.100541][ T4983] RSP: 002b:00000000ffa5c9b8 EFLAGS: 00000292 ORIG_RAX: 00000000000000db
[   28.101693][ T4983] RAX: ffffffffffffffda RBX: 00000000f500d000 RCX: 000000000014c000
[   28.102812][ T4983] RDX: 0000000000000009 RSI: 0000000000200000 RDI: 0000000000000002
[   28.103946][ T4983] RBP: 00000000000000ff R08: 0000000000000000 R09: 0000000000000000
[   28.105054][ T4983] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   28.106161][ T4983] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   28.107273][ T4983]  </TASK>
[   28.107785][ T4983] Modules linked in: can_bcm can_raw can cn scsi_transport_iscsi sr_mod cdrom ata_generic
[   28.109085][ T4983] ---[ end trace 0000000000000000 ]---


To reproduce:

	# build kernel
	cd linux
	cp config-6.2.0-rc4-00443-g0503ea8f5ba7 .config
	make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
	make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
	cd <mod-install-dir>
	find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz

	# run the job under qemu with lkp-tests
	git clone https://github.com/intel/lkp-tests.git
	cd lkp-tests
	bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

	# if you come across any failure that blocks the test,
	# please remove ~/.lkp and /lkp dir to run from a clean state.



-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests



View attachment "config-6.2.0-rc4-00443-g0503ea8f5ba7" of type "text/plain" (130958 bytes)

View attachment "job-script" of type "text/plain" (4449 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (28276 bytes)

Download attachment "dmesg-parent-1.xz" of type "application/x-xz" (27724 bytes)

Download attachment "dmesg-parent-2.xz" of type "application/x-xz" (28052 bytes)
