lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Zp8h/ZZTQ0lwmcJa@xsang-OptiPlex-9020>
Date: Tue, 23 Jul 2024 11:22:37 +0800
From: Oliver Sang <oliver.sang@...el.com>
To: Alex Shi <seakeel@...il.com>
CC: Alex Shi <alexs@...nel.org>, <oe-lkp@...ts.linux.dev>, <lkp@...el.com>,
	<linux-kernel@...r.kernel.org>, <linux-mm@...ck.org>, <oliver.sang@...el.com>
Subject: Re: [alexshi:mmunstable2] 934c05f8c5:
 BUG:unable_to_handle_page_fault_for_address

hi, Alex,

On Tue, Jul 23, 2024 at 09:58:25AM +0800, Alex Shi wrote:
> 
> 
> On 7/23/24 9:05 AM, kernel test robot wrote:
> > 
> > hi, Alex Shi,
> > 
> > we noticed there is a mmunstable3 branch now, but there is no same title patch
> > there. not sure if this report is still useful, below report just FYI.
> 
> Hi Oliver,
> 
> Thanks a lot for your testing and founding on my unreleased code branch!
> The problem should be resolved on my latest code yesterday.
> But multiple archs maybe still are fragile in the branch. Are there bootable in virtual machine, like arm, s390, etc?

we did boot test in vm, but only for x86_64 or i386.

you may notice we also send another report
"[alexshi:mmunstable3] [mm/memory]  f6ba7ce983: kernel_BUG_at_mm/page_alloc.c"

for both commit, we made some further check and cofirmed they cannot boot
successfully on both vm/bm, again, we only test x86_64/i386 for now.

> 
> Thanks again for your great work!
> 
> Alex
> 
> > 
> > 
> > 
> > Hello,
> > 
> > kernel test robot noticed "BUG:unable_to_handle_page_fault_for_address" on:
> > 
> > commit: 934c05f8c50fed91942a8aa9db46a0feae38594c ("use ptdesc in free_pte_range and pte_free_tlb series functions")
> > https://github.com/alexshi/linux.git mmunstable2
> > 
> > in testcase: boot
> > 
> > compiler: gcc-11
> > test machine: qemu-system-i386 -enable-kvm -cpu SandyBridge -smp 2 -m 4G
> > 
> > (please refer to attached dmesg/kmsg for entire log/backtrace)
> > 
> > 
> > +---------------------------------------------+------------+------------+
> > |                                             | 5977eb9785 | 934c05f8c5 |
> > +---------------------------------------------+------------+------------+
> > | BUG:unable_to_handle_page_fault_for_address | 0          | 6          |
> > | EIP:clear_user                              | 0          | 6          |
> > +---------------------------------------------+------------+------------+
> > 
> > 
> > If you fix the issue in a separate patch/commit (i.e. not just a new version of
> > the same patch/commit), kindly add following tags
> > | Reported-by: kernel test robot <oliver.sang@...el.com>
> > | Closes: https://lore.kernel.org/oe-lkp/202407221607.49138a71-oliver.sang@intel.com
> > 
> > 
> > [    3.645340][    T1] BUG: unable to handle page fault for address: 00100016
> > [    3.645713][    T1] #PF: supervisor read access in kernel mode
> > [    3.646020][    T1] #PF: error_code(0x0000) - not-present page
> > [    3.646326][    T1] *pdpt = 000000002e992001 *pde = 0000000000000000
> > [    3.646663][    T1] Oops: Oops: 0000 [#1] PREEMPT SMP
> > [    3.646933][    T1] CPU: 0 PID: 1 Comm: init Not tainted 6.10.0-rc6-00481-g934c05f8c50f #1 c5190225c17d1f7c5bcc60b13088ed2c9e32ac25
> > [ 3.647536][ T1] EIP: __lock_acquire (kernel/locking/lockdep.c:5006 (discriminator 1)) 
> > [ 3.647797][ T1] Code: 8b 75 d0 e8 d8 9b 3c 00 85 c0 0f 85 a0 01 00 00 31 db 83 c4 38 89 d8 5b 5e 5f 5d 31 d2 31 c9 e9 60 6d be 01 8d 74 26 00 31 c0 <81> 3b a0 cb 44 c4 0f 45 45 0c 83 fa 01 89 45 f0 0f 87 10 fb ff ff
> > All code
> > ========
> >    0:	8b 75 d0             	mov    -0x30(%rbp),%esi
> >    3:	e8 d8 9b 3c 00       	call   0x3c9be0
> >    8:	85 c0                	test   %eax,%eax
> >    a:	0f 85 a0 01 00 00    	jne    0x1b0
> >   10:	31 db                	xor    %ebx,%ebx
> >   12:	83 c4 38             	add    $0x38,%esp
> >   15:	89 d8                	mov    %ebx,%eax
> >   17:	5b                   	pop    %rbx
> >   18:	5e                   	pop    %rsi
> >   19:	5f                   	pop    %rdi
> >   1a:	5d                   	pop    %rbp
> >   1b:	31 d2                	xor    %edx,%edx
> >   1d:	31 c9                	xor    %ecx,%ecx
> >   1f:	e9 60 6d be 01       	jmp    0x1be6d84
> >   24:	8d 74 26 00          	lea    0x0(%rsi,%riz,1),%esi
> >   28:	31 c0                	xor    %eax,%eax
> >   2a:*	81 3b a0 cb 44 c4    	cmpl   $0xc444cba0,(%rbx)		<-- trapping instruction
> >   30:	0f 45 45 0c          	cmovne 0xc(%rbp),%eax
> >   34:	83 fa 01             	cmp    $0x1,%edx
> >   37:	89 45 f0             	mov    %eax,-0x10(%rbp)
> >   3a:	0f 87 10 fb ff ff    	ja     0xfffffffffffffb50
> > 
> > Code starting with the faulting instruction
> > ===========================================
> >    0:	81 3b a0 cb 44 c4    	cmpl   $0xc444cba0,(%rbx)
> >    6:	0f 45 45 0c          	cmovne 0xc(%rbp),%eax
> >    a:	83 fa 01             	cmp    $0x1,%edx
> >    d:	89 45 f0             	mov    %eax,-0x10(%rbp)
> >   10:	0f 87 10 fb ff ff    	ja     0xfffffffffffffb26
> > [    3.648776][    T1] EAX: 00000000 EBX: 00100016 ECX: 00000000 EDX: 00000000
> > [    3.649136][    T1] ESI: 00100016 EDI: 00000000 EBP: c01f1b7c ESP: c01f1b38
> > [    3.649504][    T1] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00010046
> > [    3.649890][    T1] CR0: 80050033 CR2: 00100016 CR3: 0054bd80 CR4: 000406b0
> > [    3.650252][    T1] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
> > [    3.650611][    T1] DR6: fffe0ff0 DR7: 00000400
> > [    3.650863][    T1] Call Trace:
> > [ 3.651036][ T1] ? show_regs (arch/x86/kernel/dumpstack.c:479) 
> > [ 3.651256][ T1] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434) 
> > [ 3.651457][ T1] ? oops_enter (kernel/panic.c:642) 
> > [ 3.651680][ T1] ? page_fault_oops (arch/x86/mm/fault.c:715) 
> > [ 3.651927][ T1] ? __lock_acquire (kernel/locking/lockdep.c:5137) 
> > [ 3.652177][ T1] ? kernelmode_fixup_or_oops+0x68/0x8c 
> > [ 3.652513][ T1] ? __bad_area_nosemaphore+0x133/0x238 
> > [ 3.652850][ T1] ? bad_area_nosemaphore (arch/x86/mm/fault.c:835) 
> > [ 3.653116][ T1] ? do_user_addr_fault (arch/x86/mm/fault.c:1452) 
> > [ 3.653389][ T1] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4300 kernel/locking/lockdep.c:4359) 
> > [ 3.653693][ T1] ? exc_page_fault (arch/x86/include/asm/irqflags.h:26 arch/x86/include/asm/irqflags.h:67 arch/x86/include/asm/irqflags.h:127 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539) 
> > [ 3.653952][ T1] ? pvclock_clocksource_read_nowd (arch/x86/mm/fault.c:1494) 
> > [ 3.654265][ T1] ? handle_exception (arch/x86/entry/entry_32.S:1054) 
> > [ 3.654524][ T1] ? pvclock_clocksource_read_nowd (arch/x86/mm/fault.c:1494) 
> > [ 3.654838][ T1] ? __lock_acquire (kernel/locking/lockdep.c:5006 (discriminator 1)) 
> > [ 3.655087][ T1] ? pvclock_clocksource_read_nowd (arch/x86/mm/fault.c:1494) 
> > [ 3.655400][ T1] ? __lock_acquire (kernel/locking/lockdep.c:5006 (discriminator 1)) 
> > [ 3.655650][ T1] ? register_lock_class (kernel/locking/lockdep.c:1285 (discriminator 13)) 
> > [ 3.655916][ T1] ? filemap_get_entry (include/linux/rcupdate.h:339 include/linux/rcupdate.h:812 mm/filemap.c:1858) 
> > [ 3.656179][ T1] lock_acquire (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5756) 
> > [ 3.656408][ T1] ? pmd_install (mm/memory.c:424) 
> > [ 3.656638][ T1] ? slow_virt_to_phys (arch/x86/mm/pat/set_memory.c:811) 
> > [ 3.656896][ T1] _raw_spin_lock (include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154) 
> > [ 3.657130][ T1] ? pmd_install (mm/memory.c:424) 
> > [ 3.657451][ T1] pmd_install (mm/memory.c:424) 
> > [ 3.657669][ T1] finish_fault (mm/memory.c:4870) 
> > [ 3.657902][ T1] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:63 (discriminator 13)) 
> > [ 3.658156][ T1] do_pte_missing (mm/memory.c:5100 mm/memory.c:5193 mm/memory.c:3947) 
> > [ 3.658398][ T1] handle_pte_fault (mm/memory.c:5522) 
> > [ 3.658647][ T1] ? __lock_release+0x4f/0x17c 
> > [ 3.658921][ T1] __handle_mm_fault (mm/memory.c:5666) 
> > [ 3.659174][ T1] ? mt_find (lib/maple_tree.c:6952) 
> > [ 3.659394][ T1] ? __handle_mm_fault (mm/memory.c:5800) 
> > [ 3.659656][ T1] handle_mm_fault (mm/memory.c:5745 mm/memory.c:5832) 
> > [ 3.659897][ T1] ? lock_mm_and_find_vma (mm/memory.c:5921) 
> > [ 3.660167][ T1] do_user_addr_fault (include/linux/sched/signal.h:425 arch/x86/mm/fault.c:1391) 
> > [ 3.660426][ T1] exc_page_fault (arch/x86/include/asm/irqflags.h:26 arch/x86/include/asm/irqflags.h:67 arch/x86/include/asm/irqflags.h:127 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539) 
> > [ 3.660663][ T1] ? find_held_lock (kernel/locking/lockdep.c:5244) 
> > [ 3.660905][ T1] ? pvclock_clocksource_read_nowd (arch/x86/mm/fault.c:1494) 
> > [ 3.661221][ T1] handle_exception (arch/x86/entry/entry_32.S:1054) 
> > [ 3.661478][ T1] EIP: clear_user (arch/x86/lib/usercopy_32.c:66) 
> > [ 3.661712][ T1] Code: 34 b8 00 00 00 c0 29 d8 39 c7 77 29 ba 42 00 00 00 b8 63 1d 95 c3 e8 fe 6f 5c fe 89 da 31 c0 c1 eb 02 83 e2 03 89 d9 8d 76 00 <f3> ab 89 d1 f3 aa 8d 76 00 89 cb 89 d8 5b 5f 5d 31 d2 31 c9 e9 4a
> > All code
> > ========
> >    0:	34 b8                	xor    $0xb8,%al
> >    2:	00 00                	add    %al,(%rax)
> >    4:	00 c0                	add    %al,%al
> >    6:	29 d8                	sub    %ebx,%eax
> >    8:	39 c7                	cmp    %eax,%edi
> >    a:	77 29                	ja     0x35
> >    c:	ba 42 00 00 00       	mov    $0x42,%edx
> >   11:	b8 63 1d 95 c3       	mov    $0xc3951d63,%eax
> >   16:	e8 fe 6f 5c fe       	call   0xfffffffffe5c7019
> >   1b:	89 da                	mov    %ebx,%edx
> >   1d:	31 c0                	xor    %eax,%eax
> >   1f:	c1 eb 02             	shr    $0x2,%ebx
> >   22:	83 e2 03             	and    $0x3,%edx
> >   25:	89 d9                	mov    %ebx,%ecx
> >   27:	8d 76 00             	lea    0x0(%rsi),%esi
> >   2a:*	f3 ab                	rep stos %eax,%es:(%rdi)		<-- trapping instruction
> >   2c:	89 d1                	mov    %edx,%ecx
> >   2e:	f3 aa                	rep stos %al,%es:(%rdi)
> >   30:	8d 76 00             	lea    0x0(%rsi),%esi
> >   33:	89 cb                	mov    %ecx,%ebx
> >   35:	89 d8                	mov    %ebx,%eax
> >   37:	5b                   	pop    %rbx
> >   38:	5f                   	pop    %rdi
> >   39:	5d                   	pop    %rbp
> >   3a:	31 d2                	xor    %edx,%edx
> >   3c:	31 c9                	xor    %ecx,%ecx
> >   3e:	e9                   	.byte 0xe9
> >   3f:	4a                   	rex.WX
> > 
> > Code starting with the faulting instruction
> > ===========================================
> >    0:	f3 ab                	rep stos %eax,%es:(%rdi)
> >    2:	89 d1                	mov    %edx,%ecx
> >    4:	f3 aa                	rep stos %al,%es:(%rdi)
> >    6:	8d 76 00             	lea    0x0(%rsi),%esi
> >    9:	89 cb                	mov    %ecx,%ebx
> >    b:	89 d8                	mov    %ebx,%eax
> >    d:	5b                   	pop    %rbx
> >    e:	5f                   	pop    %rdi
> >    f:	5d                   	pop    %rbp
> >   10:	31 d2                	xor    %edx,%edx
> >   12:	31 c9                	xor    %ecx,%ecx
> >   14:	e9                   	.byte 0xe9
> >   15:	4a                   	rex.WX
> > 
> > 
> > The kernel config and materials to reproduce are available at:
> > https://download.01.org/0day-ci/archive/20240722/202407221607.49138a71-oliver.sang@intel.com
> > 
> > 
> > 
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ