Message-ID: <CAJuCfpGeKgOgqq69OD-TMoQLhyy+HuTKK=cQPHMY2DgNcJf5Xg@mail.gmail.com>
Date: Sun, 8 Dec 2024 18:09:05 -0800
From: Suren Baghdasaryan <surenb@...gle.com>
To: kernel test robot <oliver.sang@...el.com>
Cc: oe-lkp@...ts.linux.dev, lkp@...el.com, 
	Andrew Morton <akpm@...ux-foundation.org>, Christian Brauner <brauner@...nel.org>, 
	David Hildenbrand <david@...hat.com>, David Howells <dhowells@...hat.com>, 
	Davidlohr Bueso <dave@...olabs.net>, Hillf Danton <hdanton@...a.com>, Hugh Dickins <hughd@...gle.com>, 
	Jann Horn <jannh@...gle.com>, Johannes Weiner <hannes@...xchg.org>, Jonathan Corbet <corbet@....net>, 
	"Liam R. Howlett" <Liam.Howlett@...cle.com>, Lorenzo Stoakes <lorenzo.stoakes@...cle.com>, 
	Mateusz Guzik <mjguzik@...il.com>, Matthew Wilcox <willy@...radead.org>, 
	Mel Gorman <mgorman@...hsingularity.net>, Michal Hocko <mhocko@...e.com>, 
	Minchan Kim <minchan@...gle.com>, Oleg Nesterov <oleg@...hat.com>, 
	Pasha Tatashin <pasha.tatashin@...een.com>, "Paul E. McKenney" <paulmck@...nel.org>, 
	Peter Xu <peterx@...hat.com>, Peter Zijlstra <peterz@...radead.org>, 
	Shakeel Butt <shakeel.butt@...ux.dev>, Sourav Panda <souravpanda@...gle.com>, 
	Vlastimil Babka <vbabka@...e.cz>, Wei Yang <richard.weiyang@...il.com>, linux-mm@...ck.org, 
	linux-kernel@...r.kernel.org
Subject: Re: [akpm-mm:mm-unstable] [mm] 85ad413389: BUG:kernel_NULL_pointer_dereference,address

On Sun, Dec 8, 2024 at 7:26 AM kernel test robot <oliver.sang@...el.com> wrote:
>
>
>
> Hello,
>
> kernel test robot noticed "BUG:kernel_NULL_pointer_dereference,address" on:
>
> commit: 85ad413389aec04cfaaba043caa8128b76c6e491 ("mm: make vma cache SLAB_TYPESAFE_BY_RCU")
> https://git.kernel.org/cgit/linux/kernel/git/akpm/mm.git mm-unstable
>
> in testcase: boot
>
> config: i386-randconfig-141-20241208
> compiler: gcc-11
> test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
>
> (please refer to attached dmesg/kmsg for entire log/backtrace)
>
>
> +------------------------------------------------+------------+------------+
> |                                                | 98d5eefb97 | 85ad413389 |
> +------------------------------------------------+------------+------------+
> | BUG:kernel_NULL_pointer_dereference,address    | 0          | 12         |
> | Oops                                           | 0          | 12         |
> | EIP:lock_anon_vma_root                         | 0          | 12         |
> | Kernel_panic-not_syncing:Fatal_exception       | 0          | 12         |
> +------------------------------------------------+------------+------------+
>
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add the following tags
> | Reported-by: kernel test robot <oliver.sang@...el.com>
> | Closes: https://lore.kernel.org/oe-lkp/202412082208.db1fb2c9-lkp@intel.com

Thanks for the report!
It looks like anon_vma passed to lock_anon_vma_root() is NULL but it's
not obvious to me why my patch would cause that.

Oliver, how can I reproduce this locally?

>
>
> [    6.680723][    T1] BUG: kernel NULL pointer dereference, address: 00000000
> [    6.681291][    T1] #PF: supervisor read access in kernel mode
> [    6.681706][    T1] #PF: error_code(0x0000) - not-present page
> [    6.682122][    T1] *pde = 00000000
> [    6.682389][    T1] Oops: Oops: 0000 [#1] PREEMPT
> [    6.682741][    T1] CPU: 0 UID: 0 PID: 1 Comm: init Tainted: G                T  6.13.0-rc1-00162-g85ad413389ae #1 b25e7d42bdbf00dd0b477b43b1be4c6af368b663
> [    6.683729][    T1] Tainted: [T]=RANDSTRUCT
> [ 6.684044][ T1] EIP: lock_anon_vma_root (mm/rmap.c:245)
> [ 6.684422][ T1] Code: 31 d2 31 c9 c3 55 89 e5 e8 55 68 15 00 5d 31 c0 31 d2 31 c9 c3 55 8b 00 83 c0 04 89 e5 e8 64 5f f2 ff 5d 31 c0 c3 55 89 e5 53 <8b> 1a 39 c3 74 18 85 c0 74 0a 0f 0b 83 c0 04 e8 48 5f f2 ff 8d 43
> All code
> ========
>    0:   31 d2                   xor    %edx,%edx
>    2:   31 c9                   xor    %ecx,%ecx
>    4:   c3                      ret
>    5:   55                      push   %rbp
>    6:   89 e5                   mov    %esp,%ebp
>    8:   e8 55 68 15 00          call   0x156862
>    d:   5d                      pop    %rbp
>    e:   31 c0                   xor    %eax,%eax
>   10:   31 d2                   xor    %edx,%edx
>   12:   31 c9                   xor    %ecx,%ecx
>   14:   c3                      ret
>   15:   55                      push   %rbp
>   16:   8b 00                   mov    (%rax),%eax
>   18:   83 c0 04                add    $0x4,%eax
>   1b:   89 e5                   mov    %esp,%ebp
>   1d:   e8 64 5f f2 ff          call   0xfffffffffff25f86
>   22:   5d                      pop    %rbp
>   23:   31 c0                   xor    %eax,%eax
>   25:   c3                      ret
>   26:   55                      push   %rbp
>   27:   89 e5                   mov    %esp,%ebp
>   29:   53                      push   %rbx
>   2a:*  8b 1a                   mov    (%rdx),%ebx              <-- trapping instruction
>   2c:   39 c3                   cmp    %eax,%ebx
>   2e:   74 18                   je     0x48
>   30:   85 c0                   test   %eax,%eax
>   32:   74 0a                   je     0x3e
>   34:   0f 0b                   ud2
>   36:   83 c0 04                add    $0x4,%eax
>   39:   e8 48 5f f2 ff          call   0xfffffffffff25f86
>   3e:   8d                      .byte 0x8d
>   3f:   43                      rex.XB
>
> Code starting with the faulting instruction
> ===========================================
>    0:   8b 1a                   mov    (%rdx),%ebx
>    2:   39 c3                   cmp    %eax,%ebx
>    4:   74 18                   je     0x1e
>    6:   85 c0                   test   %eax,%eax
>    8:   74 0a                   je     0x14
>    a:   0f 0b                   ud2
>    c:   83 c0 04                add    $0x4,%eax
>    f:   e8 48 5f f2 ff          call   0xfffffffffff25f5c
>   14:   8d                      .byte 0x8d
>   15:   43                      rex.XB
> [    6.685810][    T1] EAX: 00000000 EBX: 4ccbd680 ECX: 00000000 EDX: 00000000
> [    6.686314][    T1] ESI: 4ccbd678 EDI: 4ccbd800 EBP: 416e1c60 ESP: 416e1c5c
> [    6.686817][    T1] DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 EFLAGS: 00010202
> [    6.687338][    T1] CR0: 80050033 CR2: 00000000 CR3: 0ccbc000 CR4: 000406d0
> [    6.687821][    T1] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
> [    6.688313][    T1] DR6: fffe0ff0 DR7: 00000400
> [    6.688632][    T1] Call Trace:
> [ 6.688880][ T1] ? show_regs (arch/x86/kernel/dumpstack.c:479 arch/x86/kernel/dumpstack.c:465)
> [ 6.689181][ T1] ? __die_body (arch/x86/kernel/dumpstack.c:421)
> [ 6.689478][ T1] ? __die (arch/x86/kernel/dumpstack.c:435)
> [ 6.689745][ T1] ? page_fault_oops (arch/x86/mm/fault.c:712)
> [ 6.690080][ T1] ? lock_anon_vma_root (mm/rmap.c:245)
> [ 6.690427][ T1] ? kernelmode_fixup_or_oops+0x50/0x5e
> [ 6.690891][ T1] ? __bad_area_nosemaphore+0x2c/0x17c
> [ 6.691343][ T1] ? bad_area_nosemaphore (arch/x86/mm/fault.c:835)
> [ 6.691700][ T1] ? do_user_addr_fault (arch/x86/mm/fault.c:1280 (discriminator 1))
> [ 6.692055][ T1] ? exc_page_fault (arch/x86/include/asm/irqflags.h:26 arch/x86/include/asm/irqflags.h:87 arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539)
> [ 6.692391][ T1] ? pvclock_clocksource_read_nowd (arch/x86/mm/fault.c:1494)
> [ 6.692815][ T1] ? handle_exception (arch/x86/entry/entry_32.S:1048)
> [ 6.693136][ T1] ? pvclock_clocksource_read_nowd (arch/x86/mm/fault.c:1494)
> [ 6.693560][ T1] ? lock_anon_vma_root (mm/rmap.c:245)
> [ 6.693913][ T1] ? pvclock_clocksource_read_nowd (arch/x86/mm/fault.c:1494)
> [ 6.694352][ T1] ? lock_anon_vma_root (mm/rmap.c:245)
> [ 6.694717][ T1] ? anon_vma_clone (mm/rmap.c:298)
> [ 6.695053][ T1] ? __split_vma (mm/vma.c:486)
> [ 6.695375][ T1] ? vms_gather_munmap_vmas (mm/vma.c:1289)
> [ 6.695763][ T1] ? __mmap_prepare (mm/vma.c:2242)
> [ 6.696108][ T1] ? __mmap_region (mm/vma.c:2443)
> [ 6.696454][ T1] ? mmap_region (mm/mmap.c:1037)
> [ 6.696782][ T1] ? do_mmap (mm/mmap.c:499)
> [ 6.697091][ T1] ? vm_mmap_pgoff (mm/util.c:580)
> [ 6.697433][ T1] ? ksys_mmap_pgoff (mm/mmap.c:545)
> [ 6.697782][ T1] ? __ia32_sys_mmap_pgoff (mm/mmap.c:552)
> [ 6.698159][ T1] ? ia32_sys_call (kbuild/obj/consumer/i386-randconfig-141-20241208/./arch/x86/include/generated/asm/syscalls_32.h:193)
> [ 6.698507][ T1] ? do_int80_syscall_32 (arch/x86/entry/common.c:165 arch/x86/entry/common.c:339)
> [ 6.698869][ T1] ? entry_INT80_32 (arch/x86/entry/entry_32.S:945)
> [    6.699231][    T1] Modules linked in:
> [    6.699518][    T1] CR2: 0000000000000000
> [    6.699858][    T1] ---[ end trace 0000000000000000 ]---
> [ 6.700258][ T1] EIP: lock_anon_vma_root (mm/rmap.c:245)
> [ 6.700625][ T1] Code: 31 d2 31 c9 c3 55 89 e5 e8 55 68 15 00 5d 31 c0 31 d2 31 c9 c3 55 8b 00 83 c0 04 89 e5 e8 64 5f f2 ff 5d 31 c0 c3 55 89 e5 53 <8b> 1a 39 c3 74 18 85 c0 74 0a 0f 0b 83 c0 04 e8 48 5f f2 ff 8d 43
>
>
>
> --
> 0-DAY CI Kernel Test Service
> https://github.com/intel/lkp-tests/wiki
>
>
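As an added triage example (not part of this thread or of the lkp tooling), the script below parses the oops's "Code:" line and 32-bit register dump to confirm what the reply states: the trapping "mov (%edx),%ebx" loaded through a NULL EDX, i.e. the anon_vma pointer itself was NULL. The sample log lines are constructed from the values quoted above; the ModRM decoder only covers the simple register-indirect forms of opcodes 0x8b/0x89.

```python
"""Triage helper for an x86-32 kernel oops: locate the trapping instruction
in the 'Code:' line, decode which register it dereferenced, and check that
register's value in the dump. Added example, not part of the report."""
import re

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Constructed sample: three lines copied from the oops quoted in the thread.
SAMPLE_LOG = """\
[    6.680723][    T1] BUG: kernel NULL pointer dereference, address: 00000000
[    6.684422][    T1] Code: 31 d2 31 c9 c3 55 89 e5 e8 55 68 15 00 5d 31 c0 31 d2 31 c9 c3 55 8b 00 83 c0 04 89 e5 e8 64 5f f2 ff 5d 31 c0 c3 55 89 e5 53 <8b> 1a 39 c3 74 18 85 c0 74 0a 0f 0b 83 c0 04 e8 48 5f f2 ff 8d 43
[    6.685810][    T1] EAX: 00000000 EBX: 4ccbd680 ECX: 00000000 EDX: 00000000
[    6.686314][    T1] ESI: 4ccbd678 EDI: 4ccbd800 EBP: 416e1c60 ESP: 416e1c5c
"""

def fault_bytes(log):
    """Return the bytes from the trapping instruction onward; the kernel
    marks the faulting opcode with angle brackets in the 'Code:' line."""
    m = re.search(r"Code: (.*)$", log, re.M)
    if not m:
        raise ValueError("no Code: line in log")
    toks = m.group(1).split()
    start = next(i for i, t in enumerate(toks) if t.startswith("<"))
    return [int(t.strip("<>"), 16) for t in toks[start:]]

def registers(log):
    """Parse the 32-bit general-purpose register dump into {name: value}."""
    pairs = re.findall(r"\b(E[A-Z]{2}): ([0-9a-f]{8})", log)
    return {name.lower(): int(val, 16) for name, val in pairs}

def memory_base(insn):
    """For mov r/m32 forms (opcode 0x8b or 0x89) with a plain register-
    indirect ModRM, return the base register name; None for SIB, disp32
    or register-direct forms, which this helper does not decode."""
    if len(insn) < 2 or insn[0] not in (0x8b, 0x89):
        return None
    mod, rm = insn[1] >> 6, insn[1] & 7
    if mod == 3 or rm == 4 or (mod == 0 and rm == 5):
        return None
    return REG32[rm]

def null_deref_register(log):
    """Name the register that held the dereferenced NULL, or None."""
    base = memory_base(fault_bytes(log))
    regs = registers(log)
    if base is None or regs.get(base) != 0:
        return None
    return base

if __name__ == "__main__":
    print("NULL dereferenced via register:", null_deref_register(SAMPLE_LOG))
```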
