lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YtLJMxChUupbAa+U@xsang-OptiPlex-9020>
Date:   Sat, 16 Jul 2022 22:20:35 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Joanne Koong <joannelkoong@...il.com>
Cc:     0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
        netdev@...r.kernel.org, dccp@...r.kernel.org, lkp@...ts.01.org,
        edumazet@...gle.com, kafai@...com, kuba@...nel.org,
        davem@...emloft.net, pabeni@...hat.com,
        Joanne Koong <joannelkoong@...il.com>
Subject: [net]  2e20fc25bc: BUG:kernel_NULL_pointer_dereference,address



Greeting,

FYI, we noticed the following commit (built with gcc-11):

commit: 2e20fc25bca52fbc786bbae312df56514c10798d ("[PATCH net-next v2 1/3] net: Add a bhash2 table hashed by port + address")
url: https://github.com/intel-lab-lkp/linux/commits/Joanne-Koong/Add-a-second-bind-table-hashed-by-port-address/20220713-075808
base: https://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git 5022e221c98a609e0e5b0a73852c7e3d32f1c545
patch link: https://lore.kernel.org/netdev/20220712235310.1935121-2-joannelkoong@gmail.com

in testcase: boot

on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):


+-------------------------------------------------------+------------+------------+
|                                                       | 5022e221c9 | 2e20fc25bc |
+-------------------------------------------------------+------------+------------+
| boot_successes                                        | 8          | 0          |
| boot_failures                                         | 0          | 12         |
| BUG:kernel_NULL_pointer_dereference,address           | 0          | 12         |
| Oops:#[##]                                            | 0          | 12         |
| RIP:inet_bhash2_update_saddr                          | 0          | 12         |
| Kernel_panic-not_syncing:Fatal_exception_in_interrupt | 0          | 12         |
+-------------------------------------------------------+------------+------------+


If you fix the issue, kindly add following tag
Reported-by: kernel test robot <oliver.sang@...el.com>


[  247.022450][  T328] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  247.024448][  T328] #PF: supervisor write access in kernel mode
[  247.026159][  T328] #PF: error_code(0x0002) - not-present page
[  247.027743][  T328] PGD 800000014b28a067 P4D 800000014b28a067 PUD 14b289067 PMD 0
[  247.029705][  T328] Oops: 0002 [#1] SMP PTI
[  247.030900][  T328] CPU: 1 PID: 328 Comm: wget Not tainted 5.19.0-rc5-01130-g2e20fc25bca5 #1
[  247.033223][  T328] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
[ 247.035984][ T328] RIP: 0010:inet_bhash2_update_saddr (include/linux/list.h:884 include/net/sock.h:824 net/ipv4/inet_hashtables.c:872) 
[ 247.037623][ T328] Code: 48 8d 83 00 03 00 00 4c 8b a3 f8 02 00 00 48 89 c7 48 89 44 24 28 e8 10 79 01 ff 4c 8b ab 00 03 00 00 4c 89 ef e8 f1 87 01 ff <4d> 89 65 00 4d 85 e4 74 14 e8 93 2b ed fe 49 8d 7c 24 08 e8 d9 87
All code
========
   0:	48 8d 83 00 03 00 00 	lea    0x300(%rbx),%rax
   7:	4c 8b a3 f8 02 00 00 	mov    0x2f8(%rbx),%r12
   e:	48 89 c7             	mov    %rax,%rdi
  11:	48 89 44 24 28       	mov    %rax,0x28(%rsp)
  16:	e8 10 79 01 ff       	callq  0xffffffffff01792b
  1b:	4c 8b ab 00 03 00 00 	mov    0x300(%rbx),%r13
  22:	4c 89 ef             	mov    %r13,%rdi
  25:	e8 f1 87 01 ff       	callq  0xffffffffff01881b
  2a:*	4d 89 65 00          	mov    %r12,0x0(%r13)		<-- trapping instruction
  2e:	4d 85 e4             	test   %r12,%r12
  31:	74 14                	je     0x47
  33:	e8 93 2b ed fe       	callq  0xfffffffffeed2bcb
  38:	49 8d 7c 24 08       	lea    0x8(%r12),%rdi
  3d:	e8                   	.byte 0xe8
  3e:	d9                   	.byte 0xd9
  3f:	87                   	.byte 0x87

Code starting with the faulting instruction
===========================================
   0:	4d 89 65 00          	mov    %r12,0x0(%r13)
   4:	4d 85 e4             	test   %r12,%r12
   7:	74 14                	je     0x1d
   9:	e8 93 2b ed fe       	callq  0xfffffffffeed2ba1
   e:	49 8d 7c 24 08       	lea    0x8(%r12),%rdi
  13:	e8                   	.byte 0xe8
  14:	d9                   	.byte 0xd9
  15:	87                   	.byte 0x87
[  247.062693][  T328] RSP: 0018:ffffc90000ae7bd8 EFLAGS: 00010246
[  247.064435][  T328] RAX: ffff88811673c3e0 RBX: ffff8881168e4600 RCX: ffffffff823fb28f
[  247.066525][  T328] RDX: 0000000000000a28 RSI: 0001ffffffffffff RDI: 0000000000000000
[  247.068479][  T328] RBP: ffffc90000ae7c60 R08: ffffffff8477ff18 R09: 0000000000000000
[  247.070484][  T328] R10: 0000000000000005 R11: 0000000000000000 R12: 0000000000000000
[  247.072457][  T328] R13: 0000000000000000 R14: ffffffff84cefd40 R15: ffffffff84cf29c0
[  247.074463][  T328] FS:  00007f38cc1a6700(0000) GS:ffff88842fd00000(0000) knlGS:0000000000000000
[  247.076798][  T328] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  247.080161][  T328] CR2: 0000000000000000 CR3: 0000000116a32000 CR4: 00000000000006e0
[  247.082224][  T328] Call Trace:
[  247.083152][  T328]  <TASK>
[ 247.083906][ T328] ? write_comp_data (kernel/kcov.c:229) 
[ 247.085183][ T328] tcp_v4_connect (net/ipv4/tcp_ipv4.c:261) 
[ 247.086542][ T328] __inet_stream_connect (net/ipv4/af_inet.c:661) 
[ 247.088103][ T328] ? write_comp_data (kernel/kcov.c:229) 
[ 247.089429][ T328] inet_stream_connect (net/ipv4/af_inet.c:725) 
[ 247.090707][ T328] ? __inet_stream_connect (net/ipv4/af_inet.c:720) 
[ 247.092104][ T328] __sys_connect_file (net/socket.c:1976) 
[ 247.093453][ T328] __sys_connect (net/socket.c:1993) 
[ 247.094902][ T328] ? write_comp_data (kernel/kcov.c:229) 
[ 247.096382][ T328] ? __x64_sys_alarm (kernel/time/itimer.c:306) 
[ 247.097825][ T328] __x64_sys_connect (net/socket.c:2000) 
[ 247.115487][ T328] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) 
[ 247.116792][ T328] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:115) 
[  247.118477][  T328] RIP: 0033:0x7f38cb2662e0
[ 247.119521][ T328] Code: 00 31 d2 48 29 c2 64 89 11 48 83 c8 ff eb ea 90 90 90 90 90 90 90 90 90 90 90 83 3d fd 8e 2c 00 00 75 10 b8 2a 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe ce 00 00 48 89 04 24
All code
========
   0:	00 31                	add    %dh,(%rcx)
   2:	d2 48 29             	rorb   %cl,0x29(%rax)
   5:	c2 64 89             	retq   $0x8964
   8:	11 48 83             	adc    %ecx,-0x7d(%rax)
   b:	c8 ff eb ea          	enterq $0xebff,$0xea
   f:	90                   	nop
  10:	90                   	nop
  11:	90                   	nop
  12:	90                   	nop
  13:	90                   	nop
  14:	90                   	nop
  15:	90                   	nop
  16:	90                   	nop
  17:	90                   	nop
  18:	90                   	nop
  19:	90                   	nop
  1a:	83 3d fd 8e 2c 00 00 	cmpl   $0x0,0x2c8efd(%rip)        # 0x2c8f1e
  21:	75 10                	jne    0x33
  23:	b8 2a 00 00 00       	mov    $0x2a,%eax
  28:	0f 05                	syscall 
  2a:*	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax		<-- trapping instruction
  30:	73 31                	jae    0x63
  32:	c3                   	retq   
  33:	48 83 ec 08          	sub    $0x8,%rsp
  37:	e8 fe ce 00 00       	callq  0xcf3a
  3c:	48 89 04 24          	mov    %rax,(%rsp)

Code starting with the faulting instruction
===========================================
   0:	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax
   6:	73 31                	jae    0x39
   8:	c3                   	retq   
   9:	48 83 ec 08          	sub    $0x8,%rsp
   d:	e8 fe ce 00 00       	callq  0xcf10
  12:	48 89 04 24          	mov    %rax,(%rsp)
[  247.124379][  T328] RSP: 002b:00007fffffe84038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[  247.126935][  T328] RAX: ffffffffffffffda RBX: 00007fffffe840d0 RCX: 00007f38cb2662e0
[  247.128978][  T328] RDX: 0000000000000010 RSI: 00007fffffe840f0 RDI: 0000000000000004
[  247.131142][  T328] RBP: 0000000000000004 R08: 00007fffffe83fa0 R09: 0000000000000001
[  247.133075][  T328] R10: 00007fffffe83dd0 R11: 0000000000000246 R12: 0000000000000050
[  247.135155][  T328] R13: 000000000065ade0 R14: 0000000001549a70 R15: 000000000000002a
[  247.137196][  T328]  </TASK>
[  247.142192][  T328] Modules linked in: bochs drm_vram_helper drm_ttm_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt ppdev fb_sys_fops sr_mod drm joydev i2c_piix4 cdrom parport_pc parport
[  247.147469][  T328] CR2: 0000000000000000
[  247.148548][  T328] ---[ end trace 0000000000000000 ]---
[ 247.186378][ T328] RIP: 0010:inet_bhash2_update_saddr (include/linux/list.h:884 include/net/sock.h:824 net/ipv4/inet_hashtables.c:872) 
[ 247.218516][ T328] Code: 48 8d 83 00 03 00 00 4c 8b a3 f8 02 00 00 48 89 c7 48 89 44 24 28 e8 10 79 01 ff 4c 8b ab 00 03 00 00 4c 89 ef e8 f1 87 01 ff <4d> 89 65 00 4d 85 e4 74 14 e8 93 2b ed fe 49 8d 7c 24 08 e8 d9 87
All code
========
   0:	48 8d 83 00 03 00 00 	lea    0x300(%rbx),%rax
   7:	4c 8b a3 f8 02 00 00 	mov    0x2f8(%rbx),%r12
   e:	48 89 c7             	mov    %rax,%rdi
  11:	48 89 44 24 28       	mov    %rax,0x28(%rsp)
  16:	e8 10 79 01 ff       	callq  0xffffffffff01792b
  1b:	4c 8b ab 00 03 00 00 	mov    0x300(%rbx),%r13
  22:	4c 89 ef             	mov    %r13,%rdi
  25:	e8 f1 87 01 ff       	callq  0xffffffffff01881b
  2a:*	4d 89 65 00          	mov    %r12,0x0(%r13)		<-- trapping instruction
  2e:	4d 85 e4             	test   %r12,%r12
  31:	74 14                	je     0x47
  33:	e8 93 2b ed fe       	callq  0xfffffffffeed2bcb
  38:	49 8d 7c 24 08       	lea    0x8(%r12),%rdi
  3d:	e8                   	.byte 0xe8
  3e:	d9                   	.byte 0xd9
  3f:	87                   	.byte 0x87

Code starting with the faulting instruction
===========================================
   0:	4d 89 65 00          	mov    %r12,0x0(%r13)
   4:	4d 85 e4             	test   %r12,%r12
   7:	74 14                	je     0x1d
   9:	e8 93 2b ed fe       	callq  0xfffffffffeed2ba1
   e:	49 8d 7c 24 08       	lea    0x8(%r12),%rdi
  13:	e8                   	.byte 0xe8
  14:	d9                   	.byte 0xd9
  15:	87                   	.byte 0x87


To reproduce:

        # build kernel
	cd linux
	cp config-5.19.0-rc5-01130-g2e20fc25bca5 .config
	make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
	make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
	cd <mod-install-dir>
	find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz


        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

        # if come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.



-- 
0-DAY CI Kernel Test Service
https://01.org/lkp



View attachment "config-5.19.0-rc5-01130-g2e20fc25bca5" of type "text/plain" (181537 bytes)

View attachment "job-script" of type "text/plain" (4860 bytes)

Download attachment "dmesg.xz" of type "application/x-xz" (14020 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ