Date:   Sat, 16 Jul 2022 22:20:35 +0800
From:   kernel test robot <oliver.sang@...el.com>
To:     Joanne Koong <joannelkoong@...il.com>
Cc:     0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
        netdev@...r.kernel.org, dccp@...r.kernel.org, lkp@...ts.01.org,
        edumazet@...gle.com, kafai@...com, kuba@...nel.org,
        davem@...emloft.net, pabeni@...hat.com,
        Joanne Koong <joannelkoong@...il.com>
Subject: [net]  2e20fc25bc: BUG:kernel_NULL_pointer_dereference,address



Greetings,

FYI, we noticed the following commit (built with gcc-11):

commit: 2e20fc25bca52fbc786bbae312df56514c10798d ("[PATCH net-next v2 1/3] net: Add a bhash2 table hashed by port + address")
url: https://github.com/intel-lab-lkp/linux/commits/Joanne-Koong/Add-a-second-bind-table-hashed-by-port-address/20220713-075808
base: https://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git 5022e221c98a609e0e5b0a73852c7e3d32f1c545
patch link: https://lore.kernel.org/netdev/20220712235310.1935121-2-joannelkoong@gmail.com

in testcase: boot

on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):


+-------------------------------------------------------+------------+------------+
|                                                       | 5022e221c9 | 2e20fc25bc |
+-------------------------------------------------------+------------+------------+
| boot_successes                                        | 8          | 0          |
| boot_failures                                         | 0          | 12         |
| BUG:kernel_NULL_pointer_dereference,address           | 0          | 12         |
| Oops:#[##]                                            | 0          | 12         |
| RIP:inet_bhash2_update_saddr                          | 0          | 12         |
| Kernel_panic-not_syncing:Fatal_exception_in_interrupt | 0          | 12         |
+-------------------------------------------------------+------------+------------+


If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <oliver.sang@...el.com>


[  247.022450][  T328] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  247.024448][  T328] #PF: supervisor write access in kernel mode
[  247.026159][  T328] #PF: error_code(0x0002) - not-present page
[  247.027743][  T328] PGD 800000014b28a067 P4D 800000014b28a067 PUD 14b289067 PMD 0
[  247.029705][  T328] Oops: 0002 [#1] SMP PTI
[  247.030900][  T328] CPU: 1 PID: 328 Comm: wget Not tainted 5.19.0-rc5-01130-g2e20fc25bca5 #1
[  247.033223][  T328] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
[ 247.035984][ T328] RIP: 0010:inet_bhash2_update_saddr (include/linux/list.h:884 include/net/sock.h:824 net/ipv4/inet_hashtables.c:872) 
[ 247.037623][ T328] Code: 48 8d 83 00 03 00 00 4c 8b a3 f8 02 00 00 48 89 c7 48 89 44 24 28 e8 10 79 01 ff 4c 8b ab 00 03 00 00 4c 89 ef e8 f1 87 01 ff <4d> 89 65 00 4d 85 e4 74 14 e8 93 2b ed fe 49 8d 7c 24 08 e8 d9 87
All code
========
   0:	48 8d 83 00 03 00 00 	lea    0x300(%rbx),%rax
   7:	4c 8b a3 f8 02 00 00 	mov    0x2f8(%rbx),%r12
   e:	48 89 c7             	mov    %rax,%rdi
  11:	48 89 44 24 28       	mov    %rax,0x28(%rsp)
  16:	e8 10 79 01 ff       	callq  0xffffffffff01792b
  1b:	4c 8b ab 00 03 00 00 	mov    0x300(%rbx),%r13
  22:	4c 89 ef             	mov    %r13,%rdi
  25:	e8 f1 87 01 ff       	callq  0xffffffffff01881b
  2a:*	4d 89 65 00          	mov    %r12,0x0(%r13)		<-- trapping instruction
  2e:	4d 85 e4             	test   %r12,%r12
  31:	74 14                	je     0x47
  33:	e8 93 2b ed fe       	callq  0xfffffffffeed2bcb
  38:	49 8d 7c 24 08       	lea    0x8(%r12),%rdi
  3d:	e8                   	.byte 0xe8
  3e:	d9                   	.byte 0xd9
  3f:	87                   	.byte 0x87

Code starting with the faulting instruction
===========================================
   0:	4d 89 65 00          	mov    %r12,0x0(%r13)
   4:	4d 85 e4             	test   %r12,%r12
   7:	74 14                	je     0x1d
   9:	e8 93 2b ed fe       	callq  0xfffffffffeed2ba1
   e:	49 8d 7c 24 08       	lea    0x8(%r12),%rdi
  13:	e8                   	.byte 0xe8
  14:	d9                   	.byte 0xd9
  15:	87                   	.byte 0x87
[  247.062693][  T328] RSP: 0018:ffffc90000ae7bd8 EFLAGS: 00010246
[  247.064435][  T328] RAX: ffff88811673c3e0 RBX: ffff8881168e4600 RCX: ffffffff823fb28f
[  247.066525][  T328] RDX: 0000000000000a28 RSI: 0001ffffffffffff RDI: 0000000000000000
[  247.068479][  T328] RBP: ffffc90000ae7c60 R08: ffffffff8477ff18 R09: 0000000000000000
[  247.070484][  T328] R10: 0000000000000005 R11: 0000000000000000 R12: 0000000000000000
[  247.072457][  T328] R13: 0000000000000000 R14: ffffffff84cefd40 R15: ffffffff84cf29c0
[  247.074463][  T328] FS:  00007f38cc1a6700(0000) GS:ffff88842fd00000(0000) knlGS:0000000000000000
[  247.076798][  T328] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  247.080161][  T328] CR2: 0000000000000000 CR3: 0000000116a32000 CR4: 00000000000006e0
[  247.082224][  T328] Call Trace:
[  247.083152][  T328]  <TASK>
[ 247.083906][ T328] ? write_comp_data (kernel/kcov.c:229) 
[ 247.085183][ T328] tcp_v4_connect (net/ipv4/tcp_ipv4.c:261) 
[ 247.086542][ T328] __inet_stream_connect (net/ipv4/af_inet.c:661) 
[ 247.088103][ T328] ? write_comp_data (kernel/kcov.c:229) 
[ 247.089429][ T328] inet_stream_connect (net/ipv4/af_inet.c:725) 
[ 247.090707][ T328] ? __inet_stream_connect (net/ipv4/af_inet.c:720) 
[ 247.092104][ T328] __sys_connect_file (net/socket.c:1976) 
[ 247.093453][ T328] __sys_connect (net/socket.c:1993) 
[ 247.094902][ T328] ? write_comp_data (kernel/kcov.c:229) 
[ 247.096382][ T328] ? __x64_sys_alarm (kernel/time/itimer.c:306) 
[ 247.097825][ T328] __x64_sys_connect (net/socket.c:2000) 
[ 247.115487][ T328] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) 
[ 247.116792][ T328] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:115) 
[  247.118477][  T328] RIP: 0033:0x7f38cb2662e0
[ 247.119521][ T328] Code: 00 31 d2 48 29 c2 64 89 11 48 83 c8 ff eb ea 90 90 90 90 90 90 90 90 90 90 90 83 3d fd 8e 2c 00 00 75 10 b8 2a 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe ce 00 00 48 89 04 24
All code
========
   0:	00 31                	add    %dh,(%rcx)
   2:	d2 48 29             	rorb   %cl,0x29(%rax)
   5:	c2 64 89             	retq   $0x8964
   8:	11 48 83             	adc    %ecx,-0x7d(%rax)
   b:	c8 ff eb ea          	enterq $0xebff,$0xea
   f:	90                   	nop
  10:	90                   	nop
  11:	90                   	nop
  12:	90                   	nop
  13:	90                   	nop
  14:	90                   	nop
  15:	90                   	nop
  16:	90                   	nop
  17:	90                   	nop
  18:	90                   	nop
  19:	90                   	nop
  1a:	83 3d fd 8e 2c 00 00 	cmpl   $0x0,0x2c8efd(%rip)        # 0x2c8f1e
  21:	75 10                	jne    0x33
  23:	b8 2a 00 00 00       	mov    $0x2a,%eax
  28:	0f 05                	syscall 
  2a:*	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax		<-- trapping instruction
  30:	73 31                	jae    0x63
  32:	c3                   	retq   
  33:	48 83 ec 08          	sub    $0x8,%rsp
  37:	e8 fe ce 00 00       	callq  0xcf3a
  3c:	48 89 04 24          	mov    %rax,(%rsp)

Code starting with the faulting instruction
===========================================
   0:	48 3d 01 f0 ff ff    	cmp    $0xfffffffffffff001,%rax
   6:	73 31                	jae    0x39
   8:	c3                   	retq   
   9:	48 83 ec 08          	sub    $0x8,%rsp
   d:	e8 fe ce 00 00       	callq  0xcf10
  12:	48 89 04 24          	mov    %rax,(%rsp)
[  247.124379][  T328] RSP: 002b:00007fffffe84038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[  247.126935][  T328] RAX: ffffffffffffffda RBX: 00007fffffe840d0 RCX: 00007f38cb2662e0
[  247.128978][  T328] RDX: 0000000000000010 RSI: 00007fffffe840f0 RDI: 0000000000000004
[  247.131142][  T328] RBP: 0000000000000004 R08: 00007fffffe83fa0 R09: 0000000000000001
[  247.133075][  T328] R10: 00007fffffe83dd0 R11: 0000000000000246 R12: 0000000000000050
[  247.135155][  T328] R13: 000000000065ade0 R14: 0000000001549a70 R15: 000000000000002a
[  247.137196][  T328]  </TASK>
[  247.142192][  T328] Modules linked in: bochs drm_vram_helper drm_ttm_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt ppdev fb_sys_fops sr_mod drm joydev i2c_piix4 cdrom parport_pc parport
[  247.147469][  T328] CR2: 0000000000000000
[  247.148548][  T328] ---[ end trace 0000000000000000 ]---
[ 247.186378][ T328] RIP: 0010:inet_bhash2_update_saddr (include/linux/list.h:884 include/net/sock.h:824 net/ipv4/inet_hashtables.c:872) 
[ 247.218516][ T328] Code: 48 8d 83 00 03 00 00 4c 8b a3 f8 02 00 00 48 89 c7 48 89 44 24 28 e8 10 79 01 ff 4c 8b ab 00 03 00 00 4c 89 ef e8 f1 87 01 ff <4d> 89 65 00 4d 85 e4 74 14 e8 93 2b ed fe 49 8d 7c 24 08 e8 d9 87
All code
========
   0:	48 8d 83 00 03 00 00 	lea    0x300(%rbx),%rax
   7:	4c 8b a3 f8 02 00 00 	mov    0x2f8(%rbx),%r12
   e:	48 89 c7             	mov    %rax,%rdi
  11:	48 89 44 24 28       	mov    %rax,0x28(%rsp)
  16:	e8 10 79 01 ff       	callq  0xffffffffff01792b
  1b:	4c 8b ab 00 03 00 00 	mov    0x300(%rbx),%r13
  22:	4c 89 ef             	mov    %r13,%rdi
  25:	e8 f1 87 01 ff       	callq  0xffffffffff01881b
  2a:*	4d 89 65 00          	mov    %r12,0x0(%r13)		<-- trapping instruction
  2e:	4d 85 e4             	test   %r12,%r12
  31:	74 14                	je     0x47
  33:	e8 93 2b ed fe       	callq  0xfffffffffeed2bcb
  38:	49 8d 7c 24 08       	lea    0x8(%r12),%rdi
  3d:	e8                   	.byte 0xe8
  3e:	d9                   	.byte 0xd9
  3f:	87                   	.byte 0x87

Code starting with the faulting instruction
===========================================
   0:	4d 89 65 00          	mov    %r12,0x0(%r13)
   4:	4d 85 e4             	test   %r12,%r12
   7:	74 14                	je     0x1d
   9:	e8 93 2b ed fe       	callq  0xfffffffffeed2ba1
   e:	49 8d 7c 24 08       	lea    0x8(%r12),%rdi
  13:	e8                   	.byte 0xe8
  14:	d9                   	.byte 0xd9
  15:	87                   	.byte 0x87


To reproduce:

        # build kernel
        cd linux
        cp config-5.19.0-rc5-01130-g2e20fc25bca5 .config
        make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
        make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
        cd <mod-install-dir>
        find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz

        # boot the built kernel under qemu with the attached job-script
        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

        # if you come across any failure that blocks the test,
        # please remove the ~/.lkp and /lkp dirs to run from a clean state.



-- 
0-DAY CI Kernel Test Service
https://01.org/lkp



Attachments:
  config-5.19.0-rc5-01130-g2e20fc25bca5 (text/plain, 181537 bytes)
  job-script (text/plain, 4860 bytes)
  dmesg.xz (application/x-xz, 14020 bytes)
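Editor's note on reading the oops above. The decoded RIP line attributes the fault to include/linux/list.h via include/net/sock.h, and the disassembly shows the classic hlist unlink sequence: `mov 0x2f8(%rbx),%r12` loads `node->next`, `mov 0x300(%rbx),%r13` loads `node->pprev`, and the trapping `mov %r12,0x0(%r13)` is the store `*pprev = next`. The register dump has R13 (pprev) equal to zero, which is precisely the state of an hlist node that was never linked into any bucket (`hlist_unhashed()` in the kernel is just `!h->pprev`). The call trace reaches this from `tcp_v4_connect()` in a `wget` process, i.e. a `connect()` on a socket that was not `bind()`ed first. The toy model below is an added example written for this page, not the kernel's code or the patch under test: it re-implements the hlist primitives in user space with the same field layout, shows why unlinking an unhashed node is a NULL write, and shows the `hlist_unhashed()` guard that avoids it. The `toy_*` names, the bucket function and the `bind2_node` field are illustrative assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not kernel code. Field order mirrors struct hlist_node in
 * include/linux/list.h (next first, then pprev), so the loads below line up
 * with the 0x2f8/0x300 offsets in the report's disassembly.
 */
struct hlist_node { struct hlist_node *next; struct hlist_node **pprev; };
struct hlist_head { struct hlist_node *first; };

static void hlist_node_init(struct hlist_node *n) { n->next = NULL; n->pprev = NULL; }

/* The kernel's hlist_unhashed() is exactly this test on pprev. */
static int hlist_unhashed(const struct hlist_node *n) { return n->pprev == NULL; }

static void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
    struct hlist_node *first = h->first;
    n->next = first;
    if (first)
        first->pprev = &n->next;
    h->first = n;
    n->pprev = &h->first;
}

/*
 * Same three steps as the trapping sequence in the report: load next
 * (r12 <- 0x2f8(%rbx)), load pprev (r13 <- 0x300(%rbx)), then store next
 * through pprev ("mov %r12,0x0(%r13)"). With pprev == NULL, as in the
 * register dump (R13: 0000000000000000), that store is the NULL deref.
 */
static void __hlist_del(struct hlist_node *n)
{
    struct hlist_node *next = n->next;
    struct hlist_node **pprev = n->pprev;
    *pprev = next;
    if (next)
        next->pprev = pprev;
}

/* Hypothetical stand-in for the socket fields a port+address bucket chains through. */
struct toy_sock {
    uint32_t saddr;
    uint16_t port;
    struct hlist_node bind2_node;   /* assumed name; plays the role of the bhash2 link */
};

#define NBUCKETS 4
static struct hlist_head bhash2[NBUCKETS];   /* toy port+address hash table */

static unsigned bucket_of(uint32_t saddr, uint16_t port)
{
    return (saddr + port) % NBUCKETS;        /* toy hash, not the kernel's */
}

void toy_sock_init(struct toy_sock *sk, uint32_t saddr, uint16_t port)
{
    sk->saddr = saddr;
    sk->port = port;
    hlist_node_init(&sk->bind2_node);        /* pprev == NULL until bound */
}

/* bind(): link the socket into the bucket for its (saddr, port). */
void toy_bind(struct toy_sock *sk)
{
    hlist_add_head(&sk->bind2_node, &bhash2[bucket_of(sk->saddr, sk->port)]);
}

/*
 * Re-bucket a socket under a new source address, the operation connect()
 * needs once the source address is chosen. Returns 0 on success, -1 if the
 * socket was never hashed; without the guard, __hlist_del() would write
 * through the NULL pprev exactly as in the oops.
 */
int toy_bhash2_update_saddr(struct toy_sock *sk, uint32_t new_saddr)
{
    if (hlist_unhashed(&sk->bind2_node))
        return -1;
    __hlist_del(&sk->bind2_node);
    sk->saddr = new_saddr;
    hlist_add_head(&sk->bind2_node, &bhash2[bucket_of(new_saddr, sk->port)]);
    return 0;
}

int toy_bucket_len(unsigned idx)
{
    int len = 0;
    for (struct hlist_node *n = bhash2[idx].first; n; n = n->next)
        len++;
    return len;
}

int main(void)
{
    struct toy_sock bound, unbound;
    int rc;

    toy_sock_init(&bound, 1, 80);
    toy_bind(&bound);                        /* lands in bucket (1+80)%4 == 1 */
    rc = toy_bhash2_update_saddr(&bound, 2); /* moves to bucket (2+80)%4 == 2 */
    printf("bound socket: rc=%d bucket1=%d bucket2=%d\n", rc, toy_bucket_len(1), toy_bucket_len(2));

    toy_sock_init(&unbound, 0, 80);          /* connect() without bind(): never hashed */
    rc = toy_bhash2_update_saddr(&unbound, 2);
    printf("unbound socket: rc=%d (unguarded unlink would write through NULL pprev)\n", rc);
    return 0;
}
```

The point to take from the model is that `hlist_del()` is only safe on a node that is currently linked; a re-bucketing path reached from `connect()` has to either check `hlist_unhashed()` or guarantee the socket was inserted into the new table before that path runs. Which of those the final patch series chose is for the authors to decide; this example only shows the mechanism behind the trap.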
