Open Source and information security mailing list archives
Date:   Mon, 18 Jul 2022 14:31:09 -0700
From:   Joanne Koong <joannelkoong@...il.com>
To:     kernel test robot <oliver.sang@...el.com>
Cc:     0day robot <lkp@...el.com>, LKML <linux-kernel@...r.kernel.org>,
        netdev <netdev@...r.kernel.org>, dccp@...r.kernel.org,
        lkp@...ts.01.org, Eric Dumazet <edumazet@...gle.com>,
        Martin KaFai Lau <kafai@...com>,
        Jakub Kicinski <kuba@...nel.org>,
        David Miller <davem@...emloft.net>,
        Paolo Abeni <pabeni@...hat.com>
Subject: Re: [net] 2e20fc25bc: BUG:kernel_NULL_pointer_dereference,address

On Sat, Jul 16, 2022 at 7:20 AM kernel test robot <oliver.sang@...el.com> wrote:
>
>
>
> Greeting,
>
> FYI, we noticed the following commit (built with gcc-11):
>
> commit: 2e20fc25bca52fbc786bbae312df56514c10798d ("[PATCH net-next v2 1/3] net: Add a bhash2 table hashed by port + address")
> url: https://github.com/intel-lab-lkp/linux/commits/Joanne-Koong/Add-a-second-bind-table-hashed-by-port-address/20220713-075808
> base: https://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git 5022e221c98a609e0e5b0a73852c7e3d32f1c545
> patch link: https://lore.kernel.org/netdev/20220712235310.1935121-2-joannelkoong@gmail.com
>
> in testcase: boot
>
> on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
>
> caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
>
>
> +-------------------------------------------------------+------------+------------+
> |                                                       | 5022e221c9 | 2e20fc25bc |
> +-------------------------------------------------------+------------+------------+
> | boot_successes                                        | 8          | 0          |
> | boot_failures                                         | 0          | 12         |
> | BUG:kernel_NULL_pointer_dereference,address           | 0          | 12         |
> | Oops:#[##]                                            | 0          | 12         |
> | RIP:inet_bhash2_update_saddr                          | 0          | 12         |
> | Kernel_panic-not_syncing:Fatal_exception_in_interrupt | 0          | 12         |
> +-------------------------------------------------------+------------+------------+
>
>
> If you fix the issue, kindly add following tag
> Reported-by: kernel test robot <oliver.sang@...el.com>
>
I will fix this issue in the next iteration of the patch (if the
previous address was never added to the bhash2 table, then we don't
need to compute the hash for it and remove it from the table). Thanks
for reporting.
>
> [  247.022450][  T328] BUG: kernel NULL pointer dereference, address: 0000000000000000
> [  247.024448][  T328] #PF: supervisor write access in kernel mode
> [  247.026159][  T328] #PF: error_code(0x0002) - not-present page
> [  247.027743][  T328] PGD 800000014b28a067 P4D 800000014b28a067 PUD 14b289067 PMD 0
> [  247.029705][  T328] Oops: 0002 [#1] SMP PTI
> [  247.030900][  T328] CPU: 1 PID: 328 Comm: wget Not tainted 5.19.0-rc5-01130-g2e20fc25bca5 #1
> [  247.033223][  T328] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
> [ 247.035984][ T328] RIP: 0010:inet_bhash2_update_saddr (include/linux/list.h:884 include/net/sock.h:824 net/ipv4/inet_hashtables.c:872)
> [ 247.037623][ T328] Code: 48 8d 83 00 03 00 00 4c 8b a3 f8 02 00 00 48 89 c7 48 89 44 24 28 e8 10 79 01 ff 4c 8b ab 00 03 00 00 4c 89 ef e8 f1 87 01 ff <4d> 89 65 00 4d 85 e4 74 14 e8 93 2b ed fe 49 8d 7c 24 08 e8 d9 87
> All code
> ========
>    0:   48 8d 83 00 03 00 00    lea    0x300(%rbx),%rax
>    7:   4c 8b a3 f8 02 00 00    mov    0x2f8(%rbx),%r12
>    e:   48 89 c7                mov    %rax,%rdi
>   11:   48 89 44 24 28          mov    %rax,0x28(%rsp)
>   16:   e8 10 79 01 ff          callq  0xffffffffff01792b
>   1b:   4c 8b ab 00 03 00 00    mov    0x300(%rbx),%r13
>   22:   4c 89 ef                mov    %r13,%rdi
>   25:   e8 f1 87 01 ff          callq  0xffffffffff01881b
>   2a:*  4d 89 65 00             mov    %r12,0x0(%r13)           <-- trapping instruction
>   2e:   4d 85 e4                test   %r12,%r12
>   31:   74 14                   je     0x47
>   33:   e8 93 2b ed fe          callq  0xfffffffffeed2bcb
>   38:   49 8d 7c 24 08          lea    0x8(%r12),%rdi
>   3d:   e8                      .byte 0xe8
>   3e:   d9                      .byte 0xd9
>   3f:   87                      .byte 0x87
>
> Code starting with the faulting instruction
> ===========================================
>    0:   4d 89 65 00             mov    %r12,0x0(%r13)
>    4:   4d 85 e4                test   %r12,%r12
>    7:   74 14                   je     0x1d
>    9:   e8 93 2b ed fe          callq  0xfffffffffeed2ba1
>    e:   49 8d 7c 24 08          lea    0x8(%r12),%rdi
>   13:   e8                      .byte 0xe8
>   14:   d9                      .byte 0xd9
>   15:   87                      .byte 0x87
> [  247.062693][  T328] RSP: 0018:ffffc90000ae7bd8 EFLAGS: 00010246
> [  247.064435][  T328] RAX: ffff88811673c3e0 RBX: ffff8881168e4600 RCX: ffffffff823fb28f
> [  247.066525][  T328] RDX: 0000000000000a28 RSI: 0001ffffffffffff RDI: 0000000000000000
> [  247.068479][  T328] RBP: ffffc90000ae7c60 R08: ffffffff8477ff18 R09: 0000000000000000
> [  247.070484][  T328] R10: 0000000000000005 R11: 0000000000000000 R12: 0000000000000000
> [  247.072457][  T328] R13: 0000000000000000 R14: ffffffff84cefd40 R15: ffffffff84cf29c0
> [  247.074463][  T328] FS:  00007f38cc1a6700(0000) GS:ffff88842fd00000(0000) knlGS:0000000000000000
> [  247.076798][  T328] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  247.080161][  T328] CR2: 0000000000000000 CR3: 0000000116a32000 CR4: 00000000000006e0
> [  247.082224][  T328] Call Trace:
> [  247.083152][  T328]  <TASK>
> [ 247.083906][ T328] ? write_comp_data (kernel/kcov.c:229)
> [ 247.085183][ T328] tcp_v4_connect (net/ipv4/tcp_ipv4.c:261)
> [ 247.086542][ T328] __inet_stream_connect (net/ipv4/af_inet.c:661)
> [ 247.088103][ T328] ? write_comp_data (kernel/kcov.c:229)
> [ 247.089429][ T328] inet_stream_connect (net/ipv4/af_inet.c:725)
> [ 247.090707][ T328] ? __inet_stream_connect (net/ipv4/af_inet.c:720)
> [ 247.092104][ T328] __sys_connect_file (net/socket.c:1976)
> [ 247.093453][ T328] __sys_connect (net/socket.c:1993)
> [ 247.094902][ T328] ? write_comp_data (kernel/kcov.c:229)
> [ 247.096382][ T328] ? __x64_sys_alarm (kernel/time/itimer.c:306)
> [ 247.097825][ T328] __x64_sys_connect (net/socket.c:2000)
> [ 247.115487][ T328] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
> [ 247.116792][ T328] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:115)
> [  247.118477][  T328] RIP: 0033:0x7f38cb2662e0
> [ 247.119521][ T328] Code: 00 31 d2 48 29 c2 64 89 11 48 83 c8 ff eb ea 90 90 90 90 90 90 90 90 90 90 90 83 3d fd 8e 2c 00 00 75 10 b8 2a 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 fe ce 00 00 48 89 04 24
> All code
> ========
>    0:   00 31                   add    %dh,(%rcx)
>    2:   d2 48 29                rorb   %cl,0x29(%rax)
>    5:   c2 64 89                retq   $0x8964
>    8:   11 48 83                adc    %ecx,-0x7d(%rax)
>    b:   c8 ff eb ea             enterq $0xebff,$0xea
>    f:   90                      nop
>   10:   90                      nop
>   11:   90                      nop
>   12:   90                      nop
>   13:   90                      nop
>   14:   90                      nop
>   15:   90                      nop
>   16:   90                      nop
>   17:   90                      nop
>   18:   90                      nop
>   19:   90                      nop
>   1a:   83 3d fd 8e 2c 00 00    cmpl   $0x0,0x2c8efd(%rip)        # 0x2c8f1e
>   21:   75 10                   jne    0x33
>   23:   b8 2a 00 00 00          mov    $0x2a,%eax
>   28:   0f 05                   syscall
>   2a:*  48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax         <-- trapping instruction
>   30:   73 31                   jae    0x63
>   32:   c3                      retq
>   33:   48 83 ec 08             sub    $0x8,%rsp
>   37:   e8 fe ce 00 00          callq  0xcf3a
>   3c:   48 89 04 24             mov    %rax,(%rsp)
>
> Code starting with the faulting instruction
> ===========================================
>    0:   48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax
>    6:   73 31                   jae    0x39
>    8:   c3                      retq
>    9:   48 83 ec 08             sub    $0x8,%rsp
>    d:   e8 fe ce 00 00          callq  0xcf10
>   12:   48 89 04 24             mov    %rax,(%rsp)
> [  247.124379][  T328] RSP: 002b:00007fffffe84038 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
> [  247.126935][  T328] RAX: ffffffffffffffda RBX: 00007fffffe840d0 RCX: 00007f38cb2662e0
> [  247.128978][  T328] RDX: 0000000000000010 RSI: 00007fffffe840f0 RDI: 0000000000000004
> [  247.131142][  T328] RBP: 0000000000000004 R08: 00007fffffe83fa0 R09: 0000000000000001
> [  247.133075][  T328] R10: 00007fffffe83dd0 R11: 0000000000000246 R12: 0000000000000050
> [  247.135155][  T328] R13: 000000000065ade0 R14: 0000000001549a70 R15: 000000000000002a
> [  247.137196][  T328]  </TASK>
> [  247.142192][  T328] Modules linked in: bochs drm_vram_helper drm_ttm_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt ppdev fb_sys_fops sr_mod drm joydev i2c_piix4 cdrom parport_pc parport
> [  247.147469][  T328] CR2: 0000000000000000
> [  247.148548][  T328] ---[ end trace 0000000000000000 ]---
> [ 247.186378][ T328] RIP: 0010:inet_bhash2_update_saddr (include/linux/list.h:884 include/net/sock.h:824 net/ipv4/inet_hashtables.c:872)
> [ 247.218516][ T328] Code: 48 8d 83 00 03 00 00 4c 8b a3 f8 02 00 00 48 89 c7 48 89 44 24 28 e8 10 79 01 ff 4c 8b ab 00 03 00 00 4c 89 ef e8 f1 87 01 ff <4d> 89 65 00 4d 85 e4 74 14 e8 93 2b ed fe 49 8d 7c 24 08 e8 d9 87
>
>
> To reproduce:
>
>         # build kernel
>         cd linux
>         cp config-5.19.0-rc5-01130-g2e20fc25bca5 .config
>         make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
>         make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
>         cd <mod-install-dir>
>         find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz
>
>
>         git clone https://github.com/intel/lkp-tests.git
>         cd lkp-tests
>         bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email
>
>         # if come across any failure that blocks the test,
>         # please remove ~/.lkp and /lkp dir to run from a clean state.
>
>
>
> --
> 0-DAY CI Kernel Test Service
> https://01.org/lkp
>
>
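The oops above traps on `mov %r12,0x0(%r13)` with R13 = 0, and the RIP line places it in include/linux/list.h inlined into include/net/sock.h: that is the first store in `__hlist_del()` going through a NULL `pprev`, which is what an hlist node looks like when it was never added to any bucket. The reply explains the fix in those terms (skip the unlink when the old address was never hashed into bhash2). The example below is added here, not code from the patch or from the kernel: it copies the hlist primitives into userspace and adds a toy two-bucket table so the guarded rehash can be run and checked; `toy_sock`, `toy_update_saddr`, `bucket` and `bhash2` are assumptions, not names from the patch.

```c
#include <stddef.h>
/* Minimal userspace copies of the kernel's hlist primitives (added example, not kernel code). */
struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };

/* A node that was never added keeps pprev == NULL; this is what the kernel's hlist_unhashed() tests. */
static int hlist_unhashed(const struct hlist_node *h) { return h->pprev == NULL; }

static void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
    struct hlist_node *first = h->first;
    n->next = first;
    if (first) first->pprev = &n->next;
    h->first = n;
    n->pprev = &h->first;          /* from now on the node is "hashed" */
}

/* Same shape as __hlist_del(): the first store goes through pprev unconditionally.
 * With pprev == NULL it is the NULL write at the trapping instruction in the oops above. */
static void __hlist_del(struct hlist_node *n)
{
    struct hlist_node *next = n->next, **pprev = n->pprev;
    *pprev = next;                 /* the store that faulted (R13 == 0) */
    if (next) next->pprev = pprev;
}

/* Toy stand-in (assumption) for a socket's bhash2 node and a two-bucket table keyed by saddr. */
struct toy_sock { unsigned saddr; struct hlist_node bind2_node; };
static struct hlist_head bhash2[2];
static struct hlist_head *bucket(unsigned saddr) { return &bhash2[saddr & 1]; }

/* Guarded rehash: unlink the old entry only if it was ever hashed, then add under the new key.
 * Returns 1 if an old entry was removed, 0 if there was none (the unguarded case that oopsed). */
static int toy_update_saddr(struct toy_sock *sk, unsigned new_saddr)
{
    int removed = 0;
    if (!hlist_unhashed(&sk->bind2_node)) { __hlist_del(&sk->bind2_node); removed = 1; }
    sk->saddr = new_saddr;
    hlist_add_head(&sk->bind2_node, bucket(new_saddr));
    return removed;
}

static int bucket_len(unsigned saddr)
{
    int n = 0;
    for (struct hlist_node *p = bucket(saddr)->first; p; p = p->next) n++;
    return n;
}
```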
