Thread: 19 messages, 5 authors, 2020-09-15

[mm] 2037ab69a5: BUG:KASAN:null-ptr-deref_in_t

From: kernel test robot <hidden>
Date: 2020-09-14 08:56:41
Also in: intel-gfx, linux-mm, oe-lkp

Greetings,

FYI, we noticed the following commit (built with gcc-9):

commit: 2037ab69a5cd8afe58347135010f6160ea368dd0 ("mm: Convert find_get_entry to return the head page")
url: https://github.com/0day-ci/linux/commits/Matthew-Wilcox-Oracle/Return-head-pages-from-find_-_entry/20200911-023452


in testcase: trinity
version: trinity-x86_64-af355e9-1_2019-12-03
with the following parameters:

	runtime: 300s

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):


+----------------------------------------------------------------------------+------------+------------+
|                                                                            | a27ee9830b | 2037ab69a5 |
+----------------------------------------------------------------------------+------------+------------+
| boot_successes                                                             | 4          | 2          |
| boot_failures                                                              | 0          | 8          |
| Kernel_panic-not_syncing:VFS:Unable_to_mount_root_fs_on_unknown-block(#,#) | 0          | 2          |
| BUG:KASAN:null-ptr-deref_in_t                                              | 0          | 6          |
| BUG:kernel_NULL_pointer_dereference,address                                | 0          | 6          |
| Oops:#[##]                                                                 | 0          | 6          |
| RIP:test_bit                                                               | 0          | 6          |
| Kernel_panic-not_syncing:Fatal_exception                                   | 0          | 6          |
+----------------------------------------------------------------------------+------------+------------+


If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <redacted>


[  162.744647] BUG: KASAN: null-ptr-deref in test_bit+0x23/0x2e
[  162.745610] Read of size 8 at addr 0000000000000000 by task trinity-c1/1847
[  162.746669] 
[  162.746984] CPU: 0 PID: 1847 Comm: trinity-c1 Not tainted 5.9.0-rc4-next-20200910-00006-g2037ab69a5cd8a #1
[  162.748495] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[  162.749850] Call Trace:
[  162.750377]  kasan_report+0x154/0x170
[  162.751068]  ? test_bit+0x23/0x2e
[  162.751706]  check_memory_region+0x13d/0x145
[  162.752528]  test_bit+0x23/0x2e
[  162.753128]  PageHuge+0x16/0x7c
[  162.753748]  find_get_incore_page+0x29/0xd3
[  162.754631]  __mincore_unmapped_range+0x169/0x210
[  162.755548]  mincore_unmapped_range+0x6d/0x9d
[  162.756379]  walk_pgd_range+0x736/0xa8b
[  162.757156]  __walk_page_range+0xd8/0x3f9
[  162.757935]  walk_page_range+0x178/0x205
[  162.758710]  ? __walk_page_range+0x3f9/0x3f9
[  162.759569]  ? hlock_class+0x3b/0xf2
[  162.760303]  __do_sys_mincore+0x3a5/0x459
[  162.761161]  do_syscall_64+0x2e/0x68
[  162.761861]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  162.762903] RIP: 0033:0x7f923a75f1c9
[  162.763621] Code: 01 00 48 81 c4 80 00 00 00 e9 f1 fe ff ff 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 97 dc 2c 00 f7 d8 64 89 01 48
[  162.766849] RSP: 002b:00007ffc8082ed18 EFLAGS: 00000246 ORIG_RAX: 000000000000001b
[  162.768139] RAX: ffffffffffffffda RBX: 000000000000001b RCX: 00007f923a75f1c9
[  162.769213] RDX: 00007f92371ff010 RSI: 00000000000cc000 RDI: 00007f9238b47000
[  162.770389] RBP: 00007f923ae44000 R08: 0000000000000041 R09: fffffffff8000000
[  162.771458] R10: 00006407736b759e R11: 0000000000000246 R12: 00007f923ae44058
[  162.772600] R13: 00007f923ae526b0 R14: 0000000000000000 R15: 00007f923ae44000
[  162.773757] ==================================================================
[  162.774941] Disabling lock debugging due to kernel taint
[  162.775936] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  162.777007] #PF: supervisor read access in kernel mode
[  162.777862] #PF: error_code(0x0000) - not-present page
[  162.778635] PGD 1d6103067 P4D 1d6103067 PUD 1c687e067 PMD 0 
[  162.779570] Oops: 0000 [#1] KASAN
[  162.780129] CPU: 0 PID: 1847 Comm: trinity-c1 Tainted: G    B             5.9.0-rc4-next-20200910-00006-g2037ab69a5cd8a #1
[  162.781812] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[  162.783297] RIP: 0010:test_bit+0x23/0x2e
[  162.784043] Code: 00 8b 43 34 5b 5d c3 48 89 f8 b9 40 00 00 00 55 48 89 f5 48 99 53 48 89 fb 48 f7 f9 48 8d 3c c6 be 08 00 00 00 e8 3d 6b 01 00 <48> 0f a3 5d 00 0f 92 c0 5b 5d c3 53 48 89 fe 48 89 fb bf 10 00 00
[  162.787441] RSP: 0018:ffff88818d587bd0 EFLAGS: 00010286
[  162.788425] RAX: 00000000b4610a00 RBX: 0000000000000010 RCX: ffffffff8c246fc2
[  162.789733] RDX: fffffbfff1e79c96 RSI: 0000000000000000 RDI: ffffffff8d8a2f7b
[  162.791090] RBP: 0000000000000000 R08: fffffbfff1e79c96 R09: 0000000000000000
[  162.792423] R10: fffffbfff1e79c96 R11: ffffffff8f3ce4ab R12: 0000000000000000
[  162.793745] R13: ffff8881f0c076b0 R14: ffff888180f88001 R15: 0000000000000000
[  162.795078] FS:  00007f923ae52740(0000) GS:ffffffff8e8cd000(0000) knlGS:0000000000000000
[  162.796303] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  162.797250] CR2: 0000000000000000 CR3: 000000018f354000 CR4: 00000000000406f0
[  162.798357] DR0: 00007f923ad2e000 DR1: 00007f9238747000 DR2: 0000000000000000
[  162.799515] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
[  162.800595] Call Trace:
[  162.801031]  PageHuge+0x16/0x7c
[  162.801562]  find_get_incore_page+0x29/0xd3
[  162.802205]  __mincore_unmapped_range+0x169/0x210
[  162.807040]  mincore_unmapped_range+0x6d/0x9d
[  162.807705]  walk_pgd_range+0x736/0xa8b
[  162.808293]  __walk_page_range+0xd8/0x3f9
[  162.808906]  walk_page_range+0x178/0x205
[  162.809496]  ? __walk_page_range+0x3f9/0x3f9
[  162.810161]  ? hlock_class+0x3b/0xf2
[  162.810760]  __do_sys_mincore+0x3a5/0x459
[  162.811460]  do_syscall_64+0x2e/0x68
[  162.812052]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  162.812881] RIP: 0033:0x7f923a75f1c9
[  162.813503] Code: 01 00 48 81 c4 80 00 00 00 e9 f1 fe ff ff 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 97 dc 2c 00 f7 d8 64 89 01 48
[  162.816544] RSP: 002b:00007ffc8082ed18 EFLAGS: 00000246 ORIG_RAX: 000000000000001b
[  162.817626] RAX: ffffffffffffffda RBX: 000000000000001b RCX: 00007f923a75f1c9
[  162.818676] RDX: 00007f92371ff010 RSI: 00000000000cc000 RDI: 00007f9238b47000
[  162.819837] RBP: 00007f923ae44000 R08: 0000000000000041 R09: fffffffff8000000
[  162.820990] R10: 00006407736b759e R11: 0000000000000246 R12: 00007f923ae44058
[  162.822105] R13: 00007f923ae526b0 R14: 0000000000000000 R15: 00007f923ae44000
[  162.823282] Modules linked in:
[  162.823839] CR2: 0000000000000000
[  162.824521] ---[ end trace 2d46de9c846249c1 ]---


To reproduce:

        # build kernel
        cd linux
        cp config-5.9.0-rc4-next-20200910-00006-g2037ab69a5cd8a .config
        make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage

        # run the job under qemu with the lkp-tests harness
        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> job-script # job-script is attached in this email



Thanks,
lkp
