Greeting,
FYI, we noticed the following commit (built with gcc-9):
commit: 764f4eb6846f5475f1244767d24d25dd86528a4a ("llc: fix netdevice reference leaks in llc_ui_bind()")
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git master
in testcase: trinity
version: trinity-static-x86_64-x86_64-1c734c75-1_2020-01-06
with the following parameters:
runtime: 300s
test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):
If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <[email protected]>
[ 75.521971][ T1314] WARNING: The mand mount option has been deprecated and
[ 75.521971][ T1314] and is ignored by this kernel. Remove the mand
[ 75.521971][ T1314] option from the mount to silence this warning.
[ 75.521971][ T1314] =======================================================
[ 78.959259][ T1387] can: request_module (can-proto-2) failed.
[ 80.594912][ T1423] can: request_module (can-proto-1) failed.
[ 81.345613][ T1436] futex_wake_op: trinity-c2 tries to shift op by -1703; fix this program
[ 85.385564][ T1544] can: request_module (can-proto-1) failed.
[ 89.567017][ T1623] general protection fault, probably for non-canonical address 0xdffffc000000001b: 0000 [#1] KASAN
[ 89.569460][ T1623] KASAN: null-ptr-deref in range [0x00000000000000d8-0x00000000000000df]
[ 89.571360][ T1623] CPU: 0 PID: 1623 Comm: trinity-c1 Not tainted 5.17.0-rc8-02809-g764f4eb6846f #1
[ 89.573563][ T1623] RIP: 0010:llc_ui_sendmsg (net/llc/af_llc.c:947)
[ 89.574622][ T1623] Code: 80 3c 02 00 0f 85 98 0c 00 00 49 8b 84 24 38 05 00 00 48 ba 00 00 00 00 00 fc ff df 48 8d b8 de 00 00 00 48 89 f9 48 c1 e9 03 <0f> b6 0c 11 48 89 fa 83 e2 07 ff c2 38 ca 7c 08 84 c9 0f 85 e5 05
All code
========
0: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
4: 0f 85 98 0c 00 00 jne 0xca2
a: 49 8b 84 24 38 05 00 mov 0x538(%r12),%rax
11: 00
12: 48 ba 00 00 00 00 00 movabs $0xdffffc0000000000,%rdx
19: fc ff df
1c: 48 8d b8 de 00 00 00 lea 0xde(%rax),%rdi
23: 48 89 f9 mov %rdi,%rcx
26: 48 c1 e9 03 shr $0x3,%rcx
2a:* 0f b6 0c 11 movzbl (%rcx,%rdx,1),%ecx <-- trapping instruction
2e: 48 89 fa mov %rdi,%rdx
31: 83 e2 07 and $0x7,%edx
34: ff c2 inc %edx
36: 38 ca cmp %cl,%dl
38: 7c 08 jl 0x42
3a: 84 c9 test %cl,%cl
3c: 0f .byte 0xf
3d: 85 e5 test %esp,%ebp
3f: 05 .byte 0x5
Code starting with the faulting instruction
===========================================
0: 0f b6 0c 11 movzbl (%rcx,%rdx,1),%ecx
4: 48 89 fa mov %rdi,%rdx
7: 83 e2 07 and $0x7,%edx
a: ff c2 inc %edx
c: 38 ca cmp %cl,%dl
e: 7c 08 jl 0x18
10: 84 c9 test %cl,%cl
12: 0f .byte 0xf
13: 85 e5 test %esp,%ebp
15: 05 .byte 0x5
[ 89.574622][ T1623] RSP: 0018:ffffc900001efa68 EFLAGS: 00010207
[ 89.574622][ T1623] RAX: 0000000000000000 RBX: ffffc900001efe60 RCX: 000000000000001b
[ 89.574622][ T1623] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: 00000000000000de
[ 89.574622][ T1623] RBP: ffffc900001efb60 R08: 1ffff11021ffca07 R09: ffffed1021ffca08
[ 89.574622][ T1623] R10: ffff88810ffe5538 R11: ffffed1021ffca07 R12: ffff88810ffe5000
[ 89.574622][ T1623] R13: ffffc900001efd40 R14: ffff8881409ac5c0 R15: ffffc900001efb38
[ 89.574622][ T1623] FS: 000000000109a880(0000) GS:ffffffff83ee6000(0000) knlGS:0000000000000000
[ 89.574622][ T1623] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 89.574622][ T1623] CR2: 00007f03db89f7fc CR3: 0000000126691000 CR4: 00000000000406f0
[ 89.574622][ T1623] Call Trace:
[ 89.574622][ T1623] <TASK>
[ 89.574622][ T1623] ? lock_downgrade (kernel/locking/lockdep.c:5647)
[ 89.574622][ T1623] ? llc_ui_autobind (net/llc/af_llc.c:919)
[ 89.574622][ T1623] ? __might_sleep (kernel/sched/core.c:9515 (discriminator 14))
[ 89.574622][ T1623] ? __kasan_check_write (mm/kasan/shadow.c:38)
[ 89.574622][ T1623] ? llc_ui_autobind (net/llc/af_llc.c:919)
[ 89.574622][ T1623] ____sys_sendmsg (net/socket.c:708 net/socket.c:725 net/socket.c:2413)
[ 89.574622][ T1623] ? sock_write_iter (net/socket.c:2360)
[ 89.574622][ T1623] ? pvclock_clocksource_read (arch/x86/include/asm/atomic64_64.h:184 include/linux/atomic/atomic-instrumented.h:1123 arch/x86/kernel/pvclock.c:107)
[ 89.574622][ T1623] ? __lock_acquire (kernel/locking/lockdep.c:5027)
[ 89.574622][ T1623] ___sys_sendmsg (net/socket.c:2469)
[ 89.574622][ T1623] ? __kasan_check_write (mm/kasan/shadow.c:38)
[ 89.574622][ T1623] ? sendmsg_copy_msghdr (net/socket.c:2456)
[ 89.574622][ T1623] ? check_prev_add (kernel/locking/lockdep.c:3757)
[ 89.574622][ T1623] ? __kasan_check_write (mm/kasan/shadow.c:38)
[ 89.574622][ T1623] ? pvclock_clocksource_read (arch/x86/include/asm/atomic64_64.h:184 include/linux/atomic/atomic-instrumented.h:1123 arch/x86/kernel/pvclock.c:107)
[ 89.574622][ T1623] ? __fdget (fs/file.c:1018)
[ 89.574622][ T1623] ? sockfd_lookup_light (net/socket.c:551)
[ 89.574622][ T1623] __sys_sendmsg (include/linux/file.h:32 net/socket.c:2498)
[ 89.574622][ T1623] ? __sys_sendmsg_sock (net/socket.c:2484)
[ 89.574622][ T1623] ? rapl_pmu_event_stop (arch/x86/events/rapl.c:300)
[ 89.574622][ T1623] ? syscall_enter_from_user_mode (arch/x86/include/asm/irqflags.h:45 arch/x86/include/asm/irqflags.h:80 kernel/entry/common.c:107)
[ 89.574622][ T1623] __x64_sys_sendmsg (net/socket.c:2503)
[ 89.574622][ T1623] ? syscall_enter_from_user_mode (arch/x86/include/asm/irqflags.h:45 arch/x86/include/asm/irqflags.h:80 kernel/entry/common.c:107)
[ 89.574622][ T1623] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
[ 89.574622][ T1623] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113)
[ 89.574622][ T1623] RIP: 0033:0x463519
[ 89.574622][ T1623] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 59 00 00 c3 66 2e 0f 1f 84 00 00 00 00
All code
========
0: 00 f3 add %dh,%bl
2: c3 retq
3: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
a: 00 00 00
d: 0f 1f 40 00 nopl 0x0(%rax)
11: 48 89 f8 mov %rdi,%rax
14: 48 89 f7 mov %rsi,%rdi
17: 48 89 d6 mov %rdx,%rsi
1a: 48 89 ca mov %rcx,%rdx
1d: 4d 89 c2 mov %r8,%r10
20: 4d 89 c8 mov %r9,%r8
23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 0f 83 db 59 00 00 jae 0x5a11
36: c3 retq
37: 66 data16
38: 2e cs
39: 0f .byte 0xf
3a: 1f (bad)
3b: 84 00 test %al,(%rax)
3d: 00 00 add %al,(%rax)
...
Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 0f 83 db 59 00 00 jae 0x59e7
c: c3 retq
d: 66 data16
e: 2e cs
f: 0f .byte 0xf
10: 1f (bad)
11: 84 00 test %al,(%rax)
13: 00 00 add %al,(%rax)
To reproduce:
# build kernel
cd linux
cp config-5.17.0-rc8-02809-g764f4eb6846f .config
make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
cd <mod-install-dir>
find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email
# if you come across any failure that blocks the test,
# please remove ~/.lkp and /lkp dir to run from a clean state.
--
0-DAY CI Kernel Test Service
https://01.org/lkp
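The "general protection fault ... for non-canonical address 0xdffffc000000001b" and the "KASAN: null-ptr-deref in range [0xd8-0xdf]" lines above are two views of one event: the trapping instruction is the KASAN shadow check (movabs $0xdffffc0000000000, shr $0x3, movzbl), and the address it faulted on is the shadow address of the pointer being checked, not the pointer itself. The program below is an added worked example, not part of the 0-day report or of the kernel, that reverses that mapping in user space the way the kernel does when it prints the KASAN range, and then cross-checks the decoded range against the registers (RAX=0 loaded from 0x538(%r12), then lea 0xde(%rax), so the access address is 0xde). The shadow offset and scale come from the disassembly; the PAGE_SIZE, 4-level-paging TASK_SIZE_MAX and shadow-region bounds are assumed x86_64 defaults.

```c
/*
 * kasan_gpf_decode.c: added worked example, not the 0-day report's or the
 * kernel's own code.  Recovers the checked access range from the address of a
 * KASAN-instrumented general protection fault.
 *
 * Generic KASAN maps each 8-byte granule of kernel memory to one shadow byte at
 * (addr >> 3) + KASAN_SHADOW_OFFSET.  For a NULL-based pointer that shadow
 * address is non-canonical on x86_64, so the CPU raises #GP (not a page fault)
 * and reports the shadow address; the kernel then decodes it back as below.
 *
 * Assumed constants (x86_64 defaults, not taken from the report): PAGE_SIZE
 * 4096, 4-level paging (47-bit user space), shadow scale shift 3.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL   /* movabs in the report */
#define KASAN_SHADOW_SCALE_SHIFT 3                       /* shr $0x3 in the report */
#define KASAN_GRANULE_SIZE       (1ULL << KASAN_SHADOW_SCALE_SHIFT)
#define KASAN_SHADOW_END         (KASAN_SHADOW_OFFSET + (~0ULL >> KASAN_SHADOW_SCALE_SHIFT))
#define PAGE_SIZE_X86            4096ULL
#define TASK_SIZE_MAX_X86        ((1ULL << 47) - PAGE_SIZE_X86)   /* assumed: 4-level paging */

struct kasan_fault {
	bool in_shadow;     /* false: the #GP address is not a shadow address at all */
	uint64_t start;     /* first byte of the 8-byte granule whose shadow was read */
	uint64_t end;       /* last byte of that granule */
	const char *kind;   /* classification, using the wording the kernel prints */
};

/* Invert the shadow mapping: orig = (shadow - offset) << scale_shift. */
struct kasan_fault kasan_decode_gpf_addr(uint64_t gpf_addr)
{
	struct kasan_fault f = { false, 0, 0, "not-a-shadow-address" };

	if (gpf_addr < KASAN_SHADOW_OFFSET || gpf_addr > KASAN_SHADOW_END)
		return f;

	f.in_shadow = true;
	f.start = (gpf_addr - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
	f.end = f.start + KASAN_GRANULE_SIZE - 1;

	/* A decoded address below PAGE_SIZE is a NULL-based dereference; below
	 * TASK_SIZE_MAX it is most likely a user pointer; anything higher decodes
	 * from a huge non-canonical range and is only "maybe" a shadow access. */
	if (f.start < PAGE_SIZE_X86)
		f.kind = "null-ptr-deref";
	else if (f.start < TASK_SIZE_MAX_X86)
		f.kind = "probably user-memory-access";
	else
		f.kind = "maybe wild-memory-access";
	return f;
}

/* Cross-check: does the access address reconstructed from the registers fall
 * inside the decoded granule?  In the report the base pointer was 0 (RAX) and
 * the displacement 0xde (lea 0xde(%rax) -> RDI=0xde). */
bool kasan_addr_in_granule(const struct kasan_fault *f, uint64_t access_addr)
{
	return f->in_shadow && access_addr >= f->start && access_addr <= f->end;
}

int main(void)
{
	/* Values taken from the report: the #GP address and the RAX/RDI pair. */
	const uint64_t gpf_addr = 0xdffffc000000001bULL;
	const uint64_t base = 0x0, disp = 0xde;
	struct kasan_fault f = kasan_decode_gpf_addr(gpf_addr);

	printf("KASAN: %s in range [0x%016llx-0x%016llx]\n", f.kind,
	       (unsigned long long)f.start, (unsigned long long)f.end);
	printf("access 0x%llx (base 0x%llx + 0x%llx) %s the faulting granule\n",
	       (unsigned long long)(base + disp), (unsigned long long)base,
	       (unsigned long long)disp,
	       kasan_addr_in_granule(&f, base + disp) ? "is inside" : "is NOT inside");
	return 0;
}
```

Compile with `gcc -Wall -o kasan_gpf_decode kasan_gpf_decode.c`. The takeaway for triage: when a KASAN build reports a #GP on an address beginning 0xdffffc..., decode it before reading the registers; the 8-byte range it yields ([0xd8-0xdf] here) combined with the base register (RAX=0) tells you the dereferenced pointer was NULL and the field offset was within that range, which is what the "null-ptr-deref" classification means.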