2022-05-09 10:15:15

by kernel test robot

Subject: [fork] 753550eb0c: BUG:KASAN:null-ptr-deref_in_task_nr_scan_windows



Greetings,

FYI, we noticed the following commit (built with gcc-11):

commit: 753550eb0ce1fea4b5cbd989f2e06ef80b2feb28 ("fork: Explicitly set PF_KTHREAD")
https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git kthread-cleanups-for-v5.19

in testcase: ltp
version: ltp-x86_64-14c1f76-1_20220507
with following parameters:

test: numa
ucode: 0x42e

test-description: The LTP testsuite contains a collection of tools for testing the Linux kernel and related features.
test-url: http://linux-test-project.github.io/


on test machine: 48 threads 2 sockets Intel(R) Xeon(R) CPU E5-2697 v2 @ 2.70GHz with 112G memory

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):



If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <[email protected]>


[ 9.706334][ C0] BUG: KASAN: null-ptr-deref in task_nr_scan_windows+0x2b/0x140
[ 9.706334][ C0] Read of size 8 at addr 00000000000002d8 by task swapper/0/1
[ 9.706334][ C0]
[ 9.706334][ C0] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.18.0-rc1-00006-g753550eb0ce1 #1
[ 9.706334][ C0] Hardware name: Intel Corporation S2600WP/S2600WP, BIOS SE5C600.86B.02.02.0002.122320131210 12/23/2013
[ 9.706334][ C0] Call Trace:
[ 9.706334][ C0] <IRQ>
[ 9.706334][ C0] ? task_nr_scan_windows+0x2b/0x140
[ 9.706334][ C0] dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
[ 9.706334][ C0] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493)
[ 9.706334][ C0] ? task_nr_scan_windows+0x2b/0x140
[ 9.706334][ C0] kasan_check_range (mm/kasan/generic.c:190)
[ 9.706334][ C0] task_nr_scan_windows+0x2b/0x140
[ 9.706334][ C0] task_scan_start (kernel/sched/fair.c:1132 kernel/sched/fair.c:1138)
[ 9.706334][ C0] task_tick_fair (kernel/sched/fair.c:2932 kernel/sched/fair.c:11216)
[ 9.706334][ C0] ? update_rq_clock (kernel/sched/core.c:739 kernel/sched/core.c:763)
[ 9.706334][ C0] scheduler_tick (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:207 kernel/sched/features.h:99 kernel/sched/core.c:5345)
[ 9.706334][ C0] update_process_times (kernel/time/timer.c:1793)
[ 9.706334][ C0] tick_periodic (kernel/time/tick-common.c:101)
[ 9.706334][ C0] tick_handle_periodic (kernel/time/tick-common.c:120)
[ 9.706334][ C0] __sysvec_apic_timer_interrupt (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:207 arch/x86/include/asm/trace/irq_vectors.h:41 arch/x86/kernel/apic/apic.c:1104)
[ 9.706334][ C0] sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1097 (discriminator 14))
[ 9.706334][ C0] </IRQ>
[ 9.706334][ C0] <TASK>
[ 9.706334][ C0] asm_sysvec_apic_timer_interrupt (arch/x86/include/asm/idtentry.h:645)
[ 9.706334][ C0] RIP: 0010:unwind_next_frame (arch/x86/kernel/unwind_orc.c:634)
[ 9.706334][ C0] Code: df 48 c7 44 15 00 00 00 00 00 48 8b 94 24 b0 00 00 00 65 48 2b 14 25 28 00 00 00 0f 85 43 12 00 00 48 81 c4 b8 00 00 00 5b 5d <41> 5c 41 5d 41 5e 41 5f c3 48 b8 00 00 00 00 00 fc ff df 49 8d 7c
All code
========
0: df 48 c7 fisttps -0x39(%rax)
3: 44 15 00 00 00 00 rex.R adc $0x0,%eax
9: 00 48 8b add %cl,-0x75(%rax)
c: 94 xchg %eax,%esp
d: 24 b0 and $0xb0,%al
f: 00 00 add %al,(%rax)
11: 00 65 48 add %ah,0x48(%rbp)
14: 2b 14 25 28 00 00 00 sub 0x28,%edx
1b: 0f 85 43 12 00 00 jne 0x1264
21: 48 81 c4 b8 00 00 00 add $0xb8,%rsp
28: 5b pop %rbx
29: 5d pop %rbp
2a:* 41 5c pop %r12 <-- trapping instruction
2c: 41 5d pop %r13
2e: 41 5e pop %r14
30: 41 5f pop %r15
32: c3 retq
33: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
3a: fc ff df
3d: 49 rex.WB
3e: 8d .byte 0x8d
3f: 7c .byte 0x7c

Code starting with the faulting instruction
===========================================
0: 41 5c pop %r12
2: 41 5d pop %r13
4: 41 5e pop %r14
6: 41 5f pop %r15
8: c3 retq
9: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
10: fc ff df
13: 49 rex.WB
14: 8d .byte 0x8d
15: 7c .byte 0x7c
[ 9.706334][ C0] RSP: 0000:ffffc90000077398 EFLAGS: 00000286
[ 9.706334][ C0] RAX: 0000000000000001 RBX: ffffffff8137cfc0 RCX: 1ffff9200000ee01
[ 9.706334][ C0] RDX: 0000000000000000 RSI: ffffc90000077f40 RDI: ffffc900000773d0
[ 9.706334][ C0] RBP: ffffc90000077458 R08: ffffc90000077400 R09: ffffc90000077418
[ 9.706334][ C0] R10: ffffc90000077f50 R11: 0000000000000001 R12: ffffc90000077f58
[ 9.706334][ C0] R13: ffffc90000070000 R14: 0000000000000001 R15: ffffc90000077401
[ 9.706334][ C0] ? create_prof_cpu_mask (kernel/stacktrace.c:83)
[ 9.706334][ C0] arch_stack_walk (arch/x86/kernel/stacktrace.c:24)
[ 9.706334][ C0] ? ret_from_fork (arch/x86/entry/entry_64.S:304)
[ 9.706334][ C0] ? acpi_os_release_object (drivers/acpi/osl.c:1707)
[ 9.706334][ C0] ? acpi_os_release_object (drivers/acpi/osl.c:1707)
[ 9.706334][ C0] stack_trace_save (kernel/stacktrace.c:123)
[ 9.706334][ C0] ? filter_irq_stacks (kernel/stacktrace.c:114)
[ 9.706334][ C0] ? arch_stack_walk (arch/x86/kernel/stacktrace.c:24)
[ 9.706334][ C0] kasan_save_stack (mm/kasan/common.c:39)
[ 9.706334][ C0] ? kasan_save_stack (mm/kasan/common.c:39)
[ 9.706334][ C0] ? kasan_set_track (mm/kasan/common.c:45)
[ 9.706334][ C0] ? kasan_set_free_info (mm/kasan/generic.c:372)
[ 9.706334][ C0] ? __kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328 mm/kasan/common.c:374)
[ 9.706334][ C0] ? kmem_cache_free (mm/slub.c:1754 mm/slub.c:3510 mm/slub.c:3527)
[ 9.706334][ C0] ? acpi_os_release_object (drivers/acpi/osl.c:1707)
[ 9.706334][ C0] ? acpi_ds_scope_stack_pop (drivers/acpi/acpica/dswscope.c:180)
[ 9.706334][ C0] ? acpi_ds_load2_end_op (drivers/acpi/acpica/dswload2.c:425)
[ 9.706334][ C0] ? acpi_ds_exec_end_op (drivers/acpi/acpica/dswexec.c:636)
[ 9.706334][ C0] ? acpi_ps_parse_loop (drivers/acpi/acpica/psloop.c:527)
[ 9.706334][ C0] ? acpi_ps_parse_aml (drivers/acpi/acpica/psparse.c:475)
[ 9.706334][ C0] ? acpi_ps_execute_table (drivers/acpi/acpica/psxface.c:295)
[ 9.706334][ C0] ? acpi_ns_execute_table (drivers/acpi/acpica/nsparse.c:116)
[ 9.706334][ C0] ? acpi_ns_load_table (drivers/acpi/acpica/nsload.c:71)
[ 9.706334][ C0] ? acpi_tb_load_namespace (drivers/acpi/acpica/tbxfload.c:159)
[ 9.706334][ C0] ? acpi_load_tables (drivers/acpi/acpica/tbxfload.c:59)
[ 9.706334][ C0] ? acpi_bus_init (drivers/acpi/bus.c:1239)
[ 9.706334][ C0] ? acpi_init (drivers/acpi/bus.c:1350)
[ 9.706334][ C0] ? do_one_initcall (init/main.c:1298)
[ 9.706334][ C0] ? do_initcalls (init/main.c:1370 init/main.c:1387)
[ 9.706334][ C0] ? kernel_init_freeable (init/main.c:1617)
[ 9.706334][ C0] ? kernel_init (init/main.c:1504)
[ 9.706334][ C0] ? acpi_os_release_object (drivers/acpi/osl.c:1707)
[ 9.706334][ C0] ? acpi_os_release_object (drivers/acpi/osl.c:1707)
[ 9.706334][ C0] ? acpi_ds_exec_begin_op (drivers/acpi/acpica/dswexec.c:328)
[ 9.706334][ C0] ? kasan_save_stack (mm/kasan/common.c:40)
[ 9.706334][ C0] ? kasan_save_stack (mm/kasan/common.c:39)
[ 9.706334][ C0] ? kasan_set_track (mm/kasan/common.c:45)
[ 9.706334][ C0] ? kasan_set_free_info (mm/kasan/generic.c:372)
[ 9.706334][ C0] ? __kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328 mm/kasan/common.c:374)
[ 9.706334][ C0] ? kmem_cache_free (mm/slub.c:1754 mm/slub.c:3510 mm/slub.c:3527)
[ 9.706334][ C0] ? acpi_os_release_object (drivers/acpi/osl.c:1707)
[ 9.706334][ C0] ? acpi_ps_complete_op (drivers/acpi/acpica/psparse.c:190)
[ 9.706334][ C0] ? acpi_ps_parse_loop (drivers/acpi/acpica/psloop.c:552)
[ 9.706334][ C0] ? acpi_ps_parse_aml (drivers/acpi/acpica/psparse.c:475)
[ 9.706334][ C0] ? acpi_ps_execute_table (drivers/acpi/acpica/psxface.c:295)
[ 9.706334][ C0] ? acpi_ns_execute_table (drivers/acpi/acpica/nsparse.c:116)
[ 9.706334][ C0] ? acpi_ns_load_table (drivers/acpi/acpica/nsload.c:71)
[ 9.706334][ C0] ? acpi_tb_load_namespace (drivers/acpi/acpica/tbxfload.c:159)
[ 9.706334][ C0] ? acpi_load_tables (drivers/acpi/acpica/tbxfload.c:59)
[ 9.706334][ C0] ? acpi_bus_init (drivers/acpi/bus.c:1239)
[ 9.706334][ C0] ? acpi_init (drivers/acpi/bus.c:1350)
[ 9.706334][ C0] ? do_one_initcall (init/main.c:1298)
[ 9.706334][ C0] ? do_initcalls (init/main.c:1370 init/main.c:1387)
[ 9.706334][ C0] ? kernel_init_freeable (init/main.c:1617)
[ 9.706334][ C0] ? kernel_init (init/main.c:1504)
[ 9.706334][ C0] ? ret_from_fork (arch/x86/entry/entry_64.S:304)
[ 9.706334][ C0] ? acpi_os_release_object (drivers/acpi/osl.c:1707)
[ 9.706334][ C0] ? acpi_ut_update_object_reference (drivers/acpi/acpica/utdelete.c:637)
[ 9.706334][ C0] ? kmem_cache_alloc (mm/slub.c:3219 mm/slub.c:3225 mm/slub.c:3232 mm/slub.c:3242)
[ 9.706334][ C0] kasan_set_track (mm/kasan/common.c:45)
[ 9.706334][ C0] kasan_set_free_info (mm/kasan/generic.c:372)
[ 9.706334][ C0] __kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328 mm/kasan/common.c:374)
[ 9.706334][ C0] kmem_cache_free (mm/slub.c:1754 mm/slub.c:3510 mm/slub.c:3527)
[ 9.706334][ C0] acpi_os_release_object (drivers/acpi/osl.c:1707)
[ 9.706334][ C0] acpi_ds_scope_stack_pop (drivers/acpi/acpica/dswscope.c:180)
[ 9.706334][ C0] acpi_ds_load2_end_op (drivers/acpi/acpica/dswload2.c:425)
[ 9.706334][ C0] ? acpi_ds_load2_begin_op (drivers/acpi/acpica/dswload2.c:370)
[ 9.706334][ C0] ? kasan_set_track (mm/kasan/common.c:45)
[ 9.706334][ C0] ? kasan_set_free_info (mm/kasan/generic.c:372)
[ 9.706334][ C0] acpi_ds_exec_end_op (drivers/acpi/acpica/dswexec.c:636)
[ 9.706334][ C0] ? acpi_ds_exec_begin_op (drivers/acpi/acpica/dswexec.c:328)
[ 9.706334][ C0] acpi_ps_parse_loop (drivers/acpi/acpica/psloop.c:527)
[ 9.706334][ C0] ? acpi_ps_get_next_arg (drivers/acpi/acpica/psloop.c:222)
[ 9.706334][ C0] ? kmem_cache_alloc (mm/slub.c:3219 mm/slub.c:3225 mm/slub.c:3232 mm/slub.c:3242)
[ 9.706334][ C0] acpi_ps_parse_aml (drivers/acpi/acpica/psparse.c:475)
[ 9.706334][ C0] acpi_ps_execute_table (drivers/acpi/acpica/psxface.c:295)
[ 9.706334][ C0] acpi_ns_execute_table (drivers/acpi/acpica/nsparse.c:116)
[ 9.706334][ C0] ? acpi_ns_get_attached_data (drivers/acpi/acpica/nsparse.c:45)
[ 9.706334][ C0] ? acpi_os_signal_semaphore (drivers/acpi/osl.c:1308)
[ 9.706334][ C0] ? acpi_ut_execute_STA (drivers/acpi/acpica/uteval.c:236)
[ 9.706334][ C0] ? up (include/linux/list.h:292 kernel/locking/semaphore.c:187)


To reproduce:

git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
sudo bin/lkp install job.yaml # job file is attached in this email
bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
sudo bin/lkp run generated-yaml-file

# if you come across any failure that blocks the test,
# please remove ~/.lkp and /lkp dir to run from a clean state.



--
0-DAY CI Kernel Test Service
https://01.org/lkp
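The report above leaves the faulting frame undecoded (task_nr_scan_windows+0x2b/0x140 has no file:line next to it, unlike the other frames) and gives only a symbol offset and a fault address. The script below is an added example for this page, not part of the kernel test robot's tooling or of lkp-tests: it parses the header and call trace of such a report, reproduces generic KASAN's naming of an access to unshadowed memory (PAGE_SIZE and the top of the user range are assumed x86-64 defaults), notes that a "null-ptr-deref" at a small absolute address such as 0x2d8 is a struct field offset added to a NULL base pointer, and emits the scripts/faddr2line command that resolves the undecoded frame against a vmlinux built from the attached config. SAMPLE_REPORT is a constructed excerpt of the report in this message.

```python
"""Triage helper for a generic-KASAN report like the one quoted above.

Added example for this page; not part of the kernel test robot's tooling or of
lkp-tests. SAMPLE_REPORT is a constructed excerpt of the report above.
"""
import re
from typing import Dict, List

# Assumed x86-64 defaults. Generic KASAN calls an access with no shadow memory
# "null-ptr-deref" below PAGE_SIZE, "user-memory-access" below the top of the
# user range and "wild-memory-access" otherwise (mm/kasan/report.c).
PAGE_SIZE = 0x1000
USER_TOP = 0x00007FFFFFFFF000

SAMPLE_REPORT = """\
[ 9.706334][ C0] BUG: KASAN: null-ptr-deref in task_nr_scan_windows+0x2b/0x140
[ 9.706334][ C0] Read of size 8 at addr 00000000000002d8 by task swapper/0/1
[ 9.706334][ C0] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.18.0-rc1-00006-g753550eb0ce1 #1
[ 9.706334][ C0] Call Trace:
[ 9.706334][ C0] <IRQ>
[ 9.706334][ C0] ? task_nr_scan_windows+0x2b/0x140
[ 9.706334][ C0] kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493)
[ 9.706334][ C0] task_nr_scan_windows+0x2b/0x140
[ 9.706334][ C0] task_tick_fair (kernel/sched/fair.c:2932 kernel/sched/fair.c:11216)
[ 9.706334][ C0] </IRQ>
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*C\d+\]\s*")
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+)")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<n>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<comm>\S+)/(?P<pid>\d+)")
CPU_RE = re.compile(r"CPU: \d+ PID: \d+ Comm: \S+ (?:Not tainted|Tainted: \S+) (?P<version>\S+)")
# Frames the robot's decoder could not resolve stay as symbol+off/size; resolved
# ones carry "(file:line ...)". A leading "?" marks an unreliable frame.
RAW_FRAME = re.compile(r"^(?P<q>\? )?(?P<sym>(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+)$")
DECODED_FRAME = re.compile(r"^(?P<q>\? )?(?P<func>[\w.]+) \((?P<loc>.+)\)$")


def classify_address(addr: int) -> str:
    """KASAN's bug-type name for an access to an address without shadow."""
    if addr < PAGE_SIZE:
        return "null-ptr-deref"
    if addr < USER_TOP:
        return "user-memory-access"
    return "wild-memory-access"


def parse_kasan_report(text: str) -> Dict:
    """Header fields plus the call trace as a list of frame dicts."""
    rep, trace, in_trace, section = {}, [], False, None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if not line:
            continue
        if not in_trace:
            if m := BUG_RE.search(line):
                rep.update(kind=m["kind"], func=m["func"], offset=int(m["off"], 16),
                           func_size=int(m["size"], 16))
            elif m := ACCESS_RE.search(line):
                rep.update(access=m["rw"], access_bytes=int(m["n"]), addr=int(m["addr"], 16),
                           comm=m["comm"], pid=int(m["pid"]))
            elif m := CPU_RE.search(line):
                rep["kernel"] = m["version"]
            elif line == "Call Trace:":
                in_trace = True
        elif line[0] == "<" and line[-1] == ">":
            section = None if line[1] == "/" else line[1:-1]  # <IRQ>/<TASK> stack markers
        elif m := RAW_FRAME.match(line) or DECODED_FRAME.match(line):
            trace.append(dict(func=m["func"], unreliable=bool(m["q"]), section=section,
                              sym=m.groupdict().get("sym"), loc=m.groupdict().get("loc")))
    if not rep.keys() >= {"kind", "addr", "kernel"}:
        raise ValueError("incomplete KASAN report: BUG, access or CPU line missing")
    rep["trace"] = trace
    return rep


def faddr2line_commands(rep: Dict, vmlinux: str = "vmlinux") -> List[str]:
    """Commands to resolve the reliable frames the decoder left as symbol+offset."""
    cmds = []
    for f in rep["trace"]:
        cmd = f"./scripts/faddr2line {vmlinux} {f['sym']}"
        if f["sym"] and not f["unreliable"] and cmd not in cmds:
            cmds.append(cmd)
    return cmds


def triage(rep: Dict) -> Dict:
    """What to check first, and the next command to run against the vmlinux."""
    fault = next((f for f in rep["trace"] if f["func"] == rep["func"] and not f["unreliable"]), None)
    out = {
        "faulting_frame": f"{rep['func']}+0x{rep['offset']:x}/0x{rep['func_size']:x}",
        "task": f"{rep['comm']}/{rep['pid']} on {rep['kernel']}",
        "context": fault["section"] if fault else None,
        "kind_matches_address": classify_address(rep["addr"]) == rep["kind"],
        "faddr2line": faddr2line_commands(rep),
    }
    if rep["kind"] == "null-ptr-deref":
        # A tiny absolute address is a field offset added to a NULL base pointer;
        # which struct it belongs to follows from the resolved source line.
        out["struct_field_offset"] = rep["addr"]
    return out
```

Run triage(parse_kasan_report(SAMPLE_REPORT)) to get the faulting frame, that it was hit on the IRQ stack (a scheduler tick interrupting PID 1), that the "null-ptr-deref" label agrees with the 0x2d8 address, and the single faddr2line command to run; the vmlinux it needs is the one built from the attached config-5.18.0-rc1-00006-g753550eb0ce1, since offsets are only meaningful for that exact build.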



Attachments:
(No filename) (11.22 kB)
config-5.18.0-rc1-00006-g753550eb0ce1 (168.55 kB)
job-script (5.58 kB)
dmesg.xz (10.29 kB)
ltp (39.95 kB)
job.yaml (4.43 kB)