2022-11-09 16:34:05

by kernel test robot

Subject: [sean-jc:x86/kasan_ds_buffer] [x86/mm] c12879206e: BUG:kernel_NULL_pointer_dereference,address


Greetings,

FYI, we noticed BUG:kernel_NULL_pointer_dereference,address due to commit (built with gcc-11):

commit: c12879206e47730ff5ab255bbf625b28ade4028f ("x86/mm: Populate KASAN shadow for per-CPU DS buffers in CPU entry area")
https://github.com/sean-jc/linux x86/kasan_ds_buffer

in testcase: boot

on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):


If you fix the issue, kindly add the following tag
| Reported-by: kernel test robot <[email protected]>
| Link: https://lore.kernel.org/oe-lkp/[email protected]


[ 0.393625][ T0] BUG: kernel NULL pointer dereference, address: 00000000
[ 0.394409][ T0] #PF: supervisor read access in kernel mode
[ 0.395080][ T0] #PF: error_code(0x0000) - not-present page
[ 0.395754][ T0] *pdpt = 0000000000000000 *pde = f000ff53f000ff53
[ 0.396492][ T0] Oops: 0000 [#1] SMP
[ 0.396934][ T0] CPU: 0 PID: 0 Comm: swapper Not tainted 6.1.0-rc3-00026-gc12879206e47 #1 b77cd08af3ba623e5cfd4322a824090e2c932177
[ 0.398259][ T0] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
[ 0.399354][ T0] EIP: per_cpu_ptr_to_phys (??:?)
[ 0.399957][ T0] Code: 01 89 da b8 a0 6e 80 84 e8 11 27 7a 00 8b 1d f0 6f 80 84 89 c1 39 c3 77 c5 89 f0 81 e6 ff 0f 00 00 e8 08 41 03 00 31 d2 31 c9 <8b> 38 6a 01 89 c3 b8 d0 67 64 84 c1 ef 19 e8 11 a9 f2 ff c1 e7 04
All code
========
0: 01 89 da b8 a0 6e add %ecx,0x6ea0b8da(%rcx)
6: 80 84 e8 11 27 7a 00 addb $0x8b,0x7a2711(%rax,%rbp,8)
d: 8b
e: 1d f0 6f 80 84 sbb $0x84806ff0,%eax
13: 89 c1 mov %eax,%ecx
15: 39 c3 cmp %eax,%ebx
17: 77 c5 ja 0xffffffffffffffde
19: 89 f0 mov %esi,%eax
1b: 81 e6 ff 0f 00 00 and $0xfff,%esi
21: e8 08 41 03 00 callq 0x3412e
26: 31 d2 xor %edx,%edx
28: 31 c9 xor %ecx,%ecx
2a:* 8b 38 mov (%rax),%edi <-- trapping instruction
2c: 6a 01 pushq $0x1
2e: 89 c3 mov %eax,%ebx
30: b8 d0 67 64 84 mov $0x846467d0,%eax
35: c1 ef 19 shr $0x19,%edi
38: e8 11 a9 f2 ff callq 0xfffffffffff2a94e
3d: c1 e7 04 shl $0x4,%edi

Code starting with the faulting instruction
===========================================
0: 8b 38 mov (%rax),%edi
2: 6a 01 pushq $0x1
4: 89 c3 mov %eax,%ebx
6: b8 d0 67 64 84 mov $0x846467d0,%eax
b: c1 ef 19 shr $0x19,%edi
e: e8 11 a9 f2 ff callq 0xfffffffffff2a924
13: c1 e7 04 shl $0x4,%edi
[ 0.402060][ T0] EAX: 00000000 EBX: 00000001 ECX: 00000000 EDX: 00000000
[ 0.402864][ T0] ESI: 00000000 EDI: ff20d000 EBP: 83f89f10 ESP: 83f89f00
[ 0.403654][ T0] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00210046
[ 0.404477][ T0] CR0: 80050033 CR2: 00000000 CR3: 049fc000 CR4: 000406b0
[ 0.405280][ T0] Call Trace:
[ 0.405622][ T0] cea_map_percpu_pages (cpu_entry_area.c:?)
[ 0.406169][ T0] setup_cpu_entry_area (cpu_entry_area.c:?)
[ 0.406746][ T0] setup_cpu_entry_areas (??:?)
[ 0.407298][ T0] trap_init (??:?)
[ 0.407746][ T0] start_kernel (??:?)
[ 0.408241][ T0] i386_start_kernel (??:?)
[ 0.408764][ T0] startup_32_smp (??:?)
[ 0.409295][ T0] Modules linked in:
[ 0.409691][ T0] CR2: 0000000000000000
[ 0.410138][ T0] ---[ end trace 0000000000000000 ]---
[ 0.410704][ T0] EIP: per_cpu_ptr_to_phys (??:?)
[ 0.411279][ T0] Code: 01 89 da b8 a0 6e 80 84 e8 11 27 7a 00 8b 1d f0 6f 80 84 89 c1 39 c3 77 c5 89 f0 81 e6 ff 0f 00 00 e8 08 41 03 00 31 d2 31 c9 <8b> 38 6a 01 89 c3 b8 d0 67 64 84 c1 ef 19 e8 11 a9 f2 ff c1 e7 04
All code
========
0: 01 89 da b8 a0 6e add %ecx,0x6ea0b8da(%rcx)
6: 80 84 e8 11 27 7a 00 addb $0x8b,0x7a2711(%rax,%rbp,8)
d: 8b
e: 1d f0 6f 80 84 sbb $0x84806ff0,%eax
13: 89 c1 mov %eax,%ecx
15: 39 c3 cmp %eax,%ebx
17: 77 c5 ja 0xffffffffffffffde
19: 89 f0 mov %esi,%eax
1b: 81 e6 ff 0f 00 00 and $0xfff,%esi
21: e8 08 41 03 00 callq 0x3412e
26: 31 d2 xor %edx,%edx
28: 31 c9 xor %ecx,%ecx
2a:* 8b 38 mov (%rax),%edi <-- trapping instruction
2c: 6a 01 pushq $0x1
2e: 89 c3 mov %eax,%ebx
30: b8 d0 67 64 84 mov $0x846467d0,%eax
35: c1 ef 19 shr $0x19,%edi
38: e8 11 a9 f2 ff callq 0xfffffffffff2a94e
3d: c1 e7 04 shl $0x4,%edi

Code starting with the faulting instruction
===========================================
0: 8b 38 mov (%rax),%edi
2: 6a 01 pushq $0x1
4: 89 c3 mov %eax,%ebx
6: b8 d0 67 64 84 mov $0x846467d0,%eax
b: c1 ef 19 shr $0x19,%edi
e: e8 11 a9 f2 ff callq 0xfffffffffff2a924
13: c1 e7 04 shl $0x4,%edi


To reproduce:

# build kernel
cd linux
cp config-6.1.0-rc3-00026-gc12879206e47 .config
make HOSTCC=gcc-11 CC=gcc-11 ARCH=i386 olddefconfig prepare modules_prepare bzImage modules
make HOSTCC=gcc-11 CC=gcc-11 ARCH=i386 INSTALL_MOD_PATH=<mod-install-dir> modules_install
cd <mod-install-dir>
find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz


git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

# if you come across any failure that blocks the test,
# please remove the ~/.lkp and /lkp dirs to run from a clean state.



--
0-DAY CI Kernel Test Service
https://01.org/lkp



Attachments:
config-6.1.0-rc3-00026-gc12879206e47 (154.32 kB)
job-script (4.92 kB)
dmesg.xz (4.47 kB)