Greetings,
FYI, we noticed the following commit (built with gcc-11):
commit: 0b5e478a23fe2f2e8995e19434c2937b22629b46 ("x86: Expose untagging mask in /proc/$PID/arch_status")
https://git.kernel.org/cgit/linux/kernel/git/kas/linux.git lam
in testcase: trinity
version: trinity-x86_64-3f8670b2-1_20220518
with following parameters:
runtime: 300s
test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):
If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <[email protected]>
[ 161.757975][ T3080] general protection fault, probably for non-canonical address 0xdffffc000000006a: 0000 [#1] SMP KASAN PTI
[ 161.766823][ T3080] KASAN: null-ptr-deref in range [0x0000000000000350-0x0000000000000357]
[ 161.772883][ T3080] CPU: 1 PID: 3080 Comm: trinity-c5 Not tainted 5.19.0-rc1-00007-g0b5e478a23fe #1
[ 161.777263][ T3080] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
[ 161.781360][ T3080] RIP: 0010:proc_pid_arch_status (arch/x86/include/asm/mmu_context.h:108 arch/x86/kernel/proc.c:47)
[ 161.785059][ T3080] Code: fa 48 c1 ea 03 80 3c 02 00 75 42 48 8b 9b 88 08 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d bb 50 03 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 75 24 48 8b 93 50 03 00 00 48 89 ef 48 c7 c6 60 84 24
All code
========
0: fa cli
1: 48 c1 ea 03 shr $0x3,%rdx
5: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
9: 75 42 jne 0x4d
b: 48 8b 9b 88 08 00 00 mov 0x888(%rbx),%rbx
12: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
19: fc ff df
1c: 48 8d bb 50 03 00 00 lea 0x350(%rbx),%rdi
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
2a:* 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2e: 75 24 jne 0x54
30: 48 8b 93 50 03 00 00 mov 0x350(%rbx),%rdx
37: 48 89 ef mov %rbp,%rdi
3a: 48 rex.W
3b: c7 .byte 0xc7
3c: c6 (bad)
3d: 60 (bad)
3e: 84 .byte 0x84
3f: 24 .byte 0x24
Code starting with the faulting instruction
===========================================
0: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
4: 75 24 jne 0x2a
6: 48 8b 93 50 03 00 00 mov 0x350(%rbx),%rdx
d: 48 89 ef mov %rbp,%rdi
10: 48 rex.W
11: c7 .byte 0xc7
12: c6 (bad)
13: 60 (bad)
14: 84 .byte 0x84
15: 24 .byte 0x24
[ 161.792028][ T3080] RSP: 0018:ffffc900018079e8 EFLAGS: 00010206
[ 161.795249][ T3080] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff888100372940
[ 161.798532][ T3080] RDX: 000000000000006a RSI: ffffffffacd1b100 RDI: 0000000000000350
[ 161.801804][ T3080] RBP: ffff88812c5d3228 R08: 0000000000000001 R09: ffff88810037296b
[ 161.805086][ T3080] R10: ffffed102006e52d R11: 0000000000000001 R12: ffff8881002f86c0
[ 161.808304][ T3080] R13: ffff888100372968 R14: ffffffffacd1b100 R15: 0000000000000001
[ 161.811464][ T3080] FS: 00007fe5be759600(0000) GS:ffff88839d700000(0000) knlGS:0000000000000000
[ 161.815196][ T3080] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 161.818205][ T3080] CR2: 00007fe5bdb1e2fc CR3: 000000017afde000 CR4: 00000000000406e0
[ 161.821282][ T3080] DR0: 00007fe5bc904000 DR1: 00007fe5bcf04000 DR2: 0000000000000000
[ 161.824304][ T3080] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
[ 161.827263][ T3080] Call Trace:
[ 161.829901][ T3080] <TASK>
[ 161.832492][ T3080] proc_single_show (include/linux/instrumented.h:101 include/linux/atomic/atomic-instrumented.h:176 include/linux/refcount.h:272 include/linux/refcount.h:315 include/linux/refcount.h:333 include/linux/sched/task.h:118 fs/proc/base.c:779)
[ 161.835175][ T3080] seq_read_iter (fs/seq_file.c:231)
[ 161.837840][ T3080] ? folio_memcg_lock (mm/memcontrol.c:2077)
[ 161.840500][ T3080] seq_read (fs/seq_file.c:163)
[ 161.843010][ T3080] ? seq_read_iter (fs/seq_file.c:152)
[ 161.845560][ T3080] ? filemap_map_pages (mm/filemap.c:3336 mm/filemap.c:3408)
[ 161.848056][ T3080] ? _copy_from_user (arch/x86/include/asm/uaccess_64.h:46 arch/x86/include/asm/uaccess_64.h:52 lib/usercopy.c:16)
[ 161.850492][ T3080] ? __fsnotify_update_child_dentry_flags (fs/notify/fsnotify.c:180)
[ 161.852992][ T3080] do_loop_readv_writev+0xc7/0x300
[ 161.855388][ T3080] do_iter_read (fs/read_write.c:755 fs/read_write.c:805)
[ 161.857712][ T3080] vfs_readv (fs/read_write.c:924)
[ 161.859992][ T3080] ? vfs_iter_read (fs/read_write.c:915)
[ 161.862293][ T3080] ? __hrtimer_start_range_ns (kernel/time/hrtimer.c:1258)
[ 161.864611][ T3080] ? __cond_resched (kernel/sched/core.c:8217)
[ 161.866803][ T3080] ? mutex_lock (arch/x86/include/asm/atomic64_64.h:190 include/linux/atomic/atomic-long.h:443 include/linux/atomic/atomic-instrumented.h:1781 kernel/locking/mutex.c:171 kernel/locking/mutex.c:285)
[ 161.868960][ T3080] ? __mutex_lock_slowpath (kernel/locking/mutex.c:282)
[ 161.871153][ T3080] ? __fget_light (arch/x86/include/asm/atomic.h:29 include/linux/atomic/atomic-instrumented.h:28 fs/file.c:1005)
[ 161.873259][ T3080] do_readv (fs/read_write.c:960)
[ 161.875265][ T3080] ? vfs_readv (fs/read_write.c:950)
[ 161.877233][ T3080] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
[ 161.879133][ T3080] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:115)
[ 161.881074][ T3080] RIP: 0033:0x7fe5be68b9b9
[ 161.882862][ T3080] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a7 54 0c 00 f7 d8 64 89 01 48
All code
========
0: 00 c3 add %al,%bl
2: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
9: 00 00 00
c: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
11: 48 89 f8 mov %rdi,%rax
14: 48 89 f7 mov %rsi,%rdi
17: 48 89 d6 mov %rdx,%rsi
1a: 48 89 ca mov %rcx,%rdx
1d: 4d 89 c2 mov %r8,%r10
20: 4d 89 c8 mov %r9,%r8
23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
To reproduce:
# build kernel
cd linux
cp config-5.19.0-rc1-00007-g0b5e478a23fe .config
make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
make HOSTCC=gcc-11 CC=gcc-11 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
cd <mod-install-dir>
find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email
# if you come across any failure that blocks the test,
# please remove ~/.lkp and /lkp dir to run from a clean state.
--
0-DAY CI Kernel Test Service
https://01.org/lkp
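The first two dmesg lines of the report are tied together by the generic-KASAN shadow mapping on x86-64: the GPF address 0xdffffc000000006a is the shadow byte for offset 0x350, which is why KASAN reports a null-ptr-deref in [0x350-0x357] (the trapping cmpb reads (%rdx,%rax,1) with %rax holding the shadow offset and %rbx, the base pointer, equal to 0). The C program below is an added example, not part of the report or of the kernel tree; it redoes that decoding the way the kernel's kasan_non_canonical_hook() does, assuming the upstream x86-64 defaults for the shadow offset, granule size, page size and 4-level TASK_SIZE.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86-64 generic-KASAN layout: shadow = (addr >> 3) + KASAN_SHADOW_OFFSET.
 * Constants assumed to be the upstream defaults for 4-level paging. */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE_SIZE       (1ULL << KASAN_SHADOW_SCALE_SHIFT)
#define PAGE_SIZE_X86            4096ULL
#define TASK_SIZE_MAX_X86        ((1ULL << 47) - PAGE_SIZE_X86)

struct kasan_decode {
    int valid;             /* 0: not a shadow address, nothing to decode */
    uint64_t start, end;   /* original 8-byte range covered by the shadow byte */
    const char *bug_type;  /* classification KASAN prints in dmesg */
};

/* Same arithmetic as kasan_non_canonical_hook(): invert the shadow mapping,
 * then classify by where the original (unshadowed) address lies. */
struct kasan_decode kasan_decode_gpf(uint64_t fault_addr)
{
    struct kasan_decode d = {0, 0, 0, NULL};

    if (fault_addr < KASAN_SHADOW_OFFSET)
        return d;  /* ordinary non-canonical fault, not a shadow check */

    d.valid = 1;
    d.start = (fault_addr - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
    d.end = d.start + KASAN_GRANULE_SIZE - 1;
    if (d.start < PAGE_SIZE_X86)
        d.bug_type = "null-ptr-deref";            /* NULL + small offset */
    else if (d.start < TASK_SIZE_MAX_X86)
        d.bug_type = "probably user-memory-access";
    else
        d.bug_type = "maybe wild-memory-access";
    return d;
}

int main(void)
{
    /* constructed input: the GPF address taken from the report above */
    struct kasan_decode d = kasan_decode_gpf(0xdffffc000000006aULL);

    if (d.valid)
        printf("KASAN: %s in range [0x%016llx-0x%016llx]\n", d.bug_type,
               (unsigned long long)d.start, (unsigned long long)d.end);
    return 0;
}
```

Reading the decoded range back against the disassembly (`lea 0x350(%rbx),%rdi` with RBX=0) is what identifies the bug as a NULL base pointer plus a field offset, rather than a corrupted pointer.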