2024-05-27 02:49:38

by kernel test robot

Subject: Re: [PATCH RFC] : fhandle: relax open_by_handle_at() permission checks



Hello,

kernel test robot noticed "BUG:kernel_NULL_pointer_dereference,address" on:

commit: 9ca8b65e411ba759831af5d678f8d01e141816a1 ("[PATCH RFC] : fhandle: relax open_by_handle_at() permission checks")
url: https://github.com/intel-lab-lkp/linux/commits/Christian-Brauner/fhandle-relax-open_by_handle_at-permission-checks/20240524-182059
patch link: https://lore.kernel.org/all/[email protected]/
patch subject: [PATCH RFC] : fhandle: relax open_by_handle_at() permission checks

in testcase: trinity
version:
with the following parameters:

runtime: 600s

compiler: gcc-13
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

(please refer to the attached dmesg/kmsg for the entire log/backtrace)


+---------------------------------------------+------------+------------+
|                                             | 8f6a15f095 | 9ca8b65e41 |
+---------------------------------------------+------------+------------+
| boot_successes                              | 4          | 0          |
| boot_failures                               | 0          | 6          |
| BUG:kernel_NULL_pointer_dereference,address | 0          | 6          |
| Oops:Oops:#[##]                             | 0          | 6          |
| EIP:handle_to_path                          | 0          | 6          |
| Kernel_panic-not_syncing:Fatal_exception    | 0          | 6          |
+---------------------------------------------+------------+------------+


If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <[email protected]>
| Closes: https://lore.kernel.org/oe-lkp/[email protected]


[ 20.927410][ T678] BUG: kernel NULL pointer dereference, address: 00000002
[ 20.928271][ T678] #PF: supervisor read access in kernel mode
[ 20.928887][ T678] #PF: error_code(0x0000) - not-present page
[ 20.929607][ T678] *pde = 00000000
[ 20.930090][ T678] Oops: Oops: 0000 [#1]
[ 20.930616][ T678] CPU: 0 PID: 678 Comm: trinity-c0 Not tainted 6.9.0-10324-g9ca8b65e411b #1
[ 20.931662][ T678] EIP: handle_to_path (fs/fhandle.c:259 (discriminator 1))
[ 20.932243][ T678] Code: f2 ff ff ff e9 95 fe ff ff 8d b6 00 00 00 00 bb ea ff ff ff e9 85 fe ff ff 8d b6 00 00 00 00 8b 45 d8 ba 15 00 00 00 8b 40 6c <8b> 40 18 e8 c1 3a de ff 84 c0 0f 84 5f fe ff ff 8b 45 d8 8b 55 dc
All code
========
0: f2 ff repnz (bad)
2: ff (bad)
3: ff (bad)
4: e9 95 fe ff ff jmp 0xfffffffffffffe9e
9: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
f: bb ea ff ff ff mov $0xffffffea,%ebx
14: e9 85 fe ff ff jmp 0xfffffffffffffe9e
19: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
1f: 8b 45 d8 mov -0x28(%rbp),%eax
22: ba 15 00 00 00 mov $0x15,%edx
27: 8b 40 6c mov 0x6c(%rax),%eax
2a:* 8b 40 18 mov 0x18(%rax),%eax <-- trapping instruction
2d: e8 c1 3a de ff call 0xffffffffffde3af3
32: 84 c0 test %al,%al
34: 0f 84 5f fe ff ff je 0xfffffffffffffe99
3a: 8b 45 d8 mov -0x28(%rbp),%eax
3d: 8b 55 dc mov -0x24(%rbp),%edx

Code starting with the faulting instruction
===========================================
0: 8b 40 18 mov 0x18(%rax),%eax
3: e8 c1 3a de ff call 0xffffffffffde3ac9
8: 84 c0 test %al,%al
a: 0f 84 5f fe ff ff je 0xfffffffffffffe6f
10: 8b 45 d8 mov -0x28(%rbp),%eax
13: 8b 55 dc mov -0x24(%rbp),%edx
[ 20.934542][ T678] EAX: ffffffea EBX: c38458c0 ECX: 00000015 EDX: 00000015
[ 20.935354][ T678] ESI: ede5bf48 EDI: 00000000 EBP: ede5bf70 ESP: ede5bf2c
[ 20.936199][ T678] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068 EFLAGS: 00010246
[ 20.937022][ T678] CR0: 80050033 CR2: 00000002 CR3: 0370d000 CR4: 00040690
[ 20.937713][ T678] Call Trace:
[ 20.938034][ T678] ? show_regs (arch/x86/kernel/dumpstack.c:479)
[ 20.938520][ T678] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)
[ 20.938942][ T678] ? debug_locks_off (lib/debug_locks.c:44)
[ 20.939502][ T678] ? page_fault_oops (arch/x86/mm/fault.c:715)
[ 20.940033][ T678] ? kernelmode_fixup_or_oops+0x5c/0x70
[ 20.940759][ T678] ? __bad_area_nosemaphore+0x113/0x1b4
[ 20.941504][ T678] ? lock_release (kernel/locking/lockdep.c:467 (discriminator 4) kernel/locking/lockdep.c:5776 (discriminator 4))
[ 20.942005][ T678] ? up_read (kernel/locking/rwsem.c:1623)
[ 20.942838][ T678] ? bad_area_nosemaphore (arch/x86/mm/fault.c:835)
[ 20.943483][ T678] ? do_user_addr_fault (arch/x86/mm/fault.c:1452)
[ 20.944138][ T678] ? exc_page_fault (arch/x86/include/asm/irqflags.h:26 arch/x86/include/asm/irqflags.h:67 arch/x86/include/asm/irqflags.h:127 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539)
[ 20.944774][ T678] ? pvclock_clocksource_read_nowd (arch/x86/mm/fault.c:1494)
[ 20.945558][ T678] ? handle_exception (arch/x86/entry/entry_32.S:1054)
[ 20.946219][ T678] ? keyring_search_rcu (include/linux/refcount.h:192 include/linux/refcount.h:241 include/linux/refcount.h:258 include/linux/key.h:308 security/keys/keyring.c:923)
[ 20.946845][ T678] ? pvclock_clocksource_read_nowd (arch/x86/mm/fault.c:1494)
[ 20.947517][ T678] ? handle_to_path (fs/fhandle.c:259 (discriminator 1))
[ 20.948115][ T678] ? pvclock_clocksource_read_nowd (arch/x86/mm/fault.c:1494)
[ 20.948896][ T678] ? handle_to_path (fs/fhandle.c:259 (discriminator 1))
[ 20.949505][ T678] ? __lock_release+0x54/0x170
[ 20.950147][ T678] ? __task_pid_nr_ns (include/linux/rcupdate.h:810 kernel/pid.c:514)
[ 20.950699][ T678] __ia32_sys_open_by_handle_at (fs/fhandle.c:317 fs/fhandle.c:357 fs/fhandle.c:348 fs/fhandle.c:348)
[ 20.951279][ T678] ? syscall_exit_to_user_mode (kernel/entry/common.c:221)
[ 20.951859][ T678] ia32_sys_call (arch/x86/entry/syscall_32.c:42)
[ 20.952409][ T678] do_int80_syscall_32 (arch/x86/entry/common.c:165 (discriminator 1) arch/x86/entry/common.c:339 (discriminator 1))
[ 20.953037][ T678] entry_INT80_32 (arch/x86/entry/entry_32.S:944)
[ 20.953604][ T678] EIP: 0x8097522
[ 20.954040][ T678] Code: 89 c8 c3 90 8d 74 26 00 85 c0 c7 01 01 00 00 00 75 d8 a1 cc 3c ad 08 eb d1 66 90 66 90 66 90 66 90 66 90 66 90 66 90 90 cd 80 <c3> 8d b6 00 00 00 00 8d bc 27 00 00 00 00 8b 10 a3 f4 3c ad 08 85
All code
========
0: 89 c8 mov %ecx,%eax
2: c3 ret
3: 90 nop
4: 8d 74 26 00 lea 0x0(%rsi,%riz,1),%esi
8: 85 c0 test %eax,%eax
a: c7 01 01 00 00 00 movl $0x1,(%rcx)
10: 75 d8 jne 0xffffffffffffffea
12: a1 cc 3c ad 08 eb d1 movabs 0x9066d1eb08ad3ccc,%eax
19: 66 90
1b: 66 90 xchg %ax,%ax
1d: 66 90 xchg %ax,%ax
1f: 66 90 xchg %ax,%ax
21: 66 90 xchg %ax,%ax
23: 66 90 xchg %ax,%ax
25: 66 90 xchg %ax,%ax
27: 90 nop
28: cd 80 int $0x80
2a:* c3 ret <-- trapping instruction
2b: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
31: 8d bc 27 00 00 00 00 lea 0x0(%rdi,%riz,1),%edi
38: 8b 10 mov (%rax),%edx
3a: a3 .byte 0xa3
3b: f4 hlt
3c: 3c ad cmp $0xad,%al
3e: 08 .byte 0x8
3f: 85 .byte 0x85

Code starting with the faulting instruction
===========================================
0: c3 ret
1: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
7: 8d bc 27 00 00 00 00 lea 0x0(%rdi,%riz,1),%edi
e: 8b 10 mov (%rax),%edx
10: a3 .byte 0xa3
11: f4 hlt
12: 3c ad cmp $0xad,%al
14: 08 .byte 0x8
15: 85 .byte 0x85
[ 20.956462][ T678] EAX: ffffffda EBX: 00000136 ECX: 00000001 EDX: 00033f01
[ 20.957337][ T678] ESI: 000001b6 EDI: fffffff9 EBP: fffffff8 ESP: bf997c98
[ 20.958254][ T678] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000296
[ 20.959207][ T678] Modules linked in:
[ 20.959695][ T678] CR2: 0000000000000002
[ 20.960372][ T678] ---[ end trace 0000000000000000 ]---
[ 20.960979][ T678] EIP: handle_to_path (fs/fhandle.c:259 (discriminator 1))
[ 20.961566][ T678] Code: f2 ff ff ff e9 95 fe ff ff 8d b6 00 00 00 00 bb ea ff ff ff e9 85 fe ff ff 8d b6 00 00 00 00 8b 45 d8 ba 15 00 00 00 8b 40 6c <8b> 40 18 e8 c1 3a de ff 84 c0 0f 84 5f fe ff ff 8b 45 d8 8b 55 dc
All code
========
0: f2 ff repnz (bad)
2: ff (bad)
3: ff (bad)
4: e9 95 fe ff ff jmp 0xfffffffffffffe9e
9: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
f: bb ea ff ff ff mov $0xffffffea,%ebx
14: e9 85 fe ff ff jmp 0xfffffffffffffe9e
19: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
1f: 8b 45 d8 mov -0x28(%rbp),%eax
22: ba 15 00 00 00 mov $0x15,%edx
27: 8b 40 6c mov 0x6c(%rax),%eax
2a:* 8b 40 18 mov 0x18(%rax),%eax <-- trapping instruction
2d: e8 c1 3a de ff call 0xffffffffffde3af3
32: 84 c0 test %al,%al
34: 0f 84 5f fe ff ff je 0xfffffffffffffe99
3a: 8b 45 d8 mov -0x28(%rbp),%eax
3d: 8b 55 dc mov -0x24(%rbp),%edx

Code starting with the faulting instruction
===========================================
0: 8b 40 18 mov 0x18(%rax),%eax
3: e8 c1 3a de ff call 0xffffffffffde3ac9
8: 84 c0 test %al,%al
a: 0f 84 5f fe ff ff je 0xfffffffffffffe6f
10: 8b 45 d8 mov -0x28(%rbp),%eax
13: 8b 55 dc mov -0x24(%rbp),%edx


The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20240527/[email protected]



--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki