Hello,
kernel test robot noticed "BUG:KASAN:null-ptr-deref_in_hugetlbfs_fallocate" on:
commit: 1f944358dbb5e9a6493fd7b1f77ee64376d2bdf1 ("[PATCH] mm/hugetlb: revert use of page_cache_next_miss()")
url: https://github.com/intel-lab-lkp/linux/commits/Sidhartha-Kumar/mm-hugetlb-re...
base: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git 78b421b6a7c6dbb6a213877c742af52330f5026d
patch link: https://lore.kernel.org/all/20230505185301.534259-1-sidhartha.kumar@oracle.c...
patch subject: [PATCH] mm/hugetlb: revert use of page_cache_next_miss()
in testcase: trinity
version: trinity-x86_64-abe9de86-1_20230501
with following parameters:

        runtime: 600s

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/

compiler: clang-14
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
(please refer to attached dmesg/kmsg for entire log/backtrace)
If you fix the issue, kindly add following tag
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202305231207.35d53791-oliver.sang@intel.com
[ 144.098719][ T1547] BUG: KASAN: null-ptr-deref in hugetlbfs_fallocate (inode.c:?)
[ 144.099404][ T1547] Read of size 4 at addr 0000000000000032 by task trinity-c1/1547
[ 144.100071][ T1547]
[ 144.100282][ T1547] CPU: 0 PID: 1547 Comm: trinity-c1 Not tainted 6.3.0-13165-g1f944358dbb5 #1 1f0cfaa9708c3e99bb7e2ecf8f7fd22c51fc3e3b
[ 144.101310][ T1547] Call Trace:
[ 144.101602][ T1547]  <TASK>
[ 144.101858][ T1547] dump_stack_lvl (??:?)
[ 144.102269][ T1547] print_report (report.c:?)
[ 144.102655][ T1547] ? start_report (report.c:?)
[ 144.103044][ T1547] ? hugetlbfs_fallocate (inode.c:?)
[ 144.103497][ T1547] ? hugetlbfs_fallocate (inode.c:?)
[ 144.103937][ T1547] kasan_report (??:?)
[ 144.104270][ T1547] ? filemap_get_entry (??:?)
[ 144.104656][ T1547] ? hugetlbfs_fallocate (inode.c:?)
[ 144.105082][ T1547] kasan_check_range (??:?)
[ 144.105503][ T1547] hugetlbfs_fallocate (inode.c:?)
[ 144.105921][ T1547] vfs_fallocate (??:?)
[ 144.106317][ T1547] ksys_fallocate (??:?)
[ 144.106702][ T1547] __x64_sys_fallocate (??:?)
[ 144.107121][ T1547] do_syscall_64 (??:?)
[ 144.107521][ T1547] entry_SYSCALL_64_after_hwframe (??:?)
[ 144.108022][ T1547] RIP: 0033:0x7fedb9a039b9
[ 144.108398][ T1547] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a7 54 0c 00 f7 d8 64 89 01 48
All code
========
   0:   00 c3                   add    %al,%bl
   2:   66 2e 0f 1f 84 00 00    nopw   %cs:0x0(%rax,%rax,1)
   9:   00 00 00
   c:   0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)
  11:   48 89 f8                mov    %rdi,%rax
  14:   48 89 f7                mov    %rsi,%rdi
  17:   48 89 d6                mov    %rdx,%rsi
  1a:   48 89 ca                mov    %rcx,%rdx
  1d:   4d 89 c2                mov    %r8,%r10
  20:   4d 89 c8                mov    %r9,%r8
  23:   4c 8b 4c 24 08          mov    0x8(%rsp),%r9
  28:   0f 05                   syscall
  2a:*  48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax         <-- trapping instruction
  30:   73 01                   jae    0x33
  32:   c3                      retq
  33:   48 8b 0d a7 54 0c 00    mov    0xc54a7(%rip),%rcx        # 0xc54e1
  3a:   f7 d8                   neg    %eax
  3c:   64 89 01                mov    %eax,%fs:(%rcx)
  3f:   48                      rex.W

Code starting with the faulting instruction
===========================================
   0:   48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax
   6:   73 01                   jae    0x9
   8:   c3                      retq
   9:   48 8b 0d a7 54 0c 00    mov    0xc54a7(%rip),%rcx        # 0xc54b7
  10:   f7 d8                   neg    %eax
  12:   64 89 01                mov    %eax,%fs:(%rcx)
  15:   48                      rex.W
[ 144.109953][ T1547] RSP: 002b:00007ffdf492f6a8 EFLAGS: 00000246 ORIG_RAX: 000000000000011d
[ 144.110612][ T1547] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fedb9a039b9
[ 144.111233][ T1547] RDX: 0000000000000008 RSI: 0000000000000000 RDI: 000000000000011a
[ 144.111870][ T1547] RBP: 00007fedb839a000 R08: 0000000000000020 R09: 0000000000000090
[ 144.112514][ T1547] R10: 0000000000000800 R11: 0000000000000246 R12: 000000000000011d
[ 144.113168][ T1547] R13: 00007fedb9ad1580 R14: 00007fedb839a058 R15: 00007fedb839a000
[ 144.113814][ T1547]  </TASK>
[ 144.114073][ T1547] ==================================================================
[ 144.114752][ T1547] Disabling lock debugging due to kernel taint
[ 144.115284][ T1547] general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] KASAN
[ 144.116161][ T1547] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
[ 144.116830][ T1547] CPU: 0 PID: 1547 Comm: trinity-c1 Tainted: G B 6.3.0-13165-g1f944358dbb5 #1 1f0cfaa9708c3e99bb7e2ecf8f7fd22c51fc3e3b
[ 144.117939][ T1547] RIP: 0010:hugetlbfs_fallocate (inode.c:?)
[ 144.118431][ T1547] Code: 84 9c 00 00 00 48 89 c5 48 8d 58 34 48 89 df be 04 00 00 00 e8 d5 83 ca ff 48 89 d8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <8a> 04 08 84 c0 0f 85 d8 01 00 00 83 3b 00 0f 84 3a 07 00 00 48 89
All code
========
   0:   84 9c 00 00 00 48 89    test   %bl,-0x76b80000(%rax,%rax,1)
   7:   c5 48 8d                (bad)
   a:   58                      pop    %rax
   b:   34 48                   xor    $0x48,%al
   d:   89 df                   mov    %ebx,%edi
   f:   be 04 00 00 00          mov    $0x4,%esi
  14:   e8 d5 83 ca ff          callq  0xffffffffffca83ee
  19:   48 89 d8                mov    %rbx,%rax
  1c:   48 c1 e8 03             shr    $0x3,%rax
  20:   48 b9 00 00 00 00 00    movabs $0xdffffc0000000000,%rcx
  27:   fc ff df
  2a:*  8a 04 08                mov    (%rax,%rcx,1),%al                <-- trapping instruction
  2d:   84 c0                   test   %al,%al
  2f:   0f 85 d8 01 00 00       jne    0x20d
  35:   83 3b 00                cmpl   $0x0,(%rbx)
  38:   0f 84 3a 07 00 00       je     0x778
  3e:   48                      rex.W
  3f:   89                      .byte 0x89

Code starting with the faulting instruction
===========================================
   0:   8a 04 08                mov    (%rax,%rcx,1),%al
   3:   84 c0                   test   %al,%al
   5:   0f 85 d8 01 00 00       jne    0x1e3
   b:   83 3b 00                cmpl   $0x0,(%rbx)
   e:   0f 84 3a 07 00 00       je     0x74e
  14:   48                      rex.W
  15:   89                      .byte 0x89
[ 144.120027][ T1547] RSP: 0018:ffff88812ba3fd48 EFLAGS: 00010206
[ 144.120545][ T1547] RAX: 0000000000000006 RBX: 0000000000000032 RCX: dffffc0000000000
[ 144.121198][ T1547] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff8a927100
[ 144.121864][ T1547] RBP: fffffffffffffffe R08: dffffc0000000000 R09: fffffbfff1524e21
[ 144.122535][ T1547] R10: 0000000000000000 R11: dffff7fff1524e22 R12: 0000000000000000
[ 144.123214][ T1547] R13: 0000000000000000 R14: 0000000000000000 R15: 00000000fffffffc
[ 144.123947][ T1547] FS:  00007fedb9ad1600(0000) GS:ffffffff87f0a000(0000) knlGS:0000000000000000
[ 144.124701][ T1547] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 144.125263][ T1547] CR2: 00007fedb95005fc CR3: 000000012dfd0000 CR4: 00000000000406f0
[ 144.125925][ T1547] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 144.126601][ T1547] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 144.127277][ T1547] Call Trace:
[ 144.127584][ T1547]  <TASK>
[ 144.127848][ T1547] vfs_fallocate (??:?)
[ 144.128251][ T1547] ksys_fallocate (??:?)
[ 144.128646][ T1547] __x64_sys_fallocate (??:?)
[ 144.129072][ T1547] do_syscall_64 (??:?)
[ 144.129460][ T1547] entry_SYSCALL_64_after_hwframe (??:?)
[ 144.129972][ T1547] RIP: 0033:0x7fedb9a039b9
[ 144.130359][ T1547] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d a7 54 0c 00 f7 d8 64 89 01 48
All code
========
   0:   00 c3                   add    %al,%bl
   2:   66 2e 0f 1f 84 00 00    nopw   %cs:0x0(%rax,%rax,1)
   9:   00 00 00
   c:   0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)
  11:   48 89 f8                mov    %rdi,%rax
  14:   48 89 f7                mov    %rsi,%rdi
  17:   48 89 d6                mov    %rdx,%rsi
  1a:   48 89 ca                mov    %rcx,%rdx
  1d:   4d 89 c2                mov    %r8,%r10
  20:   4d 89 c8                mov    %r9,%r8
  23:   4c 8b 4c 24 08          mov    0x8(%rsp),%r9
  28:   0f 05                   syscall
  2a:*  48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax         <-- trapping instruction
  30:   73 01                   jae    0x33
  32:   c3                      retq
  33:   48 8b 0d a7 54 0c 00    mov    0xc54a7(%rip),%rcx        # 0xc54e1
  3a:   f7 d8                   neg    %eax
  3c:   64 89 01                mov    %eax,%fs:(%rcx)
  3f:   48                      rex.W

Code starting with the faulting instruction
===========================================
   0:   48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax
   6:   73 01                   jae    0x9
   8:   c3                      retq
   9:   48 8b 0d a7 54 0c 00    mov    0xc54a7(%rip),%rcx        # 0xc54b7
  10:   f7 d8                   neg    %eax
  12:   64 89 01                mov    %eax,%fs:(%rcx)
  15:   48                      rex.W
To reproduce:

        # build kernel
        cd linux
        cp config-6.3.0-13165-g1f944358dbb5 .config
        make HOSTCC=clang-14 CC=clang-14 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage modules
        make HOSTCC=clang-14 CC=clang-14 ARCH=x86_64 INSTALL_MOD_PATH=<mod-install-dir> modules_install
        cd <mod-install-dir>
        find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz

        git clone https://github.com/intel/lkp-tests.git
        cd lkp-tests
        bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

        # if you come across any failure that blocks the test,
        # please remove ~/.lkp and /lkp dir to run from a clean state.