Hello,

kernel test robot noticed "BUG:kernel_NULL_pointer_dereference,address" on:

commit: 6d2ad41f48768f325a552666b71724bc40ba52c3 ("fs: allow updating idmappings")
https://git.kernel.org/cgit/linux/kernel/git/vfs/vfs.git vfs.open_tree

in testcase: boot

compiler: clang-18
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

(please refer to attached dmesg/kmsg for entire log/backtrace)


+---------------------------------------------+------------+------------+
|                                             | 2c673193e1 | 6d2ad41f48 |
+---------------------------------------------+------------+------------+
| BUG:kernel_NULL_pointer_dereference,address | 0          | 6          |
| Oops                                        | 0          | 6          |
| RIP:mnt_idmap_put                           | 0          | 6          |
| Kernel_panic-not_syncing:Fatal_exception    | 0          | 6          |
+---------------------------------------------+------------+------------+


If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@xxxxxxxxx>
| Closes: https://lore.kernel.org/oe-lkp/202406121525.65264f68-oliver.sang@xxxxxxxxx


[   15.358677][  T206] BUG: kernel NULL pointer dereference, address: 0000000000000090
[   15.359960][  T206] #PF: supervisor write access in kernel mode
[   15.360932][  T206] #PF: error_code(0x0002) - not-present page
[   15.361897][  T206] PGD 0 P4D 0
[   15.362470][  T206] Oops: Oops: 0002 [#1] SMP PTI
[   15.363270][  T206] CPU: 0 PID: 206 Comm: (crub_all) Not tainted 6.10.0-rc1-00007-g6d2ad41f4876 #1
[   15.364699][  T206] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[   15.366361][  T206] RIP: 0010:mnt_idmap_put (arch/x86/include/asm/atomic.h:93 include/linux/atomic/atomic-arch-fallback.h:949 include/linux/atomic/atomic-instrumented.h:401 include/linux/refcount.h:264 include/linux/refcount.h:307 include/linux/refcount.h:325 fs/mnt_idmapping.c:315)
[   15.367186][  T206] Code: 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 48 81 ff e8 37 c8 88 74 26 b8 ff ff ff ff <f0> 0f c1 87 90 00 00 00 83 f8 01 75 12 53 83 3f 06 73 14 83 7f 48
All code
========
   0:   1f                      (bad)
   1:   84 00                   test   %al,(%rax)
   3:   00 00                   add    %al,(%rax)
   5:   00 00                   add    %al,(%rax)
   7:   90                      nop
   8:   90                      nop
   9:   90                      nop
   a:   90                      nop
   b:   90                      nop
   c:   90                      nop
   d:   90                      nop
   e:   90                      nop
   f:   90                      nop
  10:   90                      nop
  11:   90                      nop
  12:   90                      nop
  13:   90                      nop
  14:   90                      nop
  15:   90                      nop
  16:   90                      nop
  17:   0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)
  1c:   48 81 ff e8 37 c8 88    cmp    $0xffffffff88c837e8,%rdi
  23:   74 26                   je     0x4b
  25:   b8 ff ff ff ff          mov    $0xffffffff,%eax
  2a:*  f0 0f c1 87 90 00 00    lock xadd %eax,0x90(%rdi)          <-- trapping instruction
  31:   00
  32:   83 f8 01                cmp    $0x1,%eax
  35:   75 12                   jne    0x49
  37:   53                      push   %rbx
  38:   83 3f 06                cmpl   $0x6,(%rdi)
  3b:   73 14                   jae    0x51
  3d:   83                      .byte 0x83
  3e:   7f 48                   jg     0x88

Code starting with the faulting instruction
===========================================
   0:   f0 0f c1 87 90 00 00    lock xadd %eax,0x90(%rdi)
   7:   00
   8:   83 f8 01                cmp    $0x1,%eax
   b:   75 12                   jne    0x1f
   d:   53                      push   %rbx
   e:   83 3f 06                cmpl   $0x6,(%rdi)
  11:   73 14                   jae    0x27
  13:   83                      .byte 0x83
  14:   7f 48                   jg     0x5e
[   15.370213][  T206] RSP: 0018:ffffa44d80513e20 EFLAGS: 00010217
[   15.371181][  T206] RAX: 00000000ffffffff RBX: ffff95d25d031800 RCX: ffff95d25d031858
[   15.372426][  T206] RDX: 0000000010000040 RSI: 0000000010000041 RDI: 0000000000000000
[   15.373695][  T206] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000003
[   15.374968][  T206] R10: 0000000000000018 R11: 0000000000000002 R12: 0000000000000000
[   15.376229][  T206] R13: ffff95d25d031820 R14: ffffa44d80513e70 R15: ffff95d25d031800
[   15.377492][  T206] FS:  00007fd6818e7940(0000) GS:ffff95d52fc00000(0000) knlGS:0000000000000000
[   15.378934][  T206] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   15.379980][  T206] CR2: 0000000000000090 CR3: 000000015d008000 CR4: 00000000000406f0
[   15.382019][  T206] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   15.383918][  T206] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   15.385811][  T206] Call Trace:
[   15.387072][  T206]  <TASK>
[   15.388218][  T206]  ? __die_body (arch/x86/kernel/dumpstack.c:421)
[   15.389618][  T206]  ? page_fault_oops (arch/x86/mm/fault.c:711)
[   15.391056][  T206]  ? exc_page_fault (arch/x86/include/asm/irqflags.h:37 arch/x86/include/asm/irqflags.h:72 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539)
[   15.392444][  T206]  ? asm_exc_page_fault (arch/x86/include/asm/idtentry.h:623)
[   15.393938][  T206]  ? mnt_idmap_put (arch/x86/include/asm/atomic.h:93 include/linux/atomic/atomic-arch-fallback.h:949 include/linux/atomic/atomic-instrumented.h:401 include/linux/refcount.h:264 include/linux/refcount.h:307 include/linux/refcount.h:325 fs/mnt_idmapping.c:315)
[   15.395356][  T206]  do_mount_setattr (fs/namespace.c:4388 fs/namespace.c:4528 fs/namespace.c:4607)
[   15.396817][  T206]  __se_sys_mount_setattr (fs/namespace.c:4826 fs/namespace.c:4749)
[   15.398325][  T206]  do_syscall_64 (arch/x86/entry/common.c:?)
[   15.399628][  T206]  entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[   15.401168][  T206] RIP: 0033:0x7fd68245ad6a
[   15.402449][  T206] Code: 73 01 c3 48 8b 0d 96 80 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 ba 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 66 80 0c 00 f7 d8 64 89 01 48
All code
========
   0:   73 01                   jae    0x3
   2:   c3                      retq
   3:   48 8b 0d 96 80 0c 00    mov    0xc8096(%rip),%rcx        # 0xc80a0
   a:   f7 d8                   neg    %eax
   c:   64 89 01                mov    %eax,%fs:(%rcx)
   f:   48 83 c8 ff             or     $0xffffffffffffffff,%rax
  13:   c3                      retq
  14:   66 2e 0f 1f 84 00 00    nopw   %cs:0x0(%rax,%rax,1)
  1b:   00 00 00
  1e:   66 90                   xchg   %ax,%ax
  20:   49 89 ca                mov    %rcx,%r10
  23:   b8 ba 01 00 00          mov    $0x1ba,%eax
  28:   0f 05                   syscall
  2a:*  48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax    <-- trapping instruction
  30:   73 01                   jae    0x33
  32:   c3                      retq
  33:   48 8b 0d 66 80 0c 00    mov    0xc8066(%rip),%rcx        # 0xc80a0
  3a:   f7 d8                   neg    %eax
  3c:   64 89 01                mov    %eax,%fs:(%rcx)
  3f:   48                      rex.W

Code starting with the faulting instruction
===========================================
   0:   48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax
   6:   73 01                   jae    0x9
   8:   c3                      retq
   9:   48 8b 0d 66 80 0c 00    mov    0xc8066(%rip),%rcx        # 0xc8076
  10:   f7 d8                   neg    %eax
  12:   64 89 01                mov    %eax,%fs:(%rcx)
  15:   48                      rex.W


The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20240612/202406121525.65264f68-oliver.sang@xxxxxxxxx


-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki