Hello,

we noticed this is a "[DRAFT UNTESTED]" patch; the report below is just FYI
what we observed in our tests.

kernel test robot noticed "BUG:kernel_NULL_pointer_dereference,address" on:

commit: 6a0f6c435fb1bbc61b7319146c520b872bb3d86d ("[DRAFT UNTESTED] fs: try an opportunistic lookup for O_CREAT opens too")
https://git.kernel.org/cgit/linux/kernel/git/vfs/vfs.git vfs.misc.jeff

in testcase: trinity
version: trinity-x86_64-bba80411-1_20240603
with the following parameters:

	runtime: 300s
	group: group-02
	nr_groups: 5

compiler: gcc-12
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

(please refer to attached dmesg/kmsg for entire log/backtrace)

+---------------------------------------------+------------+------------+
|                                             | 619d77cf74 | 6a0f6c435f |
+---------------------------------------------+------------+------------+
| boot_successes                              | 6          | 0          |
| boot_failures                               | 0          | 6          |
| BUG:kernel_NULL_pointer_dereference,address | 0          | 6          |
| Oops                                        | 0          | 6          |
| RIP:open_last_lookups                       | 0          | 6          |
| Kernel_panic-not_syncing:Fatal_exception    | 0          | 6          |
+---------------------------------------------+------------+------------+

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <oliver.sang@xxxxxxxxx>
| Closes: https://lore.kernel.org/oe-lkp/202408191554.44eda558-lkp@xxxxxxxxx

[   67.376606][ T6760] BUG: kernel NULL pointer dereference, address: 000000000000005e
[   67.377423][ T6760] #PF: supervisor read access in kernel mode
[   67.377976][ T6760] #PF: error_code(0x0000) - not-present page
[   67.378502][ T6760] PGD 16b2ea067 P4D 16b2ea067 PUD 0
[   67.378978][ T6760] Oops: Oops: 0000 [#1] PREEMPT SMP
[   67.379444][ T6760] CPU: 0 UID: 65534 PID: 6760 Comm: trinity-c4 Tainted: G                T  6.11.0-rc1-00022-g6a0f6c435fb1 #1
[   67.380468][ T6760] Tainted: [T]=RANDSTRUCT
[   67.380817][ T6760] RIP: 0010:open_last_lookups (fs/namei.c:3633 fs/namei.c:3660)
[   67.381294][ T6760] Code: c8 03 89 47 34 48 89 df 48 89 54 24 08 e8 ee eb ff ff 8b 34 24 48 8b 54 24 08 49 89 c7 85 f6 74 50 48 85 c0 0f 84 0b 01 00 00 <48> 83 78 68 00 0f 84 f3 03 00 00 48 3d 00 f0 ff ff 77 14 8b 43 14
All code
========
   0:   c8 03 89 47             enter  $0x8903,$0x47
   4:   34 48                   xor    $0x48,%al
   6:   89 df                   mov    %ebx,%edi
   8:   48 89 54 24 08          mov    %rdx,0x8(%rsp)
   d:   e8 ee eb ff ff          call   0xffffffffffffec00
  12:   8b 34 24                mov    (%rsp),%esi
  15:   48 8b 54 24 08          mov    0x8(%rsp),%rdx
  1a:   49 89 c7                mov    %rax,%r15
  1d:   85 f6                   test   %esi,%esi
  1f:   74 50                   je     0x71
  21:   48 85 c0                test   %rax,%rax
  24:   0f 84 0b 01 00 00       je     0x135
  2a:*  48 83 78 68 00          cmpq   $0x0,0x68(%rax)          <-- trapping instruction
  2f:   0f 84 f3 03 00 00       je     0x428
  35:   48 3d 00 f0 ff ff       cmp    $0xfffffffffffff000,%rax
  3b:   77 14                   ja     0x51
  3d:   8b 43 14                mov    0x14(%rbx),%eax

Code starting with the faulting instruction
===========================================
   0:   48 83 78 68 00          cmpq   $0x0,0x68(%rax)
   5:   0f 84 f3 03 00 00       je     0x3fe
   b:   48 3d 00 f0 ff ff       cmp    $0xfffffffffffff000,%rax
  11:   77 14                   ja     0x27
  13:   8b 43 14                mov    0x14(%rbx),%eax
[   67.382823][ T6760] RSP: 0018:ffff8881a5407d20 EFLAGS: 00010286
[   67.383333][ T6760] RAX: fffffffffffffff6 RBX: ffff8881a5407db0 RCX: 0000000000000000
[   67.384026][ T6760] RDX: ffff8881a5407ed4 RSI: 0000000000000040 RDI: 0000000000000000
[   67.384726][ T6760] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   67.385415][ T6760] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88816b431200
[   67.386090][ T6760] R13: 0000000000008241 R14: ffff8881a544d9c0 R15: fffffffffffffff6
[   67.386767][ T6760] FS:  00007fe3bc195740(0000) GS:ffff88842fc00000(0000) knlGS:0000000000000000
[   67.387496][ T6760] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   67.388081][ T6760] CR2: 000000000000005e CR3: 000000016b376000 CR4: 00000000000406f0
[   67.388799][ T6760] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   67.389519][ T6760] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   67.390229][ T6760] Call Trace:
[   67.390532][ T6760]  <TASK>
[   67.390796][ T6760] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)
[   67.391153][ T6760] ? page_fault_oops (arch/x86/mm/fault.c:715)
[   67.391591][ T6760] ? exc_page_fault (arch/x86/include/asm/paravirt.h:687 arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539)
[   67.392027][ T6760] ? asm_exc_page_fault (arch/x86/include/asm/idtentry.h:623)
[   67.392485][ T6760] ? open_last_lookups (fs/namei.c:3633 fs/namei.c:3660)
[   67.392930][ T6760] ? link_path_walk+0x247/0x280
[   67.393496][ T6760] path_openat (fs/namei.c:3942 (discriminator 1))
[   67.393876][ T6760] do_filp_open (fs/namei.c:3972)
[   67.394267][ T6760] ? simple_attr_release (fs/libfs.c:1617)
[   67.394754][ T6760] ? alloc_fd (fs/file.c:560 (discriminator 10))
[   67.395155][ T6760] ? lock_release (kernel/locking/lockdep.c:466 kernel/locking/lockdep.c:5782)
[   67.395585][ T6760] do_sys_openat2 (fs/open.c:1416)
[   67.396012][ T6760] __x64_sys_openat (fs/open.c:1442)
[   67.396453][ T6760] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[   67.396873][ T6760] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[   67.397426][ T6760] RIP: 0033:0x7fe3bc28ff01
[   67.397838][ T6760] Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d ea 26 0e 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 93 00 00 00 48 8b 54 24 28 64 48 2b 14 25
All code
========
   0:   75 57                   jne    0x59
   2:   89 f0                   mov    %esi,%eax
   4:   25 00 00 41 00          and    $0x410000,%eax
   9:   3d 00 00 41 00          cmp    $0x410000,%eax
   e:   74 49                   je     0x59
  10:   80 3d ea 26 0e 00 00    cmpb   $0x0,0xe26ea(%rip)        # 0xe2701
  17:   74 6d                   je     0x86
  19:   89 da                   mov    %ebx,%edx
  1b:   48 89 ee                mov    %rbp,%rsi
  1e:   bf 9c ff ff ff          mov    $0xffffff9c,%edi
  23:   b8 01 01 00 00          mov    $0x101,%eax
  28:   0f 05                   syscall
  2a:*  48 3d 00 f0 ff ff       cmp    $0xfffffffffffff000,%rax         <-- trapping instruction
  30:   0f 87 93 00 00 00       ja     0xc9
  36:   48 8b 54 24 28          mov    0x28(%rsp),%rdx
  3b:   64                      fs
  3c:   48                      rex.W
  3d:   2b                      .byte 0x2b
  3e:   14 25                   adc    $0x25,%al

Code starting with the faulting instruction
===========================================
   0:   48 3d 00 f0 ff ff       cmp    $0xfffffffffffff000,%rax
   6:   0f 87 93 00 00 00       ja     0x9f
   c:   48 8b 54 24 28          mov    0x28(%rsp),%rdx
  11:   64                      fs
  12:   48                      rex.W
  13:   2b                      .byte 0x2b
  14:   14 25                   adc    $0x25,%al
[   67.399602][ T6760] RSP: 002b:00007ffdc391cab0 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
[   67.400397][ T6760] RAX: ffffffffffffffda RBX: 0000000000000241 RCX: 00007fe3bc28ff01
[   67.401128][ T6760] RDX: 0000000000000241 RSI: 000055acb903417a RDI: 00000000ffffff9c
[   67.401835][ T6760] RBP: 000055acb903417a R08: 0000000000000004 R09: 0000000000000001
[   67.402551][ T6760] R10: 00000000000001b6 R11: 0000000000000202 R12: 000055acb903417a
[   67.403261][ T6760] R13: 000055acb903cfa2 R14: 0000000000000001 R15: 0000000000000000
[   67.403999][ T6760]  </TASK>
[   67.404281][ T6760] Modules linked in: crc32_pclmul crc32c_intel polyval_clmulni polyval_generic ghash_clmulni_intel sha1_ssse3 ipmi_msghandler serio_raw
[   67.405542][ T6760] CR2: 000000000000005e
[   67.405992][ T6760] ---[ end trace 0000000000000000 ]---
[   67.406504][ T6760] RIP: 0010:open_last_lookups (fs/namei.c:3633 fs/namei.c:3660)
[   67.406987][ T6760] Code: c8 03 89 47 34 48 89 df 48 89 54 24 08 e8 ee eb ff ff 8b 34 24 48 8b 54 24 08 49 89 c7 85 f6 74 50 48 85 c0 0f 84 0b 01 00 00 <48> 83 78 68 00 0f 84 f3 03 00 00 48 3d 00 f0 ff ff 77 14 8b 43 14
All code
========
   0:   c8 03 89 47             enter  $0x8903,$0x47
   4:   34 48                   xor    $0x48,%al
   6:   89 df                   mov    %ebx,%edi
   8:   48 89 54 24 08          mov    %rdx,0x8(%rsp)
   d:   e8 ee eb ff ff          call   0xffffffffffffec00
  12:   8b 34 24                mov    (%rsp),%esi
  15:   48 8b 54 24 08          mov    0x8(%rsp),%rdx
  1a:   49 89 c7                mov    %rax,%r15
  1d:   85 f6                   test   %esi,%esi
  1f:   74 50                   je     0x71
  21:   48 85 c0                test   %rax,%rax
  24:   0f 84 0b 01 00 00       je     0x135
  2a:*  48 83 78 68 00          cmpq   $0x0,0x68(%rax)          <-- trapping instruction
  2f:   0f 84 f3 03 00 00       je     0x428
  35:   48 3d 00 f0 ff ff       cmp    $0xfffffffffffff000,%rax
  3b:   77 14                   ja     0x51
  3d:   8b 43 14                mov    0x14(%rbx),%eax

Code starting with the faulting instruction
===========================================
   0:   48 83 78 68 00          cmpq   $0x0,0x68(%rax)
   5:   0f 84 f3 03 00 00       je     0x3fe
   b:   48 3d 00 f0 ff ff       cmp    $0xfffffffffffff000,%rax
  11:   77 14                   ja     0x27
  13:   8b 43 14                mov    0x14(%rbx),%eax

The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20240819/202408191554.44eda558-lkp@xxxxxxxxx

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
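Decoding the register state in the oops above, as an added example that is not part of the 0-day report or of the patch under test. It re-implements the ERR_PTR/IS_ERR convention from the kernel's include/linux/err.h in plain userspace C and feeds it the three values the dump prints: RAX (fffffffffffffff6), the 0x68 displacement of the trapping `cmpq $0x0,0x68(%rax)`, and CR2 (5e). That RAX holds ERR_PTR(-ECHILD) and that the "NULL" fault address is simply -10 + 0x68 is my reading of those values; the disassembly shows a plain `test %rax,%rax; je` before the trapping instruction and the `cmp $0xfffffffffffff000,%rax; ja` error-pointer test only after it, which is consistent with that reading, but the report itself does not name a root cause. Which struct field sits at offset 0x68 cannot be told from this dump because the kernel is tainted with RANDSTRUCT.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* include/linux/err.h convention: the top MAX_ERRNO bytes of the address
 * space are never valid, so a "pointer" >= (unsigned long)-MAX_ERRNO is an
 * encoded negative errno.  This is the check the compiler emitted in the
 * oops as "cmp $0xfffffffffffff000,%rax ; ja" (strictly above 0x..f000 is
 * the same test as >= 0x..f001 == (uint64_t)-4095). */
#define MAX_ERRNO 4095ULL

static bool is_err(uint64_t p)  { return p >= (uint64_t)-MAX_ERRNO; }
static long ptr_err(uint64_t p) { return (long)(int64_t)p; }

/* Constructed input: the values copied from the oops above. */
#define OOPS_RAX  0xfffffffffffffff6ULL  /* RAX: fffffffffffffff6 */
#define OOPS_DISP 0x68ULL                /* cmpq $0x0,0x68(%rax) */
#define OOPS_CR2  0x5eULL                /* CR2: 000000000000005e */

struct fault_decode {
    bool     err_encoded; /* RAX is an ERR_PTR rather than NULL or a real address */
    long     err;         /* decoded negative errno when err_encoded */
    uint64_t fault_addr;  /* RAX + displacement, mod 2^64 */
};

/* Explain a "cmpq $imm,disp(%reg)" page fault from the register value and
 * the displacement.  Unsigned 64-bit addition wraps, which is exactly why
 * an ERR_PTR plus a small field offset lands at a small positive address
 * that the kernel then reports as a NULL pointer dereference. */
static struct fault_decode decode_fault(uint64_t reg, uint64_t disp)
{
    struct fault_decode d;
    d.err_encoded = is_err(reg);
    d.err = d.err_encoded ? ptr_err(reg) : 0;
    d.fault_addr = reg + disp;
    return d;
}

/* True when the decoded fault address equals the CR2 the kernel printed,
 * i.e. the small fault address is fully explained by an ERR_PTR deref. */
static bool oops_explained_by_err_ptr(void)
{
    struct fault_decode d = decode_fault(OOPS_RAX, OOPS_DISP);
    return d.err_encoded && d.fault_addr == OOPS_CR2;
}

static long oops_errno(void)
{
    return decode_fault(OOPS_RAX, OOPS_DISP).err;
}

/* The two guard styles.  A bare NULL test is what the disassembly shows
 * before the trapping instruction ("test %rax,%rax ; je"); it lets an
 * ERR_PTR through to the field access.  Testing IS_ERR_OR_NULL first
 * does not. */
static bool null_only_guard_allows_deref(uint64_t p)      { return p != 0; }
static bool is_err_or_null_guard_allows_deref(uint64_t p) { return p != 0 && !is_err(p); }

int main(void)
{
    struct fault_decode d = decode_fault(OOPS_RAX, OOPS_DISP);

    printf("RAX=0x%016llx is %s\n", (unsigned long long)OOPS_RAX,
           d.err_encoded ? "an ERR_PTR" : "a plain pointer");
    if (d.err_encoded)
        printf("  errno %ld (%s)\n", -d.err, strerror((int)-d.err));
    printf("  RAX + 0x%llx = 0x%llx, CR2 = 0x%llx -> %s\n",
           (unsigned long long)OOPS_DISP, (unsigned long long)d.fault_addr,
           (unsigned long long)OOPS_CR2,
           d.fault_addr == OOPS_CR2 ? "match" : "mismatch");
    printf("  NULL-only guard would dereference: %s\n",
           null_only_guard_allows_deref(OOPS_RAX) ? "yes" : "no");
    printf("  IS_ERR_OR_NULL guard would dereference: %s\n",
           is_err_or_null_guard_allows_deref(OOPS_RAX) ? "yes" : "no");
    return 0;
}
```

The practical check when reading any "NULL pointer dereference, address: 0x0000..00XX" oops is the same one `decode_fault` performs: take the register the trapping instruction indexes, see whether it is in the top 4095 bytes of the address space, and add the displacement. If that reproduces CR2, the bug is an unchecked error pointer, not a genuine NULL, and the fix is an IS_ERR (or IS_ERR_OR_NULL) test before the first field access.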