On Mon, 2024-08-19 at 16:23 +0800, kernel test robot wrote:
> 
> 
> Hello,
> 
> we noticed this is a "[DRAFT UNTESTED]" patch, below report just FYI what we
> observed in our tests.
> 
> 
> kernel test robot noticed "BUG:kernel_NULL_pointer_dereference,address" on:
> 
> commit: 6a0f6c435fb1bbc61b7319146c520b872bb3d86d ("[DRAFT UNTESTED] fs: try an opportunistic lookup for O_CREAT opens too")
> https://git.kernel.org/cgit/linux/kernel/git/vfs/vfs.git vfs.misc.jeff
> 

This is an earlier version of this patch. It had a bug in it where it didn't
properly check for IS_ERR returns from lookup_fast. The current version fixes
this, so I think we can disregard this report.

> in testcase: trinity
> version: trinity-x86_64-bba80411-1_20240603
> with following parameters:
> 
> 	runtime: 300s
> 	group: group-02
> 	nr_groups: 5
> 
> 
> 
> compiler: gcc-12
> test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
> 
> (please refer to attached dmesg/kmsg for entire log/backtrace)
> 
> 
> +---------------------------------------------+------------+------------+
> |                                             | 619d77cf74 | 6a0f6c435f |
> +---------------------------------------------+------------+------------+
> | boot_successes                              | 6          | 0          |
> | boot_failures                               | 0          | 6          |
> | BUG:kernel_NULL_pointer_dereference,address | 0          | 6          |
> | Oops                                        | 0          | 6          |
> | RIP:open_last_lookups                       | 0          | 6          |
> | Kernel_panic-not_syncing:Fatal_exception    | 0          | 6          |
> +---------------------------------------------+------------+------------+
> 
> 
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <oliver.sang@xxxxxxxxx>
> | Closes: https://lore.kernel.org/oe-lkp/202408191554.44eda558-lkp@xxxxxxxxx
> 
> 
> [ 67.376606][ T6760] BUG: kernel NULL pointer dereference, address: 000000000000005e
> [ 67.377423][ T6760] #PF: supervisor read access in kernel mode
> [ 67.377976][ T6760] #PF: error_code(0x0000) - not-present page
> [ 67.378502][ T6760] PGD 16b2ea067 P4D 16b2ea067 PUD 0
> [ 67.378978][ T6760] Oops: Oops: 0000 [#1] PREEMPT SMP
> [ 67.379444][ T6760] CPU: 0 UID: 65534 PID: 6760 Comm: trinity-c4 Tainted: G                T  6.11.0-rc1-00022-g6a0f6c435fb1 #1
> [ 67.380468][ T6760] Tainted: [T]=RANDSTRUCT
> [ 67.380817][ T6760] RIP: 0010:open_last_lookups (fs/namei.c:3633 fs/namei.c:3660)
> [ 67.381294][ T6760] Code: c8 03 89 47 34 48 89 df 48 89 54 24 08 e8 ee eb ff ff 8b 34 24 48 8b 54 24 08 49 89 c7 85 f6 74 50 48 85 c0 0f 84 0b 01 00 00 <48> 83 78 68 00 0f 84 f3 03 00 00 48 3d 00 f0 ff ff 77 14 8b 43 14
> All code
> ========
>    0:	c8 03 89 47          	enter  $0x8903,$0x47
>    4:	34 48                	xor    $0x48,%al
>    6:	89 df                	mov    %ebx,%edi
>    8:	48 89 54 24 08       	mov    %rdx,0x8(%rsp)
>    d:	e8 ee eb ff ff       	call   0xffffffffffffec00
>   12:	8b 34 24             	mov    (%rsp),%esi
>   15:	48 8b 54 24 08       	mov    0x8(%rsp),%rdx
>   1a:	49 89 c7             	mov    %rax,%r15
>   1d:	85 f6                	test   %esi,%esi
>   1f:	74 50                	je     0x71
>   21:	48 85 c0             	test   %rax,%rax
>   24:	0f 84 0b 01 00 00    	je     0x135
>   2a:*	48 83 78 68 00       	cmpq   $0x0,0x68(%rax)		<-- trapping instruction
>   2f:	0f 84 f3 03 00 00    	je     0x428
>   35:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
>   3b:	77 14                	ja     0x51
>   3d:	8b 43 14             	mov    0x14(%rbx),%eax
> [ 67.382823][ T6760] RSP: 0018:ffff8881a5407d20 EFLAGS: 00010286
> [ 67.383333][ T6760] RAX: fffffffffffffff6 RBX: ffff8881a5407db0 RCX: 0000000000000000
> [ 67.384026][ T6760] RDX: ffff8881a5407ed4 RSI: 0000000000000040 RDI: 0000000000000000
> [ 67.384726][ T6760] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
> [ 67.385415][ T6760] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88816b431200
> [ 67.386090][ T6760] R13: 0000000000008241 R14: ffff8881a544d9c0 R15: fffffffffffffff6
> [ 67.386767][ T6760] FS:  00007fe3bc195740(0000) GS:ffff88842fc00000(0000) knlGS:0000000000000000
> [ 67.387496][ T6760] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 67.388081][ T6760] CR2: 000000000000005e CR3: 000000016b376000 CR4: 00000000000406f0
> [ 67.388799][ T6760] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 67.389519][ T6760] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [ 67.390229][ T6760] Call Trace:
> [ 67.390532][ T6760]  <TASK>
> [ 67.390796][ T6760] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)
> [ 67.391153][ T6760] ? page_fault_oops (arch/x86/mm/fault.c:715)
> [ 67.391591][ T6760] ? exc_page_fault (arch/x86/include/asm/paravirt.h:687 arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539)
> [ 67.392027][ T6760] ? asm_exc_page_fault (arch/x86/include/asm/idtentry.h:623)
> [ 67.392485][ T6760] ? open_last_lookups (fs/namei.c:3633 fs/namei.c:3660)
> [ 67.392930][ T6760] ? link_path_walk+0x247/0x280
> [ 67.393496][ T6760] path_openat (fs/namei.c:3942 (discriminator 1))
> [ 67.393876][ T6760] do_filp_open (fs/namei.c:3972)
> [ 67.394267][ T6760] ? simple_attr_release (fs/libfs.c:1617)
> [ 67.394754][ T6760] ? alloc_fd (fs/file.c:560 (discriminator 10))
> [ 67.395155][ T6760] ? lock_release (kernel/locking/lockdep.c:466 kernel/locking/lockdep.c:5782)
> [ 67.395585][ T6760] do_sys_openat2 (fs/open.c:1416)
> [ 67.396012][ T6760] __x64_sys_openat (fs/open.c:1442)
> [ 67.396453][ T6760] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
> [ 67.396873][ T6760] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
> [ 67.397426][ T6760] RIP: 0033:0x7fe3bc28ff01
> [ 67.399602][ T6760] RSP: 002b:00007ffdc391cab0 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
> [ 67.400397][ T6760] RAX: ffffffffffffffda RBX: 0000000000000241 RCX: 00007fe3bc28ff01
> [ 67.401128][ T6760] RDX: 0000000000000241 RSI: 000055acb903417a RDI: 00000000ffffff9c
> [ 67.401835][ T6760] RBP: 000055acb903417a R08: 0000000000000004 R09: 0000000000000001
> [ 67.402551][ T6760] R10: 00000000000001b6 R11: 0000000000000202 R12: 000055acb903417a
> [ 67.403261][ T6760] R13: 000055acb903cfa2 R14: 0000000000000001 R15: 0000000000000000
> [ 67.403999][ T6760]  </TASK>
> [ 67.404281][ T6760] Modules linked in: crc32_pclmul crc32c_intel polyval_clmulni polyval_generic ghash_clmulni_intel sha1_ssse3 ipmi_msghandler serio_raw
> [ 67.405542][ T6760] CR2: 000000000000005e
> [ 67.405992][ T6760] ---[ end trace 0000000000000000 ]---
> [ 67.406504][ T6760] RIP: 0010:open_last_lookups (fs/namei.c:3633 fs/namei.c:3660)
> 
> 
> The kernel config and materials to reproduce are available at:
> https://download.01.org/0day-ci/archive/20240819/202408191554.44eda558-lkp@xxxxxxxxx
> 
> 

-- 
Jeff Layton <jlayton@xxxxxxxxxx>
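As an added illustration (not code from the patch, the robot's report or the kernel tree), the following userspace model of the kernel's ERR_PTR/IS_ERR convention reproduces the arithmetic behind the faulting address: RAX = 0xfffffffffffffff6 is -10, i.e. ERR_PTR(-ECHILD) on Linux; the trapping instruction reads 0x68(%rax) guarded only by the preceding NULL test (the IS_ERR compare against 0xfffffffffffff000 comes after it); and 0xfffffffffffffff6 + 0x68 wraps to 0x5e, the CR2 value in the oops. The dentry layout, the field offset and the behaviour of model_lookup_fast are assumptions for the demonstration.

```c
/* Added illustration, not code from the patch or the kernel: a userspace
 * model of the kernel's ERR_PTR/IS_ERR convention. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define MAX_ERRNO 4095UL  /* kernel's bound: the top 4095 addresses encode errnos */
static void *ERR_PTR(long err) { return (void *)err; }
static long PTR_ERR(const void *p) { return (long)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

/* Hypothetical dentry stand-in; d_inode is placed at 0x68 to match the
 * 0x68(%rax) operand of the trapping instruction in the report. */
struct fake_dentry { unsigned char pad[0x68]; void *d_inode; };

/* Hypothetical lookup: cached hit for names starting with 'h', otherwise
 * ERR_PTR(-ECHILD), the value seen in RAX in the oops. */
static struct fake_dentry *model_lookup_fast(const char *name) {
    static struct fake_dentry cached = { .d_inode = (void *)1 };
    return name[0] == 'h' ? &cached : ERR_PTR(-ECHILD);
}

/* Address a load of a field at field_offset through ERR_PTR(err) would touch. */
uintptr_t fault_address_for(long err, size_t field_offset) {
    return (uintptr_t)ERR_PTR(err) + field_offset;
}

/* Buggy shape: only a NULL test guards the dereference, so an ERR_PTR slips
 * through. Returns the address that would be read instead of reading it. */
uintptr_t buggy_path_would_read(const char *name) {
    struct fake_dentry *d = model_lookup_fast(name);
    if (!d)
        return 0;
    return (uintptr_t)d + offsetof(struct fake_dentry, d_inode);
}

/* Fixed shape: IS_ERR before the dereference. Returns -errno on error,
 * otherwise 1 if the dentry has an inode and 0 if it is negative. */
long fixed_path(const char *name) {
    struct fake_dentry *d = model_lookup_fast(name);
    if (IS_ERR(d))
        return PTR_ERR(d);
    return d->d_inode != NULL;
}

int main(void) {
    printf("ERR_PTR(-ECHILD) + 0x68 = %#lx\n",
           (unsigned long)fault_address_for(-ECHILD, 0x68));  /* 0x5e */
    return 0;
}
```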