On Wed, Aug 28, 2024 at 12:42:43PM GMT, kernel test robot wrote:
>
>
> Hello,
>
> kernel test robot noticed "BUG:kernel_NULL_pointer_dereference,address" on:
>
> commit: 131e4ef350fae9d7bb5077330f4a7805d429d4b7 ("mm: change failure of MAP_FIXED to restoring the gap on failure")
> https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
>
> [test failed on linux-next/master 6f923748057a4f6aa187e0d5b22990d633a48d12]
>
> in testcase: trinity
> version:
> with following parameters:
>
> 	runtime: 300s
> 	group: group-03
> 	nr_groups: 5
>
>
>
> compiler: gcc-12
> test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
>
> (please refer to attached dmesg/kmsg for entire log/backtrace)
>
>
> +-------------------------------------------------------+------------+------------+
> |                                                       | 80cb1398c2 | 131e4ef350 |
> +-------------------------------------------------------+------------+------------+
> | BUG:kernel_NULL_pointer_dereference,address           | 0          | 12         |
> | Oops:Oops:#[##]                                       | 0          | 12         |
> | EIP:mmap_region                                       | 0          | 12         |
> | Kernel_panic-not_syncing:Fatal_exception              | 0          | 12         |
> +-------------------------------------------------------+------------+------------+
>

This looks to be the already fixed [0] as the stack trace winds up in
vms_abort_munmap_vmas() at precisely the line you'd expect.

So this is already fixed!

[0]: https://lore.kernel.org/all/20240827225835.857A6C4E674@xxxxxxxxxxxxxxx/

> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <oliver.sang@xxxxxxxxx>
> | Closes: https://lore.kernel.org/oe-lkp/202408281008.b26bed01-lkp@xxxxxxxxx
>
>
> [   36.945736][ T3519] BUG: kernel NULL pointer dereference, address: 00000000
> [   36.947543][ T3519] #PF: supervisor read access in kernel mode
> [   36.948751][ T3519] #PF: error_code(0x0000) - not-present page
> [   36.950005][ T3519] *pde = 00000000
> [   36.951050][ T3519] Oops: Oops: 0000 [#1]
> [   36.952388][ T3519] CPU: 0 UID: 0 PID: 3519 Comm: trinity-main Not tainted 6.11.0-rc4-00360-g131e4ef350fa #1
> [   36.955401][ T3519] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> [   36.958508][ T3519] EIP: mmap_region (mm/vma.h:90 mm/vma.h:187 mm/mmap.c:1625)
> [   36.959891][ T3519] Code: ff 8b 85 0c ff ff ff 85 c0 0f 85 17 01 00 00 8b 45 a8 85 c0 0f 84 8e fe ff ff 80 7d c1 00 0f 85 07 02 00 00 8b 9d 7c ff ff ff <a1> 00 00 00 00 83 7b 1c 01 74 0a 3b 43 04 72 49 39 43 08 72 44 8b
> [   36.965467][ T3519] EAX: 00000001 EBX: ec941df4 ECX: 0003d5a1 EDX: 0003d5a0
> [   36.967583][ T3519] ESI: ecbf3090 EDI: ffffffed EBP: ec941ea0 ESP: ec941d94
> [   36.969628][ T3519] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068 EFLAGS: 00010246
> [   36.972151][ T3519] CR0: 80050033 CR2: 00000000 CR3: 2c027000 CR4: 00040690
> [   36.976717][ T3519] Call Trace:
> [   36.978114][ T3519]  ? show_regs (arch/x86/kernel/dumpstack.c:479)
> [   36.979568][ T3519]  ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)
> [   36.980890][ T3519]  ? debug_locks_off (lib/debug_locks.c:44)
> [   36.982519][ T3519]  ? oops_enter (kernel/panic.c:624 kernel/panic.c:682)
> [   36.983919][ T3519]  ? page_fault_oops (arch/x86/mm/fault.c:715)
> [   36.985598][ T3519]  ? kernelmode_fixup_or_oops+0x68/0x7c
> [   36.987717][ T3519]  ? __bad_area_nosemaphore+0x11d/0x1fc
> [   36.989674][ T3519]  ? search_extable (lib/extable.c:118)
> [   36.991264][ T3519]  ? search_module_extables (kernel/module/main.c:3277)
> [   36.992945][ T3519]  ? mmap_region (mm/vma.h:90 mm/vma.h:187 mm/mmap.c:1625)
> [   36.994489][ T3519]  ? search_exception_tables (kernel/extable.c:64)
> [   36.996215][ T3519]  ? lock_mm_and_find_vma (mm/memory.c:5883 mm/memory.c:5938)
> [   36.997911][ T3519]  ? bad_area_nosemaphore (arch/x86/mm/fault.c:835)
> [   36.999481][ T3519]  ? do_user_addr_fault (arch/x86/mm/fault.c:1452)
> [   37.001030][ T3519]  ? exc_page_fault (arch/x86/include/asm/irqflags.h:26 arch/x86/include/asm/irqflags.h:87 arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539)
> [   37.002529][ T3519]  ? pvclock_clocksource_read_nowd (arch/x86/mm/fault.c:1494)
> [   37.004196][ T3519]  ? handle_exception (arch/x86/entry/entry_32.S:1047)
> [   37.005567][ T3519]  ? alloc_pages_bulk_noprof (mm/page_alloc.c:4528)
> [   37.007193][ T3519]  ? pvclock_clocksource_read_nowd (arch/x86/mm/fault.c:1494)
> [   37.008933][ T3519]  ? mmap_region (mm/vma.h:90 mm/vma.h:187 mm/mmap.c:1625)

This is:

In mm/vma.h:

static inline void vms_abort_munmap_vmas(struct vma_munmap_struct *vms,
		struct ma_state *mas_detach)
{
	...
	if (unlikely(vma_iter_store_gfp(vms->vmi, NULL, GFP_KERNEL))) { <--- here
	...
}

In mm/mmap.c:

unsigned long mmap_region(struct file *file, unsigned long addr,
		unsigned long len, vm_flags_t vm_flags, unsigned long pgoff,
		struct list_head *uf)
{
	...
abort_munmap:
	vms_abort_munmap_vmas(&vms, &mas_detach); <---- here
	...
}

> [   37.010396][ T3519]  ? pvclock_clocksource_read_nowd (arch/x86/mm/fault.c:1494)
> [   37.012303][ T3519]  ? mmap_region (mm/vma.h:90 mm/vma.h:187 mm/mmap.c:1625)
> [   37.013810][ T3519]  ? mas_prev_slot (lib/maple_tree.c:760 lib/maple_tree.c:4553)
> [   37.015420][ T3519]  do_mmap (mm/mmap.c:495)
> [   37.016772][ T3519]  vm_mmap_pgoff (mm/util.c:588)
> [   37.018235][ T3519]  ksys_mmap_pgoff (mm/mmap.c:541)
> [   37.019761][ T3519]  __ia32_sys_mmap_pgoff (mm/mmap.c:548)
> [   37.021406][ T3519]  ia32_sys_call (arch/x86/entry/syscall_32.c:44)
> [   37.022995][ T3519]  __do_fast_syscall_32 (arch/x86/entry/common.c:165 arch/x86/entry/common.c:386)
> [   37.024620][ T3519]  do_fast_syscall_32 (arch/x86/entry/common.c:411)
> [   37.026203][ T3519]  do_SYSENTER_32 (arch/x86/entry/common.c:450)
> [   37.027715][ T3519]  entry_SYSENTER_32 (arch/x86/entry/entry_32.S:836)
> [   37.029275][ T3519] EIP: 0xb7ff1579
> [   37.030483][ T3519] Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90 8d 76
>
>
> The kernel config and materials to reproduce are available at:
> https://download.01.org/0day-ci/archive/20240828/202408281008.b26bed01-lkp@xxxxxxxxx
>
>
>
> --
> 0-DAY CI Kernel Test Service
> https://github.com/intel/lkp-tests/wiki
>