Hello,

kernel test robot noticed "BUG:kernel_NULL_pointer_dereference,address" on:

commit: b4cd894093d32204e911d4bac07fbbe7cd9e60ce ("scsi: core: Introduce a mechanism for reordering requests in the error handler")
https://github.com/bvanassche/linux block-for-next

in testcase: boot

compiler: gcc-12
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

(please refer to attached dmesg/kmsg for entire log/backtrace)


+---------------------------------------------+------------+------------+
|                                             | 15dcd22cb3 | b4cd894093 |
+---------------------------------------------+------------+------------+
| boot_successes                              | 19         | 0          |
| boot_failures                               | 0          | 20         |
| BUG:kernel_NULL_pointer_dereference,address | 0          | 20         |
| Oops:#[##]                                  | 0          | 20         |
| RIP:scsi_call_prepare_resubmit              | 0          | 20         |
| Kernel_panic-not_syncing:Fatal_exception    | 0          | 20         |
+---------------------------------------------+------------+------------+


If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@xxxxxxxxx>
| Closes: https://lore.kernel.org/oe-lkp/202308291549.d323e980-oliver.sang@xxxxxxxxx


[    6.360846][  T118] BUG: kernel NULL pointer dereference, address: 00000000000000c0
[    6.361947][  T118] #PF: supervisor read access in kernel mode
[    6.362752][  T118] #PF: error_code(0x0000) - not-present page
[    6.363560][  T118] PGD 800000035271b067 P4D 800000035271b067 PUD 0
[    6.364435][  T118] Oops: 0000 [#1] SMP PTI
[    6.365052][  T118] CPU: 0 PID: 118 Comm: scsi_eh_1 Not tainted 6.5.0-rc7-00153-gb4cd894093d3 #1
[    6.366200][  T118] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[    6.367514][  T118] RIP: 0010:scsi_call_prepare_resubmit (drivers/scsi/scsi_error.c:2200 drivers/scsi/scsi_error.c:2226)
[    6.368392][  T118] Code: 83 ec 20 65 48 8b 04 25 28 00 00 00 48 89 44 24 18 48 8b 07 48 39 c7 74 36 48 89 fd 48 8d 58 f8 48 8b 03 48 8b 80 20 02 00 00 <48> 8b 80 c0 00 00 00 48 85 c0 74 0c 48 89 df e8 c2 f6 59 00 84 c0
All code
========
   0:   83 ec 20                sub    $0x20,%esp
   3:   65 48 8b 04 25 28 00    mov    %gs:0x28,%rax
   a:   00 00
   c:   48 89 44 24 18          mov    %rax,0x18(%rsp)
  11:   48 8b 07                mov    (%rdi),%rax
  14:   48 39 c7                cmp    %rax,%rdi
  17:   74 36                   je     0x4f
  19:   48 89 fd                mov    %rdi,%rbp
  1c:   48 8d 58 f8             lea    -0x8(%rax),%rbx
  20:   48 8b 03                mov    (%rbx),%rax
  23:   48 8b 80 20 02 00 00    mov    0x220(%rax),%rax
  2a:*  48 8b 80 c0 00 00 00    mov    0xc0(%rax),%rax          <-- trapping instruction
  31:   48 85 c0                test   %rax,%rax
  34:   74 0c                   je     0x42
  36:   48 89 df                mov    %rbx,%rdi
  39:   e8 c2 f6 59 00          callq  0x59f700
  3e:   84 c0                   test   %al,%al

Code starting with the faulting instruction
===========================================
   0:   48 8b 80 c0 00 00 00    mov    0xc0(%rax),%rax
   7:   48 85 c0                test   %rax,%rax
   a:   74 0c                   je     0x18
   c:   48 89 df                mov    %rbx,%rdi
   f:   e8 c2 f6 59 00          callq  0x59f6d6
  14:   84 c0                   test   %al,%al
[    6.370771][  T118] RSP: 0000:ffffb19a40493df0 EFLAGS: 00010202
[    6.371593][  T118] RAX: 0000000000000000 RBX: ffff9aa0177120f8 RCX: 0000000000000000
[    6.372648][  T118] RDX: 0000000000000000 RSI: 0000000000000206 RDI: ffff9aa01829bd80
[    6.373707][  T118] RBP: ffff9aa01829bd80 R08: 0000000000000000 R09: 0000000000000000
[    6.374741][  T118] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[    6.375790][  T118] R13: ffff9aa01829bd80 R14: 0000000000000206 R15: 0000000000000000
[    6.376909][  T118] FS:  0000000000000000(0000) GS:ffff9aa32fc00000(0000) knlGS:0000000000000000
[    6.378126][  T118] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    6.378965][  T118] CR2: 00000000000000c0 CR3: 0000000116d94000 CR4: 00000000000406f0
[    6.380007][  T118] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[    6.385149][  T118] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[    6.386254][  T118] Call Trace:
[    6.386808][  T118]  <TASK>
[    6.387282][  T118] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)
[    6.387845][  T118] ? page_fault_oops (arch/x86/mm/fault.c:707)
[    6.388500][  T118] ? exc_page_fault (arch/x86/include/asm/irqflags.h:37 arch/x86/include/asm/irqflags.h:72 arch/x86/mm/fault.c:1494 arch/x86/mm/fault.c:1542)
[    6.389166][  T118] ? asm_exc_page_fault (arch/x86/include/asm/idtentry.h:570)
[    6.389872][  T118] ? scsi_call_prepare_resubmit (drivers/scsi/scsi_error.c:2200 drivers/scsi/scsi_error.c:2226)
[    6.390643][  T118] scsi_eh_flush_done_q (drivers/scsi/scsi_error.c:2262)
[    6.391338][  T118] ata_scsi_port_error_handler (drivers/ata/libata-eh.c:754) libata
[    6.397364][  T118] ? __pfx_scsi_error_handler (drivers/scsi/scsi_error.c:2345)
[    6.398111][  T118] ata_scsi_error (include/linux/list.h:292 drivers/ata/libata-eh.c:549) libata
[    6.398877][  T118] scsi_error_handler (drivers/scsi/scsi_error.c:2402)
[    6.399561][  T118] kthread (kernel/kthread.c:389)
[    6.400139][  T118] ? __pfx_kthread (kernel/kthread.c:342)
[    6.400778][  T118] ret_from_fork (arch/x86/kernel/process.c:151)
[    6.401411][  T118] ? __pfx_kthread (kernel/kthread.c:342)
[    6.402051][  T118] ret_from_fork_asm (arch/x86/entry/entry_64.S:312)
[    6.402716][  T118]  </TASK>
[    6.403190][  T118] Modules linked in: ppdev rapl drm_kms_helper drm_ttm_helper ata_piix ttm parport_pc parport joydev drm libata serio_raw i2c_piix4
[    6.404866][  T118] CR2: 00000000000000c0
[    6.405461][  T118] ---[ end trace 0000000000000000 ]---
[    6.406196][  T118] RIP: 0010:scsi_call_prepare_resubmit (drivers/scsi/scsi_error.c:2200 drivers/scsi/scsi_error.c:2226)
[    6.407046][  T118] Code: 83 ec 20 65 48 8b 04 25 28 00 00 00 48 89 44 24 18 48 8b 07 48 39 c7 74 36 48 89 fd 48 8d 58 f8 48 8b 03 48 8b 80 20 02 00 00 <48> 8b 80 c0 00 00 00 48 85 c0 74 0c 48 89 df e8 c2 f6 59 00 84 c0
All code
========
   0:   83 ec 20                sub    $0x20,%esp
   3:   65 48 8b 04 25 28 00    mov    %gs:0x28,%rax
   a:   00 00
   c:   48 89 44 24 18          mov    %rax,0x18(%rsp)
  11:   48 8b 07                mov    (%rdi),%rax
  14:   48 39 c7                cmp    %rax,%rdi
  17:   74 36                   je     0x4f
  19:   48 89 fd                mov    %rdi,%rbp
  1c:   48 8d 58 f8             lea    -0x8(%rax),%rbx
  20:   48 8b 03                mov    (%rbx),%rax
  23:   48 8b 80 20 02 00 00    mov    0x220(%rax),%rax
  2a:*  48 8b 80 c0 00 00 00    mov    0xc0(%rax),%rax          <-- trapping instruction
  31:   48 85 c0                test   %rax,%rax
  34:   74 0c                   je     0x42
  36:   48 89 df                mov    %rbx,%rdi
  39:   e8 c2 f6 59 00          callq  0x59f700
  3e:   84 c0                   test   %al,%al

Code starting with the faulting instruction
===========================================
   0:   48 8b 80 c0 00 00 00    mov    0xc0(%rax),%rax
   7:   48 85 c0                test   %rax,%rax
   a:   74 0c                   je     0x18
   c:   48 89 df                mov    %rbx,%rdi
   f:   e8 c2 f6 59 00          callq  0x59f6d6
  14:   84 c0                   test   %al,%al


The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20230829/202308291549.d323e980-oliver.sang@xxxxxxxxx


-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki