Hello,

kernel test robot noticed "BUG:kernel_NULL_pointer_dereference,address" on:

commit: 6d1716982bc67e5c6409456e4a6d37fb6909a779 ("scsi: core: Introduce a mechanism for reordering requests in the error handler")
https://github.com/bvanassche/linux block-for-next

in testcase: boot

compiler: gcc-12
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G

(please refer to attached dmesg/kmsg for the entire log/backtrace)

+---------------------------------------------+------------+------------+
|                                             | 4618ba9202 | 6d1716982b |
+---------------------------------------------+------------+------------+
| boot_successes                              | 6          | 0          |
| boot_failures                               | 0          | 6          |
| BUG:kernel_NULL_pointer_dereference,address | 0          | 6          |
| Oops:#[##]                                  | 0          | 6          |
| EIP:scsi_call_prepare_resubmit              | 0          | 6          |
| Kernel_panic-not_syncing:Fatal_exception    | 0          | 6          |
+---------------------------------------------+------------+------------+

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags
| Reported-by: kernel test robot <oliver.sang@xxxxxxxxx>
| Closes: https://lore.kernel.org/oe-lkp/202309060922.cefc15f7-oliver.sang@xxxxxxxxx

[ 7.088822][ T113] BUG: kernel NULL pointer dereference, address: 00000064
[ 7.089409][ T113] #PF: supervisor read access in kernel mode
[ 7.089981][ T113] #PF: error_code(0x0000) - not-present page
[ 7.090463][ T113] *pdpt = 000000002de92001 *pde = 0000000000000000
[ 7.090986][ T113] Oops: 0000 [#1] SMP PTI
[ 7.091358][ T113] CPU: 0 PID: 113 Comm: scsi_eh_1 Tainted: G E 6.5.0-rc7-00153-g6d1716982bc6 #1
[ 7.092170][ T113] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 7.092974][ T113] EIP: scsi_call_prepare_resubmit (drivers/scsi/scsi_error.c:2202 drivers/scsi/scsi_error.c:2228)
[ 7.093463][ T113] Code: 89 e5 57 89 c7 56 53 83 ec 1c 64 a1 1c 17 4d cd 89 45 f0 8b 07 39 c7 74 2d 8d 58 fc 8d b6 00 00 00 00 8b 03 8b 80 4c 01 00 00 <8b> 50 64 85 d2 74
0b 89 d8 e8 c2 17 45 00 84 c0 75 26 8b 43 04 8d

[Editor's note: this oops comes from a 32-bit kernel (EIP/EAX registers, entry_32.S frames in the call trace), but the listing below was decoded in 64-bit mode, so the "movabs", "(bad)" and %r.. register names are decoding artifacts. The trapping instruction is a 32-bit load at offset 0x64 through a pointer that was itself just loaded from offset 0x14c and is NULL (EAX: 00000000, CR2: 00000064).]

All code
========
0: 89 e5 mov %esp,%ebp
2: 57 push %rdi
3: 89 c7 mov %eax,%edi
5: 56 push %rsi
6: 53 push %rbx
7: 83 ec 1c sub $0x1c,%esp
a: 64 a1 1c 17 4d cd 89 movabs %fs:0x8bf04589cd4d171c,%eax
11: 45 f0 8b
14: 07 (bad)
15: 39 c7 cmp %eax,%edi
17: 74 2d je 0x46
19: 8d 58 fc lea -0x4(%rax),%ebx
1c: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
22: 8b 03 mov (%rbx),%eax
24: 8b 80 4c 01 00 00 mov 0x14c(%rax),%eax
2a:* 8b 50 64 mov 0x64(%rax),%edx <-- trapping instruction
2d: 85 d2 test %edx,%edx
2f: 74 0b je 0x3c
31: 89 d8 mov %ebx,%eax
33: e8 c2 17 45 00 call 0x4517fa
38: 84 c0 test %al,%al
3a: 75 26 jne 0x62
3c: 8b 43 04 mov 0x4(%rbx),%eax
3f: 8d .byte 0x8d

Code starting with the faulting instruction
===========================================
0: 8b 50 64 mov 0x64(%rax),%edx
3: 85 d2 test %edx,%edx
5: 74 0b je 0x12
7: 89 d8 mov %ebx,%eax
9: e8 c2 17 45 00 call 0x4517d0
e: 84 c0 test %al,%al
10: 75 26 jne 0x38
12: 8b 43 04 mov 0x4(%rbx),%eax
15: 8d .byte 0x8d

[ 7.094917][ T113] EAX: 00000000 EBX: ed40a0a0 ECX: 00000000 EDX: c21ded44
[ 7.095473][ T113] ESI: edfb2ed4 EDI: edfb2ed4 EBP: c23fded8 ESP: c23fdeb0
[ 7.096024][ T113] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00010206
[ 7.096644][ T113] CR0: 80050033 CR2: 00000064 CR3: 2de50000 CR4: 000406f0
[ 7.097201][ T113] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 7.097756][ T113] DR6: fffe0ff0 DR7: 00000400
[ 7.098160][ T113] Call Trace:
[ 7.098464][ T113] ? show_regs (arch/x86/kernel/dumpstack.c:479 arch/x86/kernel/dumpstack.c:465)
[ 7.098831][ T113] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)
[ 7.099176][ T113] ? page_fault_oops (arch/x86/mm/fault.c:707)
[ 7.099582][ T113] ? kernelmode_fixup_or_oops+0x73/0x100
[ 7.100106][ T113] ? __bad_area_nosemaphore+0xdc/0x1c0
[ 7.100621][ T113] ? ata_eh_speed_down (drivers/ata/libata-eh.c:1819) libata
[ 7.101108][ T113] ?
bad_area_nosemaphore (arch/x86/mm/fault.c:867)
[ 7.101535][ T113] ? do_user_addr_fault (arch/x86/mm/fault.c:1457)
[ 7.101972][ T113] ? exc_page_fault (arch/x86/include/asm/irqflags.h:37 arch/x86/include/asm/irqflags.h:72 arch/x86/mm/fault.c:1494 arch/x86/mm/fault.c:1542)
[ 7.102377][ T113] ? pvclock_clocksource_read_nowd (arch/x86/mm/fault.c:1499)
[ 7.102868][ T113] ? handle_exception (arch/x86/entry/entry_32.S:1056)
[ 7.103285][ T113] ? ata_eh_thaw_port (arch/x86/include/asm/bitops.h:228 arch/x86/include/asm/bitops.h:240 include/asm-generic/bitops/instrumented-non-atomic.h:142 include/linux/cpumask.h:504 include/linux/cpumask.h:1082 include/trace/events/libata.h:630 drivers/ata/libata-eh.c:1149 drivers/ata/libata-eh.c:1133) libata
[ 7.103755][ T113] ? pvclock_clocksource_read_nowd (arch/x86/mm/fault.c:1499)
[ 7.104251][ T113] ? scsi_call_prepare_resubmit (drivers/scsi/scsi_error.c:2202 drivers/scsi/scsi_error.c:2228)
[ 7.104723][ T113] ? ata_eh_thaw_port (arch/x86/include/asm/bitops.h:228 arch/x86/include/asm/bitops.h:240 include/asm-generic/bitops/instrumented-non-atomic.h:142 include/linux/cpumask.h:504 include/linux/cpumask.h:1082 include/trace/events/libata.h:630 drivers/ata/libata-eh.c:1149 drivers/ata/libata-eh.c:1133) libata
[ 7.105189][ T113] ? pvclock_clocksource_read_nowd (arch/x86/mm/fault.c:1499)
[ 7.105681][ T113] ? scsi_call_prepare_resubmit (drivers/scsi/scsi_error.c:2202 drivers/scsi/scsi_error.c:2228)
[ 7.106158][ T113] ? ata_sff_error_handler (drivers/ata/libata-sff.c:2096) libata
[ 7.106665][ T113] ? ata_sff_softreset (drivers/ata/libata-sff.c:2000) libata
[ 7.107153][ T113] ?
ata_sff_dev_classify (drivers/ata/libata-sff.c:1920) libata
[ 7.107658][ T113] scsi_eh_flush_done_q (drivers/scsi/scsi_error.c:2266)
[ 7.108084][ T113] ata_scsi_port_error_handler (drivers/ata/libata-eh.c:754) libata
[ 7.108616][ T113] ata_scsi_error (include/linux/list.h:292 drivers/ata/libata-eh.c:549) libata
[ 7.109060][ T113] scsi_error_handler (drivers/scsi/scsi_error.c:2406)
[ 7.109472][ T113] kthread (kernel/kthread.c:389)
[ 7.109847][ T113] ? scsi_eh_flush_done_q (drivers/scsi/scsi_error.c:2349)
[ 7.110291][ T113] ? kthread_complete_and_exit (kernel/kthread.c:342)
[ 7.110747][ T113] ret_from_fork (arch/x86/kernel/process.c:151)
[ 7.111126][ T113] ? kthread_complete_and_exit (kernel/kthread.c:342)
[ 7.111585][ T113] ret_from_fork_asm (arch/x86/entry/entry_32.S:741)
[ 7.111989][ T113] entry_INT80_32 (arch/x86/entry/entry_32.S:947)
[ 7.112377][ T113] Modules linked in: rapl(E) ppdev(E) evdev(E) drm(E) ata_piix(E) psmouse(E) serio_raw(E) i2c_piix4(E) libata(E) floppy(E) parport_pc(E) parport(E) qemu_fw_cfg(E) button(E)
[ 7.113658][ T113] CR2: 0000000000000064
[ 7.114027][ T113] ---[ end trace 0000000000000000 ]---
[ 7.114475][ T113] EIP: scsi_call_prepare_resubmit (drivers/scsi/scsi_error.c:2202 drivers/scsi/scsi_error.c:2228)
[ 7.114956][ T113] Code: 89 e5 57 89 c7 56 53 83 ec 1c 64 a1 1c 17 4d cd 89 45 f0 8b 07 39 c7 74 2d 8d 58 fc 8d b6 00 00 00 00 8b 03 8b 80 4c 01 00 00 <8b> 50 64 85 d2 74 0b 89 d8 e8 c2 17 45 00 84 c0 75 26 8b 43 04 8d

All code
========
0: 89 e5 mov %esp,%ebp
2: 57 push %rdi
3: 89 c7 mov %eax,%edi
5: 56 push %rsi
6: 53 push %rbx
7: 83 ec 1c sub $0x1c,%esp
a: 64 a1 1c 17 4d cd 89 movabs %fs:0x8bf04589cd4d171c,%eax
11: 45 f0 8b
14: 07 (bad)
15: 39 c7 cmp %eax,%edi
17: 74 2d je 0x46
19: 8d 58 fc lea -0x4(%rax),%ebx
1c: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
22: 8b 03 mov (%rbx),%eax
24: 8b 80 4c 01 00 00 mov 0x14c(%rax),%eax
2a:* 8b 50 64 mov 0x64(%rax),%edx <-- trapping instruction
2d: 85 d2 test %edx,%edx
2f: 74 0b je 0x3c
31: 89 d8 mov
%ebx,%eax
33: e8 c2 17 45 00 call 0x4517fa
38: 84 c0 test %al,%al
3a: 75 26 jne 0x62
3c: 8b 43 04 mov 0x4(%rbx),%eax
3f: 8d .byte 0x8d

Code starting with the faulting instruction
===========================================
0: 8b 50 64 mov 0x64(%rax),%edx
3: 85 d2 test %edx,%edx
5: 74 0b je 0x12
7: 89 d8 mov %ebx,%eax
9: e8 c2 17 45 00 call 0x4517d0
e: 84 c0 test %al,%al
10: 75 26 jne 0x38
12: 8b 43 04 mov 0x4(%rbx),%eax
15: 8d .byte 0x8d

The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20230906/202309060922.cefc15f7-oliver.sang@xxxxxxxxx

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki