* [bug report] blktests block/029 triggered NULL pointer on latest linux-block/for-next
@ 2021-10-26 9:33 Yi Zhang
2021-10-26 14:44 ` Jens Axboe
0 siblings, 1 reply; 5+ messages in thread
From: Yi Zhang @ 2021-10-26 9:33 UTC (permalink / raw)
To: linux-block; +Cc: Jens Axboe
Hello
Below NULL pointer was triggered[2] with blktests block/029 on latest
linux-block/for-next, pls check it.
[1]
9b3b463f3955 (HEAD -> for-next, origin/for-next) Merge branch
'for-5.16/block' into for-next
[2]
[ 110.508269] run blktests block/029 at 2021-10-26 05:29:11
[ 110.535182] null_blk: module loaded
[ 110.674174] Kernel attempted to read user page (d8) - exploit
attempt? (uid: 0)
[ 110.674212] BUG: Kernel NULL pointer dereference on read at 0x000000d8
[ 110.674236] Faulting instruction address: 0xc0000000009414c4
[ 110.674251] Oops: Kernel access of bad area, sig: 11 [#1]
[ 110.674272] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
[ 110.674308] Modules linked in: null_blk rfkill sunrpc joydev ofpart
ses enclosure scsi_transport_sas i40e at24 powernv_flash mtd
tpm_i2c_nuvoton regmap_i2c ipmi_powernv rtc_opal crct10dif_vpmsum
opal_prd ipmi_devintf i2c_opal ipmi_msghandler fuse zram ip_tables xfs
ast i2c_algo_bit drm_vram_helper drm_kms_helper syscopyarea
sysfillrect sysimgblt fb_sys_fops cec drm_ttm_helper ttm drm
vmx_crypto crc32c_vpmsum i2c_core aacraid drm_panel_orientation_quirks
[ 110.674485] CPU: 60 PID: 3469 Comm: check Not tainted 5.15.0-rc6+ #3
[ 110.674520] NIP: c0000000009414c4 LR: c000000000941638 CTR: 0000000000000000
[ 110.674556] REGS: c00000003aea77c0 TRAP: 0300 Not tainted (5.15.0-rc6+)
[ 110.674580] MSR: 900000000280b033
<SF,HV,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 84428482 XER: 00000006
[ 110.674634] CFAR: c000000000941648 DAR: 00000000000000d8 DSISR:
40000000 IRQMASK: 0
[ 110.674634] GPR00: c000000000941638 c00000003aea7a60
c0000000028a9a00 c00000001ad8a8c0
[ 110.674634] GPR04: c000000089287e00 0000000000000001
00000000ffffffff ffffffffffffffff
[ 110.674634] GPR08: 00000000000000d8 0000000000000000
00000000000000d8 0000000000000400
[ 110.674634] GPR12: 0000000000008000 c000000ffff9e600
c00000001ac416c0 0000000000000000
[ 110.674634] GPR16: 0000000000000001 0000000000000001
0000000000000000 c009dfffff94f300
[ 110.674634] GPR20: 0000000000000000 0000000000000000
c0000000028e72b8 c0000000028e78a0
[ 110.674634] GPR24: 0000000000000001 0000000000000008
c0000000aaa53838 c009dfffff94f388
[ 110.674634] GPR28: c00000009d527698 c009dfffff94f3a0
0000000000000002 c0000000aaa53858
[ 110.674942] NIP [c0000000009414c4] blk_mq_map_swqueue+0x1a4/0x490
[ 110.674982] LR [c000000000941638] blk_mq_map_swqueue+0x318/0x490
[ 110.675021] Call Trace:
[ 110.675038] [c00000003aea7a60] [c000000000941638]
blk_mq_map_swqueue+0x318/0x490 (unreliable)
[ 110.675080] [c00000003aea7b10] [c0000000009420e4]
blk_mq_update_nr_hw_queues+0x244/0x480
[ 110.675128] [c00000003aea7bd0] [c00800000f3e2d60]
nullb_device_submit_queues_store+0x98/0x120 [null_blk]
[ 110.675182] [c00000003aea7c20] [c000000000648aa8]
configfs_write_iter+0x118/0x1e0
[ 110.675224] [c00000003aea7c70] [c000000000521494] new_sync_write+0x124/0x1b0
[ 110.675281] [c00000003aea7d10] [c000000000524794] vfs_write+0x2c4/0x390
[ 110.675299] [c00000003aea7d60] [c000000000524b08] ksys_write+0x78/0x130
[ 110.675316] [c00000003aea7db0] [c00000000002d648]
system_call_exception+0x188/0x360
[ 110.675335] [c00000003aea7e10] [c00000000000c1e8]
system_call_vectored_common+0xe8/0x278
[ 110.675355] --- interrupt: 3000 at 0x7fffa1aefee4
[ 110.675367] NIP: 00007fffa1aefee4 LR: 0000000000000000 CTR: 0000000000000000
[ 110.675393] REGS: c00000003aea7e80 TRAP: 3000 Not tainted (5.15.0-rc6+)
[ 110.675429] MSR: 900000000280f033
<SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 48422488 XER: 00000000
[ 110.675482] IRQMASK: 0
[ 110.675482] GPR00: 0000000000000004 00007fffc592dd30
00007fffa1be7000 0000000000000001
[ 110.675482] GPR04: 0000000143297fc0 0000000000000002
0000000000000010 00000001432bd791
[ 110.675482] GPR08: 0000000000000000 0000000000000000
0000000000000000 0000000000000000
[ 110.675482] GPR12: 0000000000000000 00007fffa1d2afa0
0000000000000000 0000000000000000
[ 110.675482] GPR16: 000000010dfd87b8 000000010dfd94d4
0000000020000000 000000010deeae80
[ 110.675482] GPR20: 0000000000000000 00007fffc592df54
000000010df83128 000000010dfd89bc
[ 110.675482] GPR24: 000000010dfd8a50 0000000000000000
0000000143297fc0 0000000000000002
[ 110.675482] GPR28: 0000000000000002 00007fffa1be16d8
0000000143297fc0 0000000000000002
[ 110.675718] NIP [00007fffa1aefee4] 0x7fffa1aefee4
[ 110.675750] LR [0000000000000000] 0x0
[ 110.675769] --- interrupt: 3000
[ 110.675789] Instruction dump:
[ 110.675798] 2c290000 41820168 e91c0600 7bc926e4 e95c0048 7d28482a
7d29a82e 79291f24
[ 110.675845] 7d2a482a f93d0000 390900d8 7d489214 <7d08a02a> 7d088839
4082004c 7d0050a8
[ 110.675885] ---[ end trace b9b604499c6b5b71 ]---
[ 110.814135]
[ 111.814148] Kernel panic - not syncing: Fatal exception
[ 113.674122] ---[ end Kernel panic - not syncing: Fatal exception ]---
--
Best Regards,
Yi Zhang
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [bug report] blktests block/029 triggered NULL pointer on latest linux-block/for-next
2021-10-26 9:33 [bug report] blktests block/029 triggered NULL pointer on latest linux-block/for-next Yi Zhang
@ 2021-10-26 14:44 ` Jens Axboe
2021-10-27 6:06 ` Yi Zhang
0 siblings, 1 reply; 5+ messages in thread
From: Jens Axboe @ 2021-10-26 14:44 UTC (permalink / raw)
To: Yi Zhang, linux-block
On 10/26/21 3:33 AM, Yi Zhang wrote:
> Hello
>
> Below NULL pointer was triggered[2] with blktests block/029 on latest
> linux-block/for-next, pls check it.
>
> [1]
> 9b3b463f3955 (HEAD -> for-next, origin/for-next) Merge branch
> 'for-5.16/block' into for-next
>
> [2]
> [ 110.508269] run blktests block/029 at 2021-10-26 05:29:11
> [ 110.535182] null_blk: module loaded
> [ 110.674174] Kernel attempted to read user page (d8) - exploit
> attempt? (uid: 0)
> [ 110.674212] BUG: Kernel NULL pointer dereference on read at 0x000000d8
> [ 110.674236] Faulting instruction address: 0xc0000000009414c4
> [ 110.674251] Oops: Kernel access of bad area, sig: 11 [#1]
> [ 110.674272] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
> [ 110.674308] Modules linked in: null_blk rfkill sunrpc joydev ofpart
> ses enclosure scsi_transport_sas i40e at24 powernv_flash mtd
> tpm_i2c_nuvoton regmap_i2c ipmi_powernv rtc_opal crct10dif_vpmsum
> opal_prd ipmi_devintf i2c_opal ipmi_msghandler fuse zram ip_tables xfs
> ast i2c_algo_bit drm_vram_helper drm_kms_helper syscopyarea
> sysfillrect sysimgblt fb_sys_fops cec drm_ttm_helper ttm drm
> vmx_crypto crc32c_vpmsum i2c_core aacraid drm_panel_orientation_quirks
> [ 110.674485] CPU: 60 PID: 3469 Comm: check Not tainted 5.15.0-rc6+ #3
> [ 110.674520] NIP: c0000000009414c4 LR: c000000000941638 CTR: 0000000000000000
> [ 110.674556] REGS: c00000003aea77c0 TRAP: 0300 Not tainted (5.15.0-rc6+)
> [ 110.674580] MSR: 900000000280b033
> <SF,HV,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 84428482 XER: 00000006
> [ 110.674634] CFAR: c000000000941648 DAR: 00000000000000d8 DSISR:
> 40000000 IRQMASK: 0
> [ 110.674634] GPR00: c000000000941638 c00000003aea7a60
> c0000000028a9a00 c00000001ad8a8c0
> [ 110.674634] GPR04: c000000089287e00 0000000000000001
> 00000000ffffffff ffffffffffffffff
> [ 110.674634] GPR08: 00000000000000d8 0000000000000000
> 00000000000000d8 0000000000000400
> [ 110.674634] GPR12: 0000000000008000 c000000ffff9e600
> c00000001ac416c0 0000000000000000
> [ 110.674634] GPR16: 0000000000000001 0000000000000001
> 0000000000000000 c009dfffff94f300
> [ 110.674634] GPR20: 0000000000000000 0000000000000000
> c0000000028e72b8 c0000000028e78a0
> [ 110.674634] GPR24: 0000000000000001 0000000000000008
> c0000000aaa53838 c009dfffff94f388
> [ 110.674634] GPR28: c00000009d527698 c009dfffff94f3a0
> 0000000000000002 c0000000aaa53858
> [ 110.674942] NIP [c0000000009414c4] blk_mq_map_swqueue+0x1a4/0x490
> [ 110.674982] LR [c000000000941638] blk_mq_map_swqueue+0x318/0x490
> [ 110.675021] Call Trace:
> [ 110.675038] [c00000003aea7a60] [c000000000941638]
> blk_mq_map_swqueue+0x318/0x490 (unreliable)
> [ 110.675080] [c00000003aea7b10] [c0000000009420e4]
> blk_mq_update_nr_hw_queues+0x244/0x480
> [ 110.675128] [c00000003aea7bd0] [c00800000f3e2d60]
> nullb_device_submit_queues_store+0x98/0x120 [null_blk]
> [ 110.675182] [c00000003aea7c20] [c000000000648aa8]
> configfs_write_iter+0x118/0x1e0
> [ 110.675224] [c00000003aea7c70] [c000000000521494] new_sync_write+0x124/0x1b0
> [ 110.675281] [c00000003aea7d10] [c000000000524794] vfs_write+0x2c4/0x390
> [ 110.675299] [c00000003aea7d60] [c000000000524b08] ksys_write+0x78/0x130
> [ 110.675316] [c00000003aea7db0] [c00000000002d648]
> system_call_exception+0x188/0x360
> [ 110.675335] [c00000003aea7e10] [c00000000000c1e8]
> system_call_vectored_common+0xe8/0x278
> [ 110.675355] --- interrupt: 3000 at 0x7fffa1aefee4
> [ 110.675367] NIP: 00007fffa1aefee4 LR: 0000000000000000 CTR: 0000000000000000
> [ 110.675393] REGS: c00000003aea7e80 TRAP: 3000 Not tainted (5.15.0-rc6+)
> [ 110.675429] MSR: 900000000280f033
> <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 48422488 XER: 00000000
> [ 110.675482] IRQMASK: 0
> [ 110.675482] GPR00: 0000000000000004 00007fffc592dd30
> 00007fffa1be7000 0000000000000001
> [ 110.675482] GPR04: 0000000143297fc0 0000000000000002
> 0000000000000010 00000001432bd791
> [ 110.675482] GPR08: 0000000000000000 0000000000000000
> 0000000000000000 0000000000000000
> [ 110.675482] GPR12: 0000000000000000 00007fffa1d2afa0
> 0000000000000000 0000000000000000
> [ 110.675482] GPR16: 000000010dfd87b8 000000010dfd94d4
> 0000000020000000 000000010deeae80
> [ 110.675482] GPR20: 0000000000000000 00007fffc592df54
> 000000010df83128 000000010dfd89bc
> [ 110.675482] GPR24: 000000010dfd8a50 0000000000000000
> 0000000143297fc0 0000000000000002
> [ 110.675482] GPR28: 0000000000000002 00007fffa1be16d8
> 0000000143297fc0 0000000000000002
> [ 110.675718] NIP [00007fffa1aefee4] 0x7fffa1aefee4
> [ 110.675750] LR [0000000000000000] 0x0
> [ 110.675769] --- interrupt: 3000
> [ 110.675789] Instruction dump:
> [ 110.675798] 2c290000 41820168 e91c0600 7bc926e4 e95c0048 7d28482a
> 7d29a82e 79291f24
> [ 110.675845] 7d2a482a f93d0000 390900d8 7d489214 <7d08a02a> 7d088839
> 4082004c 7d0050a8
> [ 110.675885] ---[ end trace b9b604499c6b5b71 ]---
> [ 110.814135]
> [ 111.814148] Kernel panic - not syncing: Fatal exception
> [ 113.674122] ---[ end Kernel panic - not syncing: Fatal exception ]---
Should be fixed in my current for-next branch.
--
Jens Axboe
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [bug report] blktests block/029 triggered NULL pointer on latest linux-block/for-next
2021-10-26 14:44 ` Jens Axboe
@ 2021-10-27 6:06 ` Yi Zhang
2021-10-27 10:36 ` Shinichiro Kawasaki
0 siblings, 1 reply; 5+ messages in thread
From: Yi Zhang @ 2021-10-27 6:06 UTC (permalink / raw)
To: Jens Axboe; +Cc: linux-block
Hi Jens
It still can be reproduced with the latest for-next update below, and
it's 100% reproduced on my x86_64 environment.
7c5835a8640c (HEAD -> for-next, origin/for-next) Merge branch
'for-5.16/scsi-ma' into for-next
On Tue, Oct 26, 2021 at 10:44 PM Jens Axboe <axboe@kernel.dk> wrote:
>
> On 10/26/21 3:33 AM, Yi Zhang wrote:
> > Hello
> >
> > Below NULL pointer was triggered[2] with blktests block/029 on latest
> > linux-block/for-next, pls check it.
> >
> > [1]
> > 9b3b463f3955 (HEAD -> for-next, origin/for-next) Merge branch
> > 'for-5.16/block' into for-next
> >
> > [2]
> > [ 110.508269] run blktests block/029 at 2021-10-26 05:29:11
> > [ 110.535182] null_blk: module loaded
> > [ 110.674174] Kernel attempted to read user page (d8) - exploit
> > attempt? (uid: 0)
> > [ 110.674212] BUG: Kernel NULL pointer dereference on read at 0x000000d8
> > [ 110.674236] Faulting instruction address: 0xc0000000009414c4
> > [ 110.674251] Oops: Kernel access of bad area, sig: 11 [#1]
> > [ 110.674272] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
> > [ 110.674308] Modules linked in: null_blk rfkill sunrpc joydev ofpart
> > ses enclosure scsi_transport_sas i40e at24 powernv_flash mtd
> > tpm_i2c_nuvoton regmap_i2c ipmi_powernv rtc_opal crct10dif_vpmsum
> > opal_prd ipmi_devintf i2c_opal ipmi_msghandler fuse zram ip_tables xfs
> > ast i2c_algo_bit drm_vram_helper drm_kms_helper syscopyarea
> > sysfillrect sysimgblt fb_sys_fops cec drm_ttm_helper ttm drm
> > vmx_crypto crc32c_vpmsum i2c_core aacraid drm_panel_orientation_quirks
> > [ 110.674485] CPU: 60 PID: 3469 Comm: check Not tainted 5.15.0-rc6+ #3
> > [ 110.674520] NIP: c0000000009414c4 LR: c000000000941638 CTR: 0000000000000000
> > [ 110.674556] REGS: c00000003aea77c0 TRAP: 0300 Not tainted (5.15.0-rc6+)
> > [ 110.674580] MSR: 900000000280b033
> > <SF,HV,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 84428482 XER: 00000006
> > [ 110.674634] CFAR: c000000000941648 DAR: 00000000000000d8 DSISR:
> > 40000000 IRQMASK: 0
> > [ 110.674634] GPR00: c000000000941638 c00000003aea7a60
> > c0000000028a9a00 c00000001ad8a8c0
> > [ 110.674634] GPR04: c000000089287e00 0000000000000001
> > 00000000ffffffff ffffffffffffffff
> > [ 110.674634] GPR08: 00000000000000d8 0000000000000000
> > 00000000000000d8 0000000000000400
> > [ 110.674634] GPR12: 0000000000008000 c000000ffff9e600
> > c00000001ac416c0 0000000000000000
> > [ 110.674634] GPR16: 0000000000000001 0000000000000001
> > 0000000000000000 c009dfffff94f300
> > [ 110.674634] GPR20: 0000000000000000 0000000000000000
> > c0000000028e72b8 c0000000028e78a0
> > [ 110.674634] GPR24: 0000000000000001 0000000000000008
> > c0000000aaa53838 c009dfffff94f388
> > [ 110.674634] GPR28: c00000009d527698 c009dfffff94f3a0
> > 0000000000000002 c0000000aaa53858
> > [ 110.674942] NIP [c0000000009414c4] blk_mq_map_swqueue+0x1a4/0x490
> > [ 110.674982] LR [c000000000941638] blk_mq_map_swqueue+0x318/0x490
> > [ 110.675021] Call Trace:
> > [ 110.675038] [c00000003aea7a60] [c000000000941638]
> > blk_mq_map_swqueue+0x318/0x490 (unreliable)
> > [ 110.675080] [c00000003aea7b10] [c0000000009420e4]
> > blk_mq_update_nr_hw_queues+0x244/0x480
> > [ 110.675128] [c00000003aea7bd0] [c00800000f3e2d60]
> > nullb_device_submit_queues_store+0x98/0x120 [null_blk]
> > [ 110.675182] [c00000003aea7c20] [c000000000648aa8]
> > configfs_write_iter+0x118/0x1e0
> > [ 110.675224] [c00000003aea7c70] [c000000000521494] new_sync_write+0x124/0x1b0
> > [ 110.675281] [c00000003aea7d10] [c000000000524794] vfs_write+0x2c4/0x390
> > [ 110.675299] [c00000003aea7d60] [c000000000524b08] ksys_write+0x78/0x130
> > [ 110.675316] [c00000003aea7db0] [c00000000002d648]
> > system_call_exception+0x188/0x360
> > [ 110.675335] [c00000003aea7e10] [c00000000000c1e8]
> > system_call_vectored_common+0xe8/0x278
> > [ 110.675355] --- interrupt: 3000 at 0x7fffa1aefee4
> > [ 110.675367] NIP: 00007fffa1aefee4 LR: 0000000000000000 CTR: 0000000000000000
> > [ 110.675393] REGS: c00000003aea7e80 TRAP: 3000 Not tainted (5.15.0-rc6+)
> > [ 110.675429] MSR: 900000000280f033
> > <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 48422488 XER: 00000000
> > [ 110.675482] IRQMASK: 0
> > [ 110.675482] GPR00: 0000000000000004 00007fffc592dd30
> > 00007fffa1be7000 0000000000000001
> > [ 110.675482] GPR04: 0000000143297fc0 0000000000000002
> > 0000000000000010 00000001432bd791
> > [ 110.675482] GPR08: 0000000000000000 0000000000000000
> > 0000000000000000 0000000000000000
> > [ 110.675482] GPR12: 0000000000000000 00007fffa1d2afa0
> > 0000000000000000 0000000000000000
> > [ 110.675482] GPR16: 000000010dfd87b8 000000010dfd94d4
> > 0000000020000000 000000010deeae80
> > [ 110.675482] GPR20: 0000000000000000 00007fffc592df54
> > 000000010df83128 000000010dfd89bc
> > [ 110.675482] GPR24: 000000010dfd8a50 0000000000000000
> > 0000000143297fc0 0000000000000002
> > [ 110.675482] GPR28: 0000000000000002 00007fffa1be16d8
> > 0000000143297fc0 0000000000000002
> > [ 110.675718] NIP [00007fffa1aefee4] 0x7fffa1aefee4
> > [ 110.675750] LR [0000000000000000] 0x0
> > [ 110.675769] --- interrupt: 3000
> > [ 110.675789] Instruction dump:
> > [ 110.675798] 2c290000 41820168 e91c0600 7bc926e4 e95c0048 7d28482a
> > 7d29a82e 79291f24
> > [ 110.675845] 7d2a482a f93d0000 390900d8 7d489214 <7d08a02a> 7d088839
> > 4082004c 7d0050a8
> > [ 110.675885] ---[ end trace b9b604499c6b5b71 ]---
> > [ 110.814135]
> > [ 111.814148] Kernel panic - not syncing: Fatal exception
> > [ 113.674122] ---[ end Kernel panic - not syncing: Fatal exception ]---
>
> Should be fixed in my current for-next branch.
>
> --
> Jens Axboe
>
--
Best Regards,
Yi Zhang
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [bug report] blktests block/029 triggered NULL pointer on latest linux-block/for-next
2021-10-27 6:06 ` Yi Zhang
@ 2021-10-27 10:36 ` Shinichiro Kawasaki
2021-10-29 10:36 ` Shinichiro Kawasaki
0 siblings, 1 reply; 5+ messages in thread
From: Shinichiro Kawasaki @ 2021-10-27 10:36 UTC (permalink / raw)
To: Yi Zhang; +Cc: Jens Axboe, linux-block, Damien Le Moal
On Oct 27, 2021 / 14:06, Yi Zhang wrote:
> Hi Jens
>
> It still can be reproduced with the latest for-next update below, and
> it's 100% reproduced on my x86_64 environment.
>
> 7c5835a8640c (HEAD -> for-next, origin/for-next) Merge branch
> 'for-5.16/scsi-ma' into for-next
I also observe the null-ptr-deref during blktests block/029 run, using
for-next branch tip, git hash 7c5835a8640c. With my configuration, KASAN
reported null-ptr-deref in blk_mq_map_swqueue().
I bisected and found that the commit 0a593fbbc245 ("null_blk: poll queue
support") triggers it. Reverting this commit from the tip of for-next
branch, the KASAN null-ptr-deref message was not observed.
>
> On Tue, Oct 26, 2021 at 10:44 PM Jens Axboe <axboe@kernel.dk> wrote:
> >
> > On 10/26/21 3:33 AM, Yi Zhang wrote:
> > > Hello
> > >
> > > Below NULL pointer was triggered[2] with blktests block/029 on latest
> > > linux-block/for-next, pls check it.
> > >
> > > [1]
> > > 9b3b463f3955 (HEAD -> for-next, origin/for-next) Merge branch
> > > 'for-5.16/block' into for-next
> > >
> > > [2]
> > > [ 110.508269] run blktests block/029 at 2021-10-26 05:29:11
> > > [ 110.535182] null_blk: module loaded
> > > [ 110.674174] Kernel attempted to read user page (d8) - exploit
> > > attempt? (uid: 0)
> > > [ 110.674212] BUG: Kernel NULL pointer dereference on read at 0x000000d8
> > > [ 110.674236] Faulting instruction address: 0xc0000000009414c4
> > > [ 110.674251] Oops: Kernel access of bad area, sig: 11 [#1]
> > > [ 110.674272] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
> > > [ 110.674308] Modules linked in: null_blk rfkill sunrpc joydev ofpart
> > > ses enclosure scsi_transport_sas i40e at24 powernv_flash mtd
> > > tpm_i2c_nuvoton regmap_i2c ipmi_powernv rtc_opal crct10dif_vpmsum
> > > opal_prd ipmi_devintf i2c_opal ipmi_msghandler fuse zram ip_tables xfs
> > > ast i2c_algo_bit drm_vram_helper drm_kms_helper syscopyarea
> > > sysfillrect sysimgblt fb_sys_fops cec drm_ttm_helper ttm drm
> > > vmx_crypto crc32c_vpmsum i2c_core aacraid drm_panel_orientation_quirks
> > > [ 110.674485] CPU: 60 PID: 3469 Comm: check Not tainted 5.15.0-rc6+ #3
> > > [ 110.674520] NIP: c0000000009414c4 LR: c000000000941638 CTR: 0000000000000000
> > > [ 110.674556] REGS: c00000003aea77c0 TRAP: 0300 Not tainted (5.15.0-rc6+)
> > > [ 110.674580] MSR: 900000000280b033
> > > <SF,HV,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 84428482 XER: 00000006
> > > [ 110.674634] CFAR: c000000000941648 DAR: 00000000000000d8 DSISR:
> > > 40000000 IRQMASK: 0
> > > [ 110.674634] GPR00: c000000000941638 c00000003aea7a60
> > > c0000000028a9a00 c00000001ad8a8c0
> > > [ 110.674634] GPR04: c000000089287e00 0000000000000001
> > > 00000000ffffffff ffffffffffffffff
> > > [ 110.674634] GPR08: 00000000000000d8 0000000000000000
> > > 00000000000000d8 0000000000000400
> > > [ 110.674634] GPR12: 0000000000008000 c000000ffff9e600
> > > c00000001ac416c0 0000000000000000
> > > [ 110.674634] GPR16: 0000000000000001 0000000000000001
> > > 0000000000000000 c009dfffff94f300
> > > [ 110.674634] GPR20: 0000000000000000 0000000000000000
> > > c0000000028e72b8 c0000000028e78a0
> > > [ 110.674634] GPR24: 0000000000000001 0000000000000008
> > > c0000000aaa53838 c009dfffff94f388
> > > [ 110.674634] GPR28: c00000009d527698 c009dfffff94f3a0
> > > 0000000000000002 c0000000aaa53858
> > > [ 110.674942] NIP [c0000000009414c4] blk_mq_map_swqueue+0x1a4/0x490
> > > [ 110.674982] LR [c000000000941638] blk_mq_map_swqueue+0x318/0x490
> > > [ 110.675021] Call Trace:
> > > [ 110.675038] [c00000003aea7a60] [c000000000941638]
> > > blk_mq_map_swqueue+0x318/0x490 (unreliable)
> > > [ 110.675080] [c00000003aea7b10] [c0000000009420e4]
> > > blk_mq_update_nr_hw_queues+0x244/0x480
> > > [ 110.675128] [c00000003aea7bd0] [c00800000f3e2d60]
> > > nullb_device_submit_queues_store+0x98/0x120 [null_blk]
> > > [ 110.675182] [c00000003aea7c20] [c000000000648aa8]
> > > configfs_write_iter+0x118/0x1e0
> > > [ 110.675224] [c00000003aea7c70] [c000000000521494] new_sync_write+0x124/0x1b0
> > > [ 110.675281] [c00000003aea7d10] [c000000000524794] vfs_write+0x2c4/0x390
> > > [ 110.675299] [c00000003aea7d60] [c000000000524b08] ksys_write+0x78/0x130
> > > [ 110.675316] [c00000003aea7db0] [c00000000002d648]
> > > system_call_exception+0x188/0x360
> > > [ 110.675335] [c00000003aea7e10] [c00000000000c1e8]
> > > system_call_vectored_common+0xe8/0x278
> > > [ 110.675355] --- interrupt: 3000 at 0x7fffa1aefee4
> > > [ 110.675367] NIP: 00007fffa1aefee4 LR: 0000000000000000 CTR: 0000000000000000
> > > [ 110.675393] REGS: c00000003aea7e80 TRAP: 3000 Not tainted (5.15.0-rc6+)
> > > [ 110.675429] MSR: 900000000280f033
> > > <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 48422488 XER: 00000000
> > > [ 110.675482] IRQMASK: 0
> > > [ 110.675482] GPR00: 0000000000000004 00007fffc592dd30
> > > 00007fffa1be7000 0000000000000001
> > > [ 110.675482] GPR04: 0000000143297fc0 0000000000000002
> > > 0000000000000010 00000001432bd791
> > > [ 110.675482] GPR08: 0000000000000000 0000000000000000
> > > 0000000000000000 0000000000000000
> > > [ 110.675482] GPR12: 0000000000000000 00007fffa1d2afa0
> > > 0000000000000000 0000000000000000
> > > [ 110.675482] GPR16: 000000010dfd87b8 000000010dfd94d4
> > > 0000000020000000 000000010deeae80
> > > [ 110.675482] GPR20: 0000000000000000 00007fffc592df54
> > > 000000010df83128 000000010dfd89bc
> > > [ 110.675482] GPR24: 000000010dfd8a50 0000000000000000
> > > 0000000143297fc0 0000000000000002
> > > [ 110.675482] GPR28: 0000000000000002 00007fffa1be16d8
> > > 0000000143297fc0 0000000000000002
> > > [ 110.675718] NIP [00007fffa1aefee4] 0x7fffa1aefee4
> > > [ 110.675750] LR [0000000000000000] 0x0
> > > [ 110.675769] --- interrupt: 3000
> > > [ 110.675789] Instruction dump:
> > > [ 110.675798] 2c290000 41820168 e91c0600 7bc926e4 e95c0048 7d28482a
> > > 7d29a82e 79291f24
> > > [ 110.675845] 7d2a482a f93d0000 390900d8 7d489214 <7d08a02a> 7d088839
> > > 4082004c 7d0050a8
> > > [ 110.675885] ---[ end trace b9b604499c6b5b71 ]---
> > > [ 110.814135]
> > > [ 111.814148] Kernel panic - not syncing: Fatal exception
> > > [ 113.674122] ---[ end Kernel panic - not syncing: Fatal exception ]---
> >
> > Should be fixed in my current for-next branch.
> >
> > --
> > Jens Axboe
> >
>
>
> --
> Best Regards,
> Yi Zhang
>
--
Best Regards,
Shin'ichiro Kawasaki
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [bug report] blktests block/029 triggered NULL pointer on latest linux-block/for-next
2021-10-27 10:36 ` Shinichiro Kawasaki
@ 2021-10-29 10:36 ` Shinichiro Kawasaki
0 siblings, 0 replies; 5+ messages in thread
From: Shinichiro Kawasaki @ 2021-10-29 10:36 UTC (permalink / raw)
To: Yi Zhang; +Cc: Jens Axboe, linux-block, Damien Le Moal
On Oct 27, 2021 / 10:36, Shinichiro Kawasaki wrote:
> On Oct 27, 2021 / 14:06, Yi Zhang wrote:
> > Hi Jens
> >
> > It still can be reproduced with the latest for-next update below, and
> > it's 100% reproduced on my x86_64 environment.
> >
> > 7c5835a8640c (HEAD -> for-next, origin/for-next) Merge branch
> > 'for-5.16/scsi-ma' into for-next
>
> I also observe the null-ptr-deref during blktests block/029 run, using
> for-next branch tip, git hash 7c5835a8640c. With my configuration, KASAN
> reported null-ptr-deref in blk_mq_map_swqueue().
>
> I bisected and found that the commit 0a593fbbc245 ("null_blk: poll queue
> support") triggers it. Reverting this commit from the tip of for-next
> branch, the KASAN null-ptr-deref message was not observed.
The test case block/029 changes /sys/kernel/config/nullb/nullb0/submit_queues.
When the submit_queues value changes, nr_hw_queue is updated without counting
the number of poll_queues. Another test case block/030 also changes the number
of submit queues, and shows the same failure symptom.
I also tried to change /sys/kernel/config/nullb/nullb0/poll_queues value, and
observed the same failure. So, null_blk needs a fix for handling of these
attributes.
I have created a fix patch and confirmed that the patch avoids the
null-ptr-deref. Will post the patch to linux-block list. Review will be
appreciated.
--
Best Regards,
Shin'ichiro Kawasaki
>
> >
> > On Tue, Oct 26, 2021 at 10:44 PM Jens Axboe <axboe@kernel.dk> wrote:
> > >
> > > On 10/26/21 3:33 AM, Yi Zhang wrote:
> > > > Hello
> > > >
> > > > Below NULL pointer was triggered[2] with blktests block/029 on latest
> > > > linux-block/for-next, pls check it.
> > > >
> > > > [1]
> > > > 9b3b463f3955 (HEAD -> for-next, origin/for-next) Merge branch
> > > > 'for-5.16/block' into for-next
> > > >
> > > > [2]
> > > > [ 110.508269] run blktests block/029 at 2021-10-26 05:29:11
> > > > [ 110.535182] null_blk: module loaded
> > > > [ 110.674174] Kernel attempted to read user page (d8) - exploit
> > > > attempt? (uid: 0)
> > > > [ 110.674212] BUG: Kernel NULL pointer dereference on read at 0x000000d8
> > > > [ 110.674236] Faulting instruction address: 0xc0000000009414c4
> > > > [ 110.674251] Oops: Kernel access of bad area, sig: 11 [#1]
> > > > [ 110.674272] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
> > > > [ 110.674308] Modules linked in: null_blk rfkill sunrpc joydev ofpart
> > > > ses enclosure scsi_transport_sas i40e at24 powernv_flash mtd
> > > > tpm_i2c_nuvoton regmap_i2c ipmi_powernv rtc_opal crct10dif_vpmsum
> > > > opal_prd ipmi_devintf i2c_opal ipmi_msghandler fuse zram ip_tables xfs
> > > > ast i2c_algo_bit drm_vram_helper drm_kms_helper syscopyarea
> > > > sysfillrect sysimgblt fb_sys_fops cec drm_ttm_helper ttm drm
> > > > vmx_crypto crc32c_vpmsum i2c_core aacraid drm_panel_orientation_quirks
> > > > [ 110.674485] CPU: 60 PID: 3469 Comm: check Not tainted 5.15.0-rc6+ #3
> > > > [ 110.674520] NIP: c0000000009414c4 LR: c000000000941638 CTR: 0000000000000000
> > > > [ 110.674556] REGS: c00000003aea77c0 TRAP: 0300 Not tainted (5.15.0-rc6+)
> > > > [ 110.674580] MSR: 900000000280b033
> > > > <SF,HV,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 84428482 XER: 00000006
> > > > [ 110.674634] CFAR: c000000000941648 DAR: 00000000000000d8 DSISR:
> > > > 40000000 IRQMASK: 0
> > > > [ 110.674634] GPR00: c000000000941638 c00000003aea7a60
> > > > c0000000028a9a00 c00000001ad8a8c0
> > > > [ 110.674634] GPR04: c000000089287e00 0000000000000001
> > > > 00000000ffffffff ffffffffffffffff
> > > > [ 110.674634] GPR08: 00000000000000d8 0000000000000000
> > > > 00000000000000d8 0000000000000400
> > > > [ 110.674634] GPR12: 0000000000008000 c000000ffff9e600
> > > > c00000001ac416c0 0000000000000000
> > > > [ 110.674634] GPR16: 0000000000000001 0000000000000001
> > > > 0000000000000000 c009dfffff94f300
> > > > [ 110.674634] GPR20: 0000000000000000 0000000000000000
> > > > c0000000028e72b8 c0000000028e78a0
> > > > [ 110.674634] GPR24: 0000000000000001 0000000000000008
> > > > c0000000aaa53838 c009dfffff94f388
> > > > [ 110.674634] GPR28: c00000009d527698 c009dfffff94f3a0
> > > > 0000000000000002 c0000000aaa53858
> > > > [ 110.674942] NIP [c0000000009414c4] blk_mq_map_swqueue+0x1a4/0x490
> > > > [ 110.674982] LR [c000000000941638] blk_mq_map_swqueue+0x318/0x490
> > > > [ 110.675021] Call Trace:
> > > > [ 110.675038] [c00000003aea7a60] [c000000000941638]
> > > > blk_mq_map_swqueue+0x318/0x490 (unreliable)
> > > > [ 110.675080] [c00000003aea7b10] [c0000000009420e4]
> > > > blk_mq_update_nr_hw_queues+0x244/0x480
> > > > [ 110.675128] [c00000003aea7bd0] [c00800000f3e2d60]
> > > > nullb_device_submit_queues_store+0x98/0x120 [null_blk]
> > > > [ 110.675182] [c00000003aea7c20] [c000000000648aa8]
> > > > configfs_write_iter+0x118/0x1e0
> > > > [ 110.675224] [c00000003aea7c70] [c000000000521494] new_sync_write+0x124/0x1b0
> > > > [ 110.675281] [c00000003aea7d10] [c000000000524794] vfs_write+0x2c4/0x390
> > > > [ 110.675299] [c00000003aea7d60] [c000000000524b08] ksys_write+0x78/0x130
> > > > [ 110.675316] [c00000003aea7db0] [c00000000002d648]
> > > > system_call_exception+0x188/0x360
> > > > [ 110.675335] [c00000003aea7e10] [c00000000000c1e8]
> > > > system_call_vectored_common+0xe8/0x278
> > > > [ 110.675355] --- interrupt: 3000 at 0x7fffa1aefee4
> > > > [ 110.675367] NIP: 00007fffa1aefee4 LR: 0000000000000000 CTR: 0000000000000000
> > > > [ 110.675393] REGS: c00000003aea7e80 TRAP: 3000 Not tainted (5.15.0-rc6+)
> > > > [ 110.675429] MSR: 900000000280f033
> > > > <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 48422488 XER: 00000000
> > > > [ 110.675482] IRQMASK: 0
> > > > [ 110.675482] GPR00: 0000000000000004 00007fffc592dd30
> > > > 00007fffa1be7000 0000000000000001
> > > > [ 110.675482] GPR04: 0000000143297fc0 0000000000000002
> > > > 0000000000000010 00000001432bd791
> > > > [ 110.675482] GPR08: 0000000000000000 0000000000000000
> > > > 0000000000000000 0000000000000000
> > > > [ 110.675482] GPR12: 0000000000000000 00007fffa1d2afa0
> > > > 0000000000000000 0000000000000000
> > > > [ 110.675482] GPR16: 000000010dfd87b8 000000010dfd94d4
> > > > 0000000020000000 000000010deeae80
> > > > [ 110.675482] GPR20: 0000000000000000 00007fffc592df54
> > > > 000000010df83128 000000010dfd89bc
> > > > [ 110.675482] GPR24: 000000010dfd8a50 0000000000000000
> > > > 0000000143297fc0 0000000000000002
> > > > [ 110.675482] GPR28: 0000000000000002 00007fffa1be16d8
> > > > 0000000143297fc0 0000000000000002
> > > > [ 110.675718] NIP [00007fffa1aefee4] 0x7fffa1aefee4
> > > > [ 110.675750] LR [0000000000000000] 0x0
> > > > [ 110.675769] --- interrupt: 3000
> > > > [ 110.675789] Instruction dump:
> > > > [ 110.675798] 2c290000 41820168 e91c0600 7bc926e4 e95c0048 7d28482a
> > > > 7d29a82e 79291f24
> > > > [ 110.675845] 7d2a482a f93d0000 390900d8 7d489214 <7d08a02a> 7d088839
> > > > 4082004c 7d0050a8
> > > > [ 110.675885] ---[ end trace b9b604499c6b5b71 ]---
> > > > [ 110.814135]
> > > > [ 111.814148] Kernel panic - not syncing: Fatal exception
> > > > [ 113.674122] ---[ end Kernel panic - not syncing: Fatal exception ]---
> > >
> > > Should be fixed in my current for-next branch.
> > >
> > > --
> > > Jens Axboe
> > >
> >
> >
> > --
> > Best Regards,
> > Yi Zhang
> >
>
> --
> Best Regards,
> Shin'ichiro Kawasaki
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-10-29 10:36 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-26 9:33 [bug report] blktests block/029 triggered NULL pointer on latest linux-block/for-next Yi Zhang
2021-10-26 14:44 ` Jens Axboe
2021-10-27 6:06 ` Yi Zhang
2021-10-27 10:36 ` Shinichiro Kawasaki
2021-10-29 10:36 ` Shinichiro Kawasaki
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).