* [bug report] blktests block/029 triggered NULL pointer on latest linux-block/for-next
From: Yi Zhang @ 2021-10-26 9:33 UTC
To: linux-block; +Cc: Jens Axboe

Hello

Below NULL pointer was triggered[2] with blktests block/029 on latest
linux-block/for-next, pls check it.

[1]
9b3b463f3955 (HEAD -> for-next, origin/for-next) Merge branch 'for-5.16/block' into for-next

[2]
[ 110.508269] run blktests block/029 at 2021-10-26 05:29:11
[ 110.535182] null_blk: module loaded
[ 110.674174] Kernel attempted to read user page (d8) - exploit attempt? (uid: 0)
[ 110.674212] BUG: Kernel NULL pointer dereference on read at 0x000000d8
[ 110.674236] Faulting instruction address: 0xc0000000009414c4
[ 110.674251] Oops: Kernel access of bad area, sig: 11 [#1]
[ 110.674272] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV
[ 110.674308] Modules linked in: null_blk rfkill sunrpc joydev ofpart ses enclosure scsi_transport_sas i40e at24 powernv_flash mtd tpm_i2c_nuvoton regmap_i2c ipmi_powernv rtc_opal crct10dif_vpmsum opal_prd ipmi_devintf i2c_opal ipmi_msghandler fuse zram ip_tables xfs ast i2c_algo_bit drm_vram_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec drm_ttm_helper ttm drm vmx_crypto crc32c_vpmsum i2c_core aacraid drm_panel_orientation_quirks
[ 110.674485] CPU: 60 PID: 3469 Comm: check Not tainted 5.15.0-rc6+ #3
[ 110.674520] NIP: c0000000009414c4 LR: c000000000941638 CTR: 0000000000000000
[ 110.674556] REGS: c00000003aea77c0 TRAP: 0300 Not tainted (5.15.0-rc6+)
[ 110.674580] MSR: 900000000280b033 <SF,HV,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 84428482 XER: 00000006
[ 110.674634] CFAR: c000000000941648 DAR: 00000000000000d8 DSISR: 40000000 IRQMASK: 0
[ 110.674634] GPR00: c000000000941638 c00000003aea7a60 c0000000028a9a00 c00000001ad8a8c0
[ 110.674634] GPR04: c000000089287e00 0000000000000001 00000000ffffffff ffffffffffffffff
[ 110.674634] GPR08: 00000000000000d8 0000000000000000 00000000000000d8 0000000000000400
[ 110.674634] GPR12: 0000000000008000 c000000ffff9e600 c00000001ac416c0 0000000000000000
[ 110.674634] GPR16: 0000000000000001 0000000000000001 0000000000000000 c009dfffff94f300
[ 110.674634] GPR20: 0000000000000000 0000000000000000 c0000000028e72b8 c0000000028e78a0
[ 110.674634] GPR24: 0000000000000001 0000000000000008 c0000000aaa53838 c009dfffff94f388
[ 110.674634] GPR28: c00000009d527698 c009dfffff94f3a0 0000000000000002 c0000000aaa53858
[ 110.674942] NIP [c0000000009414c4] blk_mq_map_swqueue+0x1a4/0x490
[ 110.674982] LR [c000000000941638] blk_mq_map_swqueue+0x318/0x490
[ 110.675021] Call Trace:
[ 110.675038] [c00000003aea7a60] [c000000000941638] blk_mq_map_swqueue+0x318/0x490 (unreliable)
[ 110.675080] [c00000003aea7b10] [c0000000009420e4] blk_mq_update_nr_hw_queues+0x244/0x480
[ 110.675128] [c00000003aea7bd0] [c00800000f3e2d60] nullb_device_submit_queues_store+0x98/0x120 [null_blk]
[ 110.675182] [c00000003aea7c20] [c000000000648aa8] configfs_write_iter+0x118/0x1e0
[ 110.675224] [c00000003aea7c70] [c000000000521494] new_sync_write+0x124/0x1b0
[ 110.675281] [c00000003aea7d10] [c000000000524794] vfs_write+0x2c4/0x390
[ 110.675299] [c00000003aea7d60] [c000000000524b08] ksys_write+0x78/0x130
[ 110.675316] [c00000003aea7db0] [c00000000002d648] system_call_exception+0x188/0x360
[ 110.675335] [c00000003aea7e10] [c00000000000c1e8] system_call_vectored_common+0xe8/0x278
[ 110.675355] --- interrupt: 3000 at 0x7fffa1aefee4
[ 110.675367] NIP: 00007fffa1aefee4 LR: 0000000000000000 CTR: 0000000000000000
[ 110.675393] REGS: c00000003aea7e80 TRAP: 3000 Not tainted (5.15.0-rc6+)
[ 110.675429] MSR: 900000000280f033 <SF,HV,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 48422488 XER: 00000000
[ 110.675482] IRQMASK: 0
[ 110.675482] GPR00: 0000000000000004 00007fffc592dd30 00007fffa1be7000 0000000000000001
[ 110.675482] GPR04: 0000000143297fc0 0000000000000002 0000000000000010 00000001432bd791
[ 110.675482] GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[ 110.675482] GPR12: 0000000000000000 00007fffa1d2afa0 0000000000000000 0000000000000000
[ 110.675482] GPR16: 000000010dfd87b8 000000010dfd94d4 0000000020000000 000000010deeae80
[ 110.675482] GPR20: 0000000000000000 00007fffc592df54 000000010df83128 000000010dfd89bc
[ 110.675482] GPR24: 000000010dfd8a50 0000000000000000 0000000143297fc0 0000000000000002
[ 110.675482] GPR28: 0000000000000002 00007fffa1be16d8 0000000143297fc0 0000000000000002
[ 110.675718] NIP [00007fffa1aefee4] 0x7fffa1aefee4
[ 110.675750] LR [0000000000000000] 0x0
[ 110.675769] --- interrupt: 3000
[ 110.675789] Instruction dump:
[ 110.675798] 2c290000 41820168 e91c0600 7bc926e4 e95c0048 7d28482a 7d29a82e 79291f24
[ 110.675845] 7d2a482a f93d0000 390900d8 7d489214 <7d08a02a> 7d088839 4082004c 7d0050a8
[ 110.675885] ---[ end trace b9b604499c6b5b71 ]---
[ 110.814135]
[ 111.814148] Kernel panic - not syncing: Fatal exception
[ 113.674122] ---[ end Kernel panic - not syncing: Fatal exception ]---

-- 
Best Regards,
Yi Zhang

* Re: [bug report] blktests block/029 triggered NULL pointer on latest linux-block/for-next
From: Jens Axboe @ 2021-10-26 14:44 UTC
To: Yi Zhang, linux-block

On 10/26/21 3:33 AM, Yi Zhang wrote:
> Hello
>
> Below NULL pointer was triggered[2] with blktests block/029 on latest
> linux-block/for-next, pls check it.

Should be fixed in my current for-next branch.

-- 
Jens Axboe

* Re: [bug report] blktests block/029 triggered NULL pointer on latest linux-block/for-next
From: Yi Zhang @ 2021-10-27 6:06 UTC
To: Jens Axboe; +Cc: linux-block

Hi Jens

It still can be reproduced with the latest for-next update below, and
it's 100% reproduced on my x86_64 environment.

7c5835a8640c (HEAD -> for-next, origin/for-next) Merge branch 'for-5.16/scsi-ma' into for-next

On Tue, Oct 26, 2021 at 10:44 PM Jens Axboe <axboe@kernel.dk> wrote:
> Should be fixed in my current for-next branch.
>
> --
> Jens Axboe

-- 
Best Regards,
Yi Zhang

* Re: [bug report] blktests block/029 triggered NULL pointer on latest linux-block/for-next
From: Shinichiro Kawasaki @ 2021-10-27 10:36 UTC
To: Yi Zhang; +Cc: Jens Axboe, linux-block, Damien Le Moal

On Oct 27, 2021 / 14:06, Yi Zhang wrote:
> Hi Jens
>
> It still can be reproduced with the latest for-next update below, and
> it's 100% reproduced on my x86_64 environment.
>
> 7c5835a8640c (HEAD -> for-next, origin/for-next) Merge branch
> 'for-5.16/scsi-ma' into for-next

I also observe the null-ptr-deref during blktests block/029 run, using
for-next branch tip, git hash 7c5835a8640c. With my configuration, KASAN
reported null-ptr-deref in blk_mq_map_swqueue().

I bisected and found that the commit 0a593fbbc245 ("null_blk: poll queue
support") triggers it. Reverting this commit from the tip of for-next
branch, the KASAN null-ptr-deref message was not observed.

-- 
Best Regards,
Shin'ichiro Kawasaki

* Re: [bug report] blktests block/029 triggered NULL pointer on latest linux-block/for-next
From: Shinichiro Kawasaki @ 2021-10-29 10:36 UTC
To: Yi Zhang; +Cc: Jens Axboe, linux-block, Damien Le Moal

On Oct 27, 2021 / 10:36, Shinichiro Kawasaki wrote:
> On Oct 27, 2021 / 14:06, Yi Zhang wrote:
> > Hi Jens
> >
> > It still can be reproduced with the latest for-next update below, and
> > it's 100% reproduced on my x86_64 environment.
> >
> > 7c5835a8640c (HEAD -> for-next, origin/for-next) Merge branch
> > 'for-5.16/scsi-ma' into for-next
>
> I also observe the null-ptr-deref during blktests block/029 run, using
> for-next branch tip, git hash 7c5835a8640c. With my configuration, KASAN
> reported null-ptr-deref in blk_mq_map_swqueue().
>
> I bisected and found that the commit 0a593fbbc245 ("null_blk: poll queue
> support") triggers it. Reverting this commit from the tip of for-next
> branch, the KASAN null-ptr-deref message was not observed.

The test case block/029 changes
/sys/kernel/config/nullb/nullb0/submit_queues. When the submit_queues
value changes, nr_hw_queue is updated without counting the number of
poll_queues. Another test case block/030 also changes the number of
submit queues, and shows the same failure symptom. I also tried to change
/sys/kernel/config/nullb/nullb0/poll_queues value, and observed the same
failure. So, null_blk needs a fix for handling of these attributes.

I have created a fix patch and confirmed that the patch avoids the
null-ptr-deref. Will post the patch to linux-block list. Review will be
appreciated.

-- 
Best Regards,
Shin'ichiro Kawasaki

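
An added illustration, not code from the thread, the fix patch or the kernel: a userspace C model of the accounting problem described in the last message, where the hardware-queue count is resized from submit_queues alone while the poll mapping still refers to poll queues. Every struct and function name is hypothetical, and the model assumes poll queues are indexed after the submit queues; its lookup is bounds-checked so the mismatch is counted instead of dereferenced.

```c
/* Userspace model of the queue accounting described in the thread.
 * Not kernel code: every struct and function name here is hypothetical. */
#include <stdio.h>
#include <stdlib.h>

#define NR_CPUS 8

struct hw_ctx { unsigned int index; };

struct tag_set {
    unsigned int nr_hw_queues;          /* contexts actually allocated */
    struct hw_ctx *hctx;                /* nr_hw_queues valid entries */
    unsigned int default_map[NR_CPUS];  /* CPU -> context index, normal I/O */
    unsigned int poll_map[NR_CPUS];     /* CPU -> context index, polled I/O */
};

struct dev_cfg { unsigned int submit_queues, poll_queues; };

/* Drop all contexts, then allocate exactly nr new ones. */
static int set_resize(struct tag_set *set, unsigned int nr)
{
    free(set->hctx);
    set->nr_hw_queues = 0;
    set->hctx = calloc(nr ? nr : 1, sizeof(*set->hctx));
    if (!set->hctx)
        return -1;
    for (unsigned int i = 0; i < nr; i++)
        set->hctx[i].index = i;
    set->nr_hw_queues = nr;
    return 0;
}

/* Model assumption: poll contexts are indexed after the submit contexts. */
static void map_queues(struct tag_set *set, const struct dev_cfg *cfg)
{
    for (unsigned int cpu = 0; cpu < NR_CPUS; cpu++) {
        set->default_map[cpu] = cpu % cfg->submit_queues;
        set->poll_map[cpu] = cfg->poll_queues
            ? cfg->submit_queues + cpu % cfg->poll_queues
            : set->default_map[cpu];
    }
}

/* Bounds-checked lookup: NULL means the map names a context that is absent. */
static struct hw_ctx *lookup(const struct tag_set *set, unsigned int idx)
{
    return idx < set->nr_hw_queues ? &set->hctx[idx] : NULL;
}

/* Number of CPUs with at least one mapping that resolves to no context. */
static int count_dangling(const struct tag_set *set)
{
    int bad = 0;
    for (unsigned int cpu = 0; cpu < NR_CPUS; cpu++)
        if (!lookup(set, set->default_map[cpu]) ||
            !lookup(set, set->poll_map[cpu]))
            bad++;
    return bad;
}

/* Create a device, change submit_queues to new_submit, report dangling CPUs.
 * count_poll == 0 resizes from submit_queues alone (the accounting the thread
 * describes); count_poll != 0 resizes for submit_queues + poll_queues. */
int dangling_after_update(unsigned int submit, unsigned int poll,
                          unsigned int new_submit, int count_poll)
{
    struct tag_set set = {0};
    struct dev_cfg cfg = { submit, poll };
    int bad = -1;

    if (submit == 0 || new_submit == 0)
        return -1;                      /* a device needs a submit queue */
    if (set_resize(&set, cfg.submit_queues + cfg.poll_queues) == 0) {
        map_queues(&set, &cfg);         /* consistent initial state */
        cfg.submit_queues = new_submit;
        if (set_resize(&set, new_submit + (count_poll ? poll : 0)) == 0) {
            map_queues(&set, &cfg);
            bad = count_dangling(&set);
        }
    }
    free(set.hctx);
    return bad;
}

int main(void)
{
    printf("poll_queues not counted: %d dangling CPUs\n",
           dangling_after_update(2, 2, 1, 0));
    printf("poll_queues counted:     %d dangling CPUs\n",
           dangling_after_update(2, 2, 1, 1));
    return 0;
}
```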