BUG: KASAN: null-ptr-deref in workingset_eviction+0xf2/0x1e0

BUG: KASAN: null-ptr-deref in workingset_eviction+0xf2/0x1e0

[Naresh Kamboju]

While running LTP syscalls ioctl_sg01 test case this kernel crash reported on
x86_64 and i386 running today's Linux next tag 20201130.

Steps to reproduce:
--------------------
# TuxMake is a command line tool and Python library that provides
# portable and repeatable Linux kernel builds across a variety of
# architectures, toolchains, kernel configurations, and make targets.
#
# TuxMake supports the concept of runtimes.
# See https://docs.tuxmake.org/runtimes/, for that to work it requires
# that you install podman or docker on your system.
#
# To install tuxmake on your system globally:
# sudo pip3 install -U tuxmake
#
# See https://docs.tuxmake.org/ for complete documentation.

# tuxmake --runtime docker --target-arch x86 --toolchain gcc-9
--kconfig defconfig --kconfig-add
https://builds.tuxbuild.com/1l0FDtgxYSNunuG5ERIXtvPjZ7R/config
# run LTP
# cd /opt/ltp
# ./runltp -s ioctl_sg01
# you see below crash

Crash log:
-----------
ioctl_sg01.c:81: TINFO: Found SCSI device /dev/sg1
[  285.862123] ==================================================================
[  285.863025] BUG: KASAN: null-ptr-deref in workingset_eviction+0xf2/0x1e0
[  285.863025] Read of size 4 at addr 00000000000000c8 by task kswapd0/245
[  285.863025]
[  285.863025] CPU: 1 PID: 245 Comm: kswapd0 Not tainted
5.10.0-rc5-next-20201130 #2
[  285.863025] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.12.0-1 04/01/2014
[  285.863025] Call Trace:
[  285.863025]  dump_stack+0xa4/0xd9
[  285.863025]  ? workingset_eviction+0xf2/0x1e0
[  285.863025]  kasan_report.cold+0x108/0x10a
[  285.863025]  ? workingset_eviction+0xf2/0x1e0
[  285.863025]  __asan_load4+0x88/0xb0
[  285.863025]  workingset_eviction+0xf2/0x1e0
[  285.863025]  ? __kasan_check_read+0x11/0x20
[  285.863025]  __remove_mapping+0x2b6/0x350
[  285.863025]  shrink_page_list+0xcfb/0x16e0
[  285.863025]  ? pageout+0x670/0x670
[  285.863025]  ? __kasan_check_write+0x14/0x20
[  285.863025]  ? shrink_inactive_list+0x2cc/0x6b0
[  285.863025]  ? shrink_lruvec+0x680/0x9b0
[  285.863025]  shrink_inactive_list+0x361/0x6b0
[  285.863025]  ? isolate_lru_pages+0x710/0x710
[  285.863025]  ? lruvec_lru_size+0xab/0x130
[  285.863025]  shrink_lruvec+0x680/0x9b0
[  285.863025]  ? shrink_active_list+0x810/0x810
[  285.863025]  ? __update_load_avg_cfs_rq+0x1b7/0x560
[  285.863025]  ? mem_cgroup_iter+0xde/0x4d0
[  285.863025]  shrink_node+0x753/0xcc0
[  285.863025]  balance_pgdat+0x42a/0x7b0
[  285.863025]  ? __node_reclaim+0x3d0/0x3d0
[  285.863025]  ? __schedule+0x6cc/0x11d0
[  285.863025]  ? find_next_bit+0x14/0x20
[  285.863025]  ? cpumask_next+0x1a/0x20
[  285.863025]  kswapd+0x3a8/0x650
[  285.863025]  ? balance_pgdat+0x7b0/0x7b0
[  285.863025]  ? _raw_spin_unlock_irqrestore+0x34/0x40
[  285.863025]  ? __kthread_parkme+0x6d/0xb0
[  285.863025]  ? wait_woken+0x120/0x120
[  285.863025]  ? __kasan_check_read+0x11/0x20
[  285.863025]  ? balance_pgdat+0x7b0/0x7b0
[  285.863025]  kthread+0x1bd/0x210
[  285.863025]  ? kthread_create_on_node+0xd0/0xd0
[  285.863025]  ret_from_fork+0x22/0x30
[  285.863025] ==================================================================
[  285.863025] Disabling lock debugging due to kernel taint
[  285.863025] BUG: kernel NULL pointer dereference, address: 00000000000000c8
[  285.863025] #PF: supervisor read access in kernel mode
[  285.863025] #PF: error_code(0x0000) - not-present page
[  285.863025] PGD 1060fd067 P4D 1060fd067 PUD 108d6e067 PMD 0
[  285.863025] Oops: 0000 [#1] SMP KASAN NOPTI
[  285.863025] CPU: 1 PID: 245 Comm: kswapd0 Tainted: G    B
  5.10.0-rc5-next-20201130 #2
[  285.863025] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.12.0-1 04/01/2014
[  285.863025] RIP: 0010:workingset_eviction+0xf2/0x1e0
[  285.863025] Code: 0f 1f 44 00 00 49 8d bf a8 02 00 00 e8 f7 ee 07
00 4d 8b a7 a8 02 00 00 0f 1f 44 00 00 49 8d bc 24 c8 00 00 00 e8 7e
ed 07 00 <41> 0f b7 94 24 c8 00 00 00 4d 8d 67 68 be 08 00 00 00 48 89
55 d0
[  285.863025] RSP: 0018:ffff8881021e7550 EFLAGS: 00010082
[  285.863025] RAX: 0000000000000001 RBX: ffffea000429c200 RCX: ffffffff980ac1d7
[  285.863025] RDX: 1ffffffff33692dc RSI: 0000000000000046 RDI: ffffffff99b496e0
[  285.863025] RBP: ffff8881021e7580 R08: 0000000000000001 R09: fffffbfff335d4d9
[  285.863025] R10: ffffffff99aea6c7 R11: fffffbfff335d4d8 R12: 0000000000000000
[  285.863025] R13: ffff88813fffa000 R14: ffff88813fffd440 R15: ffff88813fffd520
[  285.863025] FS:  0000000000000000(0000) GS:ffff88811b480000(0000)
knlGS:0000000000000000
[  285.863025] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  285.863025] CR2: 00000000000000c8 CR3: 000000010a998000 CR4: 00000000003506e0
[  285.863025] Call Trace:
[  285.863025]  ? __kasan_check_read+0x11/0x20
[  285.863025]  __remove_mapping+0x2b6/0x350
[  285.863025]  shrink_page_list+0xcfb/0x16e0
[  285.863025]  ? pageout+0x670/0x670
[  285.863025]  ? __kasan_check_write+0x14/0x20
[  285.863025]  ? shrink_inactive_list+0x2cc/0x6b0
[  285.863025]  ? shrink_lruvec+0x680/0x9b0
[  285.863025]  shrink_inactive_list+0x361/0x6b0
[  285.863025]  ? isolate_lru_pages+0x710/0x710
[  285.863025]  ? lruvec_lru_size+0xab/0x130
[  285.863025]  shrink_lruvec+0x680/0x9b0
[  285.863025]  ? shrink_active_list+0x810/0x810
[  285.863025]  ? __update_load_avg_cfs_rq+0x1b7/0x560
[  285.863025]  ? mem_cgroup_iter+0xde/0x4d0
[  285.863025]  shrink_node+0x753/0xcc0
[  285.863025]  balance_pgdat+0x42a/0x7b0
[  285.863025]  ? __node_reclaim+0x3d0/0x3d0
[  285.863025]  ? __schedule+0x6cc/0x11d0
[  285.863025]  ? find_next_bit+0x14/0x20
[  285.863025]  ? cpumask_next+0x1a/0x20
[  285.863025]  kswapd+0x3a8/0x650
[  285.863025]  ? balance_pgdat+0x7b0/0x7b0
[  285.863025]  ? _raw_spin_unlock_irqrestore+0x34/0x40
[  285.863025]  ? __kthread_parkme+0x6d/0xb0
[  285.863025]  ? wait_woken+0x120/0x120
[  285.863025]  ? __kasan_check_read+0x11/0x20
[  285.863025]  ? balance_pgdat+0x7b0/0x7b0
[  285.863025]  kthread+0x1bd/0x210
[  285.863025]  ? kthread_create_on_node+0xd0/0xd0
[  285.863025]  ret_from_fork+0x22/0x30
[  285.863025] Modules linked in: tun
[  285.863025] CR2: 00000000000000c8
[  285.863025] ---[ end trace 060018eba39c640c ]---
[  285.863025] RIP: 0010:workingset_eviction+0xf2/0x1e0
[  285.863025] Code: 0f 1f 44 00 00 49 8d bf a8 02 00 00 e8 f7 ee 07
00 4d 8b a7 a8 02 00 00 0f 1f 44 00 00 49 8d bc 24 c8 00 00 00 e8 7e
ed 07 00 <41> 0f b7 94 24 c8 00 00 00 4d 8d 67 68 be 08 00 00 00 48 89
55 d0
[  285.863025] RSP: 0018:ffff8881021e7550 EFLAGS: 00010082
[  285.863025] RAX: 0000000000000001 RBX: ffffea000429c200 RCX: ffffffff980ac1d7
[  285.863025] RDX: 1ffffffff33692dc RSI: 0000000000000046 RDI: ffffffff99b496e0
[  285.863025] RBP: ffff8881021e7580 R08: 0000000000000001 R09: fffffbfff335d4d9
[  285.863025] R10: ffffffff99aea6c7 R11: fffffbfff335d4d8 R12: 0000000000000000
[  285.863025] R13: ffff88813fffa000 R14: ffff88813fffd440 R15: ffff88813fffd520
[  285.863025] FS:  0000000000000000(0000) GS:ffff88811b480000(0000)
knlGS:0000000000000000
[  285.863025] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  285.863025] CR2: 00000000000000c8 CR3: 000000010a998000 CR4: 00000000003506e0
[  285.863025] note: kswapd0[245] exited with preempt_count 1

Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>

Full test log link,
https://lkft.validation.linaro.org/scheduler/job/1993290#L7948
https://lkft.validation.linaro.org/scheduler/job/1993236#L8528

metadata:
  git branch: master
  git repo: https://gitlab.com/Linaro/lkft/mirrors/next/linux-next
  git commit: c6b11acc5f85b6e11d128fad8e0b7b223aa7e33f
  git describe: next-20201130
  make_kernelversion: 5.10.0-rc5
  kernel-config: https://builds.tuxbuild.com/1l0FDtgxYSNunuG5ERIXtvPjZ7R/config


-- 
Linaro LKFT
https://lkft.linaro.org

Re: BUG: KASAN: null-ptr-deref in workingset_eviction+0xf2/0x1e0

[Lorenzo Stoakes]

On Mon, 30 Nov 2020 at 19:52, Naresh Kamboju <naresh.kamboju@linaro.org> wrote:
> [  285.863025] BUG: kernel NULL pointer dereference, address: 00000000000000c8

This looks to be the same as
https://lore.kernel.org/linux-mm/20201130132345.GJ17338@dhcp22.suse.cz/T/#t

Re: BUG: KASAN: null-ptr-deref in workingset_eviction+0xf2/0x1e0

[Alex Shi]

在 2020/12/1 上午3:52, Naresh Kamboju 写道:
> Crash log:
> -----------
> ioctl_sg01.c:81: TINFO: Found SCSI device /dev/sg1
> [  285.862123] ==================================================================
> [  285.863025] BUG: KASAN: null-ptr-deref in workingset_eviction+0xf2/0x1e0
> [  285.863025] Read of size 4 at addr 00000000000000c8 by task kswapd0/245

Hi Naresh,

Good to know you again. :)

Would you like to use command to check whichh line cause the panic:

scripts/faddr2line vmlinux workingset_eviction+0xf2/0x1e0

I can't reproduce it. and my gcc version mismatch with yours.

Thanks
Alex

Re: [External] Re: BUG: KASAN: null-ptr-deref in workingset_eviction+0xf2/0x1e0

[Muchun Song]

On Tue, Dec 1, 2020 at 4:02 AM Lorenzo Stoakes <lstoakes@gmail.com> wrote:
>
> On Mon, 30 Nov 2020 at 19:52, Naresh Kamboju <naresh.kamboju@linaro.org> wrote:
> > [  285.863025] BUG: kernel NULL pointer dereference, address: 00000000000000c8
>
> This looks to be the same as
> https://lore.kernel.org/linux-mm/20201130132345.GJ17338@dhcp22.suse.cz/T/#t

I am sure it is the same issue.



-- 
Yours,
Muchun

Re: BUG: KASAN: null-ptr-deref in workingset_eviction+0xf2/0x1e0

[Naresh Kamboju]

Hi Alex,

On Tue, 1 Dec 2020 at 13:14, Alex Shi <alex.shi@linux.alibaba.com> wrote:
>
>
>
> 在 2020/12/1 上午3:52, Naresh Kamboju 写道:
> > Crash log:
> > -----------
> > ioctl_sg01.c:81: TINFO: Found SCSI device /dev/sg1
> > [  285.862123] ==================================================================
> > [  285.863025] BUG: KASAN: null-ptr-deref in workingset_eviction+0xf2/0x1e0
> > [  285.863025] Read of size 4 at addr 00000000000000c8 by task kswapd0/245
>
> Hi Naresh,
>
> Good to know you again. :)

Same here :)

>
> Would you like to use command to check whichh line cause the panic:
>
> scripts/faddr2line vmlinux workingset_eviction+0xf2/0x1e0

scripts/faddr2line vmlinux workingset_eviction+0xf2/0x1e0
workingset_eviction+0xf2/0x1e0:
workingset_eviction at ??:?


vmlinux and system.map files available in this location,
https://builds.tuxbuild.com/1l0FDtgxYSNunuG5ERIXtvPjZ7R/

>
> I can't reproduce it. and my gcc version mismatch with yours.

Please run below easy steps to reproduce.
you may install docker and tuxmake.

Please share if you have any debug patch or proposed fix patch,
I would be happy to test.

Steps to reproduce:
--------------------
# TuxMake is a command line tool and Python library that provides
# portable and repeatable Linux kernel builds across a variety of
# architectures, toolchains, kernel configurations, and make targets.
#
# TuxMake supports the concept of runtimes.
# See https://docs.tuxmake.org/runtimes/, for that to work it requires
# that you install podman or docker on your system.
#
# To install tuxmake on your system globally:
# sudo pip3 install -U tuxmake
#
# See https://docs.tuxmake.org/ for complete documentation.

# tuxmake --runtime docker --target-arch x86_64 --toolchain gcc-9 \
--kconfig defconfig \
--kconfig-add https://builds.tuxbuild.com/1l0FDtgxYSNunuG5ERIXtvPjZ7R/config

# run LTP
# cd /opt/ltp
# ./runltp -s ioctl_sg01
# you see below crash

- Naresh

Re: [External] Re: BUG: KASAN: null-ptr-deref in workingset_eviction+0xf2/0x1e0

[Muchun Song]

On Tue, Dec 1, 2020 at 5:09 PM Naresh Kamboju <naresh.kamboju@linaro.org> wrote:
>
> Hi Alex,
>
> On Tue, 1 Dec 2020 at 13:14, Alex Shi <alex.shi@linux.alibaba.com> wrote:
> >
> >
> >
> > 在 2020/12/1 上午3:52, Naresh Kamboju 写道:
> > > Crash log:
> > > -----------
> > > ioctl_sg01.c:81: TINFO: Found SCSI device /dev/sg1
> > > [  285.862123] ==================================================================
> > > [  285.863025] BUG: KASAN: null-ptr-deref in workingset_eviction+0xf2/0x1e0
> > > [  285.863025] Read of size 4 at addr 00000000000000c8 by task kswapd0/245
> >
> > Hi Naresh,
> >
> > Good to know you again. :)
>
> Same here :)
>
> >
> > Would you like to use command to check whichh line cause the panic:
> >
> > scripts/faddr2line vmlinux workingset_eviction+0xf2/0x1e0
>
> scripts/faddr2line vmlinux workingset_eviction+0xf2/0x1e0
> workingset_eviction+0xf2/0x1e0:
> workingset_eviction at ??:?
>
>
> vmlinux and system.map files available in this location,
> https://builds.tuxbuild.com/1l0FDtgxYSNunuG5ERIXtvPjZ7R/
>
> >
> > I can't reproduce it. and my gcc version mismatch with yours.
>
> Please run below easy steps to reproduce.
> you may install docker and tuxmake.
>
> Please share if you have any debug patch or proposed fix patch,
> I would be happy to test.

This is the fix patch. Thanks.

https://lore.kernel.org/linux-mm/20201130132345.GJ17338@dhcp22.suse.cz/T/#m963f10e3e7f588156432131019136d53b7178bac

>
> Steps to reproduce:
> --------------------
> # TuxMake is a command line tool and Python library that provides
> # portable and repeatable Linux kernel builds across a variety of
> # architectures, toolchains, kernel configurations, and make targets.
> #
> # TuxMake supports the concept of runtimes.
> # See https://docs.tuxmake.org/runtimes/, for that to work it requires
> # that you install podman or docker on your system.
> #
> # To install tuxmake on your system globally:
> # sudo pip3 install -U tuxmake
> #
> # See https://docs.tuxmake.org/ for complete documentation.
>
> # tuxmake --runtime docker --target-arch x86_64 --toolchain gcc-9 \
> --kconfig defconfig \
> --kconfig-add https://builds.tuxbuild.com/1l0FDtgxYSNunuG5ERIXtvPjZ7R/config
>
> # run LTP
> # cd /opt/ltp
> # ./runltp -s ioctl_sg01
> # you see below crash
>
> - Naresh



-- 
Yours,
Muchun