Subject: [linux-next:master] [mm/mremap] c1cda7af3f: Oops:general_protection_fault,probably_for_non-canonical_address#:#[##]PREEMPT_SMP_KASAN
From: kernel test robot @ 2025-03-10 5:27 UTC
To: Lorenzo Stoakes
Cc: oe-lkp, lkp, Andrew Morton, Harry Yoo, Jann Horn, Liam Howlett,
Vlastimil Babka, Yosry Ahmed, linux-mm, oliver.sang
Hello,
kernel test robot noticed "Oops:general_protection_fault,probably_for_non-canonical_address#:#[##]PREEMPT_SMP_KASAN" on:
commit: c1cda7af3fc96879b4b2d217b1e8a4ab5fa70df5 ("mm/mremap: introduce and use vma_remap_struct threaded state")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
[test failed on linux-next/master 0a2f889128969dab41861b6e40111aa03dc57014]
in testcase: trinity
version: trinity-x86_64-ba2360ed-1_20241228
with following parameters:
runtime: 300s
group: group-01
nr_groups: 5
config: x86_64-randconfig-161-20250305
compiler: gcc-12
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
(please refer to attached dmesg/kmsg for entire log/backtrace)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202503101328.442cc724-lkp@intel.com
[ 386.012648][T30778] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000004: 0000 [#1] PREEMPT SMP KASAN
[ 386.013652][T30778] KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]
[ 386.014339][T30778] CPU: 0 UID: 65534 PID: 30778 Comm: trinity-c2 Not tainted 6.14.0-rc3-00386-gc1cda7af3fc9 #1 678ccffbca77f1cea62114cb252a9002fbee4b41
[ 386.015339][T30778] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[386.016126][T30778] RIP: 0010:resize_is_valid (kbuild/src/consumer/mm/mremap.c:1010 (discriminator 1))
[ 386.016591][T30778] Code: 00 74 05 e8 7d 4a 07 00 4d 85 ff 4c 8b 73 10 0f 85 f2 00 00 00 49 8d 7c 24 20 b8 ff ff 37 00 48 c1 e0 2a 48 89 fa 48 c1 ea 03 <80> 3c 02 00 74 05 e8 50 4a 07 00 41 f6 44 24 20 88 75 6a 80 3d b4
All code
========
0: 00 74 05 e8 add %dh,-0x18(%rbp,%rax,1)
4: 7d 4a jge 0x50
6: 07 (bad)
7: 00 4d 85 add %cl,-0x7b(%rbp)
a: ff 4c 8b 73 decl 0x73(%rbx,%rcx,4)
e: 10 0f adc %cl,(%rdi)
10: 85 f2 test %esi,%edx
12: 00 00 add %al,(%rax)
14: 00 49 8d add %cl,-0x73(%rcx)
17: 7c 24 jl 0x3d
19: 20 b8 ff ff 37 00 and %bh,0x37ffff(%rax)
1f: 48 c1 e0 2a shl $0x2a,%rax
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
2a:* 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2e: 74 05 je 0x35
30: e8 50 4a 07 00 call 0x74a85
35: 41 f6 44 24 20 88 testb $0x88,0x20(%r12)
3b: 75 6a jne 0xa7
3d: 80 .byte 0x80
3e: 3d .byte 0x3d
3f: b4 .byte 0xb4
Code starting with the faulting instruction
===========================================
0: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
4: 74 05 je 0xb
6: e8 50 4a 07 00 call 0x74a5b
b: 41 f6 44 24 20 88 testb $0x88,0x20(%r12)
11: 75 6a jne 0x7d
13: 80 .byte 0x80
14: 3d .byte 0x3d
15: b4 .byte 0xb4
[ 386.018009][T30778] RSP: 0018:ffffc900088f7a78 EFLAGS: 00010202
[ 386.018494][T30778] RAX: dffffc0000000000 RBX: ffffc900088f7c08 RCX: 1ffff9200111ef89
[ 386.019127][T30778] RDX: 0000000000000004 RSI: ffffffff848b6760 RDI: 0000000000000020
[ 386.019764][T30778] RBP: ffffc900088f7aa8 R08: fffffbfff105c033 R09: 0000000000000000
[ 386.020395][T30778] R10: ffffffff8146f920 R11: fffffbfff105c032 R12: 0000000000000000
[ 386.021032][T30778] R13: 0000000000400000 R14: 0000000000001000 R15: 0000000000000000
[ 386.021676][T30778] FS: 00007f012ebf1740(0000) GS:ffff8883aec00000(0000) knlGS:0000000000000000
[ 386.022767][T30778] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 386.023585][T30778] CR2: 00007f012e8a2efc CR3: 0000000102319000 CR4: 00000000000406b0
[ 386.024598][T30778] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 386.025614][T30778] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 386.026665][T30778] Call Trace:
[ 386.027160][T30778] <TASK>
[386.027624][T30778] ? show_regs (kbuild/src/consumer/arch/x86/kernel/dumpstack.c:479)
[386.028222][T30778] ? __die_body (kbuild/src/consumer/arch/x86/kernel/dumpstack.c:421)
[386.028816][T30778] ? die_addr (kbuild/src/consumer/arch/x86/kernel/dumpstack.c:455)
[386.029399][T30778] ? exc_general_protection (kbuild/src/consumer/arch/x86/kernel/traps.c:751 kbuild/src/consumer/arch/x86/kernel/traps.c:693)
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20250310/202503101328.442cc724-lkp@intel.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
Subject: Re: [linux-next:master] [mm/mremap] c1cda7af3f: Oops:general_protection_fault,probably_for_non-canonical_address#:#[##]PREEMPT_SMP_KASAN
From: Lorenzo Stoakes @ 2025-03-10 10:00 UTC
To: kernel test robot
Cc: oe-lkp, lkp, Andrew Morton, Harry Yoo, Jann Horn, Liam Howlett,
Vlastimil Babka, Yosry Ahmed, linux-mm
On Mon, Mar 10, 2025 at 01:27:06PM +0800, kernel test robot wrote:
>
>
> Hello,
>
> kernel test robot noticed "Oops:general_protection_fault,probably_for_non-canonical_address#:#[##]PREEMPT_SMP_KASAN" on:
>
> commit: c1cda7af3fc96879b4b2d217b1e8a4ab5fa70df5 ("mm/mremap: introduce and use vma_remap_struct threaded state")
> https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
>
> [test failed on linux-next/master 0a2f889128969dab41861b6e40111aa03dc57014]
>
> in testcase: trinity
> version: trinity-x86_64-ba2360ed-1_20241228
> with following parameters:
>
> runtime: 300s
> group: group-01
> nr_groups: 5
>
>
>
> config: x86_64-randconfig-161-20250305
> compiler: gcc-12
> test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
>
> (please refer to attached dmesg/kmsg for entire log/backtrace)
>
>
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <oliver.sang@intel.com>
> | Closes: https://lore.kernel.org/oe-lkp/202503101328.442cc724-lkp@intel.com
>
>
> [ 386.012648][T30778] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000004: 0000 [#1] PREEMPT SMP KASAN
> [ 386.013652][T30778] KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]
> [ 386.014339][T30778] CPU: 0 UID: 65534 PID: 30778 Comm: trinity-c2 Not tainted 6.14.0-rc3-00386-gc1cda7af3fc9 #1 678ccffbca77f1cea62114cb252a9002fbee4b41
> [ 386.015339][T30778] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> [386.016126][T30778] RIP: 0010:resize_is_valid (kbuild/src/consumer/mm/mremap.c:1010 (discriminator 1))
This is:
if (!old_len && !(vma->vm_flags & (VM_SHARED | VM_MAYSHARE))) {
So this suggests that vma is NULL.
I think the problem we have is we first invalidate the VMA (to avoid dangling
pointer), then re-lookup the VMA in a couple places.
In each of those we should be checking for !vma and returning -EFAULT.
Thanks for the report, will send a patch shortly!
> [ 386.026665][T30778] Call Trace:
> [ 386.027160][T30778] <TASK>
> [386.027624][T30778] ? show_regs (kbuild/src/consumer/arch/x86/kernel/dumpstack.c:479)
> [386.028222][T30778] ? __die_body (kbuild/src/consumer/arch/x86/kernel/dumpstack.c:421)
> [386.028816][T30778] ? die_addr (kbuild/src/consumer/arch/x86/kernel/dumpstack.c:455)
> [386.029399][T30778] ? exc_general_protection (kbuild/src/consumer/arch/x86/kernel/traps.c:751 kbuild/src/consumer/arch/x86/kernel/traps.c:693)
Rest of stack:
[ 386.030146][T30778] ? asm_exc_general_protection+0x2b/0x30
[ 386.030892][T30778] ? lock_release+0x10f/0x275
[ 386.031534][T30778] ? resize_is_valid+0xf0/0x39b
[ 386.032193][T30778] mremap_to+0x3a2/0x5d1
[ 386.032781][T30778] do_mremap+0x74d/0x9ef
[ 386.033401][T30778] ? __this_cpu_preempt_check+0x17/0x19
[ 386.034138][T30778] __do_sys_mremap+0xf6/0x11c
[ 386.034773][T30778] ? do_mremap+0x9ef/0x9ef
[ 386.035426][T30778] ? find_held_lock+0x34/0x103
[ 386.036128][T30778] ? __lock_release+0x111/0x393
[ 386.036959][T30778] __x64_sys_mremap+0xd4/0xdf
[ 386.037736][T30778] x64_sys_call+0x13ef/0x1eb0
[ 386.038483][T30778] do_syscall_64+0x144/0x1a4
[ 386.039206][T30778] ? lockdep_hardirqs_on+0xe5/0x110
[ 386.039988][T30778] ? syscall_exit_to_user_mode+0x108/0x10f
[ 386.040783][T30778] ? do_syscall_64+0x151/0x1a4
[ 386.041462][T30778] ? debug_smp_processor_id+0x1b/0x1d
[ 386.042213][T30778] ? do_syscall_64+0x151/0x1a4
[ 386.042916][T30778] ? __this_cpu_preempt_check+0x17/0x19
[ 386.043717][T30778] ? lockdep_hardirqs_on+0xe5/0x110
[ 386.044456][T30778] ? syscall_exit_to_user_mode+0x108/0x10f
[ 386.045239][T30778] ? do_syscall_64+0x151/0x1a4
[ 386.045923][T30778] ? syscall_exit_to_user_mode+0x108/0x10f
[ 386.046770][T30778] ? do_syscall_64+0x151/0x1a4
[ 386.047499][T30778] ? debug_smp_processor_id+0x1b/0x1d
[ 386.048299][T30778] ? do_syscall_64+0x151/0x1a4
[ 386.049008][T30778] ? __this_cpu_preempt_check+0x17/0x19
[ 386.049812][T30778] ? lockdep_hardirqs_on+0xe5/0x110
[ 386.050626][T30778] ? syscall_exit_to_user_mode+0x108/0x10f
[ 386.051482][T30778] ? do_syscall_64+0x151/0x1a4
[ 386.052185][T30778] ? irqentry_exit_to_user_mode+0xfe/0x105
[ 386.052983][T30778] ? irqentry_exit+0x39/0x7f
[ 386.053648][T30778] ? exc_page_fault+0xe6/0xef
[ 386.054345][T30778] entry_SYSCALL_64_after_hwframe+0x4b/0x53
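The invalidate-then-relookup pattern Lorenzo describes, as an added userspace model in C (constructed for this thread, not kernel code and not his patch): a threaded state struct caches a VMA pointer, drops it, looks the VMA up again, and the checked form of the resize_is_valid condition returns -EFAULT when that lookup yields NULL. The struct fields, the array-backed VMA lookup and the -EINVAL result for the private zero-length case are assumptions.

```c
/* Constructed userspace model (not kernel code) of the pattern in the reply
 * above: the mremap threaded state caches a VMA pointer, invalidates it to
 * avoid a dangling pointer, then re-looks it up; since the lookup can return
 * NULL, the check must run before the pointer is dereferenced. */
#include <stddef.h>
#include <errno.h>

#define VM_SHARED   0x08UL   /* bit values as in the kernel's mm.h */
#define VM_MAYSHARE 0x80UL

struct vm_area_struct { unsigned long vm_start, vm_end, vm_flags; };
/* Stand-in for the mm's VMA tree: a sorted array (assumed, not a maple tree). */
struct mm_model { struct vm_area_struct *vmas; size_t nr; };
/* Stand-in for vma_remap_struct; the field set is an assumption. */
struct vma_remap_struct {
    unsigned long addr, old_len, new_len;
    struct vm_area_struct *vma;   /* NULL once invalidated or not found */
};

/* find_vma()-like lookup: first VMA whose vm_end lies above addr, else NULL. */
static struct vm_area_struct *model_find_vma(struct mm_model *mm, unsigned long addr)
{
    for (size_t i = 0; i < mm->nr; i++)
        if (mm->vmas[i].vm_end > addr)
            return &mm->vmas[i];
    return NULL;
}

/* Checked form of the condition at mremap.c:1010 in the report: guard NULL
 * first (-EFAULT, as the reply proposes), then apply the flags test. */
static int resize_is_valid_checked(const struct vma_remap_struct *vrm)
{
    const struct vm_area_struct *vma = vrm->vma;
    if (!vma)
        return -EFAULT;
    if (!vrm->old_len && !(vma->vm_flags & (VM_SHARED | VM_MAYSHARE)))
        return -EINVAL;   /* assumed result for the private zero-length case */
    return 0;
}

/* The sequence the reply describes: invalidate the cached pointer, re-look up
 * the VMA at vrm->addr, then validate. With addr outside every VMA the
 * re-lookup yields NULL and the guard turns a NULL dereference into -EFAULT. */
int model_mremap_check(struct vma_remap_struct *vrm, struct mm_model *mm)
{
    vrm->vma = NULL;                          /* invalidate, avoid dangling pointer */
    vrm->vma = model_find_vma(mm, vrm->addr); /* re-lookup, may be NULL */
    return resize_is_valid_checked(vrm);
}
```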