Greeting,
FYI, we noticed the following commit (built with gcc-9):
commit: ef446f19e7249c44e8088d49a1042f5d37edc6d2 ("driver core: Add dma_cleanup callback in bus_type")
https://github.com/luxis1999/iommufd iommufd-v5.16-rc3
in testcase: boot
on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):
+---------------------------------------------+------------+------------+
|                                             | 54e936574b | ef446f19e7 |
+---------------------------------------------+------------+------------+
| boot_successes                              | 22         | 0          |
| boot_failures                               | 0          | 20         |
| BUG:kernel_NULL_pointer_dereference,address | 0          | 20         |
| Oops:#[##]                                  | 0          | 20         |
| EIP:device_release_driver_internal          | 0          | 20         |
| Kernel_panic-not_syncing:Fatal_exception    | 0          | 20         |
+---------------------------------------------+------------+------------+
If you fix the issue, kindly add the following tag:
Reported-by: kernel test robot <oliver.sang(a)intel.com>
[ 118.619747][ T1] BUG: kernel NULL pointer dereference, address: 00000048
[ 118.620877][ T1] #PF: supervisor read access in kernel mode
[ 118.621799][ T1] #PF: error_code(0x0000) - not-present page
[ 118.622312][ T1] *pdpt = 0000000000000000 *pde = f000ff53f000ff53
[ 118.622312][ T1] Oops: 0000 [#1] PREEMPT SMP PTI
[ 118.622312][ T1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.16.0-rc3-00003-gef446f19e724 #1
[ 118.622312][ T1] EIP: device_release_driver_internal (drivers/base/dd.c:1209 drivers/base/dd.c:1241)
[ 118.622312][ T1] Code: 80 ff ff 8b 57 3c 89 d8 e8 ff 7c ff ff 8b 43 34 85 c0 0f 84 c4 00 00 00 8b 50 28 85 d2 0f 84 b9 00 00 00 89 d8 ff d2 8b 43 34 <8b> 50 48 85 d2 74 04 89 d8 ff d2 89 d8 e8 50 ac ff ff 89 d8 e8 c9
All code
========
0: 80 ff ff cmp $0xff,%bh
3: 8b 57 3c mov 0x3c(%rdi),%edx
6: 89 d8 mov %ebx,%eax
8: e8 ff 7c ff ff callq 0xffffffffffff7d0c
d: 8b 43 34 mov 0x34(%rbx),%eax
10: 85 c0 test %eax,%eax
12: 0f 84 c4 00 00 00 je 0xdc
18: 8b 50 28 mov 0x28(%rax),%edx
1b: 85 d2 test %edx,%edx
1d: 0f 84 b9 00 00 00 je 0xdc
23: 89 d8 mov %ebx,%eax
25: ff d2 callq *%rdx
27: 8b 43 34 mov 0x34(%rbx),%eax
2a:* 8b 50 48 mov 0x48(%rax),%edx <-- trapping instruction
2d: 85 d2 test %edx,%edx
2f: 74 04 je 0x35
31: 89 d8 mov %ebx,%eax
33: ff d2 callq *%rdx
35: 89 d8 mov %ebx,%eax
37: e8 50 ac ff ff callq 0xffffffffffffac8c
3c: 89 d8 mov %ebx,%eax
3e: e8 .byte 0xe8
3f: c9 leaveq
Code starting with the faulting instruction
===========================================
0: 8b 50 48 mov 0x48(%rax),%edx
3: 85 d2 test %edx,%edx
5: 74 04 je 0xb
7: 89 d8 mov %ebx,%eax
9: ff d2 callq *%rdx
b: 89 d8 mov %ebx,%eax
d: e8 50 ac ff ff callq 0xffffffffffffac62
12: 89 d8 mov %ebx,%eax
14: e8 .byte 0xe8
15: c9 leaveq
[ 118.622312][ T1] EAX: 00000000 EBX: 84e0e000 ECX: 000002ce EDX: 00000000
[ 118.622312][ T1] ESI: 00000000 EDI: 9798a714 EBP: 81119e70 ESP: 81119e64
[ 118.622312][ T1] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00010246
[ 118.622312][ T1] CR0: 80050033 CR2: 00000048 CR3: 17d06000 CR4: 000006b0
[ 118.622312][ T1] Call Trace:
[ 118.622312][ T1] device_release_driver (drivers/base/dd.c:1265)
[ 118.622312][ T1] mac80211_hwsim_new_radio (drivers/net/wireless/mac80211_hwsim.c:3533)
[ 118.622312][ T1] ? mac80211_hwsim_new_radio (include/linux/rcupdate.h:720 include/net/netns/generic.h:47 drivers/net/wireless/mac80211_hwsim.c:270 drivers/net/wireless/mac80211_hwsim.c:3452)
[ 118.622312][ T1] init_mac80211_hwsim (drivers/net/wireless/mac80211_hwsim.c:4706)
[ 118.622312][ T1] ? hwsim_init_net (drivers/net/wireless/mac80211_hwsim.c:4591)
[ 118.622312][ T1] do_one_initcall (init/main.c:1297)
[ 118.622312][ T1] ? rcu_read_lock_sched_held (include/linux/lockdep.h:283 kernel/rcu/update.c:125)
[ 118.622312][ T1] kernel_init_freeable (init/main.c:1369 init/main.c:1386 init/main.c:1405 init/main.c:1610)
[ 118.622312][ T1] ? rest_init (init/main.c:1491)
[ 118.622312][ T1] kernel_init (init/main.c:1501)
[ 118.622312][ T1] ? schedule_tail_wrapper (arch/x86/entry/entry_32.S:740)
[ 118.622312][ T1] ret_from_fork (arch/x86/entry/entry_32.S:775)
[ 118.622312][ T1] Modules linked in:
[ 118.622312][ T1] CR2: 0000000000000048
[ 118.622312][ T1] ---[ end trace ef61ac6e9c41aa4e ]---
[ 118.622312][ T1] EIP: device_release_driver_internal (drivers/base/dd.c:1209 drivers/base/dd.c:1241)
[ 118.622312][ T1] Code: 80 ff ff 8b 57 3c 89 d8 e8 ff 7c ff ff 8b 43 34 85 c0 0f 84 c4 00 00 00 8b 50 28 85 d2 0f 84 b9 00 00 00 89 d8 ff d2 8b 43 34 <8b> 50 48 85 d2 74 04 89 d8 ff d2 89 d8 e8 50 ac ff ff 89 d8 e8 c9
To reproduce:
# build kernel
cd linux
cp config-5.16.0-rc3-00003-gef446f19e724 .config
make HOSTCC=gcc-9 CC=gcc-9 ARCH=i386 olddefconfig prepare modules_prepare bzImage modules
make HOSTCC=gcc-9 CC=gcc-9 ARCH=i386 INSTALL_MOD_PATH=<mod-install-dir> modules_install
cd <mod-install-dir>
find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email
# if you come across any failure that blocks the test,
# please remove ~/.lkp and /lkp dir to run from a clean state.
---
0DAY/LKP+ Test Infrastructure Open Source Technology Center
https://lists.01.org/hyperkitty/list/lkp@lists.01.org Intel Corporation
Thanks,
Oliver Sang