Hello,

kernel test robot noticed "BUG:KASAN:null-ptr-deref_in_perf_mmap_to_page" on:

commit: eca51ce01d4956ab4b8f06bb55c031f4913fffcb ("perf: Map pages in advance")
https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git perf/core

[test failed on linux-next/master ebe1b11614e079c5e366ce9bd3c8f44ca0fbcc1b]

in testcase: perf-event-tests
version: perf-event-tests-x86_64-a052241-1_20241102
with following parameters:

	paranoid: not_paranoid_at_all



config: x86_64-rhel-9.4-bpf
compiler: gcc-12
test machine: 4 threads Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (Skylake) with 32G memory

(please refer to attached dmesg/kmsg for entire log/backtrace)



If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202412082200.aefeb02-lkp@intel.com


[ 307.127855][ T2618] BUG: KASAN: null-ptr-deref in perf_mmap_to_page (kernel/events/ring_buffer.c:950)
[  307.127867][ T2618] Read of size 4 at addr 0000000000000178 by task record_mmap/2618
[  307.127872][ T2618]
[  307.133120][  T298]
[  307.140280][ T2618] CPU: 0 UID: 0 PID: 2618 Comm: record_mmap Not tainted 6.13.0-rc1-00027-geca51ce01d49 #1
[  307.140287][ T2618] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.8.1 12/05/2017
[  307.140291][ T2618] Call Trace:
[  307.140294][ T2618]  <TASK>
[ 307.140297][ T2618] dump_stack_lvl (lib/dump_stack.c:124)
[  307.149632][  T298]     Testing PERF_RECORD_FORK...                                PASSED
[ 307.150214][ T2618] kasan_report (mm/kasan/report.c:604)
[ 307.150226][ T2618] ? perf_mmap_to_page (kernel/events/ring_buffer.c:950)
[  307.152429][  T298]
[ 307.162112][ T2618] perf_mmap_to_page (kernel/events/ring_buffer.c:950)
[ 307.162122][ T2618] perf_mmap (kernel/events/core.c:6579 kernel/events/core.c:6819)
[ 307.162135][ T2618] ? __init_rwsem (arch/x86/include/asm/atomic.h:28 include/linux/atomic/atomic-arch-fallback.h:503 include/linux/atomic/atomic-instrumented.h:68 include/linux/osq_lock.h:25 kernel/locking/rwsem.c:326)
[  307.171025][  T298]   + tests/record_sample/record_mmap
[ 307.173349][ T2618] __mmap_new_vma (include/linux/fs.h:2183 mm/internal.h:124 mm/vma.c:2291 mm/vma.c:2355)
[ 307.173364][ T2618] __mmap_region (mm/vma.c:2457)
[  307.176222][  T298]
[ 307.180519][ T2618] ? __pfx___mmap_region (mm/vma.c:2436)
[ 307.180526][ T2618] ? lock_is_held_type (kernel/locking/lockdep.c:5590 kernel/locking/lockdep.c:5921)
[ 307.180582][ T2618] ? vm_unmapped_area (mm/mmap.c:711)
[ 307.244366][ T2618] ? lock_acquire (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5851 kernel/locking/lockdep.c:5814)
[ 307.248898][ T2618] ? mm_get_unmapped_area_vmflags (mm/mmap.c:853)
[ 307.254645][ T2618] mmap_region (mm/mmap.c:1351)
[ 307.258921][ T2618] do_mmap (mm/mmap.c:497)
[ 307.262848][ T2618] ? __pfx_do_mmap (mm/mmap.c:288)
[ 307.267292][ T2618] ? down_write_killable (arch/x86/include/asm/current.h:49 kernel/locking/rwsem.c:143 kernel/locking/rwsem.c:268 kernel/locking/rwsem.c:1303 kernel/locking/rwsem.c:1318 kernel/locking/rwsem.c:1590)
[ 307.272426][ T2618] ? __pfx_down_write_killable (kernel/locking/rwsem.c:1586)
[ 307.277912][ T2618] ? __fget_files (include/linux/rcupdate.h:347 include/linux/rcupdate.h:880 fs/file.c:1050)
[ 307.282455][ T2618] vm_mmap_pgoff (mm/util.c:580)
[ 307.286907][ T2618] ? __pfx_vm_mmap_pgoff (mm/util.c:570)
[ 307.291882][ T2618] ? __fget_files (fs/file.c:1053)
[ 307.296422][ T2618] ksys_mmap_pgoff (mm/mmap.c:542)
[ 307.301050][ T2618] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
[ 307.305415][ T2618] ? __up_write (arch/x86/include/asm/atomic64_64.h:87 include/linux/atomic/atomic-arch-fallback.h:2852 include/linux/atomic/atomic-long.h:268 include/linux/atomic/atomic-instrumented.h:3391 kernel/locking/rwsem.c:1372)
[ 307.309689][ T2618] ? vm_mmap_pgoff (mm/util.c:584)
[ 307.314306][ T2618] ? __pfx_vm_mmap_pgoff (mm/util.c:570)
[ 307.319269][ T2618] ? put_ctx (arch/x86/include/asm/atomic.h:93 include/linux/atomic/atomic-arch-fallback.h:949 include/linux/atomic/atomic-instrumented.h:401 include/linux/refcount.h:264 include/linux/refcount.h:307 include/linux/refcount.h:325 kernel/events/core.c:1223)
[ 307.323279][ T2618] ? mark_held_locks (kernel/locking/lockdep.c:4309)
[ 307.327901][ T2618] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)
[ 307.333732][ T2618] ? syscall_exit_to_user_mode (arch/x86/include/asm/jump_label.h:36 include/linux/context_tracking_state.h:108 include/linux/context_tracking.h:41 include/linux/entry-common.h:364 kernel/entry/common.c:220)
[ 307.339303][ T2618] ? do_syscall_64 (arch/x86/entry/common.c:102)
[ 307.343834][ T2618] ? __kasan_slab_alloc (mm/kasan/common.c:318 mm/kasan/common.c:345)
[ 307.348711][ T2618] ? rcu_is_watching (arch/x86/include/asm/atomic.h:23 include/linux/atomic/atomic-arch-fallback.h:457 include/linux/context_tracking.h:128 kernel/rcu/tree.c:737)
[ 307.353326][ T2618] ? lockdep_init_map_type (kernel/locking/lockdep.c:4980)
[ 307.358551][ T2618] ? __rwlock_init (kernel/locking/spinlock_debug.c:49)
[ 307.362995][ T2618] ? file_f_owner_allocate (fs/fcntl.c:110)
[ 307.368150][ T2618] ? do_fcntl (fs/fcntl.c:440 fs/fcntl.c:530)
[ 307.372347][ T2618] ? __pfx_do_fcntl (fs/fcntl.c:448)
[ 307.376880][ T2618] ? mark_held_locks (kernel/locking/lockdep.c:4309)
[ 307.381499][ T2618] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)
[ 307.387330][ T2618] ? syscall_exit_to_user_mode (arch/x86/include/asm/jump_label.h:36 include/linux/context_tracking_state.h:108 include/linux/context_tracking.h:41 include/linux/entry-common.h:364 kernel/entry/common.c:220)
[ 307.392898][ T2618] ? do_syscall_64 (arch/x86/entry/common.c:102)
[ 307.397430][ T2618] ? mark_held_locks (kernel/locking/lockdep.c:4309)
[ 307.402050][ T2618] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)
[ 307.407881][ T2618] ? syscall_exit_to_user_mode (arch/x86/include/asm/jump_label.h:36 include/linux/context_tracking_state.h:108 include/linux/context_tracking.h:41 include/linux/entry-common.h:364 kernel/entry/common.c:220)
[ 307.413451][ T2618] ? do_syscall_64 (arch/x86/entry/common.c:102)
[ 307.417985][ T2618] ? do_user_addr_fault (include/linux/rcupdate.h:347 include/linux/rcupdate.h:880 include/linux/mm.h:741 arch/x86/mm/fault.c:1340)
[ 307.423037][ T2618] ? __rcu_read_unlock (kernel/rcu/tree_plugin.h:440 (discriminator 2))
[ 307.427828][ T2618] ? do_user_addr_fault (include/linux/rcupdate.h:883 include/linux/mm.h:741 arch/x86/mm/fault.c:1340)
[ 307.432877][ T2618] ? mark_held_locks (kernel/locking/lockdep.c:4309)
[ 307.437499][ T2618] ? lockdep_hardirqs_on_prepare (kernel/locking/lockdep.c:4347 kernel/locking/lockdep.c:4406)
[ 307.443331][ T2618] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[  307.449076][ T2618] RIP: 0033:0x7f9dbc1c88a3
[ 307.453360][ T2618] Code: ef e8 d1 b4 ff ff eb e7 e8 3a 68 01 00 66 2e 0f 1f 84 00 00 00 00 00 41 89 ca 41 f7 c1 ff 0f 00 00 75 14 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 25 c3 0f 1f 40 00 48 8b 05 29 05 0d 00 64 c7
All code
========
   0:	ef                   	out    %eax,(%dx)
   1:	e8 d1 b4 ff ff       	call   0xffffffffffffb4d7
   6:	eb e7                	jmp    0xffffffffffffffef
   8:	e8 3a 68 01 00       	call   0x16847
   d:	66 2e 0f 1f 84 00 00 	cs nopw 0x0(%rax,%rax,1)
  14:	00 00 00 
  17:	41 89 ca             	mov    %ecx,%r10d
  1a:	41 f7 c1 ff 0f 00 00 	test   $0xfff,%r9d
  21:	75 14                	jne    0x37
  23:	b8 09 00 00 00       	mov    $0x9,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 25                	ja     0x57
  32:	c3                   	ret
  33:	0f 1f 40 00          	nopl   0x0(%rax)
  37:	48 8b 05 29 05 0d 00 	mov    0xd0529(%rip),%rax        # 0xd0567
  3e:	64                   	fs
  3f:	c7                   	.byte 0xc7

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 25                	ja     0x2d
   8:	c3                   	ret
   9:	0f 1f 40 00          	nopl   0x0(%rax)
   d:	48 8b 05 29 05 0d 00 	mov    0xd0529(%rip),%rax        # 0xd053d
  14:	64                   	fs
  15:	c7                   	.byte 0xc7
[  307.472788][ T2618] RSP: 002b:00007ffd7c31e008 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[  307.481042][ T2618] RAX: ffffffffffffffda RBX: 00007ffd7c31e318 RCX: 00007f9dbc1c88a3
[  307.488860][ T2618] RDX: 0000000000000003 RSI: 0000000000009000 RDI: 0000000000000000
[  307.496678][ T2618] RBP: 00007ffd7c31e070 R08: 0000000000000004 R09: 0000000000000000
[  307.504497][ T2618] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
[  307.512326][ T2618] R13: 00007ffd7c31e328 R14: 000055886087cdd8 R15: 00007f9dbc2e7020
[  307.520166][ T2618]  </TASK>
[  307.523050][ T2618] ==================================================================
[  307.532190][ T2618] Disabling lock debugging due to kernel taint



-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki