From: syzbot <syzbot+ee1fdd8dcc770a3a169a@syzkaller.appspotmail.com>
To: akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
	linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
Subject: [syzbot] general protection fault in vma_interval_tree_remove
Date: Mon, 02 May 2022 05:06:22 -0700
Message-ID: <0000000000007f31db05de0638f0@google.com>

Hello,

syzbot found the following issue on:

HEAD commit:    bdc61aad77fa Add linux-next specific files for 20220428
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1196c4bcf00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=87767e89da13a759
dashboard link: https://syzkaller.appspot.com/bug?extid=ee1fdd8dcc770a3a169a
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ee1fdd8dcc770a3a169a@syzkaller.appspotmail.com

RBP: 0000000020000000 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000000008011 R11: 0000000000000206 R12: 0000000020000800
R13: 0000000020000000 R14: 00000000200007c0 R15: 0000000020000000
 </TASK>
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 32272 Comm: syz-executor.4 Not tainted 5.18.0-rc4-next-20220428-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:rb_set_parent_color include/linux/rbtree_augmented.h:165 [inline]
RIP: 0010:____rb_erase_color lib/rbtree.c:359 [inline]
RIP: 0010:__rb_erase_color+0x2fd/0xdb0 lib/rbtree.c:413
Code: 00 4d 89 ec 4d 8b 6d 10 e9 ac fd ff ff 4c 89 60 10 eb be 4c 89 e9 48 89 e8 4c 89 6d 10 48 c1 e9 03 49 89 6c 24 08 48 83 c8 01 <80> 3c 19 00 0f 85 1d 08 00 00 49 89 45 00 48 89 e8 48 c1 e8 03 80
RSP: 0018:ffffc900149ffa48 EFLAGS: 00010286
RAX: ffff88801f3fbb21 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: ffffed1002fe1617 RSI: ffff888017f0b0b8 RDI: ffff8880790928a0
RBP: ffff88801f3fbb20 R08: ffff88801f3fbb30 R09: ffff888017f0b0af
R10: ffffffff81b01168 R11: 0000000000000001 R12: ffff888079092898
R13: 0000000000000000 R14: ffff888017f0b0b8 R15: ffffffff81afff50
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000001da88000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 rb_erase_augmented include/linux/rbtree_augmented.h:305 [inline]
 rb_erase_augmented_cached include/linux/rbtree_augmented.h:314 [inline]
 vma_interval_tree_remove+0x694/0xed0 mm/interval_tree.c:23
 __remove_shared_vm_struct mm/mmap.c:160 [inline]
 unlink_file_vma+0xbd/0x110 mm/mmap.c:175
 free_pgtables+0x255/0x420 mm/memory.c:440
 exit_mmap+0x1ff/0x740 mm/mmap.c:3148
 __mmput+0xe4/0x460 kernel/fork.c:1175
 mmput+0x5c/0x70 kernel/fork.c:1197
 exit_mm kernel/exit.c:510 [inline]
 do_exit+0xa18/0x2a00 kernel/exit.c:782
 do_group_exit+0xd2/0x2f0 kernel/exit.c:925
 __do_sys_exit_group kernel/exit.c:936 [inline]
 __se_sys_exit_group kernel/exit.c:934 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:934
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f858fe890e9
Code: Unable to access opcode bytes at RIP 0x7f858fe890bf.
RSP: 002b:00007f85910bbaf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f858fe890e9
RDX: 00007f858fe89132 RSI: 0000000000000000 RDI: 000000000000000b
RBP: 000000000000000b R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000004 R11: 0000000000000246 R12: 0000000020000800
R13: 0000000020000000 R14: 00000000200007c0 R15: 0000000020000000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:rb_set_parent_color include/linux/rbtree_augmented.h:165 [inline]
RIP: 0010:____rb_erase_color lib/rbtree.c:359 [inline]
RIP: 0010:__rb_erase_color+0x2fd/0xdb0 lib/rbtree.c:413
Code: 00 4d 89 ec 4d 8b 6d 10 e9 ac fd ff ff 4c 89 60 10 eb be 4c 89 e9 48 89 e8 4c 89 6d 10 48 c1 e9 03 49 89 6c 24 08 48 83 c8 01 <80> 3c 19 00 0f 85 1d 08 00 00 49 89 45 00 48 89 e8 48 c1 e8 03 80
RSP: 0018:ffffc900149ffa48 EFLAGS: 00010286
RAX: ffff88801f3fbb21 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: ffffed1002fe1617 RSI: ffff888017f0b0b8 RDI: ffff8880790928a0
RBP: ffff88801f3fbb20 R08: ffff88801f3fbb30 R09: ffff888017f0b0af
R10: ffffffff81b01168 R11: 0000000000000001 R12: ffff888079092898
R13: 0000000000000000 R14: ffff888017f0b0b8 R15: ffffffff81afff50
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000001da88000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	00 4d 89             	add    %cl,-0x77(%rbp)
   3:	ec                   	in     (%dx),%al
   4:	4d 8b 6d 10          	mov    0x10(%r13),%r13
   8:	e9 ac fd ff ff       	jmpq   0xfffffdb9
   d:	4c 89 60 10          	mov    %r12,0x10(%rax)
  11:	eb be                	jmp    0xffffffd1
  13:	4c 89 e9             	mov    %r13,%rcx
  16:	48 89 e8             	mov    %rbp,%rax
  19:	4c 89 6d 10          	mov    %r13,0x10(%rbp)
  1d:	48 c1 e9 03          	shr    $0x3,%rcx
  21:	49 89 6c 24 08       	mov    %rbp,0x8(%r12)
  26:	48 83 c8 01          	or     $0x1,%rax
* 2a:	80 3c 19 00          	cmpb   $0x0,(%rcx,%rbx,1) <-- trapping instruction
  2e:	0f 85 1d 08 00 00    	jne    0x851
  34:	49 89 45 00          	mov    %rax,0x0(%r13)
  38:	48 89 e8             	mov    %rbp,%rax
  3b:	48 c1 e8 03          	shr    $0x3,%rax
  3f:	80                   	.byte 0x80


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
