From: Liam Howlett <liam.howlett@oracle.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: syzbot <syzbot+ee1fdd8dcc770a3a169a@syzkaller.appspotmail.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
"syzkaller-bugs@googlegroups.com"
<syzkaller-bugs@googlegroups.com>,
Michel Lespinasse <michel@lespinasse.org>
Subject: Re: [syzbot] general protection fault in vma_interval_tree_remove
Date: Mon, 16 May 2022 18:00:06 +0000 [thread overview]
Message-ID: <20220516175958.cswumupmeddptzdb@revolver> (raw)
In-Reply-To: <20220514135010.2528f75eb053a7b38d80584b@linux-foundation.org>
* Andrew Morton <akpm@linux-foundation.org> [220514 16:50]:
> On Sat, 14 May 2022 13:18:26 -0700 syzbot <syzbot+ee1fdd8dcc770a3a169a@syzkaller.appspotmail.com> wrote:
>
> > syzbot has found a reproducer for the following issue on:
> >
> > HEAD commit: 1e1b28b936ae Add linux-next specific files for 20220513
> > git tree: linux-next
> > console+strace: https://syzkaller.appspot.com/x/log.txt?x=11da21b9f00000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=e4eb3c0c4b289571
> > dashboard link: https://syzkaller.appspot.com/bug?extid=ee1fdd8dcc770a3a169a
> > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=142757f1f00000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17cf0966f00000
>
> Thanks.
>
> So it was there on April 28 and it's there now. Liam, do you think
> anything in the mapletree changes could have perturbed the interval
> tree handling?
It is certainly possible, these two trees are intertwined so much. One
area that sticks out as a possibility is vma_expand(). I created a
vma_expand() function to handle growing a vma and potentially removing
the next vma. I do some interval tree modifications in there.
I'll add it to my list of items to look at.
>
>
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+ee1fdd8dcc770a3a169a@syzkaller.appspotmail.com
> >
> > general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
> > KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> > CPU: 1 PID: 3612 Comm: syz-executor255 Not tainted 5.18.0-rc6-next-20220513-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > RIP: 0010:____rb_erase_color lib/rbtree.c:354 [inline]
> > RIP: 0010:__rb_erase_color+0x159/0xdb0 lib/rbtree.c:413
> > Code: 89 ed 48 89 c5 e9 f5 fe ff ff 4c 8d 45 10 4c 89 c0 48 c1 e8 03 80 3c 18 00 0f 85 3a 08 00 00 4c 8b 65 10 4c 89 e0 48 c1 e8 03 <80> 3c 18 00 0f 85 6a 08 00 00 49 8b 04 24 49 8d 7c 24 08 48 89 f9
> > RSP: 0018:ffffc90002e877a8 EFLAGS: 00010246
> > RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000000000
> > RDX: ffffed100e8d3aed RSI: ffff88807469d768 RDI: ffff8880202132b0
> > RBP: ffff8880202132b0 R08: ffff8880202132c0 R09: ffff88807469d75f
> > R10: ffffffff81b02518 R11: 0000000000000001 R12: 0000000000000000
> > R13: 0000000000000000 R14: ffff88807469d768 R15: ffffffff81b01300
> > FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
> > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 00007ffe92002ff8 CR3: 00000000764a0000 CR4: 00000000003506e0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > Call Trace:
> > <TASK>
> > rb_erase_augmented include/linux/rbtree_augmented.h:305 [inline]
> > rb_erase_augmented_cached include/linux/rbtree_augmented.h:314 [inline]
> > vma_interval_tree_remove+0x694/0xed0 mm/interval_tree.c:23
> > __remove_shared_vm_struct mm/mmap.c:160 [inline]
> > unlink_file_vma+0xbd/0x110 mm/mmap.c:175
> > free_pgtables+0x255/0x420 mm/memory.c:440
> > exit_mmap+0x1ff/0x740 mm/mmap.c:3219
> > __mmput+0x128/0x4c0 kernel/fork.c:1180
> > mmput+0x5c/0x70 kernel/fork.c:1201
> > exit_mm kernel/exit.c:510 [inline]
> > do_exit+0xa18/0x2a00 kernel/exit.c:782
> > do_group_exit+0xd2/0x2f0 kernel/exit.c:925
> > get_signal+0x2542/0x2600 kernel/signal.c:2857
> > arch_do_signal_or_restart+0x82/0x20f0 arch/x86/kernel/signal.c:869
> > exit_to_user_mode_loop kernel/entry/common.c:166 [inline]
> > exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:201
> > irqentry_exit_to_user_mode+0x5/0x30 kernel/entry/common.c:307
> > exc_page_fault+0xc6/0x180 arch/x86/mm/fault.c:1543
> > asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:570
> > RIP: 0033:0x7f1771dc98cf
> > Code: Unable to access opcode bytes at RIP 0x7f1771dc98a5.
> > RSP: 002b:00007ffe920035a0 EFLAGS: 00010206
> > RAX: 0000000000000001 RBX: 00007f1771e78138 RCX: 0000000000000001
> > RDX: 0000000000000001 RSI: 00007f1771e78138 RDI: 000000000000000b
> > RBP: 000000000000000b R08: 0000000000000005 R09: 0000000000000000
> > R10: 0000000000008011 R11: 0000000000000206 R12: 0000000000000000
> > R13: 0000000000000001 R14: 00000000000c3ec0 R15: 0000000000000001
> > </TASK>
> > Modules linked in:
> > ---[ end trace 0000000000000000 ]---
> > RIP: 0010:____rb_erase_color lib/rbtree.c:354 [inline]
> > RIP: 0010:__rb_erase_color+0x159/0xdb0 lib/rbtree.c:413
> > Code: 89 ed 48 89 c5 e9 f5 fe ff ff 4c 8d 45 10 4c 89 c0 48 c1 e8 03 80 3c 18 00 0f 85 3a 08 00 00 4c 8b 65 10 4c 89 e0 48 c1 e8 03 <80> 3c 18 00 0f 85 6a 08 00 00 49 8b 04 24 49 8d 7c 24 08 48 89 f9
> > RSP: 0018:ffffc90002e877a8 EFLAGS: 00010246
> > RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000000000
> > RDX: ffffed100e8d3aed RSI: ffff88807469d768 RDI: ffff8880202132b0
> > RBP: ffff8880202132b0 R08: ffff8880202132c0 R09: ffff88807469d75f
> > R10: ffffffff81b02518 R11: 0000000000000001 R12: 0000000000000000
> > R13: 0000000000000000 R14: ffff88807469d768 R15: ffffffff81b01300
> > FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
> > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 00000000000c3ec8 CR3: 0000000023516000 CR4: 00000000003506f0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > ----------------
> > Code disassembly (best guess):
> > 0: 89 ed mov %ebp,%ebp
> > 2: 48 89 c5 mov %rax,%rbp
> > 5: e9 f5 fe ff ff jmpq 0xfffffeff
> > a: 4c 8d 45 10 lea 0x10(%rbp),%r8
> > e: 4c 89 c0 mov %r8,%rax
> > 11: 48 c1 e8 03 shr $0x3,%rax
> > 15: 80 3c 18 00 cmpb $0x0,(%rax,%rbx,1)
> > 19: 0f 85 3a 08 00 00 jne 0x859
> > 1f: 4c 8b 65 10 mov 0x10(%rbp),%r12
> > 23: 4c 89 e0 mov %r12,%rax
> > 26: 48 c1 e8 03 shr $0x3,%rax
> > * 2a: 80 3c 18 00 cmpb $0x0,(%rax,%rbx,1) <-- trapping instruction
> > 2e: 0f 85 6a 08 00 00 jne 0x89e
> > 34: 49 8b 04 24 mov (%r12),%rax
> > 38: 49 8d 7c 24 08 lea 0x8(%r12),%rdi
> > 3d: 48 89 f9 mov %rdi,%rcx
> >
next prev parent reply other threads:[~2022-05-16 18:00 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-02 12:06 [syzbot] general protection fault in vma_interval_tree_remove syzbot
2022-05-14 20:18 ` syzbot
2022-05-14 20:50 ` Andrew Morton
2022-05-16 18:00 ` Liam Howlett [this message]
2022-05-19 2:03 ` Liam Howlett
2022-05-19 5:18 ` Dmitry Vyukov
2022-05-15 0:09 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220516175958.cswumupmeddptzdb@revolver \
--to=liam.howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=michel@lespinasse.org \
--cc=syzbot+ee1fdd8dcc770a3a169a@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.