* Re: [syzbot] [mm?] general protection fault in hugetlb_vma_lock_read
@ 2023-11-16 7:53 xingwei lee
2023-11-16 17:32 ` Mike Kravetz
0 siblings, 1 reply; 3+ messages in thread
From: xingwei lee @ 2023-11-16 7:53 UTC (permalink / raw)
To: syzbot+93e7c679006f0d4e6105
Cc: akpm, linux-kernel, linux-mm, llvm, mike.kravetz, muchun.song,
Nathan Chancellor, ndesaulniers, syzkaller-bugs, trix
[-- Attachment #1.1: Type: text/plain, Size: 7525 bytes --]
Hello, since I found there is no reproduce from then to now. I try to
reproduce this bug to generate repro.c.
Maybe this bug is the same bug as [syzbot] [mm?] general protection fault
in hugetlb_vma_lock_write I guess...
But no matter what, with the reproduce.c, we can quickly fix this bug or
check the correctness of our fix.
#define _GNU_SOURCE
#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#ifndef __NR_memfd_create
#define __NR_memfd_create 319
#endif
static void sleep_ms(uint64_t ms)
{
usleep(ms * 1000);
}
static uint64_t current_time_ms(void)
{
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts))
exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
static bool write_file(const char* file, const char* what, ...)
{
char buf[1024];
va_list args;
va_start(args, what);
vsnprintf(buf, sizeof(buf), what, args);
va_end(args);
buf[sizeof(buf) - 1] = 0;
int len = strlen(buf);
int fd = open(file, O_WRONLY | O_CLOEXEC);
if (fd == -1)
return false;
if (write(fd, buf, len) != len) {
int err = errno;
close(fd);
errno = err;
return false;
}
close(fd);
return true;
}
static void kill_and_wait(int pid, int* status)
{
kill(-pid, SIGKILL);
kill(pid, SIGKILL);
for (int i = 0; i < 100; i++) {
if (waitpid(-1, status, WNOHANG | __WALL) == pid)
return;
usleep(1000);
}
DIR* dir = opendir("/sys/fs/fuse/connections");
if (dir) {
for (;;) {
struct dirent* ent = readdir(dir);
if (!ent)
break;
if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..")
== 0)
continue;
char abort[300];
snprintf(abort, sizeof(abort),
"/sys/fs/fuse/connections/%s/abort", ent->d_name);
int fd = open(abort, O_WRONLY);
if (fd == -1) {
continue;
}
if (write(fd, abort, 1) < 0) {
}
close(fd);
}
closedir(dir);
} else {
}
while (waitpid(-1, status, __WALL) != pid) {
}
}
static void setup_test()
{
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setpgrp();
write_file("/proc/self/oom_score_adj", "1000");
}
#define USLEEP_FORKED_CHILD (3 * 50 *1000)
static long handle_clone_ret(long ret)
{
if (ret != 0) {
return ret;
}
usleep(USLEEP_FORKED_CHILD);
syscall(__NR_exit, 0);
while (1) {
}
}
static long syz_clone(volatile long flags, volatile long stack, volatile
long stack_len,
volatile long ptid, volatile long ctid, volatile long tls)
{
long sp = (stack + stack_len) & ~15;
long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid,
tls);
return handle_clone_ret(ret);
}
static void execute_one(void);
#define WAIT_FLAGS __WALL
static void loop(void)
{
int iter = 0;
for (;; iter++) {
int pid = fork();
if (pid < 0)
exit(1);
if (pid == 0) {
setup_test();
execute_one();
exit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
break;
sleep_ms(1);
if (current_time_ms() - start < 5000)
continue;
kill_and_wait(pid, &status);
break;
}
}
}
uint64_t r[2] = {0xffffffffffffffff, 0x0};
void execute_one(void)
{
intptr_t res = 0;
memcpy((void*)0x20000800,
"\001\375\256.+\246\214\266?2\0319\224S,|x?Ue[\275\341!\0033\274\'#\377\027\233%\363[d
\227\365G\227A\302\330\360Uq\346+\245l\224\v\266\a\027\\\373\004!\344\304\261\262\034\377C;\224Q\r\266}\234\354C\v\317\353\344\232R\345,\202\003\000\031\215\350\306\271\344\264\231\212\031P\270\214x\b\231\004R\005\257\242\3525\f\314\032\233\000Uf\245\367\200Tgi\264\300\346\264\357\250i\330\242\322(\230\233A\217\023\353\364b/\357!\217\366]-\351k\2662\211gEv\023\364\307\262\365\\\027\220\265\246\250\270o\017\342
\347\234$\327\362@\367cdv[\t\000\215\363\3141\r$\036\377\360P\262\227\270\274\353\221\207\213u\277\324\'\377\037\f\0016\235Q\356T\350\bY\000\262\006\246\276l\233.o\276\200\235x\325O\326h\\I\311\215\a\035\311\017\202\333s\307\203L\236\242\321\263\254\215\330\264\264\352\220Q\330\307\353%\213Op\032b\226\317\273\025\317\374N\355\000\000\000\000\000\000\000\000\000\000\000\000\000s\257\242\024]p+\226\036i|n\332\356\\\256\226*\202*\270j\332\252\024\037\035\370\370\256\374H\304\263j\350\317O\357\016\257e\265*\211\030\262w\226\b\033y\352T\335\263g6\274\205\262Y\314v\006\000\000\000\305e\220\3051\237\v_#
\b\245\274P,|\351\326s\037\037\276\323\200\261\250
\316|df\2203\v\002\352.\003X\265\344,8\267\255EI\334A\247\314\327\371n\033\225\370\021Z\346:\003\316\376\002\214tdy~_oC\236\357\360\242K\351;\216:\001\003C\222\353\026\000\000\000\000\314Uxhg\377\344\a\203\246z\377\001\235
o_{!O\252jU\204
\351\2659r\234w\030Z\323\315\016\272\\\333\360\341\206\340\037\373\322\247\2040\216\n\275^\005\300\316uC}\250\307\255\206\327\025&\271]1\005J\226\360\204\301\f\246p\226\270\002\023pA\031\tf\022\210\310\234\311Cn\324\2447V\'+\314\277\r\251\020\035\317\353Klb\345:\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000G\337\273\300_\231F\364n]\024\274\315\323\237\237e\305\346\350Mb\306\202\202\314\312Xe\341\242\252\002\206\270\030\342C\353\251\027&\001&\'w\241t0\200\360\223\200\237\233\340\237\352\271\236D]#V\332\222\312\306\372.\326\3431\376\350\002\353X\220@\352\224\237a/\242-E\337\030yoSYua\031\357\363I\001\361\266\222gl7\361\035\027\027\361\313\217]\351Z\263q\365N\207\326q\300\320\213\273+\205\v\335n2lV\260]\254T\2636J\352\324\236\357L^
\301\364\374\000\000\000\000\000\000\000\000\000\000\000", 746);
res = syscall(__NR_memfd_create, /*name=*/0x20000800ul, /*flags=*/5ul);
if (res != -1)
r[0] = res;
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x4000ul,
/*prot=*/0xeul, /*flags=*/0x12ul, /*fd=*/r[0], /*offset=*/0ul);
syscall(__NR_socketpair, /*domain=*/2ul, /*type=*/2ul, /*proto=*/0,
/*fds=*/0x200008c0ul);
res = -1;
res = syz_clone(/*flags=*/0, /*stack=*/0, /*stack_len=*/0, /*parentid=*/0,
/*childtid=*/0, /*tls=*/0);
if (res != -1)
r[1] = res;
*(uint64_t*)0x20000f80 = 0;
*(uint64_t*)0x20000f88 = 0;
syscall(__NR_process_vm_writev, /*pid=*/r[1], /*loc_vec=*/0ul,
/*loc_vlen=*/0ul, /*rem_vec=*/0x20000f80ul, /*rem_vlen=*/1ul,
/*flags=*/0ul);
}
int main(void)
{
syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul,
/*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul,
/*prot=*/7ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul,
/*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
loop();
return 0;
}
[-- Attachment #1.2: Type: text/html, Size: 9206 bytes --]
[-- Attachment #2: repro.txt --]
[-- Type: text/plain, Size: 2440 bytes --]
r0 = memfd_create(&(0x7f0000000800)='\x01\xfd\xae.+\xa6\x8c\xb6?2\x199\x94S,|x?Ue[\xbd\xe1!\x033\xbc\'#\xff\x17\x9b%\xf3[d \x97\xf5G\x97A\xc2\xd8\xf0Uq\xe6+\xa5l\x94\v\xb6\a\x17\\\xfb\x04!\xe4\xc4\xb1\xb2\x1c\xffC;\x94Q\r\xb6}\x9c\xecC\v\xcf\xeb\xe4\x9aR\xe5,\x82\x03\x00\x19\x8d\xe8\xc6\xb9\xe4\xb4\x99\x8a\x19P\xb8\x8cx\b\x99\x04R\x05\xaf\xa2\xea5\f\xcc\x1a\x9b\x00Uf\xa5\xf7\x80Tgi\xb4\xc0\xe6\xb4\xef\xa8i\xd8\xa2\xd2(\x98\x9bA\x8f\x13\xeb\xf4b/\xef!\x8f\xf6]-\xe9k\xb62\x89gEv\x13\xf4\xc7\xb2\xf5\\\x17\x90\xb5\xa6\xa8\xb8o\x0f\xe2 \xe7\x9c$\xd7\xf2@\xf7cdv[\t\x00\x8d\xf3\xcc1\r$\x1e\xff\xf0P\xb2\x97\xb8\xbc\xeb\x91\x87\x8bu\xbf\xd4\'\xff\x1f\f\x016\x9dQ\xeeT\xe8\bY\x00\xb2\x06\xa6\xbel\x9b.o\xbe\x80\x9dx\xd5O\xd6h\\I\xc9\x8d\a\x1d\xc9\x0f\x82\xdbs\xc7\x83L\x9e\xa2\xd1\xb3\xac\x8d\xd8\xb4\xb4\xea\x90Q\xd8\xc7\xeb%\x8bOp\x1ab\x96\xcf\xbb\x15\xcf\xfcN\xed\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00s\xaf\xa2\x14]p+\x96\x1ei|n\xda\xee\\\xae\x96*\x82*\xb8j\xda\xaa\x14\x1f\x1d\xf8\xf8\xae\xfcH\xc4\xb3j\xe8\xcfO\xef\x0e\xafe\xb5*\x89\x18\xb2w\x96\b\x1by\xeaT\xdd\xb3g6\xbc\x85\xb2Y\xccv\x06\x00\x00\x00\xc5e\x90\xc51\x9f\v_# \b\xa5\xbcP,|\xe9\xd6s\x1f\x1f\xbe\xd3\x80\xb1\xa8 \xce|df\x903\v\x02\xea.\x03X\xb5\xe4,8\xb7\xadEI\xdcA\xa7\xcc\xd7\xf9n\x1b\x95\xf8\x11Z\xe6:\x03\xce\xfe\x02\x8ctdy~_oC\x9e\xef\xf0\xa2K\xe9;\x8e:\x01\x03C\x92\xeb\x16\x00\x00\x00\x00\xccUxhg\xff\xe4\a\x83\xa6z\xff\x01\x9d o_{!O\xaajU\x84 \xe9\xb59r\x9cw\x18Z\xd3\xcd\x0e\xba\\\xdb\xf0\xe1\x86\xe0\x1f\xfb\xd2\xa7\x840\x8e\n\xbd^\x05\xc0\xceuC}\xa8\xc7\xad\x86\xd7\x15&\xb9]1\x05J\x96\xf0\x84\xc1\f\xa6p\x96\xb8\x02\x13pA\x19\tf\x12\x88\xc8\x9c\xc9Cn\xd4\xa47V\'+\xcc\xbf\r\xa9\x10\x1d\xcf\xebKlb\xe5:\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00G\xdf\xbb\xc0_\x99F\xf4n]\x14\xbc\xcd\xd3\x9f\x9fe\xc5\xe6\xe8Mb\xc6\x82\x82\xcc\xcaXe\xe1\xa2\xaa\x02\x86\xb8\x18\xe2C\xeb\xa9\x17&\x01&\'w\xa1t0\x80\xf0\x93\x80\x9f\x9b\xe0\x9f\xea\xb9\x9eD]#V\xda\x92\xca\xc6\xfa.\xd6\xe31\xfe\xe8\x02\xebX\x90@\xea\x94\x9fa/\xa2-E\xdf\x18yoSYua\x19\xef\xf3I\x01\xf1\xb6\x92gl7\xf1\x1d\x17\x17\xf1\xcb\x8f]\xe9Z\xb3q\xf5N\x87\xd6q\xc0\xd0\x8b\xbb+\x85\v\xddn2lV\xb0]\xacT\xb36J\xea\xd4\x9e\xefL^ \xc1\xf4\xfc\x00'/746, 0x5)
mmap(&(0x7f0000000000/0x4000)=nil, 0x4000, 0xe, 0x12, r0, 0x0)
socketpair$unix(0x2, 0x2, 0x0, &(0x7f00000008c0))
r1 = syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
process_vm_writev(r1, 0x0, 0x0, &(0x7f0000000f80)=[{0x0}], 0x1, 0x0)
[-- Attachment #3: repro.c --]
[-- Type: application/octet-stream, Size: 6502 bytes --]
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#ifndef __NR_memfd_create
#define __NR_memfd_create 319
#endif
static void sleep_ms(uint64_t ms)
{
usleep(ms * 1000);
}
static uint64_t current_time_ms(void)
{
struct timespec ts;
if (clock_gettime(CLOCK_MONOTONIC, &ts))
exit(1);
return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}
static bool write_file(const char* file, const char* what, ...)
{
char buf[1024];
va_list args;
va_start(args, what);
vsnprintf(buf, sizeof(buf), what, args);
va_end(args);
buf[sizeof(buf) - 1] = 0;
int len = strlen(buf);
int fd = open(file, O_WRONLY | O_CLOEXEC);
if (fd == -1)
return false;
if (write(fd, buf, len) != len) {
int err = errno;
close(fd);
errno = err;
return false;
}
close(fd);
return true;
}
static void kill_and_wait(int pid, int* status)
{
kill(-pid, SIGKILL);
kill(pid, SIGKILL);
for (int i = 0; i < 100; i++) {
if (waitpid(-1, status, WNOHANG | __WALL) == pid)
return;
usleep(1000);
}
DIR* dir = opendir("/sys/fs/fuse/connections");
if (dir) {
for (;;) {
struct dirent* ent = readdir(dir);
if (!ent)
break;
if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
continue;
char abort[300];
snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
int fd = open(abort, O_WRONLY);
if (fd == -1) {
continue;
}
if (write(fd, abort, 1) < 0) {
}
close(fd);
}
closedir(dir);
} else {
}
while (waitpid(-1, status, __WALL) != pid) {
}
}
static void setup_test()
{
prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
setpgrp();
write_file("/proc/self/oom_score_adj", "1000");
}
#define USLEEP_FORKED_CHILD (3 * 50 *1000)
static long handle_clone_ret(long ret)
{
if (ret != 0) {
return ret;
}
usleep(USLEEP_FORKED_CHILD);
syscall(__NR_exit, 0);
while (1) {
}
}
static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len,
volatile long ptid, volatile long ctid, volatile long tls)
{
long sp = (stack + stack_len) & ~15;
long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls);
return handle_clone_ret(ret);
}
static void execute_one(void);
#define WAIT_FLAGS __WALL
static void loop(void)
{
int iter = 0;
for (;; iter++) {
int pid = fork();
if (pid < 0)
exit(1);
if (pid == 0) {
setup_test();
execute_one();
exit(0);
}
int status = 0;
uint64_t start = current_time_ms();
for (;;) {
if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
break;
sleep_ms(1);
if (current_time_ms() - start < 5000)
continue;
kill_and_wait(pid, &status);
break;
}
}
}
uint64_t r[2] = {0xffffffffffffffff, 0x0};
void execute_one(void)
{
intptr_t res = 0;
memcpy((void*)0x20000800, "\001\375\256.+\246\214\266?2\0319\224S,|x?Ue[\275\341!\0033\274\'#\377\027\233%\363[d \227\365G\227A\302\330\360Uq\346+\245l\224\v\266\a\027\\\373\004!\344\304\261\262\034\377C;\224Q\r\266}\234\354C\v\317\353\344\232R\345,\202\003\000\031\215\350\306\271\344\264\231\212\031P\270\214x\b\231\004R\005\257\242\3525\f\314\032\233\000Uf\245\367\200Tgi\264\300\346\264\357\250i\330\242\322(\230\233A\217\023\353\364b/\357!\217\366]-\351k\2662\211gEv\023\364\307\262\365\\\027\220\265\246\250\270o\017\342 \347\234$\327\362@\367cdv[\t\000\215\363\3141\r$\036\377\360P\262\227\270\274\353\221\207\213u\277\324\'\377\037\f\0016\235Q\356T\350\bY\000\262\006\246\276l\233.o\276\200\235x\325O\326h\\I\311\215\a\035\311\017\202\333s\307\203L\236\242\321\263\254\215\330\264\264\352\220Q\330\307\353%\213Op\032b\226\317\273\025\317\374N\355\000\000\000\000\000\000\000\000\000\000\000\000\000s\257\242\024]p+\226\036i|n\332\356\\\256\226*\202*\270j\332\252\024\037\035\370\370\256\374H\304\263j\350\317O\357\016\257e\265*\211\030\262w\226\b\033y\352T\335\263g6\274\205\262Y\314v\006\000\000\000\305e\220\3051\237\v_# \b\245\274P,|\351\326s\037\037\276\323\200\261\250 \316|df\2203\v\002\352.\003X\265\344,8\267\255EI\334A\247\314\327\371n\033\225\370\021Z\346:\003\316\376\002\214tdy~_oC\236\357\360\242K\351;\216:\001\003C\222\353\026\000\000\000\000\314Uxhg\377\344\a\203\246z\377\001\235 o_{!O\252jU\204 \351\2659r\234w\030Z\323\315\016\272\\\333\360\341\206\340\037\373\322\247\2040\216\n\275^\005\300\316uC}\250\307\255\206\327\025&\271]1\005J\226\360\204\301\f\246p\226\270\002\023pA\031\tf\022\210\310\234\311Cn\324\2447V\'+\314\277\r\251\020\035\317\353Klb\345:\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000G\337\273\300_\231F\364n]\024\274\315\323\237\237e\305\346\350Mb\306\202\202\314\312Xe\341\242\252\002\206\270\030\342C\353\251\027&\001&\'w\241t0\200\360\223\200\237\233\340\237\352\271\236D]#V\332\222\312\306\372.\326\3431\376\350\002\353X\220@\352\224\237a/\242-E\337\030yoSYua\031\357\363I\001\361\266\222gl7\361\035\027\027\361\313\217]\351Z\263q\365N\207\326q\300\320\213\273+\205\v\335n2lV\260]\254T\2636J\352\324\236\357L^ \301\364\374\000\000\000\000\000\000\000\000\000\000\000", 746);
res = syscall(__NR_memfd_create, /*name=*/0x20000800ul, /*flags=*/5ul);
if (res != -1)
r[0] = res;
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x4000ul, /*prot=*/0xeul, /*flags=*/0x12ul, /*fd=*/r[0], /*offset=*/0ul);
syscall(__NR_socketpair, /*domain=*/2ul, /*type=*/2ul, /*proto=*/0, /*fds=*/0x200008c0ul);
res = -1;
res = syz_clone(/*flags=*/0, /*stack=*/0, /*stack_len=*/0, /*parentid=*/0, /*childtid=*/0, /*tls=*/0);
if (res != -1)
r[1] = res;
*(uint64_t*)0x20000f80 = 0;
*(uint64_t*)0x20000f88 = 0;
syscall(__NR_process_vm_writev, /*pid=*/r[1], /*loc_vec=*/0ul, /*loc_vlen=*/0ul, /*rem_vec=*/0x20000f80ul, /*rem_vlen=*/1ul, /*flags=*/0ul);
}
int main(void)
{
syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
loop();
return 0;
}
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [syzbot] [mm?] general protection fault in hugetlb_vma_lock_read
2023-11-16 7:53 [syzbot] [mm?] general protection fault in hugetlb_vma_lock_read xingwei lee
@ 2023-11-16 17:32 ` Mike Kravetz
0 siblings, 0 replies; 3+ messages in thread
From: Mike Kravetz @ 2023-11-16 17:32 UTC (permalink / raw)
To: xingwei lee
Cc: syzbot+93e7c679006f0d4e6105, akpm, linux-kernel, linux-mm, llvm,
muchun.song, Nathan Chancellor, ndesaulniers, syzkaller-bugs,
trix
On 11/16/23 15:53, xingwei lee wrote:
> Hello, since I found there is no reproduce from then to now. I try to
> reproduce this bug to generate repro.c.
> Maybe this bug is the same bug as [syzbot] [mm?] general protection fault
> in hugetlb_vma_lock_write I guess...
> But no matter what, with the reproduce.c, we can quickly fix this bug or
> check the correctness of our fix.
I am not sure what fix you suggested for this issue. The following was
sent upstream and is now included in Andrew's tree and linux-next.
https://lore.kernel.org/linux-mm/20231114012033.259600-1-mike.kravetz@oracle.com/
I tested with a reproducer previously provided by syzbot, and assume this
resolves the issue with your reproducer as well.
--
Mike Kravetz
^ permalink raw reply [flat|nested] 3+ messages in thread
* [syzbot] [mm?] general protection fault in hugetlb_vma_lock_read
@ 2023-11-02 15:26 syzbot
0 siblings, 0 replies; 3+ messages in thread
From: syzbot @ 2023-11-02 15:26 UTC (permalink / raw)
To: akpm, linux-kernel, linux-mm, llvm, mike.kravetz, muchun.song,
nathan, ndesaulniers, syzkaller-bugs, trix
Hello,
syzbot found the following issue on:
HEAD commit: babe393974de Merge tag 'docs-6.7' of git://git.lwn.net/linux
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=176e7813680000
kernel config: https://syzkaller.appspot.com/x/.config?x=34994593e74fdcfe
dashboard link: https://syzkaller.appspot.com/bug?extid=93e7c679006f0d4e6105
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/81ff19e40c77/disk-babe3939.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a92e6d2d9507/vmlinux-babe3939.xz
kernel image: https://storage.googleapis.com/syzbot-assets/afd2bad18cfc/bzImage-babe3939.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+93e7c679006f0d4e6105@syzkaller.appspotmail.com
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.1'.
general protection fault, probably for non-canonical address 0xdffffc000000001d: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000e8-0x00000000000000ef]
CPU: 1 PID: 15736 Comm: syz-executor.1 Not tainted 6.6.0-syzkaller-10265-gbabe393974de #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:__lock_acquire+0x109/0x5de0 kernel/locking/lockdep.c:5004
Code: 45 85 c9 0f 84 cc 0e 00 00 44 8b 05 21 dc 81 0b 45 85 c0 0f 84 be 0d 00 00 48 ba 00 00 00 00 00 fc ff df 4c 89 d1 48 c1 e9 03 <80> 3c 11 00 0f 85 e8 40 00 00 49 81 3a e0 09 b3 90 0f 84 96 0d 00
RSP: 0018:ffffc90003387378 EFLAGS: 00010006
RAX: ffff88801d5e9dc0 RBX: 1ffff92000670e9f RCX: 000000000000001d
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 00000000000000e8
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: 00000000000000e8 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001
FS: 00007f07477fc6c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000b80 CR3: 000000006a8b7000 CR4: 00000000003506f0
Call Trace:
<TASK>
lock_acquire kernel/locking/lockdep.c:5753 [inline]
lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5718
down_read+0x9c/0x470 kernel/locking/rwsem.c:1526
hugetlb_vma_lock_read mm/hugetlb.c:274 [inline]
hugetlb_vma_lock_read+0xae/0x100 mm/hugetlb.c:265
hugetlb_follow_page_mask+0x156/0xf20 mm/hugetlb.c:6500
follow_page_mask+0x49e/0xda0 mm/gup.c:824
__get_user_pages+0x366/0x1480 mm/gup.c:1237
__get_user_pages_locked mm/gup.c:1504 [inline]
__gup_longterm_locked+0x755/0x2570 mm/gup.c:2198
pin_user_pages_remote+0xee/0x140 mm/gup.c:3346
process_vm_rw_single_vec mm/process_vm_access.c:105 [inline]
process_vm_rw_core.constprop.0+0x43d/0xa10 mm/process_vm_access.c:215
process_vm_rw+0x2ff/0x360 mm/process_vm_access.c:283
__do_sys_process_vm_writev mm/process_vm_access.c:303 [inline]
__se_sys_process_vm_writev mm/process_vm_access.c:298 [inline]
__x64_sys_process_vm_writev+0xe2/0x1b0 mm/process_vm_access.c:298
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f0746a7cae9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f07477fc0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000137
RAX: ffffffffffffffda RBX: 00007f0746b9bf80 RCX: 00007f0746a7cae9
RDX: 0000000000000001 RSI: 0000000020000b80 RDI: 0000000000001d1b
RBP: 00007f0746ac847a R08: 0000000000000001 R09: 0000000000000000
R10: 0000000020000f80 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f0746b9bf80 R15: 00007f0746cbfa48
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__lock_acquire+0x109/0x5de0 kernel/locking/lockdep.c:5004
Code: 45 85 c9 0f 84 cc 0e 00 00 44 8b 05 21 dc 81 0b 45 85 c0 0f 84 be 0d 00 00 48 ba 00 00 00 00 00 fc ff df 4c 89 d1 48 c1 e9 03 <80> 3c 11 00 0f 85 e8 40 00 00 49 81 3a e0 09 b3 90 0f 84 96 0d 00
RSP: 0018:ffffc90003387378 EFLAGS: 00010006
RAX: ffff88801d5e9dc0 RBX: 1ffff92000670e9f RCX: 000000000000001d
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 00000000000000e8
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: 00000000000000e8 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001
FS: 00007f07477fc6c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000b80 CR3: 000000006a8b7000 CR4: 00000000003506f0
----------------
Code disassembly (best guess):
0: 45 85 c9 test %r9d,%r9d
3: 0f 84 cc 0e 00 00 je 0xed5
9: 44 8b 05 21 dc 81 0b mov 0xb81dc21(%rip),%r8d # 0xb81dc31
10: 45 85 c0 test %r8d,%r8d
13: 0f 84 be 0d 00 00 je 0xdd7
19: 48 ba 00 00 00 00 00 movabs $0xdffffc0000000000,%rdx
20: fc ff df
23: 4c 89 d1 mov %r10,%rcx
26: 48 c1 e9 03 shr $0x3,%rcx
* 2a: 80 3c 11 00 cmpb $0x0,(%rcx,%rdx,1) <-- trapping instruction
2e: 0f 85 e8 40 00 00 jne 0x411c
34: 49 81 3a e0 09 b3 90 cmpq $0xffffffff90b309e0,(%r10)
3b: 0f .byte 0xf
3c: 84 .byte 0x84
3d: 96 xchg %eax,%esi
3e: 0d .byte 0xd
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-11-16 17:32 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-11-16 7:53 [syzbot] [mm?] general protection fault in hugetlb_vma_lock_read xingwei lee
2023-11-16 17:32 ` Mike Kravetz
-- strict thread matches above, loose matches on Subject: below --
2023-11-02 15:26 syzbot
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.