* Re: [Bug 200095] New: kasan: GPF could be caused by NULL-ptr deref or user memory access
[not found] <bug-200095-27@https.bugzilla.kernel.org/>
@ 2018-06-18 23:25 ` Andrew Morton
2018-06-19 5:12 ` Dmitry Vyukov
2018-06-19 9:45 ` Andrey Ryabinin
0 siblings, 2 replies; 3+ messages in thread
From: Andrew Morton @ 2018-06-18 23:25 UTC (permalink / raw)
To: linux-mm
Cc: bugzilla-daemon, icytxw, Andrey Ryabinin, Alexander Potapenko,
Dmitry Vyukov
(switched to email. Please respond via emailed reply-to-all, not via the
bugzilla web interface).
Could the KASAN people please help interpret this one?
On Sun, 17 Jun 2018 03:10:59 +0000 bugzilla-daemon@bugzilla.kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=200095
>
> Bug ID: 200095
> Summary: kasan: GPF could be caused by NULL-ptr deref or user
> memory access
> Product: Alternate Trees
> Version: 2.5
> Kernel Version: v4.17
> Hardware: All
> OS: Linux
> Status: NEW
> Severity: normal
> Priority: P1
> Component: mm
> Assignee: akpm@linux-foundation.org
> Reporter: icytxw@gmail.com
> Regression: No
>
> Created attachment 276605
> --> https://bugzilla.kernel.org/attachment.cgi?id=276605&action=edit
> log0
>
> $ cat ../949034f0ecf05fba42df7e5f51a55453eba53e06/report0
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] SMP KASAN PTI
> CPU: 0 PID: 7388 Comm: syz-executor1 Not tainted 4.17.0 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014
> RIP: 0010:__insert_vmap_area+0x8c/0x3c0 mm/vmalloc.c:373
> Code: 76 e8 78 3f e5 ff 4c 89 e0 48 c1 e8 03 80 3c 28 00 0f 85 c7 02 00 00 4c
> 8d 6b e8 4d 8b 3c 24 49 8d 7d 08 48 89 fa 48 c1 ea 03 <80> 3c 2a 00 0f 85 a0 02
> 00 00 4c 3b 7b f0 72 9d e8 3f 3f e5 ff 41
> RSP: 0018:ffff8800550778c0 EFLAGS: 00010207
> RAX: 1ffff1000d80fd40 RBX: 0000041600000406 RCX: ffffffff8324e1de
> RDX: 00000082c000007e RSI: ffffffff814d6dd8 RDI: 00000416000003f6
> RBP: dffffc0000000000 R08: 1ffffffff08cf184 R09: fffffbfff08cf184
> R10: 0000000000000001 R11: fffffbfff08cf184 R12: ffff88006c07ea00
> R13: 00000416000003ee R14: ffffed000d80fd41 R15: ffffc90000712000
> FS: 0000000002619940(0000) GS:ffff88006d400000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000002622978 CR3: 0000000055078000 CR4: 00000000000006f0
> DR0: 0000000020000ac0 DR1: 0000000020000ac0 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
> Call Trace:
> Modules linked in:
> Dumping ftrace buffer:
> (ftrace buffer empty)
> ---[ end trace 650893cd43a30701 ]---
> RIP: 0010:__insert_vmap_area+0x8c/0x3c0 mm/vmalloc.c:373
> Code: 76 e8 78 3f e5 ff 4c 89 e0 48 c1 e8 03 80 3c 28 00 0f 85 c7 02 00 00 4c
> 8d 6b e8 4d 8b 3c 24 49 8d 7d 08 48 89 fa 48 c1 ea 03 <80> 3c 2a 00 0f 85 a0 02
> 00 00 4c 3b 7b f0 72 9d e8 3f 3f e5 ff 41
> RSP: 0018:ffff8800550778c0 EFLAGS: 00010207
> RAX: 1ffff1000d80fd40 RBX: 0000041600000406 RCX: ffffffff8324e1de
> RDX: 00000082c000007e RSI: ffffffff814d6dd8 RDI: 00000416000003f6
> RBP: dffffc0000000000 R08: 1ffffffff08cf184 R09: fffffbfff08cf184
> R10: 0000000000000001 R11: fffffbfff08cf184 R12: ffff88006c07ea00
> R13: 00000416000003ee R14: ffffed000d80fd41 R15: ffffc90000712000
> FS: 0000000002619940(0000) GS:ffff88006d400000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000002622978 CR3: 0000000055078000 CR4: 00000000000006f0
> DR0: 0000000020000ac0 DR1: 0000000020000ac0 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
>
> --
> You are receiving this mail because:
> You are the assignee for the bug.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Bug 200095] New: kasan: GPF could be caused by NULL-ptr deref or user memory access
2018-06-18 23:25 ` [Bug 200095] New: kasan: GPF could be caused by NULL-ptr deref or user memory access Andrew Morton
@ 2018-06-19 5:12 ` Dmitry Vyukov
2018-06-19 9:45 ` Andrey Ryabinin
1 sibling, 0 replies; 3+ messages in thread
From: Dmitry Vyukov @ 2018-06-19 5:12 UTC (permalink / raw)
To: Andrew Morton
Cc: Linux-MM, bugzilla-daemon, air icy, Andrey Ryabinin, Alexander Potapenko
On Tue, Jun 19, 2018 at 1:25 AM, Andrew Morton
<akpm@linux-foundation.org> wrote:
>
> (switched to email. Please respond via emailed reply-to-all, not via the
> bugzilla web interface).
>
> Could the KASAN people please help interpret this one?
Most of the time this just means a NULL deref. Under KASAN it happens
on shadow address for NULL rather than on NULL itself, and so it's
diagnosed differently.
icytxw, what kernel commit is this? I see a recent ""mm/vmalloc: keep
track of free blocks for allocation"" that touches this function.
Also, why all frames are questionable? Do you have frame pointers enabled?
> On Sun, 17 Jun 2018 03:10:59 +0000 bugzilla-daemon@bugzilla.kernel.org wrote:
>
>> https://bugzilla.kernel.org/show_bug.cgi?id=200095
>>
>> Bug ID: 200095
>> Summary: kasan: GPF could be caused by NULL-ptr deref or user
>> memory access
>> Product: Alternate Trees
>> Version: 2.5
>> Kernel Version: v4.17
>> Hardware: All
>> OS: Linux
>> Status: NEW
>> Severity: normal
>> Priority: P1
>> Component: mm
>> Assignee: akpm@linux-foundation.org
>> Reporter: icytxw@gmail.com
>> Regression: No
>>
>> Created attachment 276605
>> --> https://bugzilla.kernel.org/attachment.cgi?id=276605&action=edit
>> log0
>>
>> $ cat ../949034f0ecf05fba42df7e5f51a55453eba53e06/report0
>> kasan: CONFIG_KASAN_INLINE enabled
>> kasan: GPF could be caused by NULL-ptr deref or user memory access
>> general protection fault: 0000 [#1] SMP KASAN PTI
>> CPU: 0 PID: 7388 Comm: syz-executor1 Not tainted 4.17.0 #1
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
>> rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014
>> RIP: 0010:__insert_vmap_area+0x8c/0x3c0 mm/vmalloc.c:373
>> Code: 76 e8 78 3f e5 ff 4c 89 e0 48 c1 e8 03 80 3c 28 00 0f 85 c7 02 00 00 4c
>> 8d 6b e8 4d 8b 3c 24 49 8d 7d 08 48 89 fa 48 c1 ea 03 <80> 3c 2a 00 0f 85 a0 02
>> 00 00 4c 3b 7b f0 72 9d e8 3f 3f e5 ff 41
>> RSP: 0018:ffff8800550778c0 EFLAGS: 00010207
>> RAX: 1ffff1000d80fd40 RBX: 0000041600000406 RCX: ffffffff8324e1de
>> RDX: 00000082c000007e RSI: ffffffff814d6dd8 RDI: 00000416000003f6
>> RBP: dffffc0000000000 R08: 1ffffffff08cf184 R09: fffffbfff08cf184
>> R10: 0000000000000001 R11: fffffbfff08cf184 R12: ffff88006c07ea00
>> R13: 00000416000003ee R14: ffffed000d80fd41 R15: ffffc90000712000
>> FS: 0000000002619940(0000) GS:ffff88006d400000(0000) knlGS:0000000000000000
>> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 0000000002622978 CR3: 0000000055078000 CR4: 00000000000006f0
>> DR0: 0000000020000ac0 DR1: 0000000020000ac0 DR2: 0000000000000000
>> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
>> Call Trace:
>> Modules linked in:
>> Dumping ftrace buffer:
>> (ftrace buffer empty)
>> ---[ end trace 650893cd43a30701 ]---
>> RIP: 0010:__insert_vmap_area+0x8c/0x3c0 mm/vmalloc.c:373
>> Code: 76 e8 78 3f e5 ff 4c 89 e0 48 c1 e8 03 80 3c 28 00 0f 85 c7 02 00 00 4c
>> 8d 6b e8 4d 8b 3c 24 49 8d 7d 08 48 89 fa 48 c1 ea 03 <80> 3c 2a 00 0f 85 a0 02
>> 00 00 4c 3b 7b f0 72 9d e8 3f 3f e5 ff 41
>> RSP: 0018:ffff8800550778c0 EFLAGS: 00010207
>> RAX: 1ffff1000d80fd40 RBX: 0000041600000406 RCX: ffffffff8324e1de
>> RDX: 00000082c000007e RSI: ffffffff814d6dd8 RDI: 00000416000003f6
>> RBP: dffffc0000000000 R08: 1ffffffff08cf184 R09: fffffbfff08cf184
>> R10: 0000000000000001 R11: fffffbfff08cf184 R12: ffff88006c07ea00
>> R13: 00000416000003ee R14: ffffed000d80fd41 R15: ffffc90000712000
>> FS: 0000000002619940(0000) GS:ffff88006d400000(0000) knlGS:0000000000000000
>> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 0000000002622978 CR3: 0000000055078000 CR4: 00000000000006f0
>> DR0: 0000000020000ac0 DR1: 0000000020000ac0 DR2: 0000000000000000
>> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
>>
>> --
>> You are receiving this mail because:
>> You are the assignee for the bug.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Bug 200095] New: kasan: GPF could be caused by NULL-ptr deref or user memory access
2018-06-18 23:25 ` [Bug 200095] New: kasan: GPF could be caused by NULL-ptr deref or user memory access Andrew Morton
2018-06-19 5:12 ` Dmitry Vyukov
@ 2018-06-19 9:45 ` Andrey Ryabinin
1 sibling, 0 replies; 3+ messages in thread
From: Andrey Ryabinin @ 2018-06-19 9:45 UTC (permalink / raw)
To: Andrew Morton, linux-mm
Cc: bugzilla-daemon, icytxw, Alexander Potapenko, Dmitry Vyukov
On 06/19/2018 02:25 AM, Andrew Morton wrote:
>
> (switched to email. Please respond via emailed reply-to-all, not via the
> bugzilla web interface).
>
> Could the KASAN people please help interpret this one?
>
[ 274.337561] RAX: 1ffff1000d80fd40 RBX: 0000041600000406 RCX: ffffffff8324e1de
[ 274.339796] RDX: 00000082c000007e RSI: ffffffff814d6dd8 RDI: 00000416000003f6
[ 274.342043] RBP: dffffc0000000000 R08: 1ffffffff08cf184 R09: fffffbfff08cf184
[ 274.344269] R10: 0000000000000001 R11: fffffbfff08cf184 R12: ffff88006c07ea00
[ 274.346529] R13: 00000416000003ee R14: ffffed000d80fd41 R15: ffffc90000712000
All code
========
0: 76 e8 jbe 0xffffffffffffffea
2: 78 3f js 0x43
4: e5 ff in $0xff,%eax
6: 4c 89 e0 mov %r12,%rax
9: 48 c1 e8 03 shr $0x3,%rax
d: 80 3c 28 00 cmpb $0x0,(%rax,%rbp,1)
11: 0f 85 c7 02 00 00 jne 0x2de
17: 4c 8d 6b e8 lea -0x18(%rbx),%r13
1b: 4d 8b 3c 24 mov (%r12),%r15
1f: 49 8d 7d 08 lea 0x8(%r13),%rdi
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
2a:* 80 3c 2a 00 cmpb $0x0,(%rdx,%rbp,1) <-- trapping instruction
2e: 0f 85 a0 02 00 00 jne 0x2d4
34: 4c 3b 7b f0 cmp -0x10(%rbx),%r15
38: 72 9d jb 0xffffffffffffffd7
3a: e8 3f 3f e5 ff callq 0xffffffffffe53f7e
3f: 41 rex.B
cmpb $0x0,(%rdx,%rbp,1) is shadow check for -0x10(%rbx) address (this address is also in %rdi).
So this is attempt to dereference 0x00000416000003f6 address.
%rbx seems contains 'parent' pointer, -0x10(%rbx) is tmp_va->va_end
tmp_va = rb_entry(parent, struct vmap_area, rb_node);
if (va->va_start < tmp_va->va_end)
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-06-19 9:44 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <bug-200095-27@https.bugzilla.kernel.org/>
2018-06-18 23:25 ` [Bug 200095] New: kasan: GPF could be caused by NULL-ptr deref or user memory access Andrew Morton
2018-06-19 5:12 ` Dmitry Vyukov
2018-06-19 9:45 ` Andrey Ryabinin
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.