From: Dmitry Vyukov <dvyukov@google.com>
To: Al Viro <viro@zeniv.linux.org.uk>,
	"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>
Cc: syzkaller <syzkaller@googlegroups.com>
Subject: fs: GPF in deactivate_locked_super
Date: Thu, 23 Mar 2017 15:14:50 +0100
Message-ID: <CACT4Y+b-purC3HHbw=SctmS3MA8FKqtNYZUS_KCo2WMctTwyNA@mail.gmail.com>

Hello,

I've got the following crash while running syzkaller on
093b995e3b55a0ae0670226ddfcb05bfbf0099ae. Note the preceding injected
kmalloc failure; most likely it's the root cause.


FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 4874 Comm: syz-executor3 Not tainted 4.11.0-rc3+ #364
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 kzalloc include/linux/slab.h:495 [inline]
 register_shrinker+0x10e/0x2d0 mm/vmscan.c:284
 sget_userns+0xbf2/0xe40 fs/super.c:521
 mount_ns+0x6d/0x190 fs/super.c:1026
 mqueue_mount+0xbe/0xe0 ipc/mqueue.c:340
 mount_fs+0x66/0x2f0 fs/super.c:1223
 vfs_kern_mount.part.23+0xc6/0x4b0 fs/namespace.c:979
 vfs_kern_mount fs/namespace.c:3293 [inline]
 kern_mount_data+0x50/0xb0 fs/namespace.c:3293
 mq_init_ns+0x167/0x220 ipc/mqueue.c:1418
 create_ipc_ns ipc/namespace.c:57 [inline]
 copy_ipcs+0x39b/0x580 ipc/namespace.c:83
 create_new_namespaces+0x285/0x8c0 kernel/nsproxy.c:86
 unshare_nsproxy_namespaces+0xae/0x1e0 kernel/nsproxy.c:205
 SYSC_unshare kernel/fork.c:2319 [inline]
 SyS_unshare+0x664/0xf80 kernel/fork.c:2269
 entry_SYSCALL_64_fastpath+0x1f/0xc2
RIP: 0033:0x445b79
RSP: 002b:00007fb4faa4e858 EFLAGS: 00000286 ORIG_RAX: 0000000000000110
RAX: ffffffffffffffda RBX: 0000000000708000 RCX: 0000000000445b79
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000a040000
RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000286 R12: 00000000004a7e31
R13: 0000000000000000 R14: 00007fb4faa4e618 R15: 00007fb4faa4e788

kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4874 Comm: syz-executor3 Not tainted 4.11.0-rc3+ #364
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff8800390760c0 task.stack: ffff880039228000
RIP: 0010:__list_del_entry_valid+0x7e/0x150 lib/list_debug.c:51
RSP: 0018:ffff88003922ef00 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff88003a232ea0 RDI: ffff88003a232ea8
RBP: ffff88003922ef18 R08: fffffbfff0c0242c R09: 0000000000000001
R10: ffff8800390760c0 R11: fffffbfff0c0242b R12: 0000000000000000
R13: dffffc0000000000 R14: ffff88003a232740 R15: ffff88003a232ea0
FS:  00007fb4faa4f700(0000) GS:ffff88003fd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000ff7 CR3: 0000000043a01000 CR4: 00000000000026e0
DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
 __list_del_entry include/linux/list.h:116 [inline]
 list_del include/linux/list.h:124 [inline]
 unregister_shrinker+0x79/0x300 mm/vmscan.c:301
 deactivate_locked_super+0x75/0xe0 fs/super.c:308
 deactivate_super+0x151/0x160 fs/super.c:340
 cleanup_mnt+0xb2/0x160 fs/namespace.c:1115
 mntput_no_expire+0x6e9/0xaa0 fs/namespace.c:1181
 mntput fs/namespace.c:1191 [inline]
 kern_unmount+0x9c/0xd0 fs/namespace.c:2995
 mq_put_mnt+0x37/0x50 ipc/mqueue.c:1434
 put_ipc_ns+0x4d/0x160 ipc/namespace.c:150
 free_nsproxy+0xde/0x230 kernel/nsproxy.c:179
 switch_task_namespaces+0xaa/0xc0 kernel/nsproxy.c:228
 exit_task_namespaces+0x17/0x20 kernel/nsproxy.c:233
 do_exit+0x1ac6/0x26d0 kernel/exit.c:878
 do_group_exit+0x149/0x400 kernel/exit.c:983
 get_signal+0x696/0x1810 kernel/signal.c:2318
 do_signal+0x90/0x1ee0 arch/x86/kernel/signal.c:808
 exit_to_usermode_loop+0x1e5/0x2d0 arch/x86/entry/common.c:157
 prepare_exit_to_usermode arch/x86/entry/common.c:191 [inline]
 syscall_return_slowpath+0x3bd/0x460 arch/x86/entry/common.c:260
 entry_SYSCALL_64_fastpath+0xc0/0xc2
RIP: 0033:0x445b79
RSP: 002b:00007fb4faa4e858 EFLAGS: 00000202 ORIG_RAX: 00000000000000ca
RAX: 0000000000000001 RBX: 0000000000708000 RCX: 0000000000445b79
RDX: 0000000000000009 RSI: 0000000000000001 RDI: 0000000000708024
RBP: 0000000000001d10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 00000000006dfdd0
R13: 000000008208ae63 R14: 000000002000a000 R15: ffffffffffffffff
Code: 00 00 00 00 ad de 49 39 c4 74 66 48 b8 00 02 00 00 00 00 ad de
48 89 da 48 39 c3 74 65 48 c1 ea 03 48 b8 00 00 00 00 00 fc ff df <80>
3c 02 00 75 7b 48 8b 13 48 39 f2 75 57 49 8d 7c 24 08 48 b8
RIP: __list_del_entry_valid+0x7e/0x150 lib/list_debug.c:51 RSP: ffff88003922ef00
---[ end trace 569c84071b70c014 ]---
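The two traces above line up into one story: the injected failslab hit the kzalloc inside register_shrinker() during sget_userns(), the mount proceeded anyway, and at teardown deactivate_locked_super() called unregister_shrinker(), whose list_del() ran on a list_head that was still zero-filled from the superblock allocation (note RBX = 0 in the register dump, and the "NULL-ptr deref" hint from KASAN). The follow-up in this thread is titled "Handle register_shrinker failure". The C model below is an added example, not kernel code and not the patch from the thread: it reproduces the register/unregister asymmetry with a fault-injection knob, shows the list-debug style validator rejecting the never-linked entry instead of dereferencing NULL, and contrasts an "unfixed" sget that ignores the error with a "fixed" one that propagates it (the shape of the fix is an assumption here; only its title is on the page). All function and struct names are simplified stand-ins.

```c
/* Added example (not kernel code): model of the register_shrinker failure
 * path from the report. Names are simplified stand-ins for the kernel's. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };

/* Global list that register() links into (stands in for shrinker_list). */
static struct list_head shrinker_list = { &shrinker_list, &shrinker_list };

struct shrinker {
    struct list_head list;  /* zero-filled until register() links it */
    void *nr_deferred;      /* the per-node array whose kzalloc failed */
};

/* Fault-injection knob standing in for failslab: fail the next allocation. */
static bool fail_next_alloc;

static void *kzalloc_sim(size_t n) {
    if (fail_next_alloc) { fail_next_alloc = false; return NULL; }
    return calloc(1, n);
}

static void list_add_tail(struct list_head *n, struct list_head *head) {
    struct list_head *prev = head->prev;
    n->next = head; n->prev = prev; prev->next = n; head->prev = n;
}

/* Mirrors the idea of lib/list_debug.c: refuse the delete when the entry was
 * never linked (NULL neighbours) or its neighbours do not point back at it.
 * The kernel oopses on the NULL case; here we just report it. */
static bool list_del_entry_valid(const struct list_head *e) {
    if (e->prev == NULL || e->next == NULL) return false;
    if (e->prev->next != e || e->next->prev != e) return false;
    return true;
}

static bool list_del_checked(struct list_head *e) {
    if (!list_del_entry_valid(e)) return false;
    e->prev->next = e->next; e->next->prev = e->prev;
    e->next = e->prev = NULL;
    return true;
}

/* Registration that can fail on allocation, like register_shrinker(). */
int register_shrinker(struct shrinker *s) {
    s->nr_deferred = kzalloc_sim(16 * sizeof(long));
    if (!s->nr_deferred) return -ENOMEM;
    list_add_tail(&s->list, &shrinker_list);
    return 0;
}

/* Unconditional unregister, like unregister_shrinker(): returns false if the
 * list_del validator rejected the entry (the point where the report crashed). */
bool unregister_shrinker(struct shrinker *s) {
    bool ok = list_del_checked(&s->list);
    free(s->nr_deferred);
    s->nr_deferred = NULL;
    return ok;
}

struct super_block { struct shrinker s_shrink; };

/* Unfixed: the return value of register_shrinker() is dropped on the floor. */
static int sget_unfixed(struct super_block *sb) {
    memset(sb, 0, sizeof *sb);          /* superblock comes back zero-filled */
    register_shrinker(&sb->s_shrink);   /* failure ignored */
    return 0;
}

/* Modeled fix (assumption, not the thread's patch): propagate the error so no
 * superblock is handed to the caller and nothing is ever torn down. */
static int sget_fixed(struct super_block *sb) {
    memset(sb, 0, sizeof *sb);
    int err = register_shrinker(&sb->s_shrink);
    return err ? err : 0;
}

static bool deactivate_locked_super(struct super_block *sb) {
    return unregister_shrinker(&sb->s_shrink);
}

/* Replays mount + teardown. Returns 1 if teardown hit the invalid list_del
 * (the reported GPF), 0 if the sequence completed or failed cleanly. */
int run_scenario(bool inject_fault, bool fixed) {
    struct super_block sb;
    fail_next_alloc = inject_fault;
    int err = fixed ? sget_fixed(&sb) : sget_unfixed(&sb);
    if (err) return 0;   /* mount failed cleanly; nothing to deactivate */
    return deactivate_locked_super(&sb) ? 0 : 1;
}

int main(void) {
    printf("no fault, unfixed : %d\n", run_scenario(false, false));
    printf("fault,    unfixed : %d  (invalid list_del, as in the report)\n",
           run_scenario(true, false));
    printf("fault,    fixed   : %d\n", run_scenario(true, true));
    return 0;
}
```

The detection point to take away is the asymmetry itself: any teardown that unconditionally undoes a registration must either be guarded by whether the registration succeeded, or the failure must stop the object from reaching the caller at all, which is what the fixed variant models.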

Thread overview:
2017-03-23 14:14 Dmitry Vyukov [this message]
2017-03-24  7:57 ` [PATCH] fs: Handle register_shrinker failure Nikolay Borisov
2017-03-24  8:25   ` [PATCHv2] " Nikolay Borisov
2017-04-01  9:11     ` Nikolay Borisov
