[syzbot] linux-next boot error: WARNING in find_vma

[syzbot] linux-next boot error: WARNING in find_vma

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    c3f7b3be172b Add linux-next specific files for 20210803
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=10b71b42300000
kernel config:  https://syzkaller.appspot.com/x/.config?x=ae62f6b8af876a89
dashboard link: https://syzkaller.appspot.com/bug?extid=dcb8a1e30879e0d60e8c
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+dcb8a1e30879e0d60e8c@syzkaller.appspotmail.com

kAFS: Red Hat AFS client v0.1 registering.
FS-Cache: Netfs 'afs' registered for caching
Btrfs loaded, crc32c=crc32c-intel, assert=on, zoned=yes, fsverity=yes
Key type big_key registered
Key type encrypted registered
AppArmor: AppArmor sha1 policy hashing enabled
ima: No TPM chip found, activating TPM-bypass!
Loading compiled-in module X.509 certificates
Loaded X.509 cert 'Build time autogenerated kernel key: f850c787ad998c396ae089c083b940ff0a9abb77'
ima: Allocated hash algorithm: sha256
ima: No architecture policies found
evm: Initialising EVM extended attributes:
evm: security.selinux (disabled)
evm: security.SMACK64 (disabled)
evm: security.SMACK64EXEC (disabled)
evm: security.SMACK64TRANSMUTE (disabled)
evm: security.SMACK64MMAP (disabled)
evm: security.apparmor
evm: security.ima
evm: security.capability
evm: HMAC attrs: 0x1
PM:   Magic number: 1:653:286
usb usb32-port1: hash matches
usb usb22: hash matches
ppp ppp: hash matches
tty ttyz0: hash matches
printk: console [netcon0] enabled
netconsole: network logging started
gtp: GTP module loaded (pdp ctx size 104 bytes)
rdma_rxe: loaded
cfg80211: Loading compiled-in X.509 certificates for regulatory database
cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
ALSA device list:
  #0: Dummy 1
  #1: Loopback 1
  #2: Virtual MIDI Card 1
md: Waiting for all devices to be available before autodetect
md: If you don't use raid, use raid=noautodetect
md: Autodetecting RAID arrays.
md: autorun ...
md: ... autorun DONE.
EXT4-fs (sda1): mounted filesystem without journal. Opts: (null). Quota mode: none.
VFS: Mounted root (ext4 filesystem) readonly on device 8:1.
devtmpfs: mounted
Freeing unused kernel image (initmem) memory: 4348K
Write protecting the kernel read-only data: 169984k
Freeing unused kernel image (text/rodata gap) memory: 2012K
Freeing unused kernel image (rodata/data gap) memory: 1460K
Run /sbin/init as init process
------------[ cut here ]------------
WARNING: CPU: 1 PID: 1 at include/linux/mmap_lock.h:164 mmap_assert_locked include/linux/mmap_lock.h:164 [inline]
WARNING: CPU: 1 PID: 1 at include/linux/mmap_lock.h:164 find_vma+0xf8/0x270 mm/mmap.c:2307
Modules linked in:
CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.14.0-rc4-next-20210803-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mmap_assert_locked include/linux/mmap_lock.h:164 [inline]
RIP: 0010:find_vma+0xf8/0x270 mm/mmap.c:2307
Code: 49 8d bc 24 28 01 00 00 be ff ff ff ff e8 00 e0 81 07 31 ff 89 c3 89 c6 e8 e5 a5 c9 ff 85 db 0f 85 61 ff ff ff e8 98 9e c9 ff <0f> 0b e9 55 ff ff ff e8 8c 9e c9 ff 4c 89 e7 e8 d4 da fb ff 0f 0b
RSP: 0000:ffffc90000c67600 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff888011a78000 RSI: ffffffff81ac1ac8 RDI: 0000000000000003
RBP: 00007fffffffe000 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff81ac1abb R11: 0000000000000001 R12: ffff8880260df000
R13: 0000000000000000 R14: 0000000000002016 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000000b68e000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 find_extend_vma+0x25/0x150 mm/mmap.c:2622
 __get_user_pages+0x1c7/0xf70 mm/gup.c:1124
 __get_user_pages_locked mm/gup.c:1359 [inline]
 __get_user_pages_remote+0x18f/0x840 mm/gup.c:1868
 get_user_pages_remote+0x63/0x90 mm/gup.c:1941
 tomoyo_dump_page+0xd3/0x5b0 security/tomoyo/domain.c:915
 tomoyo_print_bprm security/tomoyo/audit.c:46 [inline]
 tomoyo_init_log+0xdc4/0x1ec0 security/tomoyo/audit.c:264
 tomoyo_supervisor+0x34d/0xf00 security/tomoyo/common.c:2097
 tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
 tomoyo_execute_permission+0x37f/0x4a0 security/tomoyo/file.c:619
 tomoyo_find_next_domain+0x348/0x1f80 security/tomoyo/domain.c:752
 tomoyo_bprm_check_security security/tomoyo/tomoyo.c:101 [inline]
 tomoyo_bprm_check_security+0x121/0x1a0 security/tomoyo/tomoyo.c:91
 security_bprm_check+0x45/0xa0 security/security.c:865
 search_binary_handler fs/exec.c:1711 [inline]
 exec_binprm fs/exec.c:1764 [inline]
 bprm_execve fs/exec.c:1833 [inline]
 bprm_execve+0x732/0x19b0 fs/exec.c:1795
 kernel_execve+0x370/0x460 fs/exec.c:1976
 try_to_run_init_process+0x14/0x4e init/main.c:1426
 kernel_init+0x12c/0x1d0 init/main.c:1542
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Re: [syzbot] linux-next boot error: WARNING in find_vma

[Andrew Morton]

On Tue, 03 Aug 2021 09:46:28 -0700 syzbot <syzbot+dcb8a1e30879e0d60e8c@syzkaller.appspotmail.com> wrote:

> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    c3f7b3be172b Add linux-next specific files for 20210803
> git tree:       linux-next

Thanks.  I'm suspecting "Add mmap_assert_locked() annotations to
find_vma*()" found an error in Tomoyo - tomoyo_dump_page() should be
holding mmap_lock?

> console output: https://syzkaller.appspot.com/x/log.txt?x=10b71b42300000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=ae62f6b8af876a89
> dashboard link: https://syzkaller.appspot.com/bug?extid=dcb8a1e30879e0d60e8c
> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+dcb8a1e30879e0d60e8c@syzkaller.appspotmail.com
> 
> kAFS: Red Hat AFS client v0.1 registering.
> FS-Cache: Netfs 'afs' registered for caching
> Btrfs loaded, crc32c=crc32c-intel, assert=on, zoned=yes, fsverity=yes
> Key type big_key registered
> Key type encrypted registered
> AppArmor: AppArmor sha1 policy hashing enabled
> ima: No TPM chip found, activating TPM-bypass!
> Loading compiled-in module X.509 certificates
> Loaded X.509 cert 'Build time autogenerated kernel key: f850c787ad998c396ae089c083b940ff0a9abb77'
> ima: Allocated hash algorithm: sha256
> ima: No architecture policies found
> evm: Initialising EVM extended attributes:
> evm: security.selinux (disabled)
> evm: security.SMACK64 (disabled)
> evm: security.SMACK64EXEC (disabled)
> evm: security.SMACK64TRANSMUTE (disabled)
> evm: security.SMACK64MMAP (disabled)
> evm: security.apparmor
> evm: security.ima
> evm: security.capability
> evm: HMAC attrs: 0x1
> PM:   Magic number: 1:653:286
> usb usb32-port1: hash matches
> usb usb22: hash matches
> ppp ppp: hash matches
> tty ttyz0: hash matches
> printk: console [netcon0] enabled
> netconsole: network logging started
> gtp: GTP module loaded (pdp ctx size 104 bytes)
> rdma_rxe: loaded
> cfg80211: Loading compiled-in X.509 certificates for regulatory database
> cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
> ALSA device list:
>   #0: Dummy 1
>   #1: Loopback 1
>   #2: Virtual MIDI Card 1
> md: Waiting for all devices to be available before autodetect
> md: If you don't use raid, use raid=noautodetect
> md: Autodetecting RAID arrays.
> md: autorun ...
> md: ... autorun DONE.
> EXT4-fs (sda1): mounted filesystem without journal. Opts: (null). Quota mode: none.
> VFS: Mounted root (ext4 filesystem) readonly on device 8:1.
> devtmpfs: mounted
> Freeing unused kernel image (initmem) memory: 4348K
> Write protecting the kernel read-only data: 169984k
> Freeing unused kernel image (text/rodata gap) memory: 2012K
> Freeing unused kernel image (rodata/data gap) memory: 1460K
> Run /sbin/init as init process
> ------------[ cut here ]------------
> WARNING: CPU: 1 PID: 1 at include/linux/mmap_lock.h:164 mmap_assert_locked include/linux/mmap_lock.h:164 [inline]
> WARNING: CPU: 1 PID: 1 at include/linux/mmap_lock.h:164 find_vma+0xf8/0x270 mm/mmap.c:2307
> Modules linked in:
> CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.14.0-rc4-next-20210803-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> RIP: 0010:mmap_assert_locked include/linux/mmap_lock.h:164 [inline]
> RIP: 0010:find_vma+0xf8/0x270 mm/mmap.c:2307
> Code: 49 8d bc 24 28 01 00 00 be ff ff ff ff e8 00 e0 81 07 31 ff 89 c3 89 c6 e8 e5 a5 c9 ff 85 db 0f 85 61 ff ff ff e8 98 9e c9 ff <0f> 0b e9 55 ff ff ff e8 8c 9e c9 ff 4c 89 e7 e8 d4 da fb ff 0f 0b
> RSP: 0000:ffffc90000c67600 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
> RDX: ffff888011a78000 RSI: ffffffff81ac1ac8 RDI: 0000000000000003
> RBP: 00007fffffffe000 R08: 0000000000000000 R09: 0000000000000001
> R10: ffffffff81ac1abb R11: 0000000000000001 R12: ffff8880260df000
> R13: 0000000000000000 R14: 0000000000002016 R15: 0000000000000000
> FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000000 CR3: 000000000b68e000 CR4: 00000000001506e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  find_extend_vma+0x25/0x150 mm/mmap.c:2622
>  __get_user_pages+0x1c7/0xf70 mm/gup.c:1124
>  __get_user_pages_locked mm/gup.c:1359 [inline]
>  __get_user_pages_remote+0x18f/0x840 mm/gup.c:1868
>  get_user_pages_remote+0x63/0x90 mm/gup.c:1941
>  tomoyo_dump_page+0xd3/0x5b0 security/tomoyo/domain.c:915
>  tomoyo_print_bprm security/tomoyo/audit.c:46 [inline]
>  tomoyo_init_log+0xdc4/0x1ec0 security/tomoyo/audit.c:264
>  tomoyo_supervisor+0x34d/0xf00 security/tomoyo/common.c:2097
>  tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
>  tomoyo_execute_permission+0x37f/0x4a0 security/tomoyo/file.c:619
>  tomoyo_find_next_domain+0x348/0x1f80 security/tomoyo/domain.c:752
>  tomoyo_bprm_check_security security/tomoyo/tomoyo.c:101 [inline]
>  tomoyo_bprm_check_security+0x121/0x1a0 security/tomoyo/tomoyo.c:91
>  security_bprm_check+0x45/0xa0 security/security.c:865
>  search_binary_handler fs/exec.c:1711 [inline]
>  exec_binprm fs/exec.c:1764 [inline]
>  bprm_execve fs/exec.c:1833 [inline]
>  bprm_execve+0x732/0x19b0 fs/exec.c:1795
>  kernel_execve+0x370/0x460 fs/exec.c:1976
>  try_to_run_init_process+0x14/0x4e init/main.c:1426
>  kernel_init+0x12c/0x1d0 init/main.c:1542
>  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
> 
> 
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
> 
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Re: [syzbot] linux-next boot error: WARNING in find_vma

[Tetsuo Handa]

On 2021/08/04 5:24, Andrew Morton wrote:
> Thanks.  I'm suspecting "Add mmap_assert_locked() annotations to
> find_vma*()" found an error in Tomoyo - tomoyo_dump_page() should be
> holding mmap_lock?

Yes, TOMOYO needs the same protection which get_arg_page() needs.
Please fold below diff into "mm/pagemap: add mmap_assert_locked() annotations to find_vma*()".

diff --git a/fs/exec.c b/fs/exec.c
index 816c7e347c9c..c982de69fab9 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -214,8 +214,7 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
 		gup_flags |= FOLL_WRITE;
 
 	/*
-	 * We are doing an exec().  'current' is the process
-	 * doing the exec and bprm->mm is the new process's mm.
+	 * We are doing an exec(). bprm->mm is the new process's mm.
 	 */
 	mmap_read_lock(bprm->mm);
 	ret = get_user_pages_remote(bprm->mm, pos, 1, gup_flags,
diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c
index 98d985895ec8..31af29f669d2 100644
--- a/security/tomoyo/domain.c
+++ b/security/tomoyo/domain.c
@@ -897,6 +897,9 @@ bool tomoyo_dump_page(struct linux_binprm *bprm, unsigned long pos,
 		      struct tomoyo_page_dump *dump)
 {
 	struct page *page;
+#ifdef CONFIG_MMU
+	int ret;
+#endif
 
 	/* dump->data is released by tomoyo_find_next_domain(). */
 	if (!dump->data) {
@@ -909,11 +912,13 @@ bool tomoyo_dump_page(struct linux_binprm *bprm, unsigned long pos,
 	/*
 	 * This is called at execve() time in order to dig around
 	 * in the argv/environment of the new proceess
-	 * (represented by bprm).  'current' is the process doing
-	 * the execve().
+	 * (represented by bprm).
 	 */
-	if (get_user_pages_remote(bprm->mm, pos, 1,
-				FOLL_FORCE, &page, NULL, NULL) <= 0)
+	mmap_read_lock(bprm->mm);
+	ret = get_user_pages_remote(bprm->mm, pos, 1,
+				    FOLL_FORCE, &page, NULL, NULL);
+	mmap_read_unlock(bprm->mm);
+	if (ret <= 0)
 		return false;
 #else
 	page = bprm->page[pos / PAGE_SIZE];