general protection fault in vma_interval_tree_remove


syzbot

Oct 12, 2022, 3:12:50 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 43eb03f7ce81 Merge 5.15.72 into android13-5.15-lts
git tree: android13-5.15-lts
console+strace: https://syzkaller.appspot.com/x/log.txt?x=11a1ab84880000
kernel config: https://syzkaller.appspot.com/x/.config?x=a1f5e2a41a2f89af
dashboard link: https://syzkaller.appspot.com/bug?extid=50baee3dcb12b4ae92b7
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=171308aa880000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1586468a880000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e6914a80f72e/disk-43eb03f7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c0b71dce9a71/vmlinux-43eb03f7.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+50baee...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 417 Comm: syz-executor425 Not tainted 5.15.72-syzkaller-04310-g43eb03f7ce81 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
RIP: 0010:rb_set_parent_color include/linux/rbtree_augmented.h:165 [inline]
RIP: 0010:____rb_erase_color lib/rbtree.c:255 [inline]
RIP: 0010:__rb_erase_color+0x116/0xb60 lib/rbtree.c:413
Code: 00 74 08 4c 89 f7 e8 99 03 2d ff 4c 8b 6d c8 4d 89 2e 4d 89 ee 49 83 ce 01 4c 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 ff e8 6c 03 2d ff 4d 89 37 4d 89 ee 49 c1
RSP: 0018:ffffc9000041f928 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 1ffff11023670f33 RCX: dffffc0000000000
RDX: ffffffff81a6fa00 RSI: ffff88810973cf40 RDI: ffff88811ef3b4f8
RBP: ffffc9000041f988 R08: ffffffff81a6db99 R09: ffffed10212e79ec
R10: ffffed10212e79ec R11: 1ffff110212e79eb R12: ffff88811b387998
R13: ffff88811ef3b4f8 R14: ffff88811ef3b4f9 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6054be61c8 CR3: 0000000104fd5000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
rb_erase_augmented include/linux/rbtree_augmented.h:305 [inline]
rb_erase_augmented_cached include/linux/rbtree_augmented.h:314 [inline]
vma_interval_tree_remove+0xa66/0xa80 mm/interval_tree.c:23
__remove_shared_vm_struct mm/mmap.c:158 [inline]
unlink_file_vma+0xd9/0xf0 mm/mmap.c:173
free_pgtables+0x13b/0x210 mm/memory.c:417
exit_mmap+0x466/0x7a0 mm/mmap.c:3198
__mmput+0x95/0x300 kernel/fork.c:1162
mmput+0x50/0x60 kernel/fork.c:1184
exit_mm+0x50d/0x760 kernel/exit.c:504
do_exit+0x63c/0x24d0 kernel/exit.c:815
do_group_exit+0x13a/0x300 kernel/exit.c:925
__do_sys_exit_group kernel/exit.c:936 [inline]
__se_sys_exit_group kernel/exit.c:934 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:934
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f6054b97389
Code: Unable to access opcode bytes at RIP 0x7f6054b9735f.
RSP: 002b:00007ffe1c912608 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f6054c201f0 RCX: 00007f6054b97389
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffffb8 R09: 00007ffe1c9126a0
R10: 00007ffe1c9126a0 R11: 0000000000000246 R12: 00007f6054c201f0
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
</TASK>
Modules linked in:
---[ end trace d7da67c254431e14 ]---
RIP: 0010:rb_set_parent_color include/linux/rbtree_augmented.h:165 [inline]
RIP: 0010:____rb_erase_color lib/rbtree.c:255 [inline]
RIP: 0010:__rb_erase_color+0x116/0xb60 lib/rbtree.c:413
Code: 00 74 08 4c 89 f7 e8 99 03 2d ff 4c 8b 6d c8 4d 89 2e 4d 89 ee 49 83 ce 01 4c 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 ff e8 6c 03 2d ff 4d 89 37 4d 89 ee 49 c1
RSP: 0018:ffffc9000041f928 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 1ffff11023670f33 RCX: dffffc0000000000
RDX: ffffffff81a6fa00 RSI: ffff88810973cf40 RDI: ffff88811ef3b4f8
RBP: ffffc9000041f988 R08: ffffffff81a6db99 R09: ffffed10212e79ec
R10: ffffed10212e79ec R11: 1ffff110212e79eb R12: ffff88811b387998
R13: ffff88811ef3b4f8 R14: ffff88811ef3b4f9 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6054be61c8 CR3: 000000011b3c5000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 00 74 08 4c add %dh,0x4c(%rax,%rcx,1)
4: 89 f7 mov %esi,%edi
6: e8 99 03 2d ff callq 0xff2d03a4
b: 4c 8b 6d c8 mov -0x38(%rbp),%r13
f: 4d 89 2e mov %r13,(%r14)
12: 4d 89 ee mov %r13,%r14
15: 49 83 ce 01 or $0x1,%r14
19: 4c 89 f8 mov %r15,%rax
1c: 48 c1 e8 03 shr $0x3,%rax
20: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
27: fc ff df
* 2a: 80 3c 08 00 cmpb $0x0,(%rax,%rcx,1) <-- trapping instruction
2e: 74 08 je 0x38
30: 4c 89 ff mov %r15,%rdi
33: e8 6c 03 2d ff callq 0xff2d03a4
38: 4d 89 37 mov %r14,(%r15)
3b: 4d 89 ee mov %r13,%r14
3e: 49 rex.WB
3f: c1 .byte 0xc1

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches