[syzbot] linux-next boot error: WARNING in find_vma

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: c3f7b3be172b Add linux-next specific files for 20210803
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=10b71b42300000
kernel config: https://syzkaller.appspot.com/x/.config?x=ae62f6b8af876a89
dashboard link: https://syzkaller.appspot.com/bug?extid=dcb8a1e30879e0d60e8c
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.1

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+dcb8a1...@syzkaller.appspotmail.com

kAFS: Red Hat AFS client v0.1 registering.
FS-Cache: Netfs 'afs' registered for caching
Btrfs loaded, crc32c=crc32c-intel, assert=on, zoned=yes, fsverity=yes
Key type big_key registered
Key type encrypted registered
AppArmor: AppArmor sha1 policy hashing enabled
ima: No TPM chip found, activating TPM-bypass!
Loading compiled-in module X.509 certificates
Loaded X.509 cert 'Build time autogenerated kernel key: f850c787ad998c396ae089c083b940ff0a9abb77'
ima: Allocated hash algorithm: sha256
ima: No architecture policies found
evm: Initialising EVM extended attributes:
evm: security.selinux (disabled)
evm: security.SMACK64 (disabled)
evm: security.SMACK64EXEC (disabled)
evm: security.SMACK64TRANSMUTE (disabled)
evm: security.SMACK64MMAP (disabled)
evm: security.apparmor
evm: security.ima
evm: security.capability
evm: HMAC attrs: 0x1
PM: Magic number: 1:653:286
usb usb32-port1: hash matches
usb usb22: hash matches
ppp ppp: hash matches
tty ttyz0: hash matches
printk: console [netcon0] enabled
netconsole: network logging started
gtp: GTP module loaded (pdp ctx size 104 bytes)
rdma_rxe: loaded
cfg80211: Loading compiled-in X.509 certificates for regulatory database
cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
ALSA device list:
#0: Dummy 1
#1: Loopback 1
#2: Virtual MIDI Card 1
md: Waiting for all devices to be available before autodetect
md: If you don't use raid, use raid=noautodetect
md: Autodetecting RAID arrays.
md: autorun ...
md: ... autorun DONE.
EXT4-fs (sda1): mounted filesystem without journal. Opts: (null). Quota mode: none.
VFS: Mounted root (ext4 filesystem) readonly on device 8:1.
devtmpfs: mounted
Freeing unused kernel image (initmem) memory: 4348K
Write protecting the kernel read-only data: 169984k
Freeing unused kernel image (text/rodata gap) memory: 2012K
Freeing unused kernel image (rodata/data gap) memory: 1460K
Run /sbin/init as init process
------------[ cut here ]------------
WARNING: CPU: 1 PID: 1 at include/linux/mmap_lock.h:164 mmap_assert_locked include/linux/mmap_lock.h:164 [inline]
WARNING: CPU: 1 PID: 1 at include/linux/mmap_lock.h:164 find_vma+0xf8/0x270 mm/mmap.c:2307
Modules linked in:
CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.14.0-rc4-next-20210803-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:mmap_assert_locked include/linux/mmap_lock.h:164 [inline]
RIP: 0010:find_vma+0xf8/0x270 mm/mmap.c:2307
Code: 49 8d bc 24 28 01 00 00 be ff ff ff ff e8 00 e0 81 07 31 ff 89 c3 89 c6 e8 e5 a5 c9 ff 85 db 0f 85 61 ff ff ff e8 98 9e c9 ff <0f> 0b e9 55 ff ff ff e8 8c 9e c9 ff 4c 89 e7 e8 d4 da fb ff 0f 0b
RSP: 0000:ffffc90000c67600 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff888011a78000 RSI: ffffffff81ac1ac8 RDI: 0000000000000003
RBP: 00007fffffffe000 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff81ac1abb R11: 0000000000000001 R12: ffff8880260df000
R13: 0000000000000000 R14: 0000000000002016 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000000b68e000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
find_extend_vma+0x25/0x150 mm/mmap.c:2622
__get_user_pages+0x1c7/0xf70 mm/gup.c:1124
__get_user_pages_locked mm/gup.c:1359 [inline]
__get_user_pages_remote+0x18f/0x840 mm/gup.c:1868
get_user_pages_remote+0x63/0x90 mm/gup.c:1941
tomoyo_dump_page+0xd3/0x5b0 security/tomoyo/domain.c:915
tomoyo_print_bprm security/tomoyo/audit.c:46 [inline]
tomoyo_init_log+0xdc4/0x1ec0 security/tomoyo/audit.c:264
tomoyo_supervisor+0x34d/0xf00 security/tomoyo/common.c:2097
tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
tomoyo_execute_permission+0x37f/0x4a0 security/tomoyo/file.c:619
tomoyo_find_next_domain+0x348/0x1f80 security/tomoyo/domain.c:752
tomoyo_bprm_check_security security/tomoyo/tomoyo.c:101 [inline]
tomoyo_bprm_check_security+0x121/0x1a0 security/tomoyo/tomoyo.c:91
security_bprm_check+0x45/0xa0 security/security.c:865
search_binary_handler fs/exec.c:1711 [inline]
exec_binprm fs/exec.c:1764 [inline]
bprm_execve fs/exec.c:1833 [inline]
bprm_execve+0x732/0x19b0 fs/exec.c:1795
kernel_execve+0x370/0x460 fs/exec.c:1976
try_to_run_init_process+0x14/0x4e init/main.c:1426
kernel_init+0x12c/0x1d0 init/main.c:1542
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

[Andrew Morton]

On Tue, 03 Aug 2021 09:46:28 -0700 syzbot <syzbot+dcb8a1...@syzkaller.appspotmail.com> wrote:

> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: c3f7b3be172b Add linux-next specific files for 20210803
> git tree: linux-next

Thanks. I'm suspecting "Add mmap_assert_locked() annotations to
find_vma*()" found an error in Tomoyo - tomoyo_dump_page() should be
holding mmap_lock?

[Tetsuo Handa]

On 2021/08/04 5:24, Andrew Morton wrote:
> Thanks. I'm suspecting "Add mmap_assert_locked() annotations to
> find_vma*()" found an error in Tomoyo - tomoyo_dump_page() should be
> holding mmap_lock?

Yes, TOMOYO needs the same protection which get_arg_page() needs.
Please fold below diff into "mm/pagemap: add mmap_assert_locked() annotations to find_vma*()".

diff --git a/fs/exec.c b/fs/exec.c
index 816c7e347c9c..c982de69fab9 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -214,8 +214,7 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
gup_flags |= FOLL_WRITE;

/*
- * We are doing an exec(). 'current' is the process
- * doing the exec and bprm->mm is the new process's mm.
+ * We are doing an exec(). bprm->mm is the new process's mm.
*/
mmap_read_lock(bprm->mm);
ret = get_user_pages_remote(bprm->mm, pos, 1, gup_flags,
diff --git a/security/tomoyo/domain.c b/security/tomoyo/domain.c
index 98d985895ec8..31af29f669d2 100644
--- a/security/tomoyo/domain.c
+++ b/security/tomoyo/domain.c
@@ -897,6 +897,9 @@ bool tomoyo_dump_page(struct linux_binprm *bprm, unsigned long pos,
struct tomoyo_page_dump *dump)
{
struct page *page;
+#ifdef CONFIG_MMU
+ int ret;
+#endif

/* dump->data is released by tomoyo_find_next_domain(). */
if (!dump->data) {
@@ -909,11 +912,13 @@ bool tomoyo_dump_page(struct linux_binprm *bprm, unsigned long pos,
/*
* This is called at execve() time in order to dig around
* in the argv/environment of the new proceess
- * (represented by bprm). 'current' is the process doing
- * the execve().
+ * (represented by bprm).
*/
- if (get_user_pages_remote(bprm->mm, pos, 1,
- FOLL_FORCE, &page, NULL, NULL) <= 0)
+ mmap_read_lock(bprm->mm);
+ ret = get_user_pages_remote(bprm->mm, pos, 1,
+ FOLL_FORCE, &page, NULL, NULL);
+ mmap_read_unlock(bprm->mm);
+ if (ret <= 0)
return false;
#else
page = bprm->page[pos / PAGE_SIZE];

[syzbot]

Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.