[syzbot] general protection fault in vma_interval_tree_remove


syzbot

May 2, 2022, 8:06:23 AM
to ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: bdc61aad77fa Add linux-next specific files for 20220428
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1196c4bcf00000
kernel config: https://syzkaller.appspot.com/x/.config?x=87767e89da13a759
dashboard link: https://syzkaller.appspot.com/bug?extid=ee1fdd8dcc770a3a169a
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ee1fdd...@syzkaller.appspotmail.com

RBP: 0000000020000000 R08: 0000000000000004 R09: 0000000000000000
R10: 0000000000008011 R11: 0000000000000206 R12: 0000000020000800
R13: 0000000020000000 R14: 00000000200007c0 R15: 0000000020000000
</TASK>
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 32272 Comm: syz-executor.4 Not tainted 5.18.0-rc4-next-20220428-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:rb_set_parent_color include/linux/rbtree_augmented.h:165 [inline]
RIP: 0010:____rb_erase_color lib/rbtree.c:359 [inline]
RIP: 0010:__rb_erase_color+0x2fd/0xdb0 lib/rbtree.c:413
Code: 00 4d 89 ec 4d 8b 6d 10 e9 ac fd ff ff 4c 89 60 10 eb be 4c 89 e9 48 89 e8 4c 89 6d 10 48 c1 e9 03 49 89 6c 24 08 48 83 c8 01 <80> 3c 19 00 0f 85 1d 08 00 00 49 89 45 00 48 89 e8 48 c1 e8 03 80
RSP: 0018:ffffc900149ffa48 EFLAGS: 00010286
RAX: ffff88801f3fbb21 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: ffffed1002fe1617 RSI: ffff888017f0b0b8 RDI: ffff8880790928a0
RBP: ffff88801f3fbb20 R08: ffff88801f3fbb30 R09: ffff888017f0b0af
R10: ffffffff81b01168 R11: 0000000000000001 R12: ffff888079092898
R13: 0000000000000000 R14: ffff888017f0b0b8 R15: ffffffff81afff50
FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000001da88000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
rb_erase_augmented include/linux/rbtree_augmented.h:305 [inline]
rb_erase_augmented_cached include/linux/rbtree_augmented.h:314 [inline]
vma_interval_tree_remove+0x694/0xed0 mm/interval_tree.c:23
__remove_shared_vm_struct mm/mmap.c:160 [inline]
unlink_file_vma+0xbd/0x110 mm/mmap.c:175
free_pgtables+0x255/0x420 mm/memory.c:440
exit_mmap+0x1ff/0x740 mm/mmap.c:3148
__mmput+0xe4/0x460 kernel/fork.c:1175
mmput+0x5c/0x70 kernel/fork.c:1197
exit_mm kernel/exit.c:510 [inline]
do_exit+0xa18/0x2a00 kernel/exit.c:782
do_group_exit+0xd2/0x2f0 kernel/exit.c:925
__do_sys_exit_group kernel/exit.c:936 [inline]
__se_sys_exit_group kernel/exit.c:934 [inline]
__x64_sys_exit_group+0x3a/0x50 kernel/exit.c:934
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f858fe890e9
Code: Unable to access opcode bytes at RIP 0x7f858fe890bf.
RSP: 002b:00007f85910bbaf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f858fe890e9
RDX: 00007f858fe89132 RSI: 0000000000000000 RDI: 000000000000000b
RBP: 000000000000000b R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000004 R11: 0000000000000246 R12: 0000000020000800
R13: 0000000020000000 R14: 00000000200007c0 R15: 0000000020000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:rb_set_parent_color include/linux/rbtree_augmented.h:165 [inline]
RIP: 0010:____rb_erase_color lib/rbtree.c:359 [inline]
RIP: 0010:__rb_erase_color+0x2fd/0xdb0 lib/rbtree.c:413
Code: 00 4d 89 ec 4d 8b 6d 10 e9 ac fd ff ff 4c 89 60 10 eb be 4c 89 e9 48 89 e8 4c 89 6d 10 48 c1 e9 03 49 89 6c 24 08 48 83 c8 01 <80> 3c 19 00 0f 85 1d 08 00 00 49 89 45 00 48 89 e8 48 c1 e8 03 80
RSP: 0018:ffffc900149ffa48 EFLAGS: 00010286
RAX: ffff88801f3fbb21 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: ffffed1002fe1617 RSI: ffff888017f0b0b8 RDI: ffff8880790928a0
RBP: ffff88801f3fbb20 R08: ffff88801f3fbb30 R09: ffff888017f0b0af
R10: ffffffff81b01168 R11: 0000000000000001 R12: ffff888079092898
R13: 0000000000000000 R14: ffff888017f0b0b8 R15: ffffffff81afff50
FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000001da88000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 00 4d 89 add %cl,-0x77(%rbp)
3: ec in (%dx),%al
4: 4d 8b 6d 10 mov 0x10(%r13),%r13
8: e9 ac fd ff ff jmpq 0xfffffdb9
d: 4c 89 60 10 mov %r12,0x10(%rax)
11: eb be jmp 0xffffffd1
13: 4c 89 e9 mov %r13,%rcx
16: 48 89 e8 mov %rbp,%rax
19: 4c 89 6d 10 mov %r13,0x10(%rbp)
1d: 48 c1 e9 03 shr $0x3,%rcx
21: 49 89 6c 24 08 mov %rbp,0x8(%r12)
26: 48 83 c8 01 or $0x1,%rax
* 2a: 80 3c 19 00 cmpb $0x0,(%rcx,%rbx,1) <-- trapping instruction
2e: 0f 85 1d 08 00 00 jne 0x851
34: 49 89 45 00 mov %rax,0x0(%r13)
38: 48 89 e8 mov %rbp,%rax
3b: 48 c1 e8 03 shr $0x3,%rax
3f: 80 .byte 0x80


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

May 14, 2022, 4:18:27 PM
to ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 1e1b28b936ae Add linux-next specific files for 20220513
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=11da21b9f00000
kernel config: https://syzkaller.appspot.com/x/.config?x=e4eb3c0c4b289571
dashboard link: https://syzkaller.appspot.com/bug?extid=ee1fdd8dcc770a3a169a
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=142757f1f00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17cf0966f00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ee1fdd...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 3612 Comm: syz-executor255 Not tainted 5.18.0-rc6-next-20220513-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:____rb_erase_color lib/rbtree.c:354 [inline]
RIP: 0010:__rb_erase_color+0x159/0xdb0 lib/rbtree.c:413
Code: 89 ed 48 89 c5 e9 f5 fe ff ff 4c 8d 45 10 4c 89 c0 48 c1 e8 03 80 3c 18 00 0f 85 3a 08 00 00 4c 8b 65 10 4c 89 e0 48 c1 e8 03 <80> 3c 18 00 0f 85 6a 08 00 00 49 8b 04 24 49 8d 7c 24 08 48 89 f9
RSP: 0018:ffffc90002e877a8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: ffffed100e8d3aed RSI: ffff88807469d768 RDI: ffff8880202132b0
RBP: ffff8880202132b0 R08: ffff8880202132c0 R09: ffff88807469d75f
R10: ffffffff81b02518 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: ffff88807469d768 R15: ffffffff81b01300
FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe92002ff8 CR3: 00000000764a0000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
rb_erase_augmented include/linux/rbtree_augmented.h:305 [inline]
rb_erase_augmented_cached include/linux/rbtree_augmented.h:314 [inline]
vma_interval_tree_remove+0x694/0xed0 mm/interval_tree.c:23
__remove_shared_vm_struct mm/mmap.c:160 [inline]
unlink_file_vma+0xbd/0x110 mm/mmap.c:175
free_pgtables+0x255/0x420 mm/memory.c:440
exit_mmap+0x1ff/0x740 mm/mmap.c:3219
__mmput+0x128/0x4c0 kernel/fork.c:1180
mmput+0x5c/0x70 kernel/fork.c:1201
exit_mm kernel/exit.c:510 [inline]
do_exit+0xa18/0x2a00 kernel/exit.c:782
do_group_exit+0xd2/0x2f0 kernel/exit.c:925
get_signal+0x2542/0x2600 kernel/signal.c:2857
arch_do_signal_or_restart+0x82/0x20f0 arch/x86/kernel/signal.c:869
exit_to_user_mode_loop kernel/entry/common.c:166 [inline]
exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:201
irqentry_exit_to_user_mode+0x5/0x30 kernel/entry/common.c:307
exc_page_fault+0xc6/0x180 arch/x86/mm/fault.c:1543
asm_exc_page_fault+0x27/0x30 arch/x86/include/asm/idtentry.h:570
RIP: 0033:0x7f1771dc98cf
Code: Unable to access opcode bytes at RIP 0x7f1771dc98a5.
RSP: 002b:00007ffe920035a0 EFLAGS: 00010206
RAX: 0000000000000001 RBX: 00007f1771e78138 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 00007f1771e78138 RDI: 000000000000000b
RBP: 000000000000000b R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000008011 R11: 0000000000000206 R12: 0000000000000000
R13: 0000000000000001 R14: 00000000000c3ec0 R15: 0000000000000001
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:____rb_erase_color lib/rbtree.c:354 [inline]
RIP: 0010:__rb_erase_color+0x159/0xdb0 lib/rbtree.c:413
Code: 89 ed 48 89 c5 e9 f5 fe ff ff 4c 8d 45 10 4c 89 c0 48 c1 e8 03 80 3c 18 00 0f 85 3a 08 00 00 4c 8b 65 10 4c 89 e0 48 c1 e8 03 <80> 3c 18 00 0f 85 6a 08 00 00 49 8b 04 24 49 8d 7c 24 08 48 89 f9
RSP: 0018:ffffc90002e877a8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: ffffed100e8d3aed RSI: ffff88807469d768 RDI: ffff8880202132b0
RBP: ffff8880202132b0 R08: ffff8880202132c0 R09: ffff88807469d75f
R10: ffffffff81b02518 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: ffff88807469d768 R15: ffffffff81b01300
FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000c3ec8 CR3: 0000000023516000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 89 ed mov %ebp,%ebp
2: 48 89 c5 mov %rax,%rbp
5: e9 f5 fe ff ff jmpq 0xfffffeff
a: 4c 8d 45 10 lea 0x10(%rbp),%r8
e: 4c 89 c0 mov %r8,%rax
11: 48 c1 e8 03 shr $0x3,%rax
15: 80 3c 18 00 cmpb $0x0,(%rax,%rbx,1)
19: 0f 85 3a 08 00 00 jne 0x859
1f: 4c 8b 65 10 mov 0x10(%rbp),%r12
23: 4c 89 e0 mov %r12,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 80 3c 18 00 cmpb $0x0,(%rax,%rbx,1) <-- trapping instruction
2e: 0f 85 6a 08 00 00 jne 0x89e
34: 49 8b 04 24 mov (%r12),%rax
38: 49 8d 7c 24 08 lea 0x8(%r12),%rdi
3d: 48 89 f9 mov %rdi,%rcx
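
Reading the two oopses above (added commentary and example, not part of the syzbot reports): in both, RBX holds 0xdffffc0000000000, the generic KASAN shadow offset for x86-64, and the register it is added to in the trapping cmpb (RCX in the first report, RAX in the second) is 0. That cmpb is the compiler-inserted shadow check that runs before every instrumented load, so the fault lands on the shadow byte of the bad pointer rather than on the pointer itself, and because the shadow of a low address is non-canonical on x86-64 the CPU raises #GP instead of a page fault; that is what the "probably for non-canonical address" wording and the "KASAN: null-ptr-deref in range [0x0-0x7]" line are telling you. In the second trace the zero is R12, just loaded from 0x10(%rbp), which given struct rb_node's layout (__rb_parent_color, rb_right, rb_left) is the rb_left child of the parent node; red-black erase rebalancing relies on that sibling being non-NULL in a valid tree, so the interval tree was already inconsistent when vma_interval_tree_remove() ran. The C program below is an example written for this page, not code from the kernel tree: it re-implements the classification the kernel's kasan_non_canonical_hook() prints, so the decode can be checked offline. Its PAGE_SIZE and TASK_SIZE values are the x86-64 4K-page, 4-level-paging defaults and are assumptions; the register values it feeds in are copied from the reports above.

```c
/*
 * Added example (not from the syzbot report or the kernel tree): decode a
 * "general protection fault, probably for non-canonical address ..." from a
 * KASAN-instrumented x86-64 kernel back to the pointer that was actually bad.
 *
 * Generic KASAN keeps one shadow byte per 8-byte granule at
 *     shadow = (addr >> 3) + KASAN_SHADOW_OFFSET
 * and every instrumented access checks that byte before touching *addr.
 * A NULL or garbage pointer therefore faults on its shadow address first.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL /* x86-64 generic KASAN */
#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE_SIZE       (1ULL << KASAN_SHADOW_SCALE_SHIFT)
#define X86_PAGE_SIZE            4096ULL                       /* assumption: 4K pages */
#define X86_TASK_SIZE_MAX        ((1ULL << 47) - X86_PAGE_SIZE) /* assumption: 4-level paging */

enum kasan_bug_type {
    KASAN_NOT_SHADOW,          /* fault address is not in the shadow region at all */
    KASAN_NULL_PTR_DEREF,      /* printed as "null-ptr-deref" */
    KASAN_USER_MEMORY_ACCESS,  /* printed as "probably user-memory-access" */
    KASAN_WILD_MEMORY_ACCESS,  /* printed as "maybe wild-memory-access" */
};

struct kasan_fault {
    enum kasan_bug_type type;
    uint64_t start, end;   /* 8-byte granule covered by the faulting shadow byte */
};

/* Forward map: address -> its shadow byte (what the inserted check reads). */
uint64_t kasan_mem_to_shadow(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* x86-64 with 48-bit virtual addresses: bits 63..47 must all be 0 or all be 1. */
bool x86_is_canonical(uint64_t addr)
{
    uint64_t top = addr >> 47;
    return top == 0 || top == 0x1ffff;
}

/* Inverse map plus classification, mirroring the kernel's kasan_non_canonical_hook(). */
struct kasan_fault kasan_decode_fault(uint64_t fault_addr)
{
    struct kasan_fault f = { KASAN_NOT_SHADOW, 0, 0 };

    if (fault_addr < KASAN_SHADOW_OFFSET)
        return f;
    /* (fault_addr - OFFSET) < 2^61 for every 64-bit value, so the shift cannot overflow. */
    f.start = (fault_addr - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
    f.end = f.start + KASAN_GRANULE_SIZE - 1;
    if (f.start < X86_PAGE_SIZE)
        f.type = KASAN_NULL_PTR_DEREF;
    else if (f.start < X86_TASK_SIZE_MAX)
        f.type = KASAN_USER_MEMORY_ACCESS;
    else
        f.type = KASAN_WILD_MEMORY_ACCESS;
    return f;
}

/* Effective address of the trapping "cmpb $0x0,(%base,%index,1)". */
uint64_t sib_effective_address(uint64_t base, uint64_t index)
{
    return base + index;
}

const char *kasan_bug_name(enum kasan_bug_type t)
{
    switch (t) {
    case KASAN_NULL_PTR_DEREF:     return "null-ptr-deref";
    case KASAN_USER_MEMORY_ACCESS: return "probably user-memory-access";
    case KASAN_WILD_MEMORY_ACCESS: return "maybe wild-memory-access";
    default:                       return "not a KASAN shadow address";
    }
}

int main(void)
{
    /* Base and index registers of the trapping SIB operand, copied from the two reports. */
    const struct { const char *who; uint64_t base, index; } traps[] = {
        { "linux-next-20220428, cmpb (%rcx,%rbx,1)", 0x0, 0xdffffc0000000000ULL },
        { "linux-next-20220513, cmpb (%rax,%rbx,1)", 0x0, 0xdffffc0000000000ULL },
    };

    for (size_t i = 0; i < sizeof traps / sizeof traps[0]; i++) {
        uint64_t ea = sib_effective_address(traps[i].base, traps[i].index);
        struct kasan_fault f = kasan_decode_fault(ea);
        printf("%s: fault 0x%016llx (%s) -> KASAN: %s in range [0x%016llx-0x%016llx]\n",
               traps[i].who, (unsigned long long)ea,
               x86_is_canonical(ea) ? "canonical" : "non-canonical",
               kasan_bug_name(f.type),
               (unsigned long long)f.start, (unsigned long long)f.end);
    }
    /* Cross-check of the forward map: in the first report RDX is the shadow of RSI. */
    printf("shadow(0xffff888017f0b0b8) = 0x%016llx\n",
           (unsigned long long)kasan_mem_to_shadow(0xffff888017f0b0b8ULL));
    return 0;
}
```

The forward map is worth keeping in the toolbox: in both reports RDX is exactly kasan_mem_to_shadow(RSI), a quick way to confirm you are looking at a shadow check and not at a genuinely wild pointer with a coincidentally similar value.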

Andrew Morton

May 14, 2022, 4:50:12 PM
to syzbot, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com, Liam Howlett, Michel Lespinasse
On Sat, 14 May 2022 13:18:26 -0700 syzbot <syzbot+ee1fdd...@syzkaller.appspotmail.com> wrote:

> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 1e1b28b936ae Add linux-next specific files for 20220513
> git tree: linux-next
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=11da21b9f00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=e4eb3c0c4b289571
> dashboard link: https://syzkaller.appspot.com/bug?extid=ee1fdd8dcc770a3a169a
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=142757f1f00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17cf0966f00000

Thanks.

So it was there on April 28 and it's there now. Liam, do you think
anything in the mapletree changes could have perturbed the interval
tree handling?

syzbot

May 14, 2022, 8:09:11 PM
to Liam.H...@oracle.com, ak...@linux-foundation.org, ar...@arndb.de, ccr...@google.com, da...@redhat.com, ebie...@xmission.com, liam.h...@oracle.com, linux-...@vger.kernel.org, linu...@kvack.org, mic...@lespinasse.org, syzkall...@googlegroups.com, vba...@suse.cz, wi...@infradead.org
syzbot has bisected this issue to:

commit b7d0f898f5ce328ad809417f2e728b58153d52d1
Author: Liam R. Howlett <Liam.H...@Oracle.com>
Date: Fri May 13 04:15:44 2022 +0000

mm: remove the vma linked list

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=12fefe69f00000
start commit: 1e1b28b936ae Add linux-next specific files for 20220513
git tree: linux-next
final oops: https://syzkaller.appspot.com/x/report.txt?x=11fefe69f00000
console output: https://syzkaller.appspot.com/x/log.txt?x=16fefe69f00000
Reported-by: syzbot+ee1fdd...@syzkaller.appspotmail.com
Fixes: b7d0f898f5ce ("mm: remove the vma linked list")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection

Liam Howlett

May 16, 2022, 2:00:11 PM
to Andrew Morton, syzbot, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com, Michel Lespinasse
* Andrew Morton <ak...@linux-foundation.org> [220514 16:50]:
> On Sat, 14 May 2022 13:18:26 -0700 syzbot <syzbot+ee1fdd...@syzkaller.appspotmail.com> wrote:
>
> > syzbot has found a reproducer for the following issue on:
> >
> > HEAD commit: 1e1b28b936ae Add linux-next specific files for 20220513
> > git tree: linux-next
> > console+strace: https://syzkaller.appspot.com/x/log.txt?x=11da21b9f00000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=e4eb3c0c4b289571
> > dashboard link: https://syzkaller.appspot.com/bug?extid=ee1fdd8dcc770a3a169a
> > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=142757f1f00000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17cf0966f00000
>
> Thanks.
>
> So it was there on April 28 and it's there now. Liam, do you think
> anything in the mapletree changes could have perturbed the interval
> tree handling?

It is certainly possible, these two trees are intertwined so much. One
area that sticks out as a possibility is vma_expand(). I created a
vma_expand() function to handle growing a vma and potentially removing
the next vma. I do some interval tree modifications in there.

I'll add it to my list of items to look at.

Liam Howlett

May 18, 2022, 10:04:00 PM
to Andrew Morton, syzbot, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com, Michel Lespinasse, maple...@lists.infradead.org
* Liam R. Howlett <Liam.H...@Oracle.com> [220516 13:59]:
> * Andrew Morton <ak...@linux-foundation.org> [220514 16:50]:
> > On Sat, 14 May 2022 13:18:26 -0700 syzbot <syzbot+ee1fdd...@syzkaller.appspotmail.com> wrote:
> >
> > > syzbot has found a reproducer for the following issue on:
> > >
> > > HEAD commit: 1e1b28b936ae Add linux-next specific files for 20220513
> > > git tree: linux-next
> > > console+strace: https://syzkaller.appspot.com/x/log.txt?x=11da21b9f00000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=e4eb3c0c4b289571
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=ee1fdd8dcc770a3a169a
> > > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=142757f1f00000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17cf0966f00000
> >
> > Thanks.
> >
> > So it was there on April 28 and it's there now. Liam, do you think
> > anything in the mapletree changes could have perturbed the interval
> > tree handling?
>
> It is certainly possible, these two trees are intertwined so much. One
> area that sticks out as a possibility is vma_expand(). I created a
> vma_expand() function to handle growing a vma and potentially removing
> the next vma. I do some interval tree modifications in there.
>
> I'll add it to my list of items to look at.

This was my bug. I reused a pointer that wasn't reused in this function
until I altered the error path in this commit.

Please apply this patch to the maple tree series to fix "mm/mmap: use
advanced maple tree API for mmap_region()"

Thanks,
Liam
0001-mm-mmap-Fix-advanced-maple-tree-API-for-mmap_region.patch

Dmitry Vyukov

May 19, 2022, 1:18:36 AM
to Liam Howlett, Andrew Morton, syzbot, linux-...@vger.kernel.org, linu...@kvack.org, syzkall...@googlegroups.com, Michel Lespinasse, maple...@lists.infradead.org
Please add this tag to the fix: