[v6.1] general protection fault in __unmap_hugepage_range_final
0 views
Skip to first unread message
syzbot
Nov 2, 2023, 7:08:30 AM11/2/23
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 4a61839152cc Linux 6.1.61
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=173585a0e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=a1472537c0348d87
dashboard link: https://syzkaller.appspot.com/bug?extid=b2c92cdf120616d1f63b
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/5f10d3d8a196/disk-4a618391.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a5f64dac603f/vmlinux-4a618391.xz
kernel image: https://storage.googleapis.com/syzbot-assets/172392fd3ea1/bzImage-4a618391.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b2c92c...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc000000001d: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000e8-0x00000000000000ef]
CPU: 1 PID: 2394 Comm: syz-executor.5 Not tainted 6.1.61-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:__lock_acquire+0x69/0x1f80 kernel/locking/lockdep.c:4918
Code: df 0f b6 04 10 84 c0 0f 85 fb 15 00 00 83 3d 31 17 09 0d 00 0f 84 a8 14 00 00 83 3d e0 30 95 0b 00 74 2b 4c 89 f0 48 c1 e8 03 <80> 3c 10 00 74 12 4c 89 f7 e8 29 76 77 00 48 ba 00 00 00 00 00 fc
RSP: 0018:ffffc900063076a0 EFLAGS: 00010006
RAX: 000000000000001d RBX: 0000000000000000 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 00000000000000e8
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000
R13: ffff88802e729dc0 R14: 00000000000000e8 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b32530000 CR3: 000000004efa3000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5661
down_write+0x36/0x60 kernel/locking/rwsem.c:1573
__unmap_hugepage_range_final+0x13d/0x5a0 mm/hugetlb.c:5430
unmap_vmas+0x48b/0x640 mm/memory.c:1730
exit_mmap+0x252/0x9f0 mm/mmap.c:3214
__mmput+0x115/0x3c0 kernel/fork.c:1199
exit_mm+0x226/0x300 kernel/exit.c:563
do_exit+0x9f6/0x26a0 kernel/exit.c:856
__do_sys_exit kernel/exit.c:986 [inline]
__se_sys_exit kernel/exit.c:984 [inline]
__x64_sys_exit+0x3c/0x40 kernel/exit.c:984
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f270be7cae9
Code: Unable to access opcode bytes at 0x7f270be7cabf.
RSP: 002b:00007f270cc3b078 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
RAX: ffffffffffffffda RBX: 00007f270bf9bf80 RCX: 00007f270be7cae9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007f270bec847a R08: 0000000020000000 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f270bf9bf80 R15: 00007ffe89469b68
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__lock_acquire+0x69/0x1f80 kernel/locking/lockdep.c:4918
Code: df 0f b6 04 10 84 c0 0f 85 fb 15 00 00 83 3d 31 17 09 0d 00 0f 84 a8 14 00 00 83 3d e0 30 95 0b 00 74 2b 4c 89 f0 48 c1 e8 03 <80> 3c 10 00 74 12 4c 89 f7 e8 29 76 77 00 48 ba 00 00 00 00 00 fc
RSP: 0018:ffffc900063076a0 EFLAGS: 00010006
RAX: 000000000000001d RBX: 0000000000000000 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 00000000000000e8
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000
R13: ffff88802e729dc0 R14: 00000000000000e8 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b32530000 CR3: 000000004efa3000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: df 0f fisttps (%rdi)
2: b6 04 mov $0x4,%dh
4: 10 84 c0 0f 85 fb 15 adc %al,0x15fb850f(%rax,%rax,8)
b: 00 00 add %al,(%rax)
d: 83 3d 31 17 09 0d 00 cmpl $0x0,0xd091731(%rip) # 0xd091745
14: 0f 84 a8 14 00 00 je 0x14c2
1a: 83 3d e0 30 95 0b 00 cmpl $0x0,0xb9530e0(%rip) # 0xb953101
21: 74 2b je 0x4e
23: 4c 89 f0 mov %r14,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 80 3c 10 00 cmpb $0x0,(%rax,%rdx,1) <-- trapping instruction
2e: 74 12 je 0x42
30: 4c 89 f7 mov %r14,%rdi
33: e8 29 76 77 00 call 0x777661
38: 48 rex.W
39: ba 00 00 00 00 mov $0x0,%edx
3e: 00 fc add %bh,%ah
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 4a61839152cc Linux 6.1.61
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=173585a0e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=a1472537c0348d87
dashboard link: https://syzkaller.appspot.com/bug?extid=b2c92cdf120616d1f63b
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/5f10d3d8a196/disk-4a618391.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a5f64dac603f/vmlinux-4a618391.xz
kernel image: https://storage.googleapis.com/syzbot-assets/172392fd3ea1/bzImage-4a618391.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b2c92c...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc000000001d: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000e8-0x00000000000000ef]
CPU: 1 PID: 2394 Comm: syz-executor.5 Not tainted 6.1.61-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:__lock_acquire+0x69/0x1f80 kernel/locking/lockdep.c:4918
Code: df 0f b6 04 10 84 c0 0f 85 fb 15 00 00 83 3d 31 17 09 0d 00 0f 84 a8 14 00 00 83 3d e0 30 95 0b 00 74 2b 4c 89 f0 48 c1 e8 03 <80> 3c 10 00 74 12 4c 89 f7 e8 29 76 77 00 48 ba 00 00 00 00 00 fc
RSP: 0018:ffffc900063076a0 EFLAGS: 00010006
RAX: 000000000000001d RBX: 0000000000000000 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 00000000000000e8
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000
R13: ffff88802e729dc0 R14: 00000000000000e8 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b32530000 CR3: 000000004efa3000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5661
down_write+0x36/0x60 kernel/locking/rwsem.c:1573
__unmap_hugepage_range_final+0x13d/0x5a0 mm/hugetlb.c:5430
unmap_vmas+0x48b/0x640 mm/memory.c:1730
exit_mmap+0x252/0x9f0 mm/mmap.c:3214
__mmput+0x115/0x3c0 kernel/fork.c:1199
exit_mm+0x226/0x300 kernel/exit.c:563
do_exit+0x9f6/0x26a0 kernel/exit.c:856
__do_sys_exit kernel/exit.c:986 [inline]
__se_sys_exit kernel/exit.c:984 [inline]
__x64_sys_exit+0x3c/0x40 kernel/exit.c:984
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f270be7cae9
Code: Unable to access opcode bytes at 0x7f270be7cabf.
RSP: 002b:00007f270cc3b078 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
RAX: ffffffffffffffda RBX: 00007f270bf9bf80 RCX: 00007f270be7cae9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007f270bec847a R08: 0000000020000000 R09: 0000000020000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f270bf9bf80 R15: 00007ffe89469b68
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__lock_acquire+0x69/0x1f80 kernel/locking/lockdep.c:4918
Code: df 0f b6 04 10 84 c0 0f 85 fb 15 00 00 83 3d 31 17 09 0d 00 0f 84 a8 14 00 00 83 3d e0 30 95 0b 00 74 2b 4c 89 f0 48 c1 e8 03 <80> 3c 10 00 74 12 4c 89 f7 e8 29 76 77 00 48 ba 00 00 00 00 00 fc
RSP: 0018:ffffc900063076a0 EFLAGS: 00010006
RAX: 000000000000001d RBX: 0000000000000000 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 00000000000000e8
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000
R13: ffff88802e729dc0 R14: 00000000000000e8 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b32530000 CR3: 000000004efa3000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: df 0f fisttps (%rdi)
2: b6 04 mov $0x4,%dh
4: 10 84 c0 0f 85 fb 15 adc %al,0x15fb850f(%rax,%rax,8)
b: 00 00 add %al,(%rax)
d: 83 3d 31 17 09 0d 00 cmpl $0x0,0xd091731(%rip) # 0xd091745
14: 0f 84 a8 14 00 00 je 0x14c2
1a: 83 3d e0 30 95 0b 00 cmpl $0x0,0xb9530e0(%rip) # 0xb953101
21: 74 2b je 0x4e
23: 4c 89 f0 mov %r14,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 80 3c 10 00 cmpb $0x0,(%rax,%rdx,1) <-- trapping instruction
2e: 74 12 je 0x42
30: 4c 89 f7 mov %r14,%rdi
33: e8 29 76 77 00 call 0x777661
38: 48 rex.W
39: ba 00 00 00 00 mov $0x0,%edx
3e: 00 fc add %bh,%ah
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Nov 3, 2023, 2:55:35 PM11/3/23
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 4a61839152cc Linux 6.1.61
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=119de6bb680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14986437680000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/5f10d3d8a196/disk-4a618391.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a5f64dac603f/vmlinux-4a618391.xz
kernel image: https://storage.googleapis.com/syzbot-assets/172392fd3ea1/bzImage-4a618391.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b2c92c...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc000000001d: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000e8-0x00000000000000ef]
CPU: 0 PID: 3556 Comm: syz-executor311 Not tainted 6.1.61-syzkaller #0
RAX: 000000000000001d RBX: 0000000000000000 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 00000000000000e8
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000
R13: ffff88807a2b0000 R14: 00000000000000e8 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
Code: Unable to access opcode bytes at 0x7f4a852fda4f.
RSP: 002b:00007ffe33e8b878 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4a852fda79
RDX: 00007f4a853373b3 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 000000000000cd02 R08: 0000000000000000 R09: 0000000000000006
R10: 0000000020000000 R11: 0000000000000246 R12: 00007ffe33e8b88c
R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
HEAD commit: 4a61839152cc Linux 6.1.61
git tree: linux-6.1.y
kernel config: https://syzkaller.appspot.com/x/.config?x=a1472537c0348d87
dashboard link: https://syzkaller.appspot.com/bug?extid=b2c92cdf120616d1f63b
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14bdee6f680000
dashboard link: https://syzkaller.appspot.com/bug?extid=b2c92cdf120616d1f63b
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14986437680000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/5f10d3d8a196/disk-4a618391.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a5f64dac603f/vmlinux-4a618391.xz
kernel image: https://storage.googleapis.com/syzbot-assets/172392fd3ea1/bzImage-4a618391.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b2c92c...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc000000001d: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000e8-0x00000000000000ef]
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:__lock_acquire+0x69/0x1f80 kernel/locking/lockdep.c:4918
Code: df 0f b6 04 10 84 c0 0f 85 fb 15 00 00 83 3d 31 17 09 0d 00 0f 84 a8 14 00 00 83 3d e0 30 95 0b 00 74 2b 4c 89 f0 48 c1 e8 03 <80> 3c 10 00 74 12 4c 89 f7 e8 29 76 77 00 48 ba 00 00 00 00 00 fc
RSP: 0018:ffffc90003adf6a0 EFLAGS: 00010006
RIP: 0010:__lock_acquire+0x69/0x1f80 kernel/locking/lockdep.c:4918
Code: df 0f b6 04 10 84 c0 0f 85 fb 15 00 00 83 3d 31 17 09 0d 00 0f 84 a8 14 00 00 83 3d e0 30 95 0b 00 74 2b 4c 89 f0 48 c1 e8 03 <80> 3c 10 00 74 12 4c 89 f7 e8 29 76 77 00 48 ba 00 00 00 00 00 fc
RAX: 000000000000001d RBX: 0000000000000000 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 00000000000000e8
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555573b0ca8 CR3: 00000000768ac000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5661
down_write+0x36/0x60 kernel/locking/rwsem.c:1573
__unmap_hugepage_range_final+0x13d/0x5a0 mm/hugetlb.c:5430
unmap_vmas+0x48b/0x640 mm/memory.c:1730
exit_mmap+0x252/0x9f0 mm/mmap.c:3214
__mmput+0x115/0x3c0 kernel/fork.c:1199
exit_mm+0x226/0x300 kernel/exit.c:563
do_exit+0x9f6/0x26a0 kernel/exit.c:856
__do_sys_exit kernel/exit.c:986 [inline]
__se_sys_exit kernel/exit.c:984 [inline]
__x64_sys_exit+0x3c/0x40 kernel/exit.c:984
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f4a852fda79
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
lock_acquire+0x1f8/0x5a0 kernel/locking/lockdep.c:5661
down_write+0x36/0x60 kernel/locking/rwsem.c:1573
__unmap_hugepage_range_final+0x13d/0x5a0 mm/hugetlb.c:5430
unmap_vmas+0x48b/0x640 mm/memory.c:1730
exit_mmap+0x252/0x9f0 mm/mmap.c:3214
__mmput+0x115/0x3c0 kernel/fork.c:1199
exit_mm+0x226/0x300 kernel/exit.c:563
do_exit+0x9f6/0x26a0 kernel/exit.c:856
__do_sys_exit kernel/exit.c:986 [inline]
__se_sys_exit kernel/exit.c:984 [inline]
__x64_sys_exit+0x3c/0x40 kernel/exit.c:984
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Code: Unable to access opcode bytes at 0x7f4a852fda4f.
RSP: 002b:00007ffe33e8b878 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4a852fda79
RDX: 00007f4a853373b3 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 000000000000cd02 R08: 0000000000000000 R09: 0000000000000006
R10: 0000000020000000 R11: 0000000000000246 R12: 00007ffe33e8b88c
R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__lock_acquire+0x69/0x1f80 kernel/locking/lockdep.c:4918
Code: df 0f b6 04 10 84 c0 0f 85 fb 15 00 00 83 3d 31 17 09 0d 00 0f 84 a8 14 00 00 83 3d e0 30 95 0b 00 74 2b 4c 89 f0 48 c1 e8 03 <80> 3c 10 00 74 12 4c 89 f7 e8 29 76 77 00 48 ba 00 00 00 00 00 fc
RSP: 0018:ffffc90003adf6a0 EFLAGS: 00010006
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__lock_acquire+0x69/0x1f80 kernel/locking/lockdep.c:4918
Code: df 0f b6 04 10 84 c0 0f 85 fb 15 00 00 83 3d 31 17 09 0d 00 0f 84 a8 14 00 00 83 3d e0 30 95 0b 00 74 2b 4c 89 f0 48 c1 e8 03 <80> 3c 10 00 74 12 4c 89 f7 e8 29 76 77 00 48 ba 00 00 00 00 00 fc
RAX: 000000000000001d RBX: 0000000000000000 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 00000000000000e8
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000
R13: ffff88807a2b0000 R14: 00000000000000e8 R15: 0000000000000001
RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 00000000000000e8
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555573b0ca8 CR3: 00000000768ac000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: df 0f fisttps (%rdi)
2: b6 04 mov $0x4,%dh
4: 10 84 c0 0f 85 fb 15 adc %al,0x15fb850f(%rax,%rax,8)
b: 00 00 add %al,(%rax)
d: 83 3d 31 17 09 0d 00 cmpl $0x0,0xd091731(%rip) # 0xd091745
14: 0f 84 a8 14 00 00 je 0x14c2
1a: 83 3d e0 30 95 0b 00 cmpl $0x0,0xb9530e0(%rip) # 0xb953101
21: 74 2b je 0x4e
23: 4c 89 f0 mov %r14,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 80 3c 10 00 cmpb $0x0,(%rax,%rdx,1) <-- trapping instruction
2e: 74 12 je 0x42
30: 4c 89 f7 mov %r14,%rdi
33: e8 29 76 77 00 call 0x777661
38: 48 rex.W
39: ba 00 00 00 00 mov $0x0,%edx
3e: 00 fc add %bh,%ah
---
If you want syzbot to run the reproducer, reply with:
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: df 0f fisttps (%rdi)
2: b6 04 mov $0x4,%dh
4: 10 84 c0 0f 85 fb 15 adc %al,0x15fb850f(%rax,%rax,8)
b: 00 00 add %al,(%rax)
d: 83 3d 31 17 09 0d 00 cmpl $0x0,0xd091731(%rip) # 0xd091745
14: 0f 84 a8 14 00 00 je 0x14c2
1a: 83 3d e0 30 95 0b 00 cmpl $0x0,0xb9530e0(%rip) # 0xb953101
21: 74 2b je 0x4e
23: 4c 89 f0 mov %r14,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 80 3c 10 00 cmpb $0x0,(%rax,%rdx,1) <-- trapping instruction
2e: 74 12 je 0x42
30: 4c 89 f7 mov %r14,%rdi
33: e8 29 76 77 00 call 0x777661
38: 48 rex.W
39: ba 00 00 00 00 mov $0x0,%edx
3e: 00 fc add %bh,%ah
---
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
syzbot
Jan 10, 2024, 3:44:06 PMJan 10
to syzkaller...@googlegroups.com
syzbot suspects this issue was fixed by commit:
commit 574a6db80f3eff7cb3a27aa92d126a69895a285d
Author: Mike Kravetz <mike.k...@oracle.com>
Date: Tue Nov 14 01:20:33 2023 +0000
hugetlb: fix null-ptr-deref in hugetlb_vma_lock_write
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1616c513e80000
start commit: 4a61839152cc Linux 6.1.61
git tree: linux-6.1.y
#syz fix: hugetlb: fix null-ptr-deref in hugetlb_vma_lock_write
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
commit 574a6db80f3eff7cb3a27aa92d126a69895a285d
Author: Mike Kravetz <mike.k...@oracle.com>
Date: Tue Nov 14 01:20:33 2023 +0000
hugetlb: fix null-ptr-deref in hugetlb_vma_lock_write
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1616c513e80000
start commit: 4a61839152cc Linux 6.1.61
git tree: linux-6.1.y
kernel config: https://syzkaller.appspot.com/x/.config?x=a1472537c0348d87
dashboard link: https://syzkaller.appspot.com/bug?extid=b2c92cdf120616d1f63b
dashboard link: https://syzkaller.appspot.com/bug?extid=b2c92cdf120616d1f63b
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14bdee6f680000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14986437680000
If the result looks correct, please mark the issue as fixed by replying with:
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14986437680000
#syz fix: hugetlb: fix null-ptr-deref in hugetlb_vma_lock_write
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Reply all
Reply to author
Forward
0 new messages