[moderation] [mm?] general protection fault in remove_vma
2 views
Skip to first unread message
syzbot
Jan 10, 2024, 6:16:34 PMJan 10
to syzkaller-upst...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 95c8a35f1c01 Merge tag 'mm-hotfixes-stable-2024-01-05-11-3..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=136af59de80000
kernel config: https://syzkaller.appspot.com/x/.config?x=247b5a935d307ee5
dashboard link: https://syzkaller.appspot.com/bug?extid=28ffce7d8664aefeb332
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
CC: [ak...@linux-foundation.org linux-...@vger.kernel.org linu...@kvack.org]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/bb889a17a22f/disk-95c8a35f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/995090e5a4ae/vmlinux-95c8a35f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3e962df6644b/bzImage-95c8a35f.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+28ffce...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc0000000040: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000200-0x0000000000000207]
CPU: 0 PID: 8881 Comm: syz-executor.2 Not tainted 6.7.0-rc8-syzkaller-00174-g95c8a35f1c01 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
RIP: 0010:remove_vma+0x6c/0x170 mm/mmap.c:140
Code: 0f 85 03 01 00 00 4c 8b 63 78 4d 85 e4 74 3a e8 6a 21 bc ff 49 8d 7c 24 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 f0 00 00 00 4d 8b 64 24 08 4d 85 e4 74 0b e8 3b
RSP: 0018:ffffc900145f7c18 EFLAGS: 00010213
RAX: dffffc0000000000 RBX: ffff88808d24fd00 RCX: 0000000000000001
RDX: 0000000000000040 RSI: ffffffff81cb5126 RDI: 0000000000000207
RBP: 0000000000000001 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 00000000000001ff
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000001822
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555a35b7a70 CR3: 000000003479e000 CR4: 0000000000350ef0
Call Trace:
<TASK>
exit_mmap+0x453/0xa70 mm/mmap.c:3335
__mmput+0x12a/0x4d0 kernel/fork.c:1349
mmput+0x62/0x70 kernel/fork.c:1371
exit_mm kernel/exit.c:567 [inline]
do_exit+0x9a5/0x2ad0 kernel/exit.c:856
do_group_exit+0xd4/0x2a0 kernel/exit.c:1018
__do_sys_exit_group kernel/exit.c:1029 [inline]
__se_sys_exit_group kernel/exit.c:1027 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1027
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f39de47cd29
Code: Unable to access opcode bytes at 0x7f39de47ccff.
RSP: 002b:00007ffeb0945598 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 000000000000001e RCX: 00007f39de47cd29
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000001 R08: 0000000000000e29 R09: 0000000000000000
R10: 0000001b32320000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
</TASK>
Modules linked in:
----------------
Code disassembly (best guess):
0: 0f 85 03 01 00 00 jne 0x109
6: 4c 8b 63 78 mov 0x78(%rbx),%r12
a: 4d 85 e4 test %r12,%r12
d: 74 3a je 0x49
f: e8 6a 21 bc ff call 0xffbc217e
14: 49 8d 7c 24 08 lea 0x8(%r12),%rdi
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2e: 0f 85 f0 00 00 00 jne 0x124
34: 4d 8b 64 24 08 mov 0x8(%r12),%r12
39: 4d 85 e4 test %r12,%r12
3c: 74 0b je 0x49
3e: e8 .byte 0xe8
3f: 3b .byte 0x3b
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 95c8a35f1c01 Merge tag 'mm-hotfixes-stable-2024-01-05-11-3..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=136af59de80000
kernel config: https://syzkaller.appspot.com/x/.config?x=247b5a935d307ee5
dashboard link: https://syzkaller.appspot.com/bug?extid=28ffce7d8664aefeb332
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
CC: [ak...@linux-foundation.org linux-...@vger.kernel.org linu...@kvack.org]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/bb889a17a22f/disk-95c8a35f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/995090e5a4ae/vmlinux-95c8a35f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3e962df6644b/bzImage-95c8a35f.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+28ffce...@syzkaller.appspotmail.com
general protection fault, probably for non-canonical address 0xdffffc0000000040: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000200-0x0000000000000207]
CPU: 0 PID: 8881 Comm: syz-executor.2 Not tainted 6.7.0-rc8-syzkaller-00174-g95c8a35f1c01 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
RIP: 0010:remove_vma+0x6c/0x170 mm/mmap.c:140
Code: 0f 85 03 01 00 00 4c 8b 63 78 4d 85 e4 74 3a e8 6a 21 bc ff 49 8d 7c 24 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 f0 00 00 00 4d 8b 64 24 08 4d 85 e4 74 0b e8 3b
RSP: 0018:ffffc900145f7c18 EFLAGS: 00010213
RAX: dffffc0000000000 RBX: ffff88808d24fd00 RCX: 0000000000000001
RDX: 0000000000000040 RSI: ffffffff81cb5126 RDI: 0000000000000207
RBP: 0000000000000001 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 00000000000001ff
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000001822
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005555a35b7a70 CR3: 000000003479e000 CR4: 0000000000350ef0
Call Trace:
<TASK>
exit_mmap+0x453/0xa70 mm/mmap.c:3335
__mmput+0x12a/0x4d0 kernel/fork.c:1349
mmput+0x62/0x70 kernel/fork.c:1371
exit_mm kernel/exit.c:567 [inline]
do_exit+0x9a5/0x2ad0 kernel/exit.c:856
do_group_exit+0xd4/0x2a0 kernel/exit.c:1018
__do_sys_exit_group kernel/exit.c:1029 [inline]
__se_sys_exit_group kernel/exit.c:1027 [inline]
__x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1027
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f39de47cd29
Code: Unable to access opcode bytes at 0x7f39de47ccff.
RSP: 002b:00007ffeb0945598 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 000000000000001e RCX: 00007f39de47cd29
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000001 R08: 0000000000000e29 R09: 0000000000000000
R10: 0000001b32320000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
</TASK>
Modules linked in:
----------------
Code disassembly (best guess):
0: 0f 85 03 01 00 00 jne 0x109
6: 4c 8b 63 78 mov 0x78(%rbx),%r12
a: 4d 85 e4 test %r12,%r12
d: 74 3a je 0x49
f: e8 6a 21 bc ff call 0xffbc217e
14: 49 8d 7c 24 08 lea 0x8(%r12),%rdi
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2e: 0f 85 f0 00 00 00 jne 0x124
34: 4d 8b 64 24 08 mov 0x8(%r12),%r12
39: 4d 85 e4 test %r12,%r12
3c: 74 0b je 0x49
3e: e8 .byte 0xe8
3f: 3b .byte 0x3b
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Apr 5, 2024, 7:06:16 PMApr 5
to syzkaller-upst...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.
Crashes did not happen for a while, no reproducer and no activity.
Reply all
Reply to author
Forward
0 new messages