Hello,
The following program triggers GPF in find_get_pages_tag if run in
parallel loop for minutes:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
Modules linked in:
CPU: 2 PID: 301 Comm: a.out Tainted: G W 4.7.0-rc5+ #28
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff880063d12440 ti: ffff880067350000 task.ti: ffff880067350000
RIP: 0010:[<ffffffff816951a4>]
[< inline >] radix_tree_next_slot include/linux/radix-tree.h:473
[<ffffffff816951a4>] find_get_pages_tag+0x334/0x930 mm/filemap.c:1452
RSP: 0018:ffff880067357840 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 0000000000000001 RCX: ffff880063d12c80
RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000000008
RBP: ffff880067357910 R08: 0000000000000002 R09: 0000000000000000
R10: 0000000000000000 R11: ffffffff89f06360 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000000 R15: ffffed0007058ee5
FS: 00007f56e017c700(0000) GS:ffff88006d400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f56df97ae78 CR3: 0000000063d9e000 CR4: 00000000000006e0
Stack:
ffffffff81694efc ffff8800673578a8 0000010267357860 ffff880067357a50
ffff880065986aa0 1ffff1000ce6af11 0000000e00000000 ffff880067357a00
0000000000000003 0000000041b58ab3 ffffffff87e2a722 ffffffff81694e70
Call Trace:
[<ffffffff816cd91a>] pagevec_lookup_tag+0x3a/0x80 mm/swap.c:960
[<ffffffff81ab4231>] mpage_prepare_extent_to_map+0x321/0xa90
fs/ext4/inode.c:2516
[<ffffffff81ac883e>] ext4_writepages+0x10be/0x2b20 fs/ext4/inode.c:2736
[<ffffffff816c99c7>] do_writepages+0x97/0x100 mm/page-writeback.c:2364
[<ffffffff8169bee8>] __filemap_fdatawrite_range+0x248/0x2e0 mm/filemap.c:300
[<ffffffff8169c371>] filemap_write_and_wait_range+0x121/0x1b0 mm/filemap.c:490
[<ffffffff81aa584d>] ext4_sync_file+0x34d/0xdb0 fs/ext4/fsync.c:115
[<ffffffff818b667a>] vfs_fsync_range+0x10a/0x250 fs/sync.c:195
[< inline >] vfs_fsync fs/sync.c:209
[<ffffffff818b6832>] do_fsync+0x42/0x70 fs/sync.c:219
[< inline >] SYSC_fdatasync fs/sync.c:232
[<ffffffff818b6f89>] SyS_fdatasync+0x19/0x20 fs/sync.c:230
[<ffffffff86a94e00>] entry_SYSCALL_64_fastpath+0x23/0xc1
arch/x86/entry/entry_64.S:207
Code: 85 70 ff ff ff 49 d1 ec 4d 85 e4 4c 89 65 a8 74 65 e8 51 06 f0
ff 49 8d 7e 08 48 be 00 00 00 00 00 fc ff df 48 89 f8 48 c1 e8 03 <80>
3c 30 00 0f 85 9c 05 00 00 4d 8b 6e 08 4c 89 eb 83 e3 03 48
RIP [< inline >] radix_tree_next_slot include/linux/radix-tree.h:473
RIP [<ffffffff816951a4>] find_get_pages_tag+0x334/0x930 mm/filemap.c:1452
RSP <ffff880067357840>
---[ end trace 33a0cc4dd9a49a67 ]---
// autogenerated by syzkaller (
http://github.com/google/syzkaller)
#include <pthread.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
int fd;
char buf[8192];
char filename[256];
void* thr(void* arg)
{
switch ((long)arg) {
case 0:
write(fd, buf, 0x1001ul);
break;
case 1:
fdatasync(fd);
break;
case 2:
ftruncate(fd, 2);
break;
case 3:
write(fd, buf, 0x20ul);
break;
case 5:
fd = open(filename, 0x50042ul, 0x41ul);
break;
}
return 0;
}
int main()
{
long i;
pthread_t th[10];
srand(getpid());
sprintf(filename, "./file%d", getpid());
fd = open(filename, 0x50042ul, 0x41ul);
for (i = 0; i < 10; i++) {
pthread_create(&th[i], 0, thr, (void*)(i % 5));
usleep(rand() % 10);
}
for (i = 0; i < 10; i++)
pthread_join(th[i], 0);
unlink(filename);
return 0;
}
The faulting instruction is:
ffffffff816951a4: 80 3c 30 00 cmpb $0x0,(%rax,%rsi,1)
So this is KASAN shadow check for NULL address.
The previous taint is not relevant, it is:
[ 74.786477] ------------[ cut here ]------------
[ 74.786885] WARNING: CPU: 2 PID: 717 at lib/stackdepot.c:119
depot_save_stack+0x34f/0x5b0
[ 74.787196] Stack depot reached limit capacity
On commit 1a0a02d1efa066001fd315c1b4df583d939fa2c4 (Jun 30).