[syzbot] [mm?] general protection fault in __hugetlb_zap_begin

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+ec9435c038e451be48ff@syzkaller.appspotmail.com>
To: akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
	 linux-mm@kvack.org, llvm@lists.linux.dev,
	mike.kravetz@oracle.com,  muchun.song@linux.dev,
	nathan@kernel.org, ndesaulniers@google.com,  riel@surriel.com,
	syzkaller-bugs@googlegroups.com, trix@redhat.com
Subject: [syzbot] [mm?] general protection fault in __hugetlb_zap_begin
Date: Sun, 29 Oct 2023 10:09:18 -0700	[thread overview]
Message-ID: <0000000000006655c10608ddfb6d@google.com> (raw)

Hello,

syzbot found the following issue on:

HEAD commit:    3a568e3a961b Merge tag 'soc-fixes-6.7-3' of git://git.kern..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=159d9cdd680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=174a257c5ae6b4fd
dashboard link: https://syzkaller.appspot.com/bug?extid=ec9435c038e451be48ff
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14e433eb680000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16808d35680000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/70fcba190275/disk-3a568e3a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/65a6a954dd61/vmlinux-3a568e3a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e4d7963284af/bzImage-3a568e3a.xz

The issue was bisected to:

commit bf4916922c60f43efaa329744b3eef539aa6a2b2
Author: Rik van Riel <riel@surriel.com>
Date:   Fri Oct 6 03:59:07 2023 +0000

    hugetlbfs: extend hugetlb_vma_lock to private VMAs

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=17d92743680000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=14392743680000
console output: https://syzkaller.appspot.com/x/log.txt?x=10392743680000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ec9435c038e451be48ff@syzkaller.appspotmail.com
Fixes: bf4916922c60 ("hugetlbfs: extend hugetlb_vma_lock to private VMAs")

general protection fault, probably for non-canonical address 0xdffffc000000001d: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000e8-0x00000000000000ef]
CPU: 1 PID: 5048 Comm: syz-executor261 Not tainted 6.6.0-rc7-syzkaller-00123-g3a568e3a961b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:__lock_acquire+0x10d/0x7f70 kernel/locking/lockdep.c:5004
Code: 85 75 18 00 00 83 3d fd 93 2c 0d 00 48 89 9c 24 10 01 00 00 0f 84 f8 0f 00 00 83 3d 5c 8c b2 0b 00 74 34 48 89 d0 48 c1 e8 03 <42> 80 3c 00 00 74 1a 48 89 d7 e8 24 c0 7b 00 48 8b 94 24 80 00 00
RSP: 0018:ffffc90003abf440 EFLAGS: 00010006
RAX: 000000000000001d RBX: 1ffff92000757eac RCX: 0000000000000000
RDX: 00000000000000e8 RSI: 0000000000000000 RDI: 00000000000000e8
RBP: ffffc90003abf708 R08: dffffc0000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff1d32d6e R12: 0000000000000000
R13: 0000000000000001 R14: 0000000000000000 R15: ffff88807b34bb80
FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fbcd77db0d0 CR3: 0000000029b05000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 lock_acquire+0x1e3/0x520 kernel/locking/lockdep.c:5753
 down_write+0x3a/0x50 kernel/locking/rwsem.c:1573
 __hugetlb_zap_begin+0x2e0/0x380 mm/hugetlb.c:5447
 hugetlb_zap_begin include/linux/hugetlb.h:258 [inline]
 unmap_vmas+0x364/0x5c0 mm/memory.c:1733
 exit_mmap+0x297/0xc50 mm/mmap.c:3230
 __mmput+0x115/0x3c0 kernel/fork.c:1349
 exit_mm+0x21f/0x300 kernel/exit.c:567
 do_exit+0x9af/0x2650 kernel/exit.c:861
 __do_sys_exit kernel/exit.c:991 [inline]
 __se_sys_exit kernel/exit.c:989 [inline]
 __x64_sys_exit+0x40/0x40 kernel/exit.c:989
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fbcd7764af9
Code: Unable to access opcode bytes at 0x7fbcd7764acf.
RSP: 002b:00007ffe3ee5cb58 EFLAGS: 00000246
 ORIG_RAX: 000000000000003c
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbcd7764af9
RDX: 00007fbcd779e433 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000011f97 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe3ee5cc7c
R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__lock_acquire+0x10d/0x7f70 kernel/locking/lockdep.c:5004
Code: 85 75 18 00 00 83 3d fd 93 2c 0d 00 48 89 9c 24 10 01 00 00 0f 84 f8 0f 00 00 83 3d 5c 8c b2 0b 00 74 34 48 89 d0 48 c1 e8 03 <42> 80 3c 00 00 74 1a 48 89 d7 e8 24 c0 7b 00 48 8b 94 24 80 00 00
RSP: 0018:ffffc90003abf440 EFLAGS: 00010006

RAX: 000000000000001d RBX: 1ffff92000757eac RCX: 0000000000000000
RDX: 00000000000000e8 RSI: 0000000000000000 RDI: 00000000000000e8
RBP: ffffc90003abf708 R08: dffffc0000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff1d32d6e R12: 0000000000000000
R13: 0000000000000001 R14: 0000000000000000 R15: ffff88807b34bb80
FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fbcd77db0d0 CR3: 0000000029b05000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	85 75 18             	test   %esi,0x18(%rbp)
   3:	00 00                	add    %al,(%rax)
   5:	83 3d fd 93 2c 0d 00 	cmpl   $0x0,0xd2c93fd(%rip)        # 0xd2c9409
   c:	48 89 9c 24 10 01 00 	mov    %rbx,0x110(%rsp)
  13:	00
  14:	0f 84 f8 0f 00 00    	je     0x1012
  1a:	83 3d 5c 8c b2 0b 00 	cmpl   $0x0,0xbb28c5c(%rip)        # 0xbb28c7d
  21:	74 34                	je     0x57
  23:	48 89 d0             	mov    %rdx,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 80 3c 00 00       	cmpb   $0x0,(%rax,%r8,1) <-- trapping instruction
  2f:	74 1a                	je     0x4b
  31:	48 89 d7             	mov    %rdx,%rdi
  34:	e8 24 c0 7b 00       	call   0x7bc05d
  39:	48                   	rex.W
  3a:	8b                   	.byte 0x8b
  3b:	94                   	xchg   %eax,%esp
  3c:	24 80                	and    $0x80,%al


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

next             reply	other threads:[~2023-10-29 17:09 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-10-29 17:09 syzbot [this message]
2023-11-03 11:36 ` [syzbot] [PATCH] Test for 2030579113a1 syzbot
2024-01-09 18:17 ` [syzbot] [mm?] general protection fault in __hugetlb_zap_begin syzbot
     [not found] <tencent_E5C64B4991EEF2AEC68C80A7DF86E092CF06@qq.com>
2023-11-03 11:52 ` syzbot
2023-11-03 18:12   ` Mike Kravetz

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=0000000000006655c10608ddfb6d@google.com \
    --to=syzbot+ec9435c038e451be48ff@syzkaller.appspotmail.com \
    --cc=akpm@linux-foundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=llvm@lists.linux.dev \
    --cc=mike.kravetz@oracle.com \
    --cc=muchun.song@linux.dev \
    --cc=nathan@kernel.org \
    --cc=ndesaulniers@google.com \
    --cc=riel@surriel.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=trix@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.