From: syzbot <syzbot+89edd67979b52675ddec@syzkaller.appspotmail.com>
To: akpm@linux-foundation.org, hughd@google.com, jannh@google.com,
jose.pekkarinen@foxhound.fi, linux-kernel@vger.kernel.org,
linux-mm@kvack.org, syzkaller-bugs@googlegroups.com,
willy@infradead.org
Subject: Re: [syzbot] [mm?] BUG: unable to handle kernel paging request in __pte_offset_map_lock
Date: Wed, 15 Nov 2023 23:59:04 -0800
Message-ID: <000000000000ba0007060a40644f@google.com>
In-Reply-To: <c659f5c9-5e4f-0aac-7d1c-ee3be4740a0d@google.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel paging request in __pte_offset_map_lock
Unable to handle kernel paging request at virtual address dfff800000000004
KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]
Mem abort info:
ESR = 0x0000000096000005
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x05: level 1 translation fault
Data abort info:
ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfff800000000004] address between user and kernel address ranges
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 6731 Comm: syz-executor.5 Not tainted 6.7.0-rc1-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __lock_acquire+0x104/0x75e8 kernel/locking/lockdep.c:5004
lr : lock_acquire+0x23c/0x71c kernel/locking/lockdep.c:5753
sp : ffff800097066d40
x29: ffff800097067000 x28: ffff8000808f70ac x27: ffff700012e0ce18
x26: 1ffff00011c64088 x25: 0000000000000000 x24: 0000000000000000
x23: ffff700012e0cdd0 x22: 0000000000000000 x21: 0000000000000000
x20: 0000000000000000 x19: 0000000000000022 x18: ffff800097067750
x17: ffff80008e31d000 x16: ffff80008a73b6ac x15: 0000000000000001
x14: ffff80008e320448 x13: ffff800097066e80 x12: dfff800000000000
x11: ffff80008031ef10 x10: ffff80008e320444 x9 : 00000000000000f3
x8 : 0000000000000004 x7 : ffff8000808f70ac x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000022
Call trace:
__lock_acquire+0x104/0x75e8 kernel/locking/lockdep.c:5004
lock_acquire+0x23c/0x71c kernel/locking/lockdep.c:5753
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x48/0x60 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
__pte_offset_map_lock+0x154/0x360 mm/pgtable-generic.c:378
pte_offset_map_lock include/linux/mm.h:2946 [inline]
filemap_map_pages+0x5cc/0x112c mm/filemap.c:3531
do_fault_around mm/memory.c:4588 [inline]
do_read_fault mm/memory.c:4621 [inline]
do_fault mm/memory.c:4764 [inline]
do_pte_missing mm/memory.c:3732 [inline]
handle_pte_fault mm/memory.c:5040 [inline]
__handle_mm_fault mm/memory.c:5181 [inline]
handle_mm_fault+0x35ec/0x49f8 mm/memory.c:5346
faultin_page mm/gup.c:956 [inline]
__get_user_pages+0x3e0/0xa24 mm/gup.c:1239
populate_vma_page_range+0x254/0x328 mm/gup.c:1677
__mm_populate+0x240/0x3d8 mm/gup.c:1786
mm_populate include/linux/mm.h:3379 [inline]
vm_mmap_pgoff+0x2bc/0x3d4 mm/util.c:551
ksys_mmap_pgoff+0xd0/0x5b0 mm/mmap.c:1425
__do_sys_mmap arch/arm64/kernel/sys.c:28 [inline]
__se_sys_mmap arch/arm64/kernel/sys.c:21 [inline]
__arm64_sys_mmap+0xf8/0x110 arch/arm64/kernel/sys.c:21
__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155
el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595
Code: 90070528 b9424108 34000208 d343fe68 (386c6908)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 90070528 adrp x8, 0xe0a4000
4: b9424108 ldr w8, [x8, #576]
8: 34000208 cbz w8, 0x48
c: d343fe68 lsr x8, x19, #3
* 10: 386c6908 ldrb w8, [x8, x12] <-- trapping instruction
Tested on:
commit: b85ea95d Linux 6.7-rc1
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=14cf3388e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=fffc11e84313b7c6
dashboard link: https://syzkaller.appspot.com/bug?extid=89edd67979b52675ddec
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=136db347680000