From: Eric Biggers <ebiggers3@gmail.com>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: syzbot <syzbot+549decbd1891d501b6d5@syzkaller.appspotmail.com>,
	"Roman Kagan" <rkagan@virtuozzo.com>,
	"David Hildenbrand" <david@redhat.com>,
	"H. Peter Anvin" <hpa@zytor.com>,
	"KVM list" <kvm@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	"Ingo Molnar" <mingo@redhat.com>,
	"Paolo Bonzini" <pbonzini@redhat.com>,
	"Radim Krčmář" <rkrcmar@redhat.com>,
	syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
	"Thomas Gleixner" <tglx@linutronix.de>,
	"the arch/x86 maintainers" <x86@kernel.org>,
	"Matthew Wilcox" <mawilcox@microsoft.com>
Subject: Re: general protection fault in __radix_tree_delete
Date: Sat, 26 May 2018 09:44:25 -0700	[thread overview]
Message-ID: <20180526164425.GA758@sol.localdomain> (raw)
In-Reply-To: <CACT4Y+bJH+gy2x+jDNsAgbRTSpf_4ieP_AbSOHUsgzKWxyk+wA@mail.gmail.com>

On Sun, May 13, 2018 at 10:26:15AM +0200, 'Dmitry Vyukov' via syzkaller-bugs wrote:
> On Sun, Apr 29, 2018 at 7:00 PM, syzbot
> <syzbot+549decbd1891d501b6d5@syzkaller.appspotmail.com> wrote:
> > Hello,
> >
> > syzbot hit the following crash on upstream commit
> > cdface5209349930ae1b51338763c8e029971b97 (Sun Apr 29 03:07:21 2018 +0000)
> > Merge tag 'for_linus_stable' of
> > git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4
> > syzbot dashboard link:
> > https://syzkaller.appspot.com/bug?extid=549decbd1891d501b6d5
> >
> > So far this crash happened 8 times on upstream.
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?id=6647588371562496
> > syzkaller reproducer:
> > https://syzkaller.appspot.com/x/repro.syz?id=4781854846615552
> > Raw console output:
> > https://syzkaller.appspot.com/x/log.txt?id=4580574157078528
> > Kernel config:
> > https://syzkaller.appspot.com/x/.config?id=7043958930931867332
> > compiler: gcc (GCC) 8.0.1 20180413 (experimental)
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+549decbd1891d501b6d5@syzkaller.appspotmail.com
> > It will help syzbot understand when the bug is fixed. See footer for
> > details.
> > If you forward the report, please keep this part and the footer.
> 
> 
> This crash was bisected as introduced by:
> 
> commit faeb7833eee0d6afe0ecb6bdfa6042556c2c352e
> Author: Roman Kagan <rkagan@virtuozzo.com>
> Date:   Thu Feb 1 16:48:32 2018 +0300
> 
>     kvm: x86: hyperv: guest->host event signaling via eventfd
> 
> https://gist.githubusercontent.com/dvyukov/df4971d7dfd1b37bedb5bfa0c95f9ebc/raw/ee8b7804788049f80625563e0322090c798c4544/gistfile1.txt
> 
> 
> 
> > kasan: CONFIG_KASAN_INLINE enabled
> > kasan: GPF could be caused by NULL-ptr deref or user memory access
> > general protection fault: 0000 [#1] SMP KASAN
> > Dumping ftrace buffer:
> >    (ftrace buffer empty)
> > Modules linked in:
> > CPU: 0 PID: 4525 Comm: syz-executor786 Not tainted 4.17.0-rc2+ #23
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > RIP: 0010:__read_once_size include/linux/compiler.h:188 [inline]
> > RIP: 0010:__radix_tree_delete+0x74/0x230 lib/radix-tree.c:1989
> > RSP: 0018:ffff8801d9137108 EFLAGS: 00010206
> > RAX: 0000000000000003 RBX: dffffc0000000000 RCX: 1ffff1003b226e3e
> > RDX: 0000000000000000 RSI: ffffffff8768eeed RDI: ffff8801a7dac168
> > RBP: ffff8801d91371a8 R08: ffff8801d962c1c0 R09: ffffed0034fb5811
> > R10: ffff8801d91372b8 R11: ffff8801a7dac08f R12: 0000000000000000
> > R13: ffff8801a7dac168 R14: 0000000000000018 R15: ffff8801d9137230
> > FS:  0000000001df3880(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 0000000020000100 CR3: 00000001d9104000 CR4: 00000000001426f0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > Call Trace:
> >  radix_tree_delete_item+0x148/0x2d0 lib/radix-tree.c:2050
> >  idr_remove+0x46/0x60 lib/idr.c:157
> >  kvm_hv_eventfd_deassign arch/x86/kvm/hyperv.c:1433 [inline]
> >  kvm_vm_ioctl_hv_eventfd+0x1df/0x24b arch/x86/kvm/hyperv.c:1451
> >  kvm_arch_vm_ioctl+0x155e/0x2690 arch/x86/kvm/x86.c:4563
> >  kvm_vm_ioctl+0x246/0x1d90 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3100
> >  vfs_ioctl fs/ioctl.c:46 [inline]
> >  file_ioctl fs/ioctl.c:500 [inline]
> >  do_vfs_ioctl+0x1cf/0x16a0 fs/ioctl.c:684
> >  ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
> >  __do_sys_ioctl fs/ioctl.c:708 [inline]
> >  __se_sys_ioctl fs/ioctl.c:706 [inline]
> >  __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706
> >  do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
> >  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > RIP: 0033:0x440069
> > RSP: 002b:00007ffcf0b02cd8 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
> > RAX: ffffffffffffffda RBX: 6d766b2f7665642f RCX: 0000000000440069
> > RDX: 0000000020000000 RSI: 000000004018aebd RDI: 00000000000000a9
> > RBP: 00000000006cb018 R08: 00007ffcf0b02cf0 R09: 00007ffcf0b02cf0
> > R10: 00007ffcf0b02cf0 R11: 0000000000000217 R12: 00000000004018a0
> > R13: 0000000000401930 R14: 0000000000000000 R15: 0000000000000000
> > Code: 3f 9a 88 48 c7 45 88 80 ee 68 87 c7 00 f1 f1 f1 f1 c7 40 04 00 f2 f2
> > f2 c7 40 08 f3 f3 f3 f3 e8 a3 51 10 fa 4c 89 f0 48 c1 e8 03 <80> 3c 18 00 0f
> > 85 97 01 00 00 48 8d 55 d8 4c 8d 7a c0 49 8b 1e
> > RIP: __read_once_size include/linux/compiler.h:188 [inline] RSP: ffff8801d9137108
> > RIP: __radix_tree_delete+0x74/0x230 lib/radix-tree.c:1989 RSP: ffff8801d9137108
> > ---[ end trace 79327005f044daef ]---
> >
> >
> > ---
> > This bug is generated by a dumb bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for details.
> > Direct all questions to syzkaller@googlegroups.com.
> >
> > syzbot will keep track of this bug report.
> > If you forgot to add the Reported-by tag, once the fix for this bug is
> > merged into any tree, please reply to this email with:
> > #syz fix: exact-commit-title

This seems to have been another report of the IDR / radix tree bug now fixed by
commit 7a4deea1aa8b (thanks Matthew!):

#syz fix: idr: fix invalid ptr dereference on item delete

- Eric
