From: Sasha Levin <sasha.levin@oracle.com>
To: Michal Hocko <mhocko@suse.cz>,
Peter Zijlstra <peterz@infradead.org>,
"linux-mm@kvack.org" <linux-mm@kvack.org>
Cc: LKML <linux-kernel@vger.kernel.org>
Subject: mm: NULL ptr deref in free_pages_and_swap_cache
Date: Mon, 18 Apr 2016 10:44:20 -0400
Message-ID: <5714F2C4.9010104@oracle.com>
Hi all,
I've hit the following while fuzzing with syzkaller inside a KVM tools guest
running the latest -next kernel:
[ 326.963405] general protection fault: 0000 [#1] PREEMPT SMP KASAN
[ 326.963416] Modules linked in:
[ 326.963430] CPU: 0 PID: 10488 Comm: syz-executor Not tainted 4.6.0-rc3-next-20160412-sasha-00023-g0b02d6d-dirty #2998
[ 326.963437] task: ffff8800b6f91000 ti: ffff8801b5de0000 task.ti: ffff8801b5de0000
[ 326.963501] RIP: free_pages_and_swap_cache (./arch/x86/include/asm/bitops.h:311 (discriminator 3) include/linux/page-flags.h:320 (discriminator 3) mm/swap_state.c:242 (discriminator 3) mm/swap_state.c:269 (discriminator 3))
[ 326.963505] RSP: 0018:ffff8801b5de7878 EFLAGS: 00010202
[ 326.963510] RAX: 00000000000015b0 RBX: 0000000000000003 RCX: 0000000000000000
[ 326.963514] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffffffb989fa00
[ 326.963519] RBP: ffff8801b5de78b0 R08: 0000000000000000 R09: fffffffffffffff4
[ 326.963524] R10: 000000000014000a R11: ffffffffaa24a300 R12: dffffc0000000000
[ 326.963532] R13: 000000000000ad80 R14: ffff8800b5eef010 R15: 000000000000ad80
[ 326.963539] FS: 00007f01f5466700(0000) GS:ffff8801d4200000(0000) knlGS:0000000000000000
[ 326.963544] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 326.963549] CR2: 0000000000811000 CR3: 00000001b3c49000 CR4: 00000000000406f0
[ 326.963556] Stack:
[ 326.963566] ffff8801b5de7958 000001fe3911bddd ffff8800b5eef000 dffffc0000000000
[ 326.963574] ffff8800b5eef008 ffff8801b5de7958 00000000000001fe ffff8801b5de78f0
[ 326.963582] ffffffffa06d6ce7 ffff8801b5de7980 ffff8801b5bcc828 dffffc0000000000
[ 326.963583] Call Trace:
[ 326.963596] tlb_flush_mmu_free (mm/memory.c:259 (discriminator 4))
[ 326.963604] tlb_finish_mmu (mm/memory.c:283)
[ 326.963613] exit_mmap (mm/mmap.c:2730)
[ 326.963649] mmput (include/linux/compiler.h:222 kernel/fork.c:748 kernel/fork.c:715)
[ 326.963687] do_exit (./arch/x86/include/asm/bitops.h:311 include/linux/thread_info.h:92 kernel/exit.c:437 kernel/exit.c:735)
[ 326.963712] do_group_exit (kernel/exit.c:862)
[ 326.963720] get_signal (kernel/signal.c:2307)
[ 326.963735] do_signal (arch/x86/kernel/signal.c:784)
[ 326.963859] exit_to_usermode_loop (arch/x86/entry/common.c:231)
[ 326.963868] syscall_return_slowpath (arch/x86/entry/common.c:274 arch/x86/entry/common.c:329)
[ 326.963877] ret_from_fork (arch/x86/entry/entry_64.S:404)
[ 326.963953] Code: 00 74 08 4c 89 ff e8 c5 88 05 00 4d 8b 2f 4d 85 ed 4d 89 ef 75 0e 31 f6 48 c7 c7 c0 58 56 ae e8 58 c6 99 01 4c 89 e8 48 c1 e8 03 <42> 80 3c 20 00 74 08 4c 89 ef e8 96 88 05 00 49 8b 45 00 f6 c4
All code
========
0: 00 74 08 4c add %dh,0x4c(%rax,%rcx,1)
4: 89 ff mov %edi,%edi
6: e8 c5 88 05 00 callq 0x588d0
b: 4d 8b 2f mov (%r15),%r13
e: 4d 85 ed test %r13,%r13
11: 4d 89 ef mov %r13,%r15
14: 75 0e jne 0x24
16: 31 f6 xor %esi,%esi
18: 48 c7 c7 c0 58 56 ae mov $0xffffffffae5658c0,%rdi
1f: e8 58 c6 99 01 callq 0x199c67c
24: 4c 89 e8 mov %r13,%rax
27: 48 c1 e8 03 shr $0x3,%rax
2b:* 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) <-- trapping instruction
30: 74 08 je 0x3a
32: 4c 89 ef mov %r13,%rdi
35: e8 96 88 05 00 callq 0x588d0
3a: 49 8b 45 00 mov 0x0(%r13),%rax
3e: f6 c4 00 test $0x0,%ah
Code starting with the faulting instruction
===========================================
0: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1)
5: 74 08 je 0xf
7: 4c 89 ef mov %r13,%rdi
a: e8 96 88 05 00 callq 0x588a5
f: 49 8b 45 00 mov 0x0(%r13),%rax
13: f6 c4 00 test $0x0,%ah
[ 326.963963] RIP free_pages_and_swap_cache (./arch/x86/include/asm/bitops.h:311 (discriminator 3) include/linux/page-flags.h:320 (discriminator 3) mm/swap_state.c:242 (discriminator 3) mm/swap_state.c:269 (discriminator 3))
[ 326.963965] RSP <ffff8801b5de7878>