From: Dmitry Vyukov <dvyukov@google.com>
To: "Kirill A. Shutemov" <kirill@shutemov.name>
Cc: syzbot <syzbot+3f84280d52be9b7083cc@syzkaller.appspotmail.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Dan Williams <dan.j.williams@intel.com>,
	Jerome Glisse <jglisse@redhat.com>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>,
	ldufour@linux.vnet.ibm.com, LKML <linux-kernel@vger.kernel.org>,
	Linux-MM <linux-mm@kvack.org>, Michal Hocko <mhocko@suse.com>,
	Minchan Kim <minchan@kernel.org>,
	Ross Zwisler <ross.zwisler@linux.intel.com>,
	syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
	Matthew Wilcox <willy@infradead.org>,
	ying.huang@intel.com
Subject: Re: kernel BUG at mm/memory.c:LINE!
Date: Mon, 9 Jul 2018 12:48:37 +0200
Message-ID: <CACT4Y+a=8NOg+h6fBzpmVHiZ-vNUiG7SW4QgQvK3vD=KBqQ3_Q@mail.gmail.com>
In-Reply-To: <20180709101558.63vkwppwcgzcv3dg@kshutemo-mobl1>

On Mon, Jul 9, 2018 at 12:15 PM, Kirill A. Shutemov
<kirill@shutemov.name> wrote:
> On Sun, Jul 08, 2018 at 10:51:03PM -0700, syzbot wrote:
>> Hello,
>>
>> syzbot found the following crash on:
>>
>> HEAD commit:    b2d44d145d2a Merge tag '4.18-rc3-smb3fixes' of git://git.s..
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=11d07748400000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=2ca6c7a31d407f86
>> dashboard link: https://syzkaller.appspot.com/bug?extid=3f84280d52be9b7083cc
>> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
>>
>> Unfortunately, I don't have any reproducer for this crash yet.
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+3f84280d52be9b7083cc@syzkaller.appspotmail.com
>>
>> next ffff8801ce5e7040 prev ffff8801d20eca50 mm ffff88019c1e13c0
>> prot 27 anon_vma ffff88019680cdd8 vm_ops 0000000000000000
>> pgoff 0 file ffff8801b2ec2d00 private_data 0000000000000000
>> flags: 0xff(read|write|exec|shared|mayread|maywrite|mayexec|mayshare)
>> ------------[ cut here ]------------
>> kernel BUG at mm/memory.c:1422!
>
> Looks like vma_is_anonymous() false-positive.
>
> Any clues what file is it? I would guess some kind of socket, but it's not
> clear from log which exactly.


From the log it looks like it was this program (number 3 matches Comm:
syz-executor3):

08:39:32 executing program 3:
r0 = socket$nl_route(0x10, 0x3, 0x0)
bind$netlink(r0, &(0x7f00000002c0)={0x10, 0x0, 0x0, 0x100000}, 0xc)
getsockname(r0, &(0x7f0000000000)=@pppol2tpv3in6={0x0, 0x0, {0x0,
<r1=>0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, {0x0, 0x0, 0x0,
@loopback}}}, &(0x7f00000000c0)=0x3a)
mmap(&(0x7f0000e00000/0x200000)=nil, 0x200000, 0x7fdff, 0x11, r1, 0x0)
ioctl$FIBMAP(r0, 0x1, &(0x7f0000000100)=0x9)
r2 = socket$inet6(0xa, 0x1000000000002, 0x0)
ioctl(r2, 0x8912, &(0x7f00000001c0)="796d05ad441e829115ac7fd77200")
r3 = syz_open_dev$vcsa(&(0x7f0000000140)='/dev/vcsa#\x00', 0x3, 0x2)
ioctl$VHOST_SET_VRING_ENDIAN(r3, 0x4008af13, &(0x7f0000000180)={0x0, 0x8})
sendto$inet(0xffffffffffffffff, &(0x7f0000a88f88), 0xffffffffffffff31,
0x0, &(0x7f0000e68000)={0x2, 0x0, @multicast2=0xe0000002},
0xfffffffffffffeb3)
ftruncate(r1, 0x6)
mmap(&(0x7f0000e00000/0x200000)=nil, 0x200000, 0x0, 0x11, r0, 0x0)
setsockopt$SO_TIMESTAMPING(r1, 0x1, 0x25, &(0x7f0000000080)=0x804, 0x4)

But take what happens here with a grain of salt; it can pretend that
it's doing one thing but actually do something different.
So that r1 passed to ftruncate is something that getsockname returned
somewhere in the middle of the address. And since the socket is not
actually ppp, it can be just some bytes in the middle of the netlink
address that then happened to be small and match some existing fd...
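To check the reasoning above about where r1 comes from, here is an added example (my own, not code from the thread or from syzkaller) that lays the 12-byte netlink address over the pppol2tpv3in6 layout the program used for its getsockname() buffer. It assumes a little-endian host and takes the pre-existing contents of the fd field as a parameter, since the page does not say what the executor stored there; the nl_pid value is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layouts mirror the kernel UAPI (linux/netlink.h, linux/if_pppol2tp.h),
 * redefined locally so this builds without kernel headers. */
struct nl_addr {                 /* struct sockaddr_nl: 12 bytes */
    uint16_t nl_family;
    uint16_t nl_pad;
    uint32_t nl_pid;
    uint32_t nl_groups;
};

struct v3in6_addr {              /* struct pppol2tpv3in6_addr, leading fields */
    int32_t pid;
    int32_t fd;                  /* this is the field r1 is read from */
    uint32_t s_tunnel, s_session, d_tunnel, d_session;
};

struct __attribute__((packed)) pppox_v3in6 {  /* struct sockaddr_pppol2tpv3in6 */
    uint16_t sa_family;
    uint32_t sa_protocol;
    struct v3in6_addr pppol2tp;
};

/* Byte offset of fd inside the buffer handed to getsockname(): 2 + 4 + 4 = 10. */
#define FD_OFF (offsetof(struct pppox_v3in6, pppol2tp) + offsetof(struct v3in6_addr, fd))

/* How many bytes of the fd field the 12-byte netlink address overwrites. */
size_t nl_fd_overlap_bytes(void) { return sizeof(struct nl_addr) - FD_OFF; }

/* Model of what the program sees as r1: getsockname() on a netlink socket
 * copies only sizeof(struct sockaddr_nl) bytes, so fd is assembled from the
 * upper two bytes of nl_groups plus the two bytes that were already in the
 * buffer (prefill). Assumes little-endian, as on the x86-64 syzbot instance. */
int fd_seen_by_program(uint32_t nl_groups, int32_t prefill)
{
    struct pppox_v3in6 buf;
    memset(&buf, 0, sizeof buf);
    buf.pppol2tp.fd = prefill;

    struct nl_addr nl = { 16 /* AF_NETLINK */, 0, 4242 /* nl_pid, constructed */, nl_groups };
    memcpy(&buf, &nl, sizeof nl);           /* only the 12 address bytes land */

    int32_t fd;
    memcpy(&fd, (const unsigned char *)&buf + FD_OFF, sizeof fd);
    return fd;
}

int main(void)
{
    /* 0x100000 is the nl_groups mask the program passed to bind() */
    printf("fd if the field held 0:  %d\n", fd_seen_by_program(0x100000, 0));
    printf("fd if the field held -1: %d\n", fd_seen_by_program(0x100000, -1));
    return 0;
}
```

With the bind() mask from the program, two bytes of nl_groups become the low half of fd, so whether r1 ends up as a small number (16) or a negative one depends entirely on what the program had stored in the fd field beforehand.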
