* Fwd: kernel BUG at lib/radix-tree.c:1008!
From: Gene Blue @ 2017-06-08 2:31 UTC (permalink / raw)
To: hughd, linux-mm, viro, linux-fsdevel; +Cc: syzkaller
---------- Forwarded message ----------
From: Gene Blue <geneblue.mail@gmail.com>
Date: 2017-06-07 20:03 GMT+08:00
Subject: kernel BUG at lib/radix-tree.c:1008!
To: syzkaller@googlegroups.com
Hello:
Another bug found while fuzzing the kernel with syzkaller.
My kernel version is 4.11.0-rc1, downloaded directly from kernel.org.
kernel BUG at lib/radix-tree.c:1008!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 7809 Comm: syz-executor2 Not tainted 4.11.0-rc1 #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88006a1bdb40 task.stack: ffff88006b348000
RIP: 0010:__radix_tree_insert+0x26b/0x2f0 lib/radix-tree.c:1008
RSP: 0018:ffff88006b34f760 EFLAGS: 00010087
RAX: ffff88006a1bdb40 RBX: 1ffff1000d669eee RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffffff81bd50fb RDI: ffffc90004032000
RBP: ffff88006b34f838 R08: 00000000000000fa R09: 0000000000010000
R10: 0000000000000003 R11: ffff8800605b8ed0 R12: 0000000000000000
R13: 1ffff1000c0b71da R14: 0000000000000000 R15: ffff8800605b8ed0
FS: 00007f8722b38700(0000) GS:ffff88003ed00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020001ff4 CR3: 000000003c6d6000 CR4: 00000000000006e0
Call Trace:
radix_tree_insert include/linux/radix-tree.h:297 [inline]
shmem_add_to_page_cache+0x2fe/0x420 mm/shmem.c:591
shmem_getpage_gfp.isra.49+0x110a/0x1c90 mm/shmem.c:1792
shmem_fault+0x21f/0x690 mm/shmem.c:1985
__do_fault+0x83/0x210 mm/memory.c:2888
do_read_fault mm/memory.c:3270 [inline]
do_fault mm/memory.c:3370 [inline]
handle_pte_fault mm/memory.c:3600 [inline]
__handle_mm_fault+0x8d5/0x1bc0 mm/memory.c:3714
handle_mm_fault+0x1ea/0x4c0 mm/memory.c:3751
__do_page_fault+0x508/0xb00 arch/x86/mm/fault.c:1397
trace_do_page_fault+0x93/0x450 arch/x86/mm/fault.c:1490
do_async_page_fault+0x14/0x60 arch/x86/kernel/kvm.c:264
async_page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1014
RIP: 0010:do_strncpy_from_user lib/strncpy_from_user.c:44 [inline]
RIP: 0010:strncpy_from_user+0xa9/0x2b0 lib/strncpy_from_user.c:117
RSP: 0018:ffff88006b34fdc0 EFLAGS: 00010246
RAX: ffff88006a1bdb40 RBX: 0000000000000fe4 RCX: 0000000000000001
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc90004032000
RBP: ffff88006b34fe00 R08: 0000000000000017 R09: 0000000000010000
R10: ffff88003a9568ff R11: ffffed000752ad20 R12: 0000000000000fe4
R13: 0000000020001ff4 R14: 0000000000000fe4 R15: fffffffffffffff2
getname_flags+0x113/0x580 fs/namei.c:148
getname+0x19/0x20 fs/namei.c:208
do_sys_open+0x1c7/0x450 fs/open.c:1045
SYSC_openat fs/open.c:1078 [inline]
SyS_openat+0x30/0x40 fs/open.c:1072
entry_SYSCALL_64_fastpath+0x1f/0xc2
RIP: 0033:0x4458d9
RSP: 002b:00007f8722b37b58 EFLAGS: 00000292 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00000000007080a8 RCX: 00000000004458d9
RDX: 0000000000010100 RSI: 0000000020001ff4 RDI: ffffffffffffff9c
RBP: 0000000000000046 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f8722b389c0 R15: 00007f8722b38700
Code: 38 ca 7c 0d 45 84 c9 74 08 4c 89 ff e8 8f a5 97 ff 4c 8b 9d 30 ff ff ff 41 8b 03 c1 e8 1a 85 c0 0f 84 8b fe ff ff e8 15 52 78 ff <0f> 0b e8 0e 52 78 ff 49 8d 7d 03 48 b9 00 00 00 00 00 fc ff df
RIP: __radix_tree_insert+0x26b/0x2f0 lib/radix-tree.c:1008 RSP: ffff88006b34f760
---[ end trace c1b7be537b8a3b4a ]---
Kernel panic - not syncing: Fatal exception
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
* Re: Fwd: kernel BUG at lib/radix-tree.c:1008!
From: Matthew Wilcox @ 2017-06-08 3:03 UTC (permalink / raw)
To: Gene Blue; +Cc: hughd, linux-mm, viro, linux-fsdevel, syzkaller
On Thu, Jun 08, 2017 at 10:31:39AM +0800, Gene Blue wrote:
> kernel BUG at lib/radix-tree.c:1008!
Well, that's interesting. The BUG at that line is:
BUG_ON(root_tags_get(root));
which indicates we just inserted an entry into the radix tree at root, and
found out that the entry was already tagged!
That shouldn't be happening. We clear the tags (all the way up to the root)
when deleting entries from the tree. Is this at all reproducible?
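As an added illustration of the invariant Matthew describes (this is not kernel code, only a much simplified, single-node model of the tag bookkeeping in lib/radix-tree.c): the root keeps a summary of the tags set on the slots below it, a correct delete clears that summary once no slot carries the tag, and a delete that leaves the tags behind makes the next insert into the emptied tree hit the same condition the BUG_ON at lib/radix-tree.c:1008 tests. `root_tags_get` is the name from the trace; every other identifier and the slot/tag counts are the model's own assumptions.

```c
#include <stdlib.h>
#define SLOTS 8   /* fan-out of the single node in this toy model (assumed) */
#define NTAGS 3   /* number of tag kinds, like the page cache's dirty/towrite tags (assumed) */
struct node { void *slots[SLOTS]; unsigned long tags[NTAGS]; }; /* tags[t] bit i: slot i carries tag t */
struct root { unsigned int tags; struct node *node; };           /* root->tags summarises the node's tags */
static unsigned int root_tags_get(const struct root *r) { return r->tags; }

/* Insert; on the empty-tree path this is the kernel's BUG_ON(root_tags_get(root)), returning -2 instead of crashing. */
static int radix_insert(struct root *r, unsigned idx, void *entry)
{
    if (idx >= SLOTS || !entry) return -1;
    if (!r->node) {
        if (root_tags_get(r)) return -2;        /* stale root tags: the condition in the reported trace */
        if (!(r->node = calloc(1, sizeof *r->node))) return -1;
    }
    if (r->node->slots[idx]) return -1;         /* entry already present */
    r->node->slots[idx] = entry;
    return 0;
}

static void radix_tag_set(struct root *r, unsigned idx, unsigned tag)
{
    r->node->tags[tag] |= 1UL << idx;
    r->tags |= 1U << tag;                       /* the tag propagates up to the root */
}

/* Delete. With clear_tags set, the slot's tag bits are dropped and the root summary bit is cleared once no
 * slot carries that tag (the correct behaviour); without it the tags leak past the removal of the entry. */
static void radix_delete(struct root *r, unsigned idx, int clear_tags)
{
    struct node *n = r->node; unsigned t, i;
    if (!n || idx >= SLOTS) return;
    n->slots[idx] = NULL;
    for (t = 0; clear_tags && t < NTAGS; t++) {
        n->tags[t] &= ~(1UL << idx);
        if (!n->tags[t]) r->tags &= ~(1U << t);
    }
    for (i = 0; i < SLOTS; i++) if (n->slots[i]) return;   /* node still holds entries */
    free(n); r->node = NULL;                                 /* tree is empty again */
}

/* Insert, tag, delete (clearing tags or not), re-insert; returns the second insert's result: 0 or -2. */
static int cycle(int clear_tags_on_delete)
{
    struct root r = { 0, NULL }; int page = 1, rc;
    radix_insert(&r, 3, &page); radix_tag_set(&r, 3, 0); radix_delete(&r, 3, clear_tags_on_delete);
    rc = radix_insert(&r, 3, &page);
    free(r.node);
    return rc;
}
```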
* Re: Fwd: kernel BUG at lib/radix-tree.c:1008!
From: Gene Blue @ 2017-06-08 3:21 UTC (permalink / raw)
To: Matthew Wilcox; +Cc: hughd, linux-mm, viro, linux-fsdevel, syzkaller
Yes, this bug is reproducible.
2017-06-08 11:03 GMT+08:00 Matthew Wilcox <willy@infradead.org>:
> On Thu, Jun 08, 2017 at 10:31:39AM +0800, Gene Blue wrote:
> > kernel BUG at lib/radix-tree.c:1008!
>
> Well, that's interesting. The BUG at that line is:
>
> BUG_ON(root_tags_get(root));
>
> which indicates we just inserted an entry into the radix tree at root, and
> found out that the entry was already tagged!
>
> That shouldn't be happening. We clear the tags (all the way up to the root)
> when deleting entries from the tree. Is this at all reproducible?
>