* Fwd: kernel BUG at lib/radix-tree.c:1008!
From: Gene Blue @ 2017-06-08 2:31 UTC
To: hughd, linux-mm, viro, linux-fsdevel; +Cc: syzkaller

---------- Forwarded message ----------
From: Gene Blue <geneblue.mail@gmail.com>
Date: 2017-06-07 20:03 GMT+08:00
Subject: kernel BUG at lib/radix-tree.c:1008!
To: syzkaller@googlegroups.com

Hello:

Another bug when fuzzing the kernel with syzkaller. My kernel version is
4.11.0-rc1, downloaded directly from kernel.org.

*****************************************************************************
kernel BUG at lib/radix-tree.c:1008!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 7809 Comm: syz-executor2 Not tainted 4.11.0-rc1 #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88006a1bdb40 task.stack: ffff88006b348000
RIP: 0010:__radix_tree_insert+0x26b/0x2f0 lib/radix-tree.c:1008
RSP: 0018:ffff88006b34f760 EFLAGS: 00010087
RAX: ffff88006a1bdb40 RBX: 1ffff1000d669eee RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffffff81bd50fb RDI: ffffc90004032000
RBP: ffff88006b34f838 R08: 00000000000000fa R09: 0000000000010000
R10: 0000000000000003 R11: ffff8800605b8ed0 R12: 0000000000000000
R13: 1ffff1000c0b71da R14: 0000000000000000 R15: ffff8800605b8ed0
FS: 00007f8722b38700(0000) GS:ffff88003ed00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020001ff4 CR3: 000000003c6d6000 CR4: 00000000000006e0
Call Trace:
 radix_tree_insert include/linux/radix-tree.h:297 [inline]
 shmem_add_to_page_cache+0x2fe/0x420 mm/shmem.c:591
 shmem_getpage_gfp.isra.49+0x110a/0x1c90 mm/shmem.c:1792
 shmem_fault+0x21f/0x690 mm/shmem.c:1985
 __do_fault+0x83/0x210 mm/memory.c:2888
 do_read_fault mm/memory.c:3270 [inline]
 do_fault mm/memory.c:3370 [inline]
 handle_pte_fault mm/memory.c:3600 [inline]
 __handle_mm_fault+0x8d5/0x1bc0 mm/memory.c:3714
 handle_mm_fault+0x1ea/0x4c0 mm/memory.c:3751
 __do_page_fault+0x508/0xb00 arch/x86/mm/fault.c:1397
 trace_do_page_fault+0x93/0x450 arch/x86/mm/fault.c:1490
 do_async_page_fault+0x14/0x60 arch/x86/kernel/kvm.c:264
 async_page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1014
RIP: 0010:do_strncpy_from_user lib/strncpy_from_user.c:44 [inline]
RIP: 0010:strncpy_from_user+0xa9/0x2b0 lib/strncpy_from_user.c:117
RSP: 0018:ffff88006b34fdc0 EFLAGS: 00010246
RAX: ffff88006a1bdb40 RBX: 0000000000000fe4 RCX: 0000000000000001
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc90004032000
RBP: ffff88006b34fe00 R08: 0000000000000017 R09: 0000000000010000
R10: ffff88003a9568ff R11: ffffed000752ad20 R12: 0000000000000fe4
R13: 0000000020001ff4 R14: 0000000000000fe4 R15: fffffffffffffff2
 getname_flags+0x113/0x580 fs/namei.c:148
 getname+0x19/0x20 fs/namei.c:208
 do_sys_open+0x1c7/0x450 fs/open.c:1045
 SYSC_openat fs/open.c:1078 [inline]
 SyS_openat+0x30/0x40 fs/open.c:1072
 entry_SYSCALL_64_fastpath+0x1f/0xc2
RIP: 0033:0x4458d9
RSP: 002b:00007f8722b37b58 EFLAGS: 00000292 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00000000007080a8 RCX: 00000000004458d9
RDX: 0000000000010100 RSI: 0000000020001ff4 RDI: ffffffffffffff9c
RBP: 0000000000000046 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f8722b389c0 R15: 00007f8722b38700
Code: 38 ca 7c 0d 45 84 c9 74 08 4c 89 ff e8 8f a5 97 ff 4c 8b 9d 30 ff ff ff 41 8b 03 c1 e8 1a 85 c0 0f 84 8b fe ff ff e8 15 52 78 ff <0f> 0b e8 0e 52 78 ff 49 8d 7d 03 48 b9 00 00 00 00 00 fc ff df
RIP: __radix_tree_insert+0x26b/0x2f0 lib/radix-tree.c:1008 RSP: ffff88006b34f760
---[ end trace c1b7be537b8a3b4a ]---
Kernel panic - not syncing: Fatal exception
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
* Re: Fwd: kernel BUG at lib/radix-tree.c:1008!
From: Matthew Wilcox @ 2017-06-08 3:03 UTC
To: Gene Blue; +Cc: hughd, linux-mm, viro, linux-fsdevel, syzkaller

On Thu, Jun 08, 2017 at 10:31:39AM +0800, Gene Blue wrote:
> kernel BUG at lib/radix-tree.c:1008!

Well, that's interesting. The BUG at that line is:

	BUG_ON(root_tags_get(root));

which indicates we just inserted an entry into the radix tree at root, and
found out that the entry was already tagged!

That shouldn't be happening. We clear the tags (all the way up to the root)
when deleting entries from the tree. Is this at all reproducible?

> invalid opcode: 0000 [#1] SMP KASAN
> Dumping ftrace buffer:
> (ftrace buffer empty)
> Modules linked in:
> CPU: 1 PID: 7809 Comm: syz-executor2 Not tainted 4.11.0-rc1 #7
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> task: ffff88006a1bdb40 task.stack: ffff88006b348000
> RIP: 0010:__radix_tree_insert+0x26b/0x2f0 lib/radix-tree.c:1008
> RSP: 0018:ffff88006b34f760 EFLAGS: 00010087
> RAX: ffff88006a1bdb40 RBX: 1ffff1000d669eee RCX: 0000000000000001
> RDX: 0000000000000000 RSI: ffffffff81bd50fb RDI: ffffc90004032000
> RBP: ffff88006b34f838 R08: 00000000000000fa R09: 0000000000010000
> R10: 0000000000000003 R11: ffff8800605b8ed0 R12: 0000000000000000
> R13: 1ffff1000c0b71da R14: 0000000000000000 R15: ffff8800605b8ed0
> FS: 00007f8722b38700(0000) GS:ffff88003ed00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000020001ff4 CR3: 000000003c6d6000 CR4: 00000000000006e0
> Call Trace:
> radix_tree_insert include/linux/radix-tree.h:297 [inline]
> shmem_add_to_page_cache+0x2fe/0x420 mm/shmem.c:591
> shmem_getpage_gfp.isra.49+0x110a/0x1c90 mm/shmem.c:1792
> shmem_fault+0x21f/0x690 mm/shmem.c:1985
> __do_fault+0x83/0x210 mm/memory.c:2888
> do_read_fault mm/memory.c:3270 [inline]
> do_fault mm/memory.c:3370 [inline]
> handle_pte_fault mm/memory.c:3600 [inline]
> __handle_mm_fault+0x8d5/0x1bc0 mm/memory.c:3714
> handle_mm_fault+0x1ea/0x4c0 mm/memory.c:3751
> __do_page_fault+0x508/0xb00 arch/x86/mm/fault.c:1397
> trace_do_page_fault+0x93/0x450 arch/x86/mm/fault.c:1490
> do_async_page_fault+0x14/0x60 arch/x86/kernel/kvm.c:264
> async_page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1014
> RIP: 0010:do_strncpy_from_user lib/strncpy_from_user.c:44 [inline]
> RIP: 0010:strncpy_from_user+0xa9/0x2b0 lib/strncpy_from_user.c:117
> RSP: 0018:ffff88006b34fdc0 EFLAGS: 00010246
> RAX: ffff88006a1bdb40 RBX: 0000000000000fe4 RCX: 0000000000000001
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc90004032000
> RBP: ffff88006b34fe00 R08: 0000000000000017 R09: 0000000000010000
> R10: ffff88003a9568ff R11: ffffed000752ad20 R12: 0000000000000fe4
> R13: 0000000020001ff4 R14: 0000000000000fe4 R15: fffffffffffffff2
> getname_flags+0x113/0x580 fs/namei.c:148
> getname+0x19/0x20 fs/namei.c:208
> do_sys_open+0x1c7/0x450 fs/open.c:1045
> SYSC_openat fs/open.c:1078 [inline]
> SyS_openat+0x30/0x40 fs/open.c:1072
> entry_SYSCALL_64_fastpath+0x1f/0xc2
> RIP: 0033:0x4458d9
> RSP: 002b:00007f8722b37b58 EFLAGS: 00000292 ORIG_RAX: 0000000000000101
> RAX: ffffffffffffffda RBX: 00000000007080a8 RCX: 00000000004458d9
> RDX: 0000000000010100 RSI: 0000000020001ff4 RDI: ffffffffffffff9c
> RBP: 0000000000000046 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
> R13: 0000000000000000 R14: 00007f8722b389c0 R15: 00007f8722b38700
> Code: 38 ca 7c 0d 45 84 c9 74 08 4c 89 ff e8 8f a5 97 ff 4c 8b 9d 30 ff ff
> ff 41 8b 03 c1 e8 1a 85 c0 0f 84 8b fe ff ff e8 15 52 78 ff <0f> 0b e8 0e
> 52 78 ff 49 8d 7d 03 48 b9 00 00 00 00 00 fc ff df
> RIP: __radix_tree_insert+0x26b/0x2f0 lib/radix-tree.c:1008 RSP:
> ffff88006b34f760
> ---[ end trace c1b7be537b8a3b4a ]---
> Kernel panic - not syncing: Fatal exception
> Dumping ftrace buffer:
> (ftrace buffer empty)
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
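The invariant Matthew describes, as an added illustration that is neither part of this thread nor the kernel's own code: a toy one-level radix tree in which each slot carries tag bits and the root keeps one summary bit per tag. Deleting an entry either clears its tags all the way up to the root (what the kernel does) or, on a constructed faulty path, forgets them, so the next insert into the empty tree finds a stale root tag, which is the condition behind BUG_ON(root_tags_get(root)). The names rt_insert, rt_tag_set, rt_delete and reinsert_after_delete, the slot count and the scenario are assumptions made for this example; only root_tags_get() and the BUG_ON come from the message.

```c
#include <stdio.h>
#include <stdlib.h>
#define RT_SLOTS    16  /* slots per node in this toy; the kernel uses 64 */
#define RT_MAX_TAGS 3   /* the kernel's radix tree has three tag bits per slot */

/* Toy one-level radix tree: per-slot tag bits live in the node, the root keeps
 * one summary bit per tag (what the kernel reads through root_tags_get()). */
struct rt_node {
	void     *slots[RT_SLOTS];
	unsigned  tags[RT_MAX_TAGS];  /* bit s of tags[t]: slot s carries tag t */
	unsigned  count;              /* occupied slots */
};

struct rt_root {
	unsigned        root_tags;    /* bit t set iff some slot below carries tag t */
	struct rt_node *node;         /* NULL while the tree is empty */
};

/* Mirrors the BUG_ONs at the end of __radix_tree_insert() (lib/radix-tree.c:1008
 * in 4.11): a slot being filled must carry no tag bits, and an entry going into
 * an empty tree must find the root summary clear. 0 = ok, -1 = violated, -2 = error. */
static int rt_insert(struct rt_root *root, unsigned index, void *item)
{
	struct rt_node *node; unsigned t;

	if (index >= RT_SLOTS || item == NULL)
		return -2;
	if (root->node == NULL) {
		if (root->root_tags != 0)   /* BUG_ON(root_tags_get(root)) */
			return -1;
		root->node = calloc(1, sizeof(*root->node));
		if (root->node == NULL)
			return -2;
	}
	node = root->node;
	if (node->slots[index] != NULL)
		return -2;
	for (t = 0; t < RT_MAX_TAGS; t++)
		if ((node->tags[t] >> index) & 1u)  /* the per-slot tag_get() checks */
			return -1;
	node->slots[index] = item;
	node->count++;
	return 0;
}

/* Setting a tag on a slot propagates it up into the root summary. */
static int rt_tag_set(struct rt_root *root, unsigned index, unsigned tag)
{
	if (root->node == NULL || index >= RT_SLOTS || tag >= RT_MAX_TAGS)
		return -2;
	root->node->tags[tag] |= 1u << index;
	root->root_tags |= 1u << tag;
	return 0;
}

/* Delete an entry. clear_tags != 0 does what the kernel does: drop the slot's
 * tag bits and, once no sibling slot still carries a tag, clear it in the root
 * too. clear_tags == 0 is a constructed faulty path that forgets the tags. */
static void *rt_delete(struct rt_root *root, unsigned index, int clear_tags)
{
	struct rt_node *node = root->node;
	void *item; unsigned t;

	if (node == NULL || index >= RT_SLOTS || node->slots[index] == NULL)
		return NULL;
	item = node->slots[index];
	node->slots[index] = NULL;
	node->count--;
	for (t = 0; clear_tags && t < RT_MAX_TAGS; t++) {
		node->tags[t] &= ~(1u << index);
		if (node->tags[t] == 0)
			root->root_tags &= ~(1u << t);
	}
	if (node->count == 0) {   /* last entry gone: free the node */
		free(node);
		root->node = NULL;
	}
	return item;
}

/* Insert, tag, delete, then re-insert into the empty tree. Returns 0 when the
 * delete cleared the tags and -1 when it left a stale root tag behind. */
int reinsert_after_delete(int clear_tags)
{
	struct rt_root root = { 0, NULL };
	static int page;   /* constructed stand-in for a page cache entry */
	int rc;

	rt_insert(&root, 0, &page);
	rt_tag_set(&root, 0, 1);
	rt_delete(&root, 0, clear_tags);
	rc = rt_insert(&root, 0, &page);
	rt_delete(&root, 0, 1);   /* tidy up */
	return rc;
}

int main(void)
{
	printf("delete clears tags, re-insert: %d\n", reinsert_after_delete(1));
	printf("delete leaks a tag, re-insert: %d\n", reinsert_after_delete(0));
	return 0;
}
```

The point of the two runs is that the stale tag is invisible to the insert path itself: the entry was removed correctly, only the summary bit survived, and the BUG_ON is the first place the inconsistency becomes observable. In the real tree the same check also fires when a tag is still set on a node slot further down, which is why the kernel checks both the node's slot bits and the root summary.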
* Re: Fwd: kernel BUG at lib/radix-tree.c:1008!
From: Gene Blue @ 2017-06-08 3:21 UTC
To: Matthew Wilcox; +Cc: hughd, linux-mm, viro, linux-fsdevel, syzkaller

Yes, this bug is reproducible.

2017-06-08 11:03 GMT+08:00 Matthew Wilcox <willy@infradead.org>:
> On Thu, Jun 08, 2017 at 10:31:39AM +0800, Gene Blue wrote:
> > kernel BUG at lib/radix-tree.c:1008!
>
> Well, that's interesting. The BUG at that line is:
>
> 	BUG_ON(root_tags_get(root));
>
> which indicates we just inserted an entry into the radix tree at root, and
> found out that the entry was already tagged!
>
> That shouldn't be happening. We clear the tags (all the way up to the
> root)
> when deleting entries from the tree. Is this at all reproducible?
>
> > invalid opcode: 0000 [#1] SMP KASAN
> > Dumping ftrace buffer:
> > (ftrace buffer empty)
> > Modules linked in:
> > CPU: 1 PID: 7809 Comm: syz-executor2 Not tainted 4.11.0-rc1 #7
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
> 01/01/2011
> > task: ffff88006a1bdb40 task.stack: ffff88006b348000
> > RIP: 0010:__radix_tree_insert+0x26b/0x2f0 lib/radix-tree.c:1008
> > RSP: 0018:ffff88006b34f760 EFLAGS: 00010087
> > RAX: ffff88006a1bdb40 RBX: 1ffff1000d669eee RCX: 0000000000000001
> > RDX: 0000000000000000 RSI: ffffffff81bd50fb RDI: ffffc90004032000
> > RBP: ffff88006b34f838 R08: 00000000000000fa R09: 0000000000010000
> > R10: 0000000000000003 R11: ffff8800605b8ed0 R12: 0000000000000000
> > R13: 1ffff1000c0b71da R14: 0000000000000000 R15: ffff8800605b8ed0
> > FS: 00007f8722b38700(0000) GS:ffff88003ed00000(0000)
> knlGS:0000000000000000
> > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 0000000020001ff4 CR3: 000000003c6d6000 CR4: 00000000000006e0
> > Call Trace:
> > radix_tree_insert include/linux/radix-tree.h:297 [inline]
> > shmem_add_to_page_cache+0x2fe/0x420 mm/shmem.c:591
> > shmem_getpage_gfp.isra.49+0x110a/0x1c90 mm/shmem.c:1792
> > shmem_fault+0x21f/0x690 mm/shmem.c:1985
> > __do_fault+0x83/0x210 mm/memory.c:2888
> > do_read_fault mm/memory.c:3270 [inline]
> > do_fault mm/memory.c:3370 [inline]
> > handle_pte_fault mm/memory.c:3600 [inline]
> > __handle_mm_fault+0x8d5/0x1bc0 mm/memory.c:3714
> > handle_mm_fault+0x1ea/0x4c0 mm/memory.c:3751
> > __do_page_fault+0x508/0xb00 arch/x86/mm/fault.c:1397
> > trace_do_page_fault+0x93/0x450 arch/x86/mm/fault.c:1490
> > do_async_page_fault+0x14/0x60 arch/x86/kernel/kvm.c:264
> > async_page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1014
> > RIP: 0010:do_strncpy_from_user lib/strncpy_from_user.c:44 [inline]
> > RIP: 0010:strncpy_from_user+0xa9/0x2b0 lib/strncpy_from_user.c:117
> > RSP: 0018:ffff88006b34fdc0 EFLAGS: 00010246
> > RAX: ffff88006a1bdb40 RBX: 0000000000000fe4 RCX: 0000000000000001
> > RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc90004032000
> > RBP: ffff88006b34fe00 R08: 0000000000000017 R09: 0000000000010000
> > R10: ffff88003a9568ff R11: ffffed000752ad20 R12: 0000000000000fe4
> > R13: 0000000020001ff4 R14: 0000000000000fe4 R15: fffffffffffffff2
> > getname_flags+0x113/0x580 fs/namei.c:148
> > getname+0x19/0x20 fs/namei.c:208
> > do_sys_open+0x1c7/0x450 fs/open.c:1045
> > SYSC_openat fs/open.c:1078 [inline]
> > SyS_openat+0x30/0x40 fs/open.c:1072
> > entry_SYSCALL_64_fastpath+0x1f/0xc2
> > RIP: 0033:0x4458d9
> > RSP: 002b:00007f8722b37b58 EFLAGS: 00000292 ORIG_RAX: 0000000000000101
> > RAX: ffffffffffffffda RBX: 00000000007080a8 RCX: 00000000004458d9
> > RDX: 0000000000010100 RSI: 0000000020001ff4 RDI: ffffffffffffff9c
> > RBP: 0000000000000046 R08: 0000000000000000 R09: 0000000000000000
> > R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
> > R13: 0000000000000000 R14: 00007f8722b389c0 R15: 00007f8722b38700
> > Code: 38 ca 7c 0d 45 84 c9 74 08 4c 89 ff e8 8f a5 97 ff 4c 8b 9d 30 ff
> ff
> > ff 41 8b 03 c1 e8 1a 85 c0 0f 84 8b fe ff ff e8 15 52 78 ff <0f> 0b e8 0e
> > 52 78 ff 49 8d 7d 03 48 b9 00 00 00 00 00 fc ff df
> > RIP: __radix_tree_insert+0x26b/0x2f0 lib/radix-tree.c:1008 RSP:
> > ffff88006b34f760
> > ---[ end trace c1b7be537b8a3b4a ]---
> > Kernel panic - not syncing: Fatal exception
> > Dumping ftrace buffer:
> > (ftrace buffer empty)
> > Kernel Offset: disabled
> > Rebooting in 86400 seconds..
>