From: Jann Horn
Date: Mon, 9 Dec 2024 14:35:27 +0100
Subject: Re: [syzbot] [mm?] general protection fault in find_mergeable_anon_vma
To: Lorenzo Stoakes
Cc: syzbot, Liam.Howlett@oracle.com, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, vbabka@suse.cz
References: <6756d273.050a0220.2477f.003d.GAE@google.com> <1b8b5d54-d667-4ca9-b831-bee4b4e74c40@lucifer.local>
In-Reply-To: <1b8b5d54-d667-4ca9-b831-bee4b4e74c40@lucifer.local>

On Mon, Dec 9, 2024 at 1:53 PM Lorenzo Stoakes wrote:
> On Mon, Dec 09, 2024 at 03:20:19AM -0800, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    feffde684ac2 Merge tag 'for-6.13-rc1-tag' of git://git.ker..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=17f85fc0580000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=50c7a61469ce77e7
> > dashboard link: https://syzkaller.appspot.com/bug?extid=2d788f4f7cb660dac4b7
> > compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> >
> > Unfortunately, I don't have any reproducer for this issue yet.
>
> Points to this being racey.
> >
> > Downloadable assets:
> > disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-feffde68.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/6135c7297e8e/vmlinux-feffde68.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/6c154fdcc9cb/bzImage-feffde68.xz
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+2d788f4f7cb660dac4b7@syzkaller.appspotmail.com
> >
> > Oops: general protection fault, probably for non-canonical address 0xdffffc0000000080: 0000 [#1] PREEMPT SMP KASAN NOPTI
> > KASAN: null-ptr-deref in range [0x0000000000000400-0x0000000000000407]
>
> This doesn't make a huge amount of sense to me, the VMA is not 0x400 (1,024)
> bytes in size... and the actual faulting offset seems to be 0xdffffc0000000080
> which is 0x80 off from some KASAN-specified value?

If you look at the disassembly, you can see this:

  13:   4d 89 ec                mov    %r13,%r12
  16:   49 c1 ec 03             shr    $0x3,%r12
  1a:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
  21:   fc ff df
* 24:   41 80 3c 04 00          cmpb   $0x0,(%r12,%rax,1)    <-- trapping instruction

R13 is 0000000000000406, that's the address we're about to access.

This code is trying to read KASAN shadow memory for that address by
reading from 0xdffffc0000000000+address>>3, which for real kernel
addresses gives you an address in the "KASAN shadow memory" range (see
https://kernel.org/doc/html/latest/arch/x86/x86_64/mm.html), but for
addresses in the low half of the address space gives you non-canonical
addresses starting with 0xdfff that cause #GP on access.

The second line "KASAN: null-ptr-deref in range
[0x0000000000000400-0x0000000000000407]" is basically computed by
doing that calculation in reverse.

> This would be vma->vm_file. But that also doesn't really make any sense.
>
> But I wonder...
>
> I see in the report at [0] that there's a failure injection in vm_area_dup() on
> fork:
>
> [   73.842623][ T5318]  ? kmem_cache_alloc_noprof+0x48/0x380
> [   73.844725][ T5318]  ? __pfx___might_resched+0x10/0x10
> [   73.846687][ T5318]  should_fail_ex+0x3b0/0x4e0
> [   73.848496][ T5318]  should_failslab+0xac/0x100
> [   73.850232][ T5318]  ? vm_area_dup+0x27/0x290
> [   73.852017][ T5318]  kmem_cache_alloc_noprof+0x70/0x380
> [   73.854011][ T5318]  vm_area_dup+0x27/0x290
> [   73.855771][ T5318]  copy_mm+0xc1d/0x1f90
>
> I also see in the fork logic we have the following code on error path:
>
>         mas_set_range(&vmi.mas, mpnt->vm_start, mpnt->vm_end - 1);
>         mas_store(&vmi.mas, XA_ZERO_ENTRY);
>
> And XA_ZERO_ENTRY is 0x406. That matches...
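The shadow arithmetic from the reply, worked through as an added example that is not part of the thread: it applies the forward calculation to the R13 value, checks whether the resulting shadow address is canonical, runs the calculation in reverse to recover the range KASAN printed, and derives the 0x406 value from XA_ZERO_ENTRY's definition. The shadow offset and the shift come from the disassembly quoted above; the XA_ZERO_ENTRY definition (xa_mk_internal(257), i.e. (v << 2) | 2) is re-typed from the kernel's xarray.h rather than taken from this page.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Generic KASAN on x86-64: one shadow byte per 8 bytes of memory, located at
 * KASAN_SHADOW_OFFSET + (addr >> 3). Both constants match the disassembly. */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3

/* Shadow byte address the instrumented load checks before touching addr. */
uint64_t kasan_shadow_addr(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* x86-64 canonical-form check: bits 63..47 must be all zero or all one. */
bool is_canonical(uint64_t addr)
{
    uint64_t top = addr >> 47;
    return top == 0 || top == 0x1ffff;
}

/* Reverse of kasan_shadow_addr(): first byte covered by the faulting shadow byte. */
uint64_t kasan_range_start(uint64_t shadow)
{
    return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/* Last byte of that 8-byte granule; KASAN prints [start-end] in its report. */
uint64_t kasan_range_end(uint64_t shadow)
{
    return kasan_range_start(shadow) + (1ULL << KASAN_SHADOW_SCALE_SHIFT) - 1;
}

/* XA_ZERO_ENTRY as defined in the kernel's xarray.h: xa_mk_internal(257). */
uint64_t xa_zero_entry(void)
{
    return (257ULL << 2) | 2;
}

int main(void)
{
    uint64_t r13 = xa_zero_entry();          /* the "pointer" that got dereferenced */
    uint64_t shadow = kasan_shadow_addr(r13);
    printf("access 0x%" PRIx64 " -> shadow 0x%" PRIx64 " (%s)\n", r13, shadow,
           is_canonical(shadow) ? "canonical" : "non-canonical, #GP on access");
    printf("reported range [0x%016" PRIx64 "-0x%016" PRIx64 "]\n",
           kasan_range_start(shadow), kasan_range_end(shadow));
    return 0;
}
```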