From: Xingyu Li
Date: Wed, 28 Aug 2024 17:05:58 -0700
Subject: BUG: general protection fault in mtree_range_walk
To: Liam.Howlett@oracle.com, akpm@linux-foundation.org,
    maple-tree@lists.infradead.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Yu Hao

Hi,

We found a bug in Linux 6.10 using syzkaller. It is possibly a null pointer dereference bug. The bug report is as follows, but unfortunately there is no generated syzkaller reproducer.
Bug report:

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 4493 Comm: systemd-journal Not tainted 6.10.0 #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:mtree_range_walk+0x2e4/0x890 lib/maple_tree.c:2774
Code: 48 83 f8 01 0f 84 ba 00 00 00 e8 c7 0f a4 f6 49 83 c4 08 49 ff c6 48 8b 6c 24 10 eb a7 e8 b4 0f a4 f6 45 31 f6 e9 e5 00 00 00 <41> 80 3c 24 00 74 07 31 ff e8 be 1a 07 f7 4c 8b 2c 25 00 00 00 00
RSP: 0000:ffffc90002cc7c38 EFLAGS: 00010297
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000003 RSI: ffffffff8f0c3620 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000005 R09: ffffffff8aed3fbd
R10: 0000000000000003 R11: ffff8880202fbc00 R12: dffffc0000000000
R13: 0000000000000000 R14: ffffc90002cc7da8 R15: 0000000000000001
FS:  00007f9017010900(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9015c26c20 CR3: 00000000201f4000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 mas_state_walk lib/maple_tree.c:3678 [inline]
 mas_walk+0x7e/0x270 lib/maple_tree.c:4909
 lock_vma_under_rcu+0x22b/0x6d0 mm/memory.c:5841
 do_user_addr_fault+0x2ef/0x1190 arch/x86/mm/fault.c:1329
 handle_page_fault arch/x86/mm/fault.c:1481 [inline]
 exc_page_fault+0x7a/0x120 arch/x86/mm/fault.c:1539
 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7f90177c60be
Code: 40 38 00 00 00 00 4c 89 e8 48 f7 f1 48 8b 85 d8 00 00 00 48 c1 e2 04 48 01 d0 49 89 d5 48 8b 50 08 48 85 d2 0f 85 32 03 00 00 <4c> 89 00 48 8b 85 d8 00 00 00 4e 89 44 28 08 48 8b 85 d0 00 00 00
RSP: 002b:00007fffb2ac0810 EFLAGS: 00010246
RAX: 00007f9015c26c20 RBX: 00007fffb2ac0cf0 RCX: 000000000000acf8
RDX: 0000000000000000 RSI: 3833393d4449505f RDI: 00007f9015f76860
RBP: 000055d12aec0690 R08: 0000000000376820 R09: 0000000000376820
R10: 0000000000000002 R11: 7fffffffffffffff R12: 0000000000000009
R13: 0000000000025630 R14: 0000000000000000 R15: 00007fffb2ac0830
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:mtree_range_walk+0x2e4/0x890 lib/maple_tree.c:2774
Code: 48 83 f8 01 0f 84 ba 00 00 00 e8 c7 0f a4 f6 49 83 c4 08 49 ff c6 48 8b 6c 24 10 eb a7 e8 b4 0f a4 f6 45 31 f6 e9 e5 00 00 00 <41> 80 3c 24 00 74 07 31 ff e8 be 1a 07 f7 4c 8b 2c 25 00 00 00 00
RSP: 0000:ffffc90002cc7c38 EFLAGS: 00010297
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000003 RSI: ffffffff8f0c3620 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000005 R09: ffffffff8aed3fbd
R10: 0000000000000003 R11: ffff8880202fbc00 R12: dffffc0000000000
R13: 0000000000000000 R14: ffffc90002cc7da8 R15: 0000000000000001
FS:  00007f9017010900(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000563c4dcd61e0 CR3: 00000000201f4000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:   48 83 f8 01             cmp    $0x1,%rax
   4:   0f 84 ba 00 00 00       je     0xc4
   a:   e8 c7 0f a4 f6          call   0xf6a40fd6
   f:   49 83 c4 08             add    $0x8,%r12
  13:   49 ff c6                inc    %r14
  16:   48 8b 6c 24 10          mov    0x10(%rsp),%rbp
  1b:   eb a7                   jmp    0xffffffc4
  1d:   e8 b4 0f a4 f6          call   0xf6a40fd6
  22:   45 31 f6                xor    %r14d,%r14d
  25:   e9 e5 00 00 00          jmp    0x10f
* 2a:   41 80 3c 24 00          cmpb   $0x0,(%r12) <-- trapping instruction
  2f:   74 07                   je     0x38
  31:   31 ff                   xor    %edi,%edi
  33:   e8 be 1a 07 f7          call   0xf7071af6
  38:   4c 8b 2c 25 00 00 00    mov    0x0,%r13
  3f:   00

--
Yours sincerely,
Xingyu
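Added triage example, not part of Xingyu's report: the trapping instruction is cmpb $0x0,(%r12) with R12 = 0xdffffc0000000000, which is the KASAN shadow byte for address 0, so the CPU raises a general protection fault (the shadow address is non-canonical) while KASAN's non-canonical-address hook decodes it back to the null-pointer range [0x0-0x7] shown in the report. The shadow offset, 8-byte granule and 48-bit address width below are the x86_64 kernel defaults and are assumed here rather than read from the oops.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added triage example, not part of the bug report. The three constants are
 * the x86_64 kernel defaults (CONFIG_KASAN_SHADOW_OFFSET, one shadow byte per
 * 8 bytes, 48-bit virtual addresses) and are assumed, not read from the oops. */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define VA_BITS                  48

/* Address of the shadow byte KASAN checks before touching `addr`. */
uint64_t kasan_mem_to_shadow(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse: first of the 8 bytes that shadow byte `shadow` describes. */
uint64_t kasan_shadow_to_mem(uint64_t shadow)
{
    return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/* x86_64 canonical-form check: bits 63..47 must be all 0 or all 1.
 * Touching a non-canonical address raises #GP, not #PF, which is why the
 * oops says "general protection fault" instead of reporting a page fault. */
bool is_canonical(uint64_t addr)
{
    uint64_t top = addr >> (VA_BITS - 1);
    return top == 0 || top == (UINT64_MAX >> (VA_BITS - 1));
}

int main(void)
{
    /* R12 from the oops: the operand of the trapping "cmpb $0x0,(%r12)". */
    uint64_t r12 = 0xdffffc0000000000ULL;
    uint64_t mem = kasan_shadow_to_mem(r12);

    printf("R12 %#llx is %scanonical\n", (unsigned long long)r12,
           is_canonical(r12) ? "" : "non-");
    printf("it is the KASAN shadow byte for [%#llx-%#llx]\n",
           (unsigned long long)mem,
           (unsigned long long)(mem + (1 << KASAN_SHADOW_SCALE_SHIFT) - 1));
    return 0;
}
```

The same decoding applied to R11 (0xffff8880202fbc00, a direct-map address) or FS (0x00007f9017010900, a user address) returns canonical, which is the quick way to tell a shadow-address GPF apart from a genuine wild pointer.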