From: Xingyu Li
Date: Wed, 28 Aug 2024 16:07:05 -0700
Subject: BUG: general protection fault in mmap_region
To: akpm@linux-foundation.org, Liam.Howlett@oracle.com, vbabka@suse.cz, lorenzo.stoakes@oracle.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Cc: Yu Hao

Hi,

We found a bug in Linux 6.6 using syzkaller. It is possibly a null pointer dereference bug.

The reproducer is https://gist.github.com/freexxxyyy/67b082078a6d4da117013f0f269bf7cc

The bug report is:

Syzkaller hit 'general protection fault in mmap_region' bug.
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 8267 Comm: apt-helper Not tainted 6.6.0 #9
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:__rb_insert lib/rbtree.c:115 [inline]
RIP: 0010:__rb_insert_augmented+0x78/0x8e0 lib/rbtree.c:459
Code: ea 48 c1 ea 03 42 80 3c 2a 00 0f 85 7f 05 00 00 4c 8b 65 00 41 f6 c4 01 0f 85 2f 05 00 00 4d 8d 44 24 08 4c 89 c2 48 c1 ea 03 <42> 80 3c 2a 00 0f 85 6f 05 00 00 4d 8b 74 24 08 49 39 ee 0f 84 77
RSP: 0018:ffffc9000962f8b0 EFLAGS: 00010202
RAX: ffff888018b5add8 RBX: ffff88802e724e40 RCX: 1ffff11005ce49c8
RDX: 0000000000000001 RSI: ffff888018b5add8 RDI: ffff88802e724e40
RBP: ffff88802bf80f40 R08: 0000000000000008 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff888024c55680 R15: ffffffff81c875b0
FS:  0000000000000000(0000) GS:ffff888063600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055622b1160c0 CR3: 000000002afe6000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 mmap_region+0x1466/0x2800 mm/mmap.c:2846
 do_mmap+0x86f/0xee0 mm/mmap.c:1374
 vm_mmap_pgoff+0x1a8/0x3b0 mm/util.c:546
 vm_mmap+0x96/0xc0 mm/util.c:565
 elf_map+0x118/0x320 fs/binfmt_elf.c:395
 load_elf_interp fs/binfmt_elf.c:637 [inline]
 load_elf_binary+0x32ab/0x50b0 fs/binfmt_elf.c:1249
 search_binary_handler fs/exec.c:1739 [inline]
 exec_binprm fs/exec.c:1781 [inline]
 bprm_execve fs/exec.c:1856 [inline]
 bprm_execve+0x7f5/0x1990 fs/exec.c:1812
 do_execveat_common.isra.0+0x5e8/0x760 fs/exec.c:1964
 do_execve fs/exec.c:2038 [inline]
 __do_sys_execve fs/exec.c:2114 [inline]
 __se_sys_execve fs/exec.c:2109 [inline]
 __x64_sys_execve+0x8c/0xb0 fs/exec.c:2109
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x40/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x6f/0xd9
RIP: 0033:0x7f507cc66c47
Code: Unable to access opcode bytes at 0x7f507cc66c1d.
RSP: 002b:00007ffe880488a8 EFLAGS: 00000246 ORIG_RAX: 000000000000003b
RAX: ffffffffffffffda RBX: 00005621cb93a230 RCX: 00007f507cc66c47
RDX: 00005621cba830b0 RSI: 00005621cb9ed600 RDI: 00005621cb911990
RBP: 00007ffe88048aa0 R08: 00005621cb8b13e0 R09: 0000000000000000
R10: 00005621cb93ef40 R11: 0000000000000246 R12: 00005621cb9ed600
R13: 0000000000000000 R14: 00005621cb961ba0 R15: 00005621cb9ed600
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__rb_insert lib/rbtree.c:115 [inline]
RIP: 0010:__rb_insert_augmented+0x78/0x8e0 lib/rbtree.c:459
Code: ea 48 c1 ea 03 42 80 3c 2a 00 0f 85 7f 05 00 00 4c 8b 65 00 41 f6 c4 01 0f 85 2f 05 00 00 4d 8d 44 24 08 4c 89 c2 48 c1 ea 03 <42> 80 3c 2a 00 0f 85 6f 05 00 00 4d 8b 74 24 08 49 39 ee 0f 84 77
RSP: 0018:ffffc9000962f8b0 EFLAGS: 00010202
RAX: ffff888018b5add8 RBX: ffff88802e724e40 RCX: 1ffff11005ce49c8
RDX: 0000000000000001 RSI: ffff888018b5add8 RDI: ffff88802e724e40
RBP: ffff88802bf80f40 R08: 0000000000000008 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff888024c55680 R15: ffffffff81c875b0
FS:  0000000000000000(0000) GS:ffff888063600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f012fc22f70 CR3: 000000002afe6000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	48 c1 ea 03          	shr    $0x3,%rdx
   4:	42 80 3c 2a 00       	cmpb   $0x0,(%rdx,%r13,1)
   9:	0f 85 7f 05 00 00    	jne    0x58e
   f:	4c 8b 65 00          	mov    0x0(%rbp),%r12
  13:	41 f6 c4 01          	test   $0x1,%r12b
  17:	0f 85 2f 05 00 00    	jne    0x54c
  1d:	4d 8d 44 24 08       	lea    0x8(%r12),%r8
  22:	4c 89 c2             	mov    %r8,%rdx
  25:	48 c1 ea 03          	shr    $0x3,%rdx
* 29:	42 80 3c 2a 00       	cmpb   $0x0,(%rdx,%r13,1) <-- trapping instruction
  2e:	0f 85 6f 05 00 00    	jne    0x5a3
  34:	4d 8b 74 24 08       	mov    0x8(%r12),%r14
  39:	49 39 ee             	cmp    %rbp,%r14
  3c:	0f                   	.byte 0xf
  3d:	84                   	.byte 0x84
  3e:	77                   	.byte 0x77

--
Yours sincerely,
Xingyu
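Added example (editor's note, not part of the report above and not Linux source): how the "non-canonical address 0xdffffc0000000001" in the oops becomes KASAN's "null-ptr-deref in range [0x8-0xf]". Generic KASAN on x86-64 keeps one shadow byte per 8-byte granule at shadow(A) = (A >> 3) + 0xdffffc0000000000, and the inlined check before every load is a byte compare at that shadow address. In the disassembly above that compare is `cmpb $0x0,(%rdx,%r13,1)` with R13 = 0xdffffc0000000000, RDX = R8 >> 3 and R8 = R12 + 8 where R12 = 0, i.e. the guarded access is a read at offset 8 from a NULL pointer (the `mov 0x8(%r12),%r14` that follows). The shadow address for 8 is itself non-canonical, so the CPU raises a #GP there, and the kernel's report code maps it back to the original granule. The C below reimplements that forward and reverse mapping and the three bug-type labels as I recall them from mm/kasan/report.c; the constants (shadow offset, PAGE_SIZE, TASK_SIZE_MAX) are the x86-64 4-level-paging values and are assumptions stated in the code, not values read from a running kernel. Function and struct names are mine.

```c
/*
 * Editor's example, not from the report or the kernel tree: decode the address
 * of an x86-64 KASAN general protection fault back to the access KASAN was
 * checking, the way mm/kasan/report.c prints "KASAN: <type> in range [a-b]".
 *
 * Assumptions (x86-64, 4-level paging, generic KASAN):
 *   shadow(A) = (A >> 3) + KASAN_SHADOW_OFFSET
 *   null-ptr-deref if the decoded address is below PAGE_SIZE,
 *   user access if below TASK_SIZE_MAX, otherwise a wild access.
 */
#include <assert.h>
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_GRANULE_SIZE       (1ULL << KASAN_SHADOW_SCALE_SHIFT)
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL  /* x86-64 value, assumed */
#define PAGE_SIZE                0x1000ULL
#define TASK_SIZE_MAX            ((1ULL << 47) - PAGE_SIZE) /* 4-level paging, assumed */

struct kasan_decoded {
	uint64_t shadow_addr;  /* the address that actually faulted */
	uint64_t start;        /* first byte of the guarded 8-byte granule */
	uint64_t end;          /* last byte of that granule */
	const char *bug_type;  /* label as the kernel would print it */
};

/* Forward map: shadow byte guarding address addr. */
uint64_t kasan_mem_to_shadow(uint64_t addr)
{
	return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Reverse map: first byte of the granule guarded by shadow byte shadow. */
uint64_t kasan_shadow_to_mem(uint64_t shadow)
{
	return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/*
 * Effective address of the inlined x86 check "cmpb $0x0,(%rdx,%r13,1)":
 * base RDX plus index R13 (scale 1), taken straight from the register dump.
 */
uint64_t kasan_shadow_from_cmpb(uint64_t rdx, uint64_t r13)
{
	return rdx + r13;
}

/*
 * Mirrors the kernel's non-canonical-address hook: anything below the shadow
 * offset cannot be a shadow access (return false, *out untouched); otherwise
 * decode the granule and classify it by where the original address lies.
 */
bool kasan_decode_gpf(uint64_t fault_addr, struct kasan_decoded *out)
{
	if (fault_addr < KASAN_SHADOW_OFFSET)
		return false;

	uint64_t orig = kasan_shadow_to_mem(fault_addr);

	out->shadow_addr = fault_addr;
	out->start = orig;
	out->end = orig + KASAN_GRANULE_SIZE - 1;
	if (orig < PAGE_SIZE)
		out->bug_type = "null-ptr-deref";
	else if (orig < TASK_SIZE_MAX)
		out->bug_type = "probably user-memory-access";
	else
		out->bug_type = "maybe wild-memory-access";
	return true;
}

int main(void)
{
	/* Register values copied from the oops in the report above. */
	const uint64_t rdx = 0x0000000000000001ULL;
	const uint64_t r13 = 0xdffffc0000000000ULL;
	const uint64_t r12 = 0x0000000000000000ULL;
	struct kasan_decoded d;

	if (!kasan_decode_gpf(kasan_shadow_from_cmpb(rdx, r13), &d)) {
		puts("fault address is not in KASAN shadow");
		return 1;
	}
	printf("GPF at 0x%016" PRIx64 ": KASAN %s in range [0x%016" PRIx64 "-0x%016" PRIx64 "]\n",
	       d.shadow_addr, d.bug_type, d.start, d.end);
	/* Cross-check with "lea 0x8(%r12),%r8": the guarded load is R12 + 8. */
	printf("guarded access: 0x%016" PRIx64 " (R12 + 8)\n", r12 + 8);
	return 0;
}
```

Run against the register values from the oops this prints range [0x8-0xf] with type null-ptr-deref, matching the KASAN line in the report; feeding it the user-space RIP from the same dump (0x7f507cc66c47) through kasan_mem_to_shadow() instead yields a "probably user-memory-access" label, which is the quick way to tell a NULL-based access from a stray user pointer when all you have is the #GP address.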