* [syzbot] [mm?] general protection fault in mas_store_prealloc
@ 2024-11-17 10:42 syzbot
2024-11-17 18:49 ` Lorenzo Stoakes
` (2 more replies)
0 siblings, 3 replies; 11+ messages in thread
From: syzbot @ 2024-11-17 10:42 UTC (permalink / raw)
To: Liam.Howlett, akpm, jannh, linux-kernel, linux-mm,
lorenzo.stoakes, syzkaller-bugs, vbabka
Hello,
syzbot found the following issue on:
HEAD commit: 8e9a54d7181b Merge remote-tracking branch 'iommu/arm/smmu'..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=17b0ace8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a1eb85a42cb8ccec
dashboard link: https://syzkaller.appspot.com/bug?extid=bc6bfc25a68b7a020ee1
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=147521a7980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=102e14c0580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ad658fb4d0a2/disk-8e9a54d7.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1b7754fa8c67/vmlinux-8e9a54d7.xz
kernel image: https://storage.googleapis.com/syzbot-assets/50315382fefb/Image-8e9a54d7.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+bc6bfc25a68b7a020ee1@syzkaller.appspotmail.com
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
Unable to handle kernel paging request at virtual address dfff800000000001
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
Mem abort info:
ESR = 0x0000000096000005
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x05: level 1 translation fault
Data abort info:
ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfff800000000001] address between user and kernel address ranges
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 UID: 0 PID: 6421 Comm: syz-executor374 Not tainted 6.12.0-rc7-syzkaller-g8e9a54d7181b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : mt_slot_locked lib/maple_tree.c:795 [inline]
pc : mas_slot_locked lib/maple_tree.c:808 [inline]
pc : mas_store_prealloc+0x870/0x1068 lib/maple_tree.c:5514
lr : mt_slot_locked lib/maple_tree.c:795 [inline]
lr : mas_slot_locked lib/maple_tree.c:808 [inline]
lr : mas_store_prealloc+0x778/0x1068 lib/maple_tree.c:5514
sp : ffff8000a3e57440
x29: ffff8000a3e57560 x28: ffff8000a3e574c0 x27: dfff800000000000
x26: ffff7000147cae94 x25: 0000000000000008 x24: 0000000000000000
x23: 0000000000000008 x22: ffff0000daed1040 x21: 0000000000000008
x20: ffff8000a3e578e0 x19: 0000000000000000 x18: 0000000000000008
x17: 0000000000000000 x16: ffff800080585ea8 x15: 0000000000000009
x14: 1ffff000147cae99 x13: 0000000000000000 x12: 0000000000000000
x11: ffff7000147caea2 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : 0000000000000001 x7 : 0000000000000000 x6 : 0000000000000001
x5 : ffff8000a3e565f8 x4 : 0000000000000008 x3 : ffff80008b4208f0
x2 : ffffffffffffffc0 x1 : 0000000000000001 x0 : 0000000000000000
Call trace:
mt_slot_locked lib/maple_tree.c:795 [inline] (P)
mas_slot_locked lib/maple_tree.c:808 [inline] (P)
mas_store_prealloc+0x870/0x1068 lib/maple_tree.c:5514 (P)
mt_slot_locked lib/maple_tree.c:795 [inline] (L)
mas_slot_locked lib/maple_tree.c:808 [inline] (L)
mas_store_prealloc+0x778/0x1068 lib/maple_tree.c:5514 (L)
vma_iter_store+0x2e8/0x81c mm/vma.h:476
__mmap_region mm/mmap.c:1513 [inline]
mmap_region+0x1650/0x1d44 mm/mmap.c:1603
do_mmap+0x8c4/0xfac mm/mmap.c:496
vm_mmap_pgoff+0x1a0/0x38c mm/util.c:588
ksys_mmap_pgoff+0x3a4/0x5c8 mm/mmap.c:542
__do_sys_mmap arch/arm64/kernel/sys.c:28 [inline]
__se_sys_mmap arch/arm64/kernel/sys.c:21 [inline]
__arm64_sys_mmap+0xf8/0x110 arch/arm64/kernel/sys.c:21
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
Code: 393b2668 972c43de 8b180ef5 d343fea8 (387b6908)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 393b2668 strb w8, [x19, #3785]
4: 972c43de bl 0xfffffffffcb10f7c
8: 8b180ef5 add x21, x23, x24, lsl #3
c: d343fea8 lsr x8, x21, #3
* 10: 387b6908 ldrb w8, [x8, x27] <-- trapping instruction
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 11+ messages in thread
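The two lines that matter for triage are "Unable to handle kernel paging request at virtual address dfff800000000001" and the "KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]" line that follows it. The first is the hardware fault, the second is the kernel translating that fault back into the address the code was really touching. With generic KASAN, every 8-byte granule of kernel memory has one shadow byte at (addr >> 3) + KASAN_SHADOW_OFFSET, and the trapping instruction in the disassembly, `ldrb w8, [x8, x27]`, is that shadow-byte load: x8 = 1 is 8 >> 3 and x27 = 0xdfff800000000000 is the shadow offset, so the shadow address dfff800000000001 decodes to an 8-byte access at address 8, i.e. a NULL pointer plus a small offset, not a random wild pointer. The script below is an added example, written here for this thread, not code from syzbot or from the kernel tree; it redoes that arithmetic (the kernel does the same in kasan_non_canonical_hook() when it prints the KASAN line) and classifies the result the way the kernel does. The shadow offset is taken from x27 in the register dump above; PAGE_SIZE and TASK_SIZE are assumed typical arm64 4K-page, 48-bit-VA values and would need checking against the .config for a different build.

```python
"""Decode an arm64 generic-KASAN shadow fault back to the original access.

Added example, not part of the syzbot report or the kernel source.  Given
the faulting virtual address from an Oops, it recovers the 8-byte granule
the kernel was actually accessing and labels it the way the kernel's
"KASAN: ... in range [...]" line does.
"""
import re

# Constants assumed for this example.  The shadow offset is the value seen in
# x27 in the register dump above; it is a Kconfig choice, so confirm it in the
# .config of the build being analysed.  PAGE_SIZE and TASK_SIZE are typical
# arm64 4K-page / 48-bit-VA values (also assumptions).
KASAN_SHADOW_SCALE_SHIFT = 3
KASAN_GRANULE_SIZE = 1 << KASAN_SHADOW_SCALE_SHIFT
KASAN_SHADOW_OFFSET = 0xDFFF800000000000
PAGE_SIZE = 4096
TASK_SIZE = 1 << 48


def access_to_shadow(addr):
    """Shadow byte that KASAN loads before an access to `addr`."""
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET


def shadow_to_access_range(shadow_addr):
    """Invert the mapping: (first, last) byte of the granule that one shadow
    byte covers, or None if the address is below the shadow region."""
    if shadow_addr < KASAN_SHADOW_OFFSET:
        return None
    start = (shadow_addr - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT
    return start, start + KASAN_GRANULE_SIZE - 1


def classify(access_addr):
    """Three-way split used in the kernel's KASAN summary line."""
    if access_addr < PAGE_SIZE:
        return "null-ptr-deref"
    if access_addr < TASK_SIZE:
        return "user-memory-access"
    return "wild-memory-access"


FAULT_RE = re.compile(
    r"Unable to handle kernel paging request at virtual address ([0-9a-f]+)"
)


def decode_oops(text):
    """Find the faulting VA in an Oops and rebuild the KASAN summary line.

    Returns None when no fault line is present or when the fault address is
    not a shadow address, i.e. the crash is an ordinary bad pointer rather
    than a failed shadow check.
    """
    m = FAULT_RE.search(text)
    if not m:
        return None
    rng = shadow_to_access_range(int(m.group(1), 16))
    if rng is None:
        return None
    lo, hi = rng
    return f"KASAN: {classify(lo)} in range [0x{lo:016x}-0x{hi:016x}]"


# Sample input: the two relevant lines copied from the report above.
SAMPLE_OOPS = """\
Unable to handle kernel paging request at virtual address dfff800000000001
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
"""

if __name__ == "__main__":
    print(decode_oops(SAMPLE_OOPS))
```

Running it on the two sample lines reproduces the kernel's own "null-ptr-deref in range [0x0000000000000008-0x000000000000000f]" verdict, which is the quick check worth doing on any arm64 fault at an address in the 0xdfff8... region before spending time on the backtrace: if the address is below KASAN_SHADOW_OFFSET the function returns None and the crash is a plain bad dereference, not a shadow-check fault.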
* Re: [syzbot] [mm?] general protection fault in mas_store_prealloc
From: Lorenzo Stoakes @ 2024-11-17 18:49 UTC (permalink / raw)
To: syzbot
Cc: Liam.Howlett, akpm, jannh, linux-kernel, linux-mm,
syzkaller-bugs, vbabka
On Sun, Nov 17, 2024 at 02:42:26AM -0800, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 8e9a54d7181b Merge remote-tracking branch 'iommu/arm/smmu'..
Will take a look properly tomorrow, but this commit doesn't exist in the
tree any more.
Let's try this again in the actual existing branch...
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> console output: https://syzkaller.appspot.com/x/log.txt?x=17b0ace8580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=a1eb85a42cb8ccec
> dashboard link: https://syzkaller.appspot.com/bug?extid=bc6bfc25a68b7a020ee1
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> userspace arch: arm64
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=147521a7980000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=102e14c0580000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/ad658fb4d0a2/disk-8e9a54d7.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/1b7754fa8c67/vmlinux-8e9a54d7.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/50315382fefb/Image-8e9a54d7.gz.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+bc6bfc25a68b7a020ee1@syzkaller.appspotmail.com
>
> __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
> invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
> el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
> do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
> el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
> el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
> el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
> Unable to handle kernel paging request at virtual address dfff800000000001
> KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
> Mem abort info:
> ESR = 0x0000000096000005
> EC = 0x25: DABT (current EL), IL = 32 bits
> SET = 0, FnV = 0
> EA = 0, S1PTW = 0
> FSC = 0x05: level 1 translation fault
> Data abort info:
> ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
> CM = 0, WnR = 0, TnD = 0, TagAccess = 0
> GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
> [dfff800000000001] address between user and kernel address ranges
> Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
> Modules linked in:
> CPU: 1 UID: 0 PID: 6421 Comm: syz-executor374 Not tainted 6.12.0-rc7-syzkaller-g8e9a54d7181b #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
> pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : mt_slot_locked lib/maple_tree.c:795 [inline]
> pc : mas_slot_locked lib/maple_tree.c:808 [inline]
> pc : mas_store_prealloc+0x870/0x1068 lib/maple_tree.c:5514
> lr : mt_slot_locked lib/maple_tree.c:795 [inline]
> lr : mas_slot_locked lib/maple_tree.c:808 [inline]
> lr : mas_store_prealloc+0x778/0x1068 lib/maple_tree.c:5514
> sp : ffff8000a3e57440
> x29: ffff8000a3e57560 x28: ffff8000a3e574c0 x27: dfff800000000000
> x26: ffff7000147cae94 x25: 0000000000000008 x24: 0000000000000000
> x23: 0000000000000008 x22: ffff0000daed1040 x21: 0000000000000008
> x20: ffff8000a3e578e0 x19: 0000000000000000 x18: 0000000000000008
> x17: 0000000000000000 x16: ffff800080585ea8 x15: 0000000000000009
> x14: 1ffff000147cae99 x13: 0000000000000000 x12: 0000000000000000
> x11: ffff7000147caea2 x10: 0000000000ff0100 x9 : 0000000000000000
> x8 : 0000000000000001 x7 : 0000000000000000 x6 : 0000000000000001
> x5 : ffff8000a3e565f8 x4 : 0000000000000008 x3 : ffff80008b4208f0
> x2 : ffffffffffffffc0 x1 : 0000000000000001 x0 : 0000000000000000
> Call trace:
> mt_slot_locked lib/maple_tree.c:795 [inline] (P)
> mas_slot_locked lib/maple_tree.c:808 [inline] (P)
> mas_store_prealloc+0x870/0x1068 lib/maple_tree.c:5514 (P)
> mt_slot_locked lib/maple_tree.c:795 [inline] (L)
> mas_slot_locked lib/maple_tree.c:808 [inline] (L)
> mas_store_prealloc+0x778/0x1068 lib/maple_tree.c:5514 (L)
> vma_iter_store+0x2e8/0x81c mm/vma.h:476
> __mmap_region mm/mmap.c:1513 [inline]
> mmap_region+0x1650/0x1d44 mm/mmap.c:1603
> do_mmap+0x8c4/0xfac mm/mmap.c:496
> vm_mmap_pgoff+0x1a0/0x38c mm/util.c:588
> ksys_mmap_pgoff+0x3a4/0x5c8 mm/mmap.c:542
> __do_sys_mmap arch/arm64/kernel/sys.c:28 [inline]
> __se_sys_mmap arch/arm64/kernel/sys.c:21 [inline]
> __arm64_sys_mmap+0xf8/0x110 arch/arm64/kernel/sys.c:21
> __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
> invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
> el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
> do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
> el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
> el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
> el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
> Code: 393b2668 972c43de 8b180ef5 d343fea8 (387b6908)
> ---[ end trace 0000000000000000 ]---
> ----------------
> Code disassembly (best guess):
> 0: 393b2668 strb w8, [x19, #3785]
> 4: 972c43de bl 0xfffffffffcb10f7c
> 8: 8b180ef5 add x21, x23, x24, lsl #3
> c: d343fea8 lsr x8, x21, #3
> * 10: 387b6908 ldrb w8, [x8, x27] <-- trapping instruction
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
* Re: [syzbot] [mm?] general protection fault in mas_store_prealloc
From: syzbot @ 2024-11-17 20:32 UTC (permalink / raw)
To: akpm, jannh, liam.howlett, linux-kernel, linux-mm,
lorenzo.stoakes, syzkaller-bugs, vbabka
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel paging request in mas_store_prealloc
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
Unable to handle kernel paging request at virtual address dfff800000000001
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
Mem abort info:
ESR = 0x0000000096000005
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x05: level 1 translation fault
Data abort info:
ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfff800000000001] address between user and kernel address ranges
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 UID: 0 PID: 16112 Comm: syz.0.4215 Not tainted 6.12.0-rc7-syzkaller-00234-g887407160d72 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : mt_slot_locked lib/maple_tree.c:795 [inline]
pc : mas_slot_locked lib/maple_tree.c:808 [inline]
pc : mas_store_prealloc+0x870/0x1068 lib/maple_tree.c:5514
lr : mt_slot_locked lib/maple_tree.c:795 [inline]
lr : mas_slot_locked lib/maple_tree.c:808 [inline]
lr : mas_store_prealloc+0x778/0x1068 lib/maple_tree.c:5514
sp : ffff80009c667440
x29: ffff80009c667560 x28: ffff80009c6674c0 x27: dfff800000000000
x26: ffff7000138cce94 x25: 0000000000000008 x24: 0000000000000000
x23: 0000000000000008 x22: ffff0000dc74f840 x21: 0000000000000008
x20: ffff80009c6678e0 x19: 0000000000000000 x18: 0000000000000008
x17: 0000000000000000 x16: ffff800080585ea8 x15: 0000000000000009
x14: 1ffff000138cce99 x13: 0000000000000000 x12: 0000000000000000
x11: ffff7000138ccea2 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : 0000000000000001 x7 : 0000000000000000 x6 : 00000000003bbda8
x5 : ffff80009c6665f8 x4 : 0000000000000008 x3 : ffff80008b4208f0
x2 : ffffffffffffffc0 x1 : 0000000000000001 x0 : 0000000000000000
Call trace:
mt_slot_locked lib/maple_tree.c:795 [inline] (P)
mas_slot_locked lib/maple_tree.c:808 [inline] (P)
mas_store_prealloc+0x870/0x1068 lib/maple_tree.c:5514 (P)
mt_slot_locked lib/maple_tree.c:795 [inline] (L)
mas_slot_locked lib/maple_tree.c:808 [inline] (L)
mas_store_prealloc+0x778/0x1068 lib/maple_tree.c:5514 (L)
vma_iter_store+0x2e8/0x81c mm/vma.h:476
__mmap_region mm/mmap.c:1513 [inline]
mmap_region+0x1650/0x1d44 mm/mmap.c:1603
do_mmap+0x8c4/0xfac mm/mmap.c:496
vm_mmap_pgoff+0x1a0/0x38c mm/util.c:588
ksys_mmap_pgoff+0x3a4/0x5c8 mm/mmap.c:542
__do_sys_mmap arch/arm64/kernel/sys.c:28 [inline]
__se_sys_mmap arch/arm64/kernel/sys.c:21 [inline]
__arm64_sys_mmap+0xf8/0x110 arch/arm64/kernel/sys.c:21
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
Code: 393b2668 972c43de 8b180ef5 d343fea8 (387b6908)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 393b2668 strb w8, [x19, #3785]
4: 972c43de bl 0xfffffffffcb10f7c
8: 8b180ef5 add x21, x23, x24, lsl #3
c: d343fea8 lsr x8, x21, #3
* 10: 387b6908 ldrb w8, [x8, x27] <-- trapping instruction
Tested on:
commit: 88740716 Merge remote-tracking branch 'iommu/arm/smmu'..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=15aed378580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a1eb85a42cb8ccec
dashboard link: https://syzkaller.appspot.com/bug?extid=bc6bfc25a68b7a020ee1
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
Note: no patches were applied.
* Re: [syzbot] [mm?] general protection fault in mas_store_prealloc
From: Liam R. Howlett @ 2024-11-18 2:49 UTC (permalink / raw)
To: syzbot
Cc: akpm, jannh, linux-kernel, linux-mm, lorenzo.stoakes,
syzkaller-bugs, vbabka
* syzbot <syzbot+bc6bfc25a68b7a020ee1@syzkaller.appspotmail.com> [241117 05:42]:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 8e9a54d7181b Merge remote-tracking branch 'iommu/arm/smmu'..
> git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> console output: https://syzkaller.appspot.com/x/log.txt?x=17b0ace8580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=a1eb85a42cb8ccec
> dashboard link: https://syzkaller.appspot.com/bug?extid=bc6bfc25a68b7a020ee1
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> userspace arch: arm64
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=147521a7980000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=102e14c0580000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/ad658fb4d0a2/disk-8e9a54d7.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/1b7754fa8c67/vmlinux-8e9a54d7.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/50315382fefb/Image-8e9a54d7.gz.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+bc6bfc25a68b7a020ee1@syzkaller.appspotmail.com
I was unable to get this reproducer to work on my own image, even using
the config and compiler specified in the report. The injection was not
happening at the same location as the crash reports.
After using the provided disk (which was tricky), I was able to get it
to work. Booting was painfully slow, which makes me wonder if there is a
better way for reproducing issues in the future.
I've been debating just abusing the bot to debug, but it will spam the
entire list, but I have it reproducing now.
Thanks,
Liam
* Re: [syzbot] [mm?] general protection fault in mas_store_prealloc
From: Liam R. Howlett @ 2024-11-18 4:06 UTC (permalink / raw)
To: syzbot
Cc: akpm, jannh, linux-kernel, linux-mm, lorenzo.stoakes,
syzkaller-bugs, vbabka
* syzbot <syzbot+bc6bfc25a68b7a020ee1@syzkaller.appspotmail.com> [241117 05:42]:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 8e9a54d7181b Merge remote-tracking branch 'iommu/arm/smmu'..
> git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> console output: https://syzkaller.appspot.com/x/log.txt?x=17b0ace8580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=a1eb85a42cb8ccec
> dashboard link: https://syzkaller.appspot.com/bug?extid=bc6bfc25a68b7a020ee1
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> userspace arch: arm64
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=147521a7980000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=102e14c0580000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/ad658fb4d0a2/disk-8e9a54d7.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/1b7754fa8c67/vmlinux-8e9a54d7.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/50315382fefb/Image-8e9a54d7.gz.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+bc6bfc25a68b7a020ee1@syzkaller.appspotmail.com
#syz test: http://git.infradead.org/users/jedix/linux-maple.git arm64_kernelci_20241117
>
> __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
> invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
> el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
> do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
> el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
> el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
> el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
> Unable to handle kernel paging request at virtual address dfff800000000001
> KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
> Mem abort info:
> ESR = 0x0000000096000005
> EC = 0x25: DABT (current EL), IL = 32 bits
> SET = 0, FnV = 0
> EA = 0, S1PTW = 0
> FSC = 0x05: level 1 translation fault
> Data abort info:
> ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
> CM = 0, WnR = 0, TnD = 0, TagAccess = 0
> GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
> [dfff800000000001] address between user and kernel address ranges
> Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
> Modules linked in:
> CPU: 1 UID: 0 PID: 6421 Comm: syz-executor374 Not tainted 6.12.0-rc7-syzkaller-g8e9a54d7181b #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
> pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : mt_slot_locked lib/maple_tree.c:795 [inline]
> pc : mas_slot_locked lib/maple_tree.c:808 [inline]
> pc : mas_store_prealloc+0x870/0x1068 lib/maple_tree.c:5514
> lr : mt_slot_locked lib/maple_tree.c:795 [inline]
> lr : mas_slot_locked lib/maple_tree.c:808 [inline]
> lr : mas_store_prealloc+0x778/0x1068 lib/maple_tree.c:5514
> sp : ffff8000a3e57440
> x29: ffff8000a3e57560 x28: ffff8000a3e574c0 x27: dfff800000000000
> x26: ffff7000147cae94 x25: 0000000000000008 x24: 0000000000000000
> x23: 0000000000000008 x22: ffff0000daed1040 x21: 0000000000000008
> x20: ffff8000a3e578e0 x19: 0000000000000000 x18: 0000000000000008
> x17: 0000000000000000 x16: ffff800080585ea8 x15: 0000000000000009
> x14: 1ffff000147cae99 x13: 0000000000000000 x12: 0000000000000000
> x11: ffff7000147caea2 x10: 0000000000ff0100 x9 : 0000000000000000
> x8 : 0000000000000001 x7 : 0000000000000000 x6 : 0000000000000001
> x5 : ffff8000a3e565f8 x4 : 0000000000000008 x3 : ffff80008b4208f0
> x2 : ffffffffffffffc0 x1 : 0000000000000001 x0 : 0000000000000000
> Call trace:
> mt_slot_locked lib/maple_tree.c:795 [inline] (P)
> mas_slot_locked lib/maple_tree.c:808 [inline] (P)
> mas_store_prealloc+0x870/0x1068 lib/maple_tree.c:5514 (P)
> mt_slot_locked lib/maple_tree.c:795 [inline] (L)
> mas_slot_locked lib/maple_tree.c:808 [inline] (L)
> mas_store_prealloc+0x778/0x1068 lib/maple_tree.c:5514 (L)
> vma_iter_store+0x2e8/0x81c mm/vma.h:476
> __mmap_region mm/mmap.c:1513 [inline]
> mmap_region+0x1650/0x1d44 mm/mmap.c:1603
> do_mmap+0x8c4/0xfac mm/mmap.c:496
> vm_mmap_pgoff+0x1a0/0x38c mm/util.c:588
> ksys_mmap_pgoff+0x3a4/0x5c8 mm/mmap.c:542
> __do_sys_mmap arch/arm64/kernel/sys.c:28 [inline]
> __se_sys_mmap arch/arm64/kernel/sys.c:21 [inline]
> __arm64_sys_mmap+0xf8/0x110 arch/arm64/kernel/sys.c:21
> __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
> invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
> el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
> do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
> el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
> el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
> el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
> Code: 393b2668 972c43de 8b180ef5 d343fea8 (387b6908)
> ---[ end trace 0000000000000000 ]---
> ----------------
> Code disassembly (best guess):
> 0: 393b2668 strb w8, [x19, #3785]
> 4: 972c43de bl 0xfffffffffcb10f7c
> 8: 8b180ef5 add x21, x23, x24, lsl #3
> c: d343fea8 lsr x8, x21, #3
> * 10: 387b6908 ldrb w8, [x8, x27] <-- trapping instruction
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
* Re: [syzbot] [mm?] general protection fault in mas_store_prealloc
From: syzbot @ 2024-11-18 4:26 UTC (permalink / raw)
To: akpm, jannh, liam.howlett, linux-kernel, linux-mm,
lorenzo.stoakes, syzkaller-bugs, vbabka
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
failed to checkout kernel repo http://git.infradead.org/users/jedix/linux-maple.git/arm64_kernelci_20241117: failed to run ["git" "fetch" "--force" "9c3e06581107b2a32da6dcbdfdaa1a523995a2c7" "arm64_kernelci_20241117"]: exit status 128
fatal: http://git.infradead.org/users/jedix/linux-maple.git/info/refs not valid: could not determine hash algorithm; is this a git repository?
Tested on:
commit: [unknown
git tree: http://git.infradead.org/users/jedix/linux-maple.git arm64_kernelci_20241117
kernel config: https://syzkaller.appspot.com/x/.config?x=a1eb85a42cb8ccec
dashboard link: https://syzkaller.appspot.com/bug?extid=bc6bfc25a68b7a020ee1
compiler:
userspace arch: arm64
Note: no patches were applied.
* Re: [syzbot] [mm?] general protection fault in mas_store_prealloc
From: Liam R. Howlett @ 2024-11-18 4:31 UTC (permalink / raw)
To: syzbot
Cc: akpm, jannh, linux-kernel, linux-mm, lorenzo.stoakes,
syzkaller-bugs, vbabka
* syzbot <syzbot+bc6bfc25a68b7a020ee1@syzkaller.appspotmail.com> [241117 23:26]:
> Hello,
>
> syzbot tried to test the proposed patch but the build/boot failed:
>
> failed to checkout kernel repo http://git.infradead.org/users/jedix/linux-maple.git/arm64_kernelci_20241117: failed to run ["git" "fetch" "--force" "9c3e06581107b2a32da6dcbdfdaa1a523995a2c7" "arm64_kernelci_20241117"]: exit status 128
> fatal: http://git.infradead.org/users/jedix/linux-maple.git/info/refs not valid: could not determine hash algorithm; is this a git repository?
>
Try again..
#syz test: git://git.infradead.org/users/jedix/linux-maple.git arm64_kernelci_20241117
>
>
> Tested on:
>
> commit: [unknown
> git tree: http://git.infradead.org/users/jedix/linux-maple.git arm64_kernelci_20241117
> kernel config: https://syzkaller.appspot.com/x/.config?x=a1eb85a42cb8ccec
> dashboard link: https://syzkaller.appspot.com/bug?extid=bc6bfc25a68b7a020ee1
> compiler:
> userspace arch: arm64
>
> Note: no patches were applied.
* Re: [syzbot] [mm?] general protection fault in mas_store_prealloc
From: syzbot @ 2024-11-18 5:04 UTC (permalink / raw)
To: akpm, jannh, liam.howlett, linux-kernel, linux-mm,
lorenzo.stoakes, syzkaller-bugs, vbabka
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+bc6bfc25a68b7a020ee1@syzkaller.appspotmail.com
Tested-by: syzbot+bc6bfc25a68b7a020ee1@syzkaller.appspotmail.com
Tested on:
commit: 83dc9151 mm/mmap: fix __mmap_region() error handling i..
git tree: git://git.infradead.org/users/jedix/linux-maple.git arm64_kernelci_20241117
console output: https://syzkaller.appspot.com/x/log.txt?x=14533b5f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=a1eb85a42cb8ccec
dashboard link: https://syzkaller.appspot.com/bug?extid=bc6bfc25a68b7a020ee1
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.
* Re: [syzbot] [mm?] general protection fault in mas_store_prealloc
From: Aleksandr Nogikh @ 2024-11-18 13:12 UTC (permalink / raw)
To: Liam R. Howlett, syzbot, akpm, jannh, linux-kernel, linux-mm,
lorenzo.stoakes, syzkaller-bugs, vbabka
Hi Liam,
On Mon, Nov 18, 2024 at 3:49 AM 'Liam R. Howlett' via syzkaller-bugs
<syzkaller-bugs@googlegroups.com> wrote:
>
> * syzbot <syzbot+bc6bfc25a68b7a020ee1@syzkaller.appspotmail.com> [241117 05:42]:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: 8e9a54d7181b Merge remote-tracking branch 'iommu/arm/smmu'..
> > git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> > console output: https://syzkaller.appspot.com/x/log.txt?x=17b0ace8580000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=a1eb85a42cb8ccec
> > dashboard link: https://syzkaller.appspot.com/bug?extid=bc6bfc25a68b7a020ee1
> > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > userspace arch: arm64
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=147521a7980000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=102e14c0580000
> >
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/ad658fb4d0a2/disk-8e9a54d7.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/1b7754fa8c67/vmlinux-8e9a54d7.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/50315382fefb/Image-8e9a54d7.gz.xz
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+bc6bfc25a68b7a020ee1@syzkaller.appspotmail.com
>
> I was unable to get this reproducer to work on my own image, even using
> the config and compiler specified in the report. The injection was not
> happening at the same location as the crash reports.
>
> After using the provided disk (which was tricky), I was able to get it
> to work.
Just in case: did you follow the official syzbot instructions on
reproducing the bugs from the attached assets? [1] If yes, what extra
information could have made the process simpler for you?
[1] https://github.com/google/syzkaller/blob/master/docs/syzbot_assets.md
> Booting was painfully slow, and makes me wonder if there is a
> better way for reproducing issues in the future.
I guess that unless you run it on an arm64 device with nested
virtualization support, this bug's reproduction will be slow anyway :(
If you recompile the kernel image without CONFIG_KASAN and
CONFIG_KCOV, that should speed it up to some degree.
>
> I've been debating just abusing the bot to debug, but it will spam the
> entire list, but I have it reproducing now.
Syzbot only makes sure that linux-kernel@vger.kernel.org and
syzkaller-bugs@googlegroups.com are included, both are not really
assumed to be closely followed by human beings. So I think it should
be totally fine to debug with syzbot if you just Cc those two lists.
--
Aleksandr
>
> Thanks,
> Liam
>
* Re: [syzbot] [mm?] general protection fault in mas_store_prealloc
2024-11-18 13:12 ` Aleksandr Nogikh
@ 2024-11-18 15:21 ` Liam R. Howlett
2024-11-18 15:38 ` Liam R. Howlett
0 siblings, 1 reply; 11+ messages in thread
From: Liam R. Howlett @ 2024-11-18 15:21 UTC (permalink / raw)
To: Aleksandr Nogikh
Cc: syzbot, akpm, jannh, linux-kernel, linux-mm, lorenzo.stoakes,
syzkaller-bugs, vbabka
* Aleksandr Nogikh <nogikh@google.com> [241118 08:13]:
> Hi Liam,
>
> On Mon, Nov 18, 2024 at 3:49 AM 'Liam R. Howlett' via syzkaller-bugs
> <syzkaller-bugs@googlegroups.com> wrote:
> >
> > * syzbot <syzbot+bc6bfc25a68b7a020ee1@syzkaller.appspotmail.com> [241117 05:42]:
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit: 8e9a54d7181b Merge remote-tracking branch 'iommu/arm/smmu'..
> > > git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=17b0ace8580000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=a1eb85a42cb8ccec
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=bc6bfc25a68b7a020ee1
> > > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > > userspace arch: arm64
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=147521a7980000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=102e14c0580000
> > >
> > > Downloadable assets:
> > > disk image: https://storage.googleapis.com/syzbot-assets/ad658fb4d0a2/disk-8e9a54d7.raw.xz
> > > vmlinux: https://storage.googleapis.com/syzbot-assets/1b7754fa8c67/vmlinux-8e9a54d7.xz
> > > kernel image: https://storage.googleapis.com/syzbot-assets/50315382fefb/Image-8e9a54d7.gz.xz
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+bc6bfc25a68b7a020ee1@syzkaller.appspotmail.com
> >
> > I was unable to get this reproducer to work on my own image, even using
> > the config and compiler specified in the report. The injection was not
> > happening at the same location as the crash reports.
> >
> > After using the provided disk (which was tricky), I was able to get it
> > to work.
>
> Just in case: did you follow the official syzbot instructions on
> reproducing the bugs from the attached assets? [1] If yes, what extra
> information could have made the process simpler for you?
>
> [1] https://github.com/google/syzkaller/blob/master/docs/syzbot_assets.md
The instructions on getting the source we need (without adding yet
another remote and fetching the entire repo) would help, as well as
booting the kernel.
ie: --kernel <file> --append <root=...>
The missing part for me was that the commit listed was already gone, so
after Lorenzo responded and retested with code in the repo, I could
pull the kernel. Maybe I could have just fetched the ref somehow?
So these instructions are good. I didn't see them in the emails or on
the dashboard though?
Booting my own kernel ended up in panics about the rootfs missing, and
some fooling around with that.
>
> > Booting was painfully slow, and makes me wonder if there is a
> > better way for reproducing issues in the future.
>
> I guess that unless you run it on an arm64 device with nested
> virtualization support, this bug's reproduction will be slow anyway :(
The initial boot of arm64 seems to just sit around for a while thinking
about booting. My installed vm was using uefi, which turned out to also
be a pain point.
>
> If you recompile the kernel image without CONFIG_KASAN and
> CONFIG_KCOV, that should speed it up to some degree.
I think arm64 on amd64 is just slow, but thanks. kasan seems necessary
a lot of the time.
Regards,
Liam
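What the asset-based reproduction discussed above looks like as a script, added here as an example that is not from the thread or from syzkaller's own documentation. It assumes qemu-system-aarch64, xz and gunzip on the host, the asset file names from the report, a virtio root disk at /dev/vda with a ttyAMA0 console, and uses a sed edit of the .config in place of scripts/config for the KASAN/KCOV speed-up.

```shell
#!/bin/sh
# Added example, not code from the thread or from syzkaller's own docs:
# reproduce a syzbot arm64 report from the downloadable assets, booting the
# provided kernel with -kernel/-append instead of installing a UEFI VM.
# Assumptions: qemu-system-aarch64, xz and gunzip are installed; the three
# assets from the report were downloaded into $ASSET_DIR; the root filesystem
# is on the first virtio disk (/dev/vda) and the serial console is ttyAMA0.
set -eu

ASSET_DIR="${ASSET_DIR:-$PWD/syzbot-assets}"

# Build (but do not run) the QEMU command line for a kernel Image and a raw
# disk image, so it can be reviewed before anything boots.
qemu_cmdline() {
    kernel="$1"
    disk="$2"
    printf '%s' "qemu-system-aarch64 -machine virt -cpu max -m 2G -smp 2 -nographic" \
        " -kernel $kernel -append 'root=/dev/vda console=ttyAMA0'" \
        " -drive file=$disk,format=raw,if=virtio" \
        " -netdev user,id=net0,hostfwd=tcp::10022-:22 -device virtio-net-pci,netdev=net0"
}

# Aleksandr's speed-up: turn off KASAN and KCOV in the report's .config.
# Done with sed so it needs no kernel tree; inside a tree, scripts/config
# -d KASAN -d KCOV followed by 'make olddefconfig' is the usual way, and
# olddefconfig also drops the dependent CONFIG_KASAN_* options.
strip_instrumentation() {
    sed -e 's/^CONFIG_KASAN=y$/# CONFIG_KASAN is not set/' \
        -e 's/^CONFIG_KCOV=y$/# CONFIG_KCOV is not set/' "$1"
}

# 'sh repro-arm64.sh boot' unpacks the assets and prints the boot command;
# run that command, then copy repro.c into the guest (host port 10022 is
# forwarded to the guest's ssh port) and compile it there.
if [ "${1:-}" = boot ]; then
    cd "$ASSET_DIR"
    for f in *.xz; do xz -dk "$f"; done   # keep the downloaded originals
    gunzip -k Image-8e9a54d7.gz           # boot the uncompressed Image
    qemu_cmdline "$ASSET_DIR/Image-8e9a54d7" "$ASSET_DIR/disk-8e9a54d7.raw"
    echo
fi
```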
* Re: [syzbot] [mm?] general protection fault in mas_store_prealloc
2024-11-18 15:21 ` Liam R. Howlett
@ 2024-11-18 15:38 ` Liam R. Howlett
0 siblings, 0 replies; 11+ messages in thread
From: Liam R. Howlett @ 2024-11-18 15:38 UTC (permalink / raw)
To: Aleksandr Nogikh, syzbot, akpm, jannh, linux-kernel, linux-mm,
lorenzo.stoakes, syzkaller-bugs, vbabka
* Liam R. Howlett <Liam.Howlett@oracle.com> [241118 10:21]:
> * Aleksandr Nogikh <nogikh@google.com> [241118 08:13]:
> > Hi Liam,
> >
> > On Mon, Nov 18, 2024 at 3:49 AM 'Liam R. Howlett' via syzkaller-bugs
> > <syzkaller-bugs@googlegroups.com> wrote:
> > >
> > > * syzbot <syzbot+bc6bfc25a68b7a020ee1@syzkaller.appspotmail.com> [241117 05:42]:
> > > > Hello,
> > > >
> > > > syzbot found the following issue on:
> > > >
> > > > HEAD commit: 8e9a54d7181b Merge remote-tracking branch 'iommu/arm/smmu'..
> > > > git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
> > > > console output: https://syzkaller.appspot.com/x/log.txt?x=17b0ace8580000
> > > > kernel config: https://syzkaller.appspot.com/x/.config?x=a1eb85a42cb8ccec
> > > > dashboard link: https://syzkaller.appspot.com/bug?extid=bc6bfc25a68b7a020ee1
> > > > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > > > userspace arch: arm64
> > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=147521a7980000
> > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=102e14c0580000
> > > >
> > > > Downloadable assets:
> > > > disk image: https://storage.googleapis.com/syzbot-assets/ad658fb4d0a2/disk-8e9a54d7.raw.xz
> > > > vmlinux: https://storage.googleapis.com/syzbot-assets/1b7754fa8c67/vmlinux-8e9a54d7.xz
> > > > kernel image: https://storage.googleapis.com/syzbot-assets/50315382fefb/Image-8e9a54d7.gz.xz
> > > >
> > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > Reported-by: syzbot+bc6bfc25a68b7a020ee1@syzkaller.appspotmail.com
> > >
> > > I was unable to get this reproducer to work on my own image, even using
> > > the config and compiler specified in the report. The injection was not
> > > happening at the same location as the crash reports.
One other point that could have helped find the issue faster (although
I was able to find it pretty fast with your tools already), would be to
include the injection portion in the email. I was able to find it in
the logs on the dashboard and in my own testing, but if it was included
in the email it'd be nice.
> > >
> > > After using the provided disk (which was tricky), I was able to get it
> > > to work.
> >
> > Just in case: did you follow the official syzbot instructions on
> > reproducing the bugs from the attached assets? [1] If yes, what extra
> > information could have made the process simpler for you?
> >
> > [1] https://github.com/google/syzkaller/blob/master/docs/syzbot_assets.md
>
> The instructions on getting the source we need (without adding yet
> another remote and fetching the entire repo) would help, as well as
> booting the kernel.
>
> ie: --kernel <file> --append <root=...>
>
> The missing part for me was that the commit listed was already gone, so
> after Lorenzo responded and retested with code in the repo, I could
> pull the kernel. Maybe I could have just fetched the ref somehow?
>
> So these instructions are good. I didn't see them in the emails or on
> the dashboard though?
>
> Booting my own kernel ended up in panics about the rootfs missing, and
> some fooling around with that.
>
> >
> > > Booting was painfully slow, and makes me wonder if there is a
> > > better way for reproducing issues in the future.
> >
> > I guess that unless you run it on an arm64 device with nested
> > virtualization support, this bug's reproduction will be slow anyway :(
>
> The initial boot of arm64 seems to just sit around for a while thinking
> about booting. My installed vm was using uefi, which turned out to also
> be a pain point.
>
> >
> > If you recompile the kernel image without CONFIG_KASAN and
> > CONFIG_KCOV, that should speed it up to some degree.
>
> I think arm64 on amd64 is just slow, but thanks. kasan seems necessary
> a lot of the time.
>
> Regards,
> Liam