lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:	Mon, 30 Jun 2014 09:49:57 -0400
From:	Sasha Levin <levinsasha928@...il.com>
To:	"linux-mm@...ck.org" <linux-mm@...ck.org>
CC:	Andrew Morton <akpm@...ux-foundation.org>,
	Dave Jones <davej@...hat.com>,
	LKML <linux-kernel@...r.kernel.org>
Subject: mm: derefing NULL vma->vm_mm when unmapping

Hi all,

While fuzzing with trinity inside a KVM tools guest running the latest -next
kernel I've stumbled on the following spew:

[  761.704089] BUG: unable to handle kernel NULL pointer dereference at           (null)
[  761.704089] IP: mm_find_pmd (mm/rmap.c:570)
[  761.704089] PGD 51223067 PUD 50a09067 PMD 0
[  761.704089] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[  761.704089] Dumping ftrace buffer:
[  761.704089]    (ftrace buffer empty)
[  761.704089] Modules linked in:
[  761.704089] CPU: 4 PID: 20723 Comm: trinity-c131 Tainted: G        W      3.16.0-rc3-next-20140630-sasha-00023-g44434d4-dirty #756
[  761.704089] task: ffff88004e3c0000 ti: ffff88004e0b8000 task.ti: ffff88004e0b8000
[  761.704089] RIP: mm_find_pmd (mm/rmap.c:570)
[  761.704089] RSP: 0000:ffff88004e0bbaa8  EFLAGS: 00010246
[  761.704089] RAX: 0000000000000000 RBX: 0000000000a65000 RCX: ffff88004e0bbb30
[  761.704089] RDX: 0000000000000000 RSI: 0000000000a65000 RDI: ffff880000146000
[  761.704089] RBP: ffff88004e0bbaa8 R08: 0000000000000000 R09: 0000000000000000
[  761.704089] R10: ffff88004e3c0000 R11: 0000000000000000 R12: ffffea000d766e00
[  761.704089] R13: ffff88004e0bbb30 R14: ffff880000146000 R15: 0000000000000000
[  761.704089] FS:  00007f0293c61700(0000) GS:ffff880144e00000(0000) knlGS:0000000000000000
[  761.704089] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  761.704089] CR2: 0000000000000000 CR3: 000000004e3be000 CR4: 00000000000006a0
[  761.704089] Stack:
[  761.704089]  ffff88004e0bbae8 ffffffff9c2d0815 800000035d9b8805 ffff880000146000
[  761.704089]  ffffea000d766e00 ffff88000b4c4e58 ffff880034d7d200 0000000000000302
[  761.704089]  ffff88004e0bbb68 ffffffff9c2d1491 ffff88004e0bbb28 ffffffff9f57c58a
[  761.704089] Call Trace:
[  761.704089] __page_check_address (mm/rmap.c:618)
[  761.704089] try_to_unmap_one (mm/rmap.c:1133)
[  761.704089] ? down_read (kernel/locking/rwsem.c:45 (discriminator 2))
[  761.704089] ? page_lock_anon_vma_read (./arch/x86/include/asm/atomic.h:118 mm/rmap.c:491)
[  761.704089] ? page_lock_anon_vma_read (mm/rmap.c:448)
[  761.704089] rmap_walk (mm/rmap.c:1634 mm/rmap.c:1705)
[  761.704089] try_to_unmap (mm/rmap.c:1527)
[  761.704089] ? page_remove_rmap (mm/rmap.c:1124)
[  761.704089] ? invalid_migration_vma (mm/rmap.c:1483)
[  761.704089] ? try_to_unmap_one (mm/rmap.c:1391)
[  761.704089] ? anon_vma_prepare (mm/rmap.c:448)
[  761.704089] ? invalid_mkclean_vma (mm/rmap.c:1478)
[  761.704089] ? page_get_anon_vma (mm/rmap.c:405)
[  761.704089] migrate_pages (mm/migrate.c:912 mm/migrate.c:955 mm/migrate.c:1142)
[  761.704089] ? perf_trace_mm_numa_migrate_ratelimit (mm/migrate.c:1590)
[  761.704089] migrate_misplaced_page (mm/migrate.c:1750)
[  761.704089] __handle_mm_fault (mm/memory.c:3162 mm/memory.c:3212 mm/memory.c:3322)
[  761.704089] handle_mm_fault (include/linux/memcontrol.h:124 mm/memory.c:3348)
[  761.704089] ? __do_page_fault (arch/x86/mm/fault.c:1163)
[  761.704089] __do_page_fault (arch/x86/mm/fault.c:1230)
[  761.704089] ? vtime_account_user (kernel/sched/cputime.c:687)
[  761.704089] ? get_parent_ip (kernel/sched/core.c:2550)
[  761.704089] ? context_tracking_user_exit (include/linux/vtime.h:89 include/linux/jump_label.h:115 include/trace/events/context_tracking.h:47 kernel/context_tracking.c:180)
[  761.704089] ? preempt_count_sub (kernel/sched/core.c:2606)
[  761.704089] ? context_tracking_user_exit (kernel/context_tracking.c:184)
[  761.704089] ? __this_cpu_preempt_check (lib/smp_processor_id.c:63)
[  761.704089] ? trace_hardirqs_off_caller (kernel/locking/lockdep.c:2638 (discriminator 2))
[  761.704089] trace_do_page_fault (arch/x86/mm/fault.c:1313 include/linux/jump_label.h:115 include/linux/context_tracking_state.h:27 include/linux/context_tracking.h:45 arch/x86/mm/fault.c:1314)
[  761.704089] do_async_page_fault (arch/x86/kernel/kvm.c:264)
[  761.704089] async_page_fault (arch/x86/kernel/entry_64.S:1322)
[ 761.704089] Code: 00 48 8b 5d f0 4c 8b 65 f8 c9 c3 66 0f 1f 44 00 00 66 66 66 66 90 55 48 89 f2 48 8b 47 40 48 c1 ea 27 48 89 e5 81 e2 ff 01 00 00 <48> 8b 3c d0 40 f6 c7 01 75 0c 31 f6 e9 af 00 00 00 0f 1f 44 00
All code
========
   0:	00 48 8b             	add    %cl,-0x75(%rax)
   3:	5d                   	pop    %rbp
   4:	f0 4c 8b 65 f8       	lock mov -0x8(%rbp),%r12
   9:	c9                   	leaveq
   a:	c3                   	retq
   b:	66 0f 1f 44 00 00    	nopw   0x0(%rax,%rax,1)
  11:	66 66 66 66 90       	data32 data32 data32 xchg %ax,%ax
  16:	55                   	push   %rbp
  17:	48 89 f2             	mov    %rsi,%rdx
  1a:	48 8b 47 40          	mov    0x40(%rdi),%rax
  1e:	48 c1 ea 27          	shr    $0x27,%rdx
  22:	48 89 e5             	mov    %rsp,%rbp
  25:	81 e2 ff 01 00 00    	and    $0x1ff,%edx
  2b:*	48 8b 3c d0          	mov    (%rax,%rdx,8),%rdi		<-- trapping instruction
  2f:	40 f6 c7 01          	test   $0x1,%dil
  33:	75 0c                	jne    0x41
  35:	31 f6                	xor    %esi,%esi
  37:	e9 af 00 00 00       	jmpq   0xeb
  3c:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)

Code starting with the faulting instruction
===========================================
   0:	48 8b 3c d0          	mov    (%rax,%rdx,8),%rdi
   4:	40 f6 c7 01          	test   $0x1,%dil
   8:	75 0c                	jne    0x16
   a:	31 f6                	xor    %esi,%esi
   c:	e9 af 00 00 00       	jmpq   0xc0
  11:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
[  761.704089] RIP mm_find_pmd (mm/rmap.c:570)
[  761.704089]  RSP <ffff88004e0bbaa8>
[  761.704089] CR2: 0000000000000000

As I didn't see any code changes around that part I'm thinking that it's a locking
issue that got messed up somewhere rather then a missing '!= NULL' check.


Thanks,
Sasha
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists