lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Wed, 8 Apr 2020 11:14:43 -0400
From:   Peter Xu <peterx@...hat.com>
To:     Thomas Gleixner <tglx@...utronix.de>
Cc:     syzbot <syzbot+a95c7753605c9d219466@...kaller.appspotmail.com>,
        akpm@...ux-foundation.org, bgeffon@...gle.com,
        dvhart@...radead.org, linux-kernel@...r.kernel.org,
        mingo@...hat.com, peterz@...radead.org,
        syzkaller-bugs@...glegroups.com, torvalds@...ux-foundation.org
Subject: Re: general protection fault in get_futex_key

On Wed, Apr 08, 2020 at 03:36:45PM +0200, Thomas Gleixner wrote:
> syzbot <syzbot+a95c7753605c9d219466@...kaller.appspotmail.com> writes:
> > syzbot found the following crash on:
> >
> > HEAD commit:    763dede1 Merge tag 'for-linus-5.7-rc1' of git://git.kernel..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=136a055de00000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=12205d036cec317f
> > dashboard link: https://syzkaller.appspot.com/bug?extid=a95c7753605c9d219466
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1578287de00000
> >
> > The bug was bisected to:
> >
> > commit 4426e945df588f2878affddf88a51259200f7e29
> > Author: Peter Xu <peterx@...hat.com>
> > Date:   Thu Apr 2 04:08:49 2020 +0000
> >
> >     mm/gup: allow VM_FAULT_RETRY for multiple times
> >
> > bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=1707878fe00000
> > final crash:    https://syzkaller.appspot.com/x/report.txt?x=1487878fe00000
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1087878fe00000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+a95c7753605c9d219466@...kaller.appspotmail.com
> > Fixes: 4426e945df58 ("mm/gup: allow VM_FAULT_RETRY for multiple times")
> >
> > general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
> > KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
> > CPU: 1 PID: 8869 Comm: syz-executor.1 Not tainted 5.6.0-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > RIP: 0010:__read_once_size include/linux/compiler.h:199 [inline]
> > RIP: 0010:compound_head include/linux/page-flags.h:174 [inline]
> > RIP: 0010:get_futex_key+0x2cd/0x1670 kernel/futex.c:574
> 
> This means that
> 
>      get_user_pages_fast(address, 1, FOLL_WRITE, &page)
> 
> returned 0, which is breaking the interface:
> 
>  * Returns number of pages pinned. This may be fewer than the number requested.
>  * If nr_pages is 0 or negative, returns 0. If no pages were pinned, returns
>  * -errno.
> 
> nr_pages is clearly 1. So if the call fails, the number of pinned pages
> is 0 and it should return a proper error number. It did before.
> 
> From a quick look at the commit in question I assume it's the
> 
> +               if (fatal_signal_pending(current))
> +                       break;
> 
> which can cause that to happen.

Right, sorry for the mess.

Hillf has posted a fix already in the other thread (with you CCed).
So I'm marking this one as a dup now.

#syz dup: WARNING in af_alg_make_sg

Thanks,

-- 
Peter Xu

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ