lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAJuCfpEh0byROe58H_FtL+NMLKAvSrQW0f0wd3QiVTBdRg5CTA@mail.gmail.com>
Date:   Thu, 20 Oct 2022 18:58:42 -0700
From:   Suren Baghdasaryan <surenb@...gle.com>
To:     Andrew Morton <akpm@...ux-foundation.org>
Cc:     syzbot <syzbot+b910411d3d253dab25d8@...kaller.appspotmail.com>,
        bigeasy@...utronix.de, bpf@...r.kernel.org, brauner@...nel.org,
        ebiederm@...ssion.com, linux-kernel@...r.kernel.org,
        syzkaller-bugs@...glegroups.com, tglx@...utronix.de,
        linux-mm@...ck.org, David Hildenbrand <david@...hat.com>
Subject: Re: [syzbot] BUG: sleeping function called from invalid context in vm_area_dup

On Thu, Oct 20, 2022 at 6:22 PM Andrew Morton <akpm@...ux-foundation.org> wrote:
>
> On Thu, 20 Oct 2022 05:40:43 -0700 syzbot <syzbot+b910411d3d253dab25d8@...kaller.appspotmail.com> wrote:
>
> > syzbot has found a reproducer for the following issue on:
>
> Thanks.
>
>
> > HEAD commit:    acee3e83b493 Add linux-next specific files for 20221020
> > git tree:       linux-next
> > console+strace: https://syzkaller.appspot.com/x/log.txt?x=170a8016880000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=c82245cfb913f766
> > dashboard link: https://syzkaller.appspot.com/bug?extid=b910411d3d253dab25d8
> > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=109e0372880000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1770d752880000
> >
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/98cc5896cded/disk-acee3e83.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/b3d3eb3aa10a/vmlinux-acee3e83.xz
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+b910411d3d253dab25d8@...kaller.appspotmail.com
> >
> > BUG: sleeping function called from invalid context at include/linux/sched/mm.h:274
>
> This is happening under dup_anon_vma_name().
>
> I can't spot preemption being disabled on that call path, and I assume
> this code has been exercised for some time.

Indeed, it is unclear why copy_vma() would be called in atomic
context. I'll try to reproduce tomorrow. Maybe with lockdep enabled we
can get something interesting.

>
> I wonder if this could be fallout from the KSM locking error which
> https://lkml.kernel.org/r/8c86678a-3bfb-3854-b1a9-ae5969e730b8@redhat.com
> addresses.  Seems quite unlikely.
>
> > in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 3602, name: syz-executor107
> > preempt_count: 1, expected: 0
> > RCU nest depth: 0, expected: 0
> > INFO: lockdep is turned off.
> > Preemption disabled at:
> > [<0000000000000000>] 0x0
> > CPU: 0 PID: 3602 Comm: syz-executor107 Not tainted 6.1.0-rc1-next-20221020-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
> > Call Trace:
> >  <TASK>
> >  __dump_stack lib/dump_stack.c:88 [inline]
> >  dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
> >  __might_resched.cold+0x222/0x26b kernel/sched/core.c:9890
> >  might_alloc include/linux/sched/mm.h:274 [inline]
> >  slab_pre_alloc_hook mm/slab.h:727 [inline]
> >  slab_alloc_node mm/slub.c:3323 [inline]
> >  slab_alloc mm/slub.c:3411 [inline]
> >  __kmem_cache_alloc_lru mm/slub.c:3418 [inline]
> >  kmem_cache_alloc+0x2e6/0x3c0 mm/slub.c:3427
> >  vm_area_dup+0x81/0x380 kernel/fork.c:466
> >  copy_vma+0x376/0x8d0 mm/mmap.c:3216
> >  move_vma+0x449/0xf60 mm/mremap.c:626
> >  __do_sys_mremap+0x487/0x16b0 mm/mremap.c:1075
> >  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> >  do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
> >  entry_SYSCALL_64_after_hwframe+0x63/0xcd
> > RIP: 0033:0x7fd090fa5b29
> > Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
> > RSP: 002b:00007ffc2e90bd38 EFLAGS: 00000246 ORIG_RAX: 0000000000000019
> > RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd090fa5b29
> > RDX: 0000000000001000 RSI: 0000000000004000 RDI: 00000000201c4000
> > RBP: 00007fd090f69cd0 R08: 00000000202ef000 R09: 0000000000000000
> > R10: 0000000000000003 R11: 0000000000000246 R12: 00007fd090f69d60
> > R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> >  </TASK>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ