lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 15 Nov 2022 20:07:36 +0000
From:   Sean Christopherson <seanjc@...gle.com>
To:     Andrew Morton <akpm@...ux-foundation.org>
Cc:     syzbot <syzbot+644848628d5e12d5438c@...kaller.appspotmail.com>,
        linux-kernel@...r.kernel.org, linux-mm@...ck.org,
        syzkaller-bugs@...glegroups.com, kvm@...r.kernel.org
Subject: Re: [syzbot] kernel BUG in workingset_activation (2)

On Tue, Nov 15, 2022, Andrew Morton wrote:
> On Tue, 15 Nov 2022 08:23:44 -0800 syzbot <syzbot+644848628d5e12d5438c@...kaller.appspotmail.com> wrote:
> 
> > Hello,
> > 
> > syzbot found the following issue on:
> 
> Thanks.
> 
> > HEAD commit:    f4bc5bbb5fef Merge tag 'nfsd-5.17-2' of git://git.kernel.o..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=16c683d8700000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=5707221760c00a20
> > dashboard link: https://syzkaller.appspot.com/bug?extid=644848628d5e12d5438c
> > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1691d2c2700000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16cde752700000
> > 
> > Bisection is inconclusive: the issue happens on the oldest tested release.
> > 
> > bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=174c8174700000
> > final oops:     https://syzkaller.appspot.com/x/report.txt?x=14cc8174700000
> > console output: https://syzkaller.appspot.com/x/log.txt?x=10cc8174700000
> > 
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+644848628d5e12d5438c@...kaller.appspotmail.com
> > 
> >  do_one_initcall+0x103/0x650 init/main.c:1300
> >  do_initcall_level init/main.c:1373 [inline]
> >  do_initcalls init/main.c:1389 [inline]
> >  do_basic_setup init/main.c:1408 [inline]
> >  kernel_init_freeable+0x6b1/0x73a init/main.c:1613
> >  kernel_init+0x1a/0x1d0 init/main.c:1502
> >  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
> > ------------[ cut here ]------------
> > kernel BUG at include/linux/memcontrol.h:470!
> 
> That's
> 
> 	VM_BUG_ON_FOLIO(folio_test_slab(folio), folio);
> 
> in folio_memcg_rcu().
> 
> I'll cc the KVM list.

Thanks!  Saw this internally, was waiting for it to hit the lists.

I haven't been able to repro the syzkaller test (abuses /dev/bus/usb crud), but
I believe the issue is that KVM attempts to mark a kmalloc'd page as accessed.
workingset_activation() doesn't expect this and invokes folio_memcg_rcu() on a
SLAB page, which triggers the VM_BUG.

I suspect this can be reproduced with a KVM selftest by mapping KVM's own vcpu->run
memory into the guest.  I'll give that a shot.

In the meantime...

#sys test https://github.com/sean-jc/linux.git x86/no_slab_accessed

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ