lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <000000000000358f04060008984c@google.com>
Date:   Sun, 09 Jul 2023 00:12:53 -0700
From:   syzbot <syzbot+05a4b28d3ba52e73b4c6@...kaller.appspotmail.com>
To:     akpm@...ux-foundation.org, linux-kernel@...r.kernel.org,
        linux-mm@...ck.org, syzkaller-bugs@...glegroups.com
Subject: [syzbot] [mm?] general protection fault in filemap_release_folio

Hello,

syzbot found the following issue on:

HEAD commit:    123212f53f3e Add linux-next specific files for 20230707
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=12cd9964a80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=15ec80b62f588543
dashboard link: https://syzkaller.appspot.com/bug?extid=05a4b28d3ba52e73b4c6
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/098f7ee2237c/disk-123212f5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/88defebbfc49/vmlinux-123212f5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d5e9343ec16a/bzImage-123212f5.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+05a4b28d3ba52e73b4c6@...kaller.appspotmail.com

general protection fault, probably for non-canonical address 0xffdffc001fc10009: 0000 [#1] PREEMPT SMP KASAN
KASAN: maybe wild-memory-access in range [0xff000000fe080048-0xff000000fe08004f]
CPU: 0 PID: 17492 Comm: syz-executor.4 Not tainted 6.4.0-next-20230707-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023
RIP: 0010:filemap_release_folio+0x1e6/0x2a0 mm/filemap.c:4082
Code: 48 c1 ea 03 80 3c 02 00 0f 85 ac 00 00 00 48 8b 9b e8 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 48 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 90 00 00 00 48 8b 5b 48 48 85 db 74 23 e8 a2 dd
RSP: 0018:ffffc900053f71b8 EFLAGS: 00010a06
RAX: dffffc0000000000 RBX: ff000000fe080001 RCX: ffffc9000c36a000
RDX: 1fe000001fc10009 RSI: ffffffff81b10a98 RDI: ff000000fe080049
RBP: ffffea0000c5af00 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000cc0 R14: 0000000000000000 R15: ffff88807d7950d1
FS:  00007f39a8bfa700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f39a8c19698 CR3: 0000000026575000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 shrink_folio_list+0x291e/0x3e60 mm/vmscan.c:2068
 reclaim_folio_list+0xd0/0x390 mm/vmscan.c:2801
 reclaim_pages+0x442/0x670 mm/vmscan.c:2837
 madvise_cold_or_pageout_pte_range+0x100e/0x1ee0 mm/madvise.c:533
 walk_pmd_range mm/pagewalk.c:140 [inline]
 walk_pud_range mm/pagewalk.c:218 [inline]
 walk_p4d_range mm/pagewalk.c:253 [inline]
 walk_pgd_range+0x9e7/0x1470 mm/pagewalk.c:290
 __walk_page_range+0x651/0x780 mm/pagewalk.c:392
 walk_page_range+0x311/0x4a0 mm/pagewalk.c:490
 madvise_pageout_page_range mm/madvise.c:591 [inline]
 madvise_pageout+0x2fe/0x560 mm/madvise.c:618
 madvise_vma_behavior+0x61a/0x21a0 mm/madvise.c:1039
 madvise_walk_vmas+0x1c7/0x2b0 mm/madvise.c:1268
 do_madvise.part.0+0x276/0x490 mm/madvise.c:1448
 do_madvise mm/madvise.c:1461 [inline]
 __do_sys_madvise mm/madvise.c:1461 [inline]
 __se_sys_madvise mm/madvise.c:1459 [inline]
 __x64_sys_madvise+0x117/0x150 mm/madvise.c:1459
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f39a7e8c389
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f39a8bfa168 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 00007f39a7fac050 RCX: 00007f39a7e8c389
RDX: 0000000000000015 RSI: 0000000000600003 RDI: 0000000020000000
RBP: 00007f39a7ed7493 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe1ce83f1f R14: 00007f39a8bfa300 R15: 0000000000022000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:filemap_release_folio+0x1e6/0x2a0 mm/filemap.c:4082
Code: 48 c1 ea 03 80 3c 02 00 0f 85 ac 00 00 00 48 8b 9b e8 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 48 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 90 00 00 00 48 8b 5b 48 48 85 db 74 23 e8 a2 dd
RSP: 0018:ffffc900053f71b8 EFLAGS: 00010a06

RAX: dffffc0000000000 RBX: ff000000fe080001 RCX: ffffc9000c36a000
RDX: 1fe000001fc10009 RSI: ffffffff81b10a98 RDI: ff000000fe080049
RBP: ffffea0000c5af00 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000cc0 R14: 0000000000000000 R15: ffff88807d7950d1
FS:  00007f39a8bfa700(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3c3a1831b8 CR3: 0000000026575000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	48 c1 ea 03          	shr    $0x3,%rdx
   4:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
   8:	0f 85 ac 00 00 00    	jne    0xba
   e:	48 8b 9b e8 01 00 00 	mov    0x1e8(%rbx),%rbx
  15:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  1c:	fc ff df
  1f:	48 8d 7b 48          	lea    0x48(%rbx),%rdi
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1) <-- trapping instruction
  2e:	0f 85 90 00 00 00    	jne    0xc4
  34:	48 8b 5b 48          	mov    0x48(%rbx),%rbx
  38:	48 85 db             	test   %rbx,%rbx
  3b:	74 23                	je     0x60
  3d:	e8                   	.byte 0xe8
  3e:	a2                   	.byte 0xa2
  3f:	dd                   	.byte 0xdd


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to change bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ