| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <e91da589-ad57-3969-d979-879bbd10dddd@huawei.com>
Date: Wed, 7 May 2025 21:06:34 +0800
From: Nanyong Sun <sunnanyong@...wei.com>
To: <bryan-bt.tan@...adcom.com>, <vishnu.dasa@...adcom.com>,
<bcm-kernel-feedback-list@...adcom.com>
CC: LKML <linux-kernel@...r.kernel.org>, <mawupeng1@...wei.com>
Subject: WARNING in try_grab_folio caused by vmw_vmci
Hello,
Our syzkaller report a problem in the lasted upstream caused by
vmw_vmci,it seems that when
vmci_host_setup_notify call get_user_pages_fast,the page's reference
count already decreased to 0.
Maybe concurrent with put_page in vmci_ctx_unset_notify?
------------[ cut here ]------------
WARNING: CPU: 0 PID: 2234 at mm/gup.c:142 try_grab_folio+0x225/0x2c0
mm/gup.c:142
Modules linked in:
CPU: 0 PID: 2234 Comm: syz.3.236 Not tainted 6.6.0+ #50
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
RIP: 0010:try_grab_folio+0x225/0x2c0 mm/gup.c:142
Code: 5d 41 5c 41 5d 41 5e c3 cc cc cc cc e8 24 78 b7 ff be 04 00 00 00
4c 89 e7 e8 e7 22 18 00 f0 44 01 6b 34 eb cd e8 0b 78 b7 ff <0f> 0b bb
f4 ff ff ff eb c1 e8 fd 77 b7 ff be 04 00 00 00 4c 89 e7
RSP: 0018:ffff88800364f838 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffffea0000530000 RCX: ffffffff9930ee05
RDX: ffff888010892340 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 0000000000210003 R08: 0000000000000000 R09: fffff940000a6006
R10: 0000000000000000 R11: 0000000000000000 R12: ffffea0000530034
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
FS: 00007f71153246c0(0000) GS:ffff888119800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7115323fa8 CR3: 000000000f5e8004 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 80000000
Call Trace:
<TASK>
follow_trans_huge_pmd+0x727/0x1290 mm/huge_memory.c:2151
follow_pmd_mask.isra.0+0x5ed/0xae0 mm/gup.c:648
follow_pud_mask mm/gup.c:677 [inline]
follow_p4d_mask.constprop.0+0x309/0x6e0 mm/gup.c:694
follow_page_mask+0x209/0x350 mm/gup.c:744
__get_user_pages+0x21e/0xc20 mm/gup.c:1165
__get_user_pages_locked mm/gup.c:1431 [inline]
__gup_longterm_locked+0x178/0x1360 mm/gup.c:2124
internal_get_user_pages_fast+0x2df/0x3b0 mm/gup.c:3232
get_user_pages_fast+0xad/0x100 mm/gup.c:3310
vmci_host_setup_notify drivers/misc/vmw_vmci/vmci_host.c:246 [inline]
vmci_host_do_set_notify drivers/misc/vmw_vmci/vmci_host.c:798 [inline]
vmci_host_unlocked_ioctl+0x3d8/0x15c0
drivers/misc/vmw_vmci/vmci_host.c:953
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0x12d/0x190 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x59/0x110 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x78/0xe2
Can reproduce with following syzkaller log in latest upstream:
0s ago: executing program 4 (id=414):
kexec_load(0x0, 0x1, &(0x7f0000001740)=[{0x0, 0x0, 0x0, 0x2000000}],
0x4) (async)
r0 = openat$vmci(0xffffffffffffff9c, &(0x7f0000000000), 0x2, 0x0)
ioctl$IOCTL_VMCI_VERSION2(r0, 0x7a7, &(0x7f0000000080)=0x80000)
ioctl$IOCTL_VMCI_INIT_CONTEXT(r0, 0x7a0, &(0x7f0000000180)={@...al}) (async)
ioctl$IOCTL_VMCI_DATAGRAM_RECEIVE(r0, 0x7cb,
&(0x7f0000000040)={&(0x7f00000001c0)={{@...0x1}, {@...er}, 0x400,
"b27f0c7fac7b2b58bb0c2d60a35fa17e8d9e6687dc17565d50a0513736cf17a87d5258dec6a1b1504690b21862e189865885ef358a65b1b49291bad5b1f9fabc39d8aa399fba1aa269c986f57bb9d8333297da82457a7f63dc5c96e4b5641d90023c09ea4691fbe0b44b679634ac1125741501157e6121641e4975afea4631704276c8c0fd4a22fadc829908ce722077001b4a0828549a623c92d4ca4185609858a29f1d07bbcfe31d2b0291d5c10a14311f8f3b7004b550ed6aeff007cd0886f9efca0801f79d1cfe3f0c4c3d1bbc41464567004cb971ed6939e7022664a121298d737ebcd87e09bd85070382c8b2fcaeab407f44ae8a92ba9fdfbc6d2e691314846efa87d98a938d4034b51de9a036d57c819cb5043f77c58bf608ea58b53b8d83cc81e18e2795ecba0c054e896262ef5e37db3cbee41f82b1b58794794554718afcf64b2e25f46064d61c8346961a9622143993f1ed9f32e08c9b523acd7c427efc12982b1f93ef26be22fb91a476b075083c2ee370e0c4a4c34aaaf0f6643282cc5bc7ad58d15289bde617d5f0f558e7482050a8e7999c3e8e9bce1c3f20920ee01d00d90341c143ed42ed9e858ed608be4e02d95c280fc11a21ff6b6ffbf80c96c290da121bda783dd5d59fe922c61dd55725b7a1298c27ff5c15c279c6da7a7a6bc327a22ee6d15de543916cc4791dedd45c02c211b75803430d1d3b9c9a9880c7e8af22991b9006eff113008f5ff59d5cced6ca5e1f6492fc20624cabcfac4dfa6556236db6b3c0f15785007980b6e2b9fb5eca8672927ccdde6e254e70d718e42ad0c75abf5dcfe010824e5420ec7f52470523686e968725e81df54899a3a2c0b5be4aa9ab604130fbf3b95b1ba806d82aef887034405ef5f1123922c90953cfdedf34b77076bc252b33764ee921b757c07962ea620c5f6ee0129229ce0321e8db6a4b506323340a55a74f71b76c912698803cdf9e5827a2a60a2e88cae0f305e0feba117376584fcd1190e411f9211424b13f30654f27271c07102c998eded3a147b17eac2530cdcf353a7ae22483a3bf5d89dfc1ba9c9f6ba42ac566193bf4902ce5df3cbae9d90417326cbc2ad3f1cb9e000f040b810dbdfa99f97f29fe9e546cf3c99d2cb0cf18dda392f036ac99b3d7448da79eb5e755f8a72906f3349e927a67880b7995fe95916bd3f9b0575c93b46281f99f193d0e7a9662d98ee7072cd299b0a8a34ca40e8853cac51b3f57c5f4350f35a2682c88b02e47dee72ae7665185742a4046ad7e5475298000e48f8dc3ffb66826fd509e7088e7d9e5180385e66ec34e3928e2b5762d284be23cb4d9c90a7d31efbf8645222391efb47f2951b7142c055c7a23344b81dffdd21d21e850de7eb537c1023fc375c266dd55e9c27c8391b923363ffc0cfc6914e1af2e7b88e04ebc3bc1fee90e55cd"},
0x418, 0x4b}) (async)
ioctl$IOCTL_VMCI_SET_NOTIFY(r0, 0x7cb, &(0x7f0000000140))
socketpair$unix(0x1, 0x2, 0x0,
&(0x7f0000000040)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
r3 = dup2(r1, r2)
write$P9_RREMOVE(r3, 0x0, 0x65) (async)
ioctl$KVM_CAP_X86_APIC_BUS_CYCLES_NS(r3, 0x4068aea3,
&(0x7f00000000c0)={0xed, 0x0, 0x1e90}) (async)
r4 = socket$nl_generic(0x10, 0x3, 0x10) (async, rerun: 32)
sendmsg$nl_xfrm(r3, &(0x7f0000000840)={&(0x7f0000000600)={0x10, 0x0,
0x0, 0x80000000}, 0xc,
&(0x7f0000000800)={&(0x7f0000000640)=@...ae={0x1b0, 0x1f, 0x4, 0x70bd2c,
0x25dfdbfb, {{@in=@...pback, 0x4d5, 0x2, 0xff}, @in6=@...al, 0x2,
0x3503}, [@lifetime_val={0x24, 0x9, {0x2, 0x5, 0x2, 0x81}},
@lifetime_val={0x24, 0x9, {0xfffffffffffffffb, 0x10, 0x10000, 0x6fc}},
@sa={0xe4, 0x6, {{@...=@...al, @in6=@...vate0={0xfc, 0x0, '\x00', 0x93},
0x4e20, 0x84f, 0x4e23, 0x800, 0xa, 0xa0, 0x0, 0x3a, 0x0, 0xee01},
{@...=@...tdev={0xfe, 0x88, '\x00', 0x1, 0x0}, 0x4d2, 0x3c},
@in6=@...ty, {0x100000000, 0x5, 0x4, 0x3ff, 0x7, 0x80000000, 0xa, 0x8},
{0x8, 0x8, 0x745, 0x6}, {0x16, 0x6, 0x8}, 0x70bd2c, 0x34ff, 0xa, 0x0,
0x3, 0x2}}, @tmpl={0x44, 0x5, [{{@...=@...vate1, 0x4d6, 0x6c}, 0xa,
@in6=@...al, 0x3505, 0x4, 0x3, 0x7, 0xfffdf801, 0x3, 0x9}]}]}, 0x1b0},
0x1, 0x0, 0x0, 0x20000010}, 0x9b65ab93687f8eff) (async, rerun: 32)
r5 = syz_genetlink_get_family_id$mptcp(&(0x7f0000000180),
0xffffffffffffffff)
sendmsg$MPTCP_PM_CMD_SET_LIMITS(r4, &(0x7f0000000940)={0x0, 0x0,
&(0x7f0000000900)={&(0x7f0000000880)=ANY=[@ANYBLOB="18000000",
@ANYRES16=r5,
@ANYBLOB="01d400000a00000004aaf299ec81e1e91be9d0b73bea05462c25f60180f30000000000003a853e014f626cef36b2afcfa4b1a96e5403ab2c8a04"],
0xfffffffffffffecd}}, 0x0) (async)
kexec_load(0x0, 0x0, &(0x7f0000000140), 0x150000)
441.49334ms ago: executing program 3 (id=409):
ioctl$TCSETAW(0xffffffffffffffff, 0x5407, &(0x7f0000000100)={0x0, 0x0,
0x0, 0x0, 0x0, "2c62506e4daaa49f"})
r0 = syz_open_dev$tty20(0xc, 0x4, 0x0)
ioctl$KDSETKEYCODE(r0, 0x4b4d, &(0x7f0000000080)={0x6, 0x941})
ioctl$KDGKBMODE(r0, 0x80045440, &(0x7f0000000600))
perf_event_open$cgroup(&(0x7f0000000140)={0x0, 0x80, 0x9, 0x0, 0xf3,
0x0, 0x0, 0x83, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0x0, @perf_bp={0x0}, 0x0, 0x0, 0x8, 0x8}, 0xffffffffffffffff,
0x0, 0xffffffffffffffff, 0x0)
r1 = syz_open_dev$sg(&(0x7f0000000000), 0x1, 0x0)
pipe(&(0x7f0000000000)={<r2=>0xffffffffffffffff, <r3=>0xffffffffffffffff})
writev(r3, &(0x7f0000000640)=[{&(0x7f0000000040)="f7", 0xfffffdef}], 0x1)
poll(&(0x7f0000000140)=[{r3}], 0x1, 0x3ff)
readv(r2, &(0x7f00000002c0)=[{&(0x7f0000000080)=""/104, 0xfffffdef}], 0x1)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r4, &(0x7f0000002d80)={0x0, 0x0,
&(0x7f0000000000)={&(0x7f0000000080)=ANY=[@ANYBLOB="14000000210001000010000000000007000000"],
0x14}}, 0x0)
ioctl$SCSI_IOCTL_SEND_COMMAND(r1, 0x1,
&(0x7f0000000140)=ANY=[@ANYBLOB="c101000002000000a30c"])
io_setup(0x7fc, &(0x7f0000000140)=<r5=>0x0)
r6 = openat$sndtimer(0xffffffffffffff9c, &(0x7f0000000040), 0x0)
r7 = dup(r6)
io_submit(r5, 0x1, &(0x7f00000006c0)=[&(0x7f0000000340)={0x0, 0x0, 0x0,
0x5, 0x0, r7, 0x0}])
r8 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_CREATE(r8, &(0x7f0000000280)={0x0, 0x0,
&(0x7f0000000000)={&(0x7f00000001c0)=ANY=[@ANYBLOB="1400000002060109000000000000001ea9048a0d88fd"],
0x14}}, 0x0)
syz_open_dev$tty20(0xc, 0x4, 0x1)
Powered by blists - more mailing lists