Hi,
We would like to report the following bug which has been found by our
modified version of syzkaller.
======================================================
description: general protection fault in mas_empty_area_rev
affected file: lib/maple_tree.c
kernel version: 6.9-rc4
kernel commit: 0bbac3facb5d6cc0171c45c9873a2dc96bea9680
git tree: upstream
kernel config: attached
crash reproducer: attached
======================================================
Crash log:
general protection fault, probably for non-canonical address
0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 79545 Comm: syz-executor.0 Not tainted 6.9.0-rc4-dirty #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1
04/01/2014
RIP: 0010:ma_dead_node lib/maple_tree.c:560 [inline]
RIP: 0010:mas_data_end lib/maple_tree.c:1450 [inline]
RIP: 0010:mas_empty_area_rev+0x15ad/0x2320 lib/maple_tree.c:5114
Code: 83 fd 02 77 0f 45 85 ed 74 0a e8 ae b8 dc f6 49 8d 5c 24 08 e8 a4 b8
dc f6 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f
85 fc 08 00 00 49 8b 04 24 30 c0 49 39 c4 0f 84 92
RSP: 0018:ffffc9000fdff9b8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000005
RDX: 0000000000000000 RSI: ffffffff8aaf8efc RDI: 0000000000000007
RBP: 0000000000010000 R08: 0000000000000007 R09: 0000000000000002
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffffc9000fdffb24 R15: ffffc9000fdffae8
FS: 0000555581ad4480(0000) GS:ffff888063600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000118 CR3: 0000000040576000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
unmapped_area_topdown mm/mmap.c:1643 [inline]
vm_unmapped_area+0x2db/0xb30 mm/mmap.c:1682
arch_get_unmapped_area_topdown+0x384/0x750 arch/x86/kernel/sys_x86_64.c:212
thp_get_unmapped_area mm/huge_memory.c:864 [inline]
thp_get_unmapped_area+0x361/0x430 mm/huge_memory.c:854
get_unmapped_area+0x1db/0x3e0 mm/mmap.c:1845
do_mmap+0x282/0xef0 mm/mmap.c:1261
vm_mmap_pgoff+0x1a7/0x3b0 mm/util.c:573
ksys_mmap_pgoff+0x7d/0x5b0 mm/mmap.c:1431
__do_sys_mmap arch/x86/kernel/sys_x86_64.c:86 [inline]
__se_sys_mmap arch/x86/kernel/sys_x86_64.c:79 [inline]
__x64_sys_mmap+0x125/0x190 arch/x86/kernel/sys_x86_64.c:79
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xce/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7efd0e48ed67
Code: Unable to access opcode bytes at 0x7efd0e48ed3d.
RSP: 002b:00007fff4c4a2598 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007efd0e48ed67
RDX: 0000000000000000 RSI: 0000000000021000 RDI: 0000000000000000
RBP: 00007efd0d600640 R08: 00000000ffffffff R09: 0000000000000000
R10: 0000000000020022 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff4c4a2850 R14: 0000000000021000 R15: 0000000000000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ma_dead_node lib/maple_tree.c:560 [inline]
RIP: 0010:mas_data_end lib/maple_tree.c:1450 [inline]
RIP: 0010:mas_empty_area_rev+0x15ad/0x2320 lib/maple_tree.c:5114
Code: 83 fd 02 77 0f 45 85 ed 74 0a e8 ae b8 dc f6 49 8d 5c 24 08 e8 a4 b8
dc f6 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f
85 fc 08 00 00 49 8b 04 24 30 c0 49 39 c4 0f 84 92
RSP: 0018:ffffc9000fdff9b8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000005
RDX: 0000000000000000 RSI: ffffffff8aaf8efc RDI: 0000000000000007
RBP: 0000000000010000 R08: 0000000000000007 R09: 0000000000000002
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: ffffc9000fdffb24 R15: ffffc9000fdffae8
FS: 0000555581ad4480(0000) GS:ffff888063600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c01aa34000 CR3: 0000000040576000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
PKRU: 55555554
----------------
Code disassembly (best guess):
0: 83 fd 02 cmp $0x2,%ebp
3: 77 0f ja 0x14
5: 45 85 ed test %r13d,%r13d
8: 74 0a je 0x14
a: e8 ae b8 dc f6 call 0xf6dcb8bd
f: 49 8d 5c 24 08 lea 0x8(%r12),%rbx
14: e8 a4 b8 dc f6 call 0xf6dcb8bd
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 4c 89 e2 mov %r12,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2e: 0f 85 fc 08 00 00 jne 0x930
34: 49 8b 04 24 mov (%r12),%rax
38: 30 c0 xor %al,%al
3a: 49 39 c4 cmp %rax,%r12
3d: 0f .byte 0xf
3e: 84 .byte 0x84
3f: 92 xchg %eax,%edx
======================================================
Wishing you a nice day!
Best,
Marius
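The "non-canonical address" in the GPF line above is not the pointer that was dereferenced but its KASAN shadow address: the disassembly shows the inline shadow check (`mov %r12,%rdx; shr $0x3,%rdx; cmpb $0x0,(%rdx,%rax,1)`) with `%rax` holding the shadow offset and `%r12` the pointer. As an added illustration, not part of Marius's report or of the kernel, this Python decodes the register dump quoted from the log and recovers the checked pointer and the 8-byte granule KASAN reported, assuming the default x86-64 generic-KASAN layout (shadow = (addr >> 3) + offset, 8-byte granules).

```python
"""Decode the KASAN fault address from the x86-64 oops in the report above.

Constructed sample: the GPF line and register dump copied from the crash log.
Assumes generic KASAN on x86-64: shadow = (addr >> 3) + KASAN_SHADOW_OFFSET,
which is exactly what the trapping code bytes implement.
"""
import re

OOPS = """\
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000005
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
"""

KASAN_SHADOW_SCALE_SHIFT = 3           # generic KASAN: one shadow byte per 8 bytes
KASAN_GRANULE = 1 << KASAN_SHADOW_SCALE_SHIFT
PAGE_SIZE = 4096                       # below this, KASAN labels the access "null-ptr-deref"

def parse_regs(text):
    """Return {reg: int} for every 16-digit 'NAME: hex' pair in the dump."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b(R[A-Z0-9]{1,2}): ([0-9a-f]{16})", text)}

def shadow_addr(addr, offset):
    """Shadow byte the instrumented code loads before touching `addr`."""
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + offset

def shadow_to_range(shadow, offset):
    """Inverse mapping: the 8-byte granule a shadow byte covers."""
    base = (shadow - offset) << KASAN_SHADOW_SCALE_SHIFT
    return base, base + KASAN_GRANULE - 1

def classify(addr):
    """KASAN's coarse label for an access outside any tracked allocation."""
    return "null-ptr-deref" if addr < PAGE_SIZE else "other (see mm/kasan/report.c)"

def explain(oops):
    regs = parse_regs(oops)
    offset, ptr = regs["RAX"], regs["R12"]     # movabs $offset,%rax ; mov %r12,%rdx
    fault = shadow_addr(ptr, offset)
    reported = int(re.search(r"non-canonical address 0x([0-9a-f]+)", oops).group(1), 16)
    lo, hi = shadow_to_range(fault, offset)
    return {"checked_ptr": ptr, "fault_addr": fault, "matches_gpf": fault == reported,
            "range": (lo, hi), "bug_type": classify(lo)}

if __name__ == "__main__":
    for key, val in explain(OOPS).items():
        print(key, hex(val) if isinstance(val, int) and not isinstance(val, bool) else val)
```

Running it shows that `%r12` was NULL, that the shadow of NULL is exactly the 0xdffffc0000000000 the GPF line names, and that the reported range [0x0-0x7] is the granule that shadow byte covers, so the report is a plain NULL node dereference in `ma_dead_node()` rather than an access to a wild kernel address.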
* Marius Fleischer <[email protected]> [240420 16:08]:
> Hi,
>
>
> We would like to report the following bug which has been found by our
> modified version of syzkaller.
>
> ======================================================
>
> description: general protection fault in mas_empty_area_rev
>
> affected file: lib/maple_tree.c
>
> kernel version: 6.9-rc4
>
> kernel commit: 0bbac3facb5d6cc0171c45c9873a2dc96bea9680
>
> git tree: upstream
>
> kernel config: attached
>
> crash reproducer: attached
>
> ======================================================
Thank you for reporting this issue. I'm currently looking at what went
wrong.
It does not occur with my configuration against the reported kernel
version. I'll attempt to recreate it with your kernel config next -
with whatever modifications I need to get it to boot in my test
environment.
>
> Crash log:
>
> general protection fault, probably for non-canonical address
> 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
>
> KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
>
> CPU: 0 PID: 79545 Comm: syz-executor.0 Not tainted 6.9.0-rc4-dirty #3
This indicates that you built with your own patches. Could you test an
unmodified 6.9.0-rc4 with your setup?
Thanks,
Liam
>
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1
> 04/01/2014
>
> RIP: 0010:ma_dead_node lib/maple_tree.c:560 [inline]
>
> RIP: 0010:mas_data_end lib/maple_tree.c:1450 [inline]
>
> RIP: 0010:mas_empty_area_rev+0x15ad/0x2320 lib/maple_tree.c:5114
>
..
> Call Trace:
>
> <TASK>
>
> unmapped_area_topdown mm/mmap.c:1643 [inline]
>
> vm_unmapped_area+0x2db/0xb30 mm/mmap.c:1682
>
> arch_get_unmapped_area_topdown+0x384/0x750 arch/x86/kernel/sys_x86_64.c:212
>
> thp_get_unmapped_area mm/huge_memory.c:864 [inline]
>
> thp_get_unmapped_area+0x361/0x430 mm/huge_memory.c:854
>
> get_unmapped_area+0x1db/0x3e0 mm/mmap.c:1845
>
> do_mmap+0x282/0xef0 mm/mmap.c:1261
>
> vm_mmap_pgoff+0x1a7/0x3b0 mm/util.c:573
..
Hi Liam,
Thank you so much for the response!
> >
> > Crash log:
> >
> > general protection fault, probably for non-canonical address
> > 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
> >
> > KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> >
> > CPU: 0 PID: 79545 Comm: syz-executor.0 Not tainted 6.9.0-rc4-dirty #3
>
> This indicates that you built with your own patches. Could you test an
> unmodified 6.9.0-rc4 with your setup?
>
I'm very sorry for this oversight. I had applied the patches for another bug
from this conversation
(https://lore.kernel.org/all/[email protected]/T/#m480f21ab850996395082d0faab7f624f45b83781)
I will test the reproducer without these patches and get back to you!
If there is any other information I can provide to help you, please let me know!
Wishing you a lovely start to the week!
Best,
Marius
* Marius Fleischer <[email protected]> [240422 11:11]:
> Hi Liam,
>
> Thank you so much for the response!
>
> > >
> > > Crash log:
> > >
> > > general protection fault, probably for non-canonical address
> > > 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
> > >
> > > KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> > >
> > > CPU: 0 PID: 79545 Comm: syz-executor.0 Not tainted 6.9.0-rc4-dirty #3
> >
> > This indicates that you built with your own patches. Could you test an
> > unmodified 6.9.0-rc4 with your setup?
> >
>
> I'm very sorry for this oversight. I had applied the patches for another bug
> from this conversation
> (https://lore.kernel.org/all/[email protected]/T/#m480f21ab850996395082d0faab7f624f45b83781)
> I will test the reproducer without these patches and get back to you!
After testing with your config, I can see that those fixes are needed to
boot.
I am going to try 6.9-rc5 with your configuration and see if I can
trigger the issue there.
>
> If there is any other information I can provide to help you, please let me know!
>
> Wishing you a lovely start to the week!
Thanks for the prompt response and information.
Regards,
Liam
* Liam R. Howlett <[email protected]> [240422 11:25]:
> * Marius Fleischer <[email protected]> [240422 11:11]:
> > Hi Liam,
> >
> > Thank you so much for the response!
> >
> > > >
> > > > Crash log:
> > > >
> > > > general protection fault, probably for non-canonical address
> > > > 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
> > > >
> > > > KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> > > >
> > > > CPU: 0 PID: 79545 Comm: syz-executor.0 Not tainted 6.9.0-rc4-dirty #3
> > >
> > > This indicates that you built with your own patches. Could you test an
> > > unmodified 6.9.0-rc4 with your setup?
> > >
> >
> > I'm very sorry for this oversight. I had applied the patches for another bug
> > from this conversation
> > (https://lore.kernel.org/all/[email protected]/T/#m480f21ab850996395082d0faab7f624f45b83781)
> > I will test the reproducer without these patches and get back to you!
>
> After testing with your config, I can see that those fixes are needed to
> boot.
>
> I am going to try 6.9-rc5 with your configuration and see if I can
> trigger the issue there.
>
The reproducer does not trigger for me with your configuration and
reproducer.
Does it still happen for you in 6.9-rc5?
Thanks,
Liam
Hi Liam,
On Mon, 22 Apr 2024 at 10:05, Liam R. Howlett <[email protected]> wrote:
> * Liam R. Howlett <[email protected]> [240422 11:25]:
> > * Marius Fleischer <[email protected]> [240422 11:11]:
> > > Hi Liam,
> > >
> > > Thank you so much for the response!
> > >
> > > > >
> > > > > Crash log:
> > > > >
> > > > > general protection fault, probably for non-canonical address
> > > > > 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
> > > > >
> > > > > KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> > > > >
> > > > > CPU: 0 PID: 79545 Comm: syz-executor.0 Not tainted 6.9.0-rc4-dirty #3
> > > >
> > > > This indicates that you built with your own patches. Could you test an
> > > > unmodified 6.9.0-rc4 with your setup?
> > > >
> > >
> > > I'm very sorry for this oversight. I had applied the patches for another bug
> > > from this conversation
> > > (https://lore.kernel.org/all/[email protected]/T/#m480f21ab850996395082d0faab7f624f45b83781)
> > > I will test the reproducer without these patches and get back to you!
> >
> > After testing with your config, I can see that those fixes are needed to
> > boot.
> >
> > I am going to try 6.9-rc5 with your configuration and see if I can
> > trigger the issue there.
> >
>
> The reproducer does not trigger for me with your configuration and
> reproducer.
>
> Does it still happen for you in 6.9-rc5?
>
You are right, indeed, I was not able to boot v6.9-rc4 without the fixes.
I tested the reproducer on 6.9-rc5 (ed30a4a51bb196781c8058073ea720133a65596f)
and it still triggers the crash in my setup. How can I help you further
troubleshoot this issue?
Thanks,
Marius
* Marius Fleischer <[email protected]> [240422 14:07]:
> Hi Liam,
>
> On Mon, 22 Apr 2024 at 10:05, Liam R. Howlett <[email protected]> wrote:
> > * Liam R. Howlett <[email protected]> [240422 11:25]:
> > > * Marius Fleischer <[email protected]> [240422 11:11]:
> > > > Hi Liam,
> > > >
> > > > Thank you so much for the response!
> > > >
> > > > > >
> > > > > > Crash log:
> > > > > >
> > > > > > general protection fault, probably for non-canonical address
> > > > > > 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
> > > > > >
> > > > > > KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> > > > > >
> > > > > > CPU: 0 PID: 79545 Comm: syz-executor.0 Not tainted 6.9.0-rc4-dirty #3
> > > > >
> > > > > This indicates that you built with your own patches. Could you test an
> > > > > unmodified 6.9.0-rc4 with your setup?
> > > > >
> > > >
> > > > I'm very sorry for this oversight. I had applied the patches for another bug
> > > > from this conversation
> > > > (https://lore.kernel.org/all/[email protected]/T/#m480f21ab850996395082d0faab7f624f45b83781)
> > > > I will test the reproducer without these patches and get back to you!
> > >
> > > After testing with your config, I can see that those fixes are needed to
> > > boot.
> > >
> > > I am going to try 6.9-rc5 with your configuration and see if I can
> > > trigger the issue there.
> > >
> >
> > The reproducer does not trigger for me with your configuration and
> > reproducer.
> >
> > Does it still happen for you in 6.9-rc5?
> >
> You are right, indeed, I was not able to boot v6.9-rc4 without the fixes.
>
> I tested the reproducer on 6.9-rc5 (ed30a4a51bb196781c8058073ea720133a65596f)
> and it still triggers the crash in my setup. How can I help you further
> troubleshoot this issue?
Can you try the attached patch and see if that stops the crash?
Thanks,
Liam
Hi Liam,
On Mon, 22 Apr 2024 at 11:53, Liam R. Howlett <[email protected]> wrote:
> * Marius Fleischer <[email protected]> [240422 14:07]:
> > Hi Liam,
> >
> > On Mon, 22 Apr 2024 at 10:05, Liam R. Howlett <[email protected]> wrote:
> > > * Liam R. Howlett <[email protected]> [240422 11:25]:
> > > > * Marius Fleischer <[email protected]> [240422 11:11]:
> > > > > Hi Liam,
> > > > >
> > > > > Thank you so much for the response!
> > > > >
> > > > > > >
> > > > > > > Crash log:
> > > > > > >
> > > > > > > general protection fault, probably for non-canonical address
> > > > > > > 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
> > > > > > >
> > > > > > > KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> > > > > > >
> > > > > > > CPU: 0 PID: 79545 Comm: syz-executor.0 Not tainted 6.9.0-rc4-dirty #3
> > > > > >
> > > > > > This indicates that you built with your own patches. Could you test an
> > > > > > unmodified 6.9.0-rc4 with your setup?
> > > > > >
> > > > >
> > > > > I'm very sorry for this oversight. I had applied the patches for another bug
> > > > > from this conversation
> > > > > (https://lore.kernel.org/all/[email protected]/T/#m480f21ab850996395082d0faab7f624f45b83781)
> > > > > I will test the reproducer without these patches and get back to you!
> > > >
> > > > After testing with your config, I can see that those fixes are needed to
> > > > boot.
> > > >
> > > > I am going to try 6.9-rc5 with your configuration and see if I can
> > > > trigger the issue there.
> > > >
> > >
> > > The reproducer does not trigger for me with your configuration and
> > > reproducer.
> > >
> > > Does it still happen for you in 6.9-rc5?
> > >
> > You are right, indeed, I was not able to boot v6.9-rc4 without the fixes.
> >
> > I tested the reproducer on 6.9-rc5 (ed30a4a51bb196781c8058073ea720133a65596f)
> > and it still triggers the crash in my setup. How can I help you further
> > troubleshoot this issue?
>
> Can you try the attached patch and see if that stops the crash?
>
I tested your patch against 6.9-rc5. It stops the crash.
Best,
Marius