2022-10-10 12:53:36

by Wei Chen

Subject: kernel BUG in page_try_dup_anon_rmap

Dear Linux Developer,

Recently when using our tool to fuzz the kernel, the following crash was triggered:

HEAD commit: 03c765b0e3b4 Linux 5.19-rc4
git tree: upstream
compiler: clang 12.0.0
console output:
https://drive.google.com/file/d/16ht-2pDp_nU_nXhobMfHaQraVt4qfzBK/view?usp=sharing
kernel config: https://drive.google.com/file/d/1lNGU17X6Ui1NDLE4XCRu3I6f9lzhCBcH/view?usp=sharing

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: Wei Chen <[email protected]>

kernel BUG at include/linux/mm.h:1585!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 20332 Comm: syz-executor Not tainted 5.19.0-rc4 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:page_try_dup_anon_rmap+0x927/0x1120
Code: e6 ff 0f 00 00 31 ff e8 87 75 b2 ff 4c 89 e0 48 25 ff 0f 00 00
0f 84 0e 01 00 00 e8 c3 70 b2 ff e9 43 03 00 00 e8 b9 70 b2 ff <0f> 0b
e8 b2 70 b2 ff 4c 89 e7 48 c7 c6 80 96 9e 8a e8 03 91 ee ff
RSP: 0018:ffffc900088e7368 EFLAGS: 00010287
RAX: ffffffff81d29967 RBX: 0000000000000000 RCX: 0000000000040000
RDX: ffffc900084b9000 RSI: 00000000000023c4 RDI: 00000000000023c5
RBP: ffff88802e3a0670 R08: ffffffff81d29420 R09: fffff9400011d001
R10: fffff9400011d001 R11: 0000000000000000 R12: ffffea00008e8000
R13: dffffc0000000000 R14: ffff88802e3a0670 R15: 1ffff11005c740ce
FS: 00007fa374806700(0000) GS:ffff888063c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa3737b8000 CR3: 000000002f26f000 CR4: 0000000000750ef0
DR0: 0000000020000080 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
copy_hugetlb_page_range+0xc9d/0x1cc0
copy_page_range+0x424/0x1b40
dup_mmap+0xa72/0xf80
dup_mm+0x8c/0x310
copy_process+0x2b3b/0x60d0
kernel_clone+0x21a/0x7d0
__do_sys_fork+0x9e/0xf0
do_syscall_64+0x3d/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fa373695c4d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa374805c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000039
RAX: ffffffffffffffda RBX: 00007fa3737bc0a0 RCX: 00007fa373695c4d
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007fa37370ed80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa3737bc0a0
R13: 00007ffc0a3c127f R14: 00007ffc0a3c1420 R15: 00007fa374805dc0
</TASK>
Modules linked in:
Dumping ftrace buffer:
(ftrace buffer empty)
---[ end trace 0000000000000000 ]---
RIP: 0010:page_try_dup_anon_rmap+0x927/0x1120
Code: e6 ff 0f 00 00 31 ff e8 87 75 b2 ff 4c 89 e0 48 25 ff 0f 00 00
0f 84 0e 01 00 00 e8 c3 70 b2 ff e9 43 03 00 00 e8 b9 70 b2 ff <0f> 0b
e8 b2 70 b2 ff 4c 89 e7 48 c7 c6 80 96 9e 8a e8 03 91 ee ff
RSP: 0018:ffffc900088e7368 EFLAGS: 00010287
RAX: ffffffff81d29967 RBX: 0000000000000000 RCX: 0000000000040000
RDX: ffffc900084b9000 RSI: 00000000000023c4 RDI: 00000000000023c5
RBP: ffff88802e3a0670 R08: ffffffff81d29420 R09: fffff9400011d001
R10: fffff9400011d001 R11: 0000000000000000 R12: ffffea00008e8000
R13: dffffc0000000000 R14: ffff88802e3a0670 R15: 1ffff11005c740ce
FS: 00007fa374806700(0000) GS:ffff888063c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa3737b8000 CR3: 000000002f26f000 CR4: 0000000000750ef0
DR0: 0000000020000080 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
PKRU: 55555554

Best,
Wei


2022-10-10 21:26:06

by Matthew Wilcox

Subject: Re: kernel BUG in page_try_dup_anon_rmap

On Mon, Oct 10, 2022 at 08:25:58PM +0800, Wei Chen wrote:
> Dear Linux Developer,
>
> Recently when using our tool to fuzz the kernel, the following crash was triggered:

We don't need more people running syzkaller. We need more people
investigating syzkaller reports.

2022-10-14 08:24:43

by Vlastimil Babka

Subject: Re: kernel BUG in page_try_dup_anon_rmap

On 10/10/22 14:25, Wei Chen wrote:
> Dear Linux Developer,
>
> Recently when using our tool to fuzz the kernel, the following crash was triggered:
>
> HEAD commit: 03c765b0e3b4 Linux 5.19-rc4

That's a rather odd version to report against, now that there's v6.0 final?
(not to mention 5.19 final, months ago) Or is v5.19-rc4 just the first
affected tag and the bug persists until v6.0?


2022-10-20 16:43:59

by Wei Chen

Subject: Re: kernel BUG in page_try_dup_anon_rmap

Dear Vlastimil,

Thank you for the reply. The bug persists in v6.0. Here is the
information. Luckily I got a C reproducer this time.

HEAD commit: 4fe89d07 Linux v6.0
git tree: upstream
compiler: clang 12.0.0
console output:
https://drive.google.com/file/d/18oQROgRr2u8jzgV83i9xHmoCEXN7PQ8b/view?usp=sharing
Syzlang reproducer:
https://drive.google.com/file/d/1g5DwpvjI_-I3bBkYrLeoQTFFcSBw2bvY/view?usp=sharing
C reproducer: https://drive.google.com/file/d/1ZMiiTqx0Qh-7A9ucb-0kq0civg_sXB7X/view?usp=sharing
kernel config: https://drive.google.com/file/d/1ZHRxVTXHL9mENdAPmQYS1DtgbflZ9XsD/view?usp=sharing

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: Wei Chen <[email protected]>

kernel BUG at include/linux/mm.h:1529!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 6605 Comm: syz-executor919 Not tainted 6.0.0 #35
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:page_needs_cow_for_dma include/linux/mm.h:1529 [inline]
RIP: 0010:page_try_dup_anon_rmap+0x703/0xc40 include/linux/rmap.h:253
Code: 31 ff e8 30 d6 b4 ff 4c 89 e0 48 25 ff 0f 00 00 0f 84 39 01 00
00 e8 6c d1 b4 ff 4c 8b 74 24 08 e9 b4 fa ff ff e8 5d d1 b4 ff <0f> 0b
4c 89 e7 be 08 00 00 00 e8 9e a0 05 00 4c 89 e0 48 c1 e8 03
RSP: 0018:ffffc900051ef270 EFLAGS: 00010293
RAX: ffffffff81d247c3 RBX: 0000000000000000 RCX: ffff888044b22440
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 1ffff11003f580ef R08: ffffffff81d243d0 R09: fffff940000fe001
R10: fffff940000fe001 R11: 0000000000000000 R12: ffffea00007f0000
R13: dffffc0000000000 R14: 1ffffd40000fe001 R15: ffff88801fac0778
FS: 00005555564ba940(0000) GS:ffff88802cc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200002c0 CR3: 0000000014ad2000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
copy_hugetlb_page_range+0xc86/0x1eb0 mm/hugetlb.c:4846
copy_page_range+0x424/0x1b40 mm/memory.c:1288
dup_mmap+0xa72/0xf80 kernel/fork.c:699
dup_mm+0x8c/0x310 kernel/fork.c:1525
copy_mm kernel/fork.c:1577 [inline]
copy_process+0x2b92/0x6130 kernel/fork.c:2254
kernel_clone+0x21a/0x7d0 kernel/fork.c:2671
__do_sys_clone3 kernel/fork.c:2963 [inline]
__se_sys_clone3+0x357/0x400 kernel/fork.c:2947
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7efee9f6102d
Code: 28 c3 e8 66 2a 00 00 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 c4 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffff00b0558 EFLAGS: 00000246 ORIG_RAX: 00000000000001b3
RAX: ffffffffffffffda RBX: 00007ffff00b0568 RCX: 00007efee9f6102d
RDX: 00007efee9f6102d RSI: 0000000000000058 RDI: 00000000200002c0
RBP: 00007ffff00b0560 R08: 00007ffff00b0560 R09: 00007efee9f19460
R10: 00007ffff00b0560 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:page_needs_cow_for_dma include/linux/mm.h:1529 [inline]
RIP: 0010:page_try_dup_anon_rmap+0x703/0xc40 include/linux/rmap.h:253
Code: 31 ff e8 30 d6 b4 ff 4c 89 e0 48 25 ff 0f 00 00 0f 84 39 01 00
00 e8 6c d1 b4 ff 4c 8b 74 24 08 e9 b4 fa ff ff e8 5d d1 b4 ff <0f> 0b
4c 89 e7 be 08 00 00 00 e8 9e a0 05 00 4c 89 e0 48 c1 e8 03
RSP: 0018:ffffc900051ef270 EFLAGS: 00010293
RAX: ffffffff81d247c3 RBX: 0000000000000000 RCX: ffff888044b22440
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 1ffff11003f580ef R08: ffffffff81d243d0 R09: fffff940000fe001
R10: fffff940000fe001 R11: 0000000000000000 R12: ffffea00007f0000
R13: dffffc0000000000 R14: 1ffffd40000fe001 R15: ffff88801fac0778
FS: 00005555564ba940(0000) GS:ffff88802cc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200002c0 CR3: 0000000014ad2000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554

Best,
Wei

On Fri, 14 Oct 2022 at 15:54, Vlastimil Babka <[email protected]> wrote:
>
> On 10/10/22 14:25, Wei Chen wrote:
> > Dear Linux Developer,
> >
> > Recently when using our tool to fuzz the kernel, the following crash was triggered:
> >
> > HEAD commit: 03c765b0e3b4 Linux 5.19-rc4
>
> That's a rather odd version to report against, now that there's v6.0 final?
> (not to mention 5.19 final, months ago) Or is v5.19-rc4 just the first
> affected tag and the bug persists until v6.0?

2022-10-20 17:02:53

by Mike Kravetz

Subject: Re: kernel BUG in page_try_dup_anon_rmap

On 10/21/22 00:21, Wei Chen wrote:
> Dear Vlastimil,
>
> Thank you for the reply. The bug persists in v6.0. Here is the
> information. Luckily I got C reproducer this time.

Ooh. Looks like the reproducer is doing a MADV_DONTNEED on a hugetlb mapping.
That support was added somewhat recently (5.18). Not sure if it is related in
any way. Have not looked at the code/implementation around write_protect_seq.
--
Mike Kravetz


2022-10-20 22:13:57

by Mike Kravetz

Subject: Re: kernel BUG in page_try_dup_anon_rmap

On 10/20/22 09:59, Mike Kravetz wrote:
> On 10/21/22 00:21, Wei Chen wrote:
> > Dear Vlastimil,
> >
> > Thank you for the reply. The bug persists in v6.0. Here is the
> > information. Luckily I got C reproducer this time.
>
> Ooh. Looks like the reproducer is doing a MADV_DONTNEED on a hugetlb mapping.
> That support was added somewhat recently (5.18). Not sure if it is related in
> any way. Have not looked at the code/implementation around write_protect_seq.

I verified that the new hugetlb MADV_DONTNEED is the root cause. :(

The reproducer calls madvise(MADV_DONTNEED) on the hugetlb mapping before
mapping any pages. madvise(MADV_DONTNEED) ends up calling:
zap_page_range
unmap_single_vma
__unmap_hugepage_range_final

__unmap_hugepage_range_final ends up clearing VM_MAYSHARE. This is
because it assumes the vma is going away and wants to prevent someone from
doing PMD sharing with the vma on its way out. This causes confusion in
subsequent faults in the vma, as sharing or private keys off VM_MAYSHARE.
We then end up with pages in the page table where page_mapping is NULL.

Somewhat good news is that I thought clearing of VM_MAYSHARE as done above
was kludgy and was able to remove it in 6.1 with the introduction of hugetlb
vma_lock for pmd sharing. So, should not be an issue in development
branches.

I'll come up with a way to fix for 5.18 to 6.0 kernels.
--
Mike Kravetz
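
Editor's note: the trigger sequence Mike describes above (shared hugetlb mapping, MADV_DONTNEED before any page is mapped, faults, then fork) written out as a C program. This is an added example, not the reporter's C reproducer (which is only linked above) and not kernel code; it reconstructs the sequence from Mike's description. The 2 MiB hugepage size, the NR_HPAGES count and the function and status names are assumptions. On an affected 5.18 to 6.0 kernel the fork() does not return because the kernel hits the BUG_ON in page_try_dup_anon_rmap, so run it only in a throwaway VM; on a kernel without the bug, or without any reserved hugepages (echo 8 > /proc/sys/vm/nr_hugepages as root to reserve some), it completes and reports what happened.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks for older libc headers; the values are the kernel UAPI ones. */
#ifndef MAP_HUGETLB
#define MAP_HUGETLB 0x40000
#endif
#ifndef MAP_HUGE_SHIFT
#define MAP_HUGE_SHIFT 26
#endif
#ifndef MAP_HUGE_2MB
#define MAP_HUGE_2MB (21 << MAP_HUGE_SHIFT)
#endif

#define HPAGE_SIZE (2UL << 20)  /* assumption: 2 MiB hugepages (x86-64 default) */
#define NR_HPAGES  2            /* assumption: two hugepages are enough to show it */

enum repro_status {
    REPRO_DONE    = 0,  /* whole sequence ran; fork returned and the child exited */
    REPRO_SKIPPED = 1,  /* no usable hugetlb mapping on this system; nothing exercised */
    REPRO_ERROR   = 2,  /* unexpected failure in madvise/fork/waitpid */
};

/* Hypothetical name. On an affected 5.18..6.0 kernel this does not return:
 * step 4 hits BUG_ON in page_try_dup_anon_rmap via copy_hugetlb_page_range. */
int run_hugetlb_dontneed_fork(void)
{
    size_t len = HPAGE_SIZE * NR_HPAGES;

    /* 1. Shared anonymous hugetlb mapping: the vma starts out with VM_MAYSHARE. */
    char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_HUGE_2MB, -1, 0);
    if (p == MAP_FAILED) {
        /* ENOMEM: no reserved hugepages; EINVAL: 2 MiB hugepages unsupported here. */
        if (errno == ENOMEM || errno == EINVAL)
            return REPRO_SKIPPED;
        return REPRO_ERROR;
    }

    /* 2. MADV_DONTNEED before a single page is mapped. Per Mike's analysis this
     *    reaches __unmap_hugepage_range_final, which clears VM_MAYSHARE on the
     *    vma although the vma is not going away. */
    if (madvise(p, len, MADV_DONTNEED) != 0) {
        int saved = errno;
        munmap(p, len);
        /* Kernels without hugetlb MADV_DONTNEED support reject it with EINVAL. */
        return saved == EINVAL ? REPRO_SKIPPED : REPRO_ERROR;
    }

    /* 3. Fault the hugepages in. With VM_MAYSHARE gone the fault path keys off
     *    "private" and installs pages whose page_mapping is NULL. */
    for (size_t off = 0; off < len; off += HPAGE_SIZE)
        p[off] = (char)(off / HPAGE_SIZE);

    /* 4. fork: dup_mmap -> copy_page_range -> copy_hugetlb_page_range ->
     *    page_try_dup_anon_rmap, the path in the reported call trace. */
    pid_t pid = fork();
    if (pid < 0) {
        munmap(p, len);
        return REPRO_ERROR;
    }
    if (pid == 0)
        _exit(0);

    int status;
    int ok = waitpid(pid, &status, 0) == pid &&
             WIFEXITED(status) && WEXITSTATUS(status) == 0;
    munmap(p, len);
    return ok ? REPRO_DONE : REPRO_ERROR;
}

int main(void)
{
    int r = run_hugetlb_dontneed_fork();
    if (r == REPRO_DONE)
        puts("fork returned: this kernel does not hit the BUG");
    else if (r == REPRO_SKIPPED)
        puts("skipped: no usable hugetlb mapping (reserve hugepages and retry)");
    else
        perror("reproducer failed");
    return r == REPRO_ERROR;
}
```

The order of steps 2 and 3 is the whole point: MADV_DONTNEED on an already populated hugetlb mapping is the supported use, while calling it before any fault is what leaves the vma without VM_MAYSHARE. If you want to confirm the flag change on an affected kernel without crashing it, stop after step 2 and compare the vma's VmFlags line in /proc/self/smaps for the mapping before and after the madvise call.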