2024-03-13 05:02:34

by cheung wall

Subject: WARNING in kvm_age_gfn

Hello,

when using Syzkaller to fuzz the latest Linux Kernel arm64 version,
the following crash was triggered on:

HEAD commit: 0dd3ee31125508cd67f7e7172247f05b7fd1753a (tag: v6.7)

git tree: upstream

console output: https://pastebin.com/raw/3NCyqPUn

kernel config: https://pastebin.com/raw/mXEg4abU

C reproducer: https://pastebin.com/raw/N0gEqk5x

Syzlang reproducer: https://pastebin.com/raw/mJKwrP6m


If you fix this issue, please add the following tag to the commit:

Reported-by: Qiang Zhang <[email protected]>

----------------------------------------------------------

WARNING: CPU: 0 PID: 711 at arch/arm64/kvm/mmu.c:1592
kvm_age_gfn+0x64/0xdc
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/arch/arm64/kvm/mmu.c:1592
Modules linked in:
CPU: 0 PID: 711 Comm: syz-executor.0 Not tainted 6.1.61 #3
Hardware name: linux,dummy-virt (DT)
pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : kvm_age_gfn+0x64/0xdc
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/arch/arm64/kvm/mmu.c:1592
lr : kvm_age_gfn+0x64/0xdc
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/arch/arm64/kvm/mmu.c:1592
sp : ffff80000a153350
x29: ffff80000a153350 x28: 0000000000000030 x27: ffffffffffffffe0
x26: 0000000000000fff x25: ffff3f0640df85a0 x24: 0000000000000000
x23: 0000000000000000 x22: ffff3f064205aa00 x21: ffff3f0640df8000
x20: ffff80000a153410 x19: 0000000000002000 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000028
x14: 00000000000048c9 x13: 0000000000000005 x12: 0000000000000003
x11: 0000000000000000 x10: fffffffffffcbda8 x9 : ffffd1a886f24000
x8 : 0000000042b8808b x7 : 0000000000000053 x6 : 00000000000014f2
x5 : ffffd1a8859b7000 x4 : ffffd1a883a72ec8 x3 : ffffd1a883a00000
x2 : 0000000000000000 x1 : ffff3f0642374c80 x0 : 0000000000000000
Call trace:
kvm_age_gfn+0x64/0xdc
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/arch/arm64/kvm/mmu.c:1592
__kvm_handle_hva_range
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/arch/arm64/kvm/../../../virt/kvm/kvm_main.c:635
[inline]
kvm_handle_hva_range
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/arch/arm64/kvm/../../../virt/kvm/kvm_main.c:672
[inline]
kvm_mmu_notifier_clear_flush_young+0x11c/0x300
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/arch/arm64/kvm/../../../virt/kvm/kvm_main.c:870
__mmu_notifier_clear_flush_young+0xa0/0x110
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/mm/mmu_notifier.c:377
mmu_notifier_clear_flush_young
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/./include/linux/mmu_notifier.h:423
[inline]
folio_referenced_one+0x334/0x3e4
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/mm/rmap.c:846
rmap_walk_anon+0x1e0/0x3cc
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/mm/rmap.c:2451
rmap_walk data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/mm/rmap.c:2527
[inline]
rmap_walk data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/mm/rmap.c:2522
[inline]
folio_referenced+0x1b4/0x270
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/mm/rmap.c:933
folio_check_references
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/mm/vmscan.c:1456
[inline]
shrink_folio_list+0x720/0x108c
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/mm/vmscan.c:1789
reclaim_folio_list+0x94/0x194
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/mm/vmscan.c:2688
reclaim_pages+0x128/0x1c0
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/mm/vmscan.c:2724
madvise_cold_or_pageout_pte_range+0x5d8/0xc90
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/mm/madvise.c:403
walk_pmd_range
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/mm/pagewalk.c:128
[inline]
walk_pud_range
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/mm/pagewalk.c:205
[inline]
walk_p4d_range
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/mm/pagewalk.c:240
[inline]
walk_pgd_range+0x4c0/0x734
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/mm/pagewalk.c:277
__walk_page_range+0x1c8/0x1d0
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/mm/pagewalk.c:379
walk_page_range+0x1cc/0x240
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/mm/pagewalk.c:477
madvise_pageout_page_range
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/mm/madvise.c:552
[inline]
madvise_pageout+0x120/0x2f0
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/mm/madvise.c:589
madvise_vma_behavior
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/mm/madvise.c:1021
[inline]
madvise_walk_vmas
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/mm/madvise.c:1250
[inline]
do_madvise+0x698/0x1310
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/mm/madvise.c:1429
__do_sys_madvise
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/mm/madvise.c:1442
[inline]
__se_sys_madvise
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/mm/madvise.c:1440
[inline]
__arm64_sys_madvise+0x2c/0x40
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/mm/madvise.c:1440
__invoke_syscall
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/arch/arm64/kernel/syscall.c:38
[inline]
invoke_syscall+0x5c/0x164
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/arch/arm64/kernel/syscall.c:52
el0_svc_common.constprop.0+0x6c/0x15c
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/arch/arm64/kernel/syscall.c:142
do_el0_svc+0x4c/0x100
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/arch/arm64/kernel/syscall.c:206
el0_svc+0x48/0xc0
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0xf4/0x120
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/arch/arm64/kernel/entry.S:585
irq event stamp: 1994
hardirqs last enabled at (1993): [<ffffd1a884ff0538>]
__exit_to_kernel_mode
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/arch/arm64/kernel/entry-common.c:84
[inline]
hardirqs last enabled at (1993): [<ffffd1a884ff0538>]
exit_to_kernel_mode+0x38/0x140
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/arch/arm64/kernel/entry-common.c:94
hardirqs last disabled at (1994): [<ffffd1a884fefd14>]
el1_dbg+0x24/0x90
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/arch/arm64/kernel/entry-common.c:405
softirqs last enabled at (1962): [<ffffd1a883a178cc>]
__put_cpu_fpsimd_context
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/arch/arm64/kernel/fpsimd.c:260
[inline]
softirqs last enabled at (1962): [<ffffd1a883a178cc>]
put_cpu_fpsimd_context+0x2c/0x74
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/arch/arm64/kernel/fpsimd.c:272
softirqs last disabled at (1960): [<ffffd1a883a17834>]
get_cpu_fpsimd_context+0x0/0x6c
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/arch/arm64/kernel/fpsimd.c:261


2024-03-13 05:26:21

by Oliver Upton

Subject: Re: WARNING in kvm_age_gfn

Hi,

On Wed, Mar 13, 2024 at 01:02:10PM +0800, cheung wall wrote:
> Hello,
>
> when using Syzkaller to fuzz the latest Linux Kernel arm64 version,
> the following crash

First, thank you. Glad to see folks are fuzzing KVM/arm64 now.

> was triggered on:
>
> HEAD commit: 0dd3ee31125508cd67f7e7172247f05b7fd1753a (tag: v6.7)

In order for these sorts of bug reports to be actionable, they really
need to be against a close-to-upstream tree. 6.8 is out now, and 6.9-rc1
is right around the corner.

Having said that, I think there might be an issue or two with your bot
because...

> git tree: upstream
>
> console output: https://pastebin.com/raw/3NCyqPUn
>
> kernel config: https://pastebin.com/raw/mXEg4abU
>
> C reproducer: https://pastebin.com/raw/N0gEqk5x

This reproducer doesn't work on upstream (tested kvmarm-6.9 tag), and

> WARNING: CPU: 0 PID: 711 at arch/arm64/kvm/mmu.c:1592
> kvm_age_gfn+0x64/0xdc
> data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/arch/arm64/kvm/mmu.c:1592

The SHA1 in this path is suspiciously the same as 6.1.61. Are you
certain the bot is working on the correct tree? Nevertheless, I think
the WARN and associated bug were addressed in commit df6556adf27b
("KVM: arm64: Correctly handle page aging notifiers for unaligned
memslot").

Last thing -- I'm guessing your syzkaller runs will dredge up quite a bit
of low-hanging bugs given how little exposure this code has had. Could
you please aggregate the first batch of reports and send as a single
series of email? Makes it much easier to keep track of.

--
Thanks,
Oliver
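A triage check of the kind Oliver describes (do the report's HEAD commit, the running kernel version and the SHA1 embedded in the stack-trace source paths agree?), added here as an example and not part of this thread; the excerpt it parses is constructed from the values quoted above.

```python
import re

# Constructed excerpt of the report above (same values as on the page).
REPORT = """\
HEAD commit: 0dd3ee31125508cd67f7e7172247f05b7fd1753a (tag: v6.7)
WARNING: CPU: 0 PID: 711 at arch/arm64/kvm/mmu.c:1592
kvm_age_gfn+0x64/0xdc
data/embfuzz/emblinux/linux-4a61839152cc3e9e00ac059d73a28d148d622b30/arch/arm64/kvm/mmu.c:1592
CPU: 0 PID: 711 Comm: syz-executor.0 Not tainted 6.1.61 #3
"""

# "HEAD commit: <sha40> (tag: vX.Y)" as printed by the fuzzer's report header.
HEAD_RE = re.compile(r"^HEAD commit:\s*([0-9a-f]{40})(?:\s*\(tag:\s*(v[\w.\-]+)\))?", re.M)
# The kernel's own "CPU: n PID: n Comm: ... Not tainted <version> #build" line.
VERSION_RE = re.compile(r"^CPU: \d+ PID: \d+ Comm: \S+ (?:Not tainted|Tainted: \S+) (\S+)", re.M)
# Build-tree SHA1 embedded in the symbolised source paths (hypothetical layout: .../linux-<sha>/...).
PATH_SHA_RE = re.compile(r"/linux-([0-9a-f]{40})/", re.M)


def check_report(text):
    """Return a list of inconsistency findings; an empty list means the report is self-consistent."""
    findings = []
    head = HEAD_RE.search(text)
    if not head:
        return ["no HEAD commit line in report"]
    head_sha, tag = head.group(1), head.group(2)

    # The kernel that actually ran should carry the version of the claimed tag.
    ver = VERSION_RE.search(text)
    if ver and tag:
        running = ver.group(1)
        if not running.startswith(tag.lstrip("v")):
            findings.append(f"running kernel {running} does not match claimed tag {tag}")

    # Every tree SHA1 seen in the symbolised paths should be the claimed HEAD.
    for sha in sorted(set(PATH_SHA_RE.findall(text))):
        if sha != head_sha:
            findings.append(f"source path tree {sha[:12]} differs from HEAD {head_sha[:12]}")
    return findings


if __name__ == "__main__":
    for finding in check_report(REPORT):
        print("MISMATCH:", finding)
```

On the report above this flags both the 6.1.61 kernel version and the foreign tree SHA1, which is exactly the discrepancy raised in the reply.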

2024-03-13 07:42:12

by cheung wall

Subject: Re: WARNING in kvm_age_gfn

Thanks Oliver. I have confirmed the situation with the SHA1 in the
path; that is my fault. I will test this crash on the latest Linux
arm version. Meanwhile, more batches of reports will be provided
after validation in the new experiment.

Best,
Cheung Wall
