Subject: Re: PROBLEM: syzkaller found / pool corruption-overwrite / page in user-area or NULL
To: Esme
Cc: James Bottomley, "dgilbert@interlog.com", "martin.petersen@oracle.com", "linux-scsi@vger.kernel.org", "linux-kernel@vger.kernel.org", "linux-mm@kvack.org"
References: <1547150339.2814.9.camel@linux.ibm.com> <1547153074.6911.8.camel@lca.pw> <4u36JfbOrbu9CXLDErzQKvorP0gc2CzyGe60rBmZsGAGIw6RacZnIfoSsAF0I0TCnVx0OvcqCZFN6ntbgicJ66cWew9cOXRgcuWxSPdL3ko=@protonmail.ch> <1547154231.6911.10.camel@lca.pw> <1547159604.6911.12.camel@lca.pw> <7416c812-f452-9c23-9d0c-37eac0174231@lca.pw>
From: Qian Cai
Message-ID: <3b3184e0-d913-6519-0f9d-2f01ef795650@lca.pw>
Date: Thu, 10 Jan 2019 23:52:58 -0500
X-Mailing-List: linux-kernel@vger.kernel.org

On 1/10/19 10:15 PM, Esme wrote:
>>> [ 75.793150] RIP: 0010:rb_insert_color+0x189/0x1480
>>
>> What's in that line? Try,
>>
>> $ ./scripts/faddr2line vmlinux rb_insert_color+0x189/0x1480
>
> rb_insert_color+0x189/0x1480:
> __rb_insert at /home/files/git/linux/lib/rbtree.c:131
> (inlined by) rb_insert_color at /home/files/git/linux/lib/rbtree.c:452
>
> gparent = rb_red_parent(parent); tmp = gparent->rb_right; <-- GFP triggered here. It suggests gparent is NULL. Looks like it misses a check there because parent is the top node.
>
>> What are the steps to reproduce this?
>
> The steps are the kernel config provided (proc.config) and I double checked the attached C code from the qemu image (attached here). If the kernel does not immediately crash, a ^C will cause the fault to be noticed. The report from earlier is the report from the same code; my assumption was that the possible pool/redzone corruption is making it a bit tricky to pin down.
>
> If you would like alternative kernel settings please let me know, I can do that. Also, my current test-bench has about 256 cores on x64, 64 of them are bare metal and 32 are arm64. Any possible preferred configuration tweaks, I'm all ears; I'll be including some of these steps you suggested to me in any/additional upcoming threads (thank you for that so far and for future suggestions).
>
> Also, there are some occasionally varying stacks depending on the corruption, so this stack just now (another execution of test3.c);

I am unable to reproduce any of those here. What is the output of /proc/cmdline in your guest when this happens?
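As an added example, not code from this thread or from the kernel: in `__rb_insert` the grandparent is read only after the loop has found `parent` red, so a NULL `gparent` implies a red node with no parent, a state a well-formed tree never reaches because the root is always black. The check below walks a tree and counts exactly those nodes, which a debug build could flag before the fixup dereferences them; the `rb_node` layout and helper names mirror the kernel's but are reconstructed here, and the sample trees are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
/* Node layout modelled on the kernel's struct rb_node (colour in bit 0 of
 * the parent pointer); constructed for this example, not the kernel's. */
#define RB_RED   0UL
#define RB_BLACK 1UL
struct rb_node {
    unsigned long __rb_parent_color;
    struct rb_node *rb_right, *rb_left;
};
static struct rb_node *rb_parent(const struct rb_node *n) {
    return (struct rb_node *)(n->__rb_parent_color & ~3UL);
}
static bool rb_is_red(const struct rb_node *n) {
    return !(n->__rb_parent_color & 1UL);
}
static void rb_link(struct rb_node *n, struct rb_node *parent, unsigned long color) {
    n->__rb_parent_color = (unsigned long)parent | color;
    n->rb_left = n->rb_right = NULL;
}

/* Count red nodes whose parent is missing or also red. __rb_insert reads
 * gparent only after finding parent red, so each such node is a point
 * where the fixup would dereference a NULL or bogus grandparent. */
int rb_count_red_violations(const struct rb_node *n) {
    if (!n)
        return 0;
    int bad = 0;
    if (rb_is_red(n)) {
        const struct rb_node *p = rb_parent(n);
        if (!p || rb_is_red(p))   /* red root, or red-red edge */
            bad = 1;
    }
    return bad + rb_count_red_violations(n->rb_left)
               + rb_count_red_violations(n->rb_right);
}

/* Constructed three-node tree: root with two red children. A black root is
 * valid (0); a red root, as a stray write clearing bit 0 would leave it,
 * gives 3: the root itself plus the two red-red edges below it. */
int violations_with_root_color(unsigned long root_color) {
    static struct rb_node root, left, right;
    rb_link(&root, NULL, root_color);
    rb_link(&left, &root, RB_RED);
    rb_link(&right, &root, RB_RED);
    root.rb_left = &left;
    root.rb_right = &right;
    return rb_count_red_violations(&root);
}
```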