Re: general protection fault in _vm_normal_page
syzbot has bisected this bug to: commit 4a110365f1da9d5cabbd0a01796027c0a6d5e80b Author: Kirill A. Shutemov Date: Wed Jul 11 00:45:42 2018 + mm: drop unneeded ->vm_ops checks bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=10b0650f20 start commit: 98be4506 Add linux-next specific files for 20180711 git tree: linux-next final crash:https://syzkaller.appspot.com/x/report.txt?x=12b0650f20 console output: https://syzkaller.appspot.com/x/log.txt?x=14b0650f20 kernel config: https://syzkaller.appspot.com/x/.config?x=3f3b3673fec35d01 dashboard link: https://syzkaller.appspot.com/bug?extid=120abb1c3f7bfdc523f7 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12a4656840 Reported-by: syzbot+120abb1c3f7bfdc52...@syzkaller.appspotmail.com Fixes: 4a110365f1da ("mm: drop unneeded ->vm_ops checks") For information about bisection process see: https://goo.gl/tpsmEJ#bisection
Re: general protection fault in _vm_normal_page
On Wed, Jul 11, 2018 at 02:04:49PM -0700, Andrew Morton wrote: > On Wed, 11 Jul 2018 09:49:01 -0700 syzbot > wrote: > > > Hello, > > > > syzbot found the following crash on: > > > > HEAD commit:98be45067040 Add linux-next specific files for 20180711 > > git tree: linux-next > > console output: https://syzkaller.appspot.com/x/log.txt?x=12496ac240 > > kernel config: https://syzkaller.appspot.com/x/.config?x=3f3b3673fec35d01 > > dashboard link: https://syzkaller.appspot.com/bug?extid=120abb1c3f7bfdc523f7 > > compiler: gcc (GCC) 8.0.1 20180413 (experimental) > > syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=12a4656840 > > Handy. /dev/ion from drivers/staging/android/ion/ion.c > > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > > Reported-by: syzbot+120abb1c3f7bfdc52...@syzkaller.appspotmail.com > > > > R10: 04000812 R11: 0246 R12: 0005 > > R13: 004c0565 R14: 004cffb0 R15: 0005 > > ion_mmap: failure mapping buffer to userspace > > kasan: CONFIG_KASAN_INLINE enabled > > kasan: GPF could be caused by NULL-ptr deref or user memory access > > general protection fault: [#1] SMP KASAN > > CPU: 0 PID: 4785 Comm: syz-executor0 Not tainted 4.18.0-rc4-next-20180711+ > > #4 > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > > Google 01/01/2011 > > RIP: 0010:_vm_normal_page+0x1e5/0x330 mm/memory.c:828 > > Presumably has a NULL vma->vm_ops. Probably one of the now-removed > checks in mm-drop-unneeded-vm_ops-checks.patch would have avoided > this. > > Something for Kirill to think about ;) > Okay. Looks like we need vm_ops in the error path too :P Here's the fixup which should help. I'll post the new version of the patchset once figure out nommu issues. diff --git a/mm/mmap.c b/mm/mmap.c index 74d4d2a8fe08..eedac20735c1 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1776,6 +1776,11 @@ unsigned long mmap_region(struct file *file, unsigned long addr, */ vma->vm_file = get_file(file); error = call_mmap(file, vma); + + /* All mappings must have ->vm_ops set */ + if (!vma->vm_ops) + vma->vm_ops = _vm_ops; + if (error) goto unmap_and_free_vma; @@ -1788,10 +1793,6 @@ unsigned long mmap_region(struct file *file, unsigned long addr, */ WARN_ON_ONCE(addr != vma->vm_start); - /* All mappings must have ->vm_ops set */ - if (!vma->vm_ops) - vma->vm_ops = _vm_ops; - addr = vma->vm_start; vm_flags = vma->vm_flags; } else if (vm_flags & VM_SHARED) { -- Kirill A. Shutemov
Re: general protection fault in _vm_normal_page
On Wed, Jul 11, 2018 at 02:04:49PM -0700, Andrew Morton wrote: > On Wed, 11 Jul 2018 09:49:01 -0700 syzbot > wrote: > > > Hello, > > > > syzbot found the following crash on: > > > > HEAD commit:98be45067040 Add linux-next specific files for 20180711 > > git tree: linux-next > > console output: https://syzkaller.appspot.com/x/log.txt?x=12496ac240 > > kernel config: https://syzkaller.appspot.com/x/.config?x=3f3b3673fec35d01 > > dashboard link: https://syzkaller.appspot.com/bug?extid=120abb1c3f7bfdc523f7 > > compiler: gcc (GCC) 8.0.1 20180413 (experimental) > > syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=12a4656840 > > Handy. /dev/ion from drivers/staging/android/ion/ion.c > > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > > Reported-by: syzbot+120abb1c3f7bfdc52...@syzkaller.appspotmail.com > > > > R10: 04000812 R11: 0246 R12: 0005 > > R13: 004c0565 R14: 004cffb0 R15: 0005 > > ion_mmap: failure mapping buffer to userspace > > kasan: CONFIG_KASAN_INLINE enabled > > kasan: GPF could be caused by NULL-ptr deref or user memory access > > general protection fault: [#1] SMP KASAN > > CPU: 0 PID: 4785 Comm: syz-executor0 Not tainted 4.18.0-rc4-next-20180711+ > > #4 > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > > Google 01/01/2011 > > RIP: 0010:_vm_normal_page+0x1e5/0x330 mm/memory.c:828 > > Presumably has a NULL vma->vm_ops. Probably one of the now-removed > checks in mm-drop-unneeded-vm_ops-checks.patch would have avoided > this. > > Something for Kirill to think about ;) > Okay. Looks like we need vm_ops in the error path too :P Here's the fixup which should help. I'll post the new version of the patchset once figure out nommu issues. diff --git a/mm/mmap.c b/mm/mmap.c index 74d4d2a8fe08..eedac20735c1 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1776,6 +1776,11 @@ unsigned long mmap_region(struct file *file, unsigned long addr, */ vma->vm_file = get_file(file); error = call_mmap(file, vma); + + /* All mappings must have ->vm_ops set */ + if (!vma->vm_ops) + vma->vm_ops = _vm_ops; + if (error) goto unmap_and_free_vma; @@ -1788,10 +1793,6 @@ unsigned long mmap_region(struct file *file, unsigned long addr, */ WARN_ON_ONCE(addr != vma->vm_start); - /* All mappings must have ->vm_ops set */ - if (!vma->vm_ops) - vma->vm_ops = _vm_ops; - addr = vma->vm_start; vm_flags = vma->vm_flags; } else if (vm_flags & VM_SHARED) { -- Kirill A. Shutemov
Re: general protection fault in _vm_normal_page
On Wed, 11 Jul 2018 09:49:01 -0700 syzbot wrote: > Hello, > > syzbot found the following crash on: > > HEAD commit:98be45067040 Add linux-next specific files for 20180711 > git tree: linux-next > console output: https://syzkaller.appspot.com/x/log.txt?x=12496ac240 > kernel config: https://syzkaller.appspot.com/x/.config?x=3f3b3673fec35d01 > dashboard link: https://syzkaller.appspot.com/bug?extid=120abb1c3f7bfdc523f7 > compiler: gcc (GCC) 8.0.1 20180413 (experimental) > syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=12a4656840 Handy. /dev/ion from drivers/staging/android/ion/ion.c > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > Reported-by: syzbot+120abb1c3f7bfdc52...@syzkaller.appspotmail.com > > R10: 04000812 R11: 0246 R12: 0005 > R13: 004c0565 R14: 004cffb0 R15: 0005 > ion_mmap: failure mapping buffer to userspace > kasan: CONFIG_KASAN_INLINE enabled > kasan: GPF could be caused by NULL-ptr deref or user memory access > general protection fault: [#1] SMP KASAN > CPU: 0 PID: 4785 Comm: syz-executor0 Not tainted 4.18.0-rc4-next-20180711+ > #4 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > Google 01/01/2011 > RIP: 0010:_vm_normal_page+0x1e5/0x330 mm/memory.c:828 Presumably has a NULL vma->vm_ops. Probably one of the now-removed checks in mm-drop-unneeded-vm_ops-checks.patch would have avoided this. Something for Kirill to think about ;)
Re: general protection fault in _vm_normal_page
On Wed, 11 Jul 2018 09:49:01 -0700 syzbot wrote: > Hello, > > syzbot found the following crash on: > > HEAD commit:98be45067040 Add linux-next specific files for 20180711 > git tree: linux-next > console output: https://syzkaller.appspot.com/x/log.txt?x=12496ac240 > kernel config: https://syzkaller.appspot.com/x/.config?x=3f3b3673fec35d01 > dashboard link: https://syzkaller.appspot.com/bug?extid=120abb1c3f7bfdc523f7 > compiler: gcc (GCC) 8.0.1 20180413 (experimental) > syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=12a4656840 Handy. /dev/ion from drivers/staging/android/ion/ion.c > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > Reported-by: syzbot+120abb1c3f7bfdc52...@syzkaller.appspotmail.com > > R10: 04000812 R11: 0246 R12: 0005 > R13: 004c0565 R14: 004cffb0 R15: 0005 > ion_mmap: failure mapping buffer to userspace > kasan: CONFIG_KASAN_INLINE enabled > kasan: GPF could be caused by NULL-ptr deref or user memory access > general protection fault: [#1] SMP KASAN > CPU: 0 PID: 4785 Comm: syz-executor0 Not tainted 4.18.0-rc4-next-20180711+ > #4 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > Google 01/01/2011 > RIP: 0010:_vm_normal_page+0x1e5/0x330 mm/memory.c:828 Presumably has a NULL vma->vm_ops. Probably one of the now-removed checks in mm-drop-unneeded-vm_ops-checks.patch would have avoided this. Something for Kirill to think about ;)
general protection fault in _vm_normal_page
Hello, syzbot found the following crash on: HEAD commit:98be45067040 Add linux-next specific files for 20180711 git tree: linux-next console output: https://syzkaller.appspot.com/x/log.txt?x=12496ac240 kernel config: https://syzkaller.appspot.com/x/.config?x=3f3b3673fec35d01 dashboard link: https://syzkaller.appspot.com/bug?extid=120abb1c3f7bfdc523f7 compiler: gcc (GCC) 8.0.1 20180413 (experimental) syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=12a4656840 IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+120abb1c3f7bfdc52...@syzkaller.appspotmail.com R10: 04000812 R11: 0246 R12: 0005 R13: 004c0565 R14: 004cffb0 R15: 0005 ion_mmap: failure mapping buffer to userspace kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: [#1] SMP KASAN CPU: 0 PID: 4785 Comm: syz-executor0 Not tainted 4.18.0-rc4-next-20180711+ #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:_vm_normal_page+0x1e5/0x330 mm/memory.c:828 Code: 00 0f 85 3a 01 00 00 48 8b 85 70 ff ff ff 48 ba 00 00 00 00 00 fc ff df 48 8b 80 90 00 00 00 48 8d 78 70 48 89 f9 48 c1 e9 03 <80> 3c 11 00 0f 85 17 01 00 00 48 8b 40 70 48 85 c0 48 89 85 60 ff RSP: 0018:8801d2d2f050 EFLAGS: 00010202 RAX: RBX: 00198700 RCX: 000e RDX: dc00 RSI: 81abf579 RDI: 0070 RBP: 8801d2d2f0f0 R08: 8801aab72040 R09: ed003a591216 R10: ed003a591216 R11: 8801d2c890b3 R12: 11003a5a5e0d R13: 8801d2d2f0c8 R14: 000198700320 R15: 0200 FS: 0118c940() GS:8801dae0() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 004e8664 CR3: 0001cb276000 CR4: 001406f0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400 Call Trace: zap_pte_range mm/memory.c:1312 [inline] zap_pmd_range mm/memory.c:1443 [inline] zap_pud_range mm/memory.c:1472 [inline] zap_p4d_range mm/memory.c:1493 [inline] unmap_page_range+0xa6f/0x2220 mm/memory.c:1514 unmap_single_vma+0x1a0/0x310 mm/memory.c:1559 unmap_vmas+0x120/0x1f0 mm/memory.c:1589 unmap_region+0x353/0x570 mm/mmap.c:2583 mmap_region+0x18cc/0x1da0 mm/mmap.c:1840 do_mmap+0xa10/0x1220 mm/mmap.c:1540 do_mmap_pgoff include/linux/mm.h:2290 [inline] vm_mmap_pgoff+0x213/0x2c0 mm/util.c:357 ksys_mmap_pgoff+0x4da/0x660 mm/mmap.c:1590 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline] __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline] __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x455e29 Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:7ffdd494a4b8 EFLAGS: 0246 ORIG_RAX: 0009 RAX: ffda RBX: 0118c914 RCX: 00455e29 RDX: RSI: 3060 RDI: 20ffd000 RBP: 0072bea0 R08: 0004 R09: R10: 04000812 R11: 0246 R12: 0005 R13: 004c0565 R14: 004cffb0 R15: 0005 Modules linked in: Dumping ftrace buffer: (ftrace buffer empty) ---[ end trace 161bdc8eda63d641 ]--- RIP: 0010:_vm_normal_page+0x1e5/0x330 mm/memory.c:828 Code: 00 0f 85 3a 01 00 00 48 8b 85 70 ff ff ff 48 ba 00 00 00 00 00 fc ff df 48 8b 80 90 00 00 00 48 8d 78 70 48 89 f9 48 c1 e9 03 <80> 3c 11 00 0f 85 17 01 00 00 48 8b 40 70 48 85 c0 48 89 85 60 ff RSP: 0018:8801d2d2f050 EFLAGS: 00010202 RAX: RBX: 00198700 RCX: 000e RDX: dc00 RSI: 81abf579 RDI: 0070 RBP: 8801d2d2f0f0 R08: 8801aab72040 R09: ed003a591216 R10: ed003a591216 R11: 8801d2c890b3 R12: 11003a5a5e0d R13: 8801d2d2f0c8 R14: 000198700320 R15: 0200 FS: 0118c940() GS:8801dae0() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 004e8664 CR3: 0001cb276000 CR4: 001406f0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400 --- This bug is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkal...@googlegroups.com. syzbot will keep track of this bug report. See: https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot. syzbot can test patches for this bug, for details see:
general protection fault in _vm_normal_page
Hello, syzbot found the following crash on: HEAD commit:98be45067040 Add linux-next specific files for 20180711 git tree: linux-next console output: https://syzkaller.appspot.com/x/log.txt?x=12496ac240 kernel config: https://syzkaller.appspot.com/x/.config?x=3f3b3673fec35d01 dashboard link: https://syzkaller.appspot.com/bug?extid=120abb1c3f7bfdc523f7 compiler: gcc (GCC) 8.0.1 20180413 (experimental) syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=12a4656840 IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+120abb1c3f7bfdc52...@syzkaller.appspotmail.com R10: 04000812 R11: 0246 R12: 0005 R13: 004c0565 R14: 004cffb0 R15: 0005 ion_mmap: failure mapping buffer to userspace kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: [#1] SMP KASAN CPU: 0 PID: 4785 Comm: syz-executor0 Not tainted 4.18.0-rc4-next-20180711+ #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:_vm_normal_page+0x1e5/0x330 mm/memory.c:828 Code: 00 0f 85 3a 01 00 00 48 8b 85 70 ff ff ff 48 ba 00 00 00 00 00 fc ff df 48 8b 80 90 00 00 00 48 8d 78 70 48 89 f9 48 c1 e9 03 <80> 3c 11 00 0f 85 17 01 00 00 48 8b 40 70 48 85 c0 48 89 85 60 ff RSP: 0018:8801d2d2f050 EFLAGS: 00010202 RAX: RBX: 00198700 RCX: 000e RDX: dc00 RSI: 81abf579 RDI: 0070 RBP: 8801d2d2f0f0 R08: 8801aab72040 R09: ed003a591216 R10: ed003a591216 R11: 8801d2c890b3 R12: 11003a5a5e0d R13: 8801d2d2f0c8 R14: 000198700320 R15: 0200 FS: 0118c940() GS:8801dae0() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 004e8664 CR3: 0001cb276000 CR4: 001406f0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400 Call Trace: zap_pte_range mm/memory.c:1312 [inline] zap_pmd_range mm/memory.c:1443 [inline] zap_pud_range mm/memory.c:1472 [inline] zap_p4d_range mm/memory.c:1493 [inline] unmap_page_range+0xa6f/0x2220 mm/memory.c:1514 unmap_single_vma+0x1a0/0x310 mm/memory.c:1559 unmap_vmas+0x120/0x1f0 mm/memory.c:1589 unmap_region+0x353/0x570 mm/mmap.c:2583 mmap_region+0x18cc/0x1da0 mm/mmap.c:1840 do_mmap+0xa10/0x1220 mm/mmap.c:1540 do_mmap_pgoff include/linux/mm.h:2290 [inline] vm_mmap_pgoff+0x213/0x2c0 mm/util.c:357 ksys_mmap_pgoff+0x4da/0x660 mm/mmap.c:1590 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline] __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline] __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x455e29 Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:7ffdd494a4b8 EFLAGS: 0246 ORIG_RAX: 0009 RAX: ffda RBX: 0118c914 RCX: 00455e29 RDX: RSI: 3060 RDI: 20ffd000 RBP: 0072bea0 R08: 0004 R09: R10: 04000812 R11: 0246 R12: 0005 R13: 004c0565 R14: 004cffb0 R15: 0005 Modules linked in: Dumping ftrace buffer: (ftrace buffer empty) ---[ end trace 161bdc8eda63d641 ]--- RIP: 0010:_vm_normal_page+0x1e5/0x330 mm/memory.c:828 Code: 00 0f 85 3a 01 00 00 48 8b 85 70 ff ff ff 48 ba 00 00 00 00 00 fc ff df 48 8b 80 90 00 00 00 48 8d 78 70 48 89 f9 48 c1 e9 03 <80> 3c 11 00 0f 85 17 01 00 00 48 8b 40 70 48 85 c0 48 89 85 60 ff RSP: 0018:8801d2d2f050 EFLAGS: 00010202 RAX: RBX: 00198700 RCX: 000e RDX: dc00 RSI: 81abf579 RDI: 0070 RBP: 8801d2d2f0f0 R08: 8801aab72040 R09: ed003a591216 R10: ed003a591216 R11: 8801d2c890b3 R12: 11003a5a5e0d R13: 8801d2d2f0c8 R14: 000198700320 R15: 0200 FS: 0118c940() GS:8801dae0() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 004e8664 CR3: 0001cb276000 CR4: 001406f0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400 --- This bug is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkal...@googlegroups.com. syzbot will keep track of this bug report. See: https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot. syzbot can test patches for this bug, for details see: