syzbot


general protection fault in anon_vma_interval_tree_remove

Status: auto-closed as invalid on 2020/12/28 05:40
Subsystems: mm
Reported-by: syzbot+1a977da4a4ffcc20290d@syzkaller.appspotmail.com
First crash: 1431d, last: 1384d
Similar bugs (1)
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
upstream | general protection fault in anon_vma_interval_tree_remove (2) mm | | | | 2 | 1141d | 1154d | 0/27 | auto-closed as invalid on 2021/08/27 20:15

Sample crash report:
general protection fault, probably for non-canonical address 0xe0ee0aee00ee0101: 0000 [#1] PREEMPT SMP KASAN
KASAN: maybe wild-memory-access in range [0x0770777007700808-0x077077700770080f]
CPU: 0 PID: 28354 Comm: syz-executor.0 Not tainted 5.9.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:vma_last_pgoff mm/interval_tree.c:20 [inline]
RIP: 0010:avc_last_pgoff mm/interval_tree.c:68 [inline]
RIP: 0010:__anon_vma_interval_tree_augment_compute_max mm/interval_tree.c:71 [inline]
RIP: 0010:__anon_vma_interval_tree_augment_propagate mm/interval_tree.c:71 [inline]
RIP: 0010:__rb_erase_augmented include/linux/rbtree_augmented.h:295 [inline]
RIP: 0010:rb_erase_augmented include/linux/rbtree_augmented.h:303 [inline]
RIP: 0010:rb_erase_augmented_cached include/linux/rbtree_augmented.h:314 [inline]
RIP: 0010:__anon_vma_interval_tree_remove mm/interval_tree.c:71 [inline]
RIP: 0010:anon_vma_interval_tree_remove+0x5dd/0xf40 mm/interval_tree.c:88
Code: d1 ff 48 8d 7b e0 48 89 f8 48 c1 e8 03 80 3c 28 00 0f 85 b0 06 00 00 4c 8b 63 e0 49 8d bc 24 98 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 9d 06 00 00 49 8d 7c 24 08 49 8b 94 24 98 00 00
RSP: 0018:ffffc90017a57910 EFLAGS: 00010202
RAX: 00ee0eee00ee0101 RBX: ffff8880001596b0 RCX: ffffffff81a4baf6
RDX: ffff88821703c580 RSI: ffffffff81a4b525 RDI: 0770777007700808
RBP: dffffc0000000000 R08: ffff8880476564b0 R09: ffff888047656417
R10: 0000000000000000 R11: 0000000000000000 R12: 0770777007700770
R13: ffff888000000000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880ae400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000118c000 CR3: 0000000009e8d000 CR4: 00000000001526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 unlink_anon_vmas+0x218/0x830 mm/rmap.c:402
 free_pgtables+0xe2/0x2f0 mm/memory.c:402
 exit_mmap+0x2c0/0x530 mm/mmap.c:3184
 __mmput+0x122/0x470 kernel/fork.c:1077
 mmput+0x53/0x60 kernel/fork.c:1098
 exit_mm kernel/exit.c:483 [inline]
 do_exit+0xa8b/0x29f0 kernel/exit.c:793
 do_group_exit+0x125/0x310 kernel/exit.c:903
 get_signal+0x428/0x1f00 kernel/signal.c:2757
 arch_do_signal+0x82/0x2520 arch/x86/kernel/signal.c:811
 exit_to_user_mode_loop kernel/entry/common.c:161 [inline]
 exit_to_user_mode_prepare+0x1ae/0x200 kernel/entry/common.c:192
 syscall_exit_to_user_mode+0x7e/0x2e0 kernel/entry/common.c:267
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45dd99
Code: Bad RIP value.
RSP: 002b:00007f961c35dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: 0000000000000966 RBX: 0000000000027ec0 RCX: 000000000045dd99
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000003
RBP: 000000000118c010 R08: 0000000000000000 R09: 0000000000000000
R10: 0800000080004105 R11: 0000000000000246 R12: 000000000118bfd4
R13: 000000000169fb6f R14: 00007f961c35e9c0 R15: 000000000118bfd4
Modules linked in:
---[ end trace 9cf17afeefd7f743 ]---
RIP: 0010:vma_last_pgoff mm/interval_tree.c:20 [inline]
RIP: 0010:avc_last_pgoff mm/interval_tree.c:68 [inline]
RIP: 0010:__anon_vma_interval_tree_augment_compute_max mm/interval_tree.c:71 [inline]
RIP: 0010:__anon_vma_interval_tree_augment_propagate mm/interval_tree.c:71 [inline]
RIP: 0010:__rb_erase_augmented include/linux/rbtree_augmented.h:295 [inline]
RIP: 0010:rb_erase_augmented include/linux/rbtree_augmented.h:303 [inline]
RIP: 0010:rb_erase_augmented_cached include/linux/rbtree_augmented.h:314 [inline]
RIP: 0010:__anon_vma_interval_tree_remove mm/interval_tree.c:71 [inline]
RIP: 0010:anon_vma_interval_tree_remove+0x5dd/0xf40 mm/interval_tree.c:88
Code: d1 ff 48 8d 7b e0 48 89 f8 48 c1 e8 03 80 3c 28 00 0f 85 b0 06 00 00 4c 8b 63 e0 49 8d bc 24 98 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 9d 06 00 00 49 8d 7c 24 08 49 8b 94 24 98 00 00
RSP: 0018:ffffc90017a57910 EFLAGS: 00010202
RAX: 00ee0eee00ee0101 RBX: ffff8880001596b0 RCX: ffffffff81a4baf6
RDX: ffff88821703c580 RSI: ffffffff81a4b525 RDI: 0770777007700808

Crashes (2):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2020/09/29 05:39 | upstream | fb0155a09b02 | 1b88c6d5 | .config | console log | report | | | info | | ci-upstream-kasan-gce |
2020/08/13 10:09 | upstream | fb893de323e2 | bc15f7db | .config | console log | report | | | | | ci-upstream-kasan-gce |