syzbot


general protection fault in khugepaged

Status: fixed on 2020/09/16 22:51
Subsystems: mm
[Documentation on labels]
Reported-by: syzbot+ed318e8b790ca72c5ad0@syzkaller.appspotmail.com
Fix commit: 594cced14ad3 khugepaged: fix null-pointer dereference due to race
First crash: 1389d, last: 1373d
Cause bisection: introduced by (bisect log) :
commit ffe945e633b527d5a4577b42cbadec3c7cbcf096
Author: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Date: Wed Jun 3 23:00:09 2020 +0000

  khugepaged: do not stop collapse if less than half PTEs are referenced

Crash: general protection fault in collapse_huge_page (log)
Repro: C syz .config
  
Discussions (5)
Title Replies (including bot) Last reply
[PATCH 5.7 000/179] 5.7.11-rc1 review 187 (187) 2020/07/29 08:22
[PATCH 5.4 000/138] 5.4.54-rc1 review 143 (143) 2020/07/28 18:23
general protection fault in khugepaged 5 (7) 2020/07/24 11:06
[patch 09/15] khugepaged: fix null-pointer dereference due to race 1 (1) 2020/07/24 04:15
[PATCH] khugepaged: Fix null-pointer dereference due to race 3 (3) 2020/07/22 17:54
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream general protection fault in khugepaged (2) mm 1 149d 145d 0/26 auto-obsoleted due to no activity on 2024/01/27 04:37
linux-4.19 general protection fault in khugepaged 1 892d 892d 0/1 auto-closed as invalid on 2022/03/15 05:26
upstream general protection fault in khugepaged (3) mm 2 3d19h 78d 0/26 moderation: reported on 2024/02/07 00:07
Last patch testing requests (1)
Created Duration User Patch Repo Result
2020/07/22 08:47 17m bkkarthik@pesu.pes.edu patch https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git master report log

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 1155 Comm: khugepaged Not tainted 5.8.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:anon_vma_lock_write include/linux/rmap.h:120 [inline]
RIP: 0010:collapse_huge_page mm/khugepaged.c:1110 [inline]
RIP: 0010:khugepaged_scan_pmd mm/khugepaged.c:1349 [inline]
RIP: 0010:khugepaged_scan_mm_slot mm/khugepaged.c:2110 [inline]
RIP: 0010:khugepaged_do_scan mm/khugepaged.c:2193 [inline]
RIP: 0010:khugepaged+0x3bba/0x5a10 mm/khugepaged.c:2238
Code: 01 00 00 48 8d bb 88 00 00 00 48 89 f8 48 c1 e8 03 42 80 3c 30 00 0f 85 fa 0f 00 00 48 8b 9b 88 00 00 00 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 0f 85 d4 0f 00 00 48 8b 3b 48 83 c7 08 e8 9f ff 30
RSP: 0018:ffffc90004be7c80 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff81a72d8b
RDX: ffff8880a69d8100 RSI: ffffffff81b7606b RDI: ffff88809f0577c0
RBP: 0000000000000000 R08: 0000000000000000 R09: ffff8881ff213a7f
R10: 0000000000000080 R11: 0000000000000000 R12: ffffffff8aae6110
R13: ffffc90004be7de0 R14: dffffc0000000000 R15: 0000000020000000
FS:  0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000001fe0cf000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 kthread+0x3b5/0x4a0 kernel/kthread.c:291
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
Modules linked in:
---[ end trace f1f03dbd2ea0777e ]---
RIP: 0010:anon_vma_lock_write include/linux/rmap.h:120 [inline]
RIP: 0010:collapse_huge_page mm/khugepaged.c:1110 [inline]
RIP: 0010:khugepaged_scan_pmd mm/khugepaged.c:1349 [inline]
RIP: 0010:khugepaged_scan_mm_slot mm/khugepaged.c:2110 [inline]
RIP: 0010:khugepaged_do_scan mm/khugepaged.c:2193 [inline]
RIP: 0010:khugepaged+0x3bba/0x5a10 mm/khugepaged.c:2238
Code: 01 00 00 48 8d bb 88 00 00 00 48 89 f8 48 c1 e8 03 42 80 3c 30 00 0f 85 fa 0f 00 00 48 8b 9b 88 00 00 00 48 89 d8 48 c1 e8 03 <42> 80 3c 30 00 0f 85 d4 0f 00 00 48 8b 3b 48 83 c7 08 e8 9f ff 30
RSP: 0018:ffffc90004be7c80 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff81a72d8b
RDX: ffff8880a69d8100 RSI: ffffffff81b7606b RDI: ffff88809f0577c0
RBP: 0000000000000000 R08: 0000000000000000 R09: ffff8881ff213a7f
R10: 0000000000000080 R11: 0000000000000000 R12: ffffffff8aae6110
R13: ffffc90004be7de0 R14: dffffc0000000000 R15: 0000000020000000
FS:  0000000000000000(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004c00c8 CR3: 00000001f7ac5000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/07/05 06:33 net-next-old e44f65fd666c 51095195 .config console log report syz C ci-upstream-net-kasan-gce
2020/07/05 21:47 net-old 1ca0fafd73c5 51095195 .config console log report ci-upstream-net-this-kasan-gce
2020/07/21 15:53 net-next-old 4f1b4da541db d88894e6 .config console log report ci-upstream-net-kasan-gce
* Struck through repros no longer work on HEAD.