syzbot


BUG: unable to handle kernel paging request in vma_interval_tree_insert

Status: auto-closed as invalid on 2019/02/22 10:26
Subsystems: mm
Reported-by: syzbot+ba5f277c6f57816bc4e9@syzkaller.appspotmail.com
First crash: 2116d, last: 2116d

Sample crash report:
BUG: unable to handle kernel paging request at ffff8801c18448b0
PGD b4e1067 P4D b4e1067 PUD 1d9484063 PMD 1949e6063 PTE 0
kasan: CONFIG_KASAN_INLINE enabled
Oops: 0000 [#1] SMP KASAN
kasan: GPF could be caused by NULL-ptr deref or user memory access
CPU: 0 PID: 10250 Comm: blkid Not tainted 4.18.0-rc3+ #48
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:vma_interval_tree_insert+0xfe/0x2a0 mm/interval_tree.c:24
Code: 00 0f 85 51 01 00 00 49 8b 1e 48 85 db 74 7f e8 a8 12 d3 ff 48 8d 7b 18 48 89 f8 48 c1 e8 03 42 80 3c 20 00 0f 85 45 01 00 00 <4c> 8b 73 18 4c 89 ee 4c 89 f7 e8 33 13 d3 ff 4d 39 ee 73 09 e8 79 
RSP: 0018:ffff88019d7cf528 EFLAGS: 00010246
RAX: 1ffff10038308916 RBX: ffff8801c1844898 RCX: ffffffff81a8f986
RDX: 0000000000000000 RSI: ffffffff81a8f928 RDI: ffff8801c18448b0
RBP: ffff88019d7cf570 R08: ffff8801d8640180 R09: ffffed003a51ccd4
R10: ffffed003a51ccd4 R11: ffff8801d28e66a3 R12: dffffc0000000000
R13: 0000000000000221 R14: ffff8801ad05bd00 R15: ffff8801d44d8460
FS:  00007f82833b77a0(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8801c18448b0 CR3: 00000001d8cd4000 CR4: 00000000001406f0
DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
 __vma_link_file+0xe4/0x1b0 mm/mmap.c:599
 __vma_adjust+0x23b/0x1840 mm/mmap.c:807
 vma_adjust include/linux/mm.h:2214 [inline]
 __split_vma+0x46b/0x810 mm/mmap.c:2657
 do_munmap+0x2fe/0xf90 mm/mmap.c:2737
 vm_munmap+0x128/0x1b0 mm/mmap.c:2804
 elf_map+0x270/0x2b0 fs/binfmt_elf.c:376
 load_elf_interp fs/binfmt_elf.c:587 [inline]
 load_elf_binary+0x1ed6/0x5610 fs/binfmt_elf.c:1087
 search_binary_handler+0x17d/0x570 fs/exec.c:1653
 exec_binprm fs/exec.c:1695 [inline]
 __do_execve_file.isra.36+0x171d/0x2730 fs/exec.c:1819
 do_execveat_common fs/exec.c:1866 [inline]
 do_execve fs/exec.c:1883 [inline]
 __do_sys_execve fs/exec.c:1964 [inline]
 __se_sys_execve fs/exec.c:1959 [inline]
 __x64_sys_execve+0x8f/0xc0 fs/exec.c:1959
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f8282a9b207
Code: Bad RIP value.
RSP: 002b:00007fff59687a68 EFLAGS: 00000202 ORIG_RAX: 000000000000003b
RAX: ffffffffffffffda RBX: 00000000ffffffff RCX: 00007f8282a9b207
RDX: 0000000001dd6a00 RSI: 00007fff59687b60 RDI: 00007fff59688b70
RBP: 0000000000625500 R08: 0000000000000ad7 R09: 0000000000000ad7
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000001dd6a00
R13: 0000000000000007 R14: 0000000001dc5250 R15: 0000000000000005
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
CR2: ffff8801c18448b0
---[ end trace af0ba0d97c483bcc ]---
general protection fault: 0000 [#2] SMP KASAN
CPU: 1 PID: 10241 Comm: syz-executor5 Tainted: G      D           4.18.0-rc3+ #48
RIP: 0010:vma_interval_tree_insert+0xfe/0x2a0 mm/interval_tree.c:24
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Code: 00 0f 85 51 01 00 00 49 8b 1e 48 85 db 74 7f e8 a8 12 d3 ff 48 8d 7b 18 48 89 f8 48 c1 e8 03 42 80 3c 20 00 0f 85 45 
RIP: 0010:__x86_indirect_thunk_rax+0x10/0x20 arch/x86/lib/retpoline.S:32
Code: 
------------[ cut here ]------------
Bad or missing usercopy whitelist? Kernel memory overwrite attempt detected to SLAB object 'TCPv6(65:syz5)' (offset 416, size 64)!
==================================================================
BUG: KASAN: slab-out-of-bounds in do_error_trap+0x3b6/0x4d0 arch/x86/kernel/traps.c:296
Read of size 8 at addr ffff880193421450 by task syz-executor5/10241

CPU: 1 PID: 10241 Comm: syz-executor5 Tainted: G      D           4.18.0-rc3+ #48
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:

Allocated by task 1:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff880193420340
 which belongs to the cache names_cache of size 4096
The buggy address is located 272 bytes to the right of
 4096-byte region [ffff880193420340, ffff880193421340)
The buggy address belongs to the page:
page:ffffea00064d0800 count:1 mapcount:0 mapping:ffff8801da987dc0 index:0x0
 compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffffea0006599f88 ffffea00064d0908 ffff8801da987dc0
raw: 0000000000000000 ffff880193420340 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff880193421300: fb fb fb fb fb fb fb fb f3 f3 f3 f3 fc fc fc fc
 ffff880193421380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff880193421400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                 ^
 ffff880193421480: fc fc fc fc fc f1 f1 f1 f1 f8 f2 f2 f2 f2 f2 f2
 ffff880193421500: f2 f8 f2 f2 f2 fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (1):
Time              Kernel    Commit        Syzkaller  Config   Log          Report  Syz repro  C repro  VM info  Assets  Manager                         Title
2018/07/11 14:26  bpf-next  d90c936fb318  2e0e3130   .config  console log  report  -          -        -        -       ci-upstream-bpf-next-kasan-gce  -