syzbot

 sign-in | mailing list | source | docs
🐞 Open [196] 🐞 Fixed [42] 🐞 Invalid [470] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

BUG: unable to handle kernel NULL pointer dereference in __remove_shared_vm_struct

Status: fixed on 2017/10/23 20:15
Fix commit: b65b6ac52e0f fork: fix incorrect fput of ->exe_file causing use-after-free
First crash: 2453d, last: 2453d

Sample crash report:
IP: [<ffffffff814dad4d>] __remove_shared_vm_struct+0x6d/0xe0 mm/mmap.c:137
PGD 1d00c7067 [   52.393305] PUD 1d00c6067 
Oops: 0002 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 5411 Comm: syzkaller263586 Not tainted 4.9.44-gc2e2621 #32
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d8b4e000 task.stack: ffff8801d8b50000
RIP: 0010:[<ffffffff814dad4d>]  [<ffffffff814dad4d>] __remove_shared_vm_struct+0x6d/0xe0 mm/mmap.c:137
RSP: 0018:ffff8801d8b57b60  EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8801d7ffcc28 RCX: 0000000000000000
RDX: 1ffff1003a346284 RSI: ffff8801d1a31400 RDI: ffff8801d1a31420
RBP: ffff8801d8b57b88 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 1ffff1003b16af3c R12: ffff8801d62037c0
R13: 0000000000000875 R14: ffff8801d6203810 R15: ffff8801d1a31400
FS:  0000000000c00880(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000001d8 CR3: 00000001d00c3000 CR4: 00000000001406f0
Stack:
 ffff8801d1a31400 ffff8801d62037c0 ffff8801d7ffcc88 ffff8801d7ffcc28
 00000000000000b1 ffff8801d8b57bb8 ffffffff814dcab3 ffff8801d62037c0
 ffff8801d62038b8 dffffc0000000000 ffff8801d8b57c48 ffff8801d8b57c10
Call Trace:
 [<ffffffff814dcab3>] unlink_file_vma+0x83/0xb0 mm/mmap.c:157
 [<ffffffff814c560f>] free_pgtables+0xef/0x330 mm/memory.c:553
 [<ffffffff814e267a>] exit_mmap+0x21a/0x400 mm/mmap.c:2986
 [<ffffffff81128103>] __mmput kernel/fork.c:863 [inline]
 [<ffffffff81128103>] mmput+0xf3/0x2d0 kernel/fork.c:885
 [<ffffffff8113ced1>] exit_mm kernel/exit.c:514 [inline]
 [<ffffffff8113ced1>] do_exit+0x751/0x2a50 kernel/exit.c:820
 [<ffffffff81143698>] do_group_exit+0x108/0x320 kernel/exit.c:937
 [<ffffffff811438cd>] SYSC_exit_group kernel/exit.c:948 [inline]
 [<ffffffff811438cd>] SyS_exit_group+0x1d/0x20 kernel/exit.c:946
 [<ffffffff838a6805>] entry_SYSCALL_64_fastpath+0x23/0xc6
Code: c5 00 08 00 00 74 47 e8 92 f3 e8 ff 49 8d 7f 20 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 61 49 8b 47 20 <f0> ff 80 d8 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 
RIP  [<ffffffff814dad4d>] __remove_shared_vm_struct+0x6d/0xe0 mm/mmap.c:137
 RSP <ffff8801d8b57b60>
CR2: 00000000000001d8
---[ end trace 6988daddf2b309b3 ]---
BUG: unable to handle kernel NULL pointer dereference at 00000000000001d8
IP: [<ffffffff8112e1fe>] atomic_dec arch/x86/include/asm/atomic.h:103 [inline]
IP: [<ffffffff8112e1fe>] dup_mmap kernel/fork.c:629 [inline]
IP: [<ffffffff8112e1fe>] dup_mm kernel/fork.c:1135 [inline]
IP: [<ffffffff8112e1fe>] copy_mm kernel/fork.c:1189 [inline]
IP: [<ffffffff8112e1fe>] copy_process.part.50+0x468e/0x5d40 kernel/fork.c:1655
PGD 1d605e067 
PUD 1d68ec067 
PMD 0 

Oops: 0002 [#2] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 5470 Comm: syzkaller263586 Tainted: G      D         4.9.44-gc2e2621 #32
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d6bbb000 task.stack: ffff8801d7340000
RIP: 0010:[<ffffffff8112e1fe>]  [<ffffffff8112e1fe>] atomic_dec arch/x86/include/asm/atomic.h:103 [inline]
RIP: 0010:[<ffffffff8112e1fe>]  [<ffffffff8112e1fe>] dup_mmap kernel/fork.c:629 [inline]
RIP: 0010:[<ffffffff8112e1fe>]  [<ffffffff8112e1fe>] dup_mm kernel/fork.c:1135 [inline]
RIP: 0010:[<ffffffff8112e1fe>]  [<ffffffff8112e1fe>] copy_mm kernel/fork.c:1189 [inline]
RIP: 0010:[<ffffffff8112e1fe>]  [<ffffffff8112e1fe>] copy_process.part.50+0x468e/0x5d40 kernel/fork.c:1655
RSP: 0018:ffff8801d7347c18  EFLAGS: 00010297
RAX: 0000000000000000 RBX: ffff8801d606f9b0 RCX: 0000000000000000
RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801d1a315b0
RBP: ffff8801d7347da8 R08: ffffed003ae68f22 R09: ffff8801d7347970
R10: 0000000000000008 R11: ffffed003ae68f21 R12: ffff8801d6e044d8
R13: ffff8801d606fa00 R14: ffff8801d736b480 R15: ffff8801d1a31400
FS:  00007fe9c66bc700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000001d8 CR3: 00000001d6e2b000 CR4: 00000000001406e0
Stack:
 0000000000000000 0000000000000000 ffffed003ae6d69c ffff8801d736b4e0
 0000000000000000 0000000000000000 ffff8801d736b488 ffff8801d736b520
 ffff8801d6205ae0 ffff8801d606f9c8 ffff8801d736b5c0 ffff8801d7350470
Call Trace:
 [<ffffffff8112fd40>] copy_process kernel/fork.c:1482 [inline]
 [<ffffffff8112fd40>] _do_fork+0x1c0/0xd70 kernel/fork.c:1940
 [<ffffffff811309c7>] SYSC_clone kernel/fork.c:2050 [inline]
 [<ffffffff811309c7>] SyS_clone+0x37/0x50 kernel/fork.c:2044
 [<ffffffff81006527>] do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280
 [<ffffffff838a68cd>] entry_SYSCALL64_slow_path+0x25/0x25
Code: 00 00 00 fc ff df 4c 89 e8 48 c1 e8 03 80 3c 30 00 74 08 4c 89 ef e8 32 ea 40 00 f6 43 51 08 74 11 e8 c7 be 23 00 48 8b 44 24 20 <f0> ff 88 d8 01 00 00 e8 b6 be 23 00 48 8b 44 24 70 48 83 c0 60 
RIP  [<ffffffff8112e1fe>] atomic_dec arch/x86/include/asm/atomic.h:103 [inline]
RIP  [<ffffffff8112e1fe>] dup_mmap kernel/fork.c:629 [inline]
RIP  [<ffffffff8112e1fe>] dup_mm kernel/fork.c:1135 [inline]
RIP  [<ffffffff8112e1fe>] copy_mm kernel/fork.c:1189 [inline]
RIP  [<ffffffff8112e1fe>] copy_process.part.50+0x468e/0x5d40 kernel/fork.c:1655
 RSP <ffff8801d7347c18>
CR2: 00000000000001d8
BUG: unable to handle kernel NULL pointer dereference at 00000000000001d8
IP: [<ffffffff8112e1fe>] atomic_dec arch/x86/include/asm/atomic.h:103 [inline]
IP: [<ffffffff8112e1fe>] dup_mmap kernel/fork.c:629 [inline]
IP: [<ffffffff8112e1fe>] dup_mm kernel/fork.c:1135 [inline]
IP: [<ffffffff8112e1fe>] copy_mm kernel/fork.c:1189 [inline]
IP: [<ffffffff8112e1fe>] copy_process.part.50+0x468e/0x5d40 kernel/fork.c:1655
PGD 1cf588067 
PUD 1d68ea067 
PMD 0 

Oops: 0002 [#3] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 5473 Comm: syzkaller263586 Tainted: G      D         4.9.44-gc2e2621 #32
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d7351800 task.stack: ffff8801d8520000
RIP: 0010:[<ffffffff8112e1fe>]  [<ffffffff8112e1fe>] atomic_dec arch/x86/include/asm/atomic.h:103 [inline]
RIP: 0010:[<ffffffff8112e1fe>]  [<ffffffff8112e1fe>] dup_mmap kernel/fork.c:629 [inline]
RIP: 0010:[<ffffffff8112e1fe>]  [<ffffffff8112e1fe>] dup_mm kernel/fork.c:1135 [inline]
RIP: 0010:[<ffffffff8112e1fe>]  [<ffffffff8112e1fe>] copy_mm kernel/fork.c:1189 [inline]
RIP: 0010:[<ffffffff8112e1fe>]  [<ffffffff8112e1fe>] copy_process.part.50+0x468e/0x5d40 kernel/fork.c:1655
RSP: 0018:ffff8801d8527c18  EFLAGS: 00010297
RAX: 0000000000000000 RBX: ffff8801d606fc98 RCX: 0000000000000000
RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff8801d1a315b0
RBP: ffff8801d8527da8 R08: ffffed003b0a4f22 R09: ffff8801d8527970
R10: 0000000000000008 R11: ffffed003b0a4f21 R12: ffff8801d6e02d90
R13: ffff8801d606fce8 R14: ffff8801d736b9c0 R15: ffff8801d1a31400
FS:  00007fe9c66bc700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000001d8 CR3: 00000001d2393000 CR4: 00000000001406e0
Stack:
 0000000000000000 0000000000000000 ffffed003ae6d744 ffff8801d736ba20
 0000000000000000 0000000000000000 ffff8801d736b9c8 ffff8801d736ba60
 ffff8801d62055a0 ffff8801d606fcb0 ffff8801d736bb00 ffff8801d7353470
Call Trace:
 [<ffffffff8112fd40>] copy_process kernel/fork.c:1482 [inline]
 [<ffffffff8112fd40>] _do_fork+0x1c0/0xd70 kernel/fork.c:1940
 [<ffffffff811309c7>] SYSC_clone kernel/fork.c:2050 [inline]
 [<ffffffff811309c7>] SyS_clone+0x37/0x50 kernel/fork.c:2044
 [<ffffffff81006527>] do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280
 [<ffffffff838a68cd>] entry_SYSCALL64_slow_path+0x25/0x25
Code: 00 00 00 fc ff df 4c 89 e8 48 c1 e8 03 80 3c 30 00 74 08 4c 89 ef e8 32 ea 40 00 f6 43 51 08 74 11 e8 c7 be 23 00 48 8b 44 24 20 <f0> ff 88 d8 01 00 00 e8 b6 be 23 00 48 8b 44 24 70 48 83 c0 60 
RIP  [<ffffffff8112e1fe>] atomic_dec arch/x86/include/asm/atomic.h:103 [inline]
RIP  [<ffffffff8112e1fe>] dup_mmap kernel/fork.c:629 [inline]
RIP  [<ffffffff8112e1fe>] dup_mm kernel/fork.c:1135 [inline]
RIP  [<ffffffff8112e1fe>] copy_mm kernel/fork.c:1189 [inline]
RIP  [<ffffffff8112e1fe>] copy_process.part.50+0x468e/0x5d40 kernel/fork.c:1655
 RSP <ffff8801d8527c18>
CR2: 00000000000001d8
---[ end trace 6988daddf2b309b4 ]---

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2017/08/21 18:22 https://android.googlesource.com/kernel/common android-4.9 c2e26216b788 f238fbd4 .config console log report syz C ci-android-49-kasan-gce
* Struck through repros no longer work on HEAD.