syzbot


general protection fault in try_grab_compound_head

Status: fixed on 2021/11/10 00:50
Reported-by: syzbot+a3fcd59df1b372066f5a@syzkaller.appspotmail.com
Fix commit: d08af0a59684 mm/hugetlb: fix refs calculation from unaligned @vaddr
First crash: 593d, last: 547d

Cause bisection: introduced by (bisect log) :
commit 997acaf6b4b59c6a9c259740312a69ea549cc684
Author: Mark Rutland <mark.rutland@arm.com>
Date: Mon Jan 11 15:37:07 2021 +0000

  lockdep: report broken irq restoration

Crash: WARNING in kvm_wait (log)
Repro: C syz .config
Last patch testing requests:
Created Duration User Patch Repo Result
2021/07/03 21:38 17m ayush@disroot.org patch upstream error

Sample crash report:
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 8484 Comm: syz-executor116 Tainted: G        W         5.13.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:page_zonenum include/linux/mm.h:1121 [inline]
RIP: 0010:is_zone_movable_page include/linux/mm.h:1140 [inline]
RIP: 0010:is_pinnable_page include/linux/mm.h:1556 [inline]
RIP: 0010:try_grab_compound_head mm/gup.c:126 [inline]
RIP: 0010:try_grab_compound_head+0x686/0x8f0 mm/gup.c:113
Code: e9 16 fe ff ff e8 0a fe cc ff 0f 0b 45 31 e4 e9 07 fe ff ff e8 fb fd cc ff 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 44 02 00 00 48 8b 2b bf 03 00 00 00 49 bc 00 00
RSP: 0018:ffffc900017df7e8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81a88c35 RDI: 0000000000000003
RBP: 0000000000010000 R08: 0000000000000000 R09: 0000000000000003
R10: ffffffff81a8862b R11: 000000000000003f R12: 0000000000040000
R13: ffff88803ac03ff8 R14: 0000000000000000 R15: dffffc0000000000
FS:  00000000005a5300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000084 CR3: 0000000021f85000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 follow_hugetlb_page+0x7bf/0x12c0 mm/hugetlb.c:5248
 __get_user_pages+0x5d8/0x1490 mm/gup.c:1137
 __get_user_pages_locked mm/gup.c:1352 [inline]
 __gup_longterm_locked+0x216/0xfa0 mm/gup.c:1745
 pin_user_pages+0x84/0xc0 mm/gup.c:2900
 io_sqe_buffer_register+0x24e/0x1350 fs/io_uring.c:8381
 io_sqe_buffers_register+0x29c/0x620 fs/io_uring.c:8508
 __io_uring_register fs/io_uring.c:10129 [inline]
 __do_sys_io_uring_register+0x1049/0x2880 fs/io_uring.c:10254
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x43ef49
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffea3542188 EFLAGS: 00000246 ORIG_RAX: 00000000000001ab
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000043ef49
RDX: 00000000200001c0 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000402f30 R08: 0000000010000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000402fc0
R13: 0000000000000000 R14: 00000000004ac018 R15: 0000000000400488
Modules linked in:
---[ end trace e3fc885187db8a03 ]---
RIP: 0010:page_zonenum include/linux/mm.h:1121 [inline]
RIP: 0010:is_zone_movable_page include/linux/mm.h:1140 [inline]
RIP: 0010:is_pinnable_page include/linux/mm.h:1556 [inline]
RIP: 0010:try_grab_compound_head mm/gup.c:126 [inline]
RIP: 0010:try_grab_compound_head+0x686/0x8f0 mm/gup.c:113
Code: e9 16 fe ff ff e8 0a fe cc ff 0f 0b 45 31 e4 e9 07 fe ff ff e8 fb fd cc ff 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 44 02 00 00 48 8b 2b bf 03 00 00 00 49 bc 00 00
RSP: 0018:ffffc900017df7e8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff81a88c35 RDI: 0000000000000003
RBP: 0000000000010000 R08: 0000000000000000 R09: 0000000000000003
R10: ffffffff81a8862b R11: 000000000000003f R12: 0000000000040000
R13: ffff88803ac03ff8 R14: 0000000000000000 R15: dffffc0000000000
FS:  00000000005a5300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000084 CR3: 0000000021f85000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (5):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci-upstream-kasan-gce 2021/07/03 15:40 upstream 3dbdb38e2869 55aa55c2 .config console log report syz C general protection fault in try_grab_compound_head
ci-upstream-kasan-gce 2021/07/03 15:24 upstream 3dbdb38e2869 55aa55c2 .config console log report info general protection fault in try_grab_compound_head
ci-upstream-kasan-gce 2021/06/15 14:12 upstream 009c9aa5be65 58636922 .config console log report info general protection fault in try_grab_compound_head
ci-upstream-kmsan-gce 2021/07/31 16:39 https://github.com/google/kmsan.git master dfab4dc3af38 6c236867 .config console log report info KMSAN: uninit-value in try_grab_compound_head
ci-upstream-kmsan-gce-386 2021/07/31 16:40 https://github.com/google/kmsan.git master dfab4dc3af38 6c236867 .config console log report info KMSAN: uninit-value in try_grab_compound_head
* Struck through repros no longer work on HEAD.