bad page state due to PF_ALG socket

From: Dmitry Vyukov
Date: Thu Dec 17 2015 - 07:59:00 EST


Hello,

The following program triggers multiple bugs including bad page state
warnings and GPFs:


// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <syscall.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>

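/*
 * Fuzzer-generated reproducer body: the syscall sequence one child runs.
 *
 * Every call goes through syscall(2) with raw integer arguments, and all
 * user memory the kernel reads or writes lives in a fixed anonymous mapping
 * at 0x20000000 (64 KiB, read+write), so the numeric addresses below are
 * offsets into that mapping.  Return values are deliberately not checked:
 * the program exists to drive the kernel down the failing path, not to act
 * on errors.
 *
 * Sequence: AF_ALG socket -> bind to an skcipher ("ecb(serpent)") ->
 * accept4 for an operation socket -> sendto 4096 bytes on it -> recvfrom
 * on it.  The GPF in the accompanying report is in skcipher_recvmsg, reached
 * from that final recvfrom.
 *
 * The long string literal was line-wrapped by the mail archive in the middle
 * of hex escapes; it is re-joined here as adjacent literals split on escape
 * boundaries, so the byte sequence is unchanged.
 */
void foo(void)
{
    /* socket(AF_ALG = 0x26, SOCK_SEQPACKET = 5, 0) */
    long r0 = syscall(SYS_socket, 0x26ul, 0x5ul, 0x0ul, 0, 0, 0);

    /*
     * mmap(0x20000000, 64 KiB, PROT_READ|PROT_WRITE (3),
     *      MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS (0x32), fd = -1, 0)
     * Fixed-address scratch area for every buffer used below.
     */
    syscall(SYS_mmap, 0x20000000ul, 0x10000ul, 0x3ul,
            0x32ul, 0xfffffffffffffffful, 0x0ul);

    /*
     * Build a struct sockaddr_alg at 0x20001000 (88 bytes = 0x58):
     *   u16 salg_family  @ +0x00 = AF_ALG
     *   u8  salg_type[14]@ +0x02 = "skcipher"
     *   u32 salg_feat    @ +0x10 = 0xf      (fuzzer-chosen)
     *   u32 salg_mask    @ +0x14 = 0x100    (fuzzer-chosen)
     *   u8  salg_name[64]@ +0x18 = "ecb(serpent)"
     */
    *(uint16_t*)0x20001000 = 0x26;
    memcpy((void*)0x20001002,
           "\x73\x6b\x63\x69\x70\x68\x65\x72\x00\x00\x00\x00\x00\x00", 14);
    *(uint32_t*)0x20001010 = 0xf;
    *(uint32_t*)0x20001014 = 0x100;
    memcpy((void*)0x20001018,
           "\x65\x63\x62\x28\x73\x65\x72\x70\x65\x6e\x74\x29\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
           64);
    syscall(SYS_bind, r0, 0x20001000ul, 0x58ul, 0, 0, 0);

    /* accept4(r0, NULL, addrlen @ 0x200023fd, SOCK_NONBLOCK = 0x800) */
    long r8 = syscall(SYS_accept4, r0, 0x0ul, 0x200023fdul, 0x800ul, 0, 0);

    /*
     * 4096-byte fuzzer payload at 0x20000000.  Its content is arbitrary;
     * the literal is assumed to be exactly 4096 bytes long (memcpy does not
     * check).  It is split into adjacent literals only for line length.
     */
    memcpy((void*)0x20000000,
           "\xfd\x3b\x7e\x65\x54\x47\x9f\xeb\x2a\x2b\xa6\xe7\x7e\x08\x57\x53\x8c\x93\x67\xf0\x97\x45\xca\x56\xd0\x77\xd7\x50\xed\xaf\xaf\xe5\x36\x66\xcf\xa4\x8f\xf6\xfb\x50\xa3\x56\xcb\x23\x17\xcc\x01\xca\xc5\x37\xc2\x32\x6c\x75\x2a\x9d\x25\xf8\x56\xd9\x84\xf2\x83\x52\xb3\x54\x62\x6f\xaf\x03\x4e\x55\x3f\xb9\xb3\xcf\xa3\x75\xc8\xd6\x57\x87\x5b\xd7\x06\x81\xf8\x7e\x6d\x8d\x30\x2a\x75\xf7\xf7\x16\xd5\x1e\x60\x37\xd9\x36\xf2\xab\x89\x2c\x2e\x56\xac\xe8\xf8\x23\xeb\x18\xa9\x0e\x58\xdd\x38\xbc\xa0\xc8\xfe\xac\x31\x59\xf7\x36\xe1\x7e\xfd\xe1\x18\x4a\x5c\x39\x08\x96\xe3\xbb\x0d\x20\x01\xeb\x50\xf4\x9a\xd3\xdb\xee\xe8\x14\x7b\xba\x1b\xc6\x19\xb1\xa9\xff\xdc\x4a\x69\x4d\x6f\x87\x67\xdd\x3d\xd0\x5c\xd0\xf5\xb1\x74\xba\x4f\x4e\x69\xcc\x63\xa9\xef\x32\x0e\xdc\x4b\x74\x74\x26\xf4\x4b\x15\xae\x2b\x1f\x45\xe4\xf9\xcf\x90\xc3\xcd\xa9\x8a\xfa\x65\xc5\x70\x79\x9d\xfa\x0d\x49\xcf\x83\x2b\x31\x6b\x56\x38\xd4\xfd\xae\x6f\x6d\xfc\xac\x41\x37\x2a\x5d\xe6\x65\xca\xef\xac\xc8\x7e\x4e\x1e\x14\xe4\x7e\xaf\x2d\xb8\x67\xef\xe4\xa9\xdd\x70\x69\xb2\xd7\x09\x35\x1e\x1b\xde\x87\xd3\x18\x3c\x50\x72\x33\xc9\xc7\xac\x09\xc4\xca\xc6\xb1\x44\x48\x64\x85\xc2\x07\x2e\xfe\xf2\xc1\xd2\x80\xdd\x9a\xf8\x01\xe4\xad\x77\xe1\x5e\x6c\xc1\x0f\xe7\x8c\x0e\xbe\x6d\x4d\xda\xeb\x05\x37\x35\xd1\xf4\x65\x81\xd9\x8e\x44\x7d\x3d\xad\x4f\xcd\x20\x46\xb4\xb6\x84\x2b\x9e\x08\x9b\xf2\x5b\x0f\x0b\x70\xbf\xf1\x2e\x6c\x87\x69\x6d\x6c\x96\xca\x33\x97\x7f\x69\xe5\xb0\xd5\x2b\xfb\x6e\xe9\x9b\x67\xc2\xef\x89\x9f\x56\x6d\x15\x9a\x2d\x3c\x45\x6a\xbc\xed\x65\xfb\xe9\x83\x41\xe1\xf3\x0a\x69\x99\x47\x4b\xc8\xf8\x4a\x7d\xc0\x08\x02\x25\xf6\xc2\xec\xdb\x6f\xb8\xe0\x67\x3c\xcc\x7b\x40\x3d\xfc\xb2\x50\x3a\x48\xf5\xbe\xa5\x6a\xb4\x0f\xc6\x2b\x62\x3c\x28\x96\xe1\x98\xa1\x0a\x24\xf8\x4d\xc6\x5c\x2e\xf3\x92\xf2\x96\xe1\x5f\xa0\x67\x80\x72\xca\x05\xbd\xf1\x77\x87\xda\xa8\xf4\xdb\x9e\x38\xf6\x6f\x75\x7a\x9a\xc6\x27\xe0\x23\x0e\xb3\x89\x34\x5d\x08\xa1\xa2\xd1\x1d\x17\xae\xf7\x41\x73\x64\x04\xff\x1f\xb4\x42\xc8\x60\xc2\x6d\x6f\x1c\x5f\xd4\xf3\x8e\x6b\x5c\x68"
           "\x69\x77\x14\x17\x5f\x2b\x6f\x92\x55\x9d\x38\xba\x57"
           "\x08\x17\xbf\xb5\x08\x4c\x00\x01\xc7\xb1\x2c\x08\xe2\x60\x10\x90\x76\x76\xc7\x6c\xb7\x9a\x46\x93\x37\x49\x26\x80\x15\x17\xf9\xbb\xc2\x9b\x46\x95\x96\xac\x34\x0e\xdf\xcc\x01\x0c\x86\x7b\x60\x75\x1e\xa2\x0c\x92\x28\x24\x70\x03\xec\x1c\x3f\xa2\x0b\x07\xe1\x57\x0f\x93\x96\xb1\x82\xf9\x29\x90\xfe\xf6\xe6\x3d\xc8\xc7\xfb\x1e\xd1\xb6\x27\x38\xe5\x28\x74\xdc\xcd\x3d\x9d\x63\x8f\xc0\x72\x0c\x47\xef\x24\x46\x75\x0c\x73\x94\x99\x12\x7d\x48\x3c\xee\xd3\xf6\x79\x17\xc6\xc3\x40\x39\x3f\x6c\xde\x99\x3f\x76\x4f\x05\x52\x4c\x00\xfd\xe1\xd5\x60\xb7\x3e\x08\x51\xb4\xa7\x58\xad\xf5\xd4\x2e\xd0\x0a\x7e\x34\x6d\x74\x1b\xe5\x00\x59\xfe\x7a\xb4\x6f\x2d\x22\x0c\x43\xd7\xeb\xd0\xca\x96\x7d\xb6\x66\x1f\xdd\xbd\xbd\x95\xfd\xf2\x0f\xe7\xcc\xad\x5b\xbb\x95\x24\x11\xc2\x17\x01\x1c\x0e\x23\xe5\xbd\x65\xcd\xc9\xe4\x41\x6a\x8c\xcf\xbd\x2d\x5a\xc3\x28\xa8\x09\x20\x95\x32\x86\x2c\x97\x3f\x00\xf5\x1b\xa6\xd3\x91\xfc\x09\x5e\x21\xef\xcc\xd3\x90\x97\x10\x38\x86\x8c\x2b\x37\xb0\xe2\x91\x68\xff\xd7\xdb\x0d\x9c\x56\x44\x1a\xdd\x34\x88\xce\x09\xd4\xcf\xd8\xd4\xaa\xd8\xf0\xdf\xf2\x55\x2f\x87\x40\x87\x06\x11\xf3\x09\xa5\x72\xe4\x23\x5e\xf7\x7e\x0e\xdd\x12\x26\xa1\x2f\xd7\xab\x25\x3f\xa1\x96\x0c\x50\xb1\x69\xd6\x56\x04\xf2\xb1\x7a\x7b\xdd\x69\x35\x5f\x95\x54\xde\x65\x30\x5f\x40\x4b\x23\x39\xe0\x83\x2a\xcf\xe3\x1a\x4f\x4d\xc9\x53\x81\x56\x69\xb7\x0b\xec\x6b\x89\x56\x00\x6c\xf4\x12\x45\xde\x3b\x60\x18\x74\xa7\xd4\x57\xa6\x7a\x9e\x05\x54\xf0\xd1\x06\xc0\xb9\x40\xb0\x2d\x3f\x71\x66\x2b\x3c\xca\x37\xd6\x0e\xa0\x68\x8e\xda\x91\x35\x9b\xc8\x11\x6f\x0a\x0f\x6f\xb0\x90\x72\x18\xab\x70\xb7\x1b\x9e\xd9\xa0\xa9\x27\x03\x5d\xc4\xbf\x9a\xdb\xe9\xe6\x0d\x95\x89\x33\x6d\xd3\x8e\x36\x9c\x2b\x32\x81\x7d\x9e\x2a\xc4\xe8\x24\xf9\x46\x83\x08\xf4\xf0\xd5\xc3\x7b\x9e\xe1\xfe\x71\x43\x73\x3a\x37\x03\x13\x80\x9a\xb6\x5c\x27\xa2\x45\xd3\x1e\x0a\x55\xb6\x49\xc2\x7e\x85\xad\xb1\x19\x84\x16\xb6\x3c\x5f\x2b\x27\x21\xbb\x2e\xdf\x2a\xee\xcd\xb0\xb1\x37\xc4\x5c\x6f\xf4\xd1\x18\xe0\xaf\x46\x35\x9a\x64\xf7\xb7\x07\x82\x42\x49\xdd\x70\x9b\xee"
           "\x6b\x0d\x11\x8d\x4a\x60\x73\xce\x81\xea\xdd\x1a\x97"
           "\xa0\x2e\x2a\x3a\x17\x36\x33\x37\xdc\xbb\xe7\x59\x80\x1b\xd0\x31\xfd\xcc\x67\x9c\x6e\xd1\x3e\x92\xbc\xb0\xfa\x0a\x8d\xc4\x03\x6a\x91\x7f\x1b\xd8\xfe\xfd\x2f\x75\x7d\x52\x8d\xc0\x67\x57\xb8\xcf\x34\xf3\x2b\xca\x6a\x59\x53\x0c\xa7\x74\x1b\xa1\xa9\xbc\xee\x41\x6d\x34\x7e\x49\x96\xa7\xc5\xf2\xcd\xaf\x67\x83\x0e\xd4\x12\x95\x2c\x4b\x83\xc7\x62\xe1\xb3\xad\xc6\xfb\x0c\xa9\x25\x26\xe1\x5f\x17\x2b\xaa\x1a\x92\xde\x3c\x27\xca\xa1\xb0\xb7\xb7\xb7\x0b\x14\x7b\x1b\x5c\x89\xa0\x07\x4c\x77\xfa\x53\xc0\x87\x7d\x24\xf7\x8c\xd2\x1d\xa3\x36\x15\xc2\xe9\x71\x02\x9d\xd4\x97\xeb\x6a\x85\x8d\x52\x9d\x04\x41\xcf\xe1\xbb\x07\xbb\x18\x43\xb4\x2f\xe5\xb5\xd3\x53\x30\x8c\x6c\xdf\x36\x26\x87\x29\x54\x10\x56\xfd\x98\x49\x03\x37\xa5\xd6\x10\xec\x5c\x00\xc6\x84\x20\x6c\x84\xb1\x48\xd0\xc2\x8d\x06\x44\xe7\x50\xe6\xce\xd1\x16\x90\xc9\xd7\xa5\x30\x1d\x1c\x5d\x99\xe1\x4a\x8e\xf6\xb5\xa1\x18\xc4\x24\x01\x1e\xd7\x63\xb6\x39\x41\x00\x88\xd9\xf9\x37\x31\xdf\x95\x26\x5e\xa6\x0b\xf2\x2c\x7a\x72\x06\x86\x55\xca\x2b\x35\xf3\x62\x72\x6c\x77\xb0\x65\x56\x20\x47\x87\xbe\x35\xa4\x8e\x43\xb1\x7f\x50\x8c\x3f\x7f\xda\x0d\xa6\x87\xfb\xd7\x95\xd3\xcc\x58\x49\x9f\xd2\xe8\x75\x8f\x3f\xb5\xef\x63\x99\x30\x80\xaf\x3c\xca\x61\x7a\xdd\x55\xce\xb5\x6c\x0d\x8b\x26\xb2\xa1\x05\x95\x3c\x30\x6a\x99\xf9\x60\x51\x64\x60\x16\xf0\x23\xbf\xfe\x5b\x02\x6a\x8c\x92\x34\x9f\x53\x51\x8b\x4d\x57\x40\x45\x0f\x8c\xe6\xec\xec\xe0\xcf\x01\x38\x36\x8c\xe2\xa3\xea\x69\xd6\x23\x74\xa6\x54\x36\xe3\x35\x06\x83\x13\xba\x18\x30\x86\xd1\xfb\x4f\x08\x11\x10\xed\x1a\x3a\xf0\x42\xdf\x8e\x62\xdd\x4a\xb6\x12\x28\xad\x3b\x09\xdd\xa2\x7c\xec\x05\x3b\x02\x5b\x8d\x2d\xec\x67\x71\x82\x9b\x45\x22\x29\xbc\x26\xd7\xb5\x1b\x15\x3a\x69\xa7\xa2\xeb\xce\x95\x51\x38\x25\xbf\xc7\x04\xaf\x3e\x86\xe5\x21\xc8\x65\x76\x6b\xa7\x40\x4f\x9b\x2e\xfe\xab\xb7\xd0\x9c\x9d\x9d\xf3\x09\xac\x97\xc9\x2d\x0d\x2d\x06\xf6\x86\x98\xc0\x7b\x80\xa7\xd0\x2d\x6f\xd3\xc1\xe1\x1c\x6a\x99\x27\x00\xd3\xe6\x14\xe0\xae\x8e\x76\x44\x51\x02\xaa\x94\x8e\x41\xc1\xec\x27\x5e\xe2\x97\xfd\x91\x23\x28"
           "\x0d\x1e\x63\x2c\xa4\x04\x6d\xcb\xc3\x89\xd9\x8d\x70"
           "\xca\xa5\x37\xee\xab\x4e\x11\xaf\x3e\xe7\x53\x47\x30\xf3\x4e\x47\x54\x92\x8b\xfb\xf8\x6d\xa7\xa1\xc3\x4b\x36\xad\xb3\xe2\xc4\xad\x2b\xb1\xdd\xb1\x20\x58\x51\x51\x06\xfb\xb8\x57\xff\x2b\xcb\x9f\xe1\x17\x85\x54\x5f\x5f\xd9\x2a\x98\x12\x2b\x15\x19\x2a\x25\x61\xdf\xa3\x06\x62\xe7\x3a\x2f\xa1\x27\x21\xa1\x7c\xa2\x9b\x41\xd1\xb2\xde\x8e\xcd\x0f\xe8\x4c\xcb\xff\x60\xb6\x89\x31\x6c\x22\xee\x86\x6b\x7f\x27\xc3\x1a\x24\xc9\x9b\xb6\x5a\xb9\x51\x5d\x13\xa1\xb7\xd0\x72\x92\x46\xe5\xe7\xf3\x93\x2f\x11\x10\xd7\xbe\x83\xc1\x06\xed\xd4\x4d\x06\x41\x85\x6b\x6d\xc7\xb1\xaa\x37\x46\x32\x11\x3d\xe2\xdd\x93\x07\x8e\x15\x85\x17\x98\x8d\xae\xf7\xf1\x9d\xfb\x62\x6b\xb1\x07\x2a\x61\x37\xf0\xd8\x24\xa9\xe5\x89\x2d\xaa\x67\xb4\x2b\x69\x4d\xb0\x48\xfe\xfe\x20\xcc\x70\x29\xd5\x1f\xe5\xfd\x4d\x72\x80\x08\x4a\xe4\x67\x19\x3d\xdf\xb6\x62\x6e\xdc\xb0\x19\xb9\x50\x93\x4c\x9e\x15\xa4\x07\x81\xc6\x7d\x04\xbc\xb7\x07\x52\xc4\x74\x64\x84\x95\xaa\x52\x1f\x07\x6e\xbf\xeb\x3e\x6c\xa1\x33\x4b\x93\xb7\x14\x32\xbe\xb1\x50\xa7\x85\x75\x1c\x0d\x13\xb6\xeb\x2d\x1e\x8f\x08\x44\x45\xea\x56\xf9\x14\xc3\xc8\x5b\xd2\xdc\xc5\x15\xa1\xb5\x23\x4a\xac\x15\x95\xd0\xab\x6c\x04\x90\x00\xb6\xdc\x4d\x99\x79\xdc\xe2\xc7\x3e\xbd\x32\x8c\x22\xdc\xdd\xd0\xfe\x21\x47\x0c\xfc\x6c\xa7\xd6\xf9\x69\x16\x2a\xfc\xd7\x2f\x62\xe1\x05\xe0\xe1\x9f\x5e\x4e\x96\x90\xb8\xbf\xbf\x70\xd1\x20\x0b\x57\x9f\xd4\xe5\x2a\x5b\x2d\x13\x70\x22\x04\x99\x8d\x19\x2c\x07\xf2\x62\x19\x39\x9d\xc4\x71\x9e\x2b\xfd\x4b\x4f\xed\xf5\x08\x0b\x79\xc9\x76\x81\x43\x14\xfa\x8f\x72\x6e\x68\x6e\x9f\xd0\x48\x91\x13\x02\x04\x50\x01\xf3\x41\x82\xaf\x49\x6d\x71\x85\xdf\xc6\x44\xcb\x0e\xe8\xb9\x8e\xd9\xe3\x43\x71\xf0\x04\x67\x28\x03\x0e\x98\x5d\x22\x35\xfd\xe0\x38\x95\x71\x1b\xa8\xb9\xb6\xeb\xde\x39\x44\x49\xdd\x40\x71\xf7\x98\xf4\x16\x42\x06\xf1\x10\x5a\x36\xc8\x2c\x18\x14\x3d\xd8\x9f\x10\xa2\xe6\x2b\x33\x04\xa4\xdf\x2b\x42\x05\xa6\xb7\xf9\x9c\x7b\x91\x19\x37\xfe\xa2\x0a\x80\xbe\x44\xc5\x4b\x26\x67\x2b\xe2\xfe\xce\x56\x7c\xb8\x20\xf3\x86\x01\x80\x60\x4a\xe5\xf3\xba\x35\xf7"
           "\x00\xc9\xb8\xd3\x0f\x45\xde\x23\xdb\x01\x79\xd5\x49"
           "\xd5\x37\x61\x4c\x65\x6b\xe3\x71\x17\xab\x34\xb3\xa2\xf2\x35\x7e\x51\xa4\x89\x36\x48\x93\xe1\x19\x55\xa5\xcc\x94\x64\xf9\x70\xd0\xce\xc2\x39\x7e\x50\x57\xd9\x1b\x8b\x57\x43\x2c\x7f\x10\xa7\x87\x09\xbd\x6c\x3b\xbd\xfe\x31\xd7\xe5\x32\x60\x09\xf0\xbe\x7e\x8c\x98\x8b\x5e\xff\x16\x3c\x64\x3b\x2a\x02\x52\x5b\xba\xc7\x60\x73\x28\x08\xef\xbe\xc2\x7b\x3b\x95\x25\x8a\x82\xf9\xab\xae\x7b\x22\x44\x0b\xd3\xd5\xaa\x3e\xc3\xae\x0a\x57\xe1\xbd\x0c\x7b\x4e\x47\xf4\xa5\x34\x95\x31\x18\x3f\xef\x49\x81\xfd\xa0\xd7\xcd\xb9\xa5\x7b\x53\x32\x64\x6c\x4c\xe0\x79\x6a\x21\xc6\x9f\xfb\x13\x30\xf4\x19\x89\xa5\x61\x53\x1b\xac\x48\x5b\x98\x86\x9e\x0a\xec\xa5\xaa\xb2\xef\x1b\x76\x14\x12\xe4\x99\x11\xa6\xe3\xca\x9f\x4f\x69\x10\x01\xc4\xca\xf0\x20\xe2\x3c\x1a\x09\x6f\x40\x1d\x4a\x5c\x33\xcf\x49\xc0\x99\xbb\xb2\x19\xdf\xdd\xbd\x4c\xc9\xac\x93\xdb\xcd\xcf\xe5\xb0\x6a\xe6\xf5\x89\xd9\xbe\x63\x15\xb5\xb7\xe9\xc6\xc7\xac\xa5\xcd\xea\x81\xd2\x9f\xa3\x6c\x6a\xbc\x2a\xf6\x8b\xf8\x5d\x64\x49\x08\x75\x06\x5d\x6c\x01\xcf\xb9\x80\x34\xf9\x71\xfd\x46\x47\x5f\x6c\x3c\x22\x61\x01\xa8\xac\x34\xef\xc4\xac\x08\xac\xe0\x8a\x74\x3f\x84\x11\x95\x63\x69\x03\x3d\x87\xd5\x09\xd3\x87\xf0\x83\xf0\xd1\xac\xd4\x1a\xb0\xad\x1e\xf8\x0b\x08\x3a\x70\x15\x12\x2a\x21\x62\x0e\xd7\x94\xf5\x5f\x5b\xe2\x09\x5b\xff\xe4\x87\x63\x6b\xfc\x6d\x41\x02\xe5\x10\x1d\x39\x46\xa5\x1e\x9f\x75\x92\xf1\xca\x1f\x50\x9f\x91\xbd\xc8\x8c\x0b\xc0\xa0\x1e\x5f\x6f\x71\xb2\x8d\x92\xb7\x10\x33\x04\xac\xd1\x35\xaa\xe9\x53\xde\xcc\x87\x73\x91\xc4\xfa\x2e\x1e\x81\xbf\xd4\x93\x59\x76\x5b\x72\xbe\xc2\x57\x9c\xe0\x6d\x81\x17\x5c\x6f\xd6\x72\x7b\x6c\x5d\xda\x70\xd6\xef\x00\xb1\x78\xc0\xda\x3a\x66\xb5\xf6\xa4\x66\xf9\xf6\x02\xdd\x18\x11\xd5\xb9\xe8\xf3\xf8\xe4\xd4\x6c\x07\xcb\x6a\xa6\xaa\x61\x8c\x79\x8f\xdd\x4b\x48\x8a\x84\x35\xe9\x33\x9f\xbf\x10\xd2\x91\xb2\x83\x4a\x9e\x88\x3b\x8e\x4c\xe0\x88\x6a\xf6\x65\x48\x29\xc4\x26\xa9\x50\x8c\xd5\x94\x4a\x25\x87\x48\x4c\x5d\x1d\x12\x3e\xa6\xde\xd2\x20\xe6\xa3\xac\x68\xa5\xd2\x47\x2f\xe8\xf5\x7c\xfb\xb4\xd5\xaf\x66\x34\xa7"
           "\xcd\xc5\x44\x8f\xa8\xd3\x92\xbf\x38\x8e\xe9\x1b\x92"
           "\x61\x2a\x41\x0b\x77\x78\x14\xbb\x86\xa5\x5f\x6e\x3e\xbb\xdb\x86\xb9\x57\x04\x31\x38\xa3\x08\x9a\xbd\x8f\x26\x8c\xd9\x21\xc0\x1e\x62\x14\x50\x26\xf8\xc0\x97\x6d\xa8\x1d\xb3\x18\x0f\x79\x3f\xe9\x20\x6b\x63\xc5\x0c\x19\x52\xb8\x9e\xb7\x50\xcd\x86\x97\x7d\x3e\x0c\x20\x31\x65\x53\x4d\x16\x52\xe2\xe3\x89\xbb\x4a\xc9\x7b\x1e\xa1\xf3\x6d\x0a\xbb\xb9\x20\x63\x17\x69\x80\x20\x19\x4a\xdb\xc7\x01\x81\x9d\x04\xfc\xa0\x39\xa4\xb7\xf4\x54\xc0\x52\xa4\xef\x04\x32\x1c\xee\x59\xc7\xe5\xc6\x26\xda\x76\x7e\xb8\xd8\x3d\x58\x42\x53\xfd\x79\x7e\x76\x5b\xdb\x5f\xea\x9c\xa3\xdb\x83\x65\x49\x61\x59\x4d\xa8\x3f\x15\x8e\x47\xbb\xa5\xdc\x76\x4e\x98\xef\x62\x87\x8c\x10\x77\xd6\x16\x9e\xa2\xe0\xf9\xf6\xc1\xb3\xbd\x62\x51\x40\x1a\xc5\x78\xaa\x6e\x34\x79\xfa\xf7\x8a\xc5\x15\x55\x26\x83\xd1\x85\x63\xb2\xf5\x87\x4d\x33\x40\x40\x15\x5d\xcb\x8c\x21\xd8\xa6\x28\x7f\x34\xb9\x53\xce\x3b\x29\x09\x67\x96\x3d\x16\xe3\x69\xa2\xfc\x83\xf0\x42\xe1\x2b\x9e\xf1\x6a\x13\xfc\x18\x25\x6e\x9b\xf8\x5b\xc5\x48\xf6\xc7\x15\xed\x2d\xdf\xb5\x87\xff\x69\xa1\x5f\x88\x9f\x81\xaa\xbb\xe0\xaa\xdd\xa0\x4e\xb7\x5c\x5e\x88\xf8\xfa\x1c\x56\x2c\x1a\x61\xed\xb4\x93\x1d\x2b\xc6\xc2\xaa\xcb\x71\x8a\x24\x47\x53\x12\xb7\x4a\x18\x81\xc5\xe7\x87\x3b\xb9\x67\xa7\xf1\xa5\xcf\xcd\xfa\x45\xb0\xd2\x7f\xfb\x83\x5e\xd4\x9c\xdf\xd6\x26\xe4\xb7\x0b\xed\x35\x64\xaf\x85\xbc\x74\xc8\xad\xdb\xc6\xe4\xfc\xc6\x47\x81\x26\x8e\xd1\x55\x1c\xcf\xd3\x17\xdd\xfb\xb9\x90\x10\xda\x8a\xde\x15\xcf\x0c\x63\x66\x54\x52\xdc\x16\x88\xcc\xf9\xd4\x50\x07\x85\x93\x32\x68\x65\xa4\x77\x2c\x8d\xfe\x27\x48\x42\x28\xe0\xd5\xde\xf0\x09\x09\x74\x04\xbf\x31\xe2\xb1\xee\xcd\xeb\x67\x7a\xa4\x62\xd5\x0e\x74\xd5\xb7\xbd\x68\x46\x9c\x87\x62\xe6\xd1\x45\xcf\x9b\x4f\x8e\x50\x33\xc7\x8d\x60\xc3\x7c\xeb\xe0\x8a\xb9\x82\xd7\x2b\xa2\x35\x9f\xa3\xaa\x63\x81\x18\x56\x30\x24\x6f\xf0\xe3\xf8\x2b\xf8\x7c\x57\x40\x69\x23\xe3\x4a\x69\x92\x9d\xc8\xb8\x47\xcc\xb3\x81\x33\xb5\x5b\xe1\x8d\xb7\x9b\x87\x1b\x8e\xe3\xbd\xb9\x14\xaa\x96\x90\x29\x29\x40\xb7\x96\x67\x42\x07\x13\x05\xe3\x1b\x1b\xbc\x5e"
           "\x2a\xa8\x96\x22\x42\x58\x63\x09\xfe\xf6\x3e\x80\x70"
           "\xb1\x43\xb9\x40\xda\x9c\x81\xf5\xf9\x4a\x5c\x32\x60\xf5\x1b\xee\x65\xea\xca\x35\x3f\x15\x93\x11\x40\x0d\xc7\x2f\xf0\x3a\x7b\x44\xbb\xdf\x67\xa9\xae\xcd\x3c\xfd\x14\x90\x0f\xeb\x6e\xf2\x1a\xdb\xb1\x1c\xe7\x5c\xdc\xd2\x61\xce\x22\x04\x99\x79\x60\x46\x79\x11\x8c\x72\x7a\x62\xea\x82\x19\xae\xe4\x78\xda\xd0\x50\xb4\x86\x8c\x18\x5e\xd8\xb2\x7a\xf4\x57\x59\x4f\x34\x01\x3c\xc5\xe1\x77\x5d\xf0\x88\x8c\x9e\x07\xe6\x11\xa2\x74\x32\x86\x1b\xb6\x94\x17\xca\x31\x8e\x0f\x4e\x73\x14\xfe\x24\xe3\x79\x68\xf0\xaa\x8c\x18\x37\x64\x57\xac\x8b\xf2\x00\xd3\x4d\x94\xdf\xa6\x0d\xa1\x88\x2c\x49\x4b\x38\xa4\xfc\x23\x5b\x2c\xa3\x77\x81\xb0\x38\x86\x4a\x29\x73\x9b\xd5\xc7\x28\x5b\x8a\x27\x99\xa1\xf2\x02\xe7\x50\xdd\x05\x73\x39\x3d\xa5\x0a\x48\x70\x97\xdf\xf7\xe0\xe3\x95\x36\xbc\x51\xba\x03\x74\x30\x9e\xd6\xd9\x47\x62\x57\xd5\xd9\xa9\xd5\x14\x74\x22\xff\xe7\x84\xbf\x61\x1d\x67\x43\x99\x61\x02\x41\xcf\xf6\x0a\x0b\x45\x45\x32\xf7\x8f\x90\xba\xcb\x29\x5a\x76\x0b\x81\xd8\x44\x17\x06\xbd\xe9\xab\x1f\x70\xe5\xe5\x93\x0c\xb5\xdb\xf6\x75\x8d\x70\x2b\x92\x93\x75\xc9\x4b\x77\x1c\x39\x1a\x17\xc6\x61\x48\x7f\x9a\x36\x29\xed\x28\x74\x54\x96\x78\x7f\xbf\x60\xb1\x58\xe4\xc7\xa0\x52\x17\xdf\x51\x83\x72\x56\xd3\x26\x9d\xd8\x53\x50\xc9\xe1\xa4\xc3\xef\x98\xbb\x77\xe9\xf7\x46\x65\xaa\xce\x25\xce\xd7\x95\x17\x5e\xa1\x5e\xc8\x88\x7b\xc3\xcc\xe2\x1f\x1d\xbf\xe8\xfb\x3e\xd5\xd7\xd4\x69\x42\x78\xd8\xb0\xf9\x64\x6b\x78\x43\x71\xb0\x3d\x25\x0d\xc3\x19\xb8\x5c\x58\x94\xa5\x10\xac\x93\x89\x34\xbf\xfd\xcd\x8a\x0b\xea\x7a\x53\x9a\x03\x3c\x69\x36\xdc\x52\x8c\x41\xb8\x5e\x1d\x43\x45\x5a\x67\xf5\xd9\xe5\xab\x1f\x32\xd0\x97\x9b\x31\xe7\x05\x5f\x9d\x5c\x5d\x71\xfb\x57\xab\x69\x7b\x85\xe4\xc7\x6d\xe3\x54\x39\x6e\x09\xab\xa9\x18\xa1\x6c\x25\x5d\x76\x1c\x82\x11\x70\xf5\xc1\x64\x99\x7e\x78\x59\xfb\xb0\x7e\xee\xbb\x77\x61\xb8\x8f\x51\x4f\x0c\xb2\x6e\xaf\xc5\xe9\xbb\x0d\x69\xaf\x8f\x0b\x0c\x58\x40\x96\xa6\x99\x04\x7a\x50\x74\xef\x56\xfd\x22\xec\xfe\xf4\x49\x01\xf0\xf1\x8d\x34\x66\xdd\x99\x26\x4b\x50\xd0\x2c\x37\x71\xae\x6e\x1a\x53"
           "\xa6\xcd\x46\x4d\x23\x11\xc6\xe1\xd9\xf1\x53\x1e\x14"
           "\xb2\x56\x4c\x3a\xdf\xe7\xfe\x45\xa9\x10\xf8\x96\x66\xb0\xf8\x64\x9c\xcd\xc8\x32\x18\x74\xae\xf8\x34\x90\x4b\x3c\x36\x51\x2b\x78\xc6\x2f\xa6\x44\x68\xdd\x77\x7a\xc3\xe9\x51\xfd\x79\x10\x2c\x93\x54\xd4\x4b\x95\xac\x64\xff\x0d\x6f\xae\xb9\x67\x37\x0e\x82\xf5\x4f\x59\x80\xc1\xe5\xb8\xa0\x8d\xae\xa8\xb2\xe1\x2b\xb2\xf2\xb0\xd4\xbc\xcc\x07\x5f\xaa\xbe\x1c\x2f\xeb\x1e\x13\xfd\x69\x6c\xf0\x19\x90\x14\x44\xde\xf9\xcd\xa9\x44\xc1\x9e\xd8\x39\x8d\x9f\xa2\x0f\xd7\xf9\x59\xce\xef\x69\xd5\xb2\xd8\xdb\x83\xc3\xb0\x04\xb9\xad\xf1\xb4\x98\x48\x90\x98\x17\xcd\x78\x22\x4b\x45\xa7\x1c\x6a\x7b\x04\xa0\x22\x2c\xc9\xc3\xfc\xea\x45\x99\x93\x16\x11\xad\xbe\x5a\x80\xc2\x88\xdf\x77\x20\xdf\xd0\x85\x39\xcc\x39\x6b\x53\x85\x42\x2c\xeb\xe8\xfd\x03\x02\x67\xd5\x6d\x61\x23\x57\x93\xe0\x02\xf9\x82\x60\x6b\x7f\x8f\x1a\xce\x2e\x37\x99\xa4\x4f\x8e\x2b\xe9\x1e\x61\x9e\x80\xc6\x6d\xd3\xa9\x62\x23\xfe\x14\x3c\xa7\x43\x71\xb0\xed\x22\x99\x9a\xd8\xc8\xe5\x53\x95\x63\x9e\xaa\x18\x47\x40\x82\xa6\xec\x14\xe9\x61\x09\x55\x1b\xd6\x83\xd6\x1b\x56\xab\x0c\x83\x35\x42\xae\x31\xf5\xdf\xef\x16\x14\xad\x32\xb6\xf7\xc6\x57\x51\x58\x61\x94\xab\x76\xc6\xf5\x26\x8d\xa5\x2e\x52\xb7\x6a\xfb\xd9\xcd\x6c\x9e\x0c\x60\xd6\x06\xce\x0d\x39\x21\x50\xab\x74\x2b\x5f\x4a\xee\x08\x62\xcf\x21\x11\xdb\xc6\x2a\x21\xf4\x84\x1c\x71\xd9\x86\xcc\xda\x25\x67\x30\x29\x68\xe5\xb9\x3a\x3f\x7c\x26\x89\xb2\x38\x05\x9f\x32\xca\x9d\x34\x99\x64\x83\xa9\x57\xb8\x22\x1e\x43\x68\x32\x96\x52\xd7\xc6\xf7\x36\x47\xb2\x7f\x5b\x7d\x04\xa2\x1a\x06\xb8\x88\x99\x74\x72\x4d\x69\xa4\x73\xf6\xbc\x01\x2d\xf1\xba\xef\x29\x7c\xcc\x24\xc3\x90\x72\x8b\x2c\x2c\x4c\xa4\x54\xc7\xa8\x45\xac\x2c\x81\x3f\xd7\xfe\xc2\x9b\x9e\xf1\x22\xda\xbe\x7b\x0b\xd9\xcd\x29\x9d\xf0\x95\xa6\x1c\x07\x04\x81\x8f\x54\xe6\x84\x92\xc4\xc2\x3a\x60\x8f\x71\x85\x4b\x48\xc9\xab\x7c\x77\x91\x61\x49\x5c\xe5\x48\x40\x92\xa8\x13\x13\x69\xf6\x96\xe3\x55\x61\x6a\x0d\xe3\xfc\xb4\x06\x82\xcc\x84\x04\x0b\x89\x26\xe5\x08\xed\x48\x2d\x63\xbb\x05\x75\x9f\x52\x7e\xc9\x95\xf4\x95\xaf\x6e\x8f\x49\xd0\x4d\x49"
           "\x80\x0b\x95\x2f\x73\x4e\xcf\x1b\x48\x65\x17\xfc\x9c",
           4096);

    /* The fuzzer then overwrites the first two payload bytes; meaning unknown. */
    memcpy((void*)0x20000000, "\x04\x00", 2);

    /*
     * sendto(r8, buf @ 0x20000000, 4096, MSG_DONTROUTE|MSG_NOSIGNAL (0x4004),
     *        dest_addr @ 0x20000000, addrlen = 2)
     * Note dest_addr aliases the start of the data buffer.
     */
    syscall(SYS_sendto, r8, 0x20000000ul, 0x1000ul,
            0x4004ul, 0x20000000ul, 0x2ul);

    /*
     * 10-byte sockaddr at 0x20000ff9: family 1 (AF_UNIX) + "./file0\0".
     * It is handed to recvfrom as the src_addr/addrlen pair below.
     */
    memcpy((void*)0x20000ff9,
           "\x01\x00\x2e\x2f\x66\x69\x6c\x65\x30\x00", 10);

    /*
     * recvfrom(r8, buf @ 0x20002fbc, 0x5a, MSG_DONTWAIT|MSG_WAITFORONE (0x10040),
     *          src_addr @ 0x20000ff9, addrlen = 0xa)
     * This is the call that reaches skcipher_recvmsg in the report.
     */
    syscall(SYS_recvfrom, r8, 0x20002fbcul, 0x5aul,
            0x10040ul, 0x20000ff9ul, 0xaul);
}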

/*
 * Entry point: fork ten children, each of which runs the reproducer.
 *
 * A child returns from foo() and then keeps executing this same loop, so
 * the process tree grows well beyond ten processes; nothing waits for or
 * reaps the children.  main() returns 0 implicitly (C99 and later).
 */
int main()
{
    enum { NUM_FORKS = 10 };
    int remaining = NUM_FORKS;

    while (remaining-- > 0) {
        if (fork() == 0) {
            foo();
        }
    }
}



BUG: Bad page state in process stress pfn:65d71
page:ffffea0001975c40 count:-1 mapcount:0 mapping: (null) index:0x0
flags: 0x5fffc0000000000()
page dumped because: nonzero _count
Modules linked in:
CPU: 3 PID: 6985 Comm: stress Not tainted 4.4.0-rc3+ #151
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
0000000000000003 ffff8800631a7430 ffffffff82e0f4b8 0000000041b58ab3
ffffffff87a9a265 ffffffff82e0f406 0000000000000000 0000000000000000
ffffffff86bc6e80 ffffea0001975c5c ffff8800631a7430 ffffffff817b53a5
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff82e0f4b8>] dump_stack+0xb2/0xfa lib/dump_stack.c:50
[<ffffffff81725cc5>] bad_page+0x1c5/0x250 mm/page_alloc.c:438
[< inline >] check_new_page mm/page_alloc.c:1358
[< inline >] prep_new_page mm/page_alloc.c:1371
[<ffffffff81736bb3>] get_page_from_freelist+0xbb3/0x2790 mm/page_alloc.c:2584
[<ffffffff81738d31>] __alloc_pages_nodemask+0x2a1/0x1ad0 mm/page_alloc.c:3225
[<ffffffff81827aad>] alloc_pages_current+0xfd/0x3a0 mm/mempolicy.c:2055
[< inline >] alloc_pages include/linux/gfp.h:451
[< inline >] pmd_alloc_one ./arch/x86/include/asm/pgalloc.h:84
[<ffffffff817c1e88>] __pmd_alloc+0x28/0x390 mm/memory.c:3490
[< inline >] pmd_alloc include/linux/mm.h:1496
[< inline >] copy_pmd_range mm/memory.c:958
[< inline >] copy_pud_range mm/memory.c:999
[<ffffffff817c8738>] copy_page_range+0x12d8/0x1990 mm/memory.c:1061
[< inline >] dup_mmap kernel/fork.c:505
[< inline >] dup_mm kernel/fork.c:929
[< inline >] copy_mm kernel/fork.c:983
[<ffffffff8136efec>] copy_process+0x4f1c/0x6a90 kernel/fork.c:1450
[<ffffffff81370e5b>] _do_fork+0x14b/0xf00 kernel/fork.c:1727
[< inline >] SYSC_clone kernel/fork.c:1836
[<ffffffff81371ce7>] SyS_clone+0x37/0x50 kernel/fork.c:1830
[<ffffffff86a89fb6>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
Disabling lock debugging due to kernel taint
BUG: Bad page state in process stress pfn:64f0d
page:ffffea000193c340 count:-1 mapcount:0 mapping: (null) index:0x0
flags: 0x5fffc0000000000()
page dumped because: nonzero _count
Modules linked in:
CPU: 2 PID: 7163 Comm: stress Tainted: G B 4.4.0-rc3+ #151
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
0000000000000002 ffff880036f2f6a0 ffffffff82e0f4b8 0000000041b58ab3
ffffffff87a9a265 ffffffff82e0f406 0000000000000000 0000000000000000
ffffffff86bc6e80 ffffea000193c35c ffff880036f2f6a0 ffffffff817b53a5
Call Trace:
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffff82e0f4b8>] dump_stack+0xb2/0xfa lib/dump_stack.c:50
[<ffffffff81725cc5>] bad_page+0x1c5/0x250 mm/page_alloc.c:438
[< inline >] check_new_page mm/page_alloc.c:1358
[< inline >] prep_new_page mm/page_alloc.c:1371
[<ffffffff81736bb3>] get_page_from_freelist+0xbb3/0x2790 mm/page_alloc.c:2584
[<ffffffff81738d31>] __alloc_pages_nodemask+0x2a1/0x1ad0 mm/page_alloc.c:3225
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 3 PID: 7168 Comm: a.out Tainted: G B 4.4.0-rc3+ #151
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88003712ad00 ti: ffff8800331d8000 task.ti: ffff8800331d8000
RIP: 0010:[<ffffffff82d2d812>] [<ffffffff82d2d812>]
skcipher_recvmsg+0x82/0x1f10
RSP: 0018:ffff8800331dfb80 EFLAGS: 00010203
RAX: dffffc0000000000 RBX: ffff88006b98f300 RCX: 0000000000010040
RDX: 0000000000000002 RSI: ffff8800331dfdc0 RDI: 0000000000000016
RBP: ffff8800331dfc80 R08: ffff8800331dfdd0 R09: 000000000000000a
R10: 0000000000010040 R11: 0000000000000246 R12: 0000000000000006
R13: ffff8800331dfdc0 R14: ffff8800331dfdc0 R15: 0000000000010040
FS: 0000000002630880(0063) GS:ffff88006cf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 000000c8200d73b0 CR3: 0000000064c58000 CR4: 00000000000006e0
Stack:
ffff88006aba6024 ffff88006ab24520 ffff88006ab24510 ffff88006aba67e0
ffff88006aba602c ffffed000d574cfc 0000000000000000 ffff88006ab24518
ffff88006aba602d 0000000000001000 ffff88006ab24500 ffff88006aba6a48
Call Trace:
[< inline >] sock_recvmsg_nosec net/socket.c:712
[<ffffffff856b1c8a>] sock_recvmsg+0xaa/0xe0 net/socket.c:720
[<ffffffff856b2424>] SYSC_recvfrom+0x1e4/0x370 net/socket.c:1707
[<ffffffff856b7570>] SyS_recvfrom+0x40/0x50 net/socket.c:1681
[<ffffffff86a89fb6>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
Code: 8b 45 c8 4c 8b 60 50 4d 85 e4 0f 84 0f 0a 00 00 e8 c4 a7 8d fe
49 8d 7c 24 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80>
3c 02 00 0f 85 ea 16 00 00 49 83 7c 24 10 00 0f 84 de 09 00
RIP [< inline >] is_sync_kiocb include/linux/fs.h:333
RIP [<ffffffff82d2d812>] skcipher_recvmsg+0x82/0x1f10
crypto/algif_skcipher.c:705
RSP <ffff8800331dfb80>
---[ end trace a867d3766397dba1 ]---
[<ffffffff81827aad>] alloc_pages_current+0xfd/0x3a0 mm/mempolicy.c:2055
[< inline >] alloc_pages include/linux/gfp.h:451
[<ffffffff8129e017>] pte_alloc_one+0x17/0xb0 arch/x86/mm/pgtable.c:28
[<ffffffff817bdbcd>] __pte_alloc+0x2d/0x450 mm/memory.c:568
[< inline >] __handle_mm_fault mm/memory.c:3400
[<ffffffff817c3aeb>] handle_mm_fault+0x18fb/0x4100 mm/memory.c:3442
[<ffffffff8129093c>] __do_page_fault+0x2ec/0x970 arch/x86/mm/fault.c:1238
[<ffffffff812910a3>] trace_do_page_fault+0xb3/0x3c0 arch/x86/mm/fault.c:1331
[<ffffffff81280584>] do_async_page_fault+0x14/0x70 arch/x86/kernel/kvm.c:264
[<ffffffff86a8bf18>] async_page_fault+0x28/0x30 arch/x86/entry/entry_64.S:977


On upstream commit 31ade3b83e1821da5fbb2f11b5b3d4ab2ec39db8 (Nov 29).