Hi,
We would like to report the following bug which has been found by our modified version of syzkaller.
======================================================
description: WARNING in get_pat_info
affected file: arch/x86/mm/pat/memtype.c
kernel version: 5.15.156
kernel commit: c52b9710c83d3b8ab63bb217cc7c8b61e13f12cd
git tree: upstream
kernel config: attached
crash reproducer: attached
======================================================
Crash log:
WARNING: CPU: 0 PID: 100140 at arch/x86/mm/pat/memtype.c:1020 get_pat_info+0x212/0x270 arch/x86/mm/pat/memtype.c:1020
Modules linked in:
CPU: 0 PID: 100140 Comm: syz-executor.3 Not tainted 5.15.156 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:get_pat_info+0x212/0x270 arch/x86/mm/pat/memtype.c:1020
Code: c1 ea 03 80 3c 02 00 75 71 49 89 1e eb 92 e8 25 68 42 00 0f 0b e9 9b fe ff ff 41 bc ea ff ff ff e9 7b ff ff ff e8 0e 68 42 00 <0f> 0b 41 bc ea ff ff ff e9 69 ff ff ff 4c 89 ff e8 d9 67 8a 00 e9
RSP: 0018:ffffc900044cf718 EFLAGS: 00010216
RAX: 000000000002315b RBX: ffff88801994db58 RCX: ffffc90004571000
RDX: 0000000000040000 RSI: ffffffff81355ee2 RDI: 0000000000000007
RBP: ffffc900044cf7d0 R08: 0000000000000000 R09: ffffc900044cf6a0
R10: 0000000000000020 R11: 0000000000086082 R12: 0000000000000028
R13: 1ffff92000899ee3 R14: 0000000000000000 R15: ffff88801994dba8
FS: 00007f786237e640(0000) GS:ffff888063e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c045391000 CR3: 000000001ee0c000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
untrack_pfn+0xdc/0x240 arch/x86/mm/pat/memtype.c:1122
unmap_single_vma+0x1bc/0x310 mm/memory.c:1589
unmap_vmas+0x16d/0x2f0 mm/memory.c:1642
exit_mmap+0x1d0/0x620 mm/mmap.c:3186
__mmput+0x122/0x4b0 kernel/fork.c:1126
mmput+0x58/0x60 kernel/fork.c:1147
dup_mm kernel/fork.c:1481 [inline]
copy_mm kernel/fork.c:1517 [inline]
copy_process+0x7ca5/0x8730 kernel/fork.c:2206
kernel_clone+0xe7/0x9f0 kernel/fork.c:2604
__do_sys_clone+0xc8/0x110 kernel/fork.c:2721
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f7863e0ed2d
Code: c3 e8 97 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f786237dfd8 EFLAGS: 00000202 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 00007f7863f4bf80 RCX: 00007f7863e0ed2d
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000024080
RBP: 00007f786237e0a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000002
R13: 000000000000000b R14: 00007f7863f4bf80 R15: 00007f786235e000
</TASK>
======================================================
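For triaging reports like the one above, it helps to pull the warning site and the call trace out of the raw log mechanically (for example to build the syzkaller-style "WARNING in get_pat_info" title used for deduplication, or to see which syscall handler is on the stack). The parser below is an added example and is not part of the original report or of syzkaller; the sample input is constructed from the crash log quoted above, and the dataclass and function names are my own.

```python
"""Parse a Linux kernel WARNING report into structured fields for triage.

Added example, not part of the original report. SAMPLE_LOG is constructed
from the crash log quoted in the report; all names below are my own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the relevant lines of the quoted crash log.
SAMPLE_LOG = """\
WARNING: CPU: 0 PID: 100140 at arch/x86/mm/pat/memtype.c:1020 get_pat_info+0x212/0x270 arch/x86/mm/pat/memtype.c:1020
Modules linked in:
CPU: 0 PID: 100140 Comm: syz-executor.3 Not tainted 5.15.156 #1
RIP: 0010:get_pat_info+0x212/0x270 arch/x86/mm/pat/memtype.c:1020
Call Trace:
<TASK>
untrack_pfn+0xdc/0x240 arch/x86/mm/pat/memtype.c:1122
unmap_single_vma+0x1bc/0x310 mm/memory.c:1589
unmap_vmas+0x16d/0x2f0 mm/memory.c:1642
exit_mmap+0x1d0/0x620 mm/mmap.c:3186
__mmput+0x122/0x4b0 kernel/fork.c:1126
mmput+0x58/0x60 kernel/fork.c:1147
dup_mm kernel/fork.c:1481 [inline]
copy_mm kernel/fork.c:1517 [inline]
copy_process+0x7ca5/0x8730 kernel/fork.c:2206
kernel_clone+0xe7/0x9f0 kernel/fork.c:2604
__do_sys_clone+0xc8/0x110 kernel/fork.c:2721
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f7863e0ed2d
</TASK>
"""

# "WARNING: CPU: 0 PID: 100140 at <file>:<line> <func>+0x.../0x..."
HEADER_RE = re.compile(
    r"^WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) at "
    r"(?P<file>\S+):(?P<line>\d+) (?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+"
)
# Frame forms: "func+0xoff/0xsize file:line", "func file:line [inline]",
# or a bare "func+0xoff/0xsize" for asm entry stubs without a source location.
FRAME_RE = re.compile(
    r"^(?P<func>\w+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
    r"(?: (?P<file>\S+):(?P<line>\d+))?(?P<inline> \[inline\])?$"
)


@dataclass
class Frame:
    func: str
    file: Optional[str]
    line: Optional[int]
    inline: bool


@dataclass
class CrashReport:
    cpu: int
    pid: int
    file: str
    line: int
    func: str
    frames: List[Frame] = field(default_factory=list)


def parse_crash(text: str) -> CrashReport:
    """Extract the WARNING site and the in-kernel call trace from a log."""
    report: Optional[CrashReport] = None
    in_trace = False
    for raw in text.splitlines():
        line = raw.strip()
        if report is None:
            m = HEADER_RE.match(line)
            if m:
                report = CrashReport(int(m["cpu"]), int(m["pid"]), m["file"],
                                     int(m["line"]), m["func"])
            continue
        if line == "Call Trace:":
            in_trace = True
            continue
        if not in_trace or line == "<TASK>":
            continue
        if line == "</TASK>":
            break  # end of the kernel-side trace
        m = FRAME_RE.match(line)
        if m:  # register dumps such as "RIP: 0033:..." do not match and are skipped
            report.frames.append(Frame(m["func"], m["file"],
                                       int(m["line"]) if m["line"] else None,
                                       bool(m["inline"])))
    if report is None:
        raise ValueError("no WARNING header found")
    return report


def title(report: CrashReport) -> str:
    """syzkaller-style dedup title: 'WARNING in <function>'."""
    return f"WARNING in {report.func}"


def entry_syscall(report: CrashReport) -> Optional[str]:
    """Name of the syscall whose handler appears in the trace (e.g. 'clone')."""
    for fr in report.frames:
        m = re.match(r"^__(?:do|x64|se)_sys_(\w+)$", fr.func)
        if m:
            return m.group(1)
    return None


def kernel_frames(report: CrashReport) -> List[Frame]:
    """Frames that carry a source location (drops the asm entry stub)."""
    return [fr for fr in report.frames if fr.file]


if __name__ == "__main__":
    r = parse_crash(SAMPLE_LOG)
    print(title(r), "via syscall", entry_syscall(r))
    for fr in kernel_frames(r):
        print(f"  {fr.func:32} {fr.file}:{fr.line}{' [inline]' if fr.inline else ''}")
```

Run on the quoted log, the parser yields the title "WARNING in get_pat_info", identifies `clone` as the syscall on the stack, and lists the thirteen frames that have a source location, which is the minimum needed to match this report against other instances of the same warning.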
Please note that I used the crashing location to identify relevant maintainers/mailing lists. I hope that is the correct approach in this case. I apologize in case it is not and would appreciate your help in getting the report to the right people/mailing list.
From a very brief look, it appears as if one of the two anon_vma_chain_alloc calls in mm/rmap.c fails which leads to this warning. I was not able to understand the connection between this allocation failure and the resulting warning though.
The attached reproducer is in syzlang format. Please find instructions on how to execute the reproducer here: https://github.com/google/syzkaller/blob/master/docs/executing_syzkaller_programs.md
Here is also the command we used to execute the reproducer:
./syz-execprog -executor=./syz-executor -procs=8 -repeat=0 repro.syz
Kind regards,
Marius
Attachments:
repro.syz (binary data)
config (binary data)