Re: WARNING in get_pat_info

From: Marius Fleischer
Date: Tue Oct 15 2024 - 14:59:42 EST


Hi,

Hope you are doing well!

Quick update from our side: The reproducer from the previous email
still triggers a WARNING on v5.15 (commit hash
3a5928702e7120f83f703fd566082bfb59f1a57e). Happy to also test on
other kernel versions if that helps.

Please let us know if there is any other helpful information we can provide.

Wishing you a nice day!

Best,
Marius

On Thu, 18 Apr 2024 at 13:11, Marius Fleischer
<fleischermarius@xxxxxxxxx> wrote:
>
> Hi,
>
>
> We would like to report the following bug which has been found by our modified version of syzkaller.
>
>
> ======================================================
>
> description: WARNING in get_pat_info
>
> affected file: arch/x86/mm/pat/memtype.c
>
> kernel version: 5.15.156
>
> kernel commit: c52b9710c83d3b8ab63bb217cc7c8b61e13f12cd
>
> git tree: upstream
>
> kernel config: attached
>
> crash reproducer: attached
>
> ======================================================
>
> Crash log:
>
> WARNING: CPU: 0 PID: 100140 at arch/x86/mm/pat/memtype.c:1020 get_pat_info+0x212/0x270 arch/x86/mm/pat/memtype.c:1020
> Modules linked in:
> CPU: 0 PID: 100140 Comm: syz-executor.3 Not tainted 5.15.156 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> RIP: 0010:get_pat_info+0x212/0x270 arch/x86/mm/pat/memtype.c:1020
> Code: c1 ea 03 80 3c 02 00 75 71 49 89 1e eb 92 e8 25 68 42 00 0f 0b e9 9b fe ff ff 41 bc ea ff ff ff e9 7b ff ff ff e8 0e 68 42 00 <0f> 0b 41 bc ea ff ff ff e9 69 ff ff ff 4c 89 ff e8 d9 67 8a 00 e9
> RSP: 0018:ffffc900044cf718 EFLAGS: 00010216
> RAX: 000000000002315b RBX: ffff88801994db58 RCX: ffffc90004571000
> RDX: 0000000000040000 RSI: ffffffff81355ee2 RDI: 0000000000000007
> RBP: ffffc900044cf7d0 R08: 0000000000000000 R09: ffffc900044cf6a0
> R10: 0000000000000020 R11: 0000000000086082 R12: 0000000000000028
> R13: 1ffff92000899ee3 R14: 0000000000000000 R15: ffff88801994dba8
> FS: 00007f786237e640(0000) GS:ffff888063e00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000000c045391000 CR3: 000000001ee0c000 CR4: 0000000000750ef0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
> PKRU: 55555554
> Call Trace:
> <TASK>
> untrack_pfn+0xdc/0x240 arch/x86/mm/pat/memtype.c:1122
> unmap_single_vma+0x1bc/0x310 mm/memory.c:1589
> unmap_vmas+0x16d/0x2f0 mm/memory.c:1642
> exit_mmap+0x1d0/0x620 mm/mmap.c:3186
> __mmput+0x122/0x4b0 kernel/fork.c:1126
> mmput+0x58/0x60 kernel/fork.c:1147
> dup_mm kernel/fork.c:1481 [inline]
> copy_mm kernel/fork.c:1517 [inline]
> copy_process+0x7ca5/0x8730 kernel/fork.c:2206
> kernel_clone+0xe7/0x9f0 kernel/fork.c:2604
> __do_sys_clone+0xc8/0x110 kernel/fork.c:2721
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x66/0xd0
> RIP: 0033:0x7f7863e0ed2d
> Code: c3 e8 97 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f786237dfd8 EFLAGS: 00000202 ORIG_RAX: 0000000000000038
> RAX: ffffffffffffffda RBX: 00007f7863f4bf80 RCX: 00007f7863e0ed2d
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000024080
> RBP: 00007f786237e0a0 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000002
> R13: 000000000000000b R14: 00007f7863f4bf80 R15: 00007f786235e000
> </TASK>
>
> ======================================================
>
>
> Please note, I used the crashing location to identify relevant maintainers/mailing lists. I hope that is the correct approach in this case. I apologize in case it is not and would appreciate your help in getting the report to the right people/mailing list.
>
>
> From a very brief look, it appears as if one of the two anon_vma_chain_alloc calls in mm/rmap.c fails which leads to this warning. I was not able to understand the connection between this allocation failure and the resulting warning though.
>
>
> The attached reproducer is in syzlang format. Please find instructions on how to execute the reproducer here: https://github.com/google/syzkaller/blob/master/docs/executing_syzkaller_programs.md
>
> Here is also the command we used to execute the reproducer:
>
> ./syz-execprog -executor=./syz-executor -procs=8 -repeat=0 repro.syz
>
>
> Kind regards,
>
> Marius
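For triaging reports in this shape, the following Python script (an added example, not part of the thread and not syzkaller's own code) parses the WARNING line, the task line and the call trace of a kernel splat like the one quoted above into structured fields and produces a one-line summary of where the warning fired, how it was reached and from which syscall. The sample input is an excerpt of the crash log from the report; the function and class names in the script are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Excerpt of the crash log quoted in the report above, used here as sample input.
SAMPLE_LOG = """\
WARNING: CPU: 0 PID: 100140 at arch/x86/mm/pat/memtype.c:1020 get_pat_info+0x212/0x270 arch/x86/mm/pat/memtype.c:1020
Modules linked in:
CPU: 0 PID: 100140 Comm: syz-executor.3 Not tainted 5.15.156 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:get_pat_info+0x212/0x270 arch/x86/mm/pat/memtype.c:1020
Call Trace:
<TASK>
untrack_pfn+0xdc/0x240 arch/x86/mm/pat/memtype.c:1122
unmap_single_vma+0x1bc/0x310 mm/memory.c:1589
unmap_vmas+0x16d/0x2f0 mm/memory.c:1642
exit_mmap+0x1d0/0x620 mm/mmap.c:3186
__mmput+0x122/0x4b0 kernel/fork.c:1126
mmput+0x58/0x60 kernel/fork.c:1147
dup_mm kernel/fork.c:1481 [inline]
copy_mm kernel/fork.c:1517 [inline]
copy_process+0x7ca5/0x8730 kernel/fork.c:2206
kernel_clone+0xe7/0x9f0 kernel/fork.c:2604
__do_sys_clone+0xc8/0x110 kernel/fork.c:2721
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f7863e0ed2d
</TASK>
"""

# "WARNING: CPU: <n> PID: <n> at <file>:<line> <function>+..." -- the site that fired.
WARNING_RE = re.compile(
    r"^WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) at (?P<file>\S+):(?P<line>\d+) "
    r"(?P<func>[A-Za-z_][\w.]*)"
)
# "CPU: <n> PID: <n> Comm: <name> Not tainted <version> #<build>" -- the faulting task.
TASK_RE = re.compile(
    r"^CPU: \d+ PID: \d+ Comm: (?P<comm>.+?) (?P<taint>Not tainted|Tainted: \S+) (?P<version>\S+)"
)
# A call-trace frame: "func+0xoff/0xsize file:line [inline]", with the offset,
# the file:line and the [inline] marker each optional (syzkaller symbolized output).
FRAME_RE = re.compile(
    r"^(?P<func>[A-Za-z_][\w.]*)(?:\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+))?"
    r"(?: (?P<file>\S+):(?P<line>\d+))?(?P<inline> \[inline\])?$"
)


@dataclass
class Frame:
    function: str
    file: Optional[str]
    line: Optional[int]
    inline: bool


@dataclass
class KernelWarning:
    cpu: int
    pid: int
    function: str
    file: str
    line: int
    comm: str = ""
    tainted: bool = False
    kernel_version: str = ""
    frames: List[Frame] = field(default_factory=list)


def parse_kernel_warning(text: str) -> KernelWarning:
    """Parse a WARNING splat; frames are collected between 'Call Trace:' and '</TASK>'."""
    warning: Optional[KernelWarning] = None
    in_trace = False
    for raw in text.splitlines():
        line = raw.strip()
        if warning is None:
            m = WARNING_RE.match(line)
            if m:
                warning = KernelWarning(cpu=int(m["cpu"]), pid=int(m["pid"]),
                                        function=m["func"], file=m["file"], line=int(m["line"]))
            continue
        m = TASK_RE.match(line)
        if m and not warning.comm:
            warning.comm = m["comm"]
            warning.tainted = m["taint"] != "Not tainted"
            warning.kernel_version = m["version"]
            continue
        if line == "Call Trace:":
            in_trace = True
            continue
        if not in_trace:
            continue
        if line == "</TASK>":
            break
        m = FRAME_RE.match(line)
        if m:  # register dumps and "RIP: 0033:..." lines in the trace do not match and are skipped
            warning.frames.append(Frame(m["func"], m["file"],
                                        int(m["line"]) if m["line"] else None,
                                        m["inline"] is not None))
    if warning is None:
        raise ValueError("no WARNING line found in log")
    return warning


def syscall_of(warning: KernelWarning) -> Optional[str]:
    """Name of the syscall whose entry wrapper appears on the trace, if any."""
    for f in warning.frames:
        for prefix in ("__do_sys_", "__x64_sys_", "__se_sys_"):
            if f.function.startswith(prefix):
                return f.function[len(prefix):]
    return None


def triage_summary(warning: KernelWarning, depth: int = 4) -> str:
    """One line: where it fired, the innermost callers, and the originating syscall."""
    path = " <- ".join(f.function for f in warning.frames[:depth])
    sc = syscall_of(warning)
    via = f" during the {sc}() syscall" if sc else ""
    return (f"WARNING in {warning.function} ({warning.file}:{warning.line}) on "
            f"{warning.kernel_version}, comm={warning.comm}, reached via {path}{via}")


if __name__ == "__main__":
    print(triage_summary(parse_kernel_warning(SAMPLE_LOG)))
```

The summary makes the shape of this report visible at a glance: the warning fires in untrack_pfn while exit_mmap tears down a half-built mm, which is the error path of dup_mm inside clone, consistent with the reporter's observation that a failed allocation in the fork path precedes it.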