Re: [BUG] kernel BUG at fs/userfaultfd.c:385 after 04f5866e41fb

Hi Kefeng,

On 08/13, Kefeng Wang wrote:
>
> Syzkaller reproducer:
> # {Threaded:true Collide:true Repeat:false RepeatTimes:0 Procs:1 Sandbox:none Fault:false FaultCall:-1 FaultNth:0 EnableTun:true EnableNetDev:true EnableNetReset:false EnableCgroups:false EnableBinfmtMisc:true EnableCloseFds:true UseTmpDir:true HandleSegv:true Repro:false Trace:false}
> r0 = userfaultfd(0x80800)
> ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f0000000200))
> ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ff2000/0xe000)=nil, 0xe000}, 0x1})
> ioctl$UFFDIO_COPY(r0, 0xc028aa03, 0x0)
> ioctl$UFFDIO_COPY(r0, 0xc028aa03, &(0x7f0000000000)={&(0x7f0000ffc000/0x3000)=nil, &(0x7f0000ffd000/0x2000)=nil, 0x3000})
> syz_execute_func(&(0x7f00000000c0)="4134de984013e80f059532058300000071f3c4e18dd1ce5a65460f18320ce0b9977d8f64360f6e54e3a50fe53ff30fb837c42195dc42eddb8f087ca2a4d2c4017b708fa878c3e600f3266440d9a200000000c4016c5bdd7d0867dfe07f00f20f2b5f0009404cc442c102282cf2f20f51e22ef2e1291010f2262ef045814cb39700000000f32e3ef0fe05922f79a4000030470f3b58c1312fe7460f50ce0502338d00858526660f346253f6010f0f801d000000470f0f2c0a90c7c7df84feefff3636260fe02c98c8b8fcfc81fc51720a40400e700064660f71e70d2e0f57dfe819d0253f3ecaf06ad647608c41ffc42249bccb430f9bc8b7a042420f8d0042171e0f95ca9f7f921000d9fac4a27d5a1fc4a37961309de9000000003171460fc4d303c466410fd6389dc4426c456300c4233d4c922d92abf90ac6c34df30f5ee50909430f3a15e7776f6e866b0fdfdfc482797841cf6ffc842d9b9a516dc2e52ef2ac2636f20f114832d46231bffd4834eaeac4237d09d0003766420f160182c4a37d047882007f108f2808a6e68fc401505d6a82635d1467440fc7ba0c000000d4c482359652745300")
> poll(&(0x7f00000000c0)=[{}], 0x1, 0x0)
> 
> ./syz-execprog -executor=./syz-executor -repeat=0 -procs=16 -cover=0 repofile

I tried to reproduce using the C code provided by Tetsuo but it doesn't work
for me.

Could you run this test-case with the patch below? (on top of the fix you have
already tested).

Oleg.

--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -882,6 +882,8 @@ static int userfaultfd_release(struct inode *inode, struct file *file)
 	unsigned long new_flags;
 	bool still_valid;
 
+	file->private_data = (void*)0x6666;
+
 	WRITE_ONCE(ctx->released, true);
 
 	if (!mmget_not_zero(mm))
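Review bot: the poison store "file->private_data = (void*)0x6666;" turns any other path that loads file->private_data after release into an access through a bogus pointer rather than a clean BUG_ON, so this hunk works only as a targeted diagnostic for the release/ioctl overlap and must not be merged as-is; a one-line comment marking it as a temporary poison, and a named constant shared with the BUG_ON in userfaultfd_ioctl instead of the bare literal 0x6666, would make that intent explicit. The store also precedes "WRITE_ONCE(ctx->released, true);" with no ordering against concurrent readers of private_data, which is fine for a diagnostic but means a hit is evidence that the two functions overlap, not a precise ordering of the race.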
@@ -1859,6 +1861,8 @@ static long userfaultfd_ioctl(struct file *file, unsigned cmd,
 	int ret = -EINVAL;
 	struct userfaultfd_ctx *ctx = file->private_data;
 
+	BUG_ON(ctx == (void*)0x6666);
+
 	if (cmd != UFFDIO_API && ctx->state == UFFD_STATE_WAIT_API)
 		return -EINVAL;
 
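Review bot: "BUG_ON(ctx == (void*)0x6666);" only catches the interleaving where userfaultfd_release has already completed the poison store before this function loads ctx from file->private_data; a release that lands after that load is not detected here, so this check and the one after the switch later in the same function are complementary and should be read together. Placing it before the "ctx->state == UFFD_STATE_WAIT_API" early return is correct, since the poisoned pointer would otherwise be dereferenced by that state check; using the same named constant as the release side instead of repeating the literal would keep the two in sync.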
@@ -1882,6 +1886,8 @@ static long userfaultfd_ioctl(struct file *file, unsigned cmd,
 		ret = userfaultfd_zeropage(ctx, arg);
 		break;
 	}
+
+	BUG_ON(ctx != file->private_data);
 	return ret;
 }
 
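Review bot: "BUG_ON(ctx != file->private_data);" re-reads private_data after the handlers have run, so it detects only the interleaving where userfaultfd_release poisoned private_data while this ioctl was in flight; an ioctl that finished entirely before release, or a release that has not yet reached the poison store, passes the check. The patch description should state that a hit here (or at the earlier check) identifies an ioctl running concurrently with or after release as the trigger for the fs/userfaultfd.c:385 BUG, and that both hunks are debug-only and to be dropped once the cause is confirmed.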