Re: [syzbot] [mm?] general protection fault in hugetlb_vma_lock_read

xingwei lee <xrivendell7@xxxxxxxxx> · Thu, 16 Nov 2023 15:53:34 +0800

Hello, since I found there is no reproduce from then to now. I try to reproduce this bug to generate repro.c.

Maybe this bug is the same bug as [syzbot] [mm?] general protection fault in hugetlb_vma_lock_write I guess...

But no matter what, with the reproduce.c, we can quickly fix this bug or check the correctness of our fix.

#define _GNU_SOURCE

#include <dirent.h>

#include <endian.h>

#include <errno.h>

#include <fcntl.h>

#include <sched.h>

#include <signal.h>

#include <stdarg.h>

#include <stdbool.h>

#include <stdint.h>

#include <stdio.h>

#include <stdlib.h>

#include <string.h>

#include <sys/prctl.h>

#include <sys/stat.h>

#include <sys/syscall.h>

#include <sys/types.h>

#include <sys/wait.h>

#include <time.h>

#include <unistd.h>

#ifndef __NR_memfd_create

#define __NR_memfd_create 319

#endif

static void sleep_ms(uint64_t ms)

{

    usleep(ms * 1000);

}

static uint64_t current_time_ms(void)

{

    struct timespec ts;

    if (clock_gettime(CLOCK_MONOTONIC, &ts))

    exit(1);

    return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;

}

static bool write_file(const char* file, const char* what, ...)

{

    char buf[1024];

    va_list args;

    va_start(args, what);

    vsnprintf(buf, sizeof(buf), what, args);

    va_end(args);

    buf[sizeof(buf) - 1] = 0;

    int len = strlen(buf);

    int fd = open(file, O_WRONLY | O_CLOEXEC);

    if (fd == -1)

        return false;

    if (write(fd, buf, len) != len) {

        int err = errno;

        close(fd);

        errno = err;

        return false;

    }

    close(fd);

    return true;

}

static void kill_and_wait(int pid, int* status)

{

    kill(-pid, SIGKILL);

    kill(pid, SIGKILL);

    for (int i = 0; i < 100; i++) {

        if (waitpid(-1, status, WNOHANG | __WALL) == pid)

            return;

        usleep(1000);

    }

    DIR* dir = opendir("/sys/fs/fuse/connections");

    if (dir) {

        for (;;) {

            struct dirent* ent = readdir(dir);

            if (!ent)

                break;

            if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)

                continue;

            char abort[300];

            snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);

            int fd = open(abort, O_WRONLY);

            if (fd == -1) {

                continue;

            }

            if (write(fd, abort, 1) < 0) {

            }

            close(fd);

        }

        closedir(dir);

    } else {

    }

    while (waitpid(-1, status, __WALL) != pid) {

    }

}

static void setup_test()

{

    prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);

    setpgrp();

    write_file("/proc/self/oom_score_adj", "1000");

}

#define USLEEP_FORKED_CHILD (3 * 50 *1000)

static long handle_clone_ret(long ret)

{

    if (ret != 0) {

        return ret;

    }

    usleep(USLEEP_FORKED_CHILD);

    syscall(__NR_exit, 0);

    while (1) {

    }

}

static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len,

              volatile long ptid, volatile long ctid, volatile long tls)

{

    long sp = (stack + stack_len) & ~15;

    long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls);

    return handle_clone_ret(ret);

}

static void execute_one(void);

#define WAIT_FLAGS __WALL

static void loop(void)

{

    int iter = 0;

    for (;; iter++) {

        int pid = fork();

        if (pid < 0)

    exit(1);

        if (pid == 0) {

            setup_test();

            execute_one();

            exit(0);

        }

        int status = 0;

        uint64_t start = current_time_ms();

        for (;;) {

            if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)

                break;

            sleep_ms(1);

            if (current_time_ms() - start < 5000)

                continue;

            kill_and_wait(pid, &status);

            break;

        }

    }

}

uint64_t r[2] = {0xffffffffffffffff, 0x0};

void execute_one(void)

{

        intptr_t res = 0;

memcpy((void*)0x20000800, 
"\001\375\256.+\246\214\266?2\0319\224S,|x?Ue[\275\341!\0033\274\'#\377\027\233%\363[d 

\227\365G\227A\302\330\360Uq\346+\245l\224\v\266\a\027\\\373\004!\344\304\261\262\034\377C;\224Q\r\266}\234\354C\v\317\353\344\232R\345,\202\003\000\031\215\350\306\271\344\264\231\212\031P\270\214x\b\231\004R\005\257\242\3525\f\314\032\233\000Uf\245\367\200Tgi\264\300\346\264\357\250i\330\242\322(\230\233A\217\023\353\364b/\357!\217\366]-\351k\2662\211gEv\023\364\307\262\365\\\027\220\265\246\250\270o\017\342

\347\234$\327\362@\367cdv[\t\000\215\363\3141\r$\036\377\360P\262\227\270\274\353\221\207\213u\277\324\'\377\037\f\0016\235Q\356T\350\bY\000\262\006\246\276l\233.o\276\200\235x\325O\326h\\I\311\215\a\035\311\017\202\333s\307\203L\236\242\321\263\254\215\330\264\264\352\220Q\330\307\353%\213Op\032b\226\317\273\025\317\374N\355\000\000\000\000\000\000\000\000\000\000\000\000\000s\257\242\024]p+\226\036i|n\332\356\\\256\226*\202*\270j\332\252\024\037\035\370\370\256\374H\304\263j\350\317O\357\016\257e\265*\211\030\262w\226\b\033y\352T\335\263g6\274\205\262Y\314v\006\000\000\000\305e\220\3051\237\v_#
 \b\245\274P,|\351\326s\037\037\276\323\200\261\250 
\316|df\2203\v\002\352.\003X\265\344,8\267\255EI\334A\247\314\327\371n\033\225\370\021Z\346:\003\316\376\002\214tdy~_oC\236\357\360\242K\351;\216:\001\003C\222\353\026\000\000\000\000\314Uxhg\377\344\a\203\246z\377\001\235
 o_{!O\252jU\204 
\351\2659r\234w\030Z\323\315\016\272\\\333\360\341\206\340\037\373\322\247\2040\216\n\275^\005\300\316uC}\250\307\255\206\327\025&\271]1\005J\226\360\204\301\f\246p\226\270\002\023pA\031\tf\022\210\310\234\311Cn\324\2447V\'+\314\277\r\251\020\035\317\353Klb\345:\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000G\337\273\300_\231F\364n]\024\274\315\323\237\237e\305\346\350Mb\306\202\202\314\312Xe\341\242\252\002\206\270\030\342C\353\251\027&\001&\'w\241t0\200\360\223\200\237\233\340\237\352\271\236D]#V\332\222\312\306\372.\326\3431\376\350\002\353X\220@\352\224\237a/\242-E\337\030yoSYua\031\357\363I\001\361\266\222gl7\361\035\027\027\361\313\217]\351Z\263q\365N\207\326q\300\320\213\273+\205\v\335n2lV\260]\254T\2636J\352\324\236\357L^
 \301\364\374\000\000\000\000\000\000\000\000\000\000\000", 746);

    res = syscall(__NR_memfd_create, /*name=*/0x20000800ul, /*flags=*/5ul);

    if (res != -1)

        r[0] = res;

    syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x4000ul, /*prot=*/0xeul, /*flags=*/0x12ul, /*fd=*/r[0], /*offset=*/0ul);

    syscall(__NR_socketpair, /*domain=*/2ul, /*type=*/2ul, /*proto=*/0, /*fds=*/0x200008c0ul);

    res = -1;

res = syz_clone(/*flags=*/0, /*stack=*/0, /*stack_len=*/0, /*parentid=*/0, /*childtid=*/0, /*tls=*/0);

    if (res != -1)

        r[1] = res;

*(uint64_t*)0x20000f80 = 0;

*(uint64_t*)0x20000f88 = 0;

    syscall(__NR_process_vm_writev, /*pid=*/r[1], /*loc_vec=*/0ul, 
/*loc_vlen=*/0ul, /*rem_vec=*/0x20000f80ul, /*rem_vlen=*/1ul, 
/*flags=*/0ul);

}

int main(void)

{

        syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);

    syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);

    syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);

            loop();

    return 0;

}

r0 = memfd_create(&(0x7f0000000800)='\x01\xfd\xae.+\xa6\x8c\xb6?2\x199\x94S,|x?Ue[\xbd\xe1!\x033\xbc\'#\xff\x17\x9b%\xf3[d  \x97\xf5G\x97A\xc2\xd8\xf0Uq\xe6+\xa5l\x94\v\xb6\a\x17\\\xfb\x04!\xe4\xc4\xb1\xb2\x1c\xffC;\x94Q\r\xb6}\x9c\xecC\v\xcf\xeb\xe4\x9aR\xe5,\x82\x03\x00\x19\x8d\xe8\xc6\xb9\xe4\xb4\x99\x8a\x19P\xb8\x8cx\b\x99\x04R\x05\xaf\xa2\xea5\f\xcc\x1a\x9b\x00Uf\xa5\xf7\x80Tgi\xb4\xc0\xe6\xb4\xef\xa8i\xd8\xa2\xd2(\x98\x9bA\x8f\x13\xeb\xf4b/\xef!\x8f\xf6]-\xe9k\xb62\x89gEv\x13\xf4\xc7\xb2\xf5\\\x17\x90\xb5\xa6\xa8\xb8o\x0f\xe2 \xe7\x9c$\xd7\xf2@\xf7cdv[\t\x00\x8d\xf3\xcc1\r$\x1e\xff\xf0P\xb2\x97\xb8\xbc\xeb\x91\x87\x8bu\xbf\xd4\'\xff\x1f\f\x016\x9dQ\xeeT\xe8\bY\x00\xb2\x06\xa6\xbel\x9b.o\xbe\x80\x9dx\xd5O\xd6h\\I\xc9\x8d\a\x1d\xc9\x0f\x82\xdbs\xc7\x83L\x9e\xa2\xd1\xb3\xac\x8d\xd8\xb4\xb4\xea\x90Q\xd8\xc7\xeb%\x8bOp\x1ab\x96\xcf\xbb\x15\xcf\xfcN\xed\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00s\xaf\xa2\x14]p+\x96\x1ei|n\xda\xee\\\xae\x96*\x82*\xb8j\xda\xaa\x14\x1f\x1d\xf8\xf8\xae\xfcH\xc4\xb3j\xe8\xcfO\xef\x0e\xafe\xb5*\x89\x18\xb2w\x96\b\x1by\xeaT\xdd\xb3g6\xbc\x85\xb2Y\xccv\x06\x00\x00\x00\xc5e\x90\xc51\x9f\v_# \b\xa5\xbcP,|\xe9\xd6s\x1f\x1f\xbe\xd3\x80\xb1\xa8 \xce|df\x903\v\x02\xea.\x03X\xb5\xe4,8\xb7\xadEI\xdcA\xa7\xcc\xd7\xf9n\x1b\x95\xf8\x11Z\xe6:\x03\xce\xfe\x02\x8ctdy~_oC\x9e\xef\xf0\xa2K\xe9;\x8e:\x01\x03C\x92\xeb\x16\x00\x00\x00\x00\xccUxhg\xff\xe4\a\x83\xa6z\xff\x01\x9d o_{!O\xaajU\x84 \xe9\xb59r\x9cw\x18Z\xd3\xcd\x0e\xba\\\xdb\xf0\xe1\x86\xe0\x1f\xfb\xd2\xa7\x840\x8e\n\xbd^\x05\xc0\xceuC}\xa8\xc7\xad\x86\xd7\x15&\xb9]1\x05J\x96\xf0\x84\xc1\f\xa6p\x96\xb8\x02\x13pA\x19\tf\x12\x88\xc8\x9c\xc9Cn\xd4\xa47V\'+\xcc\xbf\r\xa9\x10\x1d\xcf\xebKlb\xe5:\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00G\xdf\xbb\xc0_\x99F\xf4n]\x14\xbc\xcd\xd3\x9f\x9fe\xc5\xe6\xe8Mb\xc6\x82\x82\xcc\xcaXe\xe1\xa2\xaa\x02\x86\xb8\x18\xe2C\xeb\xa9\x17&\x01&\'w\xa1t0\x80\xf0\x93\x80\x9f\x9b\xe0\x9f\xea\xb9\x9eD]#V\xda\x92\xca\xc6\xfa.\xd6\xe31\xfe\xe8\x02\xebX\x90@\xea\x94\x9fa/\xa2-E\xdf\x18yoSYua\x19\xef\xf3I\x01\xf1\xb6\x92gl7\xf1\x1d\x17\x17\xf1\xcb\x8f]\xe9Z\xb3q\xf5N\x87\xd6q\xc0\xd0\x8b\xbb+\x85\v\xddn2lV\xb0]\xacT\xb36J\xea\xd4\x9e\xefL^ \xc1\xf4\xfc\x00'/746, 0x5)
mmap(&(0x7f0000000000/0x4000)=nil, 0x4000, 0xe, 0x12, r0, 0x0)
socketpair$unix(0x2, 0x2, 0x0, &(0x7f00000008c0))
r1 = syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
process_vm_writev(r1, 0x0, 0x0, &(0x7f0000000f80)=[{0x0}], 0x1, 0x0)
Attachment:
repro.c

Description: Binary data