Re: [syzbot] [mm?] general protection fault in hugetlb_vma_lock_read

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello, since I found there is no reproduce from then to now. I try to reproduce this bug to generate repro.c.
Maybe this bug is the same bug as [syzbot] [mm?] general protection fault in hugetlb_vma_lock_write I guess...
But no matter what, with the reproduce.c, we can quickly fix this bug or check the correctness of our fix.

#define _GNU_SOURCE

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#ifndef __NR_memfd_create
#define __NR_memfd_create 319
#endif

static void sleep_ms(uint64_t ms)
{
    usleep(ms * 1000);
}

static uint64_t current_time_ms(void)
{
    struct timespec ts;
    if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
    return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static bool write_file(const char* file, const char* what, ...)
{
    char buf[1024];
    va_list args;
    va_start(args, what);
    vsnprintf(buf, sizeof(buf), what, args);
    va_end(args);
    buf[sizeof(buf) - 1] = 0;
    int len = strlen(buf);
    int fd = open(file, O_WRONLY | O_CLOEXEC);
    if (fd == -1)
        return false;
    if (write(fd, buf, len) != len) {
        int err = errno;
        close(fd);
        errno = err;
        return false;
    }
    close(fd);
    return true;
}

static void kill_and_wait(int pid, int* status)
{
    kill(-pid, SIGKILL);
    kill(pid, SIGKILL);
    for (int i = 0; i < 100; i++) {
        if (waitpid(-1, status, WNOHANG | __WALL) == pid)
            return;
        usleep(1000);
    }
    DIR* dir = opendir("/sys/fs/fuse/connections");
    if (dir) {
        for (;;) {
            struct dirent* ent = readdir(dir);
            if (!ent)
                break;
            if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
                continue;
            char abort[300];
            snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
            int fd = open(abort, O_WRONLY);
            if (fd == -1) {
                continue;
            }
            if (write(fd, abort, 1) < 0) {
            }
            close(fd);
        }
        closedir(dir);
    } else {
    }
    while (waitpid(-1, status, __WALL) != pid) {
    }
}

static void setup_test()
{
    prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
    setpgrp();
    write_file("/proc/self/oom_score_adj", "1000");
}

#define USLEEP_FORKED_CHILD (3 * 50 *1000)

static long handle_clone_ret(long ret)
{
    if (ret != 0) {
        return ret;
    }
    usleep(USLEEP_FORKED_CHILD);
    syscall(__NR_exit, 0);
    while (1) {
    }
}

static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len,
              volatile long ptid, volatile long ctid, volatile long tls)
{
    long sp = (stack + stack_len) & ~15;
    long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls);
    return handle_clone_ret(ret);
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

static void loop(void)
{
    int iter = 0;
    for (;; iter++) {
        int pid = fork();
        if (pid < 0)
    exit(1);
        if (pid == 0) {
            setup_test();
            execute_one();
            exit(0);
        }
        int status = 0;
        uint64_t start = current_time_ms();
        for (;;) {
            if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
                break;
            sleep_ms(1);
            if (current_time_ms() - start < 5000)
                continue;
            kill_and_wait(pid, &status);
            break;
        }
    }
}

uint64_t r[2] = {0xffffffffffffffff, 0x0};

void execute_one(void)
{
        intptr_t res = 0;
memcpy((void*)0x20000800, "\001\375\256.+\246\214\266?2\0319\224S,|x?Ue[\275\341!\0033\274\'#\377\027\233%\363[d  \227\365G\227A\302\330\360Uq\346+\245l\224\v\266\a\027\\\373\004!\344\304\261\262\034\377C;\224Q\r\266}\234\354C\v\317\353\344\232R\345,\202\003\000\031\215\350\306\271\344\264\231\212\031P\270\214x\b\231\004R\005\257\242\3525\f\314\032\233\000Uf\245\367\200Tgi\264\300\346\264\357\250i\330\242\322(\230\233A\217\023\353\364b/\357!\217\366]-\351k\2662\211gEv\023\364\307\262\365\\\027\220\265\246\250\270o\017\342 \347\234$\327\362@\367cdv[\t\000\215\363\3141\r$\036\377\360P\262\227\270\274\353\221\207\213u\277\324\'\377\037\f\0016\235Q\356T\350\bY\000\262\006\246\276l\233.o\276\200\235x\325O\326h\\I\311\215\a\035\311\017\202\333s\307\203L\236\242\321\263\254\215\330\264\264\352\220Q\330\307\353%\213Op\032b\226\317\273\025\317\374N\355\000\000\000\000\000\000\000\000\000\000\000\000\000s\257\242\024]p+\226\036i|n\332\356\\\256\226*\202*\270j\332\252\024\037\035\370\370\256\374H\304\263j\350\317O\357\016\257e\265*\211\030\262w\226\b\033y\352T\335\263g6\274\205\262Y\314v\006\000\000\000\305e\220\3051\237\v_# \b\245\274P,|\351\326s\037\037\276\323\200\261\250 \316|df\2203\v\002\352.\003X\265\344,8\267\255EI\334A\247\314\327\371n\033\225\370\021Z\346:\003\316\376\002\214tdy~_oC\236\357\360\242K\351;\216:\001\003C\222\353\026\000\000\000\000\314Uxhg\377\344\a\203\246z\377\001\235 o_{!O\252jU\204 \351\2659r\234w\030Z\323\315\016\272\\\333\360\341\206\340\037\373\322\247\2040\216\n\275^\005\300\316uC}\250\307\255\206\327\025&\271]1\005J\226\360\204\301\f\246p\226\270\002\023pA\031\tf\022\210\310\234\311Cn\324\2447V\'+\314\277\r\251\020\035\317\353Klb\345:\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000G\337\273\300_\231F\364n]\024\274\315\323\237\237e\305\346\350Mb\306\202\202\314\312Xe\341\242\252\002\206\270\030\342C\353\251\027&\001&\'w\241t0\200\360\223\200\237\233\340\237\352\271\236D]#V\332\222\312\306\372.\326\3431\376\350\002\353X\220@\352\224\237a/\242-E\337\030yoSYua\031\357\363I\001\361\266\222gl7\361\035\027\027\361\313\217]\351Z\263q\365N\207\326q\300\320\213\273+\205\v\335n2lV\260]\254T\2636J\352\324\236\357L^ \301\364\374\000\000\000\000\000\000\000\000\000\000\000", 746);
    res = syscall(__NR_memfd_create, /*name=*/0x20000800ul, /*flags=*/5ul);
    if (res != -1)
        r[0] = res;
    syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x4000ul, /*prot=*/0xeul, /*flags=*/0x12ul, /*fd=*/r[0], /*offset=*/0ul);
    syscall(__NR_socketpair, /*domain=*/2ul, /*type=*/2ul, /*proto=*/0, /*fds=*/0x200008c0ul);
    res = -1;
res = syz_clone(/*flags=*/0, /*stack=*/0, /*stack_len=*/0, /*parentid=*/0, /*childtid=*/0, /*tls=*/0);
    if (res != -1)
        r[1] = res;
*(uint64_t*)0x20000f80 = 0;
*(uint64_t*)0x20000f88 = 0;
    syscall(__NR_process_vm_writev, /*pid=*/r[1], /*loc_vec=*/0ul, /*loc_vlen=*/0ul, /*rem_vec=*/0x20000f80ul, /*rem_vlen=*/1ul, /*flags=*/0ul);

}
int main(void)
{
        syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
    syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
    syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
            loop();
    return 0;

}



r0 = memfd_create(&(0x7f0000000800)='\x01\xfd\xae.+\xa6\x8c\xb6?2\x199\x94S,|x?Ue[\xbd\xe1!\x033\xbc\'#\xff\x17\x9b%\xf3[d  \x97\xf5G\x97A\xc2\xd8\xf0Uq\xe6+\xa5l\x94\v\xb6\a\x17\\\xfb\x04!\xe4\xc4\xb1\xb2\x1c\xffC;\x94Q\r\xb6}\x9c\xecC\v\xcf\xeb\xe4\x9aR\xe5,\x82\x03\x00\x19\x8d\xe8\xc6\xb9\xe4\xb4\x99\x8a\x19P\xb8\x8cx\b\x99\x04R\x05\xaf\xa2\xea5\f\xcc\x1a\x9b\x00Uf\xa5\xf7\x80Tgi\xb4\xc0\xe6\xb4\xef\xa8i\xd8\xa2\xd2(\x98\x9bA\x8f\x13\xeb\xf4b/\xef!\x8f\xf6]-\xe9k\xb62\x89gEv\x13\xf4\xc7\xb2\xf5\\\x17\x90\xb5\xa6\xa8\xb8o\x0f\xe2 \xe7\x9c$\xd7\xf2@\xf7cdv[\t\x00\x8d\xf3\xcc1\r$\x1e\xff\xf0P\xb2\x97\xb8\xbc\xeb\x91\x87\x8bu\xbf\xd4\'\xff\x1f\f\x016\x9dQ\xeeT\xe8\bY\x00\xb2\x06\xa6\xbel\x9b.o\xbe\x80\x9dx\xd5O\xd6h\\I\xc9\x8d\a\x1d\xc9\x0f\x82\xdbs\xc7\x83L\x9e\xa2\xd1\xb3\xac\x8d\xd8\xb4\xb4\xea\x90Q\xd8\xc7\xeb%\x8bOp\x1ab\x96\xcf\xbb\x15\xcf\xfcN\xed\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00s\xaf\xa2\x14]p+\x96\x1ei|n\xda\xee\\\xae\x96*\x82*\xb8j\xda\xaa\x14\x1f\x1d\xf8\xf8\xae\xfcH\xc4\xb3j\xe8\xcfO\xef\x0e\xafe\xb5*\x89\x18\xb2w\x96\b\x1by\xeaT\xdd\xb3g6\xbc\x85\xb2Y\xccv\x06\x00\x00\x00\xc5e\x90\xc51\x9f\v_# \b\xa5\xbcP,|\xe9\xd6s\x1f\x1f\xbe\xd3\x80\xb1\xa8 \xce|df\x903\v\x02\xea.\x03X\xb5\xe4,8\xb7\xadEI\xdcA\xa7\xcc\xd7\xf9n\x1b\x95\xf8\x11Z\xe6:\x03\xce\xfe\x02\x8ctdy~_oC\x9e\xef\xf0\xa2K\xe9;\x8e:\x01\x03C\x92\xeb\x16\x00\x00\x00\x00\xccUxhg\xff\xe4\a\x83\xa6z\xff\x01\x9d o_{!O\xaajU\x84 \xe9\xb59r\x9cw\x18Z\xd3\xcd\x0e\xba\\\xdb\xf0\xe1\x86\xe0\x1f\xfb\xd2\xa7\x840\x8e\n\xbd^\x05\xc0\xceuC}\xa8\xc7\xad\x86\xd7\x15&\xb9]1\x05J\x96\xf0\x84\xc1\f\xa6p\x96\xb8\x02\x13pA\x19\tf\x12\x88\xc8\x9c\xc9Cn\xd4\xa47V\'+\xcc\xbf\r\xa9\x10\x1d\xcf\xebKlb\xe5:\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00G\xdf\xbb\xc0_\x99F\xf4n]\x14\xbc\xcd\xd3\x9f\x9fe\xc5\xe6\xe8Mb\xc6\x82\x82\xcc\xcaXe\xe1\xa2\xaa\x02\x86\xb8\x18\xe2C\xeb\xa9\x17&\x01&\'w\xa1t0\x80\xf0\x93\x80\x9f\x9b\xe0\x9f\xea\xb9\x9eD]#V\xda\x92\xca\xc6\xfa.\xd6\xe31\xfe\xe8\x02\xebX\x90@\xea\x94\x9fa/\xa2-E\xdf\x18yoSYua\x19\xef\xf3I\x01\xf1\xb6\x92gl7\xf1\x1d\x17\x17\xf1\xcb\x8f]\xe9Z\xb3q\xf5N\x87\xd6q\xc0\xd0\x8b\xbb+\x85\v\xddn2lV\xb0]\xacT\xb36J\xea\xd4\x9e\xefL^ \xc1\xf4\xfc\x00'/746, 0x5)
mmap(&(0x7f0000000000/0x4000)=nil, 0x4000, 0xe, 0x12, r0, 0x0)
socketpair$unix(0x2, 0x2, 0x0, &(0x7f00000008c0))
r1 = syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
process_vm_writev(r1, 0x0, 0x0, &(0x7f0000000f80)=[{0x0}], 0x1, 0x0)

Attachment: repro.c
Description: Binary data


[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux