Created attachment 276605 [details]
log0

$ cat ../949034f0ecf05fba42df7e5f51a55453eba53e06/report0
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN PTI
CPU: 0 PID: 7388 Comm: syz-executor1 Not tainted 4.17.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014
RIP: 0010:__insert_vmap_area+0x8c/0x3c0 mm/vmalloc.c:373
Code: 76 e8 78 3f e5 ff 4c 89 e0 48 c1 e8 03 80 3c 28 00 0f 85 c7 02 00 00 4c 8d 6b e8 4d 8b 3c 24 49 8d 7d 08 48 89 fa 48 c1 ea 03 <80> 3c 2a 00 0f 85 a0 02 00 00 4c 3b 7b f0 72 9d e8 3f 3f e5 ff 41
RSP: 0018:ffff8800550778c0 EFLAGS: 00010207
RAX: 1ffff1000d80fd40 RBX: 0000041600000406 RCX: ffffffff8324e1de
RDX: 00000082c000007e RSI: ffffffff814d6dd8 RDI: 00000416000003f6
RBP: dffffc0000000000 R08: 1ffffffff08cf184 R09: fffffbfff08cf184
R10: 0000000000000001 R11: fffffbfff08cf184 R12: ffff88006c07ea00
R13: 00000416000003ee R14: ffffed000d80fd41 R15: ffffc90000712000
FS:  0000000002619940(0000) GS:ffff88006d400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000002622978 CR3: 0000000055078000 CR4: 00000000000006f0
DR0: 0000000020000ac0 DR1: 0000000020000ac0 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
---[ end trace 650893cd43a30701 ]---
RIP: 0010:__insert_vmap_area+0x8c/0x3c0 mm/vmalloc.c:373
Code: 76 e8 78 3f e5 ff 4c 89 e0 48 c1 e8 03 80 3c 28 00 0f 85 c7 02 00 00 4c 8d 6b e8 4d 8b 3c 24 49 8d 7d 08 48 89 fa 48 c1 ea 03 <80> 3c 2a 00 0f 85 a0 02 00 00 4c 3b 7b f0 72 9d e8 3f 3f e5 ff 41
RSP: 0018:ffff8800550778c0 EFLAGS: 00010207
RAX: 1ffff1000d80fd40 RBX: 0000041600000406 RCX: ffffffff8324e1de
RDX: 00000082c000007e RSI: ffffffff814d6dd8 RDI: 00000416000003f6
RBP: dffffc0000000000 R08: 1ffffffff08cf184 R09: fffffbfff08cf184
R10: 0000000000000001 R11: fffffbfff08cf184 R12: ffff88006c07ea00
R13: 00000416000003ee R14: ffffed000d80fd41 R15: ffffc90000712000
FS:  0000000002619940(0000) GS:ffff88006d400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000002622978 CR3: 0000000055078000 CR4: 00000000000006f0
DR0: 0000000020000ac0 DR1: 0000000020000ac0 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
(switched to email. Please respond via emailed reply-to-all, not via the bugzilla web interface).

Could the KASAN people please help interpret this one?

On Sun, 17 Jun 2018 03:10:59 +0000 bugzilla-daemon@bugzilla.kernel.org wrote:

> https://bugzilla.kernel.org/show_bug.cgi?id=200095
>
>             Bug ID: 200095
>            Summary: kasan: GPF could be caused by NULL-ptr deref or user memory access
>            Product: Alternate Trees
>            Version: 2.5
>     Kernel Version: v4.17
>           Hardware: All
>                 OS: Linux
>             Status: NEW
>           Severity: normal
>           Priority: P1
>          Component: mm
>           Assignee: akpm@linux-foundation.org
>           Reporter: icytxw@gmail.com
>         Regression: No
>
> Created attachment 276605 [details]
>   --> https://bugzilla.kernel.org/attachment.cgi?id=276605&action=edit
> log0
>
> $ cat ../949034f0ecf05fba42df7e5f51a55453eba53e06/report0
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] SMP KASAN PTI
> CPU: 0 PID: 7388 Comm: syz-executor1 Not tainted 4.17.0 #1
> RIP: 0010:__insert_vmap_area+0x8c/0x3c0 mm/vmalloc.c:373
> [...]
>
> --
> You are receiving this mail because:
> You are the assignee for the bug.
The end of the log file contains the output from before the kernel crashed. In this one, the log file contains the following information:

[ 274.316398] kasan: CONFIG_KASAN_INLINE enabled
[ 274.317959] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 274.320300] general protection fault: 0000 [#1] SMP KASAN PTI
[ 274.322050] CPU: 0 PID: 7388 Comm: syz-executor1 Not tainted 4.17.0 #1
[ 274.324142] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014
[ 274.328048] RIP: 0010:__insert_vmap_area+0x8c/0x3c0
[ 274.329844] Code: 76 e8 78 3f e5 ff 4c 89 e0 48 c1 e8 03 80 3c 28 00 0f 85 c7 02 00 00 4c 8d 6b e8 4d 8b 3c 24 49 8d 7d 08 48 89 fa 48 c1 ea 03 <80> 3c 2a 00 0f 85 a0 02 00 00 4c 3b 7b f0 72 9d e8 3f 3f e5 ff 41
[ 274.335945] RSP: 0018:ffff8800550778c0 EFLAGS: 00010207
[ 274.337561] RAX: 1ffff1000d80fd40 RBX: 0000041600000406 RCX: ffffffff8324e1de
[ 274.339796] RDX: 00000082c000007e RSI: ffffffff814d6dd8 RDI: 00000416000003f6
[ 274.342043] RBP: dffffc0000000000 R08: 1ffffffff08cf184 R09: fffffbfff08cf184
[ 274.344269] R10: 0000000000000001 R11: fffffbfff08cf184 R12: ffff88006c07ea00
[ 274.346529] R13: 00000416000003ee R14: ffffed000d80fd41 R15: ffffc90000712000
[ 274.348754] FS:  0000000002619940(0000) GS:ffff88006d400000(0000) knlGS:0000000000000000
[ 274.351334] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 274.353095] CR2: 0000000002622978 CR3: 0000000055078000 CR4: 00000000000006f0
[ 274.355420] DR0: 0000000020000ac0 DR1: 0000000020000ac0 DR2: 0000000000000000
[ 274.357694] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
[ 274.359917] Call Trace:
[ 274.360774]  ? alloc_vmap_area+0x552/0x760
[ 274.362082]  ? kasan_unpoison_shadow+0x31/0x40
[ 274.363568]  ? purge_vmap_area_lazy+0x30/0x30
[ 274.364943]  ? kmem_cache_alloc_node_trace+0x127/0x1b0
[ 274.366537]  ? __get_vm_area_node+0xab/0x330
[ 274.367976]  ? __get_vm_area_node+0xe5/0x330
[ 274.369332]  ? mutex_unlock+0x18/0x40
[ 274.370501]  ? __vmalloc_node_range+0xa9/0x650
[ 274.371911]  ? alloc_counters.isra.10+0x65/0x4a0
[ 274.373352]  ? cred_has_capability+0x11e/0x280
[ 274.374844]  ? cred_has_capability+0x130/0x280
[ 274.376241]  ? alloc_counters.isra.10+0x65/0x4a0
[ 274.377675]  ? vzalloc+0x6a/0x80
[ 274.378730]  ? alloc_counters.isra.10+0x65/0x4a0
[ 274.380281]  ? alloc_counters.isra.10+0x65/0x4a0
[ 274.381733]  ? xt_find_table_lock+0x105/0x3e0
[ 274.383306]  ? do_ipt_get_ctl+0x40b/0x720
[ 274.384828]  ? __inode_wait_for_writeback+0x162/0x1c0
[ 274.386380]  ? get_info+0x420/0x420
[ 274.387521]  ? avc_has_perm+0x238/0x390
[ 274.388742]  ? kasan_unpoison_shadow+0x31/0x40
[ 274.390239]  ? _cond_resched+0x12/0x60
[ 274.391435]  ? mutex_lock+0x83/0xd0
[ 274.392600]  ? __mutex_lock_slowpath+0x10/0x10
[ 274.393980]  ? mutex_unlock+0x18/0x40
[ 274.395302]  ? nf_sockopt_find+0x19b/0x210
[ 274.396596]  ? nf_getsockopt+0x6e/0xd0
[ 274.397795]  ? ip_getsockopt+0xda/0x130
[ 274.399118]  ? do_ip_getsockopt+0x1220/0x1220
[ 274.400603]  ? sock_alloc_file+0x1bb/0x310
[ 274.401985]  ? tcp_getsockopt+0x7e/0xc0
[ 274.403215]  ? __sys_getsockopt+0x117/0x1e0
[ 274.404639]  ? kernel_setsockopt+0x1c0/0x1c0
[ 274.405976]  ? __sys_socket+0x130/0x1b0
[ 274.407194]  ? task_work_run+0xf4/0x1c0
[ 274.408519]  ? __x64_sys_getsockopt+0xba/0x150
[ 274.409931]  ? __x64_sys_socket+0x6f/0xb0
[ 274.411390]  ? do_syscall_64+0xa0/0x2c0
[ 274.412693]  ? prepare_exit_to_usermode+0xbc/0x150
[ 274.414188]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 274.416001] Modules linked in:
[ 274.417540] Dumping ftrace buffer:
[ 274.419414]    (ftrace buffer empty)
[ 274.421116] ---[ end trace 650893cd43a30701 ]---
[ 274.422842] RIP: 0010:__insert_vmap_area+0x8c/0x3c0
[ 274.424791] Code: 76 e8 78 3f e5 ff 4c 89 e0 48 c1 e8 03 80 3c 28 00 0f 85 c7 02 00 00 4c 8d 6b e8 4d 8b 3c 24 49 8d 7d 08 48 89 fa 48 c1 ea 03 <80> 3c 2a 00 0f 85 a0 02 00 00 4c 3b 7b f0 72 9d e8 3f 3f e5 ff 41
[ 274.432676] RSP: 0018:ffff8800550778c0 EFLAGS: 00010207
[ 274.434378] RAX: 1ffff1000d80fd40 RBX: 0000041600000406 RCX: ffffffff8324e1de
[ 274.436627] RDX: 00000082c000007e RSI: ffffffff814d6dd8 RDI: 00000416000003f6
[ 274.438895] RBP: dffffc0000000000 R08: 1ffffffff08cf184 R09: fffffbfff08cf184
[ 274.441275] R10: 0000000000000001 R11: fffffbfff08cf184 R12: ffff88006c07ea00
[ 274.443514] R13: 00000416000003ee R14: ffffed000d80fd41 R15: ffffc90000712000
[ 274.445779] FS:  0000000002619940(0000) GS:ffff88006d400000(0000) knlGS:0000000000000000
[ 274.448573] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 274.450811] CR2: 0000000002622978 CR3: 0000000055078000 CR4: 00000000000006f0
[ 274.453248] DR0: 0000000020000ac0 DR1: 0000000020000ac0 DR2: 0000000000000000
[ 274.455560] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
[ 274.457820] Kernel panic - not syncing: Fatal exception
[ 274.459993] Dumping ftrace buffer:
[ 274.461080]    (ftrace buffer empty)
[ 274.462253] Kernel Offset: disabled
[ 274.463392] Rebooting in 86400 seconds..

Unfortunately, I can't repro this bug.
But today I got another crash:

[ 287.726122] ata1: lost interrupt (Status 0x50)
[ 287.727316] ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x6 frozen
[ 287.728985] ata1.00: failed command: READ DMA
[ 287.730056] ata1.00: cmd c8/00:00:00:00:00/00:00:00:00:00/e0 tag 0 dma 131072 in
[ 287.730056]          res 40/00:01:00:00:00/00:00:00:00:00/a0 Emask 0x4 (timeout)
[ 287.734378] ata1.00: status: { DRDY }
[ 287.735563] ata1: soft resetting link
[ 287.889941] ata1.00: configured for MWDMA2
[ 287.890928] ata1: EH complete
[ 287.896385] stack segment: 0000 [#1] SMP KASAN PTI
[ 287.897469] CPU: 0 PID: 990 Comm: kworker/0:2 Not tainted 4.17.0 #1
[ 287.898857] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014
[ 287.901405] Workqueue: events ata_scsi_dev_rescan
[ 287.902482] RIP: 0010:kmem_cache_alloc+0x78/0x190
[ 287.903590] Code: 4c 03 05 83 97 af 7e 49 83 78 10 00 49 8b 28 0f 84 e0 00 00 00 48 85 ed 0f 84 d7 00 00 00 41 8b 45 20 48 8d 4a 01 49 8b 7d 00 <48> 8b 5c 05 00 48 89 e8 65 48 0f c7 0f 0f 94 c0 84 c0 74 b8 48 85
[ 287.908634] RSP: 0018:ffff88006a2df560 EFLAGS: 00010006
[ 287.909785] RAX: 0000000000000000 RBX: ffff88006b7cd500 RCX: 0000000000000be9
[ 287.911350] RDX: 0000000000000be8 RSI: 0000000000491220 RDI: 0000000000030d40
[ 287.912949] RBP: 0018001c0018000c R08: ffff88006d430d40 R09: ffff8800552c6f28
[ 287.914505] R10: 0000000000000002 R11: ffffed000aa58de6 R12: 0000000000491220
[ 287.916056] R13: ffff88006b70aa00 R14: ffffffff8141aa74 R15: ffff88006b7cd508
[ 287.917603] FS:  0000000000000000(0000) GS:ffff88006d400000(0000) knlGS:0000000000000000
[ 287.919709] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 287.921250] CR2: ffffffffff600400 CR3: 0000000003e0e000 CR4: 00000000000006f0
[ 287.923045] DR0: 00000000200000c0 DR1: 00000000200000c0 DR2: 0000000000000000
[ 287.924639] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
[ 287.926198] Call Trace:
[ 287.926811]  ? mempool_alloc+0xf4/0x2a0
[ 287.927685]  ? mempool_destroy+0x30/0x30
[ 287.928554]  ? kasan_unpoison_shadow+0x31/0x40
[ 287.929545]  ? get_page_from_freelist+0x55e/0x2e70
[ 287.930601]  ? __sg_alloc_table+0x219/0x340
[ 287.931520]  ? sg_free_table_chained+0x80/0x80
[ 287.932513]  ? sg_alloc_table_chained+0x5c/0x1c0
[ 287.933530]  ? scsi_init_sgtable+0xc2/0x2e0
[ 287.934459]  ? scsi_device_from_queue+0x100/0x100
[ 287.935500]  ? scsi_init_io+0x111/0x3f0
[ 287.936352]  ? scsi_init_command+0x362/0x620
[ 287.937291]  ? scsi_setup_cmnd+0x33f/0x660
[ 287.938269]  ? scsi_prep_fn+0x152/0x420
[ 287.939126]  ? scsi_init_command+0x620/0x620
[ 287.940065]  ? blk_peek_request+0x2b1/0xae0
[ 287.940986]  ? scsi_request_fn+0x96/0x1670
[ 287.941888]  ? bio_phys_segments+0x42/0xa0
[ 287.942814]  ? blk_rq_map_kern+0x450/0x450
[ 287.943710]  ? __blk_run_queue+0x110/0x1d0
[ 287.944614]  ? blk_execute_rq_nowait+0x1b7/0x330
[ 287.945620]  ? blk_execute_rq+0xb5/0xf0
[ 287.946472]  ? blk_execute_rq_nowait+0x330/0x330
[ 287.947563]  ? scsi_initialize_rq+0x16/0xb0
[ 287.948481]  ? scsi_mq_exit_request+0xa0/0xa0
[ 287.949437]  ? blk_get_request+0xeb/0x4f0
[ 287.950323]  ? scsi_execute+0x2aa/0x5e0
[ 287.951184]  ? scsi_vpd_inquiry+0xcb/0x190
[ 287.952088]  ? scsi_change_queue_depth+0xd0/0xd0
[ 287.953121]  ? kasan_unpoison_shadow+0x31/0x40
[ 287.954094]  ? scsi_get_vpd_page+0x170/0x1c0
[ 287.955104]  ? sd_revalidate_disk+0x2381/0x65f0
[ 287.956178]  ? scsi_vpd_inquiry+0xcb/0x190
[ 287.957147]  ? sd_done+0xb90/0xb90
[ 287.957958]  ? scsi_change_queue_depth+0xd0/0xd0
[ 287.959061]  ? kasan_kmalloc+0xa6/0xd0
[ 287.959957]  ? _cond_resched+0x12/0x60
[ 287.960844]  ? __kasan_slab_free+0x147/0x180
[ 287.961854]  ? scsi_attach_vpd+0x21d/0x2a0
[ 287.962889]  ? kfree+0x8c/0x1a0
[ 287.963867]  ? scsi_attach_vpd+0x21d/0x2a0
[ 287.965103]  ? sd_done+0xb90/0xb90
[ 287.966143]  ? allow_restart_store+0x1c0/0x1c0
[ 287.967372]  ? revalidate_disk+0x6f/0x140
[ 287.968348]  ? scsi_rescan_device+0x161/0x210
[ 287.969370]  ? ata_scsi_dev_rescan+0x13b/0x210
[ 287.970441]  ? process_one_work+0x938/0x1360
[ 287.971450]  ? worker_thread+0x9c/0x1150
[ 287.972447]  ? rescuer_thread+0xd10/0xd10
[ 287.973378]  ? kthread+0x2b4/0x3b0
[ 287.974175]  ? kthread_destroy_worker+0xb0/0xb0
[ 287.975245]  ? ret_from_fork+0x35/0x40
[ 287.976127] Modules linked in:
[ 287.976858] Dumping ftrace buffer:
[ 287.977735]    (ftrace buffer empty)
[ 287.978596] ---[ end trace 918beed9e0422a63 ]---
[ 287.979676] RIP: 0010:kmem_cache_alloc+0x78/0x190
[ 287.980775] Code: 4c 03 05 83 97 af 7e 49 83 78 10 00 49 8b 28 0f 84 e0 00 00 00 48 85 ed 0f 84 d7 00 00 00 41 8b 45 20 48 8d 4a 01 49 8b 7d 00 <48> 8b 5c 05 00 48 89 e8 65 48 0f c7 0f 0f 94 c0 84 c0 74 b8 48 85
[ 287.985120] RSP: 0018:ffff88006a2df560 EFLAGS: 00010006
[ 287.986345] RAX: 0000000000000000 RBX: ffff88006b7cd500 RCX: 0000000000000be9
[ 287.988115] RDX: 0000000000000be8 RSI: 0000000000491220 RDI: 0000000000030d40
[ 287.989759] RBP: 0018001c0018000c R08: ffff88006d430d40 R09: ffff8800552c6f28
[ 287.991414] R10: 0000000000000002 R11: ffffed000aa58de6 R12: 0000000000491220
[ 287.993064] R13: ffff88006b70aa00 R14: ffffffff8141aa74 R15: ffff88006b7cd508
[ 287.994711] FS:  0000000000000000(0000) GS:ffff88006d400000(0000) knlGS:0000000000000000
[ 287.996575] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 287.997920] CR2: ffffffffff600400 CR3: 0000000003e0e000 CR4: 00000000000006f0
[ 287.999690] DR0: 00000000200000c0 DR1: 00000000200000c0 DR2: 0000000000000000
[ 288.001619] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
[ 288.003281] Kernel panic - not syncing: Fatal exception
[ 288.004781] Dumping ftrace buffer:
[ 288.005595]    (ftrace buffer empty)
[ 288.006440] Kernel Offset: disabled
[ 288.007260] Rebooting in 86400 seconds..

I am trying to reproduce this.
On Tue, Jun 19, 2018 at 1:25 AM, Andrew Morton <akpm@linux-foundation.org> wrote:
>
> (switched to email. Please respond via emailed reply-to-all, not via the
> bugzilla web interface).
>
> Could the KASAN people please help interpret this one?

Most of the time this just means a NULL deref. Under KASAN it happens on the shadow address for NULL rather than on NULL itself, and so it's diagnosed differently.

icytxw, what kernel commit is this? I see a recent "mm/vmalloc: keep track of free blocks for allocation" that touches this function.
Also, why are all frames questionable? Do you have frame pointers enabled?

> On Sun, 17 Jun 2018 03:10:59 +0000 bugzilla-daemon@bugzilla.kernel.org wrote:
>
>> https://bugzilla.kernel.org/show_bug.cgi?id=200095
>>
>>             Bug ID: 200095
>>            Summary: kasan: GPF could be caused by NULL-ptr deref or user memory access
>>     Kernel Version: v4.17
>>          Component: mm
>>           Reporter: icytxw@gmail.com
>> [...]
>>
>> --
>> You are receiving this mail because:
>> You are the assignee for the bug.
It's Linux 4.17, last commit: https://github.com/torvalds/linux/commit/29dcea88779c856c7dc92040a0c01233263101d4

"have frame pointers enabled": do you mean CONFIG_FRAME_POINTER? I didn't enable it; I will pay attention to it next time.

I also noticed that many of the bugs I submitted were difficult to reproduce, which caused great trouble to developers, just like Theodore Tso said here: https://bugzilla.kernel.org/show_bug.cgi?id=200109. In the coming time, if time permits, I will devote myself to improving syzkaller's crash reports.

2018-06-19 13:12 GMT+08:00 <bugzilla-daemon@bugzilla.kernel.org>:
> https://bugzilla.kernel.org/show_bug.cgi?id=200095
>
> --- Comment #3 from Dmitry Vyukov (dvyukov@google.com) ---
> On Tue, Jun 19, 2018 at 1:25 AM, Andrew Morton
> <akpm@linux-foundation.org> wrote:
> >
> > (switched to email. Please respond via emailed reply-to-all, not via the
> > bugzilla web interface).
> >
> > Could the KASAN people please help interpret this one?
>
> Most of the time this just means a NULL deref. Under KASAN it happens
> on shadow address for NULL rather than on NULL itself, and so it's
> diagnosed differently.
>
> icytxw, what kernel commit is this? I see a recent "mm/vmalloc: keep
> track of free blocks for allocation" that touches this function.
> Also, why all frames are questionable? Do you have frame pointers enabled?
>
> > On Sun, 17 Jun 2018 03:10:59 +0000 bugzilla-daemon@bugzilla.kernel.org
> wrote:
> >
> >> https://bugzilla.kernel.org/show_bug.cgi?id=200095
> >> [...]
>
> --
> You are receiving this mail because:
> You reported the bug.
On 06/19/2018 02:25 AM, Andrew Morton wrote:
>
> (switched to email. Please respond via emailed reply-to-all, not via the
> bugzilla web interface).
>
> Could the KASAN people please help interpret this one?
>

[ 274.337561] RAX: 1ffff1000d80fd40 RBX: 0000041600000406 RCX: ffffffff8324e1de
[ 274.339796] RDX: 00000082c000007e RSI: ffffffff814d6dd8 RDI: 00000416000003f6
[ 274.342043] RBP: dffffc0000000000 R08: 1ffffffff08cf184 R09: fffffbfff08cf184
[ 274.344269] R10: 0000000000000001 R11: fffffbfff08cf184 R12: ffff88006c07ea00
[ 274.346529] R13: 00000416000003ee R14: ffffed000d80fd41 R15: ffffc90000712000

All code
========
   0:	76 e8                	jbe    0xffffffffffffffea
   2:	78 3f                	js     0x43
   4:	e5 ff                	in     $0xff,%eax
   6:	4c 89 e0             	mov    %r12,%rax
   9:	48 c1 e8 03          	shr    $0x3,%rax
   d:	80 3c 28 00          	cmpb   $0x0,(%rax,%rbp,1)
  11:	0f 85 c7 02 00 00    	jne    0x2de
  17:	4c 8d 6b e8          	lea    -0x18(%rbx),%r13
  1b:	4d 8b 3c 24          	mov    (%r12),%r15
  1f:	49 8d 7d 08          	lea    0x8(%r13),%rdi
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
  2a:*	80 3c 2a 00          	cmpb   $0x0,(%rdx,%rbp,1)		<-- trapping instruction
  2e:	0f 85 a0 02 00 00    	jne    0x2d4
  34:	4c 3b 7b f0          	cmp    -0x10(%rbx),%r15
  38:	72 9d                	jb     0xffffffffffffffd7
  3a:	e8 3f 3f e5 ff       	callq  0xffffffffffe53f7e
  3f:	41                   	rex.B

cmpb $0x0,(%rdx,%rbp,1) is the shadow check for the -0x10(%rbx) address (this address is also in %rdi). So this is an attempt to dereference the 0x00000416000003f6 address. %rbx seems to contain the 'parent' pointer; -0x10(%rbx) is tmp_va->va_end:

	tmp_va = rb_entry(parent, struct vmap_area, rb_node);
	if (va->va_start < tmp_va->va_end)
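As an added worked example (it is not part of the thread and not kernel code), the shadow-address arithmetic that both Dmitry's explanation and the disassembly analysis in the message above rely on, written out in C so the decoding can be checked mechanically rather than by hand. It assumes the x86-64 KASAN layout of the kernel in the dump: an 8:1 shadow scale (shift by 3) and KASAN_SHADOW_OFFSET = 0xdffffc0000000000, which is the constant the compiler keeps in %rbp throughout __insert_vmap_area here. The register values are copied from the oops; the function names, the OOPS_* constants and the canonical-address test are the example's own.

```c
/*
 * Added example, not from the bug thread: decode a KASAN-inline GPF from
 * the x86-64 register dump the way it was done by hand above.
 *
 * Assumptions (x86-64, Linux 4.17 KASAN layout as seen in the oops):
 *   shadow(addr) = (addr >> 3) + KASAN_SHADOW_OFFSET
 *   KASAN_SHADOW_OFFSET = 0xdffffc0000000000   (held in %rbp in the dump)
 * The inline check is  cmpb $0x0,(%idx,%rbp,1)  with %idx = addr >> 3.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KASAN_SHADOW_SCALE_SHIFT 3
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL

/* Address of the shadow byte an instrumented access checks before touching addr. */
static uint64_t kasan_shadow_addr(uint64_t addr)
{
	return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/*
 * x86-64 with 4-level paging: bits 63..47 must all equal bit 47.
 * A load from a non-canonical address raises #GP rather than #PF, which is
 * why the kernel prints "general protection fault" for a NULL or user
 * pointer under KASAN and adds the "could be caused by NULL-ptr deref or
 * user memory access" hint.
 */
static bool is_canonical(uint64_t addr)
{
	uint64_t top = addr >> 47;	/* the 17 bits that must agree */
	return top == 0 || top == 0x1ffff;
}

/* Which exception the CPU raises for the shadow lookup of addr. */
static const char *shadow_fault_kind(uint64_t addr)
{
	return is_canonical(kasan_shadow_addr(addr)) ? "#PF" : "#GP";
}

/*
 * Invert the check: given the index register of the trapping
 * cmpb $0x0,(%idx,%rbp,1), recover the 8-byte-aligned address the kernel
 * was about to touch. The low three bits are lost to the shift, so compare
 * against the pointer register (here %rdi) with those bits masked off.
 */
static uint64_t kasan_checked_addr(uint64_t idx_reg)
{
	return idx_reg << KASAN_SHADOW_SCALE_SHIFT;
}

/* Values copied verbatim from the oops in this thread. */
static const uint64_t OOPS_RDX = 0x00000082c000007eULL;	/* %rdi >> 3 */
static const uint64_t OOPS_RDI = 0x00000416000003f6ULL;	/* &tmp_va->va_end */
static const uint64_t OOPS_RBX = 0x0000041600000406ULL;	/* parent rb_node */
static const uint64_t OOPS_R12 = 0xffff88006c07ea00ULL;	/* va, a real slab object */
static const uint64_t OOPS_RAX = 0x1ffff1000d80fd40ULL;	/* %r12 >> 3 */

int main(void)
{
	uint64_t target = kasan_checked_addr(OOPS_RDX);

	printf("checked address  0x%016llx  (rdi 0x%016llx, rbx-0x10 0x%016llx)\n",
	       (unsigned long long)target, (unsigned long long)OOPS_RDI,
	       (unsigned long long)(OOPS_RBX - 0x10));
	printf("its shadow       0x%016llx  -> %s\n",
	       (unsigned long long)kasan_shadow_addr(OOPS_RDI),
	       shadow_fault_kind(OOPS_RDI));
	printf("NULL's shadow    0x%016llx  -> %s\n",
	       (unsigned long long)kasan_shadow_addr(0), shadow_fault_kind(0));
	/* The earlier check on %r12 (va) passed: its shadow is canonical. */
	printf("va's shadow      0x%016llx  -> %s (rax<<3 == r12: %s)\n",
	       (unsigned long long)kasan_shadow_addr(OOPS_R12),
	       shadow_fault_kind(OOPS_R12),
	       kasan_checked_addr(OOPS_RAX) == OOPS_R12 ? "yes" : "no");
	return 0;
}
```

The first line of output reproduces the -0x10(%rbx) reasoning: %rdx shifted back gives 0x416000003f0, which is %rdi with its low bits cleared, and %rdi is %rbx minus 0x10. The same arithmetic applied to %rax and %r12 shows the preceding cmpb on `va` succeeding (shadow 0xffffed000d80fd40, a canonical kernel address), which is why the fault lands on the second check and not the first.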