From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 38096C072A2 for ; Fri, 17 Nov 2023 05:42:44 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 3A6CB6B03CC; Fri, 17 Nov 2023 00:42:43 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 356B76B03D1; Fri, 17 Nov 2023 00:42:43 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 21E0A6B03E2; Fri, 17 Nov 2023 00:42:43 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0012.hostedemail.com [216.40.44.12]) by kanga.kvack.org (Postfix) with ESMTP id 106016B03CC for ; Fri, 17 Nov 2023 00:42:43 -0500 (EST) Received: from smtpin16.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay06.hostedemail.com (Postfix) with ESMTP id DDB19B6076 for ; Fri, 17 Nov 2023 05:42:42 +0000 (UTC) X-FDA: 81466351764.16.6494E24 Received: from mail-yw1-f174.google.com (mail-yw1-f174.google.com [209.85.128.174]) by imf18.hostedemail.com (Postfix) with ESMTP id 07CD31C0014 for ; Fri, 17 Nov 2023 05:42:40 +0000 (UTC) Authentication-Results: imf18.hostedemail.com; dkim=pass header.d=google.com header.s=20230601 header.b=fz2XNwhM; dmarc=pass (policy=reject) header.from=google.com; spf=pass (imf18.hostedemail.com: domain of hughd@google.com designates 209.85.128.174 as permitted sender) smtp.mailfrom=hughd@google.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1700199761; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=WIp7b7G7feVghl3ruBbzX+GxdSfTt87zbci3ckpMTrM=; b=wDQmVWVbvi7Q0avsmOvFNFbAQsJULOeQ3YL3ILXqw/iqTPzOLdlhFYRPvOyxtwqzg4qIoU hw8Sw71N308VRIIJ+C6//FzqpPv1nMMjCyHeaeSYn4fH03bKu5Cba6YA4CYpTSYYtnEw8O ODOs4aSLiF9QWMGa6nWSixP4QB2TBj4= ARC-Authentication-Results: i=1; imf18.hostedemail.com; dkim=pass header.d=google.com header.s=20230601 header.b=fz2XNwhM; dmarc=pass (policy=reject) header.from=google.com; spf=pass (imf18.hostedemail.com: domain of hughd@google.com designates 209.85.128.174 as permitted sender) smtp.mailfrom=hughd@google.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1700199761; a=rsa-sha256; cv=none; b=FkAbdFwfPKbxETmzMtMZWQ5Nkirao2eJQPKx1J9gYVgDeq05zra8nbgoUQpG5Mxme48vig 69y2AC93Su2b5oTURRVFCqeVXz4MGZFMMCUXYprAAS/fZAb6EjnwsoD9RloO+3aUFHUDGV rIxi/UFRZZWUtMPQ+dRX4yQwxBfeC0I= Received: by mail-yw1-f174.google.com with SMTP id 00721157ae682-5a7eef0b931so17854517b3.0 for ; Thu, 16 Nov 2023 21:42:40 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1700199760; x=1700804560; darn=kvack.org; h=mime-version:references:message-id:in-reply-to:subject:cc:to:from :date:from:to:cc:subject:date:message-id:reply-to; bh=WIp7b7G7feVghl3ruBbzX+GxdSfTt87zbci3ckpMTrM=; b=fz2XNwhMxvpXTKUvbD2x3zBZ5D82+yizX/K4ZXTrze//OX7qSAGZxAnqWjKYiqWkT7 pRqgr9GAY725UKv1B8l2qfMR8fUB2cuxRM3C6udS/1xjHKCMya4yAQEkGFU0lkGlsLw5 IECO+yKSvK1pBBUqX5q/J+oqznIjFitBpUiStquA5i/v+M7nDXjKB4fKFz6OFaQhHxGQ otVa0AAE/htG4CMQCfBGMEpPRqAgxvTzaeBN8kKEmWGDjjABWX0j+rAlDmEhsmZLNe6a PtqNXSXN/upbFvkOMJjMnDhheV+wqKL8fn8H/MTjKTdma6EmFQ9+PTeEr9dszTZZcdEC NLPw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700199760; x=1700804560; h=mime-version:references:message-id:in-reply-to:subject:cc:to:from :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=WIp7b7G7feVghl3ruBbzX+GxdSfTt87zbci3ckpMTrM=; b=C5mcOts8fVVPhAWP03Hi/HKChBH9SyivJ9wbERdf7PODNECcrD3eR0YxgN1ybgS7Ts Fs3GQOVCj8XbkUsyl2QQywgEJAga3/daEZ0vp2ozoxYakqF7KT7Zri1tCyybUM2yY17+ 5pF4bkhMYMBMzC9QZ9r1CvC6V7GVxeLL1UPLyh/xohynCFdaceh8o5ZRKbL+SLr8xpMx AgwL+cSPnmgejGuzcbKptx7HQ83UhmxTMPN/8xMfFRgUdf3/MVAIhGgtydNEIj/3g/rl yr4PiW5x2yCEh8XHsGxzsD/Y2LioJXjbhk3UqTJefSDhRP++MjlQ7RAPQ+GRQSby/TzV +Jrw== X-Gm-Message-State: AOJu0YxKPDx1KsJCvMosAXhM6WBdEBfn8worTiTz+cdoUiIAQoxj2u1n H4tNQUe5886K03Wxacyznng+Mg== X-Google-Smtp-Source: AGHT+IG9DJhOhTmDkCtAK8IY/XznMrEOkihXR83dQZC9JzRYp9mZ1zdLxx4jFyS8oQJ931NLTTAe0w== X-Received: by 2002:a0d:cd46:0:b0:5a7:aece:7e59 with SMTP id p67-20020a0dcd46000000b005a7aece7e59mr17826264ywd.50.1700199759975; Thu, 16 Nov 2023 21:42:39 -0800 (PST) Received: from ripple.attlocal.net (172-10-233-147.lightspeed.sntcca.sbcglobal.net. [172.10.233.147]) by smtp.gmail.com with ESMTPSA id g189-20020a0df6c6000000b005a7f676f305sm304910ywf.106.2023.11.16.21.42.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 16 Nov 2023 21:42:39 -0800 (PST) Date: Thu, 16 Nov 2023 21:42:27 -0800 (PST) From: Hugh Dickins X-X-Sender: hugh@ripple.attlocal.net To: syzbot cc: akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, jose.pekkarinen@foxhound.fi, willy@infradead.org, jannh@google.com, hughd@google.com Subject: Re: [syzbot] [mm?] BUG: unable to handle kernel paging request in __pte_offset_map_lock In-Reply-To: <0000000000005e44550608a0806c@google.com> Message-ID: <180788a2-b714-ebf3-962c-8aabdeff0c45@google.com> References: <0000000000005e44550608a0806c@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-Rspamd-Queue-Id: 07CD31C0014 X-Rspam-User: X-Rspamd-Server: rspam02 X-Stat-Signature: ct3b3rqa4zy64a7guuuzdqj5x8jhabq9 X-HE-Tag: 1700199760-799555 X-HE-Meta: U2FsdGVkX194pqJC6Llc2QGZH0A3BaHuFG+b8S1bFpRtrBywSSmamD0dwCJpbXBiA64lTSkZHAA0h1M/END7okepxIma5t4XC4sBNWKseDFlrLF3zLtjAcwp0Anrv56sG62ZTjYODL/iDZ3nfSpuyz2e5F56LPCogJSb1J8VDBmMl/iJ6XZwztLKuxSU7a8qUBicGtTEbHCN1dibFaxI8SNfbiUTzV+VVN6qcqmqy6TZfEy6D7TcKKIRdJyF+b0PZjf6ntr18GbwKiZEJ4jMl5SOxyMWQ+FyC+nHvcVLrnjmDqinomS+gQammH4LcY2Vep458oIgU9NvpBnU3ZPwjxTutttYVr4x2rJbcVbGEO+zf+kbVXBGNf4GvwS2+mKiPbaCj64JL1kCLyOz41ps8QYksLoqnUBAa9DhdWZ5A9L/NC/Ydk+tPM7Ocl1nyrBssgtTIfP3gqM2H4Xif4FoRAwYWPSXtQUpxuy2/MQ8uqVABH3rrfPXEaLS9++SlXh/nLhCRVVx/JNrGpxHpKL4aIjUac8dL8DHhgTsZ6TrAqGInJFLEhkBN0xNfPEEbpkAhoT+lJc5ZklKCbkmppe737AZ4C1SHfu9ysld/lxQDbFETG+IXRpcjI5pM4vvI73L9WJTPs7rSo/VAG9fyCZmRutnP+RMkurQh+JeNGotYLWsXjZLlUJzbenZ0PEQPVCWA0bkcAzYSaWbxQATGqRpAnP3nCXsvX+j0MgcygfctY1I0PzqiKklgCiZiK/Z3CqhLYrI+wVZ99DYWbD6WA7AVjgY/+xXW5U3aw9PEae6enBL/Gix12VTi568QqtrgDFQXzQiiKxpZjjGej+OjSnUYCdCSJ6d2ie3GdsoiXWesGng8DHxuSStclhjCtdI+tgswSbtAqSQcqMEEXFOwX/X8IKUJ4npchDCqB2XDGbgl3N2n25ePVshV4QfaXaxHD16OpF3d+8nV5f8J8pvxzQ ViAo1oEv BKMbInU6KGKC81ncArhs9UwywQQvYt1ny2fghGM9fqJNBBnkN95NgtkNlc6VqrA3MkT8+h2szNkItM9XiuChQ6J77LAt+xRcG9CE2npw2sVdR8iYeqx1JS0ENcc3oCuE4DTIrr1JlYI+oFCwx9jyAmHmYs98Q/TwjOdGtmw5dxitNXagAXvSZ0BxBxlV1a7ParhxjgHnWEKOsCyUTSsyzlMr99tjsNfLlFSyFg0tajuV6QWjbDdYRJzJBtdfpWZvLbsj3JYJvVMG7BpmMv6XHfB908bVPMoC0yG0CLqipxaCzRwX8X+HCNPjfC222jlT6OnlVGKL414fgvukFc1SQkHwRCsjl4eIUP14NpXep6JV/8cISCn1sXADn5KU86rrAg9vFOM93GGnyZOfoSkFCTw3FoU9Q6dw1kQqSfSX7VGd2X0B0C0GT5y7XRW5foktWELqGJAMVKVzjiT4XcUiDhF3o+mtam+fqu/M/KxXHRLU0fPXLTEobxVbzfFFT+/6g/7GxSbMId8aYQNHtTVKeosYbSLGVT47zpi6to8jzagekuD88iixWsRjjBkQEOcZPFrR3dE2S9KqmuDeThx21EfYqBBkBwScQ72VjOBvXcJEP3M/w16W1FntfshFuk4TtKjw5x0aztHn/gE5rkUnMubazs3r3mnM7Kbj+ekQrMaGbiCCi+qbkN4u5XSeB36SliWuthFMUmTJDT9Nor6nFMTM6/cRx8SclKzb8Ua2O2LhDxPPKtPUx3p4A0ngkFDN8JmdZ6LP2EZ5jqhLJxyXPwvzpPylBflA7km2c3KyNFSr6Q3HKNhv5KpxjrrdvAoFOs4OaI0Orn+xdR784sQkvJXt27zJfdlNYx1BxB2RnItA2LjkJ/RR/acISrPfBIaiHlKwesXjBJl3xYVeR9URwgvuVfAmq/LvaOxQPgcfgnxDcMlwsBFziaowioOXa4FHseJpN//YiCuBIKtCPo6UfEdxBGmrD 6yukJiwO GjBYXTH7PMaLo/56eDiv2/OkTnAyln5JFKSiEi21852EQpqWh+Qp/aajn+TiaDyHTnyAoze69b29EiJCmd6Cv+yvmxMh5g/AKJ9ahaWPS51q9CcSbrprgqlfOcB67B/zmM2CdHalI0eyF4Mr8J6g/NVt+9IbJhqSoUHTW439dR/27m7/HmKPJM07wpytuvq5GwUqRq1giSq5Z0Zu4vVijj3tvIV0UjHTNW+erkbpris= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On Thu, 26 Oct 2023, syzbot wrote: > Hello, > > syzbot found the following issue on: > > HEAD commit: 78124b0c1d10 Merge branch 'for-next/core' into for-kernelci > git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci > console output: https://syzkaller.appspot.com/x/log.txt?x=111b0e71680000 > kernel config: https://syzkaller.appspot.com/x/.config?x=f27cd6e68911e026 > dashboard link: https://syzkaller.appspot.com/bug?extid=89edd67979b52675ddec > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 > userspace arch: arm64 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16b8e671680000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=125a9df5680000 > > Downloadable assets: > disk image: https://storage.googleapis.com/syzbot-assets/bd512de820ae/disk-78124b0c.raw.xz > vmlinux: https://storage.googleapis.com/syzbot-assets/a47a437b1d4f/vmlinux-78124b0c.xz > kernel image: https://storage.googleapis.com/syzbot-assets/3ae8b966bcd7/Image-78124b0c.gz.xz > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > Reported-by: syzbot+89edd67979b52675ddec@syzkaller.appspotmail.com > > Unable to handle kernel paging request at virtual address dfff800000000004 > KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027] > Mem abort info: > ESR = 0x0000000096000005 > EC = 0x25: DABT (current EL), IL = 32 bits > SET = 0, FnV = 0 > EA = 0, S1PTW = 0 > FSC = 0x05: level 1 translation fault > Data abort info: > ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 > CM = 0, WnR = 0, TnD = 0, TagAccess = 0 > GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 > [dfff800000000004] address between user and kernel address ranges > Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP > Modules linked in: > CPU: 0 PID: 7952 Comm: syz-executor682 Not tainted 6.6.0-rc6-syzkaller-g78124b0c1d10 #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023 > pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) > pc : __lock_acquire+0x104/0x75e8 kernel/locking/lockdep.c:5004 > lr : lock_acquire+0x23c/0x71c kernel/locking/lockdep.c:5753 > sp : ffff800098f26d40 > x29: ffff800098f27000 x28: ffff8000808df4bc x27: ffff7000131e4e18 > x26: 1ffff00011c340b9 x25: 0000000000000000 x24: 0000000000000000 > x23: ffff7000131e4dd0 x22: 0000000000000000 x21: 0000000000000000 > x20: 0000000000000000 x19: 0000000000000022 x18: ffff800098f27750 > x17: 0000ffff833dafff x16: ffff80008a632120 x15: 0000000000000001 > x14: ffff80008e1a05d0 x13: ffff800098f26e80 x12: dfff800000000000 > x11: ffff800080319468 x10: ffff80008e1a05cc x9 : 00000000000000f3 > x8 : 0000000000000004 x7 : ffff8000808df4bc x6 : 0000000000000000 > x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000 > x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000022 > Call trace: > __lock_acquire+0x104/0x75e8 kernel/locking/lockdep.c:5004 > lock_acquire+0x23c/0x71c kernel/locking/lockdep.c:5753 > __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] > _raw_spin_lock+0x48/0x60 kernel/locking/spinlock.c:154 > spin_lock include/linux/spinlock.h:351 [inline] > __pte_offset_map_lock+0x154/0x360 mm/pgtable-generic.c:373 > pte_offset_map_lock include/linux/mm.h:2939 [inline] > filemap_map_pages+0x698/0x11f0 mm/filemap.c:3582 > do_fault_around mm/memory.c:4525 [inline] > do_read_fault mm/memory.c:4558 [inline] > do_fault mm/memory.c:4705 [inline] > do_pte_missing mm/memory.c:3669 [inline] > handle_pte_fault mm/memory.c:4978 [inline] > __handle_mm_fault mm/memory.c:5119 [inline] > handle_mm_fault+0x326c/0x49fc mm/memory.c:5284 > faultin_page mm/gup.c:956 [inline] > __get_user_pages+0x3e0/0xa24 mm/gup.c:1239 > populate_vma_page_range+0x254/0x328 mm/gup.c:1666 > __mm_populate+0x240/0x3d8 mm/gup.c:1775 > mm_populate include/linux/mm.h:3305 [inline] > vm_mmap_pgoff+0x2bc/0x3d4 mm/util.c:551 > ksys_mmap_pgoff+0xd0/0x5b0 mm/mmap.c:1400 > __do_sys_mmap arch/arm64/kernel/sys.c:28 [inline] > __se_sys_mmap arch/arm64/kernel/sys.c:21 [inline] > __arm64_sys_mmap+0xf8/0x110 arch/arm64/kernel/sys.c:21 > __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] > invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51 > el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136 > do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155 > el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678 > el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696 > el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595 > Code: b006f948 b943a108 34000208 d343fe68 (386c6908) > ---[ end trace 0000000000000000 ]--- > ---------------- > Code disassembly (best guess): > 0: b006f948 adrp x8, 0xdf29000 > 4: b943a108 ldr w8, [x8, #928] > 8: 34000208 cbz w8, 0x48 > c: d343fe68 lsr x8, x19, #3 > * 10: 386c6908 ldrb w8, [x8, x12] <-- trapping instruction > > > --- > This report is generated by a bot. It may contain errors. > See https://goo.gl/tpsmEJ for more information about syzbot. > syzbot engineers can be reached at syzkaller@googlegroups.com. > > syzbot will keep track of this issue. See: > https://goo.gl/tpsmEJ#status for how to communicate with syzbot. > > If the bug is already fixed, let syzbot know by replying with: > #syz fix: exact-commit-title > > If you want syzbot to run the reproducer, reply with: > #syz test: git://repo/address.git branch-or-commit-hash > If you attach or paste a git patch, syzbot will apply it before testing. > > If you want to overwrite bug's subsystems, reply with: > #syz set subsystems: new-subsystem > (See the list of subsystem names on the web dashboard) > > If the bug is a duplicate of another bug, reply with: > #syz dup: exact-subject-of-another-report > > If you want to undo deduplication, reply with: > #syz undup I expect syzbot to approve of this one... #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git b85ea95d086471afb4ad062012a4d73cd328fa86 [PATCH] mm: fix oops when filemap_map_pmd() without prealloc_pte [text to be filled in a little later] Fixes: f9ce0be71d1f ("mm: Cleanup faultaround and finish_fault() codepaths") Signed-off-by: Hugh Dickins --- mm/filemap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm/filemap.c b/mm/filemap.c index 9710f43a89ac..3d4dae9d1070 100644 --- a/mm/filemap.c +++ b/mm/filemap.c @@ -3371,7 +3371,7 @@ static bool filemap_map_pmd(struct vm_fault *vmf, struct folio *folio, } } - if (pmd_none(*vmf->pmd)) + if (pmd_none(*vmf->pmd) && vmf->prealloc_pte) pmd_install(mm, vmf->pmd, &vmf->prealloc_pte); return false; -- 2.35.3