From: Naoya Horiguchi
To: linux-mm@kvack.org
Cc: Andrew Morton, David Hildenbrand, Muchun Song, Miaohe Lin, Matthew Wilcox, Michal Hocko, Yang Shi, Naoya Horiguchi
Subject: [BUG report] kernel NULL pointer dereference in split_huge_page with offlined memory block
Date: Wed, 7 Sep 2022 19:08:55 +0900
Message-ID: <20220907100855.GA2894785@ik1-406-35019.vs.sakura.ne.jp>
Hi MM folks,

While I was testing memory hotremove with various settings, I found the following NULL-pointer dereference. It reproduces easily with the following steps:

  $ echo offline > /sys/devices/system/memory/memoryN/state
  $ echo 1 > /sys/kernel/debug/split_huge_pages

I haven't checked yet in which commit this was introduced (at least v6.0-rc1, v6.0-rc4 and mm-everything-2022-09-05-23-30 are affected), but I expect that someone might have a clear idea about this, so let me share it first.

Thanks,
Naoya Horiguchi

---
[ 309.947421] BUG: kernel NULL pointer dereference, address: 0000000000000032
[ 309.949600] #PF: supervisor read access in kernel mode
[ 309.951220] #PF: error_code(0x0000) - not-present page
[ 309.952819] PGD 0 P4D 0
[ 309.953649] Oops: 0000 [#1] PREEMPT SMP PTI
[ 309.954999] CPU: 1 PID: 846 Comm: bash Tainted: G E N 6.0.0-rc1-v6.0-rc1-220815-2254-000-rc1+ #62
[ 309.958170] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1.fc35 04/01/2014
[ 309.960759] RIP: 0010:split_huge_pages_write.part.0+0x40c/0xe70
[ 309.962684] Code: 00 00 00 4d 8b ae 90 00 00 00 49 01 dd 4c 39 eb 72 47 eb c8 48 8b 41 08 a8 01 0f 85 57 08 00 00 0f 1f 44 00 00 0f 1f 44 00 00 <41> 8b 47 34 85 c0 0f 84 1c 09 00 00 f0 41 ff 4f 34 0f 94 c0 0f 1f
[ 309.968381] RSP: 0018:ffffb4d201d6bbd0 EFLAGS: 00010202
[ 309.970067] RAX: ffffffffffffffff RBX: 0000000000230000 RCX: ffffd6fac8c00000
[ 309.972262] RDX: 00000000000003ff RSI: 0000000000000014 RDI: ffffd6fac4fff300
[ 309.974475] RBP: ffffb4d201d6bc12 R08: 0000000000000054 R09: ffffd6fac46b7f88
[ 309.976725] R10: 00000000ffffffff R11: ffffff8000000000 R12: 0000000000001454
[ 309.978980] R13: 0000000000248000 R14: ffff93ce3ffd5d80 R15: fffffffffffffffe
[ 309.981267] FS:  00007fe2cd337740(0000) GS:ffff93ce3bc80000(0000) knlGS:0000000000000000
[ 309.983842] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 309.985672] CR2: 0000000000000032 CR3: 00000001018fc005 CR4: 0000000000170ee0
[ 309.987909] Call Trace:
[ 309.988794]  <TASK>
[ 309.989461]  ? _raw_spin_lock+0x13/0x40
[ 309.990578]  ? __mark_inode_dirty+0x113/0x390
[ 309.991933]  ? terminate_walk+0x90/0x100
[ 309.993186]  ? path_openat+0x440/0x1070
[ 309.994421]  ? do_filp_open+0x9f/0x130
[ 309.995610]  full_proxy_write+0x53/0x80
[ 309.996820]  vfs_write+0xb7/0x3a0
[ 309.997902]  ? _raw_spin_unlock+0x15/0x30
[ 309.999190]  ksys_write+0x4f/0xd0
[ 310.000249]  do_syscall_64+0x3b/0x90
[ 310.001418]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 310.002938] RIP: 0033:0x7fe2cd1018b7
[ 310.004143] Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
[ 310.009871] RSP: 002b:00007ffc625f63f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 310.012060] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fe2cd1018b7
[ 310.014250] RDX: 0000000000000002 RSI: 000055c1a80afc50 RDI: 0000000000000001
[ 310.016533] RBP: 000055c1a80afc50 R08: 0000000000000000 R09: 00007fe2cd1b64e0
[ 310.018782] R10: 00007fe2cd1b63e0 R11: 0000000000000246 R12: 0000000000000002
[ 310.021086] R13: 00007fe2cd1fb5a0 R14: 0000000000000002 R15: 00007fe2cd1fb7a0
[ 310.023169]  </TASK>
[ 310.023844] Modules linked in: nft_fib_inet(E) nft_fib_ipv4(E) nft_fib_ipv6(E) nft_fib(E) nft_reject_inet(E) nf_reject_ipv4(E) nf_reject_ipv6(E) nft_reject(E) nft_ct(E) nft_chain_nat(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) ip_set(E) rfkill(E) nf_tables(E) nfnetlink(E) qrtr(E) sunrpc(E) 9p(E) fscache(E) netfs(E) intel_rapl_msr(E) intel_rapl_common(E) kvm_intel(E) kvm(E) irqbypass(E) virtio_balloon(E) rapl(E) 9pnet_virtio(E) i2c_piix4(E) 9pnet(E) joydev(E) pcspkr(E) fuse(E) zram(E) ip_tables(E) xfs(E) crc32c_intel(E) serio_raw(E) virtio_blk(E) e1000(E) ata_generic(E) pata_acpi(E) floppy(E) qemu_fw_cfg(E)
[ 310.040426] CR2: 0000000000000032
[ 310.041715] ---[ end trace 0000000000000000 ]---
[ 310.043196] RIP: 0010:split_huge_pages_write.part.0+0x40c/0xe70
[ 310.044953] Code: 00 00 00 4d 8b ae 90 00 00 00 49 01 dd 4c 39 eb 72 47 eb c8 48 8b 41 08 a8 01 0f 85 57 08 00 00 0f 1f 44 00 00 0f 1f 44 00 00 <41> 8b 47 34 85 c0 0f 84 1c 09 00 00 f0 41 ff 4f 34 0f 94 c0 0f 1f
[ 310.050051] RSP: 0018:ffffb4d201d6bbd0 EFLAGS: 00010202
[ 310.051593] RAX: ffffffffffffffff RBX: 0000000000230000 RCX: ffffd6fac8c00000
[ 310.053664] RDX: 00000000000003ff RSI: 0000000000000014 RDI: ffffd6fac4fff300
[ 310.056165] RBP: ffffb4d201d6bc12 R08: 0000000000000054 R09: ffffd6fac46b7f88
[ 310.059144] R10: 00000000ffffffff R11: ffffff8000000000 R12: 0000000000001454
[ 310.062033] R13: 0000000000248000 R14: ffff93ce3ffd5d80 R15: fffffffffffffffe
[ 310.069111] FS:  00007fe2cd337740(0000) GS:ffff93ce3bc80000(0000) knlGS:0000000000000000
[ 310.077141] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 310.079988] CR2: 0000000000000032 CR3: 00000001018fc005 CR4: 0000000000170ee0
[ 310.083292] Kernel panic - not syncing: Fatal exception
[ 310.086117] Kernel Offset: 0x1a000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 310.090607] Rebooting in 2 seconds..
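As an added worked example (not part of Naoya's report and not kernel code), the following Python decodes the faulting instruction from the `Code:` line of the oops above and reconstructs the address it tried to read from the register dump, then checks the result against CR2. The input lines are copied from the report; the decoder deliberately handles only the one encoding present here (REX-prefixed `MOV r, [base + disp]`, opcode 0x8B without a SIB byte). The comment that offset 0x34 would be `struct page::_refcount` on an x86-64 build of this era is my assumption about the layout, not something the report states.

```python
import re

# Lines copied from the kernel-side register dump in the oops above
# (the userspace RIP 0033 frame is deliberately left out).
OOPS = """\
[ 309.960759] RIP: 0010:split_huge_pages_write.part.0+0x40c/0xe70
[ 309.962684] Code: 00 00 00 4d 8b ae 90 00 00 00 49 01 dd 4c 39 eb 72 47 eb c8 48 8b 41 08 a8 01 0f 85 57 08 00 00 0f 1f 44 00 00 0f 1f 44 00 00 <41> 8b 47 34 85 c0 0f 84 1c 09 00 00 f0 41 ff 4f 34 0f 94 c0 0f 1f
[ 309.968381] RSP: 0018:ffffb4d201d6bbd0 EFLAGS: 00010202
[ 309.970067] RAX: ffffffffffffffff RBX: 0000000000230000 RCX: ffffd6fac8c00000
[ 309.972262] RDX: 00000000000003ff RSI: 0000000000000014 RDI: ffffd6fac4fff300
[ 309.974475] RBP: ffffb4d201d6bc12 R08: 0000000000000054 R09: ffffd6fac46b7f88
[ 309.976725] R10: 00000000ffffffff R11: ffffff8000000000 R12: 0000000000001454
[ 309.978980] R13: 0000000000248000 R14: ffff93ce3ffd5d80 R15: fffffffffffffffe
[ 309.985672] CR2: 0000000000000032 CR3: 00000001018fc005 CR4: 0000000000170ee0
"""

MASK64 = (1 << 64) - 1

# x86-64 GPRs in hardware encoding order (0..15), spelled the way the
# kernel's show_regs() prints them (R08/R09 rather than R8/R9).
GPR = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI",
       "R08", "R09", "R10", "R11", "R12", "R13", "R14", "R15"]

# RSP is printed as "RSP: 0018:<value>", so allow an optional segment prefix.
_REG_RE = re.compile(r"\b(" + "|".join(GPR) + r"): (?:[0-9a-f]{4}:)?([0-9a-f]{16})\b")
_CR2_RE = re.compile(r"\bCR2: ([0-9a-f]{16})\b")


def parse_registers(oops: str) -> dict:
    """Return {name: value} for every GPR (and CR2) found in the dump."""
    regs = {name: int(val, 16) for name, val in _REG_RE.findall(oops)}
    m = _CR2_RE.search(oops)
    if m:
        regs["CR2"] = int(m.group(1), 16)
    return regs


def faulting_bytes(oops: str) -> bytes:
    """Instruction bytes starting at RIP: the kernel marks that byte <xx>."""
    m = re.search(r"Code: (.*)", oops)
    if not m:
        raise ValueError("no Code: line in oops")
    toks = m.group(1).split()
    start = next(i for i, t in enumerate(toks) if t.startswith("<"))
    return bytes(int(t.strip("<>"), 16) for t in toks[start:])


def reg_name(name: str, wide: bool) -> str:
    """AT&T spelling: RAX -> %rax/%eax, R08 -> %r8/%r8d."""
    if name[1].isdigit():
        n = int(name[1:])
        return f"%r{n}" if wide else f"%r{n}d"
    return f"%{name.lower()}" if wide else f"%e{name[1:].lower()}"


def decode_mov_load(code: bytes):
    """Decode `MOV r32/r64, [base + disp8/disp32]` (optional REX, opcode 0x8B,
    ModRM mod=01/10, no SIB). Returns (dst, base, disp, is_64bit). Anything
    else raises ValueError: this is a narrow decoder for the one case needed."""
    i = 0
    rex_w = rex_r = rex_b = 0
    if 0x40 <= code[i] <= 0x4F:
        rex_w, rex_r, rex_b = (code[i] >> 3) & 1, (code[i] >> 2) & 1, code[i] & 1
        i += 1
    if code[i] != 0x8B:
        raise ValueError(f"opcode {code[i]:#x} is not MOV r, r/m")
    i += 1
    modrm = code[i]
    i += 1
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod not in (1, 2) or rm == 4:
        raise ValueError("only [base + disp] without SIB is supported")
    size = 1 if mod == 1 else 4
    disp = int.from_bytes(code[i:i + size], "little", signed=True)
    return GPR[(rex_r << 3) | reg], GPR[(rex_b << 3) | rm], disp, bool(rex_w)


def faulting_access(oops: str) -> dict:
    """Rebuild the memory operand of the faulting load and compare the
    computed effective address with CR2, the address the CPU faulted on."""
    regs = parse_registers(oops)
    dst, base, disp, wide = decode_mov_load(faulting_bytes(oops))
    ea = (regs[base] + disp) & MASK64          # 64-bit wraparound matters here
    return {
        "insn": f"mov {disp:#x}({reg_name(base, True)}),{reg_name(dst, wide)}",
        "base": base,
        "base_value": regs[base],
        "disp": disp,                          # 0x34: assumed struct page::_refcount on this build
        "effective_address": ea,
        "cr2": regs.get("CR2"),
        "matches_cr2": ea == regs.get("CR2"),
    }


if __name__ == "__main__":
    r = faulting_access(OOPS)
    print(r["insn"])
    print(f"{r['base']} = {r['base_value']:#018x} (as signed: {r['base_value'] - (1 << 64)})")
    print(f"effective address {r['effective_address']:#x}, CR2 {r['cr2']:#x}, match={r['matches_cr2']}")
```

Running it shows the faulting instruction is `mov 0x34(%r15),%eax` with R15 = 0xfffffffffffffffe, i.e. -2, so the effective address is 0x32, exactly the CR2 value the kernel reported. The "NULL pointer dereference" label comes only from that address lying in the first page: the base register is not NULL but a bogus pointer, which is the more useful fact when bisecting where the loop over pages in `split_huge_pages_write` picks up its pointer after the memory block has been offlined.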