From: "Liam R. Howlett" <Liam.Howlett@Oracle.com>
To: Hugh Dickins <hughd@google.com>
Cc: David Hildenbrand <david@redhat.com>,
Matthew Wilcox <willy@infradead.org>,
Sanan Hasanov <sanan.hasanov@knights.ucf.edu>,
"akpm@linux-foundation.org" <akpm@linux-foundation.org>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"contact@pgazz.com" <contact@pgazz.com>,
"syzkaller@googlegroups.com" <syzkaller@googlegroups.com>,
Huang Ying <ying.huang@intel.com>
Subject: Re: kernel BUG in page_add_anon_rmap
Date: Mon, 30 Jan 2023 14:26:32 -0500 [thread overview]
Message-ID: <20230130192632.lk6w5fhi2nbm3lpz@revolver> (raw)
In-Reply-To: <9d8fb9c-1b81-67cd-e55b-34517388e1ab@google.com>
* Hugh Dickins <hughd@google.com> [230129 01:49]:
> On Fri, 27 Jan 2023, Hugh Dickins wrote:
> > On Fri, 27 Jan 2023, David Hildenbrand wrote:
> > > On 26.01.23 19:57, Matthew Wilcox wrote:
> > > > On Wed, Jan 25, 2023 at 11:59:16PM +0000, Sanan Hasanov wrote:
> > > >> Good day, dear maintainers,
> > > >>
> > > >> We found a bug using a modified kernel configuration file used by syzbot.
> > > >>
> > > >> We enhanced the coverage of the configuration file using our tool,
> > > >> klocalizer.
> > > >>
> > > >> Kernel Branch: 6.2.0-rc5-next-20230124
> > > >> Kernel
> > > >> config: https://drive.google.com/file/d/1MZSgIF4R9QfikEuF5siUIZVPce-GiJQK/view?usp=sharing
> > > >> Reproducer: https://drive.google.com/file/d/1H5KWkT9VVMWTUVVgIaZi6J-fmukRx-BM/view?usp=sharing
> > > >>
> > > >> Thank you!
> > > >>
> > > >> Best regards,
> > > >> Sanan Hasanov
>
> This is a very interesting find: the thanks go to you.
>
...
> Upstream's fine; on next-20230127 (with David's repro) it bisects to
> 5ddaec50023e ("mm/mmap: remove __vma_adjust()"). I think I'd better
> hand on to Liam, rather than delay you by puzzling over it further myself.
Thanks Hugh!
...
> > > Indeed, the mapcount of the subpage is 2 instead of 1. The subpage is only
> > > mapped into a single
> > > page table (no fork() or similar).
>
> Yes, that mapcount:2 is weird; and what's also weird is the index:0x20003:
> what is remove_migration_pte(), in an mbind(0x20002000,...), doing with
> index:0x20003?
>
> My guess is that the remove-__vma_adjust() commit is not properly updating
> vm_pgoff into non_vma in some case: so that when remove_migration_pte()
> looks for where to insert the new pte, it's off by one page.
That looks to be exactly correct. I am setting the vm_pgoff to the
wrong value in case 8 (for lack of a better name).
>
> > >
> > > I created this reduced reproducer that triggers 100%:
>
> Very helpful, thank you.
Yes, thank you very much for find this bug and the reproducer.
...
Thanks,
Liam
prev parent reply other threads:[~2023-01-30 19:26 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-25 23:59 Sanan Hasanov
2023-01-26 0:13 ` Andrew Morton
2023-01-26 18:57 ` Matthew Wilcox
2023-01-26 19:00 ` Sanan Hasanov
2023-01-27 11:44 ` David Hildenbrand
2023-01-27 17:02 ` Hugh Dickins
2023-01-29 6:49 ` Hugh Dickins
2023-01-30 9:03 ` David Hildenbrand
2023-01-30 9:26 ` David Hildenbrand
2023-01-30 16:11 ` Matthew Wilcox
2023-01-31 1:16 ` Hillf Danton
2023-01-30 19:20 ` Yang Shi
2023-01-30 19:26 ` Liam R. Howlett [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230130192632.lk6w5fhi2nbm3lpz@revolver \
--to=liam.howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=contact@pgazz.com \
--cc=david@redhat.com \
--cc=hughd@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=sanan.hasanov@knights.ucf.edu \
--cc=syzkaller@googlegroups.com \
--cc=willy@infradead.org \
--cc=ying.huang@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox