Date: Wed, 29 Mar 2023 14:53:04 -0700
From: Andrew Morton
To: Ivan Orlov
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, himadrispandya@gmail.com, skhan@linuxfoundation.org, linux-kernel-mentees@lists.linuxfoundation.org, syzbot+9578faa5475acb35fa50@syzkaller.appspotmail.com
Subject: Re: [PATCH] mm: khugepaged: Fix kernel BUG in hpage_collapse_scan_file
Message-Id: <20230329145304.66add47ba9b9fafb71b1e13d@linux-foundation.org>
In-Reply-To: <20230329145330.23191-1-ivan.orlov0322@gmail.com>
References: <20230329145330.23191-1-ivan.orlov0322@gmail.com>

On Wed, 29 Mar 2023 18:53:30 +0400 Ivan Orlov wrote:

> Syzkaller reported the following issue:
>
> ...
>
> The 'xas_store' call during page cache scanning can potentially
> translate 'xas' into the error state (with the reproducer provided
> by the syzkaller the error code is -ENOMEM). However, there are no
> further checks after the 'xas_store', and the next call of 'xas_next'
> at the start of the scanning cycle doesn't increase the xa_index,
> and the issue occurs.
>
> This patch will add the xarray state error checking after the
> 'xas_store' and the corresponding result error code.
>
> Tested via syzbot.
>
> Reported-by: syzbot+9578faa5475acb35fa50@syzkaller.appspotmail.com
> Link: https://syzkaller.appspot.com/bug?id=7d6bb3760e026ece7524500fe44fb024a0e959fc
> Signed-off-by: Ivan Orlov
> ---
>  mm/khugepaged.c | 10 ++++++++++
>  1 file changed, 10 insertions(+)
> > diff --git a/mm/khugepaged.c b/mm/khugepaged.c > index 92e6f56a932d..4d9850d9ea7f 100644 > --- a/mm/khugepaged.c > +++ b/mm/khugepaged.c > @@ -55,6 +55,7 @@ enum scan_result { > SCAN_CGROUP_CHARGE_FAIL, > SCAN_TRUNCATED, > SCAN_PAGE_HAS_PRIVATE, > + SCAN_STORE_FAILED, > }; > > #define CREATE_TRACE_POINTS > @@ -1840,6 +1841,15 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr, > goto xa_locked; > } > xas_store(&xas, hpage); > + if (xas_error(&xas)) { > + /* revert shmem_charge performed > + * in the previous condition > + */ > + mapping->nrpages--; > + shmem_uncharge(mapping->host, 1); > + result = SCAN_STORE_FAILED; > + goto xa_locked; > + } > nr_none++; > continue; > } Needs this, I assume. --- a/include/trace/events/huge_memory.h~mm-khugepaged-fix-kernel-bug-in-hpage_collapse_scan_file-fix +++ a/include/trace/events/huge_memory.h @@ -36,7 +36,8 @@ EM( SCAN_ALLOC_HUGE_PAGE_FAIL, "alloc_huge_page_failed") \ EM( SCAN_CGROUP_CHARGE_FAIL, "ccgroup_charge_failed") \ EM( SCAN_TRUNCATED, "truncated") \ - EMe(SCAN_PAGE_HAS_PRIVATE, "page_has_private") \ + EM( SCAN_PAGE_HAS_PRIVATE, "page_has_private") \ + EMe(SCAN_STORE_FAILED, "store_failed") #undef EM #undef EMe _
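Review bot: The enum scan_result hunk (@@ -55,6 +55,7 in mm/khugepaged.c) adds SCAN_STORE_FAILED, but the diffstat shows only mm/khugepaged.c changed, so the new value has no string in the EM()/EMe() list in include/trace/events/huge_memory.h. The follow-up hunk in the reply adds `EMe(SCAN_STORE_FAILED, "store_failed")` and turns the SCAN_PAGE_HAS_PRIVATE entry into `EM(...)` with a trailing backslash; fold that into the patch so the enum and the trace table change in the same commit.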
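Review bot: In the collapse_file() hunk (@@ -1840,6 +1841,15), the new comment says the error path reverts shmem_charge, but the block also does `mapping->nrpages--`, which the comment does not account for. State in the comment why nrpages is decremented here, so a reader can check that the rollback after a failed `xas_store(&xas, hpage)` is balanced against the charge taken just before it. On style, the comment starts its text on the `/*` line; either put `/*` on a line by itself or shorten the comment to a single line.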