From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id A02E1C74A5B for ; Wed, 29 Mar 2023 14:53:47 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 16046900003; Wed, 29 Mar 2023 10:53:47 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 110C0900002; Wed, 29 Mar 2023 10:53:47 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id F19F9900003; Wed, 29 Mar 2023 10:53:46 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0015.hostedemail.com [216.40.44.15]) by kanga.kvack.org (Postfix) with ESMTP id E234D900002 for ; Wed, 29 Mar 2023 10:53:46 -0400 (EDT) Received: from smtpin24.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay05.hostedemail.com (Postfix) with ESMTP id 8831840C20 for ; Wed, 29 Mar 2023 14:53:46 +0000 (UTC) X-FDA: 80622230052.24.3F88F69 Received: from mail-lf1-f43.google.com (mail-lf1-f43.google.com [209.85.167.43]) by imf07.hostedemail.com (Postfix) with ESMTP id 985964001C for ; Wed, 29 Mar 2023 14:53:44 +0000 (UTC) Authentication-Results: imf07.hostedemail.com; dkim=pass header.d=gmail.com header.s=20210112 header.b=XjLsCsvn; spf=pass (imf07.hostedemail.com: domain of ivan.orlov0322@gmail.com designates 209.85.167.43 as permitted sender) smtp.mailfrom=ivan.orlov0322@gmail.com; dmarc=pass (policy=none) header.from=gmail.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1680101624; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-transfer-encoding:content-transfer-encoding: in-reply-to:references:dkim-signature; bh=mEfOw359GRtKE8JCHIM8Osck0I4+SZuJBzUhnN6nlo8=; b=Q0CX8jLodwOd/pm7pg5uwK+qmNmpaspFZWF1XI+3ku7beTA8HpiW6U8F1cyc7GtkIX/udv q0ux8ZWmBq1SQMh2/YYluk5URzKeDX41HkTbk1Wa3/uEpd4gHIxDm9xp2++3zZ3ZrJ/Xwz ELY0QGAHdCvttXeBu9ulay+Ieda73cs= ARC-Authentication-Results: i=1; imf07.hostedemail.com; dkim=pass header.d=gmail.com header.s=20210112 header.b=XjLsCsvn; spf=pass (imf07.hostedemail.com: domain of ivan.orlov0322@gmail.com designates 209.85.167.43 as permitted sender) smtp.mailfrom=ivan.orlov0322@gmail.com; dmarc=pass (policy=none) header.from=gmail.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1680101624; a=rsa-sha256; cv=none; b=1DjiDhZhIVjFkBzhil/4vyxs8Une8JClzqTaYswe3U4SJu5h788GqaUS1lmo+aLIg8JBW8 FehnM9GOdaljGcjMdOvXA8Srfr5exxe0dip8zShwO90Bv1/cQ1Kls1N4ArXkS32aUb2dlg mKWqgYwPsQH0gayfVzFvHaq/K5c7IZY= Received: by mail-lf1-f43.google.com with SMTP id k37so20632908lfv.0 for ; Wed, 29 Mar 2023 07:53:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1680101623; x=1682693623; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=mEfOw359GRtKE8JCHIM8Osck0I4+SZuJBzUhnN6nlo8=; b=XjLsCsvn2a3ktcgvoxrI3m6Hds0ImD4++hcwbtY5mAvMFbIWA1qd/u9qZrBYzOUF/9 q6a1SeSR4o2oggFekN91HgYcXltH9kFil7hJPOgM7O0Q+f0FEYLjtaJH7E32blYe+SPp aizgMdw/+R/V1Dn3RZZSWl947luOD2oEDYbM+ETcn97+ILXUsu+RHoDgjNfT4OfpNx/v wwXjOxPbzvLokpL57HHdji8y8Gk7A4NnbHmwV/xw6fXV7wGB0RTz4UU2eNtqMgnCdwDA HsBGknsOSkR0xQTcxN0Txg+FL1aRhenfL42rKtq1BsmHtadmhBiklX4RIlPf40Yo4Qw4 G19g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680101623; x=1682693623; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=mEfOw359GRtKE8JCHIM8Osck0I4+SZuJBzUhnN6nlo8=; b=b7O8VgKQ0WLb8cDMisgwYUeufoq+uOktGYF0sygC8yw3NjgOgHdXR5M24a0wc0eaGO ay3j7PlRp4mEauk1SSkjieC3mJPPbIoIRnUavTeyq63enddMqunHze5LOIiI+82/yUxA GjHUCS1+48vm68gG/VvQ4EnlhMxRS8RKruaVXfZhx5KMP3zinSnxVbZtdv4fhEZIuEZn +369I9s9mchSI2dD8KwpsbduRuSdwr4mov7Ez7yEB4V2UJcUuUBveUcnRaVUWZd0yhwi nHSq7Q3uN6w0fdmYOUKp3AcI5fDqxuTkBmvrwnY5rO4im6Nen1EY2Xns4Z8NlytxL/+I 5eQw== X-Gm-Message-State: AAQBX9eO4jRElIoz3tGjk4mR7QzLW6aPfmsamS7QOh5mUiWuyArF8J4m tSSc0wFh8PxAosLYLuPehL4= X-Google-Smtp-Source: AKy350YdsUKflXAEBl1vJ9VDW1DfapsI013xZTK3XHhLffq3SlUJND31lkuQM3vbpQwCIOiQ/dDjJA== X-Received: by 2002:ac2:5989:0:b0:4dd:a025:d87 with SMTP id w9-20020ac25989000000b004dda0250d87mr4805726lfn.0.1680101622641; Wed, 29 Mar 2023 07:53:42 -0700 (PDT) Received: from ivan-HLYL-WXX9.. ([178.160.196.94]) by smtp.gmail.com with ESMTPSA id b3-20020ac25623000000b004eb0c51780bsm1619723lff.29.2023.03.29.07.53.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 29 Mar 2023 07:53:42 -0700 (PDT) From: Ivan Orlov To: akpm@linux-foundation.org Cc: Ivan Orlov , linux-mm@kvack.org, linux-kernel@vger.kernel.org, himadrispandya@gmail.com, skhan@linuxfoundation.org, linux-kernel-mentees@lists.linuxfoundation.org, syzbot+9578faa5475acb35fa50@syzkaller.appspotmail.com Subject: [PATCH] mm: khugepaged: Fix kernel BUG in hpage_collapse_scan_file Date: Wed, 29 Mar 2023 18:53:30 +0400 Message-Id: <20230329145330.23191-1-ivan.orlov0322@gmail.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 985964001C X-Stat-Signature: go9rosry5fknaqkap75mpj4dgtknpmsi X-Rspam-User: X-Rspamd-Server: rspam08 X-HE-Tag: 1680101624-558363 X-HE-Meta: U2FsdGVkX19ckj7+lrNW3UauK4D0ZknSh51AyBq70nOhafHBYUvHDazJPeQ4I3RBF5hLcRRXqnxu4aWfRn+ZXiM3TVYrI6Cz9iXtkDcRV3FU1dG71cuqSfFZiRVZSMpzrlav49SSLgsJoyy1bi4JMghhH30fzDzJvUp/YtTE+9+oYZnGTaaKukUHvryTGeuRj4frnSfsQXSzInDxwqveUuxNKhIVm4R0K1D/GX6vqtL99eaQmR6AKLb71yKsiP1WW3IjvVgnHUUnyBVauAqP2ANeHECT+O437zlxjVyarxJvkE0Ok1OBqJJo+C9sibTGomAVUIo31epLpqU6MzRmwDvzK2PTzKMoikTdC9F35HpTxAbco2wuZ8+K1cekP39Jxb0QCuDEcXRwiurkXgZiQLDrFXnhTpHIWZ7GlUiahnlQbadDZZjHQ5y9Q8ofP1grEbKsEAXhkemULMKzoT3X3oQlu6yCgedOzbby9LHzxj9rAHG0V5ShypqzxjsoB/woYvxkAaaLSIlThWEwII+bVhe+6P1KyCkPfdzBf5EFvAtzRbN276NxMTyMC6cQn1WBlvsrXUnGZeWig3JFDfKkTOeApQk6A/SGfJETS++f/gmb91MhiN3QxQu+hnVmTq9puUWWGMjSs3S8lQrk446C8NNEQBT57Qno2NKlbHnXbr9+zz2nfEuDImVBZzlRekUzN5ZcTuI5DTh0af0fBfOVm2T5Rulargj9AuS5W17Hb0nR9v6oy0qe1FataC3YWqZmDKL+YRtnANW3HAeLNXtiXqXUahXSRsvsQ84UjOUC5ncKng45FrF4xHAdp7hrobeg5Md7bbKtc6vG+/0QC5fskA+6NsbgAm2Y6MG5q2SvMoqFgKavH9P4iwNmcz7nhWpXESfHmSWWrOZq3MsNxZtkJafKbdDpTdfPPPMxhA+tsshhVHv2nqbMsqyd0ve5su3IAfIhojoskTCMh5oIwRG OjfMYGqf K+/m17BZk7noTAQlFfRw9QFHGBM185kBBtWMmSKZMWhz5CqicgADSzFlhx97IKmfUbXuGFvkhPjd+DFcjzdHSUkwfpL/4hqC9Vs6zYfrvmcxodxr0jYSEXmDjR9CQikIqK5OSrACjHXjULQdF4Uuo7tu/nntRqzJC31P2bbHFV8bFDiqWZjim1aJfvprpEZ8WAAOhm9qI7LLl1OjL/IPK6F/LSIOrdaMwCte0mIeeGT4e1EQgBEH0jiOkOqpfAbhii2BmJ9DiHZOD2YdDddx4jLnm8ncMLqwxloqrSQCZfR41UqkFZBKkGid52poGa85q3nPmSarlaIT1dRw6moxm9Dh0YmCqR4WlSQKKyMq656Wf5LWdvqpnztu6gy9vfh1DYmrnd9RQt300snr3g7ABlz4hRIhNcx6nEAPtm8xGPb7cqi+3eVlOZfQh1cGZfLj438dh2w6CQFeVF717fuFzcNDypD5ntL+RNYAt34RN3FdrHW0dhyyBsS3zk9U/6qO8DovHtcn7WYIqfHd+uDJY/JS7Wvt3xqPepeicvFOSNYAebNAs/MDOcLTWQZbrD2lqKhobZOzIHVONtljtMaeNdcJ81bG0r+qf9uaqNtMS3jUlUQ6Fmya3KU/YOTUyypQVZXHo5nkNzm7cbTlSSI+8ScfbMikBsSJW6IFN64Y+Ql2YimrA6YVSjyOzZI0FN8DaMM2EyL/UYI26jq+hHQbuNhEKdfK0SQEEz+Bjy0enTZVaxmi3kCzXD/oIsjxBQOKYqvEW X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: Syzkaller reported the following issue: kernel BUG at mm/khugepaged.c:1823! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 5097 Comm: syz-executor220 Not tainted 6.2.0-syzkaller-13154-g857f1268a591 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023 RIP: 0010:collapse_file mm/khugepaged.c:1823 [inline] RIP: 0010:hpage_collapse_scan_file+0x67c8/0x7580 mm/khugepaged.c:2233 Code: 00 00 89 de e8 c9 66 a3 ff 31 ff 89 de e8 c0 66 a3 ff 45 84 f6 0f 85 28 0d 00 00 e8 22 64 a3 ff e9 dc f7 ff ff e8 18 64 a3 ff <0f> 0b f3 0f 1e fa e8 0d 64 a3 ff e9 93 f6 ff ff f3 0f 1e fa 4c 89 RSP: 0018:ffffc90003dff4e0 EFLAGS: 00010093 RAX: ffffffff81e95988 RBX: 00000000000001c1 RCX: ffff8880205b3a80 RDX: 0000000000000000 RSI: 00000000000001c0 RDI: 00000000000001c1 RBP: ffffc90003dff830 R08: ffffffff81e90e67 R09: fffffbfff1a433c3 R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000 R13: ffffc90003dff6c0 R14: 00000000000001c0 R15: 0000000000000000 FS: 00007fdbae5ee700(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fdbae6901e0 CR3: 000000007b2dd000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: madvise_collapse+0x721/0xf50 mm/khugepaged.c:2693 madvise_vma_behavior mm/madvise.c:1086 [inline] madvise_walk_vmas mm/madvise.c:1260 [inline] do_madvise+0x9e5/0x4680 mm/madvise.c:1439 __do_sys_madvise mm/madvise.c:1452 [inline] __se_sys_madvise mm/madvise.c:1450 [inline] __x64_sys_madvise+0xa5/0xb0 mm/madvise.c:1450 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The 'xas_store' call during page cache scanning can potentially translate 'xas' into the error state (with the reproducer provided by the syzkaller the error code is -ENOMEM). However, there are no further checks after the 'xas_store', and the next call of 'xas_next' at the start of the scanning cycle doesn't increase the xa_index, and the issue occurs. This patch will add the xarray state error checking after the 'xas_store' and the corresponding result error code. Tested via syzbot. Reported-by: syzbot+9578faa5475acb35fa50@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?id=7d6bb3760e026ece7524500fe44fb024a0e959fc Signed-off-by: Ivan Orlov --- mm/khugepaged.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/mm/khugepaged.c b/mm/khugepaged.c index 92e6f56a932d..4d9850d9ea7f 100644 --- a/mm/khugepaged.c +++ b/mm/khugepaged.c @@ -55,6 +55,7 @@ enum scan_result { SCAN_CGROUP_CHARGE_FAIL, SCAN_TRUNCATED, SCAN_PAGE_HAS_PRIVATE, + SCAN_STORE_FAILED, }; #define CREATE_TRACE_POINTS @@ -1840,6 +1841,15 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr, goto xa_locked; } xas_store(&xas, hpage); + if (xas_error(&xas)) { + /* revert shmem_charge performed + * in the previous condition + */ + mapping->nrpages--; + shmem_uncharge(mapping->host, 1); + result = SCAN_STORE_FAILED; + goto xa_locked; + } nr_none++; continue; } -- 2.34.1