From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2250AC6FD1D for ; Thu, 30 Mar 2023 15:53:13 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 80DC26B0071; Thu, 30 Mar 2023 11:53:13 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 7BE236B0072; Thu, 30 Mar 2023 11:53:13 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 6865A6B0074; Thu, 30 Mar 2023 11:53:13 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com [216.40.44.17]) by kanga.kvack.org (Postfix) with ESMTP id 596176B0071 for ; Thu, 30 Mar 2023 11:53:13 -0400 (EDT) Received: from smtpin04.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay09.hostedemail.com (Postfix) with ESMTP id 2DDA781081 for ; Thu, 30 Mar 2023 15:53:13 +0000 (UTC) X-FDA: 80626008666.04.66CDB1F Received: from mail-ed1-f45.google.com (mail-ed1-f45.google.com [209.85.208.45]) by imf15.hostedemail.com (Postfix) with ESMTP id 5B172A0021 for ; Thu, 30 Mar 2023 15:53:10 +0000 (UTC) Authentication-Results: imf15.hostedemail.com; dkim=pass header.d=gmail.com header.s=20210112 header.b=ROBarmsc; spf=pass (imf15.hostedemail.com: domain of ivan.orlov0322@gmail.com designates 209.85.208.45 as permitted sender) smtp.mailfrom=ivan.orlov0322@gmail.com; dmarc=pass (policy=none) header.from=gmail.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1680191590; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-transfer-encoding:content-transfer-encoding: in-reply-to:references:dkim-signature; bh=ikZyF37hU9YDO+GQB/GUbHTmkdXciWAtoxo0PEHvqgY=; b=NZHSN8dh15irgsle72lF636SSWQmWmgkN/nVbdkA84h1XzqcojiY2yPZem6qdtO9cCRfTI knMYBDOqx4/VhPq5u0SfzyxyfK+av/OGY/nTXEreyaYIyFlJkJjQZiQSOXgzwktSexsBpp 2ZNDu/AuuaX0SPU1HvV0q+oxTl0/xuM= ARC-Authentication-Results: i=1; imf15.hostedemail.com; dkim=pass header.d=gmail.com header.s=20210112 header.b=ROBarmsc; spf=pass (imf15.hostedemail.com: domain of ivan.orlov0322@gmail.com designates 209.85.208.45 as permitted sender) smtp.mailfrom=ivan.orlov0322@gmail.com; dmarc=pass (policy=none) header.from=gmail.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1680191590; a=rsa-sha256; cv=none; b=p5zBTLBzZup1CvHCgVICKpg4QNxWz3os2eZLLLKNttWIVSxyNp48+WPqtKnJgq91/W8JkC xIFJdChTMfxrJtNbL2HmlEY8jvJ96MJohp46L/ZwGt7chxnqN0rAFxwnkjkhGYmrb55tk9 +kLCJ2dnuUa74GYzqO8gMmm+/SlsuJU= Received: by mail-ed1-f45.google.com with SMTP id eh3so78238093edb.11 for ; Thu, 30 Mar 2023 08:53:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1680191589; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=ikZyF37hU9YDO+GQB/GUbHTmkdXciWAtoxo0PEHvqgY=; b=ROBarmsc9FRDQk/abfcUvYA25l2Bl8IEyF1WgfDPAx4A5JuDBqHyeCrwreeMJyenNA v/OJvRZVjGKu2bWHM+Y28FtVAY6hyB6C03uv4iS0cfRSbz/rNPzTHClz1dEfTIq8hAo/ E2RjDsaqtmGYV8cQslOaONDxnL3O6+LRmtpvoq1XA6o4BxiTC15ritsL82jR1iGCzY7C 3D2+R8sk27Dp51zWeHJx80dTawRIABmezauk948tCUgvfgwcei/0sLl0SuFo6h3Ofh6d U55bwxxMHRJLYAxH4nI8QpYP6r39xLfRaF8nWV7+OZhpkXsY2QUuxWRnvwrdCzq/CGqE aKiQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680191589; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ikZyF37hU9YDO+GQB/GUbHTmkdXciWAtoxo0PEHvqgY=; b=yjTg4G4BgPAtSdhrRN9xRpaxDKfeAT0Uxwu68njjGAFCPzZhrgY9PNJW1CUYcbLG4n BRm+Y3IytzUtZ4453ouPA1lV459/OteIbl30/Z5hv/bl8G1O4O9R18yrMiEbXuHOqCjg zlZ1ASGto+K97rzaxnXGjufL4uuM4Fig2eQOxxbhEnPXqdL2XAlVD/8oSgTh6atSg5ym rYc5gbdbGJ2KLVajNcf3r1WqtWOQz0tLt5XHN9AnSg6ZpzviyqFjmockJVxzoF9BDtqg ZpanXUElmYLV+a60HQt1ZrtHtB7P4amjutxlz4a3XVpWV65zakkoVLLXHkQseovlli4X FdTQ== X-Gm-Message-State: AAQBX9dd9WUI6xqnqUbviWbsQb+5E2Ye+nJIDC42UKxznV2RuIrIjPTn 043BoQc5whZnmBqNg9ssk3A= X-Google-Smtp-Source: AKy350bonleupkdfcCxOXzFGjgMB/RZ0SXYhmfxsTBkQyFAwaTdJDflIKAwbXhgwxlO9d0UptITKhQ== X-Received: by 2002:a17:906:2098:b0:8d2:78c5:1d4e with SMTP id 24-20020a170906209800b008d278c51d4emr2497476ejq.5.1680191588594; Thu, 30 Mar 2023 08:53:08 -0700 (PDT) Received: from ivan-HLYL-WXX9.. ([37.252.81.51]) by smtp.gmail.com with ESMTPSA id e7-20020a170906248700b0093408d33875sm15027305ejb.49.2023.03.30.08.53.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 30 Mar 2023 08:53:08 -0700 (PDT) From: Ivan Orlov To: akpm@linux-foundation.org Cc: Ivan Orlov , linux-mm@kvack.org, linux-kernel@vger.kernel.org, himadrispandya@gmail.com, skhan@linuxfoundation.org, linux-kernel-mentees@lists.linuxfoundation.org, shy828301@gmail.com, zokeefe@google.com, syzbot+9578faa5475acb35fa50@syzkaller.appspotmail.com Subject: [PATCH v2] mm: khugepaged: Fix kernel BUG in hpage_collapse_scan_file Date: Thu, 30 Mar 2023 19:53:05 +0400 Message-Id: <20230330155305.423051-1-ivan.orlov0322@gmail.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Rspam-User: X-Rspamd-Server: rspam04 X-Rspamd-Queue-Id: 5B172A0021 X-Stat-Signature: q49uus3sh5ckeq56szwqp3rk9tnnecs7 X-HE-Tag: 1680191590-866476 X-HE-Meta: U2FsdGVkX1+lXBSBCwjSsOQ6Wcr9yubO7ffWVVuLLBnIL/3XcyRpawFSUloI8vJJXHIwDv1rPFDnNsa4rsE8fXG7VkRqpgDDe8m/WFLSaYJ9QY4u91HhCH33r2dBTgkRJjtCOnCez5Vh63zc9tolFQMH3wmTT7Etc2XgMSi8b5t0npEZ851VNFSMvujLBZNStMn+6WH1QnProIruFNoiAJUaWDzHyddr8GJw648AIIQZEpMMqj7OxgSEYJFg1N1l5jvOngkPg91qT/evuHYaZ+OFfyTr5ZDvH9xbBydVdTh/0HgKD9M8RsQQWWNXYO1UUtOYvzfwHUZsnHFh6+FuqV4m4fz4P6cZwJvhzFHoJ7V8RcbFJqhXrAqwvMp/ETATaJuSJLibJJuueORZh+fN99mQtRSHKpskt2tC0tS/ArSkppXYVD1Tb7LjeWETp22SB37rpZRC6VeFh5LBkjTJ7KJReO8eAqbGuKRVpglbg1EoXk3tzY3+nAkDinxJPAKdlOlkZxuF8h5s3+eTy7zEdSZIqYD3+Ew+3YIN8NAVYS8yZyNEwljaE4BIysjEjkfydp9XXdh3vcO2URquVe/NOA3t1VPhs8ESP2QnW6M3cindBcmTVhculroPL/eJymwyR6UiNFOK43HdzvwEop8pB4Pqzf7VLGvk8UtI6ycSixQPmnBFWnIv7eUyiCI7+cs4A7lQ8s9VH4xGNGnIs40kuoLdaF5EgSGl14YT5UW4JyPIDkZQPJ50ab+nRrKx9mpOAnkwa+O8a+5OKIF5WT6K3XkOvuxe5BfQxvXi1PxpdbF15GiDN36WbwVFP4zK0xJoXQ+7OYGvrKwcmd8ZmqBWe7nzifQyezqiU54CxIl2M/6TAecr+NT0ewnSbsdV2SlI6BSmldSlgrpnl4UZ/r3xxCJbFvZYup7ih1MA/X81WguSqpx6YHqJBQ3N/rk22rgdIbIGWqFlQch7tUxd2UU Qy2XtefQ b/fnm1uE4aXahBg3R2W5vTPfraaIfOoFpS7V9ilKfxCtkG2J4RIe4dJpab3WNhogFMVx8VBae/vFHD38XUhnoGODuLDmuOqxoi4lM9Qn9bfG2gJcV7dqLGYBH5QcBBkPAw5W6m4OtFYH4xzCl44esfwwqv5kCCp97ZUWjoteMqAQcptgqKIONAjI2qy7pHIJi70J16pVDG06M0FwMrxyFhzflZyFqo0yjjvIOi+PwhQSc7k3GV7iJ0vDWjIijwzzr4QB3KLaxnhpeLGg9O3zFXhMABnseAdRvDzAHfYh78Bx6KRtZfBKUkOn+F9JC++fVSxMpt95PeD8C3ikKAlOrw4xalnXlmGK+TWdGD5lsQnmOCfGHIYZVHU1kyfOMeS4dDjzwwLwgIJGzwaRpGcf2vGL+fw/54IjmgLLsSqMWY0JkvznDWaMAMk5fHJqCoSxhY6rpeF5rDPuZc1ZtHHDML/lcVGJImFdBJXiP4g31id1HeVBnKM/5NK4qPkSz1VLws2CKhJGxg+IQ/tnbZAslthyQqHUPc52MIA7Cbt1RQucLdy2LBf4pYNrMEmIzk1hfEmRmf69AUH8hseVO6X1MI8s6e/uyAPsO/+RUpnnHWA6iIG8gwTsObfA21StCxlZp+7p4/ki/UB8+fQYWbUNdakwC3MYRNIjQhqqH8TpyCeXFzyXmruKwfDGHF7d2jG8Q1Ubc6PgHZGAyHOPHrabvRFvn3J2xdv6bDWB8ceCY0k4x2yuNNQ6Opa/smZoETec4voRE X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: Syzkaller reported the following issue: kernel BUG at mm/khugepaged.c:1823! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 5097 Comm: syz-executor220 Not tainted 6.2.0-syzkaller-13154-g857f1268a591 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023 RIP: 0010:collapse_file mm/khugepaged.c:1823 [inline] RIP: 0010:hpage_collapse_scan_file+0x67c8/0x7580 mm/khugepaged.c:2233 Code: 00 00 89 de e8 c9 66 a3 ff 31 ff 89 de e8 c0 66 a3 ff 45 84 f6 0f 85 28 0d 00 00 e8 22 64 a3 ff e9 dc f7 ff ff e8 18 64 a3 ff <0f> 0b f3 0f 1e fa e8 0d 64 a3 ff e9 93 f6 ff ff f3 0f 1e fa 4c 89 RSP: 0018:ffffc90003dff4e0 EFLAGS: 00010093 RAX: ffffffff81e95988 RBX: 00000000000001c1 RCX: ffff8880205b3a80 RDX: 0000000000000000 RSI: 00000000000001c0 RDI: 00000000000001c1 RBP: ffffc90003dff830 R08: ffffffff81e90e67 R09: fffffbfff1a433c3 R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000 R13: ffffc90003dff6c0 R14: 00000000000001c0 R15: 0000000000000000 FS: 00007fdbae5ee700(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fdbae6901e0 CR3: 000000007b2dd000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: madvise_collapse+0x721/0xf50 mm/khugepaged.c:2693 madvise_vma_behavior mm/madvise.c:1086 [inline] madvise_walk_vmas mm/madvise.c:1260 [inline] do_madvise+0x9e5/0x4680 mm/madvise.c:1439 __do_sys_madvise mm/madvise.c:1452 [inline] __se_sys_madvise mm/madvise.c:1450 [inline] __x64_sys_madvise+0xa5/0xb0 mm/madvise.c:1450 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The 'xas_store' call during page cache scanning can potentially translate 'xas' into the error state (with the reproducer provided by the syzkaller the error code is -ENOMEM). However, there are no further checks after the 'xas_store', and the next call of 'xas_next' at the start of the scanning cycle doesn't increase the xa_index, and the issue occurs. This patch will add the xarray state error checking after the 'xas_store' and the corresponding result error code. It will also add xarray state error checking via WARN_ON_ONCE macros, to be sure that ENOMEM or other possible errors don't occur at the places they shouldn't. Tested via syzbot. Reported-by: syzbot+9578faa5475acb35fa50@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?id=7d6bb3760e026ece7524500fe44fb024a0e959fc Signed-off-by: Ivan Orlov --- V1 -> V2: Add WARN_ON_ONCE error checking and comments mm/khugepaged.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/mm/khugepaged.c b/mm/khugepaged.c index 92e6f56a932d..8b6580b13339 100644 --- a/mm/khugepaged.c +++ b/mm/khugepaged.c @@ -55,6 +55,7 @@ enum scan_result { SCAN_CGROUP_CHARGE_FAIL, SCAN_TRUNCATED, SCAN_PAGE_HAS_PRIVATE, + SCAN_STORE_FAILED, }; #define CREATE_TRACE_POINTS @@ -1840,6 +1841,15 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr, goto xa_locked; } xas_store(&xas, hpage); + if (xas_error(&xas)) { + /* revert shmem_charge performed + * in the previous condition + */ + mapping->nrpages--; + shmem_uncharge(mapping->host, 1); + result = SCAN_STORE_FAILED; + goto xa_locked; + } nr_none++; continue; } @@ -1992,6 +2002,11 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr, /* Finally, replace with the new page. */ xas_store(&xas, hpage); + /* We can't get an ENOMEM here (because the allocation happened before) + * but let's check for errors (XArray implementation can be + * changed in the future) + */ + WARN_ON_ONCE(xas_error(&xas)); continue; out_unlock: unlock_page(page); @@ -2029,6 +2044,11 @@ static int collapse_file(struct mm_struct *mm, unsigned long addr, /* Join all the small entries into a single multi-index entry */ xas_set_order(&xas, start, HPAGE_PMD_ORDER); xas_store(&xas, hpage); + /* Here we can't get an ENOMEM (because entries were + * previously allocated) But let's check for errors + * (XArray implementation can be changed in the future) + */ + WARN_ON_ONCE(xas_error(&xas)); xa_locked: xas_unlock_irq(&xas); xa_unlocked: -- 2.34.1