Date: Fri, 23 Feb 2024 13:43:56 +0900
From: Sergey Senozhatsky
To: Tetsuo Handa
Cc: Johannes Weiner, Yosry Ahmed, Nhat Pham, Minchan Kim, Sergey Senozhatsky, linux-mm
Subject: Re: [mm/page_alloc or mm/vmscan or mm/zswap] use-after-free in obj_malloc()
Message-ID: <20240223044356.GJ11472@google.com>

On (24/02/23 11:10), Tetsuo Handa wrote:
>
> I can observe this bug during evict_folios() from 6.7.0 to 6.8.0-rc5-00163-gffd2cb6b718e.
> Since I haven't observed with 6.6.0, this bug might be introduced in 6.7 cycle.

Can we please run a bisect? There are some zsmalloc patches for 6.8 (mm-unstable),
I don't recall anything in 6.7.

> ----------------------------------------
> [ 0.000000][ T0] Linux version 6.8.0-rc5-00163-gffd2cb6b718e (root@ubuntu) (Ubuntu clang version 14.0.0-1ubuntu1.1, Ubuntu LLD 14.0.0) #1094 SMP PREEMPT_DYNAMIC Fri Feb 23 01:45:21 UTC 2024
> [ 50.026544][ T2974] =====================================================
> [ 50.030627][ T2974] BUG: KMSAN: use-after-free in obj_malloc+0x6cc/0x7b0
> [ 50.034611][ T2974]  obj_malloc+0x6cc/0x7b0
>  obj_malloc at mm/zsmalloc.c:0
> [ 50.037250][ T2974]  zs_malloc+0xdbd/0x1400
>  zs_malloc at mm/zsmalloc.c:0
> [ 50.039852][ T2974]  zs_zpool_malloc+0xa5/0x1b0
>  zs_zpool_malloc at mm/zsmalloc.c:372
> [ 50.044707][ T2974]  zpool_malloc+0x110/0x150
>  zpool_malloc at mm/zpool.c:258
> [ 50.049607][ T2974]  zswap_store+0x2bbb/0x3d30
>  zswap_store at mm/zswap.c:1637
> [ 50.054463][ T2974]  swap_writepage+0x15b/0x4f0
>  swap_writepage at mm/page_io.c:198
> [ 50.059392][ T2974]  pageout+0x41d/0xef0
>  pageout at mm/vmscan.c:654
> [ 50.064057][ T2974]  shrink_folio_list+0x4d7a/0x7480
>  shrink_folio_list at mm/vmscan.c:1316
> [ 50.069176][ T2974]  evict_folios+0x30f1/0x5170
>  evict_folios at mm/vmscan.c:4521
> [ 50.074082][ T2974]  try_to_shrink_lruvec+0x983/0xd20
> [ 50.079352][ T2974]  shrink_one+0x72d/0xeb0
> [ 50.084061][ T2974]  shrink_many+0x70d/0x10b0
> [ 50.088859][ T2974]  lru_gen_shrink_node+0x577/0x850
> [ 50.094192][ T2974]  shrink_node+0x13d/0x1de0
> [ 50.099028][ T2974]  shrink_zones+0x878/0x14a0
> [ 50.103958][ T2974]  do_try_to_free_pages+0x2ac/0x16a0
> [ 50.109138][ T2974]  try_to_free_pages+0xd9e/0x1910
> [ 50.114190][ T2974]  __alloc_pages_slowpath+0x147a/0x2bd0
> [ 50.119555][ T2974]  __alloc_pages+0xb8c/0x1050
> [ 50.124472][ T2974]  alloc_pages_mpol+0x8e0/0xc80
> [ 50.129367][ T2974]  alloc_pages+0x224/0x240
> [ 50.134022][ T2974]  pipe_write+0xabe/0x2ba0
> [ 50.138632][ T2974]  vfs_write+0xfb0/0x1b80
> [ 50.143171][ T2974]  ksys_write+0x275/0x500
> [ 50.147723][ T2974]  __x64_sys_write+0xdf/0x120
> [ 50.152431][ T2974]  do_syscall_64+0xd1/0x1b0
> [ 50.157106][ T2974]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
> [ 50.162382][ T2974]
> [ 50.165956][ T2974] Uninit was stored to memory at:
> [ 50.170819][ T2974]  obj_malloc+0x70a/0x7b0
>  set_freeobj at mm/zsmalloc.c:476
>  (inlined by) obj_malloc at mm/zsmalloc.c:1333
> [ 50.175341][ T2974]  zs_malloc+0xdbd/0x1400
>  zs_malloc at mm/zsmalloc.c:0
> [ 50.179923][ T2974]  zs_zpool_malloc+0xa5/0x1b0
>  zs_zpool_malloc at mm/zsmalloc.c:372
> [ 50.184636][ T2974]  zpool_malloc+0x110/0x150
>  zpool_malloc at mm/zpool.c:258
> [ 50.189257][ T2974]  zswap_store+0x2bbb/0x3d30
>  zswap_store at mm/zswap.c:1637
> [ 50.193918][ T2974]  swap_writepage+0x15b/0x4f0
>  swap_writepage at mm/page_io.c:198
> [ 50.198615][ T2974]  pageout+0x41d/0xef0
>  pageout at mm/vmscan.c:654
> [ 50.203012][ T2974]  shrink_folio_list+0x4d7a/0x7480
>  shrink_folio_list at mm/vmscan.c:1316
> [ 50.207772][ T2974]  evict_folios+0x30f1/0x5170
>  evict_folios at mm/vmscan.c:4521
> [ 50.212321][ T2974]  try_to_shrink_lruvec+0x983/0xd20
> [ 50.217092][ T2974]  shrink_one+0x72d/0xeb0
> [ 50.221441][ T2974]  shrink_many+0x70d/0x10b0
> [ 50.225891][ T2974]  lru_gen_shrink_node+0x577/0x850
> [ 50.230614][ T2974]  shrink_node+0x13d/0x1de0
> [ 50.235128][ T2974]  shrink_zones+0x878/0x14a0
> [ 50.239646][ T2974]  do_try_to_free_pages+0x2ac/0x16a0
> [ 50.244461][ T2974]  try_to_free_pages+0xd9e/0x1910
> [ 50.249151][ T2974]  __alloc_pages_slowpath+0x147a/0x2bd0
> [ 50.254148][ T2974]  __alloc_pages+0xb8c/0x1050
> [ 50.258679][ T2974]  alloc_pages_mpol+0x8e0/0xc80
> [ 50.263289][ T2974]  alloc_pages+0x224/0x240
> [ 50.267767][ T2974]  pipe_write+0xabe/0x2ba0
> [ 50.272190][ T2974]  vfs_write+0xfb0/0x1b80
> [ 50.276543][ T2974]  ksys_write+0x275/0x500
> [ 50.280931][ T2974]  __x64_sys_write+0xdf/0x120
> [ 50.289451][ T2974]  do_syscall_64+0xd1/0x1b0
> [ 50.303402][ T2974]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
> [ 50.318721][ T2974]
> [ 50.328931][ T2974] Uninit was created at:
> [ 50.341845][ T2974]  free_unref_page_prepare+0x130/0xfc0
>  arch_static_branch_jump at arch/x86/include/asm/jump_label.h:55
>  (inlined by) memcg_kmem_online at include/linux/memcontrol.h:1840
>  (inlined by) free_pages_prepare at mm/page_alloc.c:1096
>  (inlined by) free_unref_page_prepare at mm/page_alloc.c:2346
> [ 50.356492][ T2974]  free_unref_page_list+0x139/0x1050
>  free_unref_page_list at mm/page_alloc.c:2532
> [ 50.370898][ T2974]  shrink_folio_list+0x7139/0x7480
>  list_empty at include/linux/list.h:373
>  (inlined by) list_splice at include/linux/list.h:545
>  (inlined by) shrink_folio_list at mm/vmscan.c:1490
> [ 50.385025][ T2974]  evict_folios+0x30f1/0x5170
>  evict_folios at mm/vmscan.c:4521
> [ 50.398448][ T2974]  try_to_shrink_lruvec+0x983/0xd20
> [ 50.412660][ T2974]  shrink_one+0x72d/0xeb0
> [ 50.425591][ T2974]  shrink_many+0x70d/0x10b0
> [ 50.438827][ T2974]  lru_gen_shrink_node+0x577/0x850
> [ 50.454390][ T2974]  shrink_node+0x13d/0x1de0
> [ 50.479401][ T2974]  shrink_zones+0x878/0x14a0
> [ 50.529610][ T2974]  do_try_to_free_pages+0x2ac/0x16a0
> [ 50.544397][ T2974]  try_to_free_pages+0xd9e/0x1910
> [ 50.559556][ T2974]  __alloc_pages_slowpath+0x147a/0x2bd0
> [ 50.574932][ T2974]  __alloc_pages+0xb8c/0x1050
> [ 50.589024][ T2974]  alloc_pages_mpol+0x8e0/0xc80
> [ 50.603421][ T2974]  alloc_pages+0x224/0x240
> [ 50.616483][ T2974]  pipe_write+0xabe/0x2ba0
> [ 50.629601][ T2974]  vfs_write+0xfb0/0x1b80
> [ 50.643009][ T2974]  ksys_write+0x275/0x500
> [ 50.656157][ T2974]  __x64_sys_write+0xdf/0x120
> [ 50.670080][ T2974]  do_syscall_64+0xd1/0x1b0
> [ 50.683405][ T2974]  entry_SYSCALL_64_after_hwframe+0x63/0x6b
> [ 50.698626][ T2974]
> ----------------------------------------
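
As an added illustration that is not part of this thread or of Tetsuo's report: the bisect Sergey asks for can be driven by `git bisect run` with a small predicate that classifies each kernel's boot log by whether the KMSAN report above appears in it, and that pulls out the "Uninit was created at" origin frame so the verdict can be eyeballed. The log lines inside the script are constructed from the quoted report; BUILD_CMD, BOOT_CMD, the BISECT_BOOT_OK marker and the file name kmsan-bisect.sh are assumptions, and the endpoints (v6.6 good, v6.7 bad) follow the versions Tetsuo names.

```shell
#!/bin/sh
# kmsan-bisect.sh (added example, not from the thread). Classifies a kernel
# boot log for `git bisect run`: bad when KMSAN reports a use-after-free in
# obj_malloc(), good when boot finished without it, skip otherwise.
# BUILD_CMD, BOOT_CMD and the BISECT_BOOT_OK marker are assumptions.

# kmsan_uaf_in LOGFILE FUNC: true when LOGFILE carries a KMSAN use-after-free
# report attributed to FUNC (the "BUG: KMSAN: use-after-free in FUNC+off/len" line).
kmsan_uaf_in() {
    grep -q "BUG: KMSAN: use-after-free in $2+" "$1"
}

# uninit_origin LOGFILE: prints the function named on the first frame after
# "Uninit was created at:", i.e. where the memory was freed before reuse.
uninit_origin() {
    sed -n '/Uninit was created at:/{n;s/.*\] *//;s/+.*//;p;q;}' "$1"
}

# bisect_verdict LOGFILE: prints the exit status git bisect expects.
#   1   bad  - the obj_malloc() report is present
#   0   good - boot reached the (constructed) BISECT_BOOT_OK marker, no report
#   125 skip - boot never got that far; not evidence either way
bisect_verdict() {
    if kmsan_uaf_in "$1" obj_malloc; then
        echo 1
    elif grep -q 'BISECT_BOOT_OK' "$1"; then
        echo 0
    else
        echo 125
    fi
}

# make_sample_log bad|good|hang: writes a constructed boot log (lines taken
# and shortened from the quoted report) to a temp file and prints its path.
make_sample_log() {
    f=$(mktemp) || return 1
    case "$1" in
    bad) cat >"$f" <<'EOF'
[ 50.030627][ T2974] BUG: KMSAN: use-after-free in obj_malloc+0x6cc/0x7b0
[ 50.034611][ T2974]  obj_malloc+0x6cc/0x7b0
[ 50.037250][ T2974]  zs_malloc+0xdbd/0x1400
[ 50.165956][ T2974] Uninit was stored to memory at:
[ 50.170819][ T2974]  obj_malloc+0x70a/0x7b0
[ 50.328931][ T2974] Uninit was created at:
[ 50.341845][ T2974]  free_unref_page_prepare+0x130/0xfc0
[ 50.356492][ T2974]  free_unref_page_list+0x139/0x1050
BISECT_BOOT_OK
EOF
    ;;
    good) printf '%s\n' '[ 0.000000][ T0] Linux version 6.6.0 (constructed)' 'BISECT_BOOT_OK' >"$f" ;;
    hang) printf '%s\n' '[ 0.000000][ T0] Linux version 6.7.0 (constructed)' >"$f" ;;
    esac
    echo "$f"
}

# bisect_step: one build-and-boot cycle. BOOT_CMD (placeholder) must write the
# serial console to the log path it is given and append BISECT_BOOT_OK once
# userspace is up; a failed build is reported as "skip", not "bad".
bisect_step() {
    LOG=$(mktemp) || exit 125
    ${BUILD_CMD:-false} || exit 125
    ${BOOT_CMD:-false} "$LOG"
    echo "origin of freed memory: $(uninit_origin "$LOG")" >&2
    exit "$(bisect_verdict "$LOG")"
}

# Usage, with the endpoints Tetsuo reports (6.6.0 clean, 6.7.0 affected):
#   git bisect start v6.7 v6.6
#   BUILD_CMD='make -j8' BOOT_CMD=./boot-and-capture.sh \
#       git bisect run sh ./kmsan-bisect.sh --bisect-step
if [ "${1:-}" = "--bisect-step" ]; then
    bisect_step
fi
```

Returning 125 for a kernel that fails to build or never reaches userspace matters: reporting such commits as "bad" would drag the bisect toward unrelated breakage instead of the zsmalloc change Sergey suspects.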