Date: Tue, 5 Nov 2024 13:30:52 -0800
From: Andrew Morton
To: Alan Stern
Cc: syzbot, linux-kernel@vger.kernel.org, linux-mm@kvack.org, pasha.tatashin@soleen.com, syzkaller-bugs@googlegroups.com, linux-usb@vger.kernel.org
Subject: Re: [syzbot] [mm?] kernel BUG in __page_table_check_zero (2)
Message-Id: <20241105133052.599b6b71ff547092c9c7aad7@linux-foundation.org>

On Tue, 5 Nov 2024 15:42:12 -0500 Alan Stern wrote:

> On Tue, Nov 05, 2024 at 11:02:36AM -0800, Andrew Morton wrote:
> > On Tue, 5 Nov 2024 11:39:59 -0500 Alan Stern wrote:
> >
> > > On Mon, Nov 04, 2024 at 08:00:07PM -0800, Andrew Morton wrote:
> > > > On Wed, 30 Oct 2024 21:54:22 -0700 syzbot wrote:
> > > >
> > > > > Hello,
> > > > >
> > > > > syzbot found the following issue on:
> > > >
> > > > Thanks. I'm suspecting some USB issue - fault injection was used to
> > > > trigger a memory allocation failure and dec_usb_memory_use_count() ended
> > > > up freeing an in-use page. Could USB folks please have a look?
> > >
> > > Andrew, I'm not sure what to look for.
> >
> > Thanks for looking.
> >
> > > Can you read through
> > > usbdev_mmap() in drivers/usb/core/devio.c, along with the four short
> > > routines preceding it, and let us know if anything seems obviously
> > > wrong?
> >
> > All I see is lots of USB code which I don't understand ;) It seems odd
>
> Well, I wouldn't expect you to understand the USB-specific stuff. I was
> really asking about the memory-management calls and error handling.
>
> > that usbdev_mmap() calls dec_usb_memory_use_count() on some error
> > paths, but goes direct to usbfs_decrease_memory_usage() on others.
>
> The paths that call dec_usb_memory_use_count() are those on which a
> memory buffer has been allocated and needs to be deallocated. That
> routine then calls usbfs_decrease_memory_usage() as needed.
>
> > Did you try running the "C reproducer"?
>
> No, I haven't. I haven't had much time to work on this. In fact, I
> couldn't even tell exactly which call in dec_usb_memory_use_count()
> caused the fault; the line number listed in the bug report didn't match
> up with any obvious suspects in my copy of the kernel source. Was it
> the kfree(usbm) call?

Check out the syzbot commit first: 850925a8133c. Line 198 is the
hcd_buffer_free_pages() call.

hcd_buffer_free_pages() doesn't appear in the backtrace - a bunch of
things I'd expect to be present aren't there.