From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5C73AC4332F for ; Wed, 5 Jan 2022 00:08:52 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 7AC266B0071; Tue, 4 Jan 2022 19:08:51 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 7358C6B0073; Tue, 4 Jan 2022 19:08:51 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 5D53B6B0074; Tue, 4 Jan 2022 19:08:51 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0016.hostedemail.com [216.40.44.16]) by kanga.kvack.org (Postfix) with ESMTP id 488866B0071 for ; Tue, 4 Jan 2022 19:08:51 -0500 (EST) Received: from smtpin29.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay01.hostedemail.com (Postfix) with ESMTP id 0C296180AA988 for ; Wed, 5 Jan 2022 00:08:51 +0000 (UTC) X-FDA: 78994297662.29.6482FA6 Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) by imf01.hostedemail.com (Postfix) with ESMTP id 97BA440004 for ; Wed, 5 Jan 2022 00:08:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1641341330; x=1672877330; h=date:from:to:cc:subject:in-reply-to:message-id: references:mime-version; bh=JepRpJLYzlSaO6plfJUd7N28rd7f8sx/+iAnJFEy6K0=; b=O9rZCybWSiYVEK+xK8ICQnaNmeyNz6dOR4Vl4v8Djzy8Id6qqZGQjvcO Nskirit/U5gMLzozxbntzfXRuWganRqq065PkYyH8K4n3l/5z7BvrYvMY IWxp1W24c6CnPfTlzMl380HYS0I14Hod4c9ypPZ41UuQC9KfsOlBooLfU Rkk0D9aJIedGXb2FWP1XLkAd9zaT1mpxQ+dA/yon5sOWkYj1DRJjRmkTP 1t7vL4pZHmfciCo1VQPTk+RN+F8YMlRoeiCcXMzKYMktQY61ubqEfqukD ojHKf7pvTQDe/FRA99uNp1JE9AA/dzRNizmWA06i832OU0TNU3FTi1JAS g==; X-IronPort-AV: E=McAfee;i="6200,9189,10217"; a="229649020" X-IronPort-AV: E=Sophos;i="5.88,262,1635231600"; d="scan'208";a="229649020" Received: from fmsmga003.fm.intel.com ([10.253.24.29]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 04 Jan 2022 16:08:48 -0800 X-IronPort-AV: E=Sophos;i="5.88,262,1635231600"; d="scan'208";a="611267959" Received: from marcquat-mobl.amr.corp.intel.com ([10.212.247.3]) by fmsmga003-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 04 Jan 2022 16:08:48 -0800 Date: Tue, 4 Jan 2022 16:08:47 -0800 (PST) From: Mat Martineau To: Andrew Morton , Michal Hocko cc: syzbot , linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, mptcp@lists.linux.dev, netdev@vger.kernel.org, Paolo Abeni Subject: Re: [syzbot] WARNING in page_counter_cancel (3) In-Reply-To: Message-ID: <2bc36f6f-e1e5-52-e62-15adf696bdc@linux.intel.com> References: <00000000000021bb9b05d14bf0c7@google.com> <000000000000f1504c05d36c21ea@google.com> <20211221155736.90bbc5928bcd779e76ca8f95@linux-foundation.org> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed X-Rspamd-Queue-Id: 97BA440004 X-Stat-Signature: n78krmtrqu41hps3gpbnxq1hqz58j64s Authentication-Results: imf01.hostedemail.com; dkim=pass header.d=intel.com header.s=Intel header.b=O9rZCybW; dmarc=pass (policy=none) header.from=intel.com; spf=none (imf01.hostedemail.com: domain of mathew.j.martineau@linux.intel.com has no SPF policy when checking 134.134.136.20) smtp.mailfrom=mathew.j.martineau@linux.intel.com X-Rspamd-Server: rspam02 X-HE-Tag: 1641341316-841115 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Wed, 29 Dec 2021, Michal Hocko wrote: > On Tue 21-12-21 15:57:36, Andrew Morton wrote: >> On Sat, 18 Dec 2021 06:04:22 -0800 syzbot wrote: >> >>> syzbot has found a reproducer for the following issue on: >>> >>> HEAD commit: fbf252e09678 Add linux-next specific files for 20211216 >>> git tree: linux-next >>> console output: https://syzkaller.appspot.com/x/log.txt?x=1797de99b00000 >>> kernel config: https://syzkaller.appspot.com/x/.config?x=7fcbb9aa19a433c8 >>> dashboard link: https://syzkaller.appspot.com/bug?extid=bc9e2d2dbcb347dd215a >>> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 >>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=135d179db00000 >>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=113edb6db00000 >> >> Useful to have that, thanks. >> >> I'm suspecting that mptcp is doing something strange. > > Yes. > >> Could I as the >> developers to please take a look? >> Andrew - Yes, we'll get a fix in to net-next soon - thanks for adding the mptcp & netdev lists. >> >>> IMPORTANT: if you fix the issue, please add the following tag to the commit: >>> Reported-by: syzbot+bc9e2d2dbcb347dd215a@syzkaller.appspotmail.com >>> >>> R13: 00007ffdeb858640 R14: 00007ffdeb858680 R15: 0000000000000004 >>> >>> ------------[ cut here ]------------ >>> page_counter underflow: -4294966651 nr_pages=4294967295 > > __mptcp_mem_reclaim_partial is trying to uncharge (via > __sk_mem_reduce_allocated) negative amount. nr_pages has overflown when > converted from int to unsigned int (-1). I would say that > __mptcp_mem_reclaim_partial has evaluated > reclaimable = mptcp_sk(sk)->rmem_fwd_alloc - sk_unused_reserved_mem(sk) > to 0 and __mptcp_rmem_reclaim(sk, reclaimable - 1) made it -1. Thanks for the analysis Michal. -- Mat Martineau Intel