From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 5D044C02198
	for <linux-mm@archiver.kernel.org>; Tue, 18 Feb 2025 08:23:52 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id CBA6B2800FC; Tue, 18 Feb 2025 03:23:51 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id C42A12800F9; Tue, 18 Feb 2025 03:23:51 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id A6DEF2800FC; Tue, 18 Feb 2025 03:23:51 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0014.hostedemail.com [216.40.44.14])
	by kanga.kvack.org (Postfix) with ESMTP id 8497E2800F9
	for <linux-mm@kvack.org>; Tue, 18 Feb 2025 03:23:51 -0500 (EST)
Received: from smtpin06.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay05.hostedemail.com (Postfix) with ESMTP id 2A6C74C4D5
	for <linux-mm@kvack.org>; Tue, 18 Feb 2025 08:23:51 +0000 (UTC)
X-FDA: 83132377062.06.F33F92D
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	by imf27.hostedemail.com (Postfix) with ESMTP id 827C140007
	for <linux-mm@kvack.org>; Tue, 18 Feb 2025 08:23:48 +0000 (UTC)
Authentication-Results: imf27.hostedemail.com;
	dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=AHjkNdVg;
	spf=pass (imf27.hostedemail.com: domain of david@redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=david@redhat.com;
	dmarc=pass (policy=none) header.from=redhat.com
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1739867028; a=rsa-sha256;
	cv=none;
	b=3VYYdTmWiXy1Bl4HzZA4kK6/CUinSexaWH027ggZ4w2V/BAREhtKzPax3VgKPneHyrCP2X
	/toMUk08DPBeF6FpV7r7VDdoArhIPXfx5riLtijoWwIW/RGyEM2MyWuI98784xEVHn3mXi
	4cyaYnkdAhjwgMQd9miNzYNlokkMPJw=
ARC-Authentication-Results: i=1;
	imf27.hostedemail.com;
	dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=AHjkNdVg;
	spf=pass (imf27.hostedemail.com: domain of david@redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=david@redhat.com;
	dmarc=pass (policy=none) header.from=redhat.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1739867028;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=qBvHlvfhr6BmJazXy9Q+HDDUtHYXQv5MYZOFyogRBUc=;
	b=ttZLrbqnD9uC2hc1CJuUYGWNkFrWfJ3RrslKSoT002jsL0X6DFGuXQ1QoQRk7eSh7iRng9
	pGIJTTbH6IgojJQxNei884QeNyEoSbqVJvUW9YoRX8hqB0acD3Mq4WQ02Vj09x+k9p1O4R
	FFYhEyO9/ULHAkrHUz1doXU/gdXnGqM=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1739867027;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:autocrypt:autocrypt;
	bh=qBvHlvfhr6BmJazXy9Q+HDDUtHYXQv5MYZOFyogRBUc=;
	b=AHjkNdVggqCn5ixPR0TlSAdMa51TZQtnr7ROW+UwCmybVGN9oNwuuxqAYYTWisjKlS/7Ym
	XTFXaMU2LEr8MGzszi7lXWa9m+DjcvbyF/txEnDbGm3nY5Jc18KHLT3WKvL8WmEAQLxOx7
	LkcNVRb0sGq5H6sXRCGkL8TUqxo5rJA=
Received: from mail-wm1-f71.google.com (mail-wm1-f71.google.com
 [209.85.128.71]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-694-VFMpE6_EPvClalDkmeFOLw-1; Tue, 18 Feb 2025 03:23:44 -0500
X-MC-Unique: VFMpE6_EPvClalDkmeFOLw-1
X-Mimecast-MFC-AGG-ID: VFMpE6_EPvClalDkmeFOLw_1739867023
Received: by mail-wm1-f71.google.com with SMTP id 5b1f17b1804b1-4394b8bd4e1so31049815e9.0
        for <linux-mm@kvack.org>; Tue, 18 Feb 2025 00:23:44 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1739867023; x=1740471823;
        h=content-transfer-encoding:in-reply-to:organization:autocrypt
         :content-language:from:references:cc:to:subject:user-agent
         :mime-version:date:message-id:x-gm-message-state:from:to:cc:subject
         :date:message-id:reply-to;
        bh=qBvHlvfhr6BmJazXy9Q+HDDUtHYXQv5MYZOFyogRBUc=;
        b=mHBuhrL21kVtG8gMxuBHioOiWuyiC0DesA9yZBSnN23GIi68m0Dv+w9rMV3wVCs+mt
         hhd3AnsD2RsFhB6vGXichZTvKV3SYcNe0rECo3rx8abjaROS/aTtC+UMZTbdnGalAb3U
         /8R0jK7hN7Oo6WWbNdA7XTa3L0BuYatsu3lVVyPDs/gIftx6S6Z9uqGyHGYeUOuO2RpT
         pw/xy7RBOgWkzY6QyR5YbOujgiocom1mrjqGgB8QQBpob8j97mz9iM9qS0zp9UY2Ylq8
         Q+04N4BET/p7smkIpQJV+xQ8lfTU2DXmaG0DmB5FXrsfP9fPJuvepX0kRyMYZpkLxDi8
         nqeg==
X-Forwarded-Encrypted: i=1; AJvYcCXF/PVF8lywUqL1XWU7cml4Db62WD/DsJy25FjW3N1nl9H49bZsKS0MvfKCPnCgd5DnS9s4NqFo4Q==@kvack.org
X-Gm-Message-State: AOJu0YyR1hZvYBo4tyJH35Q3DSMOf95m9DwTAIM9Qo5z8bkIxxU1lOuB
	l+r1d/aftSRVQcAoE/6oxJ9864r068jmM4Rs9H8GCdZNLL52ASGaaL5DRDO/b57V2Ig2dhbF1TA
	gRHKUdhdUZhkg6o25MPwziMJna9c/YpD7n9I202/q0VU9PVUe
X-Gm-Gg: ASbGncs5sgZizE2LOcLwtWPRNb2HUEO/IQGv7WUT3y03grMXaB7/RfDGddVSzBsiiV1
	2F2iAxCNRD0AL8bbAHpDfPuXPbL6CZRY4qRtnsBHgqoUluirYIC0JsT5XgE8wgUZkmBUnXbkkSz
	kIVU81XFBmPy8sGTnSxyAzc0rgmrq6lnBT3xZX30OjZbw+tl2nKmuCDjOYQWDWGdKO6+GPWUzQp
	uffGznme4gJ6YUBs1cXFxp7rKQf/PhUJvR73eF8DqbVJiaAvAYt8O+kzUZzSHorNYpXnC1XJZT7
	t8VZGhdtDOP2Promt6ZtQ2wMveEkdthA4A==
X-Received: by 2002:a05:600c:4f0b:b0:439:8e3e:b0d6 with SMTP id 5b1f17b1804b1-4398e3eb2efmr32505985e9.13.1739867023329;
        Tue, 18 Feb 2025 00:23:43 -0800 (PST)
X-Google-Smtp-Source: AGHT+IF1tH9YBQtD4GkUVh4n7y0i9ZJ1I2JKGhUsOrKgQV1OtugdjJp59dqV+zBOCHkFIW2CoWU6WQ==
X-Received: by 2002:a05:600c:4f0b:b0:439:8e3e:b0d6 with SMTP id 5b1f17b1804b1-4398e3eb2efmr32505555e9.13.1739867022833;
        Tue, 18 Feb 2025 00:23:42 -0800 (PST)
Received: from [192.168.3.141] (p5b0c61a2.dip0.t-ipconnect.de. [91.12.97.162])
        by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4398a64febasm36172685e9.1.2025.02.18.00.23.39
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 18 Feb 2025 00:23:41 -0800 (PST)
Message-ID: <3b893634-5453-42d0-b8dc-e9d07988e9e9@redhat.com>
Date: Tue, 18 Feb 2025 09:23:39 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: Add Morton,Peter and David for discussion//Re: [PATCH -next]
 uprobes: fix two zero old_folio bugs in __replace_page()
To: Tong Tiangen <tongtiangen@huawei.com>,
 Masami Hiramatsu <mhiramat@kernel.org>, Oleg Nesterov <oleg@redhat.com>,
 Peter Zijlstra <peterz@infradead.org>, Ingo Molnar <mingo@redhat.com>,
 Arnaldo Carvalho de Melo <acme@kernel.org>,
 Namhyung Kim <namhyung@kernel.org>, Mark Rutland <mark.rutland@arm.com>,
 Alexander Shishkin <alexander.shishkin@linux.intel.com>,
 Jiri Olsa <jolsa@kernel.org>, Ian Rogers <irogers@google.com>,
 Adrian Hunter <adrian.hunter@intel.com>,
 "Liang, Kan" <kan.liang@linux.intel.com>,
 Andrew Morton <akpm@linux-foundation.org>, Peter Xu <peterx@redhat.com>
Cc: linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org,
 linux-perf-users@vger.kernel.org, bpf@vger.kernel.org,
 wangkefeng.wang@huawei.com, linux-mm <linux-mm@kvack.org>
References: <20250217123826.88503-1-tongtiangen@huawei.com>
 <c2924e9e-1a42-a4f6-5066-ea2e15477c11@huawei.com>
From: David Hildenbrand <david@redhat.com>
Autocrypt: addr=david@redhat.com; keydata=
 xsFNBFXLn5EBEAC+zYvAFJxCBY9Tr1xZgcESmxVNI/0ffzE/ZQOiHJl6mGkmA1R7/uUpiCjJ
 dBrn+lhhOYjjNefFQou6478faXE6o2AhmebqT4KiQoUQFV4R7y1KMEKoSyy8hQaK1umALTdL
 QZLQMzNE74ap+GDK0wnacPQFpcG1AE9RMq3aeErY5tujekBS32jfC/7AnH7I0v1v1TbbK3Gp
 XNeiN4QroO+5qaSr0ID2sz5jtBLRb15RMre27E1ImpaIv2Jw8NJgW0k/D1RyKCwaTsgRdwuK
 Kx/Y91XuSBdz0uOyU/S8kM1+ag0wvsGlpBVxRR/xw/E8M7TEwuCZQArqqTCmkG6HGcXFT0V9
 PXFNNgV5jXMQRwU0O/ztJIQqsE5LsUomE//bLwzj9IVsaQpKDqW6TAPjcdBDPLHvriq7kGjt
 WhVhdl0qEYB8lkBEU7V2Yb+SYhmhpDrti9Fq1EsmhiHSkxJcGREoMK/63r9WLZYI3+4W2rAc
 UucZa4OT27U5ZISjNg3Ev0rxU5UH2/pT4wJCfxwocmqaRr6UYmrtZmND89X0KigoFD/XSeVv
 jwBRNjPAubK9/k5NoRrYqztM9W6sJqrH8+UWZ1Idd/DdmogJh0gNC0+N42Za9yBRURfIdKSb
 B3JfpUqcWwE7vUaYrHG1nw54pLUoPG6sAA7Mehl3nd4pZUALHwARAQABzSREYXZpZCBIaWxk
 ZW5icmFuZCA8ZGF2aWRAcmVkaGF0LmNvbT7CwZgEEwEIAEICGwMGCwkIBwMCBhUIAgkKCwQW
 AgMBAh4BAheAAhkBFiEEG9nKrXNcTDpGDfzKTd4Q9wD/g1oFAl8Ox4kFCRKpKXgACgkQTd4Q
 9wD/g1oHcA//a6Tj7SBNjFNM1iNhWUo1lxAja0lpSodSnB2g4FCZ4R61SBR4l/psBL73xktp
 rDHrx4aSpwkRP6Epu6mLvhlfjmkRG4OynJ5HG1gfv7RJJfnUdUM1z5kdS8JBrOhMJS2c/gPf
 wv1TGRq2XdMPnfY2o0CxRqpcLkx4vBODvJGl2mQyJF/gPepdDfcT8/PY9BJ7FL6Hrq1gnAo4
 3Iv9qV0JiT2wmZciNyYQhmA1V6dyTRiQ4YAc31zOo2IM+xisPzeSHgw3ONY/XhYvfZ9r7W1l
 pNQdc2G+o4Di9NPFHQQhDw3YTRR1opJaTlRDzxYxzU6ZnUUBghxt9cwUWTpfCktkMZiPSDGd
 KgQBjnweV2jw9UOTxjb4LXqDjmSNkjDdQUOU69jGMUXgihvo4zhYcMX8F5gWdRtMR7DzW/YE
 BgVcyxNkMIXoY1aYj6npHYiNQesQlqjU6azjbH70/SXKM5tNRplgW8TNprMDuntdvV9wNkFs
 9TyM02V5aWxFfI42+aivc4KEw69SE9KXwC7FSf5wXzuTot97N9Phj/Z3+jx443jo2NR34XgF
 89cct7wJMjOF7bBefo0fPPZQuIma0Zym71cP61OP/i11ahNye6HGKfxGCOcs5wW9kRQEk8P9
 M/k2wt3mt/fCQnuP/mWutNPt95w9wSsUyATLmtNrwccz63XOwU0EVcufkQEQAOfX3n0g0fZz
 Bgm/S2zF/kxQKCEKP8ID+Vz8sy2GpDvveBq4H2Y34XWsT1zLJdvqPI4af4ZSMxuerWjXbVWb
 T6d4odQIG0fKx4F8NccDqbgHeZRNajXeeJ3R7gAzvWvQNLz4piHrO/B4tf8svmRBL0ZB5P5A
 2uhdwLU3NZuK22zpNn4is87BPWF8HhY0L5fafgDMOqnf4guJVJPYNPhUFzXUbPqOKOkL8ojk
 CXxkOFHAbjstSK5Ca3fKquY3rdX3DNo+EL7FvAiw1mUtS+5GeYE+RMnDCsVFm/C7kY8c2d0G
 NWkB9pJM5+mnIoFNxy7YBcldYATVeOHoY4LyaUWNnAvFYWp08dHWfZo9WCiJMuTfgtH9tc75
 7QanMVdPt6fDK8UUXIBLQ2TWr/sQKE9xtFuEmoQGlE1l6bGaDnnMLcYu+Asp3kDT0w4zYGsx
 5r6XQVRH4+5N6eHZiaeYtFOujp5n+pjBaQK7wUUjDilPQ5QMzIuCL4YjVoylWiBNknvQWBXS
 lQCWmavOT9sttGQXdPCC5ynI+1ymZC1ORZKANLnRAb0NH/UCzcsstw2TAkFnMEbo9Zu9w7Kv
 AxBQXWeXhJI9XQssfrf4Gusdqx8nPEpfOqCtbbwJMATbHyqLt7/oz/5deGuwxgb65pWIzufa
 N7eop7uh+6bezi+rugUI+w6DABEBAAHCwXwEGAEIACYCGwwWIQQb2cqtc1xMOkYN/MpN3hD3
 AP+DWgUCXw7HsgUJEqkpoQAKCRBN3hD3AP+DWrrpD/4qS3dyVRxDcDHIlmguXjC1Q5tZTwNB
 boaBTPHSy/Nksu0eY7x6HfQJ3xajVH32Ms6t1trDQmPx2iP5+7iDsb7OKAb5eOS8h+BEBDeq
 3ecsQDv0fFJOA9ag5O3LLNk+3x3q7e0uo06XMaY7UHS341ozXUUI7wC7iKfoUTv03iO9El5f
 XpNMx/YrIMduZ2+nd9Di7o5+KIwlb2mAB9sTNHdMrXesX8eBL6T9b+MZJk+mZuPxKNVfEQMQ
 a5SxUEADIPQTPNvBewdeI80yeOCrN+Zzwy/Mrx9EPeu59Y5vSJOx/z6OUImD/GhX7Xvkt3kq
 Er5KTrJz3++B6SH9pum9PuoE/k+nntJkNMmQpR4MCBaV/J9gIOPGodDKnjdng+mXliF3Ptu6
 3oxc2RCyGzTlxyMwuc2U5Q7KtUNTdDe8T0uE+9b8BLMVQDDfJjqY0VVqSUwImzTDLX9S4g/8
 kC4HRcclk8hpyhY2jKGluZO0awwTIMgVEzmTyBphDg/Gx7dZU1Xf8HFuE+UZ5UDHDTnwgv7E
 th6RC9+WrhDNspZ9fJjKWRbveQgUFCpe1sa77LAw+XFrKmBHXp9ZVIe90RMe2tRL06BGiRZr
 jPrnvUsUUsjRoRNJjKKA/REq+sAnhkNPPZ/NNMjaZ5b8Tovi8C0tmxiCHaQYqj7G2rgnT0kt
 WNyWQQ==
Organization: Red Hat
In-Reply-To: <c2924e9e-1a42-a4f6-5066-ea2e15477c11@huawei.com>
X-Mimecast-Spam-Score: 0
X-Mimecast-MFC-PROC-ID: HIkXcP6izgHa1zDRxdcRZFYSS9ifujlOf6-LoFDqmFA_1739867023
X-Mimecast-Originator: redhat.com
Content-Language: en-US
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Rspamd-Queue-Id: 827C140007
X-Stat-Signature: ga1ais9ikstpkkwknktjnckdbpro5pdk
X-Rspam-User: 
X-Rspamd-Server: rspam10
X-HE-Tag: 1739867028-724328
X-HE-Meta: U2FsdGVkX18m27ifr1KHe0o6Qh0JOM2xEANXuResLkcqnyeijOj8giSOzdFe7OZM9aN2rY5zSIAP7pvblTzROWWODTfbtDr4oF5+sf0a71wbLhBylgH+KubMEumCLvBCKw4zi2XPUJFmxmH4gQox9VDbHH9xs1+32IPcgRyKdlGEVe4OXbMTW1Cf7iK7Aw7GbyDQbio8XZ/n9OTxQHW1ddbAlqqL+a8almdGN/FBjMvnfPmY09c0fhUV5IojyRUE60cBLqnHMnEHXSJlKCfLBc9tU/FGt3MezfNTxeOLLMXaZzERLBiso7zqRk0NbKmjDFp7gDs2n7LR6X1v7W/hYS1vy72FmvmQkRYt+NuYD03J6RkBDEwfJ5kFEZETNJfchD2GHKlHKK57pqxgVEkWDAQ6Rsp1cmvVGYcjU43oG8mZhF86buOhd+zs4T4sdZlkLBNhU1CQM8AidNvD1f0r+kZPxUQiJWQkqHpCOwJQIqeBUdvyJ2EsyjUZsXpHZU9afllJOm3NGV3QzhsG7GF/a3918lYBXT0Yw+SHTA+uIa33Ql1z3hG5ORsxQzMIekDw9YIsNPIiHlqLNyy4SFdZNxKizYy1LU4tIms79PRjVdJDuc5T72xhHSYRD82CAjWj2lmD2nEE40v6twIBq4XOaHFSX0EOOMTRwXSs3ChyJ2v8yqYgV5u03JPgNufNBRM3AanmlISVDPomrEsdzgVLO2bHA3kB1Znx9XflplULiHCSruaO3Xpp8ZGqGgLk4EBujBQh8/TToG1kgzKdYKidzw5IwL6DeuP9XKuyKo5w891SGurbJTi96nlIwCgwnzXqdgLcL0BZuNZylOFnsvwjj0CjVcubORzU9iwHqir+tbJ48msVwLOFo/ELNqJ785n81qWK9xlU6ur2nOP3Jkp0xs5noC1XWteb/q/kW4tvR+woLx/BHzCT5YO0Yi2JUMnInSiRaGYFd07HdoU3z3P
 mYQPC0Fv
 MYduuDHYub7BxGa4Kqq575kHMMujhxM7BRm1KuxmF030UF4WdEncL55vZRxe1U+Kt8ZaitfPeJTtlHteJrXXyQMASvnvMsbiTda/K+DVoGgeMa2cC1YUjWhPJhoHthPWmRATBQJJJhh/LdX3eplW9SQhYbf5IaDQN1YyFdaTzcfjoE3fxzjkp5nCphTzDPe+Kpaoc1BvIMS0nzOyCpuHf4z3AHkEZl5CPiaijoMFbuo+U/7eKsKGQRa+kfoluFne8RdhvtCpGsjTGsuC/cZn5adzB+2zfoU+EZ2oD91dQLhxd2txd1f1VXdJVGkHs7stY0FsW97O33fSDFY5eAut60WhkNhe7yZPOgHXICZ26ZA4qaTx16dEhJcQc4fwGXhIKIh3VWTgNzNEFHa1WQlJbXWtzaX6PMfNGmcmvUIMo786eQ2n6pbsLVpH3zpfVxYMySrFTiEmLO2Ng6odxaMG61i78s3hOtfpxEnECznynJxpfo5RaDxTRyDwQmpQInIyLWDA6k1VZLKkOnYlSvIoXgZuSjAMh4TZPeDUfGlQHC8jhHEE=
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>

On 18.02.25 03:47, Tong Tiangen wrote:
> 
> 
> 在 2025/2/17 20:38, Tong Tiangen 写道:
>> We triggered the following error logs in syzkaller test:
>>
>>     BUG: Bad page state in process syz.7.38  pfn:1eff3
>>     page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1eff3
>>     flags: 0x3fffff00004004(referenced|reserved|node=0|zone=1|lastcpupid=0x1fffff)
>>     raw: 003fffff00004004 ffffe6c6c07bfcc8 ffffe6c6c07bfcc8 0000000000000000
>>     raw: 0000000000000000 0000000000000000 00000000fffffffe 0000000000000000
>>     page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
>>     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
>>     Call Trace:
>>      <TASK>
>>      dump_stack_lvl+0x32/0x50
>>      bad_page+0x69/0xf0
>>      free_unref_page_prepare+0x401/0x500
>>      free_unref_page+0x6d/0x1b0
>>      uprobe_write_opcode+0x460/0x8e0
>>      install_breakpoint.part.0+0x51/0x80
>>      register_for_each_vma+0x1d9/0x2b0
>>      __uprobe_register+0x245/0x300
>>      bpf_uprobe_multi_link_attach+0x29b/0x4f0
>>      link_create+0x1e2/0x280
>>      __sys_bpf+0x75f/0xac0
>>      __x64_sys_bpf+0x1a/0x30
>>      do_syscall_64+0x56/0x100
>>      entry_SYSCALL_64_after_hwframe+0x78/0xe2
>>
>>      BUG: Bad rss-counter state mm:00000000452453e0 type:MM_FILEPAGES val:-1
>>
>> The following syzkaller test case can be used to reproduce:
>>
>>     r2 = creat(&(0x7f0000000000)='./file0\x00', 0x8)
>>     write$nbd(r2, &(0x7f0000000580)=ANY=[], 0x10)
>>     r4 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x42, 0x0)
>>     mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x0, 0x12, r4, 0x0)
>>     r5 = userfaultfd(0x80801)
>>     ioctl$UFFDIO_API(r5, 0xc018aa3f, &(0x7f0000000040)={0xaa, 0x20})
>>     r6 = userfaultfd(0x80801)
>>     ioctl$UFFDIO_API(r6, 0xc018aa3f, &(0x7f0000000140))
>>     ioctl$UFFDIO_REGISTER(r6, 0xc020aa00, &(0x7f0000000100)={{&(0x7f0000ffc000/0x4000)=nil, 0x4000}, 0x2})
>>     ioctl$UFFDIO_ZEROPAGE(r5, 0xc020aa04, &(0x7f0000000000)={{&(0x7f0000ffd000/0x1000)=nil, 0x1000}})
>>     r7 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x2, 0x3, &(0x7f0000000200)=ANY=[@ANYBLOB="1800000000120000000000000000000095"], &(0x7f0000000000)='GPL\x00', 0x7, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x30, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
>>     bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000040)={r7, 0x0, 0x30, 0x1e, @val=@uprobe_multi={&(0x7f0000000080)='./file0\x00', &(0x7f0000000100)=[0x2], 0x0, 0x0, 0x1}}, 0x40)
>>
>> The cause is that zero pfn is set to the pte without increasing the rss
>> count in mfill_atomic_pte_zeropage() and the refcount of zero folio does
>> not increase accordingly. Then, the operation on the same pfn is performed
>> in uprobe_write_opcode()->__replace_page() to unconditional decrease the
>> rss count and old_folio's refcount.
>>
>> Therefore, two bugs are introduced:
>> 1. The rss count is incorrect, when process exit, the check_mm() report
>>      error "Bad rss-count".
>> 2. The reserved folio (zero folio) is freed when folio->refcount is zero,
>>      then free_pages_prepare->free_page_is_bad() report error "Bad page state".
>>
>> To fix it, add zero folio check before rss counter and refcount decrease.
>>
>> Fixes: 7396fa818d62 ("uprobes/core: Make background page replacement logic account for rss_stat counters")
>> Fixes: 2b1444983508 ("uprobes, mm, x86: Add the ability to install and remove uprobes breakpoints")
>> Signed-off-by: Tong Tiangen <tongtiangen@huawei.com>
>> ---
>>    kernel/events/uprobes.c | 6 ++++--
>>    1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
>> index 46ddf3a2334d..ff5694acfa68 100644
>> --- a/kernel/events/uprobes.c
>> +++ b/kernel/events/uprobes.c
>> @@ -213,7 +213,8 @@ static int __replace_page(struct vm_area_struct *vma, unsigned long addr,
>>    		dec_mm_counter(mm, MM_ANONPAGES);
>>    
>>    	if (!folio_test_anon(old_folio)) {
>> -		dec_mm_counter(mm, mm_counter_file(old_folio));
>> +		if (!is_zero_folio(old_folio))
>> +			dec_mm_counter(mm, mm_counter_file(old_folio));
>>    		inc_mm_counter(mm, MM_ANONPAGES);
>>    	}
>>    
>> @@ -227,7 +228,8 @@ static int __replace_page(struct vm_area_struct *vma, unsigned long addr,
>>    	if (!folio_mapped(old_folio))
>>    		folio_free_swap(old_folio);
>>    	page_vma_mapped_walk_done(&pvmw);
>> -	folio_put(old_folio);
>> +	if (!is_zero_folio(old_folio))
>> +		folio_put(old_folio);
 >>    >>    	err = 0;
>>     unlock:
> 

The whole "manually replace pages" logic is fragile. I tried to rewrite 
it a while back:

https://lkml.kernel.org/r/20240604122548.359952-1-david@redhat.com

But didn't get to follow-up yet.

I'm not sure if the page_vma_mapped_walk() really does what we would 
expect here.

The folio_remove_rmap_pte(old_folio, old_page, vma); is certainly wrong 
as well for ero folios.


I don't think there is a sane use case right now where we would hit the 
shared zeropage.

So for the time being, I think we should just reject them immediately 
after get_user_page_vma_remote().

At some point I'll follow up with my rewrite that will clean this 
nastiness here up a bit.

-- 
Cheers,

David / dhildenb