Hello:

    My Syzkaller reported me the following issue on:




HEAD commit: 072e51356cd5a4a1c12c1020bc054c99b98333df Merge tag 'nfs-for-5.20-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs

git tree: upstream

kernel config: defconfig

compiler: gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0




------------[ cut here ]------------
trying to isolate tail page
WARNING: CPU: 0 PID: 6175 at mm/folio-compat.c:158 isolate_lru_page+0x130/0x140
Modules linked in:
CPU: 0 PID: 6175 Comm: syz-executor.0 Not tainted 5.18.12 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:isolate_lru_page+0x130/0x140
Code: c3 89 c6 e8 22 4f f2 ff 85 db 75 0d e8 a9 4d f2 ff 44 89 e0 5b 5d 41 5c c3 e8 9c 4d f2 ff 48 c7 c7 a0 be 6a 93 e8 a9 f5 69 01 <0f> 0b eb de 66 66 2e 0f 1f 84 00 00 00 00 00 90 41 54 55 48 89 fd
loop3: detected capacity change from 0 to 16383
RSP: 0018:ffff88800844f8b8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffffc90000509000 RSI: ffff8880037997c0 RDI: ffffed1001089f09
RBP: ffffea000010b040 R08: ffffffff8117b3f8 R09: 0000000000000000
R10: 0000000000000005 R11: ffffed100d2c4ead R12: 00000000fffffff0
R13: ffff88800185aff0 R14: ffffea000010b048 R15: 0000000021000000
FS:  00007f8acbd46700(0000) GS:ffff888069600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2c821000 CR3: 0000000005028005 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
nfs4: Unknown parameter 'vfat'
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <TASK>
 madvise_cold_or_pageout_pte_range+0x43b/0x8f0
 __walk_page_range+0xa48/0x1310
 walk_page_range+0x14b/0x280
 madvise_pageout+0x184/0x260
 madvise_vma_behavior+0x843/0x13f0
 do_madvise+0x310/0x5b0
 __x64_sys_madvise+0x5f/0x70
 do_syscall_64+0x38/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f8acc5d38bd
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8acbd45bf8 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 00007f8acc6f2f60 RCX: 00007f8acc5d38bd
RDX: 0000000000000015 RSI: 0000000000004000 RDI: 0000000020ffc000
RBP: 00007f8acc6400a9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffec656fb0f R14: 00007ffec656fcb0 R15: 00007f8acbd45d80
 </TASK>
---[ end trace 0000000000000000 ]---













the bug was bisect to:  

[a4e58cce84ee88129d5d49c064bd2852b481357] mm: introduce MADV_PAGEOUT







the C reproducer is as follows:




#define _GNU_SOURCE 
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
// mmap(0x1ffff000, 0x1000, PROT_NONE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)
syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);

// mmap(0x20000000, 0x1000000, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)
syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);

// mmap(0x21000000, 0x1000, PROT_NONE, MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE, -1, 0)
syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);

// fd = socket(AF_PACKET, SOCK_RAW, 0x300)
intptr_t res = 0;
res = syscall(__NR_socket, 0x11ul, 3ul, 0x300);
if (res != -1)
r[0] = res;

*(uint32_t*)0x20000100 = 0x10000;
*(uint32_t*)0x20000104 = 3;
*(uint32_t*)0x20000108 = 0x80;
*(uint32_t*)0x2000010c = 0x600;
syscall(__NR_setsockopt, r[0], 0x107, 5, 0x20000100ul, 0x10ul);

// mmap(0x20ffd000, 0x30000, PROT_NONE, MAP_PRIVATE|MAP_FIXED, fd, 0)
syscall(__NR_mmap, 0x20ffd000ul, 0x30000ul, 0ul, 0x12ul, r[0], 0ul);

// madvise(0x20ffc000, 0x4000, MADV_PAGEOUT)
syscall(__NR_madvise, 0x20ffc000ul, 0x4000ul, 0x15ul);
return 0;
}






compile the repro with: 

gcc -static -o repro repro.c







my QEMU startup command line is:

qemu-system-x86_64 \
-s \
-m 2G \
-smp 4 \
-kernel arch/x86/boot/bzImage \
-append "console=ttyS0 root=/dev/sda rw earlyprintk=serial" \
-drive file=../fs/stretch.img,format=raw \
-nographic \
-enable-kvm \
-monitor /dev/null



the bug can reproduce reliably under my experienment settings.




Regards,

Tianshuo