* Re: [syzbot] [mm?] kernel BUG in const_folio_flags (2)
2024-11-23 7:31 [syzbot] [mm?] kernel BUG in const_folio_flags (2) syzbot
@ 2024-11-25 6:56 ` Suraj Sonawane
2024-11-25 6:58 ` syzbot
2024-11-25 7:16 ` Suraj Sonawane
` (6 subsequent siblings)
7 siblings, 1 reply; 21+ messages in thread
From: Suraj Sonawane @ 2024-11-25 6:56 UTC (permalink / raw)
To: syzbot; +Cc: akpm, linux-kernel, linux-mm, syzkaller-bugs
[-- Attachment #1.1: Type: text/plain, Size: 7380 bytes --]
#syz test
On Sat, Nov 23, 2024 at 1:01 PM syzbot <
syzbot+9f9a7f73fb079b2387a6@syzkaller.appspotmail.com> wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 9fb2cfa4635a Merge tag 'pull-ufs' of git://git.kernel.org/
> ..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10042930580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c4515f1b6a4e50b7
> dashboard link:
> https://syzkaller.appspot.com/bug?extid=9f9a7f73fb079b2387a6
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for
> Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=105ff2e8580000
>
> Downloadable assets:
> disk image:
> https://storage.googleapis.com/syzbot-assets/7c0c61a15f60/disk-9fb2cfa4.raw.xz
> vmlinux:
> https://storage.googleapis.com/syzbot-assets/3363d84eeb74/vmlinux-9fb2cfa4.xz
> kernel image:
> https://storage.googleapis.com/syzbot-assets/2b1a270af550/bzImage-9fb2cfa4.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the
> commit:
> Reported-by: syzbot+9f9a7f73fb079b2387a6@syzkaller.appspotmail.com
>
> madvise_pageout_page_range mm/madvise.c:609 [inline]
> madvise_pageout+0x326/0x820 mm/madvise.c:636
> madvise_vma_behavior+0x58c/0x19e0 mm/madvise.c:1045
> madvise_walk_vmas+0x1cf/0x2c0 mm/madvise.c:1274
> do_madvise+0x29d/0x700 mm/madvise.c:1461
> __do_sys_madvise mm/madvise.c:1477 [inline]
> __se_sys_madvise mm/madvise.c:1475 [inline]
> __x64_sys_madvise+0xa9/0x110 mm/madvise.c:1475
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
> ------------[ cut here ]------------
> kernel BUG at include/linux/page-flags.h:309!
> Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
> CPU: 0 UID: 0 PID: 7269 Comm: syz.1.183 Not tainted
> 6.12.0-syzkaller-00233-g9fb2cfa4635a #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 10/30/2024
> RIP: 0010:const_folio_flags.constprop.0+0x12e/0x150
> include/linux/page-flags.h:309
> Code: 86 cb ff e8 f4 86 cb ff 48 8d 45 ff 48 39 c3 0f 84 38 ff ff ff e8 e2
> 86 cb ff 48 c7 c6 00 19 58 8b 48 89 df e8 e3 4b 11 00 90 <0f> 0b e8 6b 0d
> 2d 00 e9 f1 fe ff ff e8 61 0d 2d 00 eb a3 48 89 df
> RSP: 0018:ffffc9000c55ee30 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: ffffea0000496f80 RCX: ffffc9000c55ecd8
> RDX: ffff88805f401e00 RSI: ffffffff81c1362d RDI: ffff88805f402244
> RBP: 0000000000000001 R08: 0000000000000000 R09: fffffbfff203a591
> R10: ffffffff901d2c8f R11: 0000000000000001 R12: 00000000000014df
> R13: 0000000000000000 R14: dffffc0000000000 R15: 1ffff920018abdf4
> FS: 00007f08b31bc6c0(0000) GS:ffff8880b8600000(0000)
> knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000000c0025ff000 CR3: 00000000341ce000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <TASK>
> folio_test_locked include/linux/page-flags.h:509 [inline]
> next_uptodate_folio+0xac/0x4b0 mm/filemap.c:3505
> filemap_map_pages+0x1c6/0x16a0 mm/filemap.c:3647
> do_fault_around mm/memory.c:5255 [inline]
> do_read_fault mm/memory.c:5288 [inline]
> do_fault mm/memory.c:5431 [inline]
> do_pte_missing+0xdae/0x3e70 mm/memory.c:3965
> handle_pte_fault mm/memory.c:5766 [inline]
> __handle_mm_fault+0x100a/0x2a10 mm/memory.c:5909
> handle_mm_fault+0x3fa/0xaa0 mm/memory.c:6077
> faultin_page mm/gup.c:1187 [inline]
> __get_user_pages+0x8d9/0x3b50 mm/gup.c:1485
> __get_user_pages_locked mm/gup.c:1751 [inline]
> get_dump_page+0xfb/0x220 mm/gup.c:2269
> dump_user_range+0x135/0x8c0 fs/coredump.c:943
> elf_core_dump+0x2766/0x3840 fs/binfmt_elf.c:2121
> do_coredump+0x2c42/0x4160 fs/coredump.c:758
> get_signal+0x237c/0x26d0 kernel/signal.c:2903
> arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
> exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
> exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
> irqentry_exit_to_user_mode+0x13f/0x280 kernel/entry/common.c:231
> asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
> RIP: 0033:0x1000
> Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> RSP: 002b:000000000000010c EFLAGS: 00010246
> RAX: 0000000000000000 RBX: 00007f08b41363b8 RCX: 00007f08b3f7e759
> RDX: ffffffffff600000 RSI: 0000000000000104 RDI: 8000000000000000
> RBP: 00007f08b3ff175e R08: 0000000100000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 0000000000000000 R14: 00007f08b41363b8 R15: 00007fff7656a008
> </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:const_folio_flags.constprop.0+0x12e/0x150
> include/linux/page-flags.h:309
> Code: 86 cb ff e8 f4 86 cb ff 48 8d 45 ff 48 39 c3 0f 84 38 ff ff ff e8 e2
> 86 cb ff 48 c7 c6 00 19 58 8b 48 89 df e8 e3 4b 11 00 90 <0f> 0b e8 6b 0d
> 2d 00 e9 f1 fe ff ff e8 61 0d 2d 00 eb a3 48 89 df
> RSP: 0018:ffffc9000c55ee30 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: ffffea0000496f80 RCX: ffffc9000c55ecd8
> RDX: ffff88805f401e00 RSI: ffffffff81c1362d RDI: ffff88805f402244
> RBP: 0000000000000001 R08: 0000000000000000 R09: fffffbfff203a591
> R10: ffffffff901d2c8f R11: 0000000000000001 R12: 00000000000014df
> R13: 0000000000000000 R14: dffffc0000000000 R15: 1ffff920018abdf4
> FS: 00007f08b31bc6c0(0000) GS:ffff8880b8700000(0000)
> knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fff76568ff8 CR3: 00000000341ce000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
>
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion visit
> https://groups.google.com/d/msgid/syzkaller-bugs/674184c9.050a0220.1cc393.0001.GAE%40google.com
> .
>
[-- Attachment #1.2: Type: text/html, Size: 9393 bytes --]
[-- Attachment #2: 0001-fix-kernel-BUG-in-const_folio_flags-2.patch --]
[-- Type: text/x-patch, Size: 1029 bytes --]
From 26b892d116fabd0395de4dcddbeb2dfdbd4a7426 Mon Sep 17 00:00:00 2001
From: Suraj Sonawane <surajsonawane0215@gmail.com>
Date: Mon, 25 Nov 2024 12:22:12 +0530
Subject: [PATCH] fix kernel BUG in const_folio_flags (2)
syz test
Signed-off-by: Suraj Sonawane <surajsonawane0215@gmail.com>
---
include/linux/page-flags.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h
index 908ee0aad..ab562ff45 100644
--- a/include/linux/page-flags.h
+++ b/include/linux/page-flags.h
@@ -306,6 +306,12 @@ static const unsigned long *const_folio_flags(const struct folio *folio,
{
const struct page *page = &folio->page;
+ /* Add a check for n to ensure it's within bounds. */
+ if (n >= folio_nr_pages(folio)) {
+ pr_err("Invalid folio index: n=%u, folio_nr_pages=%u\n", n, folio_nr_pages(folio));
+ return -EINVAL;
+ }
+
VM_BUG_ON_PGFLAGS(PageTail(page), page);
VM_BUG_ON_PGFLAGS(n > 0 && !test_bit(PG_head, &page->flags), page);
return &page[n].flags;
--
2.34.1
^ permalink raw reply [flat|nested] 21+ messages in thread* Re: [syzbot] [mm?] kernel BUG in const_folio_flags (2)
2024-11-23 7:31 [syzbot] [mm?] kernel BUG in const_folio_flags (2) syzbot
2024-11-25 6:56 ` Suraj Sonawane
@ 2024-11-25 7:16 ` Suraj Sonawane
2024-11-25 7:18 ` syzbot
2024-11-25 7:37 ` Suraj Sonawane
` (5 subsequent siblings)
7 siblings, 1 reply; 21+ messages in thread
From: Suraj Sonawane @ 2024-11-25 7:16 UTC (permalink / raw)
To: syzbot; +Cc: akpm, linux-kernel, linux-mm, syzkaller-bugs
[-- Attachment #1.1: Type: text/plain, Size: 7380 bytes --]
#syz test
On Sat, Nov 23, 2024 at 1:01 PM syzbot <
syzbot+9f9a7f73fb079b2387a6@syzkaller.appspotmail.com> wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 9fb2cfa4635a Merge tag 'pull-ufs' of git://git.kernel.org/
> ..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10042930580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c4515f1b6a4e50b7
> dashboard link:
> https://syzkaller.appspot.com/bug?extid=9f9a7f73fb079b2387a6
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for
> Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=105ff2e8580000
>
> Downloadable assets:
> disk image:
> https://storage.googleapis.com/syzbot-assets/7c0c61a15f60/disk-9fb2cfa4.raw.xz
> vmlinux:
> https://storage.googleapis.com/syzbot-assets/3363d84eeb74/vmlinux-9fb2cfa4.xz
> kernel image:
> https://storage.googleapis.com/syzbot-assets/2b1a270af550/bzImage-9fb2cfa4.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the
> commit:
> Reported-by: syzbot+9f9a7f73fb079b2387a6@syzkaller.appspotmail.com
>
> madvise_pageout_page_range mm/madvise.c:609 [inline]
> madvise_pageout+0x326/0x820 mm/madvise.c:636
> madvise_vma_behavior+0x58c/0x19e0 mm/madvise.c:1045
> madvise_walk_vmas+0x1cf/0x2c0 mm/madvise.c:1274
> do_madvise+0x29d/0x700 mm/madvise.c:1461
> __do_sys_madvise mm/madvise.c:1477 [inline]
> __se_sys_madvise mm/madvise.c:1475 [inline]
> __x64_sys_madvise+0xa9/0x110 mm/madvise.c:1475
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
> ------------[ cut here ]------------
> kernel BUG at include/linux/page-flags.h:309!
> Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
> CPU: 0 UID: 0 PID: 7269 Comm: syz.1.183 Not tainted
> 6.12.0-syzkaller-00233-g9fb2cfa4635a #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 10/30/2024
> RIP: 0010:const_folio_flags.constprop.0+0x12e/0x150
> include/linux/page-flags.h:309
> Code: 86 cb ff e8 f4 86 cb ff 48 8d 45 ff 48 39 c3 0f 84 38 ff ff ff e8 e2
> 86 cb ff 48 c7 c6 00 19 58 8b 48 89 df e8 e3 4b 11 00 90 <0f> 0b e8 6b 0d
> 2d 00 e9 f1 fe ff ff e8 61 0d 2d 00 eb a3 48 89 df
> RSP: 0018:ffffc9000c55ee30 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: ffffea0000496f80 RCX: ffffc9000c55ecd8
> RDX: ffff88805f401e00 RSI: ffffffff81c1362d RDI: ffff88805f402244
> RBP: 0000000000000001 R08: 0000000000000000 R09: fffffbfff203a591
> R10: ffffffff901d2c8f R11: 0000000000000001 R12: 00000000000014df
> R13: 0000000000000000 R14: dffffc0000000000 R15: 1ffff920018abdf4
> FS: 00007f08b31bc6c0(0000) GS:ffff8880b8600000(0000)
> knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000000c0025ff000 CR3: 00000000341ce000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <TASK>
> folio_test_locked include/linux/page-flags.h:509 [inline]
> next_uptodate_folio+0xac/0x4b0 mm/filemap.c:3505
> filemap_map_pages+0x1c6/0x16a0 mm/filemap.c:3647
> do_fault_around mm/memory.c:5255 [inline]
> do_read_fault mm/memory.c:5288 [inline]
> do_fault mm/memory.c:5431 [inline]
> do_pte_missing+0xdae/0x3e70 mm/memory.c:3965
> handle_pte_fault mm/memory.c:5766 [inline]
> __handle_mm_fault+0x100a/0x2a10 mm/memory.c:5909
> handle_mm_fault+0x3fa/0xaa0 mm/memory.c:6077
> faultin_page mm/gup.c:1187 [inline]
> __get_user_pages+0x8d9/0x3b50 mm/gup.c:1485
> __get_user_pages_locked mm/gup.c:1751 [inline]
> get_dump_page+0xfb/0x220 mm/gup.c:2269
> dump_user_range+0x135/0x8c0 fs/coredump.c:943
> elf_core_dump+0x2766/0x3840 fs/binfmt_elf.c:2121
> do_coredump+0x2c42/0x4160 fs/coredump.c:758
> get_signal+0x237c/0x26d0 kernel/signal.c:2903
> arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
> exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
> exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
> irqentry_exit_to_user_mode+0x13f/0x280 kernel/entry/common.c:231
> asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
> RIP: 0033:0x1000
> Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> RSP: 002b:000000000000010c EFLAGS: 00010246
> RAX: 0000000000000000 RBX: 00007f08b41363b8 RCX: 00007f08b3f7e759
> RDX: ffffffffff600000 RSI: 0000000000000104 RDI: 8000000000000000
> RBP: 00007f08b3ff175e R08: 0000000100000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 0000000000000000 R14: 00007f08b41363b8 R15: 00007fff7656a008
> </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:const_folio_flags.constprop.0+0x12e/0x150
> include/linux/page-flags.h:309
> Code: 86 cb ff e8 f4 86 cb ff 48 8d 45 ff 48 39 c3 0f 84 38 ff ff ff e8 e2
> 86 cb ff 48 c7 c6 00 19 58 8b 48 89 df e8 e3 4b 11 00 90 <0f> 0b e8 6b 0d
> 2d 00 e9 f1 fe ff ff e8 61 0d 2d 00 eb a3 48 89 df
> RSP: 0018:ffffc9000c55ee30 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: ffffea0000496f80 RCX: ffffc9000c55ecd8
> RDX: ffff88805f401e00 RSI: ffffffff81c1362d RDI: ffff88805f402244
> RBP: 0000000000000001 R08: 0000000000000000 R09: fffffbfff203a591
> R10: ffffffff901d2c8f R11: 0000000000000001 R12: 00000000000014df
> R13: 0000000000000000 R14: dffffc0000000000 R15: 1ffff920018abdf4
> FS: 00007f08b31bc6c0(0000) GS:ffff8880b8700000(0000)
> knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fff76568ff8 CR3: 00000000341ce000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
>
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion visit
> https://groups.google.com/d/msgid/syzkaller-bugs/674184c9.050a0220.1cc393.0001.GAE%40google.com
> .
>
[-- Attachment #1.2: Type: text/html, Size: 9393 bytes --]
[-- Attachment #2: 0001-fix-kernel-BUG-in-const_folio_flags-2.patch --]
[-- Type: text/x-patch, Size: 1001 bytes --]
From 26b892d116fabd0395de4dcddbeb2dfdbd4a7426 Mon Sep 17 00:00:00 2001
From: Suraj Sonawane <surajsonawane0215@gmail.com>
Date: Mon, 25 Nov 2024 12:22:12 +0530
Subject: [PATCH] fix kernel BUG in const_folio_flags (2)
syz test
Signed-off-by: Suraj Sonawane <surajsonawane0215@gmail.com>
---
include/linux/page-flags.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h
index 908ee0aad..ab562ff45 100644
--- a/include/linux/page-flags.h
+++ b/include/linux/page-flags.h
@@ -306,6 +306,12 @@ static const unsigned long *const_folio_flags(const struct folio *folio,
{
const struct page *page = &folio->page;
+ long nr_pages = folio_nr_pages(folio);
+ if (n >= nr_pages) {
+ pr_err("Invalid folio index: n=%u, folio_nr_pages=%u\n", n, folio_nr_pages(folio));
+ return -EINVAL;
+ }
+
VM_BUG_ON_PGFLAGS(PageTail(page), page);
VM_BUG_ON_PGFLAGS(n > 0 && !test_bit(PG_head, &page->flags), page);
return &page[n].flags;
--
2.34.1
^ permalink raw reply [flat|nested] 21+ messages in thread* Re: [syzbot] [mm?] kernel BUG in const_folio_flags (2)
2024-11-23 7:31 [syzbot] [mm?] kernel BUG in const_folio_flags (2) syzbot
2024-11-25 6:56 ` Suraj Sonawane
2024-11-25 7:16 ` Suraj Sonawane
@ 2024-11-25 7:37 ` Suraj Sonawane
2024-11-25 7:39 ` syzbot
2024-11-25 7:53 ` Suraj Sonawane
` (4 subsequent siblings)
7 siblings, 1 reply; 21+ messages in thread
From: Suraj Sonawane @ 2024-11-25 7:37 UTC (permalink / raw)
To: syzbot; +Cc: akpm, linux-kernel, linux-mm, syzkaller-bugs
[-- Attachment #1.1: Type: text/plain, Size: 7380 bytes --]
#syz test
On Sat, Nov 23, 2024 at 1:01 PM syzbot <
syzbot+9f9a7f73fb079b2387a6@syzkaller.appspotmail.com> wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 9fb2cfa4635a Merge tag 'pull-ufs' of git://git.kernel.org/
> ..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10042930580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c4515f1b6a4e50b7
> dashboard link:
> https://syzkaller.appspot.com/bug?extid=9f9a7f73fb079b2387a6
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for
> Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=105ff2e8580000
>
> Downloadable assets:
> disk image:
> https://storage.googleapis.com/syzbot-assets/7c0c61a15f60/disk-9fb2cfa4.raw.xz
> vmlinux:
> https://storage.googleapis.com/syzbot-assets/3363d84eeb74/vmlinux-9fb2cfa4.xz
> kernel image:
> https://storage.googleapis.com/syzbot-assets/2b1a270af550/bzImage-9fb2cfa4.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the
> commit:
> Reported-by: syzbot+9f9a7f73fb079b2387a6@syzkaller.appspotmail.com
>
> madvise_pageout_page_range mm/madvise.c:609 [inline]
> madvise_pageout+0x326/0x820 mm/madvise.c:636
> madvise_vma_behavior+0x58c/0x19e0 mm/madvise.c:1045
> madvise_walk_vmas+0x1cf/0x2c0 mm/madvise.c:1274
> do_madvise+0x29d/0x700 mm/madvise.c:1461
> __do_sys_madvise mm/madvise.c:1477 [inline]
> __se_sys_madvise mm/madvise.c:1475 [inline]
> __x64_sys_madvise+0xa9/0x110 mm/madvise.c:1475
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
> ------------[ cut here ]------------
> kernel BUG at include/linux/page-flags.h:309!
> Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
> CPU: 0 UID: 0 PID: 7269 Comm: syz.1.183 Not tainted
> 6.12.0-syzkaller-00233-g9fb2cfa4635a #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 10/30/2024
> RIP: 0010:const_folio_flags.constprop.0+0x12e/0x150
> include/linux/page-flags.h:309
> Code: 86 cb ff e8 f4 86 cb ff 48 8d 45 ff 48 39 c3 0f 84 38 ff ff ff e8 e2
> 86 cb ff 48 c7 c6 00 19 58 8b 48 89 df e8 e3 4b 11 00 90 <0f> 0b e8 6b 0d
> 2d 00 e9 f1 fe ff ff e8 61 0d 2d 00 eb a3 48 89 df
> RSP: 0018:ffffc9000c55ee30 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: ffffea0000496f80 RCX: ffffc9000c55ecd8
> RDX: ffff88805f401e00 RSI: ffffffff81c1362d RDI: ffff88805f402244
> RBP: 0000000000000001 R08: 0000000000000000 R09: fffffbfff203a591
> R10: ffffffff901d2c8f R11: 0000000000000001 R12: 00000000000014df
> R13: 0000000000000000 R14: dffffc0000000000 R15: 1ffff920018abdf4
> FS: 00007f08b31bc6c0(0000) GS:ffff8880b8600000(0000)
> knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000000c0025ff000 CR3: 00000000341ce000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <TASK>
> folio_test_locked include/linux/page-flags.h:509 [inline]
> next_uptodate_folio+0xac/0x4b0 mm/filemap.c:3505
> filemap_map_pages+0x1c6/0x16a0 mm/filemap.c:3647
> do_fault_around mm/memory.c:5255 [inline]
> do_read_fault mm/memory.c:5288 [inline]
> do_fault mm/memory.c:5431 [inline]
> do_pte_missing+0xdae/0x3e70 mm/memory.c:3965
> handle_pte_fault mm/memory.c:5766 [inline]
> __handle_mm_fault+0x100a/0x2a10 mm/memory.c:5909
> handle_mm_fault+0x3fa/0xaa0 mm/memory.c:6077
> faultin_page mm/gup.c:1187 [inline]
> __get_user_pages+0x8d9/0x3b50 mm/gup.c:1485
> __get_user_pages_locked mm/gup.c:1751 [inline]
> get_dump_page+0xfb/0x220 mm/gup.c:2269
> dump_user_range+0x135/0x8c0 fs/coredump.c:943
> elf_core_dump+0x2766/0x3840 fs/binfmt_elf.c:2121
> do_coredump+0x2c42/0x4160 fs/coredump.c:758
> get_signal+0x237c/0x26d0 kernel/signal.c:2903
> arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
> exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
> exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
> irqentry_exit_to_user_mode+0x13f/0x280 kernel/entry/common.c:231
> asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
> RIP: 0033:0x1000
> Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> RSP: 002b:000000000000010c EFLAGS: 00010246
> RAX: 0000000000000000 RBX: 00007f08b41363b8 RCX: 00007f08b3f7e759
> RDX: ffffffffff600000 RSI: 0000000000000104 RDI: 8000000000000000
> RBP: 00007f08b3ff175e R08: 0000000100000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 0000000000000000 R14: 00007f08b41363b8 R15: 00007fff7656a008
> </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:const_folio_flags.constprop.0+0x12e/0x150
> include/linux/page-flags.h:309
> Code: 86 cb ff e8 f4 86 cb ff 48 8d 45 ff 48 39 c3 0f 84 38 ff ff ff e8 e2
> 86 cb ff 48 c7 c6 00 19 58 8b 48 89 df e8 e3 4b 11 00 90 <0f> 0b e8 6b 0d
> 2d 00 e9 f1 fe ff ff e8 61 0d 2d 00 eb a3 48 89 df
> RSP: 0018:ffffc9000c55ee30 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: ffffea0000496f80 RCX: ffffc9000c55ecd8
> RDX: ffff88805f401e00 RSI: ffffffff81c1362d RDI: ffff88805f402244
> RBP: 0000000000000001 R08: 0000000000000000 R09: fffffbfff203a591
> R10: ffffffff901d2c8f R11: 0000000000000001 R12: 00000000000014df
> R13: 0000000000000000 R14: dffffc0000000000 R15: 1ffff920018abdf4
> FS: 00007f08b31bc6c0(0000) GS:ffff8880b8700000(0000)
> knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fff76568ff8 CR3: 00000000341ce000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
>
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion visit
> https://groups.google.com/d/msgid/syzkaller-bugs/674184c9.050a0220.1cc393.0001.GAE%40google.com
> .
>
[-- Attachment #1.2: Type: text/html, Size: 9393 bytes --]
[-- Attachment #2: 20001-fix-kernel-BUG-in-const_folio_flags-2.patch --]
[-- Type: text/x-patch, Size: 1005 bytes --]
From 26b892d116fabd0395de4dcddbeb2dfdbd4a7426 Mon Sep 17 00:00:00 2001
From: Suraj Sonawane <surajsonawane0215@gmail.com>
Date: Mon, 25 Nov 2024 12:22:12 +0530
Subject: [PATCH] fix kernel BUG in const_folio_flags (2)
syz test
Signed-off-by: Suraj Sonawane <surajsonawane0215@gmail.com>
---
include/linux/page-flags.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h
index 908ee0aad..ab562ff45 100644
--- a/include/linux/page-flags.h
+++ b/include/linux/page-flags.h
@@ -306,6 +306,12 @@ static const unsigned long *const_folio_flags(const struct folio *folio,
{
const struct page *page = &folio->page;
+ long int nr_pages = folio_nr_pages(folio);
+ if (n >= nr_pages) {
+ pr_err("Invalid folio index: n=%u, folio_nr_pages=%u\n", n, folio_nr_pages(folio));
+ return -EINVAL;
+ }
+
VM_BUG_ON_PGFLAGS(PageTail(page), page);
VM_BUG_ON_PGFLAGS(n > 0 && !test_bit(PG_head, &page->flags), page);
return &page[n].flags;
--
2.34.1
^ permalink raw reply [flat|nested] 21+ messages in thread* Re: [syzbot] [mm?] kernel BUG in const_folio_flags (2)
2024-11-23 7:31 [syzbot] [mm?] kernel BUG in const_folio_flags (2) syzbot
` (2 preceding siblings ...)
2024-11-25 7:37 ` Suraj Sonawane
@ 2024-11-25 7:53 ` Suraj Sonawane
2024-11-25 7:55 ` syzbot
2024-11-25 7:57 ` Suraj Sonawane
` (3 subsequent siblings)
7 siblings, 1 reply; 21+ messages in thread
From: Suraj Sonawane @ 2024-11-25 7:53 UTC (permalink / raw)
To: syzbot; +Cc: akpm, linux-kernel, linux-mm, syzkaller-bugs
[-- Attachment #1.1: Type: text/plain, Size: 7380 bytes --]
#syz test
On Sat, Nov 23, 2024 at 1:01 PM syzbot <
syzbot+9f9a7f73fb079b2387a6@syzkaller.appspotmail.com> wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 9fb2cfa4635a Merge tag 'pull-ufs' of git://git.kernel.org/
> ..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10042930580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c4515f1b6a4e50b7
> dashboard link:
> https://syzkaller.appspot.com/bug?extid=9f9a7f73fb079b2387a6
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for
> Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=105ff2e8580000
>
> Downloadable assets:
> disk image:
> https://storage.googleapis.com/syzbot-assets/7c0c61a15f60/disk-9fb2cfa4.raw.xz
> vmlinux:
> https://storage.googleapis.com/syzbot-assets/3363d84eeb74/vmlinux-9fb2cfa4.xz
> kernel image:
> https://storage.googleapis.com/syzbot-assets/2b1a270af550/bzImage-9fb2cfa4.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the
> commit:
> Reported-by: syzbot+9f9a7f73fb079b2387a6@syzkaller.appspotmail.com
>
> madvise_pageout_page_range mm/madvise.c:609 [inline]
> madvise_pageout+0x326/0x820 mm/madvise.c:636
> madvise_vma_behavior+0x58c/0x19e0 mm/madvise.c:1045
> madvise_walk_vmas+0x1cf/0x2c0 mm/madvise.c:1274
> do_madvise+0x29d/0x700 mm/madvise.c:1461
> __do_sys_madvise mm/madvise.c:1477 [inline]
> __se_sys_madvise mm/madvise.c:1475 [inline]
> __x64_sys_madvise+0xa9/0x110 mm/madvise.c:1475
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
> ------------[ cut here ]------------
> kernel BUG at include/linux/page-flags.h:309!
> Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
> CPU: 0 UID: 0 PID: 7269 Comm: syz.1.183 Not tainted
> 6.12.0-syzkaller-00233-g9fb2cfa4635a #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 10/30/2024
> RIP: 0010:const_folio_flags.constprop.0+0x12e/0x150
> include/linux/page-flags.h:309
> Code: 86 cb ff e8 f4 86 cb ff 48 8d 45 ff 48 39 c3 0f 84 38 ff ff ff e8 e2
> 86 cb ff 48 c7 c6 00 19 58 8b 48 89 df e8 e3 4b 11 00 90 <0f> 0b e8 6b 0d
> 2d 00 e9 f1 fe ff ff e8 61 0d 2d 00 eb a3 48 89 df
> RSP: 0018:ffffc9000c55ee30 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: ffffea0000496f80 RCX: ffffc9000c55ecd8
> RDX: ffff88805f401e00 RSI: ffffffff81c1362d RDI: ffff88805f402244
> RBP: 0000000000000001 R08: 0000000000000000 R09: fffffbfff203a591
> R10: ffffffff901d2c8f R11: 0000000000000001 R12: 00000000000014df
> R13: 0000000000000000 R14: dffffc0000000000 R15: 1ffff920018abdf4
> FS: 00007f08b31bc6c0(0000) GS:ffff8880b8600000(0000)
> knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000000c0025ff000 CR3: 00000000341ce000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <TASK>
> folio_test_locked include/linux/page-flags.h:509 [inline]
> next_uptodate_folio+0xac/0x4b0 mm/filemap.c:3505
> filemap_map_pages+0x1c6/0x16a0 mm/filemap.c:3647
> do_fault_around mm/memory.c:5255 [inline]
> do_read_fault mm/memory.c:5288 [inline]
> do_fault mm/memory.c:5431 [inline]
> do_pte_missing+0xdae/0x3e70 mm/memory.c:3965
> handle_pte_fault mm/memory.c:5766 [inline]
> __handle_mm_fault+0x100a/0x2a10 mm/memory.c:5909
> handle_mm_fault+0x3fa/0xaa0 mm/memory.c:6077
> faultin_page mm/gup.c:1187 [inline]
> __get_user_pages+0x8d9/0x3b50 mm/gup.c:1485
> __get_user_pages_locked mm/gup.c:1751 [inline]
> get_dump_page+0xfb/0x220 mm/gup.c:2269
> dump_user_range+0x135/0x8c0 fs/coredump.c:943
> elf_core_dump+0x2766/0x3840 fs/binfmt_elf.c:2121
> do_coredump+0x2c42/0x4160 fs/coredump.c:758
> get_signal+0x237c/0x26d0 kernel/signal.c:2903
> arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
> exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
> exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
> irqentry_exit_to_user_mode+0x13f/0x280 kernel/entry/common.c:231
> asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
> RIP: 0033:0x1000
> Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> RSP: 002b:000000000000010c EFLAGS: 00010246
> RAX: 0000000000000000 RBX: 00007f08b41363b8 RCX: 00007f08b3f7e759
> RDX: ffffffffff600000 RSI: 0000000000000104 RDI: 8000000000000000
> RBP: 00007f08b3ff175e R08: 0000000100000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 0000000000000000 R14: 00007f08b41363b8 R15: 00007fff7656a008
> </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:const_folio_flags.constprop.0+0x12e/0x150
> include/linux/page-flags.h:309
> Code: 86 cb ff e8 f4 86 cb ff 48 8d 45 ff 48 39 c3 0f 84 38 ff ff ff e8 e2
> 86 cb ff 48 c7 c6 00 19 58 8b 48 89 df e8 e3 4b 11 00 90 <0f> 0b e8 6b 0d
> 2d 00 e9 f1 fe ff ff e8 61 0d 2d 00 eb a3 48 89 df
> RSP: 0018:ffffc9000c55ee30 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: ffffea0000496f80 RCX: ffffc9000c55ecd8
> RDX: ffff88805f401e00 RSI: ffffffff81c1362d RDI: ffff88805f402244
> RBP: 0000000000000001 R08: 0000000000000000 R09: fffffbfff203a591
> R10: ffffffff901d2c8f R11: 0000000000000001 R12: 00000000000014df
> R13: 0000000000000000 R14: dffffc0000000000 R15: 1ffff920018abdf4
> FS: 00007f08b31bc6c0(0000) GS:ffff8880b8700000(0000)
> knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fff76568ff8 CR3: 00000000341ce000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
>
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion visit
> https://groups.google.com/d/msgid/syzkaller-bugs/674184c9.050a0220.1cc393.0001.GAE%40google.com
> .
>
[-- Attachment #1.2: Type: text/html, Size: 9393 bytes --]
[-- Attachment #2: 0001-v2fix-kernel-BUG-in-const_folio_flags.patch --]
[-- Type: text/x-patch, Size: 1181 bytes --]
From 332c11344a3c5b064982d556dd40c7a17fdf44e9 Mon Sep 17 00:00:00 2001
From: Suraj Sonawane <surajsonawane0215@gmail.com>
Date: Mon, 25 Nov 2024 13:19:48 +0530
Subject: [PATCH] v2fix kernel BUG in const_folio_flags
syz test
Signed-off-by: Suraj Sonawane <surajsonawane0215@gmail.com>
---
include/linux/page-flags.h | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h
index 2220bfec2..214ad9d6d 100644
--- a/include/linux/page-flags.h
+++ b/include/linux/page-flags.h
@@ -8,6 +8,7 @@
#include <linux/types.h>
#include <linux/bug.h>
+#include <linux/mm.h>
#include <linux/mmdebug.h>
#ifndef __GENERATING_BOUNDS_H
#include <linux/mm_types.h>
@@ -306,6 +307,12 @@ static const unsigned long *const_folio_flags(const struct folio *folio,
{
const struct page *page = &folio->page;
+ long nr_pages = folio_nr_pages(folio);
+
+ if (n >= nr_pages) {
+ pr_err("Invalid folio index: n=%u, folio_nr_pages=%u\n", n, folio_nr_pages(folio));
+ return -EINVAL;
+ }
+
VM_BUG_ON_PGFLAGS(PageTail(page), page);
VM_BUG_ON_PGFLAGS(n > 0 && !test_bit(PG_head, &page->flags), page);
return &page[n].flags;
--
2.34.1
^ permalink raw reply [flat|nested] 21+ messages in thread* Re: [syzbot] [mm?] kernel BUG in const_folio_flags (2)
2024-11-23 7:31 [syzbot] [mm?] kernel BUG in const_folio_flags (2) syzbot
` (3 preceding siblings ...)
2024-11-25 7:53 ` Suraj Sonawane
@ 2024-11-25 7:57 ` Suraj Sonawane
2024-11-25 7:59 ` syzbot
2024-11-25 13:12 ` Suraj Sonawane
` (2 subsequent siblings)
7 siblings, 1 reply; 21+ messages in thread
From: Suraj Sonawane @ 2024-11-25 7:57 UTC (permalink / raw)
To: syzbot; +Cc: akpm, linux-kernel, linux-mm, syzkaller-bugs
[-- Attachment #1.1: Type: text/plain, Size: 7380 bytes --]
#syz test
On Sat, Nov 23, 2024 at 1:01 PM syzbot <
syzbot+9f9a7f73fb079b2387a6@syzkaller.appspotmail.com> wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 9fb2cfa4635a Merge tag 'pull-ufs' of git://git.kernel.org/
> ..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10042930580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c4515f1b6a4e50b7
> dashboard link:
> https://syzkaller.appspot.com/bug?extid=9f9a7f73fb079b2387a6
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for
> Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=105ff2e8580000
>
> Downloadable assets:
> disk image:
> https://storage.googleapis.com/syzbot-assets/7c0c61a15f60/disk-9fb2cfa4.raw.xz
> vmlinux:
> https://storage.googleapis.com/syzbot-assets/3363d84eeb74/vmlinux-9fb2cfa4.xz
> kernel image:
> https://storage.googleapis.com/syzbot-assets/2b1a270af550/bzImage-9fb2cfa4.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the
> commit:
> Reported-by: syzbot+9f9a7f73fb079b2387a6@syzkaller.appspotmail.com
>
> madvise_pageout_page_range mm/madvise.c:609 [inline]
> madvise_pageout+0x326/0x820 mm/madvise.c:636
> madvise_vma_behavior+0x58c/0x19e0 mm/madvise.c:1045
> madvise_walk_vmas+0x1cf/0x2c0 mm/madvise.c:1274
> do_madvise+0x29d/0x700 mm/madvise.c:1461
> __do_sys_madvise mm/madvise.c:1477 [inline]
> __se_sys_madvise mm/madvise.c:1475 [inline]
> __x64_sys_madvise+0xa9/0x110 mm/madvise.c:1475
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
> ------------[ cut here ]------------
> kernel BUG at include/linux/page-flags.h:309!
> Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
> CPU: 0 UID: 0 PID: 7269 Comm: syz.1.183 Not tainted
> 6.12.0-syzkaller-00233-g9fb2cfa4635a #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 10/30/2024
> RIP: 0010:const_folio_flags.constprop.0+0x12e/0x150
> include/linux/page-flags.h:309
> Code: 86 cb ff e8 f4 86 cb ff 48 8d 45 ff 48 39 c3 0f 84 38 ff ff ff e8 e2
> 86 cb ff 48 c7 c6 00 19 58 8b 48 89 df e8 e3 4b 11 00 90 <0f> 0b e8 6b 0d
> 2d 00 e9 f1 fe ff ff e8 61 0d 2d 00 eb a3 48 89 df
> RSP: 0018:ffffc9000c55ee30 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: ffffea0000496f80 RCX: ffffc9000c55ecd8
> RDX: ffff88805f401e00 RSI: ffffffff81c1362d RDI: ffff88805f402244
> RBP: 0000000000000001 R08: 0000000000000000 R09: fffffbfff203a591
> R10: ffffffff901d2c8f R11: 0000000000000001 R12: 00000000000014df
> R13: 0000000000000000 R14: dffffc0000000000 R15: 1ffff920018abdf4
> FS: 00007f08b31bc6c0(0000) GS:ffff8880b8600000(0000)
> knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000000c0025ff000 CR3: 00000000341ce000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <TASK>
> folio_test_locked include/linux/page-flags.h:509 [inline]
> next_uptodate_folio+0xac/0x4b0 mm/filemap.c:3505
> filemap_map_pages+0x1c6/0x16a0 mm/filemap.c:3647
> do_fault_around mm/memory.c:5255 [inline]
> do_read_fault mm/memory.c:5288 [inline]
> do_fault mm/memory.c:5431 [inline]
> do_pte_missing+0xdae/0x3e70 mm/memory.c:3965
> handle_pte_fault mm/memory.c:5766 [inline]
> __handle_mm_fault+0x100a/0x2a10 mm/memory.c:5909
> handle_mm_fault+0x3fa/0xaa0 mm/memory.c:6077
> faultin_page mm/gup.c:1187 [inline]
> __get_user_pages+0x8d9/0x3b50 mm/gup.c:1485
> __get_user_pages_locked mm/gup.c:1751 [inline]
> get_dump_page+0xfb/0x220 mm/gup.c:2269
> dump_user_range+0x135/0x8c0 fs/coredump.c:943
> elf_core_dump+0x2766/0x3840 fs/binfmt_elf.c:2121
> do_coredump+0x2c42/0x4160 fs/coredump.c:758
> get_signal+0x237c/0x26d0 kernel/signal.c:2903
> arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
> exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
> exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
> irqentry_exit_to_user_mode+0x13f/0x280 kernel/entry/common.c:231
> asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
> RIP: 0033:0x1000
> Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> RSP: 002b:000000000000010c EFLAGS: 00010246
> RAX: 0000000000000000 RBX: 00007f08b41363b8 RCX: 00007f08b3f7e759
> RDX: ffffffffff600000 RSI: 0000000000000104 RDI: 8000000000000000
> RBP: 00007f08b3ff175e R08: 0000000100000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 0000000000000000 R14: 00007f08b41363b8 R15: 00007fff7656a008
> </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:const_folio_flags.constprop.0+0x12e/0x150
> include/linux/page-flags.h:309
> Code: 86 cb ff e8 f4 86 cb ff 48 8d 45 ff 48 39 c3 0f 84 38 ff ff ff e8 e2
> 86 cb ff 48 c7 c6 00 19 58 8b 48 89 df e8 e3 4b 11 00 90 <0f> 0b e8 6b 0d
> 2d 00 e9 f1 fe ff ff e8 61 0d 2d 00 eb a3 48 89 df
> RSP: 0018:ffffc9000c55ee30 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: ffffea0000496f80 RCX: ffffc9000c55ecd8
> RDX: ffff88805f401e00 RSI: ffffffff81c1362d RDI: ffff88805f402244
> RBP: 0000000000000001 R08: 0000000000000000 R09: fffffbfff203a591
> R10: ffffffff901d2c8f R11: 0000000000000001 R12: 00000000000014df
> R13: 0000000000000000 R14: dffffc0000000000 R15: 1ffff920018abdf4
> FS: 00007f08b31bc6c0(0000) GS:ffff8880b8700000(0000)
> knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fff76568ff8 CR3: 00000000341ce000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
>
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion visit
> https://groups.google.com/d/msgid/syzkaller-bugs/674184c9.050a0220.1cc393.0001.GAE%40google.com
> .
>
[-- Attachment #1.2: Type: text/html, Size: 9393 bytes --]
[-- Attachment #2: 0001-v2fix-kernel-BUG-in-const_folio_flags.patch --]
[-- Type: text/x-patch, Size: 1179 bytes --]
From 332c11344a3c5b064982d556dd40c7a17fdf44e9 Mon Sep 17 00:00:00 2001
From: Suraj Sonawane <surajsonawane0215@gmail.com>
Date: Mon, 25 Nov 2024 13:19:48 +0530
Subject: [PATCH] v2fix kernel BUG in const_folio_flags
syz test
Signed-off-by: Suraj Sonawane <surajsonawane0215@gmail.com>
---
include/linux/page-flags.h | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h
index 2220bfec2..214ad9d6d 100644
--- a/include/linux/page-flags.h
+++ b/include/linux/page-flags.h
@@ -8,6 +8,7 @@
#include <linux/types.h>
#include <linux/bug.h>
+#include <linux/mm.h>
#include <linux/mmdebug.h>
#ifndef __GENERATING_BOUNDS_H
#include <linux/mm_types.h>
@@ -306,6 +307,12 @@ static const unsigned long *const_folio_flags(const struct folio *folio,
{
const struct page *page = &folio->page;
+ long nr_pages = folio_nr_pages(folio);
+ if (n >= nr_pages) {
+ pr_err("Invalid folio index: n=%u, folio_nr_pages=%u\n", n, folio_nr_pages(folio));
+ return -EINVAL;
+ }
+
VM_BUG_ON_PGFLAGS(PageTail(page), page);
VM_BUG_ON_PGFLAGS(n > 0 && !test_bit(PG_head, &page->flags), page);
return &page[n].flags;
--
2.34.1
^ permalink raw reply [flat|nested] 21+ messages in thread* Re: [syzbot] [mm?] kernel BUG in const_folio_flags (2)
2024-11-23 7:31 [syzbot] [mm?] kernel BUG in const_folio_flags (2) syzbot
` (4 preceding siblings ...)
2024-11-25 7:57 ` Suraj Sonawane
@ 2024-11-25 13:12 ` Suraj Sonawane
2024-11-25 13:43 ` syzbot
2024-11-28 10:52 ` David Hildenbrand
2024-11-28 12:57 ` David Hildenbrand
7 siblings, 1 reply; 21+ messages in thread
From: Suraj Sonawane @ 2024-11-25 13:12 UTC (permalink / raw)
To: syzbot; +Cc: akpm, linux-kernel, linux-mm, syzkaller-bugs
[-- Attachment #1.1: Type: text/plain, Size: 7380 bytes --]
#syz test
On Sat, Nov 23, 2024 at 1:01 PM syzbot <
syzbot+9f9a7f73fb079b2387a6@syzkaller.appspotmail.com> wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 9fb2cfa4635a Merge tag 'pull-ufs' of git://git.kernel.org/
> ..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10042930580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c4515f1b6a4e50b7
> dashboard link:
> https://syzkaller.appspot.com/bug?extid=9f9a7f73fb079b2387a6
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for
> Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=105ff2e8580000
>
> Downloadable assets:
> disk image:
> https://storage.googleapis.com/syzbot-assets/7c0c61a15f60/disk-9fb2cfa4.raw.xz
> vmlinux:
> https://storage.googleapis.com/syzbot-assets/3363d84eeb74/vmlinux-9fb2cfa4.xz
> kernel image:
> https://storage.googleapis.com/syzbot-assets/2b1a270af550/bzImage-9fb2cfa4.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the
> commit:
> Reported-by: syzbot+9f9a7f73fb079b2387a6@syzkaller.appspotmail.com
>
> madvise_pageout_page_range mm/madvise.c:609 [inline]
> madvise_pageout+0x326/0x820 mm/madvise.c:636
> madvise_vma_behavior+0x58c/0x19e0 mm/madvise.c:1045
> madvise_walk_vmas+0x1cf/0x2c0 mm/madvise.c:1274
> do_madvise+0x29d/0x700 mm/madvise.c:1461
> __do_sys_madvise mm/madvise.c:1477 [inline]
> __se_sys_madvise mm/madvise.c:1475 [inline]
> __x64_sys_madvise+0xa9/0x110 mm/madvise.c:1475
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
> ------------[ cut here ]------------
> kernel BUG at include/linux/page-flags.h:309!
> Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
> CPU: 0 UID: 0 PID: 7269 Comm: syz.1.183 Not tainted
> 6.12.0-syzkaller-00233-g9fb2cfa4635a #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 10/30/2024
> RIP: 0010:const_folio_flags.constprop.0+0x12e/0x150
> include/linux/page-flags.h:309
> Code: 86 cb ff e8 f4 86 cb ff 48 8d 45 ff 48 39 c3 0f 84 38 ff ff ff e8 e2
> 86 cb ff 48 c7 c6 00 19 58 8b 48 89 df e8 e3 4b 11 00 90 <0f> 0b e8 6b 0d
> 2d 00 e9 f1 fe ff ff e8 61 0d 2d 00 eb a3 48 89 df
> RSP: 0018:ffffc9000c55ee30 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: ffffea0000496f80 RCX: ffffc9000c55ecd8
> RDX: ffff88805f401e00 RSI: ffffffff81c1362d RDI: ffff88805f402244
> RBP: 0000000000000001 R08: 0000000000000000 R09: fffffbfff203a591
> R10: ffffffff901d2c8f R11: 0000000000000001 R12: 00000000000014df
> R13: 0000000000000000 R14: dffffc0000000000 R15: 1ffff920018abdf4
> FS: 00007f08b31bc6c0(0000) GS:ffff8880b8600000(0000)
> knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000000c0025ff000 CR3: 00000000341ce000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <TASK>
> folio_test_locked include/linux/page-flags.h:509 [inline]
> next_uptodate_folio+0xac/0x4b0 mm/filemap.c:3505
> filemap_map_pages+0x1c6/0x16a0 mm/filemap.c:3647
> do_fault_around mm/memory.c:5255 [inline]
> do_read_fault mm/memory.c:5288 [inline]
> do_fault mm/memory.c:5431 [inline]
> do_pte_missing+0xdae/0x3e70 mm/memory.c:3965
> handle_pte_fault mm/memory.c:5766 [inline]
> __handle_mm_fault+0x100a/0x2a10 mm/memory.c:5909
> handle_mm_fault+0x3fa/0xaa0 mm/memory.c:6077
> faultin_page mm/gup.c:1187 [inline]
> __get_user_pages+0x8d9/0x3b50 mm/gup.c:1485
> __get_user_pages_locked mm/gup.c:1751 [inline]
> get_dump_page+0xfb/0x220 mm/gup.c:2269
> dump_user_range+0x135/0x8c0 fs/coredump.c:943
> elf_core_dump+0x2766/0x3840 fs/binfmt_elf.c:2121
> do_coredump+0x2c42/0x4160 fs/coredump.c:758
> get_signal+0x237c/0x26d0 kernel/signal.c:2903
> arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
> exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
> exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
> irqentry_exit_to_user_mode+0x13f/0x280 kernel/entry/common.c:231
> asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
> RIP: 0033:0x1000
> Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> RSP: 002b:000000000000010c EFLAGS: 00010246
> RAX: 0000000000000000 RBX: 00007f08b41363b8 RCX: 00007f08b3f7e759
> RDX: ffffffffff600000 RSI: 0000000000000104 RDI: 8000000000000000
> RBP: 00007f08b3ff175e R08: 0000000100000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 0000000000000000 R14: 00007f08b41363b8 R15: 00007fff7656a008
> </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:const_folio_flags.constprop.0+0x12e/0x150
> include/linux/page-flags.h:309
> Code: 86 cb ff e8 f4 86 cb ff 48 8d 45 ff 48 39 c3 0f 84 38 ff ff ff e8 e2
> 86 cb ff 48 c7 c6 00 19 58 8b 48 89 df e8 e3 4b 11 00 90 <0f> 0b e8 6b 0d
> 2d 00 e9 f1 fe ff ff e8 61 0d 2d 00 eb a3 48 89 df
> RSP: 0018:ffffc9000c55ee30 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: ffffea0000496f80 RCX: ffffc9000c55ecd8
> RDX: ffff88805f401e00 RSI: ffffffff81c1362d RDI: ffff88805f402244
> RBP: 0000000000000001 R08: 0000000000000000 R09: fffffbfff203a591
> R10: ffffffff901d2c8f R11: 0000000000000001 R12: 00000000000014df
> R13: 0000000000000000 R14: dffffc0000000000 R15: 1ffff920018abdf4
> FS: 00007f08b31bc6c0(0000) GS:ffff8880b8700000(0000)
> knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fff76568ff8 CR3: 00000000341ce000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
>
> --
> You received this message because you are subscribed to the Google Groups
> "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion visit
> https://groups.google.com/d/msgid/syzkaller-bugs/674184c9.050a0220.1cc393.0001.GAE%40google.com
> .
>
[-- Attachment #1.2: Type: text/html, Size: 9393 bytes --]
[-- Attachment #2: 40001-fix-kernel-BUG-in-const_folio_flags-2(2).patch --]
[-- Type: text/x-patch, Size: 1043 bytes --]
From 26b892d116fabd0395de4dcddbeb2dfdbd4a7426 Mon Sep 17 00:00:00 2001
From: Suraj Sonawane <surajsonawane0215@gmail.com>
Date: Mon, 25 Nov 2024 12:22:12 +0530
Subject: [PATCH] fix kernel BUG in const_folio_flags (2)
syz test
Signed-off-by: Suraj Sonawane <surajsonawane0215@gmail.com>
---
include/linux/page-flags.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/include/linux/page-flags.h b/include/linux/page-flags.h
index 908ee0aad..ab562ff45 100644
--- a/include/linux/page-flags.h
+++ b/include/linux/page-flags.h
@@ -306,6 +306,12 @@ static const unsigned long *const_folio_flags(const struct folio *folio,
{
const struct page *page = &folio->page;
+ /* Add a check for n to ensure it's within bounds. */
+ if (n >= (1 << (PAGE_SHIFT - PAGE_SHIFT))) {
+ // pr_err("Invalid folio index: n=%u, folio_nr_pages=%u\n", n, folio_nr_pages(folio));
+ return -EINVAL;
+ }
+
VM_BUG_ON_PGFLAGS(PageTail(page), page);
VM_BUG_ON_PGFLAGS(n > 0 && !test_bit(PG_head, &page->flags), page);
return &page[n].flags;
--
2.34.1
^ permalink raw reply [flat|nested] 21+ messages in thread* Re: [syzbot] [mm?] kernel BUG in const_folio_flags (2)
2024-11-25 13:12 ` Suraj Sonawane
@ 2024-11-25 13:43 ` syzbot
0 siblings, 0 replies; 21+ messages in thread
From: syzbot @ 2024-11-25 13:43 UTC (permalink / raw)
To: akpm, linux-kernel, linux-mm, surajsonawane0215, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
pci 0000:00:01.0: [8086:7110] type 00 class 0x060100 conventional PCI endpoint
[ 3.290039][ T1] pci 0000:00:01.3: [8086:7113] type 00 class 0x068000 conventional PCI endpoint
[ 3.312848][ T1] pci 0000:00:01.3: quirk: [io 0xb000-0xb03f] claimed by PIIX4 ACPI
[ 3.318949][ T1] pci 0000:00:03.0: [1af4:1004] type 00 class 0x000000 conventional PCI endpoint
[ 3.329795][ T1] pci 0000:00:03.0: BAR 0 [io 0xc000-0xc03f]
[ 3.337001][ T1] pci 0000:00:03.0: BAR 1 [mem 0xfe800000-0xfe80007f]
[ 3.361051][ T1] pci 0000:00:04.0: [1af4:1000] type 00 class 0x020000 conventional PCI endpoint
[ 3.373573][ T1] pci 0000:00:04.0: BAR 0 [io 0xc040-0xc07f]
[ 3.382024][ T1] pci 0000:00:04.0: BAR 1 [mem 0xfe801000-0xfe80107f]
[ 3.402560][ T1] pci 0000:00:05.0: [1ae0:a002] type 00 class 0x030000 conventional PCI endpoint
[ 3.410376][ T1] pci 0000:00:05.0: BAR 0 [mem 0xfe000000-0xfe7fffff]
[ 3.434234][ T1] pci 0000:00:05.0: Video device with shadowed ROM at [mem 0x000c0000-0x000dffff]
[ 3.441110][ T1] pci 0000:00:06.0: [1af4:1002] type 00 class 0x00ff00 conventional PCI endpoint
[ 3.450821][ T1] pci 0000:00:06.0: BAR 0 [io 0xc080-0xc09f]
[ 3.473565][ T1] pci 0000:00:07.0: [1af4:1005] type 00 class 0x00ff00 conventional PCI endpoint
[ 3.482224][ T1] pci 0000:00:07.0: BAR 0 [io 0xc0a0-0xc0bf]
[ 3.488084][ T1] pci 0000:00:07.0: BAR 1 [mem 0xfe802000-0xfe80203f]
[ 3.532666][ T1] ACPI: PCI: Interrupt link LNKA configured for IRQ 10
[ 3.540225][ T1] ACPI: PCI: Interrupt link LNKB configured for IRQ 10
[ 3.546704][ T1] ACPI: PCI: Interrupt link LNKC configured for IRQ 11
[ 3.552639][ T1] ACPI: PCI: Interrupt link LNKD configured for IRQ 11
[ 3.557841][ T1] ACPI: PCI: Interrupt link LNKS configured for IRQ 9
[ 3.574126][ T1] iommu: Default domain type: Translated
[ 3.574126][ T1] iommu: DMA domain TLB invalidation policy: lazy mode
[ 3.579938][ T1] SCSI subsystem initialized
[ 3.588656][ T1] ACPI: bus type USB registered
[ 3.590200][ T1] usbcore: registered new interface driver usbfs
[ 3.591536][ T1] usbcore: registered new interface driver hub
[ 3.592765][ T1] usbcore: registered new device driver usb
[ 3.597008][ T1] mc: Linux media interface: v0.10
[ 3.597222][ T1] videodev: Linux video capture interface: v2.00
[ 3.599410][ T1] pps_core: LinuxPPS API ver. 1 registered
[ 3.601032][ T1] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
[ 3.603659][ T1] PTP clock support registered
[ 3.627151][ T1] EDAC MC: Ver: 3.0.0
[ 3.633364][ T1] Advanced Linux Sound Architecture Driver Initialized.
[ 3.641413][ T1] Bluetooth: Core ver 2.22
[ 3.642536][ T1] NET: Registered PF_BLUETOOTH protocol family
[ 3.643486][ T1] Bluetooth: HCI device and connection manager initialized
[ 3.645664][ T1] Bluetooth: HCI socket layer initialized
[ 3.647000][ T1] Bluetooth: L2CAP socket layer initialized
[ 3.648804][ T1] Bluetooth: SCO socket layer initialized
[ 3.649970][ T1] NET: Registered PF_ATMPVC protocol family
[ 3.650883][ T1] NET: Registered PF_ATMSVC protocol family
[ 3.652410][ T1] NetLabel: Initializing
[ 3.653688][ T1] NetLabel: domain hash size = 128
[ 3.654598][ T1] NetLabel: protocols = UNLABELED CIPSOv4 CALIPSO
[ 3.656547][ T1] NetLabel: unlabeled traffic allowed by default
[ 3.658572][ T1] nfc: nfc_init: NFC Core ver 0.1
[ 3.660263][ T1] NET: Registered PF_NFC protocol family
[ 3.662155][ T1] PCI: Using ACPI for IRQ routing
[ 3.664326][ T1] pci 0000:00:05.0: vgaarb: setting as boot VGA device
[ 3.665828][ T1] pci 0000:00:05.0: vgaarb: bridge control possible
[ 3.666971][ T1] pci 0000:00:05.0: vgaarb: VGA device added: decodes=io+mem,owns=io+mem,locks=none
[ 3.667008][ T1] vgaarb: loaded
[ 3.672240][ T1] clocksource: Switched to clocksource kvm-clock
[ 3.688400][ T1] VFS: Disk quotas dquot_6.6.0
[ 3.695631][ T1] VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
[ 3.700793][ T1] netfs: FS-Cache loaded
[ 3.703476][ T1] CacheFiles: Loaded
[ 3.705257][ T1] TOMOYO: 2.6.0
[ 3.706280][ T1] Mandatory Access Control activated.
[ 3.712222][ T1] AppArmor: AppArmor Filesystem Enabled
[ 3.714157][ T1] pnp: PnP ACPI init
[ 3.736384][ T1] pnp: PnP ACPI: found 7 devices
[ 3.842531][ T1] clocksource: acpi_pm: mask: 0xffffff max_cycles: 0xffffff, max_idle_ns: 2085701024 ns
[ 3.845775][ T1] NET: Registered PF_INET protocol family
[ 3.852225][ T1] IP idents hash table entries: 131072 (order: 8, 1048576 bytes, vmalloc)
[ 3.865960][ T1] tcp_listen_portaddr_hash hash table entries: 4096 (order: 6, 294912 bytes, vmalloc)
[ 3.869201][ T1] Table-perturb hash table entries: 65536 (order: 6, 262144 bytes, vmalloc)
[ 3.873508][ T1] TCP established hash table entries: 65536 (order: 7, 524288 bytes, vmalloc)
[ 3.886899][ T1] TCP bind hash table entries: 65536 (order: 11, 9437184 bytes, vmalloc hugepage)
[ 3.899560][ T1] TCP: Hash tables configured (established 65536 bind 65536)
[ 3.905432][ T1] MPTCP token hash table entries: 8192 (order: 7, 720896 bytes, vmalloc)
[ 3.913210][ T1] UDP hash table entries: 4096 (order: 8, 1048576 bytes, vmalloc)
[ 3.919893][ T1] UDP-Lite hash table entries: 4096 (order: 8, 1048576 bytes, vmalloc)
[ 3.924198][ T1] NET: Registered PF_UNIX/PF_LOCAL protocol family
[ 3.939126][ T1] RPC: Registered named UNIX socket transport module.
[ 3.940606][ T1] RPC: Registered udp transport module.
[ 3.942512][ T1] RPC: Registered tcp transport module.
[ 3.943938][ T1] RPC: Registered tcp-with-tls transport module.
[ 3.945413][ T1] RPC: Registered tcp NFSv4.1 backchannel transport module.
[ 3.962055][ T1] NET: Registered PF_XDP protocol family
[ 3.963139][ T1] pci_bus 0000:00: resource 4 [io 0x0000-0x0cf7 window]
[ 3.964999][ T1] pci_bus 0000:00: resource 5 [io 0x0d00-0xffff window]
[ 3.966783][ T1] pci_bus 0000:00: resource 6 [mem 0x000a0000-0x000bffff window]
[ 3.969251][ T1] pci_bus 0000:00: resource 7 [mem 0xc0000000-0xfebfefff window]
[ 3.972090][ T1] pci 0000:00:00.0: Limiting direct PCI/PCI transfers
[ 3.974068][ T1] PCI: CLS 0 bytes, default 64
[ 3.982313][ T52] BUG: unable to handle page fault for address: ffffffffffffffea
[ 3.984585][ T52] #PF: supervisor read access in kernel mode
[ 3.986189][ T52] #PF: error_code(0x0000) - not-present page
[ 3.987390][ T52] PGD db82067 P4D db82067 PUD db84067 PMD 0
[ 3.987390][ T52] Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
[ 3.987390][ T52] CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.12.0-syzkaller-09073-g9f16d5e6f220-dirty #0
[ 3.987390][ T52] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 3.987390][ T52] Workqueue: async async_run_entry_fn
[ 3.987390][ T52] RIP: 0010:__folio_put+0x239/0x470
[ 3.987390][ T52] Code: ff ff fb ff ff 80 fa 02 0f 9e c1 84 d2 0f 95 c2 84 d1 0f 85 04 02 00 00 3c 01 0f 9e c2 84 c0 0f 95 c0 84 c2 0f 85 f2 01 00 00 <4c> 8b 24 25 ea ff ff ff 31 ff 49 c1 ec 09 41 83 e4 01 44 89 e6 e8
[ 3.997515][ T1] PCI-DMA: Using software bounce buffering for IO (SWIOTLB)
[ 3.997439][ T52] RSP: 0000:ffffc90000bd7a38 EFLAGS: 00010246
[ 4.002041][ T1] software IO TLB: mapped [mem 0x00000000b4600000-0x00000000b8600000] (64MB)
[ 3.997439][ T52] RAX: fffffbffffffff00 RBX: ffffea00006dfc00 RCX: ffffffff81c85201
[ 4.004393][ T1] ACPI: bus type thunderbolt registered
[ 3.997439][ T52] RDX: fffffbffffffff01 RSI: 0000000000000008 RDI: ffffffffffffffea
[ 4.007324][ T52] RBP: 1ffff9200017af47 R08: 0000000000000000 R09: fffffbfffffffffe
[ 4.007324][ T52] R10: fffffffffffffff1 R11: 0000000000000002 R12: 0000000000000002
[ 4.010853][ T1] RAPL PMU: API unit is 2^-32 Joules, 0 fixed counters, 10737418240 ms ovfl timer
[ 4.007324][ T52] R13: ffffffff91b2f320 R14: ffffffff91b2f320 R15: ffff8881472f14c8
[ 4.007324][ T52] FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
[ 4.007324][ T52] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 4.007324][ T52] CR2: ffffffffffffffea CR3: 000000000db7e000 CR4: 00000000003506f0
[ 4.007324][ T52] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 4.007324][ T52] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 4.007324][ T52] Call Trace:
[ 4.007324][ T52] <TASK>
[ 4.007324][ T52] ? __die+0x1e/0x60
[ 4.007324][ T52] ? page_fault_oops+0x3b6/0xb80
[ 4.007324][ T52] ? __pfx_page_fault_oops+0x10/0x10
[ 4.007324][ T52] ? __pfx_lock_release+0x10/0x10
[ 4.007324][ T52] ? trace_lock_acquire+0x146/0x1e0
[ 4.007324][ T52] ? is_prefetch.constprop.0+0x9d/0x520
[ 4.007324][ T52] ? lock_acquire+0x2f/0xb0
[ 4.007324][ T52] ? search_bpf_extables+0x36/0x320
[ 4.007324][ T52] ? bpf_ksym_find+0x124/0x1c0
[ 4.007324][ T52] ? __pfx_is_prefetch.constprop.0+0x10/0x10
[ 4.007324][ T52] ? fixup_exception+0x10c/0xaf0
[ 4.007324][ T52] ? kernelmode_fixup_or_oops.constprop.0+0xb8/0xe0
[ 4.007324][ T52] ? __bad_area_nosemaphore+0x390/0x6a0
[ 4.007324][ T52] ? spurious_kernel_fault+0x234/0x3a0
[ 4.007324][ T52] ? hlock_class+0x4e/0x130
[ 4.007324][ T52] ? do_kern_addr_fault+0x5b/0x80
[ 4.007324][ T52] ? exc_page_fault+0xb1/0xc0
[ 4.007324][ T52] ? asm_exc_page_fault+0x26/0x30
[ 4.007324][ T52] ? __folio_put+0x1f1/0x470
[ 4.007324][ T52] ? __folio_put+0x239/0x470
[ 4.007324][ T52] ? __folio_put+0x1ff/0x470
[ 4.007324][ T52] ? __pfx___folio_put+0x10/0x10
[ 4.007324][ T52] ? free_large_kmalloc+0xaa/0x140
[ 4.007324][ T52] ? lockdep_hardirqs_on+0x7c/0x110
[ 4.007324][ T52] unpack_to_rootfs+0x4c6/0x820
[ 4.007324][ T52] ? __pfx_mark_lock+0x10/0x10
[ 4.007324][ T52] ? __pfx_unpack_to_rootfs+0x10/0x10
[ 4.007324][ T52] ? find_held_lock+0x2d/0x110
[ 4.007324][ T52] ? async_run_entry_fn+0x35/0x530
[ 4.007324][ T52] ? __pfx_do_populate_rootfs+0x10/0x10
[ 4.007324][ T52] ? do_populate_rootfs+0x8e/0x770
[ 4.007324][ T52] do_populate_rootfs+0x8e/0x770
[ 4.007324][ T52] ? __pfx_do_populate_rootfs+0x10/0x10
[ 4.007324][ T52] ? kvm_clock_get_cycles+0x40/0x70
[ 4.007324][ T52] ? ktime_get+0x1ac/0x300
[ 4.007324][ T52] ? __pfx_do_populate_rootfs+0x10/0x10
[ 4.007324][ T52] async_run_entry_fn+0x9c/0x530
[ 4.007324][ T52] process_one_work+0x958/0x1b30
[ 4.007324][ T52] ? __pfx_lock_acquire.part.0+0x10/0x10
[ 4.007324][ T52] ? __pfx_process_one_work+0x10/0x10
[ 4.007324][ T52] ? rcu_is_watching+0x12/0xc0
[ 4.007324][ T52] ? assign_work+0x1a0/0x250
[ 4.007324][ T52] worker_thread+0x6c8/0xf00
[ 4.007324][ T52] ? __kthread_parkme+0x148/0x220
[ 4.007324][ T52] ? __pfx_worker_thread+0x10/0x10
[ 4.007324][ T52] kthread+0x2c1/0x3a0
[ 4.007324][ T52] ? _raw_spin_unlock_irq+0x23/0x50
[ 4.007324][ T52] ? __pfx_kthread+0x10/0x10
[ 4.007324][ T52] ret_from_fork+0x45/0x80
[ 4.007324][ T52] ? __pfx_kthread+0x10/0x10
[ 4.007324][ T52] ret_from_fork_asm+0x1a/0x30
[ 4.007324][ T52] </TASK>
[ 4.007324][ T52] Modules linked in:
[ 4.007324][ T52] CR2: ffffffffffffffea
[ 4.007324][ T52] ---[ end trace 0000000000000000 ]---
[ 4.007324][ T52] RIP: 0010:__folio_put+0x239/0x470
[ 4.007324][ T52] Code: ff ff fb ff ff 80 fa 02 0f 9e c1 84 d2 0f 95 c2 84 d1 0f 85 04 02 00 00 3c 01 0f 9e c2 84 c0 0f 95 c0 84 c2 0f 85 f2 01 00 00 <4c> 8b 24 25 ea ff ff ff 31 ff 49 c1 ec 09 41 83 e4 01 44 89 e6 e8
[ 4.007324][ T52] RSP: 0000:ffffc90000bd7a38 EFLAGS: 00010246
[ 4.007324][ T52] RAX: fffffbffffffff00 RBX: ffffea00006dfc00 RCX: ffffffff81c85201
[ 4.007324][ T52] RDX: fffffbffffffff01 RSI: 0000000000000008 RDI: ffffffffffffffea
[ 4.007324][ T52] RBP: 1ffff9200017af47 R08: 0000000000000000 R09: fffffbfffffffffe
[ 4.007324][ T52] R10: fffffffffffffff1 R11: 0000000000000002 R12: 0000000000000002
[ 4.007324][ T52] R13: ffffffff91b2f320 R14: ffffffff91b2f320 R15: ffff8881472f14c8
[ 4.007324][ T52] FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
[ 4.007324][ T52] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 4.007324][ T52] CR2: ffffffffffffffea CR3: 000000000db7e000 CR4: 00000000003506f0
[ 4.007324][ T52] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 4.007324][ T52] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 4.007324][ T52] Kernel panic - not syncing: Fatal exception
[ 4.007324][ T52] Rebooting in 86400 seconds..
syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.22.7'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2089203793=/tmp/go-build -gno-record-gcc-switches'
git status (err=<nil>)
HEAD detached at 571351cb80
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
go fmt ./sys/... >/dev/null
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=571351cb80e526bf973c8f11c46fa7f3bbc2da1e -X 'github.com/google/syzkaller/prog.gitRevisionDate=20241118-105802'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"571351cb80e526bf973c8f11c46fa7f3bbc2da1e\"
/usr/bin/ld: /tmp/cctrbPCi.o: in function `test_cover_filter()':
executor.cc:(.text+0x1426b): warning: the use of `tempnam' is dangerous, better use `mkstemp'
/usr/bin/ld: /tmp/cctrbPCi.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=16fadee8580000
Tested on:
commit: 9f16d5e6 Merge tag 'for-linus' of git://git.kernel.org..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=47cc5fc1922531f
dashboard link: https://syzkaller.appspot.com/bug?extid=9f9a7f73fb079b2387a6
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12666530580000
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [syzbot] [mm?] kernel BUG in const_folio_flags (2)
2024-11-23 7:31 [syzbot] [mm?] kernel BUG in const_folio_flags (2) syzbot
` (5 preceding siblings ...)
2024-11-25 13:12 ` Suraj Sonawane
@ 2024-11-28 10:52 ` David Hildenbrand
2024-11-28 11:42 ` Hillf Danton
2024-11-28 12:57 ` David Hildenbrand
7 siblings, 1 reply; 21+ messages in thread
From: David Hildenbrand @ 2024-11-28 10:52 UTC (permalink / raw)
To: syzbot, akpm, linux-kernel, linux-mm, syzkaller-bugs, Matthew Wilcox
On 23.11.24 08:31, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 9fb2cfa4635a Merge tag 'pull-ufs' of git://git.kernel.org/..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10042930580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c4515f1b6a4e50b7
> dashboard link: https://syzkaller.appspot.com/bug?extid=9f9a7f73fb079b2387a6
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=105ff2e8580000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/7c0c61a15f60/disk-9fb2cfa4.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/3363d84eeb74/vmlinux-9fb2cfa4.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/2b1a270af550/bzImage-9fb2cfa4.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+9f9a7f73fb079b2387a6@syzkaller.appspotmail.com
>
Staring at the console output:
[ 520.222112][ T7269] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x1403 pfn:0x125be
[ 520.362213][ T7269] head: order:9 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 520.411963][ T7269] memcg:ffff88807c73c000
[ 520.492069][ T7269] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 520.499844][ T7269] raw: 00fff00000000000 ffffea0000490001 dead000000000122 dead000000000400
[ 520.551982][ T7269] raw: 00000000000014d0 0000000000000000 00000000ffffffff 0000000000000000
[ 520.560912][ T7269] head: 00fff00000000040 0000000000000000 dead000000000122 0000000000000000
[ 520.672020][ T7269] head: 0000000000001245 0000000000000000 00000001ffffffff ffff88807c73c000
[ 520.735699][ T7269] head: 00fff00000000209 ffffea0000490001 ffffffffffffffff 0000000000000000
[ 520.901989][ T7269] head: 0000000000000200 0000000000000000 00000000ffffffff 0000000000000000
[ 520.991952][ T7269] page dumped because: VM_BUG_ON_PAGE(PageTail(page))
[ 521.086487][ T7269] page_owner tracks the page as allocated
[ 521.132208][ T7269] page last allocated via order 0, migratetype Movable, gfp_mask 0x3d24ca(GFP_TRANSHUGE|__GFP_NORETRY|
^order 0 looks wrong, but let;s not get distracted.
__GFP_THISNODE), pid 7321, tgid 7321 (syz.1.194), ts 520201520231, free_ts 520193076092
[ 521.272012][ T7269] post_alloc_hook+0x2d1/0x350
[ 521.276977][ T7269] __alloc_pages_direct_compact+0x20e/0x590
[ 521.314428][ T7269] __alloc_pages_noprof+0x182b/0x25a0
[ 521.319975][ T7269] alloc_pages_mpol_noprof+0x282/0x610
[ 521.420092][ T7269] folio_alloc_mpol_noprof+0x36/0xd0
[ 521.483167][ T7269] vma_alloc_folio_noprof+0xee/0x1b0
[ 521.539677][ T7269] do_huge_pmd_anonymous_page+0x258/0x2ae0
...
[ 521.851719][ T7269] page last free pid 7323 tgid 7321 stack trace:
[ 521.972611][ T7269] free_unref_folios+0xa87/0x14f0
[ 521.977735][ T7269] folios_put_refs+0x587/0x7b0
[ 522.072508][ T7269] folio_batch_move_lru+0x2c4/0x3b0
[ 522.077794][ T7269] __folio_batch_add_and_move+0x35b/0xc60
[ 522.191992][ T7269] reclaim_folio_list+0x205/0x3a0
[ 522.197131][ T7269] reclaim_pages+0x481/0x650
[ 522.201760][ T7269] madvise_cold_or_pageout_pte_range+0x163b/0x20d0
...
So we allocated a order-9 anonymous folio, but suddenly find it via shmem in the pagecache?
Is this some crazy use-after-free / double-free, where we end up freeing a shmem folio
that is still in the pagecache? Once freed, it gets merged in the buddy, and we then re-allocate
it as part of a PMD THP; but shmem still finds it in the pagecache, and as the it's now suddenly
a tail page, the folio checks trigger.
Maybe the MADV_COLD / MADV_PAGEOUT is a valid hint. But I'm not able to
spot obvious refcount handling issues there.
> madvise_pageout_page_range mm/madvise.c:609 [inline]
> madvise_pageout+0x326/0x820 mm/madvise.c:636
> madvise_vma_behavior+0x58c/0x19e0 mm/madvise.c:1045
> madvise_walk_vmas+0x1cf/0x2c0 mm/madvise.c:1274
> do_madvise+0x29d/0x700 mm/madvise.c:1461
> __do_sys_madvise mm/madvise.c:1477 [inline]
> __se_sys_madvise mm/madvise.c:1475 [inline]
> __x64_sys_madvise+0xa9/0x110 mm/madvise.c:1475
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
> ------------[ cut here ]------------
> kernel BUG at include/linux/page-flags.h:309!
> Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
> CPU: 0 UID: 0 PID: 7269 Comm: syz.1.183 Not tainted 6.12.0-syzkaller-00233-g9fb2cfa4635a #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
> RIP: 0010:const_folio_flags.constprop.0+0x12e/0x150 include/linux/page-flags.h:309
> Code: 86 cb ff e8 f4 86 cb ff 48 8d 45 ff 48 39 c3 0f 84 38 ff ff ff e8 e2 86 cb ff 48 c7 c6 00 19 58 8b 48 89 df e8 e3 4b 11 00 90 <0f> 0b e8 6b 0d 2d 00 e9 f1 fe ff ff e8 61 0d 2d 00 eb a3 48 89 df
> RSP: 0018:ffffc9000c55ee30 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: ffffea0000496f80 RCX: ffffc9000c55ecd8
> RDX: ffff88805f401e00 RSI: ffffffff81c1362d RDI: ffff88805f402244
> RBP: 0000000000000001 R08: 0000000000000000 R09: fffffbfff203a591
> R10: ffffffff901d2c8f R11: 0000000000000001 R12: 00000000000014df
> R13: 0000000000000000 R14: dffffc0000000000 R15: 1ffff920018abdf4
> FS: 00007f08b31bc6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000000c0025ff000 CR3: 00000000341ce000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <TASK>
> folio_test_locked include/linux/page-flags.h:509 [inline]
> next_uptodate_folio+0xac/0x4b0 mm/filemap.c:3505
> filemap_map_pages+0x1c6/0x16a0 mm/filemap.c:3647
> do_fault_around mm/memory.c:5255 [inline]
> do_read_fault mm/memory.c:5288 [inline]
> do_fault mm/memory.c:5431 [inline]
> do_pte_missing+0xdae/0x3e70 mm/memory.c:3965
> handle_pte_fault mm/memory.c:5766 [inline]
> __handle_mm_fault+0x100a/0x2a10 mm/memory.c:5909
> handle_mm_fault+0x3fa/0xaa0 mm/memory.c:6077
> faultin_page mm/gup.c:1187 [inline]
> __get_user_pages+0x8d9/0x3b50 mm/gup.c:1485
> __get_user_pages_locked mm/gup.c:1751 [inline]
> get_dump_page+0xfb/0x220 mm/gup.c:2269
> dump_user_range+0x135/0x8c0 fs/coredump.c:943
> elf_core_dump+0x2766/0x3840 fs/binfmt_elf.c:2121
> do_coredump+0x2c42/0x4160 fs/coredump.c:758
> get_signal+0x237c/0x26d0 kernel/signal.c:2903
> arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
> exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
> exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
> irqentry_exit_to_user_mode+0x13f/0x280 kernel/entry/common.c:231
> asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
> RIP: 0033:0x1000
> Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> RSP: 002b:000000000000010c EFLAGS: 00010246
> RAX: 0000000000000000 RBX: 00007f08b41363b8 RCX: 00007f08b3f7e759
> RDX: ffffffffff600000 RSI: 0000000000000104 RDI: 8000000000000000
> RBP: 00007f08b3ff175e R08: 0000000100000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 0000000000000000 R14: 00007f08b41363b8 R15: 00007fff7656a008
> </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:const_folio_flags.constprop.0+0x12e/0x150 include/linux/page-flags.h:309
> Code: 86 cb ff e8 f4 86 cb ff 48 8d 45 ff 48 39 c3 0f 84 38 ff ff ff e8 e2 86 cb ff 48 c7 c6 00 19 58 8b 48 89 df e8 e3 4b 11 00 90 <0f> 0b e8 6b 0d 2d 00 e9 f1 fe ff ff e8 61 0d 2d 00 eb a3 48 89 df
> RSP: 0018:ffffc9000c55ee30 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: ffffea0000496f80 RCX: ffffc9000c55ecd8
> RDX: ffff88805f401e00 RSI: ffffffff81c1362d RDI: ffff88805f402244
> RBP: 0000000000000001 R08: 0000000000000000 R09: fffffbfff203a591
> R10: ffffffff901d2c8f R11: 0000000000000001 R12: 00000000000014df
> R13: 0000000000000000 R14: dffffc0000000000 R15: 1ffff920018abdf4
> FS: 00007f08b31bc6c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fff76568ff8 CR3: 00000000341ce000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
>
--
Cheers,
David / dhildenb
^ permalink raw reply [flat|nested] 21+ messages in thread* Re: [syzbot] [mm?] kernel BUG in const_folio_flags (2)
2024-11-28 10:52 ` David Hildenbrand
@ 2024-11-28 11:42 ` Hillf Danton
2024-11-28 12:02 ` David Hildenbrand
0 siblings, 1 reply; 21+ messages in thread
From: Hillf Danton @ 2024-11-28 11:42 UTC (permalink / raw)
To: David Hildenbrand
Cc: syzbot, linux-kernel, linux-mm, syzkaller-bugs, Matthew Wilcox
On Thu, 28 Nov 2024 11:52:42 +0100 David Hildenbrand <david@redhat.com>
> On 23.11.24 08:31, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: 9fb2cfa4635a Merge tag 'pull-ufs' of git://git.kernel.org/..
> > git tree: upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=10042930580000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=c4515f1b6a4e50b7
> > dashboard link: https://syzkaller.appspot.com/bug?extid=9f9a7f73fb079b2387a6
> > compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=105ff2e8580000
> >
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/7c0c61a15f60/disk-9fb2cfa4.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/3363d84eeb74/vmlinux-9fb2cfa4.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/2b1a270af550/bzImage-9fb2cfa4.xz
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+9f9a7f73fb079b2387a6@syzkaller.appspotmail.com
> >
>
> Staring at the console output:
>
> [ 520.222112][ T7269] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x1403 pfn:0x125be
->mapping is cleared for a order9 page
> [ 520.362213][ T7269] head: order:9 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
> [ 520.411963][ T7269] memcg:ffff88807c73c000
> [ 520.492069][ T7269] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
> [ 520.499844][ T7269] raw: 00fff00000000000 ffffea0000490001 dead000000000122 dead000000000400
> [ 520.551982][ T7269] raw: 00000000000014d0 0000000000000000 00000000ffffffff 0000000000000000
> [ 520.560912][ T7269] head: 00fff00000000040 0000000000000000 dead000000000122 0000000000000000
> [ 520.672020][ T7269] head: 0000000000001245 0000000000000000 00000001ffffffff ffff88807c73c000
> [ 520.735699][ T7269] head: 00fff00000000209 ffffea0000490001 ffffffffffffffff 0000000000000000
> [ 520.901989][ T7269] head: 0000000000000200 0000000000000000 00000000ffffffff 0000000000000000
> [ 520.991952][ T7269] page dumped because: VM_BUG_ON_PAGE(PageTail(page))
> [ 521.086487][ T7269] page_owner tracks the page as allocated
> [ 521.132208][ T7269] page last allocated via order 0, migratetype Movable, gfp_mask 0x3d24ca(GFP_TRANSHUGE|__GFP_NORETRY|
>
> ^order 0 looks wrong, but let;s not get distracted.
>
> __GFP_THISNODE), pid 7321, tgid 7321 (syz.1.194), ts 520201520231, free_ts 520193076092
> [ 521.272012][ T7269] post_alloc_hook+0x2d1/0x350
> [ 521.276977][ T7269] __alloc_pages_direct_compact+0x20e/0x590
> [ 521.314428][ T7269] __alloc_pages_noprof+0x182b/0x25a0
> [ 521.319975][ T7269] alloc_pages_mpol_noprof+0x282/0x610
> [ 521.420092][ T7269] folio_alloc_mpol_noprof+0x36/0xd0
> [ 521.483167][ T7269] vma_alloc_folio_noprof+0xee/0x1b0
> [ 521.539677][ T7269] do_huge_pmd_anonymous_page+0x258/0x2ae0
> ...
> [ 521.851719][ T7269] page last free pid 7323 tgid 7321 stack trace:
> [ 521.972611][ T7269] free_unref_folios+0xa87/0x14f0
> [ 521.977735][ T7269] folios_put_refs+0x587/0x7b0
> [ 522.072508][ T7269] folio_batch_move_lru+0x2c4/0x3b0
> [ 522.077794][ T7269] __folio_batch_add_and_move+0x35b/0xc60
> [ 522.191992][ T7269] reclaim_folio_list+0x205/0x3a0
> [ 522.197131][ T7269] reclaim_pages+0x481/0x650
> [ 522.201760][ T7269] madvise_cold_or_pageout_pte_range+0x163b/0x20d0
> ...
>
>
> So we allocated a order-9 anonymous folio, but suddenly find it via shmem in the pagecache?
>
> Is this some crazy use-after-free / double-free, where we end up freeing a shmem folio
> that is still in the pagecache? Once freed, it gets merged in the buddy, and we then re-allocate
> it as part of a PMD THP; but shmem still finds it in the pagecache, and as the it's now suddenly
It is not in the pagecache.
> a tail page, the folio checks trigger.
>
>
> Maybe the MADV_COLD / MADV_PAGEOUT is a valid hint. But I'm not able to
> spot obvious refcount handling issues there.
>
> > madvise_pageout_page_range mm/madvise.c:609 [inline]
> > madvise_pageout+0x326/0x820 mm/madvise.c:636
> > madvise_vma_behavior+0x58c/0x19e0 mm/madvise.c:1045
> > madvise_walk_vmas+0x1cf/0x2c0 mm/madvise.c:1274
> > do_madvise+0x29d/0x700 mm/madvise.c:1461
> > __do_sys_madvise mm/madvise.c:1477 [inline]
> > __se_sys_madvise mm/madvise.c:1475 [inline]
> > __x64_sys_madvise+0xa9/0x110 mm/madvise.c:1475
> > do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> > do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
> > ------------[ cut here ]------------
> > kernel BUG at include/linux/page-flags.h:309!
> > Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
> > CPU: 0 UID: 0 PID: 7269 Comm: syz.1.183 Not tainted 6.12.0-syzkaller-00233-g9fb2cfa4635a #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
> > RIP: 0010:const_folio_flags.constprop.0+0x12e/0x150 include/linux/page-flags.h:309
> > Code: 86 cb ff e8 f4 86 cb ff 48 8d 45 ff 48 39 c3 0f 84 38 ff ff ff e8 e2 86 cb ff 48 c7 c6 00 19 58 8b 48 89 df e8 e3 4b 11 00 90 <0f> 0b e8 6b 0d 2d 00 e9 f1 fe ff ff e8 61 0d 2d 00 eb a3 48 89 df
> > RSP: 0018:ffffc9000c55ee30 EFLAGS: 00010293
> > RAX: 0000000000000000 RBX: ffffea0000496f80 RCX: ffffc9000c55ecd8
> > RDX: ffff88805f401e00 RSI: ffffffff81c1362d RDI: ffff88805f402244
> > RBP: 0000000000000001 R08: 0000000000000000 R09: fffffbfff203a591
> > R10: ffffffff901d2c8f R11: 0000000000000001 R12: 00000000000014df
> > R13: 0000000000000000 R14: dffffc0000000000 R15: 1ffff920018abdf4
> > FS: 00007f08b31bc6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
> > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 000000c0025ff000 CR3: 00000000341ce000 CR4: 00000000003526f0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > Call Trace:
> > <TASK>
> > folio_test_locked include/linux/page-flags.h:509 [inline]
> > next_uptodate_folio+0xac/0x4b0 mm/filemap.c:3505
> > filemap_map_pages+0x1c6/0x16a0 mm/filemap.c:3647
> > do_fault_around mm/memory.c:5255 [inline]
> > do_read_fault mm/memory.c:5288 [inline]
> > do_fault mm/memory.c:5431 [inline]
> > do_pte_missing+0xdae/0x3e70 mm/memory.c:3965
> > handle_pte_fault mm/memory.c:5766 [inline]
> > __handle_mm_fault+0x100a/0x2a10 mm/memory.c:5909
> > handle_mm_fault+0x3fa/0xaa0 mm/memory.c:6077
> > faultin_page mm/gup.c:1187 [inline]
> > __get_user_pages+0x8d9/0x3b50 mm/gup.c:1485
> > __get_user_pages_locked mm/gup.c:1751 [inline]
> > get_dump_page+0xfb/0x220 mm/gup.c:2269
> > dump_user_range+0x135/0x8c0 fs/coredump.c:943
> > elf_core_dump+0x2766/0x3840 fs/binfmt_elf.c:2121
> > do_coredump+0x2c42/0x4160 fs/coredump.c:758
> > get_signal+0x237c/0x26d0 kernel/signal.c:2903
> > arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
> > exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
> > exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
> > irqentry_exit_to_user_mode+0x13f/0x280 kernel/entry/common.c:231
> > asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
> > RIP: 0033:0x1000
> > Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > RSP: 002b:000000000000010c EFLAGS: 00010246
> > RAX: 0000000000000000 RBX: 00007f08b41363b8 RCX: 00007f08b3f7e759
> > RDX: ffffffffff600000 RSI: 0000000000000104 RDI: 8000000000000000
> > RBP: 00007f08b3ff175e R08: 0000000100000000 R09: 0000000000000000
> > R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> > R13: 0000000000000000 R14: 00007f08b41363b8 R15: 00007fff7656a008
> > </TASK>
> > Modules linked in:
> > ---[ end trace 0000000000000000 ]---
> > RIP: 0010:const_folio_flags.constprop.0+0x12e/0x150 include/linux/page-flags.h:309
> > Code: 86 cb ff e8 f4 86 cb ff 48 8d 45 ff 48 39 c3 0f 84 38 ff ff ff e8 e2 86 cb ff 48 c7 c6 00 19 58 8b 48 89 df e8 e3 4b 11 00 90 <0f> 0b e8 6b 0d 2d 00 e9 f1 fe ff ff e8 61 0d 2d 00 eb a3 48 89 df
> > RSP: 0018:ffffc9000c55ee30 EFLAGS: 00010293
> > RAX: 0000000000000000 RBX: ffffea0000496f80 RCX: ffffc9000c55ecd8
> > RDX: ffff88805f401e00 RSI: ffffffff81c1362d RDI: ffff88805f402244
> > RBP: 0000000000000001 R08: 0000000000000000 R09: fffffbfff203a591
> > R10: ffffffff901d2c8f R11: 0000000000000001 R12: 00000000000014df
> > R13: 0000000000000000 R14: dffffc0000000000 R15: 1ffff920018abdf4
> > FS: 00007f08b31bc6c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
> > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 00007fff76568ff8 CR3: 00000000341ce000 CR4: 00000000003526f0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> >
> >
> > ---
> > This report is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkaller@googlegroups.com.
> >
> > syzbot will keep track of this issue. See:
> > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> >
> > If the report is already addressed, let syzbot know by replying with:
> > #syz fix: exact-commit-title
> >
> > If you want syzbot to run the reproducer, reply with:
> > #syz test: git://repo/address.git branch-or-commit-hash
> > If you attach or paste a git patch, syzbot will apply it before testing.
> >
> > If you want to overwrite report's subsystems, reply with:
> > #syz set subsystems: new-subsystem
> > (See the list of subsystem names on the web dashboard)
> >
> > If the report is a duplicate of another one, reply with:
> > #syz dup: exact-subject-of-another-report
> >
> > If you want to undo deduplication, reply with:
> > #syz undup
> >
>
>
> --
> Cheers,
>
> David / dhildenb
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [syzbot] [mm?] kernel BUG in const_folio_flags (2)
2024-11-28 11:42 ` Hillf Danton
@ 2024-11-28 12:02 ` David Hildenbrand
2024-11-28 12:23 ` David Hildenbrand
0 siblings, 1 reply; 21+ messages in thread
From: David Hildenbrand @ 2024-11-28 12:02 UTC (permalink / raw)
To: Hillf Danton
Cc: syzbot, linux-kernel, linux-mm, syzkaller-bugs, Matthew Wilcox
On 28.11.24 12:42, Hillf Danton wrote:
> On Thu, 28 Nov 2024 11:52:42 +0100 David Hildenbrand <david@redhat.com>
>> On 23.11.24 08:31, syzbot wrote:
>>> Hello,
>>>
>>> syzbot found the following issue on:
>>>
>>> HEAD commit: 9fb2cfa4635a Merge tag 'pull-ufs' of git://git.kernel.org/..
>>> git tree: upstream
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=10042930580000
>>> kernel config: https://syzkaller.appspot.com/x/.config?x=c4515f1b6a4e50b7
>>> dashboard link: https://syzkaller.appspot.com/bug?extid=9f9a7f73fb079b2387a6
>>> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
>>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=105ff2e8580000
>>>
>>> Downloadable assets:
>>> disk image: https://storage.googleapis.com/syzbot-assets/7c0c61a15f60/disk-9fb2cfa4.raw.xz
>>> vmlinux: https://storage.googleapis.com/syzbot-assets/3363d84eeb74/vmlinux-9fb2cfa4.xz
>>> kernel image: https://storage.googleapis.com/syzbot-assets/2b1a270af550/bzImage-9fb2cfa4.xz
>>>
>>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>>> Reported-by: syzbot+9f9a7f73fb079b2387a6@syzkaller.appspotmail.com
>>>
>>
>> Staring at the console output:
>>
>> [ 520.222112][ T7269] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x1403 pfn:0x125be
>
> ->mapping is cleared for a order9 page
> >> [ 520.362213][ T7269] head: order:9 mapcount:0 entire_mapcount:0
nr_pages_mapped:0 pincount:0
>> [ 520.411963][ T7269] memcg:ffff88807c73c000
>> [ 520.492069][ T7269] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
>> [ 520.499844][ T7269] raw: 00fff00000000000 ffffea0000490001 dead000000000122 dead000000000400
>> [ 520.551982][ T7269] raw: 00000000000014d0 0000000000000000 00000000ffffffff 0000000000000000
>> [ 520.560912][ T7269] head: 00fff00000000040 0000000000000000 dead000000000122 0000000000000000
>> [ 520.672020][ T7269] head: 0000000000001245 0000000000000000 00000001ffffffff ffff88807c73c000
>> [ 520.735699][ T7269] head: 00fff00000000209 ffffea0000490001 ffffffffffffffff 0000000000000000
>> [ 520.901989][ T7269] head: 0000000000000200 0000000000000000 00000000ffffffff 0000000000000000
>> [ 520.991952][ T7269] page dumped because: VM_BUG_ON_PAGE(PageTail(page))
>> [ 521.086487][ T7269] page_owner tracks the page as allocated
>> [ 521.132208][ T7269] page last allocated via order 0, migratetype Movable, gfp_mask 0x3d24ca(GFP_TRANSHUGE|__GFP_NORETRY|
>>
>> ^order 0 looks wrong, but let;s not get distracted.
>>
>> __GFP_THISNODE), pid 7321, tgid 7321 (syz.1.194), ts 520201520231, free_ts 520193076092
>> [ 521.272012][ T7269] post_alloc_hook+0x2d1/0x350
>> [ 521.276977][ T7269] __alloc_pages_direct_compact+0x20e/0x590
>> [ 521.314428][ T7269] __alloc_pages_noprof+0x182b/0x25a0
>> [ 521.319975][ T7269] alloc_pages_mpol_noprof+0x282/0x610
>> [ 521.420092][ T7269] folio_alloc_mpol_noprof+0x36/0xd0
>> [ 521.483167][ T7269] vma_alloc_folio_noprof+0xee/0x1b0
>> [ 521.539677][ T7269] do_huge_pmd_anonymous_page+0x258/0x2ae0
>> ...
>> [ 521.851719][ T7269] page last free pid 7323 tgid 7321 stack trace:
>> [ 521.972611][ T7269] free_unref_folios+0xa87/0x14f0
>> [ 521.977735][ T7269] folios_put_refs+0x587/0x7b0
>> [ 522.072508][ T7269] folio_batch_move_lru+0x2c4/0x3b0
>> [ 522.077794][ T7269] __folio_batch_add_and_move+0x35b/0xc60
>> [ 522.191992][ T7269] reclaim_folio_list+0x205/0x3a0
>> [ 522.197131][ T7269] reclaim_pages+0x481/0x650
>> [ 522.201760][ T7269] madvise_cold_or_pageout_pte_range+0x163b/0x20d0
>> ...
>>
>>
>> So we allocated a order-9 anonymous folio, but suddenly find it via shmem in the pagecache?
>>
>> Is this some crazy use-after-free / double-free, where we end up freeing a shmem folio
>> that is still in the pagecache? Once freed, it gets merged in the buddy, and we then re-allocate
>> it as part of a PMD THP; but shmem still finds it in the pagecache, and as the it's now suddenly
>
> It is not in the pagecache.
next_uptodate_folio() finds it there? Which is .. via the pagecache
xas_next_entry()?
But good point on the mapping. If we would have freed a folio while
still in the pagecache (before truncation), we'd likely have gotten an
error from free_page_is_bad().
Well, unless check_pages_enabled() is false.
--
Cheers,
David / dhildenb
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [syzbot] [mm?] kernel BUG in const_folio_flags (2)
2024-11-28 12:02 ` David Hildenbrand
@ 2024-11-28 12:23 ` David Hildenbrand
2024-11-28 13:03 ` Hillf Danton
0 siblings, 1 reply; 21+ messages in thread
From: David Hildenbrand @ 2024-11-28 12:23 UTC (permalink / raw)
To: Hillf Danton
Cc: syzbot, linux-kernel, linux-mm, syzkaller-bugs, Matthew Wilcox
On 28.11.24 13:02, David Hildenbrand wrote:
> On 28.11.24 12:42, Hillf Danton wrote:
>> On Thu, 28 Nov 2024 11:52:42 +0100 David Hildenbrand <david@redhat.com>
>>> On 23.11.24 08:31, syzbot wrote:
>>>> Hello,
>>>>
>>>> syzbot found the following issue on:
>>>>
>>>> HEAD commit: 9fb2cfa4635a Merge tag 'pull-ufs' of git://git.kernel.org/..
>>>> git tree: upstream
>>>> console output: https://syzkaller.appspot.com/x/log.txt?x=10042930580000
>>>> kernel config: https://syzkaller.appspot.com/x/.config?x=c4515f1b6a4e50b7
>>>> dashboard link: https://syzkaller.appspot.com/bug?extid=9f9a7f73fb079b2387a6
>>>> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
>>>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=105ff2e8580000
>>>>
>>>> Downloadable assets:
>>>> disk image: https://storage.googleapis.com/syzbot-assets/7c0c61a15f60/disk-9fb2cfa4.raw.xz
>>>> vmlinux: https://storage.googleapis.com/syzbot-assets/3363d84eeb74/vmlinux-9fb2cfa4.xz
>>>> kernel image: https://storage.googleapis.com/syzbot-assets/2b1a270af550/bzImage-9fb2cfa4.xz
>>>>
>>>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>>>> Reported-by: syzbot+9f9a7f73fb079b2387a6@syzkaller.appspotmail.com
>>>>
>>>
>>> Staring at the console output:
>>>
>>> [ 520.222112][ T7269] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x1403 pfn:0x125be
>>
>> ->mapping is cleared for a order9 page
> > >> [ 520.362213][ T7269] head: order:9 mapcount:0 entire_mapcount:0
> nr_pages_mapped:0 pincount:0
>>> [ 520.411963][ T7269] memcg:ffff88807c73c000
>>> [ 520.492069][ T7269] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
>>> [ 520.499844][ T7269] raw: 00fff00000000000 ffffea0000490001 dead000000000122 dead000000000400
>>> [ 520.551982][ T7269] raw: 00000000000014d0 0000000000000000 00000000ffffffff 0000000000000000
>>> [ 520.560912][ T7269] head: 00fff00000000040 0000000000000000 dead000000000122 0000000000000000
>>> [ 520.672020][ T7269] head: 0000000000001245 0000000000000000 00000001ffffffff ffff88807c73c000
>>> [ 520.735699][ T7269] head: 00fff00000000209 ffffea0000490001 ffffffffffffffff 0000000000000000
>>> [ 520.901989][ T7269] head: 0000000000000200 0000000000000000 00000000ffffffff 0000000000000000
>>> [ 520.991952][ T7269] page dumped because: VM_BUG_ON_PAGE(PageTail(page))
>>> [ 521.086487][ T7269] page_owner tracks the page as allocated
>>> [ 521.132208][ T7269] page last allocated via order 0, migratetype Movable, gfp_mask 0x3d24ca(GFP_TRANSHUGE|__GFP_NORETRY|
>>>
>>> ^order 0 looks wrong, but let;s not get distracted.
>>>
>>> __GFP_THISNODE), pid 7321, tgid 7321 (syz.1.194), ts 520201520231, free_ts 520193076092
>>> [ 521.272012][ T7269] post_alloc_hook+0x2d1/0x350
>>> [ 521.276977][ T7269] __alloc_pages_direct_compact+0x20e/0x590
>>> [ 521.314428][ T7269] __alloc_pages_noprof+0x182b/0x25a0
>>> [ 521.319975][ T7269] alloc_pages_mpol_noprof+0x282/0x610
>>> [ 521.420092][ T7269] folio_alloc_mpol_noprof+0x36/0xd0
>>> [ 521.483167][ T7269] vma_alloc_folio_noprof+0xee/0x1b0
>>> [ 521.539677][ T7269] do_huge_pmd_anonymous_page+0x258/0x2ae0
>>> ...
>>> [ 521.851719][ T7269] page last free pid 7323 tgid 7321 stack trace:
>>> [ 521.972611][ T7269] free_unref_folios+0xa87/0x14f0
>>> [ 521.977735][ T7269] folios_put_refs+0x587/0x7b0
>>> [ 522.072508][ T7269] folio_batch_move_lru+0x2c4/0x3b0
>>> [ 522.077794][ T7269] __folio_batch_add_and_move+0x35b/0xc60
>>> [ 522.191992][ T7269] reclaim_folio_list+0x205/0x3a0
>>> [ 522.197131][ T7269] reclaim_pages+0x481/0x650
>>> [ 522.201760][ T7269] madvise_cold_or_pageout_pte_range+0x163b/0x20d0
>>> ...
>>>
>>>
>>> So we allocated a order-9 anonymous folio, but suddenly find it via shmem in the pagecache?
>>>
>>> Is this some crazy use-after-free / double-free, where we end up freeing a shmem folio
>>> that is still in the pagecache? Once freed, it gets merged in the buddy, and we then re-allocate
>>> it as part of a PMD THP; but shmem still finds it in the pagecache, and as the it's now suddenly
>>
>> It is not in the pagecache.
>
> next_uptodate_folio() finds it there? Which is .. via the pagecache
> xas_next_entry()?
>
> But good point on the mapping. If we would have freed a folio while
> still in the pagecache (before truncation), we'd likely have gotten an
> error from free_page_is_bad().
>
> Well, unless check_pages_enabled() is false.
Ah, now I get it; at the point int time we check it actually isn't in
the pagecache anymore. We perform a folio_test_locked() check before the
folio_try_get(), which is wrong as the folio can get freed+reallocated
in the meantime.
The easy fix would be:
diff --git a/mm/filemap.c b/mm/filemap.c
index 7c76a123ba18b..f61cf51c22389 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -3501,10 +3501,10 @@ static struct folio *next_uptodate_folio(struct
xa_state *xas,
continue;
if (xa_is_value(folio))
continue;
- if (folio_test_locked(folio))
- continue;
if (!folio_try_get(folio))
continue;
+ if (folio_test_locked(folio))
+ goto skip;
/* Has the page moved or been split? */
if (unlikely(folio != xas_reload(xas)))
goto skip;
--
Cheers,
David / dhildenb
^ permalink raw reply [flat|nested] 21+ messages in thread* Re: [syzbot] [mm?] kernel BUG in const_folio_flags (2)
2024-11-28 12:23 ` David Hildenbrand
@ 2024-11-28 13:03 ` Hillf Danton
2024-11-28 13:37 ` syzbot
0 siblings, 1 reply; 21+ messages in thread
From: Hillf Danton @ 2024-11-28 13:03 UTC (permalink / raw)
To: syzbot
Cc: David Hildenbrand, linux-kernel, linux-mm, syzkaller-bugs,
Matthew Wilcox
On Thu, 28 Nov 2024 13:23:15 +0100 David Hildenbrand <david@redhat.com>
>
> Ah, now I get it; at the point int time we check it actually isn't in
> the pagecache anymore. We perform a folio_test_locked() check before the
> folio_try_get(), which is wrong as the folio can get freed+reallocated
> in the meantime.
>
> The easy fix would be:
#syz test
--- x/mm/filemap.c
+++ y/mm/filemap.c
@@ -3502,10 +3502,10 @@ static struct folio *next_uptodate_folio
continue;
if (xa_is_value(folio))
continue;
- if (folio_test_locked(folio))
- continue;
if (!folio_try_get(folio))
continue;
+ if (folio_test_locked(folio))
+ goto skip;
/* Has the page moved or been split? */
if (unlikely(folio != xas_reload(xas)))
goto skip;
--
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [syzbot] [mm?] kernel BUG in const_folio_flags (2)
2024-11-23 7:31 [syzbot] [mm?] kernel BUG in const_folio_flags (2) syzbot
` (6 preceding siblings ...)
2024-11-28 10:52 ` David Hildenbrand
@ 2024-11-28 12:57 ` David Hildenbrand
2024-11-28 13:18 ` syzbot
7 siblings, 1 reply; 21+ messages in thread
From: David Hildenbrand @ 2024-11-28 12:57 UTC (permalink / raw)
To: syzbot, akpm, linux-kernel, linux-mm, syzkaller-bugs
On 23.11.24 08:31, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 9fb2cfa4635a Merge tag 'pull-ufs' of git://git.kernel.org/..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10042930580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c4515f1b6a4e50b7
> dashboard link: https://syzkaller.appspot.com/bug?extid=9f9a7f73fb079b2387a6
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=105ff2e8580000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/7c0c61a15f60/disk-9fb2cfa4.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/3363d84eeb74/vmlinux-9fb2cfa4.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/2b1a270af550/bzImage-9fb2cfa4.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+9f9a7f73fb079b2387a6@syzkaller.appspotmail.com
>
> madvise_pageout_page_range mm/madvise.c:609 [inline]
> madvise_pageout+0x326/0x820 mm/madvise.c:636
> madvise_vma_behavior+0x58c/0x19e0 mm/madvise.c:1045
> madvise_walk_vmas+0x1cf/0x2c0 mm/madvise.c:1274
> do_madvise+0x29d/0x700 mm/madvise.c:1461
> __do_sys_madvise mm/madvise.c:1477 [inline]
> __se_sys_madvise mm/madvise.c:1475 [inline]
> __x64_sys_madvise+0xa9/0x110 mm/madvise.c:1475
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
> ------------[ cut here ]------------
> kernel BUG at include/linux/page-flags.h:309!
> Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
> CPU: 0 UID: 0 PID: 7269 Comm: syz.1.183 Not tainted 6.12.0-syzkaller-00233-g9fb2cfa4635a #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
> RIP: 0010:const_folio_flags.constprop.0+0x12e/0x150 include/linux/page-flags.h:309
> Code: 86 cb ff e8 f4 86 cb ff 48 8d 45 ff 48 39 c3 0f 84 38 ff ff ff e8 e2 86 cb ff 48 c7 c6 00 19 58 8b 48 89 df e8 e3 4b 11 00 90 <0f> 0b e8 6b 0d 2d 00 e9 f1 fe ff ff e8 61 0d 2d 00 eb a3 48 89 df
> RSP: 0018:ffffc9000c55ee30 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: ffffea0000496f80 RCX: ffffc9000c55ecd8
> RDX: ffff88805f401e00 RSI: ffffffff81c1362d RDI: ffff88805f402244
> RBP: 0000000000000001 R08: 0000000000000000 R09: fffffbfff203a591
> R10: ffffffff901d2c8f R11: 0000000000000001 R12: 00000000000014df
> R13: 0000000000000000 R14: dffffc0000000000 R15: 1ffff920018abdf4
> FS: 00007f08b31bc6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000000c0025ff000 CR3: 00000000341ce000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <TASK>
> folio_test_locked include/linux/page-flags.h:509 [inline]
> next_uptodate_folio+0xac/0x4b0 mm/filemap.c:3505
> filemap_map_pages+0x1c6/0x16a0 mm/filemap.c:3647
> do_fault_around mm/memory.c:5255 [inline]
> do_read_fault mm/memory.c:5288 [inline]
> do_fault mm/memory.c:5431 [inline]
> do_pte_missing+0xdae/0x3e70 mm/memory.c:3965
> handle_pte_fault mm/memory.c:5766 [inline]
> __handle_mm_fault+0x100a/0x2a10 mm/memory.c:5909
> handle_mm_fault+0x3fa/0xaa0 mm/memory.c:6077
> faultin_page mm/gup.c:1187 [inline]
> __get_user_pages+0x8d9/0x3b50 mm/gup.c:1485
> __get_user_pages_locked mm/gup.c:1751 [inline]
> get_dump_page+0xfb/0x220 mm/gup.c:2269
> dump_user_range+0x135/0x8c0 fs/coredump.c:943
> elf_core_dump+0x2766/0x3840 fs/binfmt_elf.c:2121
> do_coredump+0x2c42/0x4160 fs/coredump.c:758
> get_signal+0x237c/0x26d0 kernel/signal.c:2903
> arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
> exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
> exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
> irqentry_exit_to_user_mode+0x13f/0x280 kernel/entry/common.c:231
> asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
> RIP: 0033:0x1000
> Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <00> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> RSP: 002b:000000000000010c EFLAGS: 00010246
> RAX: 0000000000000000 RBX: 00007f08b41363b8 RCX: 00007f08b3f7e759
> RDX: ffffffffff600000 RSI: 0000000000000104 RDI: 8000000000000000
> RBP: 00007f08b3ff175e R08: 0000000100000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 0000000000000000 R14: 00007f08b41363b8 R15: 00007fff7656a008
> </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:const_folio_flags.constprop.0+0x12e/0x150 include/linux/page-flags.h:309
> Code: 86 cb ff e8 f4 86 cb ff 48 8d 45 ff 48 39 c3 0f 84 38 ff ff ff e8 e2 86 cb ff 48 c7 c6 00 19 58 8b 48 89 df e8 e3 4b 11 00 90 <0f> 0b e8 6b 0d 2d 00 e9 f1 fe ff ff e8 61 0d 2d 00 eb a3 48 89 df
> RSP: 0018:ffffc9000c55ee30 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: ffffea0000496f80 RCX: ffffc9000c55ecd8
> RDX: ffff88805f401e00 RSI: ffffffff81c1362d RDI: ffff88805f402244
> RBP: 0000000000000001 R08: 0000000000000000 R09: fffffbfff203a591
> R10: ffffffff901d2c8f R11: 0000000000000001 R12: 00000000000014df
> R13: 0000000000000000 R14: dffffc0000000000 R15: 1ffff920018abdf4
> FS: 00007f08b31bc6c0(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fff76568ff8 CR3: 00000000341ce000 CR4: 00000000003526f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
>
#syz test https://github.com/davidhildenbrand/linux.git filemap_test_locked
--
Cheers,
David / dhildenb
^ permalink raw reply [flat|nested] 21+ messages in thread