From: Hugh Dickins
Date: Fri, 27 Jan 2023 09:02:04 -0800 (PST)
To: David Hildenbrand
Cc: Matthew Wilcox, Sanan Hasanov, akpm@linux-foundation.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, contact@pgazz.com, syzkaller@googlegroups.com, Huang Ying, Hugh Dickins
Subject: Re: kernel BUG in page_add_anon_rmap
Message-ID: <713c6242-be65-c212-b790-2b908627c1b4@google.com>
On Fri, 27 Jan 2023, David Hildenbrand wrote:

> On 26.01.23 19:57, Matthew Wilcox wrote:
> > On Wed, Jan 25, 2023 at 11:59:16PM +0000, Sanan Hasanov wrote:
> >> Good day, dear maintainers,
> >>
> >> We found a bug using a modified kernel configuration file used by syzbot.
> >>
> >> We enhanced the coverage of the configuration file using our tool,
> >> klocalizer.
> >>
> >> Kernel Branch: 6.2.0-rc5-next-20230124
> >> Kernel
> >> config: https://drive.google.com/file/d/1MZSgIF4R9QfikEuF5siUIZVPce-GiJQK/view?usp=sharing
> >> Reproducer: https://drive.google.com/file/d/1H5KWkT9VVMWTUVVgIaZi6J-fmukRx-BM/view?usp=sharing
> >>
> >> Thank you!
> >>
> >> Best regards,
> >> Sanan Hasanov
> >>
> >> head: 0000000000020000 0000000000000000 00000004ffffffff ffff8881002b8000
> >> page dumped because: VM_BUG_ON_PAGE(!first && (flags & (( rmap_t)((((1UL))) << (0)))))
> >> ------------[ cut here ]------------
> >
> > I know it says "cut here" and you did that, but including just a few
> > lines above that would be so much more helpful. I can infer that this
> > is a multi-page folio, but more than that is hard to tell.
> >
> >> kernel BUG at mm/rmap.c:1248!
> >
> > That tracks with VM_BUG_ON_PAGE(!first && (flags & RMAP_EXCLUSIVE), page);
> >
> >> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> >> CPU: 7 PID: 14932 Comm: syz-executor.1 Not tainted 6.2.0-rc5-next-20230124 #1
> >> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> >> RIP: 0010:page_add_anon_rmap+0xddd/0x11c0 mm/rmap.c:1248
> >> Code: c0 ff 48 8b 34 24 48 89 df e8 1f ff 07 00 49 89 c6 e9 85 f6 ff ff e8 52 73 c0 ff 48 c7 c6 c0 3c d8 89 48 89 ef e8 b3 23 f8 ff <0f> 0b e8 3c 73 c0 ff 48 c7 c6 00 3b d8 89 48 89 ef e8 9d 23 f8 ff
> >> RSP: 0018:ffffc9000c56f7b0 EFLAGS: 00010293
> >> RAX: 0000000000000000 RBX: ffff88807efc6f30 RCX: 0000000000000000
> >> RDX: ffff8880464fd7c0 RSI: ffffffff81be733d RDI: fffff520018adedb
> >> RBP: ffffea0000c68080 R08: 0000000000000056 R09: 0000000000000000
> >> R10: 0000000000000001 R11: 0000000000000001 R12: ffffea0000c68000
> >> R13: 0000000000000001 R14: ffffea0000c68088 R15: 0000000000000000
> >> FS: 00007f717898a700(0000) GS:ffff888119f80000(0000) knlGS:0000000000000000
> >> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >> CR2: 00007f7178947d78 CR3: 000000004a9e6000 CR4: 0000000000350ee0
> >> Call Trace:
> >>
> >> remove_migration_pte+0xaa6/0x1390 mm/migrate.c:261
> >
> > 	if (folio_test_anon(folio))
> > 		page_add_anon_rmap(new, vma, pvmw.address,
> > 				   rmap_flags);
> >
> > Earlier in that function, we had:
> > 		if (folio_test_anon(folio) &&
> > 		    !is_readable_migration_entry(entry))
> > 			rmap_flags |= RMAP_EXCLUSIVE;
> >
> > so that also makes sense. We can also infer that RMAP_COMPOUND wasn't
> > set, so we're trying to do just one page from the folio.
> >
> > All right, back to rmap.c:
> >
> > 	first = atomic_inc_and_test(&page->_mapcount);
> >
> > So first is clearly false (ie _mapcount was not -1), implying somebody
> > else already mapped this page. Not really sure what's going on at
> > this point. Seems unlikely that the folio changes in
> > remove_migration_pte() are responsible since they're from last January.
> > Huang has some more changes to migrate.c that I don't feel qualified
> > to judge.
> >
> > Nothing's jumping out at me as obviously wrong. Is it possible to
> > do a bisect?
>
> I reproduced on next-20230127 (did not try upstream yet).
>
> I think two key things are that a) THP are set to "always" and b) we have a
> NUMA setup [I assume].
>
> The relevant bits:
>
> [  439.886738] page:00000000c4de9000 refcount:513 mapcount:2 mapping:0000000000000000 index:0x20003 pfn:0x14ee03
> [  439.893758] head:000000003d5b75a4 order:9 entire_mapcount:0 nr_pages_mapped:511 pincount:0
> [  439.899611] memcg:ffff986dc4689000
> [  439.902207] anon flags: 0x17ffffc009003f(locked|referenced|uptodate|dirty|lru|active|head|swapbacked|node=0|zone=2|lastcpupid=0x1fffff)
> [  439.910737] raw: 0017ffffc0020000 ffffe952c53b8001 ffffe952c53b80c8 dead000000000400
> [  439.916268] raw: 0000000000000000 0000000000000000 0000000000000001 0000000000000000
> [  439.921773] head: 0017ffffc009003f ffffe952c538b108 ffff986de35a0010 ffff98714338a001
> [  439.927360] head: 0000000000020000 0000000000000000 00000201ffffffff ffff986dc4689000
> [  439.932341] page dumped because: VM_BUG_ON_PAGE(!first && (flags & (( rmap_t)((((1UL))) << (0)))))
>
>
> Indeed, the mapcount of the subpage is 2 instead of 1. The subpage is only
> mapped into a single
> page table (no fork() or similar).
>
> I created this reduced reproducer that triggers 100%:
>
>
> #include <sys/mman.h>	/* mmap, madvise, mlock */
> #include <numaif.h>	/* mbind, MPOL_LOCAL, MPOL_MF_MOVE */
> #include <stdint.h>	/* uint32_t */
> #include <stddef.h>	/* NULL */
>
> int main(void)
> {
> 	/* 16 MiB fixed anonymous mapping, marked THP-eligible */
> 	mmap((void*)0x20000000ul, 0x1000000ul, PROT_READ|PROT_WRITE|PROT_EXEC,
> 	     MAP_ANONYMOUS|MAP_FIXED|MAP_PRIVATE, -1, 0ul);
> 	madvise((void*)0x20000000ul, 0x1000000ul, MADV_HUGEPAGE);
>
> 	/* first write populates a fresh, PMD-mapped anon THP */
> 	*(uint32_t*)0x20000080 = 0x80000;
> 	/* first mlock() PTE-maps the THP and mlocks the subpage */
> 	mlock((void*)0x20001000ul, 0x2000ul);
> 	/* second mlock() of the same page */
> 	mlock((void*)0x20000000ul, 0x3000ul);
> 	/* mbind() with MPOL_MF_MOVE triggers page migration of that subpage */
> 	mbind((void*)0x20002000ul, 0x1000ul, MPOL_LOCAL, NULL, 0x7fful,
> 	      MPOL_MF_MOVE);
> 	return 0;
> }
>
> We map a large-enough area for a THP and then populate a fresh anon THP (PMD
> mapped)
> to write to it.
>
> The first mlock() will trigger PTE-mapping the THP and mlocking that subpage.
> The second mlock() seems to cause the issue. The final mbind() triggers page
> migration.
>
> Removing one of the mlock() makes it work. Note that we do a double
> mlock() of the same page -- the one we are then trying to migrate.
>
> Somehow, the double mlock() of the same page seems to affect our mapcount.
>
> CCing Hugh.

Thanks David - most especially for the reproducer, not tried here yet.
I'll assume this is my bug, and get into it later in the day.

Hugh
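An added triage helper, not part of this thread or of the kernel's own code: it parses dump_page() output like the lines David quoted and applies the thread's reasoning (tail page of an order-9 folio, a subpage PTE-mapped twice with no PMD mapping, 511 of 512 subpages mapped, and the BUG testing rmap flag bit 0). The sample input is the quoted dump re-typed as a string; the field names are those dump_page() prints.

```python
import re

# Constructed sample input: the dump_page() lines from David's report above,
# re-typed with the mail wrapping undone. Any other dump_page() output works too.
DUMP = """\
page:00000000c4de9000 refcount:513 mapcount:2 mapping:0000000000000000 index:0x20003 pfn:0x14ee03
head:000000003d5b75a4 order:9 entire_mapcount:0 nr_pages_mapped:511 pincount:0
memcg:ffff986dc4689000
anon flags: 0x17ffffc009003f(locked|referenced|uptodate|dirty|lru|active|head|swapbacked|node=0|zone=2|lastcpupid=0x1fffff)
page dumped because: VM_BUG_ON_PAGE(!first && (flags & (( rmap_t)((((1UL))) << (0)))))
"""

# key:value pairs; a value is 0x-hex, a 16-digit hashed pointer, or decimal
KV = re.compile(r"(\w+):(0x[0-9a-f]+|[0-9a-f]{16}|\d+)")
FLAGS = re.compile(r"flags: (0x[0-9a-f]+)\((.*)\)")

def parse_dump_page(text):
    """Turn dump_page() output into ints, a set of flag names and the BUG reason."""
    info = {"flags": set(), "flags_raw": 0, "reason": ""}
    for line in text.splitlines():
        m = FLAGS.search(line)
        if m:
            info["flags_raw"] = int(m.group(1), 16)
            info["flags"] = {f.split("=")[0] for f in m.group(2).split("|")}
        elif line.startswith("page dumped because:"):
            info["reason"] = line.split(":", 1)[1].strip()
        else:
            for key, val in KV.findall(line):
                is_hex = val.startswith("0x") or len(val) == 16
                info[key] = int(val, 16) if is_hex else int(val)
    return info

def triage(info):
    """Apply the thread's reasoning: which numbers point at a double-mapped subpage?"""
    findings = []
    order = info.get("order", 0)
    nr_pages = 1 << order
    if "head" in info and info["head"] != info.get("page"):
        offset = info.get("index", 0) & (nr_pages - 1)   # position inside the folio
        findings.append(f"tail page at offset {offset} of an order-{order} folio ({nr_pages} pages)")
    if info.get("entire_mapcount", 0) == 0 and info.get("mapcount", 0) > 1:
        findings.append(f"subpage PTE-mapped {info['mapcount']} times with no PMD mapping")
    if "nr_pages_mapped" in info and info["nr_pages_mapped"] < nr_pages:
        findings.append(f"{info['nr_pages_mapped']} of {nr_pages} subpages mapped")
    if "(1UL))) << (0)" in info["reason"]:
        findings.append("BUG tested rmap flag bit 0 (RMAP_EXCLUSIVE, per Matthew's reading)")
    return findings
```

Run `triage(parse_dump_page(DUMP))` to get the four findings for the quoted dump; feeding it the dump from a different report gives the same checks over that report's numbers.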