From: "Zach O'Keefe" <zokeefe@google.com>
Date: Fri, 10 Mar 2023 17:02:06 -0800
Subject: Re: [syzbot] [mm?] kernel BUG in hpage_collapse_scan_file
To: syzbot
Cc: akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, Matthew Wilcox
In-Reply-To: <000000000000226a6105f6954b47@google.com>

On Fri, Mar 10, 2023 at 4:52 PM syzbot wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    857f1268a591 Merge tag 'objtool-core-2023-03-02' of git://..
> git tree:       upstream
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=168e1032c80000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f763d89e26d3d4c4
> dashboard link: https://syzkaller.appspot.com/bug?extid=9578faa5475acb35fa50
> compiler:       Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=179e4e12c80000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=119cce98c80000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/b3b7a7e333f1/disk-857f1268.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/5940be1cf171/vmlinux-857f1268.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/986015398e4a/bzImage-857f1268.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+9578faa5475acb35fa50@syzkaller.appspotmail.com
>
> ------------[ cut here ]------------
> kernel BUG at mm/khugepaged.c:1823!
> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> CPU: 1 PID: 5097 Comm: syz-executor220 Not tainted 6.2.0-syzkaller-13154-g857f1268a591 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
> RIP: 0010:collapse_file mm/khugepaged.c:1823 [inline]
> RIP: 0010:hpage_collapse_scan_file+0x67c8/0x7580 mm/khugepaged.c:2233
> Code: 00 00 89 de e8 c9 66 a3 ff 31 ff 89 de e8 c0 66 a3 ff 45 84 f6 0f 85 28 0d 00 00 e8 22 64 a3 ff e9 dc f7 ff ff e8 18 64 a3 ff <0f> 0b f3 0f 1e fa e8 0d 64 a3 ff e9 93 f6 ff ff f3 0f 1e fa 4c 89
> RSP: 0018:ffffc90003dff4e0 EFLAGS: 00010093
> RAX: ffffffff81e95988 RBX: 00000000000001c1 RCX: ffff8880205b3a80
> RDX: 0000000000000000 RSI: 00000000000001c0 RDI: 00000000000001c1
> RBP: ffffc90003dff830 R08: ffffffff81e90e67 R09: fffffbfff1a433c3
> R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000
> R13: ffffc90003dff6c0 R14: 00000000000001c0 R15: 0000000000000000
> FS:  00007fdbae5ee700(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fdbae6901e0 CR3: 000000007b2dd000 CR4: 00000000003506e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>
>  madvise_collapse+0x721/0xf50 mm/khugepaged.c:2693
>  madvise_vma_behavior mm/madvise.c:1086 [inline]
>  madvise_walk_vmas mm/madvise.c:1260 [inline]
>  do_madvise+0x9e5/0x4680 mm/madvise.c:1439
>  __do_sys_madvise mm/madvise.c:1452 [inline]
>  __se_sys_madvise mm/madvise.c:1450 [inline]
>  __x64_sys_madvise+0xa5/0xb0 mm/madvise.c:1450
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x63/0xcd
> RIP: 0033:0x7fdbae65dc39
> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007fdbae5ee2f8 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
> RAX: ffffffffffffffda RBX: 00007fdbae6e64b8 RCX: 00007fdbae65dc39
> RDX: 0000000000000019 RSI: 000000000060005f RDI: 0000000020000000
> RBP: 00007fdbae6e64b0 R08: 0000000000000001 R09: 0000000000000033
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007fdbae5ee300
> R13: 0000000000000001 R14: 00007fdbae5ee400 R15: 0000000000022000
>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:collapse_file mm/khugepaged.c:1823 [inline]
> RIP: 0010:hpage_collapse_scan_file+0x67c8/0x7580 mm/khugepaged.c:2233
> Code: 00 00 89 de e8 c9 66 a3 ff 31 ff 89 de e8 c0 66 a3 ff 45 84 f6 0f 85 28 0d 00 00 e8 22 64 a3 ff e9 dc f7 ff ff e8 18 64 a3 ff <0f> 0b f3 0f 1e fa e8 0d 64 a3 ff e9 93 f6 ff ff f3 0f 1e fa 4c 89
> RSP: 0018:ffffc90003dff4e0 EFLAGS: 00010093
> RAX: ffffffff81e95988 RBX: 00000000000001c1 RCX: ffff8880205b3a80
> RDX: 0000000000000000 RSI: 00000000000001c0 RDI: 00000000000001c1
> RBP: ffffc90003dff830 R08: ffffffff81e90e67 R09: fffffbfff1a433c3
> R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000000
> R13: ffffc90003dff6c0 R14: 00000000000001c0 R15: 0000000000000000
> FS:  00007fdbae5ee700(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fdbae6901e0 CR3: 000000007b2dd000 CR4: 00000000003506e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this issue, for details see:
> https://goo.gl/tpsmEJ#testing-patches

I had a look at this, and the issue is stemming from a failed (due to error injection here) xas_store() in collapse_file() (in this report, specifically, it was picking on shmem after an MADV_REMOVE punch). This puts the xa_state into an error state (-ENOMEM), and the subsequent xas_next() will (a) not increment xas->xa_index (which trips the VM_BUG_ON), and (b) return NULL (which is confusing since, AFAIU, that's a "valid" entry for a truncated page cache entry, but it is also being used to indicate error).

I think the right thing to do is to check xas_invalid() at the top of the loop, or to check the return value of all those xas_store()'s and take appropriate action.

There is also the possibility that this never occurs in practice due to the "Ensure we have slots for all the pages in the range" check at the top of the function, and that we are only able to trip this from error injection.
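As an added illustration, not code from this thread or from the kernel, here is a userspace model of the failure path described above: a simplified xa_state whose xas_store() can be made to fail at a chosen index (standing in for error injection), a xas_next() that returns NULL without advancing xa_index once the state is invalid, and a collapse_file()-style loop run once unchecked and once with the suggested xas_invalid() check at the top. The names follow the XArray API, but the bodies, ERR_NODE_BASE, MODEL_VM_BUG and the flat slot array are assumptions of this model (it assumes start >= 1).

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define NSLOTS 8
#define ERR_NODE_BASE 0xF000u   /* assumed encoding of an "error node" in this model */
#define MODEL_VM_BUG 1          /* stand-in for VM_BUG_ON(index != xas.xa_index) firing */
struct xa_state {
	void **slots;            /* flat array standing in for the XArray tree */
	unsigned long xa_index;  /* index the state currently refers to */
	uintptr_t xa_node;       /* >= ERR_NODE_BASE: the state carries -errno, not a node */
};

static int xas_error(const struct xa_state *xas)
{
	return xas->xa_node >= ERR_NODE_BASE ? -(int)(xas->xa_node - ERR_NODE_BASE) : 0;
}
static int xas_invalid(const struct xa_state *xas) { return xas_error(xas) != 0; }
/* Store an entry; at index fail_at the node allocation "fails" (error injection). */
static void xas_store(struct xa_state *xas, void *entry, unsigned long fail_at)
{
	if (xas_invalid(xas)) return;
	if (xas->xa_index == fail_at) { xas->xa_node = ERR_NODE_BASE + ENOMEM; return; }
	xas->slots[xas->xa_index] = entry;
}
/* Advance and load. In the error state it returns NULL *without* touching xa_index,
 * so NULL is ambiguous: a hole in the page cache, or a failed earlier store. */
static void *xas_next(struct xa_state *xas)
{
	if (xas_invalid(xas)) return NULL;
	xas->xa_index++;
	return xas->xa_index < NSLOTS ? xas->slots[xas->xa_index] : NULL;
}
/* Walk [start, end) the way collapse_file() does: 0 on success, a negative errno
 * when check_invalid catches the error state at the top of the loop, MODEL_VM_BUG
 * where the unchecked loop would hit VM_BUG_ON(index != xas.xa_index). */
static int collapse_range(unsigned long start, unsigned long end,
			  unsigned long fail_at, int check_invalid)
{
	void *slots[NSLOTS] = {0};
	struct xa_state xas = { slots, start - 1, 0 };   /* xas_next() pre-increments */
	for (unsigned long index = start; index < end; index++) {
		void *page = xas_next(&xas);
		if (check_invalid && xas_invalid(&xas)) return xas_error(&xas);
		if (index != xas.xa_index) return MODEL_VM_BUG;
		/* install the (fake) huge page entry for this index */
		xas_store(&xas, page ? page : (void *)(uintptr_t)index, fail_at);
	}
	return 0;
}
```

With a store failing at index 3, the unchecked walk hits the index mismatch on the very next iteration, while the checked walk returns -ENOMEM instead.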