From: Barry Song <21cnbao@gmail.com>
Date: Tue, 19 Mar 2024 10:21:04 +1300
Subject: Re: [syzbot] [mm?] kernel BUG in sg_init_one
To: Yosry Ahmed
Cc: Johannes Weiner, Nhat Pham, syzbot, akpm@linux-foundation.org, chengming.zhou@linux.dev, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, Barry Song
References: <000000000000bbb3d80613f243a6@google.com> <20240318210917.GA4210@cmpxchg.org>

On Tue, Mar 19, 2024 at 10:19 AM Yosry Ahmed wrote:
>
> On Mon, Mar 18, 2024 at 2:09 PM Johannes Weiner wrote:
> >
> > On Mon, Mar 18, 2024 at 01:17:19PM -0700, Yosry Ahmed wrote:
> > > On Mon, Mar 18, 2024 at 11:00 AM Nhat Pham wrote:
> > > >
> > > > On Mon, Mar 18, 2024 at 9:58 AM syzbot
> > > > wrote:
> > > > >
> > > > > Hello,
> > > > >
> > > > > syzbot found the following issue on:
> > > > >
> > > > > HEAD commit:    e5eb28f6d1af Merge tag 'mm-nonmm-stable-2024-03-14-09-36' ..
> > > > > git tree:       upstream
> > > > > console output: https://syzkaller.appspot.com/x/log.txt?x=13043abe180000
> > > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=19bb57c23dffc38e
> > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=adbc983a1588b7805de3
> > > > > compiler:       arm-linux-gnueabi-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> > > > > userspace arch: arm
> > > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1706d231180000
> > > > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13ba7959180000
> > > > >
> > > > > Downloadable assets:
> > > > > disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/8ead8862021c/non_bootable_disk-e5eb28f6.raw.xz
> > > > > vmlinux: https://storage.googleapis.com/syzbot-assets/0a7371c63ff2/vmlinux-e5eb28f6.xz
> > > > > kernel image: https://storage.googleapis.com/syzbot-assets/7539441b4add/zImage-e5eb28f6.xz
> > > > >
> > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > > Reported-by: syzbot+adbc983a1588b7805de3@syzkaller.appspotmail.com
> > > > >
> > > > > ------------[ cut here ]------------
> > > > > kernel BUG at include/linux/scatterlist.h:187!
> > > >
> > > > Looks like the provided buffer is invalid:
> > > >
> > > > #ifdef CONFIG_DEBUG_SG
> > > >         BUG_ON(!virt_addr_valid(buf));
> > > > #endif
> > > >
> > > > which is "src" from:
> > > >
> > > > sg_init_one(&input, src, entry->length);
> > > >
> > > > Looking at the surrounding code and recent history, there's this
> > > > commit that stands out:
> > > >
> > > > mm/zswap: remove the memcpy if acomp is not sleepable
> > > > (sha: 270700dd06ca41a4779c19eb46608f076bb7d40e)
> > > >
> > > > which has the effect of, IIUC, using the zpool mapped memory directly
> > > > as src, instead of acomp_ctx->buffer (which was previously the case,
> > > > as zsmalloc was not sleepable).
> > > >
> > > > This might not necessarily be a bug with that commit itself, but might
> > > > have revealed another bug elsewhere.
> > > >
> > > > Anyway, cc-ing the author, Barry Song, to fact check me :) Will take a
> > > > closer look later.
> > >
> > > I am not a highmem expert, but the reproducer has CONFIG_HIGHMEM=y,
> > > and it seems like zs_map_object() may return a highmem address if the
> > > compressed object is entirely in a single page to avoid copying to a
> > > buffer:
> > >
> > >         if (off + class->size <= PAGE_SIZE) {
> > >                 /* this object is contained entirely within a page */
> > >                 area->vm_addr = kmap_atomic(page);
> > >                 ret = area->vm_addr + off;
> > >                 goto out;
> > >         }
> > >
> > > The virt_addr_valid() check seems to indicate that we expect a direct
> > > map address in sg_init_one(), right?
> >
> > If the page is highmem, kmap_atomic() establishes a temporary mapping
> > to it in the direct map, such that we have a legit kernel pointer to
> > the memory. Otherwise the memcpy() in zswap also wouldn't work... Am I
> > missing something?
>
> IIUC kmap_atomic() establishes a mapping in the kernel portion of the
> address space, but not a direct map mapping (i.e. not a linear
> mapping), right?
>
> Does virt_addr_valid() check for addresses being in the kernel portion
> of the address space, or it being a linear mapping? I thought it
> checks for the latter.

the latter, right.

>
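The distinction the thread lands on (a kmap_atomic() address is a kernel address but not a linear-map one, and that is what virt_addr_valid() tests) as an added example that is not code from the thread or from the kernel: a user-space model in which the linear map, the kmap window, zs_map_object(), acomp_ctx->buffer and the CONFIG_DEBUG_SG check are all constructed stand-ins. It shows the unchecked path tripping the check on a highmem object and the bounce-buffer fallback that keeps sg_init_one() satisfied.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define PAGE_SIZE 4096
/* Constructed memory: lowmem lives in the linear map; highmem is reachable
 * only through a separate kmap window (what kmap_atomic() hands back). */
static unsigned char linear_map[PAGE_SIZE];  /* direct map of lowmem */
static unsigned char kmap_window[PAGE_SIZE]; /* temporary highmem mapping */
/* Stand-in for acomp_ctx->buffer: kmalloc'ed, so it sits in the linear map. */
static unsigned char *const acomp_buffer = linear_map + PAGE_SIZE / 2;
/* Model of virt_addr_valid(): true only for linear-map addresses. */
static bool model_virt_addr_valid(const void *p)
{
    uintptr_t a = (uintptr_t)p;
    return a >= (uintptr_t)linear_map && a < (uintptr_t)linear_map + PAGE_SIZE;
}
/* Model of zs_map_object() for an object contained in a single page. */
static unsigned char *model_zs_map_object(bool highmem, size_t off)
{
    return (highmem ? kmap_window : linear_map) + off;
}
/* Decompress path. Without `bounce` the mapped address feeds the scatterlist
 * directly; with `bounce`, a non-linear address is first copied into the
 * per-CPU buffer. Returns 0 if sg_init_one()'s CONFIG_DEBUG_SG check would
 * fire, 1 if the mapped address was used as-is, 2 if it was bounced. */
int decompress_from(bool highmem, size_t off, size_t len, bool bounce,
                    unsigned char *out)
{
    const unsigned char *src = model_zs_map_object(highmem, off);
    int how = 1;
    if (bounce && !model_virt_addr_valid(src)) {
        memcpy(acomp_buffer, src, len);
        src = acomp_buffer;
        how = 2;
    }
    if (!model_virt_addr_valid(src)) /* BUG_ON(!virt_addr_valid(buf)) */
        return 0;
    memcpy(out, src, len);           /* stands in for the decompressor */
    return how;
}

/* Store a constructed object, run the path, verify the bytes; -1 on mismatch. */
int run_case(bool highmem, bool bounce)
{
    static const unsigned char obj[] = "constructed-compressed-object";
    unsigned char out[sizeof obj] = {0};
    memcpy(model_zs_map_object(highmem, 128), obj, sizeof obj);
    int how = decompress_from(highmem, 128, sizeof obj, bounce, out);
    return (how && memcmp(out, obj, sizeof obj)) ? -1 : how;
}
```

run_case(true, false) is the reported situation: a highmem object handed straight to the scatterlist fails the check, while run_case(true, true) survives by bouncing through the buffer.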