From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4FFB0EEAA5D for ; Thu, 14 Sep 2023 18:21:13 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id A10AA8D0009; Thu, 14 Sep 2023 14:21:12 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 9C0CF8D0001; Thu, 14 Sep 2023 14:21:12 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 888398D0009; Thu, 14 Sep 2023 14:21:12 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com [216.40.44.17]) by kanga.kvack.org (Postfix) with ESMTP id 774EE8D0001 for ; Thu, 14 Sep 2023 14:21:12 -0400 (EDT) Received: from smtpin20.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay01.hostedemail.com (Postfix) with ESMTP id 4B91C1CAC30 for ; Thu, 14 Sep 2023 18:21:12 +0000 (UTC) X-FDA: 81236019984.20.B764D3E Received: from mail-ot1-f50.google.com (mail-ot1-f50.google.com [209.85.210.50]) by imf26.hostedemail.com (Postfix) with ESMTP id 85EB114000A for ; Thu, 14 Sep 2023 18:21:10 +0000 (UTC) Authentication-Results: imf26.hostedemail.com; dkim=pass header.d=google.com header.s=20230601 header.b=Ltyaayor; dmarc=pass (policy=reject) header.from=google.com; spf=pass (imf26.hostedemail.com: domain of surenb@google.com designates 209.85.210.50 as permitted sender) smtp.mailfrom=surenb@google.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1694715670; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=r14viLFdjZlr5qs/ZwW+ippwaGuAbVYT3KOmYlUCcNo=; b=euqwEMv4e8uRsGKzMBBqYfaCEmk2VLqRhDQpVBNIDEQhWP/++0ClCP54A/iLyY5QWS1BfL ZKHTv71Cg5aQDvAySIDpXYdsA4NYFDn3UpEpvwbGY3+InRUv53Q38hsF3grUBcPj0t2uuo n4NhcHJVgKVQ8ZjZqBPRMD6uh2zWS+E= ARC-Authentication-Results: i=1; imf26.hostedemail.com; dkim=pass header.d=google.com header.s=20230601 header.b=Ltyaayor; dmarc=pass (policy=reject) header.from=google.com; spf=pass (imf26.hostedemail.com: domain of surenb@google.com designates 209.85.210.50 as permitted sender) smtp.mailfrom=surenb@google.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1694715670; a=rsa-sha256; cv=none; b=XvtG6AaAa/jgWrb8CTXtnEHdze2gg4P+MifeEqABTspo58knR54/sm9y64+Kxcdl9fwYbo BBrhXXeIeeBDg3kwhrDS8Z+ocs1iUW1pxLoNWlPHXblkX5eu9HM5Ml95RuT/OkHsVQ279+ a8LgORVlHXB91pIYQwXo9wN/zbdm9Hs= Received: by mail-ot1-f50.google.com with SMTP id 46e09a7af769-6c09f1f9df2so794282a34.2 for ; Thu, 14 Sep 2023 11:21:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1694715669; x=1695320469; darn=kvack.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=r14viLFdjZlr5qs/ZwW+ippwaGuAbVYT3KOmYlUCcNo=; b=Ltyaayor8FTtxFhcpRySTYv+4Zh0Ue2D5GIUPy8iEXJ36g/UJv1KFqX8qPBtlxWBmM Ye3xZIFUKgwFhhncDh8ioWJnq13ZMFGRGuhyiEcsk7+UxKJ/JZ0bmn7Knk7eseHOzKv4 lvluDx1f9zQszHhQIJUAcoteBg6TPujmLifNAhjJXNSGyKCCNeptG/XN05wYxd05ugvn Y1UbXvaDSg4KSb5bvPmdXBOlUGLlhNVpHYUojfmv+woTvtgyH2o+/Ag7qKMuRENkut2S M7Vsj2TBj6kHmz6fJMe3B1aVauJJ2UiIhB1N1eV01jOdJUKT325CsHFv7F/EU6l8ojhG xHuQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1694715669; x=1695320469; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=r14viLFdjZlr5qs/ZwW+ippwaGuAbVYT3KOmYlUCcNo=; b=GQynFjboS6mnnJBAedNZPmiP4Fs0/xBGrQIxmnvO5gT2ALpA9el4olZHnbaodPNj4P KgCSE/DUQgdosohWLQjGfR8oIRm408R5WyzjsS0lHQMGt1MqotiduKUhPAZXNX4F4Syn pavuHO9RbmfnBGpVf+63jvreFqq+rCDavxHgIJLX+k6rQ4IX8AItZalSRox3XcSfqtup mZH07bSJ2YmU4Yils/xoYRJTQTYOWX3mBle9Mb+lw0ZV9qdKiewp2Xex355m+HjGgxpE VXyFdFQ209/X+6beOa9+jjEeeA+yaB2r5fLrrYwFr11RL5BNlk5mjtFYaCIc0C7yZQ+L C/tQ== X-Gm-Message-State: AOJu0YwMRS09HezP9QJ1oTxe6BwCCSkQ4J26NpNmj27f0AIAgtGHjdBQ OVRTEipX2PGtbyeNl+qVyazVPa4IIy8cWDSzagm2fA== X-Google-Smtp-Source: AGHT+IFqR2FxLVaE4WCj9ke8MpZJew4TgvR+yFLFOCL/SSpFtMiCbSV346KAy8ngKjHeyUIg1vbMVOD9Nf72nqiJgHo= X-Received: by 2002:a9d:4d84:0:b0:6bf:1fed:95ce with SMTP id u4-20020a9d4d84000000b006bf1fed95cemr6895607otk.22.1694715669318; Thu, 14 Sep 2023 11:21:09 -0700 (PDT) MIME-Version: 1.0 References: <000000000000f392a60604a65085@google.com> In-Reply-To: From: Suren Baghdasaryan Date: Thu, 14 Sep 2023 18:20:56 +0000 Message-ID: Subject: Re: [syzbot] [mm?] kernel BUG in vma_replace_policy To: Matthew Wilcox Cc: syzbot , akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Rspamd-Queue-Id: 85EB114000A X-Rspam-User: X-Rspamd-Server: rspam05 X-Stat-Signature: 1k9n833ohwj5nnnb8sta5btpmwih366z X-HE-Tag: 1694715670-390154 X-HE-Meta: U2FsdGVkX1+GYVsqkRZ/62P0xsljnhu8lKu3UikIPvvWhLj2vJfO0aNWJN6nZ2EQlLIsETFKYYmQgHJbYRJ98fBDXJyW7EyIv86KVj/BRXduegHbSBunabvLPnsCGrQOSlbckWRJ2f4kjEnsvIUEJ4GR+1RIOqTYBDUKTiX+ns+gVEiNABAjJOu871rQQVRnoSeqROsfdYn+lpTB7NBbmHEGbLpJhovNNX7+38XAPMnDBpl1LwICFF+w427OfLOQgtqFaJKpW3/dRYYPHsFjgFMcsKVSaQPkTIP9nZMfF0t49qmoEjwNuJ2vWHbqijWduII26DEnwMsmUp0en7CW5osm/XEeWZ2nbbMhdoQgEPUUNyPuvJ0/ccrjSb0geIPpnhxG3Jj9IatKV0AkzIBhE3VaQ/pn+Swp5E1VdsK5JiMdX/c/9IGeKKicuXWjzt7Zc5Ti64W137DtyfsFpaDqdzq9w4yt90x+aNdKDTPO3zSaoMmCIWFTHLlDQpjaTZTJnitc5FnjFx7yh0Uwz3/ORPHmBzCA3eQgyh9BCCy7uwT3t40oejBixnQaAKkKYbUURm0kFaV0+2mubn6EBCX4vOtf8HnFl4rPK0+2VdxfKwplG/3bitoefLqf5T1GKkhxBthAMt4pV8GMW+uMpsNjkiFLp92t+faZCSp5aOSSXv9MdY/6GmEkGytW70jfZd+YGxMWBqq3ouDco/l46PAwUxJG7WmkZ4DLYRjzzylIMxha7MHvp0ZHCYKA8Goa4dJtG+iAucaH2FX2B+S/mQF6LSn55bxozrLa43SPjeiVSEAcL9lxHYGH6l3VBshX4Dgjt9lsTpTo1M0bpFkrE8O4QXUYZnBjYQIv51VVI2v0vs01h+76KpNQqYWGXkvBC3UoIlz5skT1/cuhz8341Cmn5yfCnH4loVDRvwd/tema+qPGjTO8Fcu5McvDBJmTrljBHoU9igeMRHIFccZmBeu cANINr0/ /TkkVKjzGWgr6Co7RDHnQp5TIeBxvVyu2rnyCHrGHBpOxwKXpGqRAMgm+3H74f1czCLefsYXHYCymWrQ+/PClFQXpyHvfHMoU9cuDG8frO6ybfbT45anPyALLsZ0JNq5trU8c7TqU9Gl+qLS5B+VNCZlvFStAuDC4wmJ2exR9Jfo0dfq4O/fw9UcRmgh7JPFwOqnP9LWB7jSMhKpLK473Z1ck3Vs/VbnrgVaE+7ZUpQDzMJXF+Sso8KikYnEkXFNY2ZMT+1triY5djncTtJgTw5ilShvDjNBtFPJnkmvCqDmygMTadzMxTNadfumh4Ge4hTQear43T+PJfRtnEoSuuQV8OIeShdP8JD9BCIMNVAjec04nOkOtFXPw30vbW9T0a1YdRM1MZ5VRsTY94XJwZMuBCi5zSgl8F5kqFE8P3GBWY4/7KH/ceYqR1NxajHF7sXc7F9jX7OuZxD9Qmf79MourDqStn1X/UPEbfCs4nV2Bwjmwp5mMkxcSGmiEnYbRMdMNV9lIBSLxIVMRvaleIvVPFE0WkPGzO1CxkSl6o64TBdk55MCGF+U2Pqijbhz7O2Wzc/weO8mePH2eAW2Jlwtuhj/GaiLV4tzqPb96+/+y4WwNcevB1gACHcoemUWz9mgG2v5BPHAf11Z5RXyYS9ZWcymqIQYdxClci9mEjHh1MDZXsamTM6N0Mx+Kr26v8U+SQ4D1by+/LJDuG8sh7zcn2QGEkanzFoFr7fgcV5LEEptStUc/8AGdZKwFSXh+Wx9MtbFrOE3X6Qj1HLg9AB50KSXqf58b62JTbvy6iN9NyRTHAfn3JMDA8fbufppgdQxduMCabf/fDW1Pj8NemJ9CXvtgSiPD7MGOMxtMJ0cgZtboQIclxgfjEFBjvt009zvMkixkTnAnBcf8crFj9olCUdGsrC7v2VM3bAfUGeW8Vi5Z21tEADOZKr0KiETUV8UbvaYCdnF3FDv3sacKaz/UYORr ubMaOnbq FoipoE8VUpPR8yXL5VfnrUFqRS4+r3dX X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Wed, Sep 13, 2023 at 4:46=E2=80=AFPM Suren Baghdasaryan wrote: > > On Wed, Sep 13, 2023 at 4:05=E2=80=AFPM Suren Baghdasaryan wrote: > > > > On Tue, Sep 12, 2023 at 4:00=E2=80=AFPM Suren Baghdasaryan wrote: > > > > > > On Tue, Sep 12, 2023 at 8:03=E2=80=AFAM Suren Baghdasaryan wrote: > > > > > > > > On Tue, Sep 12, 2023 at 7:55=E2=80=AFAM Matthew Wilcox wrote: > > > > > > > > > > On Tue, Sep 12, 2023 at 06:30:46AM +0100, Matthew Wilcox wrote: > > > > > > On Tue, Sep 05, 2023 at 06:03:49PM -0700, syzbot wrote: > > > > > > > Hello, > > > > > > > > > > > > > > syzbot found the following issue on: > > > > > > > > > > > > > > HEAD commit: a47fc304d2b6 Add linux-next specific files fo= r 20230831 > > > > > > > git tree: linux-next > > > > > > > console+strace: https://syzkaller.appspot.com/x/log.txt?x=3D1= 6502ddba80000 > > > > > > > kernel config: https://syzkaller.appspot.com/x/.config?x=3D6= ecd2a74f20953b9 > > > > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=3Db59= 1856e0f0139f83023 > > > > > > > compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Bi= nutils for Debian) 2.40 > > > > > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x= =3D120e7d70680000 > > > > > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=3D1= 523f9c0680000 > > > > > > > > > > > > > > Downloadable assets: > > > > > > > disk image: https://storage.googleapis.com/syzbot-assets/b2e8= f4217527/disk-a47fc304.raw.xz > > > > > > > vmlinux: https://storage.googleapis.com/syzbot-assets/ed6cdcc= 09339/vmlinux-a47fc304.xz > > > > > > > kernel image: https://storage.googleapis.com/syzbot-assets/bd= 9b2475bf5a/bzImage-a47fc304.xz > > > > > > > > > > > > > > IMPORTANT: if you fix the issue, please add the following tag= to the commit: > > > > > > > Reported-by: syzbot+b591856e0f0139f83023@syzkaller.appspotmai= l.com > > > > > > > > > > > > #syz test > > > > > > > > > > > > diff --git a/mm/mempolicy.c b/mm/mempolicy.c > > > > > > index 42b5567e3773..90ad5fe60824 100644 > > > > > > --- a/mm/mempolicy.c > > > > > > +++ b/mm/mempolicy.c > > > > > > @@ -1342,6 +1342,7 @@ static long do_mbind(unsigned long start,= unsigned long len, > > > > > > vma_iter_init(&vmi, mm, start); > > > > > > prev =3D vma_prev(&vmi); > > > > > > for_each_vma_range(vmi, vma, end) { > > > > > > + vma_start_write(vma); > > > > > > err =3D mbind_range(&vmi, vma, &prev, start, end,= new); > > > > > > if (err) > > > > > > break; > > > > > > > > > > Suren, can you take a look at this? The VMA should be locked by = the > > > > > call to queue_pages_range(), but by the time we get to here, the = VMA > > > > > isn't locked. I don't see anywhere that we cycle the mmap_lock (= which > > > > > would unlock the VMA), but I could have missed something. The tw= o > > > > > VMA walks should walk over the same set of VMAs. Certainly the V= MA > > > > > being dumped should have been locked by the pagewalk: > > > > > > Yeah, this looks strange. queue_pages_range() should have locked all > > > the vmas and the tree can't change since we are holding mmap_lock for > > > write. I'll try to reproduce later today and see what's going on. > > > > So far I was unable to reproduce the issue. I tried with Linus' ToT > > using the attached config. linux-next ToT does not boot with this > > config but defconfig boots and fails to reproduce the issue. I'll try > > to figure out why current linux-next does not like this config. > > Ok, I found a way to reproduce this using the config and kernel > baseline reported on 2023/09/06 06:24 at > https://syzkaller.appspot.com/bug?extid=3Db591856e0f0139f83023. I > suspect mmap_lock is being dropped by a racing thread, similar to this > issue we fixed before here: > https://lore.kernel.org/all/CAJuCfpH8ucOkCFYrVZafUAppi5+mVhy=3DuD+BK6-oYX= =3DysQv5qQ@mail.gmail.com/ > Anyway, I'm on it and will report once I figure out the issue. I think I found the problem and the explanation is much simpler. While walking the page range, queue_folios_pte_range() encounters an unmovable page and queue_folios_pte_range() returns 1. That causes a break from the loop inside walk_page_range() and no more VMAs get locked. After that the loop calling mbind_range() walks over all VMAs, even the ones which were skipped by queue_folios_pte_range() and that causes this BUG assertion. Thinking what's the right way to handle this situation (what's the expected behavior here)... I think the safest way would be to modify walk_page_range() and make it continue calling process_vma_walk_lock() for all VMAs in the range even when __walk_page_range() returns a positive err. Any objection or alternative suggestions? > > > > > > > > > > > > > > Sure, I'll look into this today. Somehow this report slipped by me > > > > unnoticed. Thanks! > > > > > > > > > > > > > > vma ffff888077381a00 start 0000000020c2a000 end 0000000021000000= mm ffff8880258a8980 > > > > > prot 25 anon_vma 0000000000000000 vm_ops 0000000000000000 > > > > > pgoff 20c2a file 0000000000000000 private_data 0000000000000000 > > > > > flags: 0x8100077(read|write|exec|mayread|maywrite|mayexec|accoun= t|softdirty) > > > > > > > > > > syscall(__NR_mbind, /*addr=3D*/0x20400000ul, /*len=3D*/0xc00000= ul, /*mode=3D*/4ul, > > > > > /*nodemask=3D*/0ul, /*maxnode=3D*/0ul, /*flags=3D*/3ul)= ; > > > > > > > > > > 20400000 + c00000 should overlap 20c2a000-21000000