From: Suren Baghdasaryan
Date: Wed, 13 Sep 2023 16:46:50 +0000
Subject: Re: [syzbot] [mm?] kernel BUG in vma_replace_policy
To: Matthew Wilcox
Cc: syzbot, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
References: <000000000000f392a60604a65085@google.com>

On Wed, Sep 13, 2023 at 4:05 PM Suren Baghdasaryan wrote:
>
> On Tue, Sep 12, 2023 at 4:00 PM Suren Baghdasaryan wrote:
> >
> > On Tue, Sep 12, 2023 at 8:03 AM Suren Baghdasaryan wrote:
> > >
> > > On Tue, Sep 12, 2023 at 7:55 AM Matthew Wilcox wrote:
> > > >
> > > > On Tue, Sep 12, 2023 at 06:30:46AM +0100, Matthew Wilcox wrote:
> > > > > On Tue, Sep 05, 2023 at 06:03:49PM -0700, syzbot wrote:
> > > > > > Hello,
> > > > > >
> > > > > > syzbot found the following issue on:
> > > > > >
> > > > > > HEAD commit:    a47fc304d2b6 Add linux-next specific files for 20230831
> > > > > > git tree:       linux-next
> > > > > > console+strace: https://syzkaller.appspot.com/x/log.txt?x=16502ddba80000
> > > > > > kernel config:  https://syzkaller.appspot.com/x/.config?x=6ecd2a74f20953b9
> > > > > > dashboard link: https://syzkaller.appspot.com/bug?extid=b591856e0f0139f83023
> > > > > > compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> > > > > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=120e7d70680000
> > > > > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1523f9c0680000
> > > > > >
> > > > > > Downloadable assets:
> > > > > > disk image: https://storage.googleapis.com/syzbot-assets/b2e8f4217527/disk-a47fc304.raw.xz
> > > > > > vmlinux: https://storage.googleapis.com/syzbot-assets/ed6cdcc09339/vmlinux-a47fc304.xz
> > > > > > kernel image: https://storage.googleapis.com/syzbot-assets/bd9b2475bf5a/bzImage-a47fc304.xz
> > > > > >
> > > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > > > > Reported-by: syzbot+b591856e0f0139f83023@syzkaller.appspotmail.com
> > > > >
> > > > > #syz test
> > > > >
> > > > > diff --git a/mm/mempolicy.c b/mm/mempolicy.c
> > > > > index 42b5567e3773..90ad5fe60824 100644
> > > > > --- a/mm/mempolicy.c
> > > > > +++ b/mm/mempolicy.c
> > > > > @@ -1342,6 +1342,7 @@ static long do_mbind(unsigned long start, unsigned long len,
> > > > >  	vma_iter_init(&vmi, mm, start);
> > > > >  	prev = vma_prev(&vmi);
> > > > >  	for_each_vma_range(vmi, vma, end) {
> > > > > +		vma_start_write(vma);
> > > > >  		err = mbind_range(&vmi, vma, &prev, start, end, new);
> > > > >  		if (err)
> > > > >  			break;
> > > >
> > > > Suren, can you take a look at this?  The VMA should be locked by the
> > > > call to queue_pages_range(), but by the time we get to here, the VMA
> > > > isn't locked.  I don't see anywhere that we cycle the mmap_lock (which
> > > > would unlock the VMA), but I could have missed something.  The two
> > > > VMA walks should walk over the same set of VMAs.  Certainly the VMA
> > > > being dumped should have been locked by the pagewalk:
> >
> > Yeah, this looks strange. queue_pages_range() should have locked all
> > the vmas and the tree can't change since we are holding mmap_lock for
> > write. I'll try to reproduce later today and see what's going on.
>
> So far I was unable to reproduce the issue. I tried with Linus' ToT
> using the attached config. linux-next ToT does not boot with this
> config but defconfig boots and fails to reproduce the issue. I'll try
> to figure out why current linux-next does not like this config.

Ok, I found a way to reproduce this using the config and kernel baseline
reported on 2023/09/06 06:24 at
https://syzkaller.appspot.com/bug?extid=b591856e0f0139f83023.
I suspect mmap_lock is being dropped by a racing thread, similar to this
issue we fixed before here:
https://lore.kernel.org/all/CAJuCfpH8ucOkCFYrVZafUAppi5+mVhy=uD+BK6-oYX=ysQv5qQ@mail.gmail.com/
Anyway, I'm on it and will report once I figure out the issue.

> > >
> > > Sure, I'll look into this today. Somehow this report slipped by me
> > > unnoticed. Thanks!
> > >
> > > >
> > > > vma ffff888077381a00 start 0000000020c2a000 end 0000000021000000 mm ffff8880258a8980
> > > > prot 25 anon_vma 0000000000000000 vm_ops 0000000000000000
> > > > pgoff 20c2a file 0000000000000000 private_data 0000000000000000
> > > > flags: 0x8100077(read|write|exec|mayread|maywrite|mayexec|account|softdirty)
> > > >
> > > > syscall(__NR_mbind, /*addr=*/0x20400000ul, /*len=*/0xc00000ul, /*mode=*/4ul,
> > > >         /*nodemask=*/0ul, /*maxnode=*/0ul, /*flags=*/3ul);
> > > >
> > > > 20400000 + c00000 should overlap 20c2a000-21000000
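
Review bot: the vma_start_write(vma) added at the top of the for_each_vma_range() loop in do_mbind() treats the symptom rather than the cause this thread identifies. Matthew's note says queue_pages_range() should already have write-locked every VMA in the range, and Suren suspects mmap_lock is being dropped by a racing thread; if mmap_lock really is released between the two walks, the VMA tree may also have changed underneath the second walk, so re-locking each VMA just before mbind_range() does not by itself make that walk safe, and the lock drop needs to be found. As a "#syz test" patch it is fine for confirming that the missing lock is what trips the BUG, but a final fix should either remove the need for the second lock or carry a comment at the added line explaining why the VMA must be write-locked again at this point.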