From: Suren Baghdasaryan <surenb@google.com>
Date: Thu, 11 Jan 2024 08:40:11 -0800
Subject: Re: [syzbot] [mm?] kernel BUG in move_pages
To: syzbot
Cc: aarcange@redhat.com, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
In-Reply-To: <00000000000011d709060eadffd3@google.com>

On Thu, Jan 11, 2024 at 8:25 AM syzbot wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    e2425464bc87 Add linux-next specific files for 20240105
> git tree:       linux-next
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=14941cdee80000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=4056b9349f3da8c9
> dashboard link: https://syzkaller.appspot.com/bug?extid=705209281e36404998f6
> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=125d0a09e80000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=15bc7331e80000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/2f738185e2cf/disk-e2425464.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/b248fcf4ea46/vmlinux-e2425464.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/a9945c8223f4/bzImage-e2425464.xz
>
> The issue was bisected to:
>
> commit adef440691bab824e39c1b17382322d195e1fab0
> Author: Andrea Arcangeli
> Date:   Wed Dec 6 10:36:56 2023 +0000
>
>     userfaultfd: UFFDIO_MOVE uABI
>
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=11cb6ea9e80000
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=13cb6ea9e80000
> console output: https://syzkaller.appspot.com/x/log.txt?x=15cb6ea9e80000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+705209281e36404998f6@syzkaller.appspotmail.com
> Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI")
>
>  do_one_initcall+0x128/0x680 init/main.c:1237
>  do_initcall_level init/main.c:1299 [inline]
>  do_initcalls init/main.c:1315 [inline]
>  do_basic_setup init/main.c:1334 [inline]
>  kernel_init_freeable+0x692/0xc30 init/main.c:1552
>  kernel_init+0x1c/0x2a0 init/main.c:1442
>  ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
>  ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
> ------------[ cut here ]------------
> kernel BUG at include/linux/page-flags.h:1035!
> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> CPU: 0 PID: 5068 Comm: syz-executor191 Not tainted 6.7.0-rc8-next-20240105-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
> RIP: 0010:PageAnonExclusive include/linux/page-flags.h:1035 [inline]

From a quick look, I think the new ioctl is being used against a
file-backed page and that's why PageAnonExclusive() throws this error.
I'll confirm if this is indeed the case and will add checks for that
case.
Thanks!

> RIP: 0010:move_pages+0x1697/0x3d40 mm/userfaultfd.c:1402
> Code: 00 00 48 c1 e8 0c 48 21 d0 48 c1 e0 06 48 01 c3 e9 b6 f7 ff ff e8 79 c6 9c ff 48 c7 c6 e0 7e dc 8a 48 89 df e8 0a 20 dc ff 90 <0f> 0b e8 62 c6 9c ff 48 89 da b8 ff ff 37 00 48 c1 ea 03 48 c1 e0
> RSP: 0018:ffffc90003aefa98 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: ffffea0001e40000 RCX: ffffffff81687599
> RDX: ffff88802a155940 RSI: ffffffff81eb5d46 RDI: 0000000000000000
> RBP: ffff88802abab810 R08: 0000000000000000 R09: fffffbfff1e75fda
> R10: ffffffff8f3afed7 R11: 0000000000000001 R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000020518000 R15: 0000000000000000
> FS:  00005555562cf380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00000000204f8000 CR3: 000000006a725000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  userfaultfd_move fs/userfaultfd.c:2047 [inline]
>  userfaultfd_ioctl+0x683/0x6420 fs/userfaultfd.c:2169
>  vfs_ioctl fs/ioctl.c:51 [inline]
>  __do_sys_ioctl fs/ioctl.c:871 [inline]
>  __se_sys_ioctl fs/ioctl.c:857 [inline]
>  __x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xd0/0x250 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x62/0x6a
> RIP: 0033:0x7f4bada9b3e9
> Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007fff2c1d6998 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 00007fff2c1d6b68 RCX: 00007f4bada9b3e9
> RDX: 00000000200000c0 RSI: 00000000c028aa05 RDI: 0000000000000003
> RBP: 00007f4badb0e610 R08: 00007fff2c1d6b68 R09: 00007fff2c1d6b68
> R10: 00007fff2c1d6b68 R11: 0000000000000246 R12: 0000000000000001
> R13: 00007fff2c1d6b58 R14: 0000000000000001 R15: 0000000000000001
>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:PageAnonExclusive include/linux/page-flags.h:1035 [inline]
> RIP: 0010:move_pages+0x1697/0x3d40 mm/userfaultfd.c:1402
> Code: 00 00 48 c1 e8 0c 48 21 d0 48 c1 e0 06 48 01 c3 e9 b6 f7 ff ff e8 79 c6 9c ff 48 c7 c6 e0 7e dc 8a 48 89 df e8 0a 20 dc ff 90 <0f> 0b e8 62 c6 9c ff 48 89 da b8 ff ff 37 00 48 c1 ea 03 48 c1 e0
> RSP: 0018:ffffc90003aefa98 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: ffffea0001e40000 RCX: ffffffff81687599
> RDX: ffff88802a155940 RSI: ffffffff81eb5d46 RDI: 0000000000000000
> RBP: ffff88802abab810 R08: 0000000000000000 R09: fffffbfff1e75fda
> R10: ffffffff8f3afed7 R11: 0000000000000001 R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000020518000 R15: 0000000000000000
> FS:  00005555562cf380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00000000204f8000 CR3: 000000006a725000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
>
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
>
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
>
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
>
> If you want to undo deduplication, reply with:
> #syz undup
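Added example, not part of this thread and not the kernel's own code: the reply above attributes the BUG_ON to UFFDIO_MOVE being pointed at a page that is not anonymous. The kernel has to reject that itself, since the oops is reached from an unprivileged ioctl, but a cooperating userspace caller can also refuse to issue the ioctl unless both ranges lie entirely inside private anonymous mappings, judged from /proc/self/maps. The program below does that. The struct layout and ioctl number are the UFFDIO_MOVE uABI as the editor knows it and are assumed here only so the example builds on hosts whose headers predate it; the function names, map_entry, and the sample maps text are this example's own, and the sample is constructed, not captured from the reproducer.

```c
/*
 * Added example, not from the syzbot report or the reply: a userspace guard
 * that issues UFFDIO_MOVE only when src and dst are private anonymous memory
 * according to /proc/self/maps. All names below are this example's own.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>

#ifndef UFFDIO_MOVE
/* Assumed UFFDIO_MOVE uABI, so the example builds without a new
 * <linux/userfaultfd.h>; if that header is included, its definition wins. */
struct uffdio_move {
    uint64_t dst;
    uint64_t src;
    uint64_t len;
    uint64_t mode;
    int64_t  move;   /* bytes moved or -errno, written back by the kernel */
};
#define UFFDIO_MOVE _IOWR(0xAA, 0x05, struct uffdio_move)
#endif

struct map_entry {
    uintptr_t start, end;
    char perms[5];
    unsigned long inode;
    char path[256];
};

/* Parse one /proc/PID/maps line. Returns 1 on success, 0 if malformed. */
int parse_maps_line(const char *line, struct map_entry *e)
{
    unsigned long long s, en, off;
    unsigned int maj, min;
    int consumed = 0;
    memset(e, 0, sizeof(*e));
    if (sscanf(line, "%llx-%llx %4s %llx %x:%x %lu%n",
               &s, &en, e->perms, &off, &maj, &min, &e->inode, &consumed) != 7)
        return 0;
    e->start = (uintptr_t)s;
    e->end = (uintptr_t)en;
    /* Whatever follows the inode, after whitespace, is the pathname (may be empty). */
    const char *p = line + consumed;
    while (*p == ' ' || *p == '\t')
        p++;
    size_t n = strcspn(p, "\n");
    if (n >= sizeof(e->path))
        n = sizeof(e->path) - 1;
    memcpy(e->path, p, n);
    e->path[n] = '\0';
    return 1;
}

/* Private anonymous: copy-on-write ('p'), no backing inode, and no file path.
 * This rejects file mappings, MAP_SHARED anonymous memory (shmem, shown as
 * "/dev/zero (deleted)" with an inode) and special mappings such as [vdso]. */
static int entry_is_private_anon(const struct map_entry *e)
{
    if (e->perms[3] != 'p' || e->inode != 0)
        return 0;
    return e->path[0] == '\0' || strcmp(e->path, "[heap]") == 0 ||
           strcmp(e->path, "[stack]") == 0;
}

/* Walk maps_text (the contents of /proc/self/maps, which is sorted by address)
 * and return 1 only if [start, start+len) is fully covered by private
 * anonymous entries. Any gap or any other kind of mapping returns 0. */
int range_is_private_anon(const char *maps_text, uintptr_t start, size_t len)
{
    uintptr_t cursor = start, end = start + len;
    const char *line = maps_text;
    if (len == 0 || end < start)
        return 0;
    while (*line && cursor < end) {
        struct map_entry e;
        char buf[512];
        const char *nl = strchr(line, '\n');
        size_t l = nl ? (size_t)(nl - line) : strlen(line);
        if (l >= sizeof(buf))
            l = sizeof(buf) - 1;
        memcpy(buf, line, l);
        buf[l] = '\0';
        line += l + (nl ? 1 : 0);
        if (!parse_maps_line(buf, &e))
            continue;
        if (e.start <= cursor && cursor < e.end) {
            if (!entry_is_private_anon(&e))
                return 0;
            cursor = e.end;   /* covered up to here, keep walking */
        }
    }
    return cursor >= end;
}

/* Issue UFFDIO_MOVE only after both ranges pass the check. Returns bytes
 * moved, or -errno; -EINVAL is this example's choice for a refused range. */
int64_t uffd_move_checked(int uffd, uintptr_t dst, uintptr_t src, size_t len,
                          const char *maps_text)
{
    struct uffdio_move mv;
    if (!range_is_private_anon(maps_text, src, len) ||
        !range_is_private_anon(maps_text, dst, len))
        return -EINVAL;
    memset(&mv, 0, sizeof(mv));
    mv.dst = dst;
    mv.src = src;
    mv.len = len;
    if (ioctl(uffd, UFFDIO_MOVE, &mv) < 0)
        return -errno;
    return mv.move;
}

/* Constructed sample in /proc/self/maps format (not captured from the reproducer). */
static const char sample_maps[] =
    "00400000-00401000 r-xp 00000000 08:01 131 /tmp/a.out\n"
    "20000000-20100000 rw-p 00000000 00:00 0 \n"
    "20100000-20200000 rw-s 00000000 00:05 4242 /dev/zero (deleted)\n"
    "20200000-20300000 rw-p 00001000 08:01 777 /tmp/backing.dat\n"
    "7ffd1000-7ffd4000 rw-p 00000000 00:00 0 [stack]\n";

int main(void)
{
    printf("anon     : %d\n", range_is_private_anon(sample_maps, 0x20001000, 0x1000));
    printf("shmem    : %d\n", range_is_private_anon(sample_maps, 0x20100000, 0x1000));
    printf("file     : %d\n", range_is_private_anon(sample_maps, 0x20200000, 0x1000));
    printf("spans    : %d\n", range_is_private_anon(sample_maps, 0x200ff000, 0x2000));
    printf("unmapped : %d\n", range_is_private_anon(sample_maps, 0x30000000, 0x1000));
    return 0;
}
```

In a real caller, read /proc/self/maps into a buffer right before the ioctl and pass it as maps_text; a range that straddles an anonymous mapping and a neighbouring file or shmem mapping is refused as a whole, which is the case a page-granular kernel check would otherwise trip over partway through.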