From: Aleksandr Nogikh
Date: Thu, 2 Nov 2023 13:15:11 +0100
Subject: Re: [syzbot] [mm?] general protection fault in hugetlb_vma_lock_write
To: Rik van Riel
Cc: syzbot, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, llvm@lists.linux.dev, mike.kravetz@oracle.com, muchun.song@linux.dev, nathan@kernel.org, ndesaulniers@google.com, syzkaller-bugs@googlegroups.com, trix@redhat.com
References: <00000000000078d1e00608d7878b@google.com>

On Tue, Oct 31, 2023 at 7:39 PM Rik van Riel wrote:
>
> On Sun, 2023-10-29 at 02:27 -0700, syzbot wrote:
> >
> > commit bf4916922c60f43efaa329744b3eef539aa6a2b2
> > Author: Rik van Riel
> > Date:   Fri Oct 6 03:59:07 2023 +0000
> >
> >     hugetlbfs: extend hugetlb_vma_lock to private VMAs
> >
>
> I've been trying to reproduce the issue here, but the test
> case has been running for 4+ hours now on a KVM guest, with
> KASAN and CONFIG_PROVE_LOCKING enabled. No crashes yet.

FWIW you may also try to use the syzbot-built kernel shared via the
"Downloadable assets" section[1]. I've just run the C repro against it
and it crashed immediately.

[   66.222816][ T5095] general protection fault, probably for non-canonical address 0xdffffc000000001d: 0000 [#1] PREEMPT SMP KASAN
[   66.227224][ T5095] KASAN: null-ptr-deref in range [0x00000000000000e8-0x00000000000000ef]
[   66.230109][ T5095] CPU: 0 PID: 5095 Comm: repro Not tainted 6.6.0-rc7-syzkaller-00142-g888cf78c29e2 #0

[1] Here are the instructions with commands to copy-paste:
https://github.com/google/syzkaller/blob/master/docs/syzbot_assets.md

--
Aleksandr

> I'll try adapting the config file from syzkaller so the
> resulting kernel boots here, but this is not looking like
> an easy reproducer so far...
>
> The crash is also confusing me somewhat, because it looks
> like hugetlb_vma_lock_write() is passing a nonsense (very small
> value) resv_map->rw_sema pointer down to down_write, but the
> code has some protection against that:
>
> static inline bool __vma_private_lock(struct vm_area_struct *vma)
> {
>         return (!(vma->vm_flags & VM_MAYSHARE)) && vma->vm_private_data;
> }
>
> void hugetlb_vma_lock_write(struct vm_area_struct *vma)
> {
>         if (__vma_shareable_lock(vma)) {
>                 struct hugetlb_vma_lock *vma_lock = vma->vm_private_data;
>
>                 down_write(&vma_lock->rw_sema);
>         } else if (__vma_private_lock(vma)) {
>                 struct resv_map *resv_map = vma_resv_map(vma);
>
>                 down_write(&resv_map->rw_sema);
>         }
> }
>
> At fork time, vma->vm_private_data gets cleared in the child
> process for MAP_PRIVATE hugetlb VMAs.
>
> I do not see anything that would leave behind a tiny, but
> non-zero value in that pointer.
>
> I'll keep poking at this, but I don't know if it will
> reproduce here.
>
> > general protection fault, probably for non-canonical address 0xdffffc000000001d: 0000 [#1] PREEMPT SMP KASAN
> > KASAN: null-ptr-deref in range [0x00000000000000e8-0x00000000000000ef]
> > CPU: 0 PID: 5048 Comm: syz-executor139 Not tainted 6.6.0-rc7-syzkaller-00142-g888cf78c29e2 #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
> > RIP: 0010:__lock_acquire+0x109/0x5de0 kernel/locking/lockdep.c:5004
> > Code: 45 85 c9 0f 84 cc 0e 00 00 44 8b 05 c1 1e 42 0b 45 85 c0 0f 84 be 0d 00 00 48 ba 00 00 00 00 00 fc ff df 4c 89 d1 48 c1 e9 03 <80> 3c 11 00 0f 85 e8 40 00 00 49 81 3a a0 d9 5f 90 0f 84 96 0d 00
> > RSP: 0018:ffffc90003aa7798 EFLAGS: 00010016
> >
> > RAX: ffff88807a0b9dc0 RBX: 1ffff92000754f23 RCX: 000000000000001d
> > RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 00000000000000e8
> > RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
> > R10: 00000000000000e8 R11: 0000000000000000 R12: 0000000000000000
> > R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> > FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 0000000020000280 CR3: 00000000758bf000 CR4: 0000000000350ef0
> > Call Trace:
> >
> >  lock_acquire kernel/locking/lockdep.c:5753 [inline]
> >  lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5718
> >  down_write+0x93/0x200 kernel/locking/rwsem.c:1573
> >  hugetlb_vma_lock_write mm/hugetlb.c:300 [inline]
> >  hugetlb_vma_lock_write+0xae/0x100 mm/hugetlb.c:291
> >  __hugetlb_zap_begin+0x1e9/0x2b0 mm/hugetlb.c:5447
> >  hugetlb_zap_begin include/linux/hugetlb.h:258 [inline]
> >  unmap_vmas+0x2f4/0x470 mm/memory.c:1733
> >  exit_mmap+0x1ad/0xa60 mm/mmap.c:3230
> >  __mmput+0x12a/0x4d0 kernel/fork.c:1349
> >  mmput+0x62/0x70 kernel/fork.c:1371
> >  exit_mm kernel/exit.c:567 [inline]
> >  do_exit+0x9ad/0x2a20 kernel/exit.c:861
> >  __do_sys_exit kernel/exit.c:991 [inline]
> >  __se_sys_exit kernel/exit.c:989 [inline]
> >  __x64_sys_exit+0x42/0x50 kernel/exit.c:989
> >  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> >  do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
> >  entry_SYSCALL_64_after_hwframe+0x63/0xcd
> > RIP: 0033:0x7ff2b7a78ab9
> > Code: Unable to access opcode bytes at 0x7ff2b7a78a8f.
> > RSP: 002b:00007fff926ea6b8 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
> > RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff2b7a78ab9
> > RDX: 00007ff2b7ab23f3 RSI: 0000000000000000 RDI: 0000000000000000
> > RBP: 000000000000cfda R08: 0000000000000000 R09: 0000000000000006
> > R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff926ea6cc
> > R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
> >
> > Modules linked in:
> > ---[ end trace 0000000000000000 ]---
> > RIP: 0010:__lock_acquire+0x109/0x5de0 kernel/locking/lockdep.c:5004
> > Code: 45 85 c9 0f 84 cc 0e 00 00 44 8b 05 c1 1e 42 0b 45 85 c0 0f 84 be 0d 00 00 48 ba 00 00 00 00 00 fc ff df 4c 89 d1 48 c1 e9 03 <80> 3c 11 00 0f 85 e8 40 00 00 49 81 3a a0 d9 5f 90 0f 84 96 0d 00
> > RSP: 0018:ffffc90003aa7798 EFLAGS: 00010016
> > RAX: ffff88807a0b9dc0 RBX: 1ffff92000754f23 RCX: 000000000000001d
> > RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 00000000000000e8
> > RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
> > R10: 00000000000000e8 R11: 0000000000000000 R12: 0000000000000000
> > R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> > FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 0000000020000280 CR3: 00000000758bf000 CR4: 0000000000350ef0
> > ----------------
> > Code disassembly (best guess):
> >    0:   45 85 c9                test   %r9d,%r9d
> >    3:   0f 84 cc 0e 00 00       je     0xed5
> >    9:   44 8b 05 c1 1e 42 0b    mov    0xb421ec1(%rip),%r8d        # 0xb421ed1
> >   10:   45 85 c0                test   %r8d,%r8d
> >   13:   0f 84 be 0d 00 00       je     0xdd7
> >   19:   48 ba 00 00 00 00 00    movabs $0xdffffc0000000000,%rdx
> >   20:   fc ff df
> >   23:   4c 89 d1                mov    %r10,%rcx
> >   26:   48 c1 e9 03             shr    $0x3,%rcx
> > * 2a:   80 3c 11 00             cmpb   $0x0,(%rcx,%rdx,1) <-- trapping instruction
> >   2e:   0f 85 e8 40 00 00       jne    0x411c
> >   34:   49 81 3a a0 d9 5f 90    cmpq   $0xffffffff905fd9a0,(%r10)
> >   3b:   0f                      .byte 0xf
> >   3c:   84                      .byte 0x84
> >   3d:   96                      xchg   %eax,%esi
> >   3e:   0d                      .byte 0xd
> >
> >
> > ---
> > This report is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkaller@googlegroups.com.
> >
> > syzbot will keep track of this issue. See:
> > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> > For information about bisection process see: https://goo.gl/tpsmEJ#bisection
> >
>
> --
> All Rights Reversed.
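The fault address in the report can be decoded by hand; what follows is an added example in C, not code from the thread or from the kernel, that does that arithmetic and models the two checks Rik quotes side by side. It assumes the generic-KASAN x86-64 shadow mapping (the constant the disassembly loads into %rdx) and, for the check model, that the low bits of vm_private_data carry flag bits that vma_resv_map() masks off before use; whether such a flag-only value is what reached down_write() in this report is not established in the thread.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Generic KASAN, x86-64: shadow byte of addr = (addr >> 3) + KASAN_SHADOW_OFFSET.
 * The offset is the immediate the disassembly loads into %rdx just before the
 * trapping "cmpb $0x0,(%rcx,%rdx,1)"; %rcx already holds the shifted address. */
#define KASAN_SHADOW_OFFSET 0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
uint64_t kasan_shadow_addr(uint64_t addr)
{
	return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}
/* Inverse: first byte of the 8-byte granule that a shadow address covers. */
uint64_t kasan_granule_start(uint64_t shadow)
{
	return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/* Model of the private-VMA check. Assumption: the two low bits of vm_private_data
 * are reservation flags that vma_resv_map() masks off before using the pointer. */
#define RESV_FLAG_MASK 0x3UL
#define RW_SEMA_OFFSET 0xe8UL   /* offset of rw_sema implied by RDI/R10 == 0xe8 */
/* The check as quoted in the thread: the raw word only has to be non-zero. */
bool private_lock_check_raw(unsigned long vm_private_data, bool mayshare)
{
	return !mayshare && vm_private_data != 0;
}

/* Variant that tests the pointer down_write() would actually dereference. */
bool private_lock_check_decoded(unsigned long vm_private_data, bool mayshare)
{
	return !mayshare && (vm_private_data & ~RESV_FLAG_MASK) != 0;
}

/* Address down_write() would touch: masked resv_map pointer plus rw_sema offset. */
unsigned long rw_sema_addr(unsigned long vm_private_data)
{
	return (vm_private_data & ~RESV_FLAG_MASK) + RW_SEMA_OFFSET;
}
int main(void)
{
	uint64_t fault = 0xdffffc000000001dULL;  /* fault address from the report */
	unsigned long flags_only = 0x1UL;        /* constructed: flag bit set, pointer bits zero */
	printf("granule 0x%llx, raw %d, decoded %d, deref 0x%lx\n",
	       (unsigned long long)kasan_granule_start(fault), private_lock_check_raw(flags_only, false),
	       private_lock_check_decoded(flags_only, false), rw_sema_addr(flags_only));
	return 0;
}
```

Decoding the reported address gives the granule 0xe8..0xef, which is exactly the KASAN range in the report, i.e. a NULL resv_map with rw_sema at offset 0xe8.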