From: Marco Elver
Date: Fri, 21 Jun 2024 17:28:17 +0200
Subject: Re: [syzbot] [mm?] KCSAN: data-race in mtree_range_walk / rcu_segcblist_enqueue (2)
To: liam.howlett@oracle.com
Cc: syzbot, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, lstoakes@gmail.com, syzkaller-bugs@googlegroups.com, vbabka@suse.cz, RCU, "Paul E. McKenney", Joel Fernandes
In-Reply-To: <0000000000008d1e5a061b666b11@google.com>

[+Cc rcu folks]

On Fri, 21 Jun 2024 at 15:29, syzbot wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    50736169ecc8 Merge tag 'for-6.10-rc4-tag' of git://git.ker..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=164ec02a980000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=704451bc2941bcb0
> dashboard link: https://syzkaller.appspot.com/bug?extid=9bb7d0f2fdb4229b9d67
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/e4cbed12fec1/disk-50736169.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/d50b5dcae4cd/vmlinux-50736169.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/f2c14c5fcce2/bzImage-50736169.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+9bb7d0f2fdb4229b9d67@syzkaller.appspotmail.com
>
> ==================================================================
> BUG: KCSAN: data-race in mtree_range_walk / rcu_segcblist_enqueue
>
> write to 0xffff888104077308 of 8 bytes by task 12265 on cpu 1:
>  rcu_segcblist_enqueue+0x67/0xb0 kernel/rcu/rcu_segcblist.c:345
>  rcutree_enqueue kernel/rcu/tree.c:2940 [inline]
>  call_rcu_core kernel/rcu/tree.c:2957 [inline]
>  __call_rcu_common kernel/rcu/tree.c:3093 [inline]
>  call_rcu+0x1bd/0x430 kernel/rcu/tree.c:3176
>  ma_free_rcu lib/maple_tree.c:197 [inline]
>  mas_free lib/maple_tree.c:1304 [inline]
>  mas_replace_node+0x2f8/0x440 lib/maple_tree.c:1741
>  mas_wr_node_store lib/maple_tree.c:3956 [inline]
>  mas_wr_modify+0x2bc3/0x3c90 lib/maple_tree.c:4189
>  mas_wr_store_entry+0x250/0x390 lib/maple_tree.c:4229
>  mas_store_prealloc+0x151/0x2b0 lib/maple_tree.c:5485
>  vma_iter_store mm/internal.h:1398 [inline]
>  vma_complete+0x3a7/0x760 mm/mmap.c:535
>  __split_vma+0x623/0x690 mm/mmap.c:2440
>  split_vma mm/mmap.c:2466 [inline]
>  vma_modify+0x198/0x1f0 mm/mmap.c:2507
>  vma_modify_flags include/linux/mm.h:3347 [inline]
>  mprotect_fixup+0x335/0x610 mm/mprotect.c:637
>  do_mprotect_pkey+0x673/0x9a0 mm/mprotect.c:820
>  __do_sys_mprotect mm/mprotect.c:841 [inline]
>  __se_sys_mprotect mm/mprotect.c:838 [inline]
>  __x64_sys_mprotect+0x48/0x60 mm/mprotect.c:838
>  x64_sys_call+0x26f5/0x2d70 arch/x86/include/generated/asm/syscalls_64.h:11
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> read to 0xffff888104077308 of 8 bytes by task 12266 on cpu 0:
>  mtree_range_walk+0x140/0x460 lib/maple_tree.c:2774
>  mas_state_walk lib/maple_tree.c:3678 [inline]
>  mas_walk+0x16e/0x320 lib/maple_tree.c:4909
>  lock_vma_under_rcu+0x84/0x260 mm/memory.c:5840
>  do_user_addr_fault arch/x86/mm/fault.c:1329 [inline]
>  handle_page_fault arch/x86/mm/fault.c:1481 [inline]
>  exc_page_fault+0x150/0x650 arch/x86/mm/fault.c:1539
>  asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
>
> Reported by Kernel Concurrency Sanitizer on:
> CPU: 0 PID: 12266 Comm: syz-executor.3 Not tainted 6.10.0-rc4-syzkaller-00148-g50736169ecc8 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
> ==================================================================

This is not an ordinary data race. I suspect this to be an incorrect use of RCU, resulting in some kind of use-after-free / type-confusion.

The access within rcu_segcblist_enqueue() is to maple_node::rcu (at offset 8 into maple_node). The racing access in mtree_range_walk() is to either maple_node::mr64::pivot[0] or maple_node::ma64::pivot[0] (both also offset 8 into maple_node).
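An added illustration, not part of this thread and not the kernel's own code: a constructed, simplified C model of struct maple_node that keeps only the parent pointer, the rcu_head and the pivot arrays at the layout described above, checks with offsetof() that the rcu_head and pivot[0] share one offset, and then shows what a concurrent pivot scan sees once the node's rcu_head has been handed to the callback list. The `_model` struct names, `walk_slot()` and `enqueue_for_rcu_free()` are constructed stand-ins for the kernel structures and functions named in the trace; slot counts are the upstream values, everything else is elided.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified model of the kernel's struct maple_node
 * (include/linux/maple_tree.h): only the members needed to show why the
 * two accesses in the report land on the same bytes. */
#define MAPLE_RANGE64_SLOTS  16
#define MAPLE_ARANGE64_SLOTS 10

struct rcu_head_model {
	struct rcu_head_model *next;           /* rcu_segcblist_enqueue() writes this */
	void (*func)(struct rcu_head_model *);
};

struct maple_range_64_model {
	void *parent;
	unsigned long pivot[MAPLE_RANGE64_SLOTS - 1];
	void *slot[MAPLE_RANGE64_SLOTS];
};

struct maple_arange_64_model {
	void *parent;
	unsigned long pivot[MAPLE_ARANGE64_SLOTS - 1];
	void *slot[MAPLE_ARANGE64_SLOTS];
	unsigned long gap[MAPLE_ARANGE64_SLOTS];
};

struct maple_node_model {
	union {
		struct {
			void *pad;
			struct rcu_head_model rcu;      /* one pointer-width into the node */
		};
		struct maple_range_64_model mr64;   /* mr64.pivot[0]: same offset */
		struct maple_arange_64_model ma64;  /* ma64.pivot[0]: same offset */
	};
};

/* The layout fact the report hinges on: rcu, mr64.pivot[0] and
 * ma64.pivot[0] all start sizeof(void *) bytes in (8 on x86-64). */
int rcu_overlaps_pivot0(void)
{
	size_t off = sizeof(void *);

	return offsetof(struct maple_node_model, rcu) == off &&
	       offsetof(struct maple_node_model, mr64.pivot[0]) == off &&
	       offsetof(struct maple_node_model, ma64.pivot[0]) == off;
}

/* Stand-in for the pivot scan a reader such as mtree_range_walk() does:
 * the first pivot >= idx selects the slot. With pivots {100, 200},
 * idx 150 belongs to slot 1 and idx 300 falls past the last pivot. */
unsigned int walk_slot(const struct maple_node_model *n, unsigned long idx,
		       unsigned int npivots)
{
	unsigned int i;

	for (i = 0; i < npivots; i++)
		if (idx <= n->mr64.pivot[i])
			return i;
	return npivots;
}

/* Writer side as modelled here: call_rcu() hands the node's rcu_head to
 * a callback list, which stores a list pointer in rcu.next. */
void enqueue_for_rcu_free(struct maple_node_model *n,
			  struct rcu_head_model *cblist)
{
	n->rcu.next = cblist;
}

static struct rcu_head_model cblist_head;   /* constructed callback list */

unsigned int walk_before_enqueue(unsigned long idx)
{
	struct maple_node_model node = { .mr64 = { .pivot = { 100, 200 } } };

	return walk_slot(&node, idx, 2);
}

/* Same lookup after the node was queued for freeing: pivot[0] now holds
 * a pointer value, so the reader compares idx against an address
 * instead of a range boundary and picks the wrong slot. */
unsigned int walk_after_enqueue(unsigned long idx)
{
	struct maple_node_model node = { .mr64 = { .pivot = { 100, 200 } } };

	enqueue_for_rcu_free(&node, &cblist_head);
	return walk_slot(&node, idx, 2);
}

int main(void)
{
	printf("rcu overlaps pivot[0]: %d\n", rcu_overlaps_pivot0());
	printf("slot for 150 before call_rcu: %u\n", walk_before_enqueue(150));
	printf("slot for 150 after call_rcu:  %u\n", walk_after_enqueue(150));
	return 0;
}
```

Because the two fields alias, the race KCSAN reports is not two views of one value but a reader scanning pivots that have silently turned into a list pointer. Whether any reader can legitimately still be on that node after it was handed to call_rcu(), and how it would notice, is what the question above comes down to.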