From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id A30BBC433F5
	for <linux-mm@archiver.kernel.org>; Fri, 22 Apr 2022 05:09:20 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 02DA16B0072; Fri, 22 Apr 2022 01:09:20 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id F1FD16B0073; Fri, 22 Apr 2022 01:09:19 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id DE6866B0074; Fri, 22 Apr 2022 01:09:19 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (relay.hostedemail.com [64.99.140.28])
	by kanga.kvack.org (Postfix) with ESMTP id D01026B0072
	for <linux-mm@kvack.org>; Fri, 22 Apr 2022 01:09:19 -0400 (EDT)
Received: from smtpin07.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay12.hostedemail.com (Postfix) with ESMTP id 95B911206FC
	for <linux-mm@kvack.org>; Fri, 22 Apr 2022 05:09:19 +0000 (UTC)
X-FDA: 79383336438.07.001A9A7
Received: from mail-pl1-f181.google.com (mail-pl1-f181.google.com [209.85.214.181])
	by imf07.hostedemail.com (Postfix) with ESMTP id B831040022
	for <linux-mm@kvack.org>; Fri, 22 Apr 2022 05:09:16 +0000 (UTC)
Received: by mail-pl1-f181.google.com with SMTP id c12so8401254plr.6
        for <linux-mm@kvack.org>; Thu, 21 Apr 2022 22:09:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=bytedance-com.20210112.gappssmtp.com; s=20210112;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to;
        bh=rpqDRBjWTFgnwu8hYqPDued7W5tN/z70+zi0V+kqfDQ=;
        b=Q0hcI1wq6TOk2nT188DONJl8NB23KNtCjhfItg9EEg/p3Wrhq0eawgIr8JTlnSl9gT
         RzIQDZfLJK+Un/ClfO2FXBkYSxX0RjMPs7MbYdAjubXsDgh9wwa+RtV9E5XVFLCszDIQ
         MK3KtHeydNAlOsqh4MLUdnTetvCSN8IWoMM0n9FKeVZF9sJISp/ncUeqhoYYHl/xuukl
         H3LmXrFpqgD8zzpVJaBj1kwZwxVDascj4aIViTToD8Q9SDtUes4R+Nq1PatVvkeb4RvG
         o8vKY2uDUfGaecPS6vWVIbDWWAjIFfHW9FnfCtkA+QERRjBrDY6cgpFwj0dMT3zWcrN9
         UHWw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to;
        bh=rpqDRBjWTFgnwu8hYqPDued7W5tN/z70+zi0V+kqfDQ=;
        b=p69EunZLu83IuDHtRp7MOuVNLKlJYebvH2WiFfD6CsLWu6HuH9dRKyRCqazAeijdMc
         sf7hA7VZHjIXYUy4psuSVB6B6oFQH0g+nWi55J/Y85mJ+f+PJcxPGjYi/nhDEE+ShY5W
         rhpnY08rd/m01192saGYyZNEumsa9MLZk9vZsDP5XarTWwqiy60yeu3Wdd9Y3oAGBt+C
         FOWztwyf3uIafJ9ifZNrLgQ7Us4r1gAvn/X9eql1shG1XoRMAt4j+UqT9eFse12jsWzb
         +9mbrhzZWl8YplJi76zUp6aiX0gMuyahKVkvFFzBdddyOkuEJm1LiwGouCzNN2vj0LPP
         p1fA==
X-Gm-Message-State: AOAM5330ZeTOswplfR7xCrB3Z445K3xtD9CnlCZ4UMmYMTu5E632Ao6O
	ik/z1pFH7JNIl8+XglI+RmSJgQ==
X-Google-Smtp-Source: ABdhPJwEWcy2D4mg4wIjBcgA4vTprLUh+mK4jKEEc3+Pu6A1K8wQq7O31Sm6PJfJsxTdGi+dnPQypg==
X-Received: by 2002:a17:902:bc8b:b0:158:ac00:cca0 with SMTP id bb11-20020a170902bc8b00b00158ac00cca0mr2893469plb.102.1650604155898;
        Thu, 21 Apr 2022 22:09:15 -0700 (PDT)
Received: from localhost ([139.177.225.255])
        by smtp.gmail.com with ESMTPSA id g15-20020aa7818f000000b00505ce2e4640sm844208pfi.100.2022.04.21.22.09.15
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 21 Apr 2022 22:09:15 -0700 (PDT)
Date: Fri, 22 Apr 2022 13:09:11 +0800
From: Muchun Song <songmuchun@bytedance.com>
To: Marco Elver <elver@google.com>
Cc: syzbot <syzbot+ffe71f1ff7f8061bcc98@syzkaller.appspotmail.com>,
	akpm@linux-foundation.org, dvyukov@google.com, glider@google.com,
	kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org,
	linux-mm@kvack.org, syzkaller-bugs@googlegroups.com,
	Roman Gushchin <roman.gushchin@linux.dev>, cgroups@vger.kernel.org
Subject: Re: [syzbot] WARNING in __kfence_free
Message-ID: <YmI4d8xR3tafv2Cq@FVFYT0MHHV2J.usts.net>
References: <000000000000f46c6305dd264f30@google.com>
 <YmEf8dpSXJeZ2813@elver.google.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <YmEf8dpSXJeZ2813@elver.google.com>
X-Rspam-User: 
X-Rspamd-Server: rspam03
X-Rspamd-Queue-Id: B831040022
X-Stat-Signature: 6fnqm3o4km5km4mpm53rf8tazawgd7s6
Authentication-Results: imf07.hostedemail.com;
	dkim=pass header.d=bytedance-com.20210112.gappssmtp.com header.s=20210112 header.b=Q0hcI1wq;
	dmarc=pass (policy=none) header.from=bytedance.com;
	spf=pass (imf07.hostedemail.com: domain of songmuchun@bytedance.com designates 209.85.214.181 as permitted sender) smtp.mailfrom=songmuchun@bytedance.com
X-HE-Tag: 1650604156-368957
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Thu, Apr 21, 2022 at 11:12:17AM +0200, Marco Elver wrote:
> On Thu, Apr 21, 2022 at 01:58AM -0700, syzbot wrote:
> > Hello,
> > 
> > syzbot found the following issue on:
> > 
> > HEAD commit:    559089e0a93d vmalloc: replace VM_NO_HUGE_VMAP with VM_ALLO..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=10853220f00000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=2e1f9b9947966f42
> > dashboard link: https://syzkaller.appspot.com/bug?extid=ffe71f1ff7f8061bcc98
> > compiler:       aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > userspace arch: arm64
> > 
> > Unfortunately, I don't have any reproducer for this issue yet.
> > 
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+ffe71f1ff7f8061bcc98@syzkaller.appspotmail.com
> > 
> > ------------[ cut here ]------------
> > WARNING: CPU: 0 PID: 2216 at mm/kfence/core.c:1022 __kfence_free+0x84/0xc0 mm/kfence/core.c:1022
> 
> That's this warning in __kfence_free:
> 
> 	#ifdef CONFIG_MEMCG
> 		KFENCE_WARN_ON(meta->objcg);
> 	#endif
> 
> introduced in 8f0b36497303 ("mm: kfence: fix objcgs vector allocation").
> 
> Muchun, are there any circumstances where the assumption may be broken?
> Or a new bug elsewhere?

meta->objcg always should be NULL when reaching __kfence_free().
In theory, meta->objcg should be cleared via memcg_slab_free_hook().

I found the following code snippet in do_slab_free().

  /* memcg_slab_free_hook() is already called for bulk free. */
  if (!tail)
  	memcg_slab_free_hook(s, &head, 1); 

The only posibility is @tail is not NULL, which is the case of
kmem_cache_free_bulk(). However, here the call trace is kfree(),
it seems to be impossible that missing call memcg_slab_free_hook().

Thanks.