From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Wed, 10 May 2023 17:17:49 +0100
From: Mark Rutland
To: Lorenzo Stoakes
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Andrew Morton, "Liam R . Howlett", Vlastimil Babka
Subject: Re: [PATCH] mm/mmap/vma_merge: always check invariants

On Wed, May 10, 2023 at 09:04:44AM -0700, Lorenzo Stoakes wrote:
> On Wed, May 10, 2023 at 03:15:51PM +0100, Mark Rutland wrote:
> > Hi,
> >
> > On Sun, Apr 30, 2023 at 09:19:17PM +0100, Lorenzo Stoakes wrote:
> > > We may still have inconsistent input parameters even if we choose not to
> > > merge and the vma_merge() invariant checks are useful for checking this
> > > with no production runtime cost (these are only relevant when
> > > CONFIG_DEBUG_VM is specified).
> > >
> > > Therefore, perform these checks regardless of whether we merge.
> > >
> > > This is relevant, as a recent issue (addressed in commit "mm/mempolicy:
> > > Correctly update prev when policy is equal on mbind") in the mbind logic
> > > was only picked up in the 6.2.y stable branch where these assertions are
> > > performed prior to determining mergeability.
> > >
> > > Had this remained the same in mainline this issue may have been picked up
> > > faster, so moving forward let's always check them.
> > >
> > > Signed-off-by: Lorenzo Stoakes
> > > ---
> > >  mm/mmap.c | 10 +++++-----
> > >  1 file changed, 5 insertions(+), 5 deletions(-)
> > >
> > > diff --git a/mm/mmap.c b/mm/mmap.c
> > > index 5522130ae606..13678edaa22c 100644
> > > --- a/mm/mmap.c
> > > +++ b/mm/mmap.c
> > > @@ -960,17 +960,17 @@ struct vm_area_struct *vma_merge(struct vma_iterator *vmi, struct mm_struct *mm,
> > >  		merge_next = true;
> > >  	}
> > >
> > > +	/* Verify some invariant that must be enforced by the caller. */
> > > +	VM_WARN_ON(prev && addr <= prev->vm_start);
> > > +	VM_WARN_ON(curr && (addr != curr->vm_start || end > curr->vm_end));
> > > +	VM_WARN_ON(addr >= end);
> > > +
> >
> > I'm seeing this fire a lot when fuzzing v6.4-rc1 on arm64 using Syzkaller.
> >
>
> Thanks, from the line I suspect addr != curr->vm_start, but need to look
> into the repro, at lsf/mm so a bit time lagged :)

No problem; FWIW I can confirm your theory, the reproducer is causing:

  addr > curr->vm_start

... confirmed with the following hack, log below.

| diff --git a/mm/mmap.c b/mm/mmap.c
| index 13678edaa22c..2cdebba15719 100644
| --- a/mm/mmap.c
| +++ b/mm/mmap.c
| @@ -961,9 +961,21 @@ struct vm_area_struct *vma_merge(struct vma_iterator *vmi, struct mm_struct *mm,
|  	}
|
|  	/* Verify some invariant that must be enforced by the caller. */
| -	VM_WARN_ON(prev && addr <= prev->vm_start);
| -	VM_WARN_ON(curr && (addr != curr->vm_start || end > curr->vm_end));
| -	VM_WARN_ON(addr >= end);
| +	VM_WARN(prev && addr <= prev->vm_start,
| +		"addr = 0x%016lx, prev->vm_start = 0x%016lx\n",
| +		addr, prev->vm_start);
| +
| +	VM_WARN(curr && addr != curr->vm_start,
| +		"addr = 0x%016lx, curr->vm_start = 0x%016lx\n",
| +		addr, curr->vm_start);
| +
| +	VM_WARN(curr && addr > curr->vm_end,
| +		"addr = 0x%016lx, curr->vm_end = 0x%016lx\n",
| +		addr, curr->vm_end);
| +
| +	VM_WARN(addr >= end,
| +		"addr = 0x%016lx, end = 0x%016lx\n",
| +		addr, end);
|
|  	if (!merge_prev && !merge_next)
|  		return NULL; /* Not mergeable. */

... with that applied, running the reproducer results in:

| addr = 0x0000ffff99dc2000, curr->vm_start = 0x0000ffff99db2000
| WARNING: CPU: 0 PID: 163 at mm/mmap.c:968 vma_merge+0x3d4/0x1260

... i.e. addr > curr->vm_start

Thanks,
Mark.
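Review bot: in the quoted `@@ -960,17 +960,17 @@` hunk of the original patch, `VM_WARN_ON(curr && (addr != curr->vm_start || end > curr->vm_end));` folds two distinct caller preconditions into one condition, so when it fires the backtrace alone cannot say whether addr is misaligned with curr->vm_start or end overruns curr->vm_end; the report in this thread needed an ad-hoc patch just to tell the two apart. Suggest splitting it into two checks and using VM_WARN() with the offending values, e.g. `VM_WARN(curr && addr != curr->vm_start, "addr = 0x%016lx, curr->vm_start = 0x%016lx\n", addr, curr->vm_start);` and a second one for `end > curr->vm_end`, so the warning is self-describing whenever a caller violates the contract. The comment should also read "invariants" (plural), since three are checked.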
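Review bot: in the `@@ -961,9 +961,21 @@` debugging hunk, the third check `VM_WARN(curr && addr > curr->vm_end, ...)` tests addr where the removed `VM_WARN_ON` tested `end > curr->vm_end`, so the end-overrun half of the original invariant is no longer covered and the message prints addr against curr->vm_end, which is not the comparison the caller contract describes. Suggest `VM_WARN(curr && end > curr->vm_end, "end = 0x%016lx, curr->vm_end = 0x%016lx\n", end, curr->vm_end);`. This does not change the conclusion drawn from the log: by the hunk's line numbering, mm/mmap.c:968 is the `addr != curr->vm_start` check, matching the printed values.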