Re: WARNING in try_grab_page

linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed

From: Matthew Wilcox <willy@infradead.org>
To: Yikebaer Aizezi <yikebaer61@gmail.com>
Cc: akpm@linux-foundation.org, linux-mm@kvack.org
Subject: Re: WARNING in try_grab_page
Date: Thu, 3 Aug 2023 14:19:20 +0100	[thread overview]
Message-ID: <ZMupWEK1YLh9wuRy@casper.infradead.org> (raw)
In-Reply-To: <CALcu4rbFsnB5hsiv310tRNNBioLve0n553O1cX1mS9+HdA8r+w@mail.gmail.com>

On Thu, Aug 03, 2023 at 04:56:03PM +0800, Yikebaer Aizezi wrote:
> console output:
> https://drive.google.com/file/d/1Lq71bFwtEDix82PEf_193CLG6uh1Pjj9/view?usp=drive_link

I dug through this, and what I found troubles me.

 ------------[ cut here ]------------
 WARNING: CPU: 0 PID: 13067 at mm/gup.c:229 try_grab_page+0x2dd/0x3a0
 Modules linked in:
 CPU: 0 PID: 13067 Comm: syz-executor Tainted: G    B              6.5.0-rc2 #1
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
 RIP: 0010:try_grab_page+0x2dd/0x3a0
 Code: ff be 04 00 00 00 4c 89 e7 e8 cf fa 13 00 f0 41 ff 04 24 e8 65 96 cb ff 45 31 e4 5b 44 89 e0 5d 41 5c 41 5d c3 e8 53 96 cb ff <0f> 0b e8 4c 96 cb ff 41 bc f4 ff ff ff 5b 44 89 e0 5d 41 5c 41 5d
 RSP: 0018:ffffc9000c2777e0 EFLAGS: 00010212
 RAX: 0000000000000247 RBX: ffffea00003ae340 RCX: ffffc90002bb1000
 RDX: 0000000000040000 RSI: ffffffff81ad81ed RDI: ffffea00003ae374
 RBP: ffffea00003ae340 R08: 0000000000000000 R09: fffff94000075c6e
 R10: ffffea00003ae377 R11: 0000000000084001 R12: ffffea00003ae374
 R13: 0000000000210002 R14: ffffea00003ae340 R15: 000000000eb8d225
 FS:  00007f5841a13640(0000) GS:ffff888063e00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000500310 CR3: 0000000018d0c000 CR4: 0000000000750ef0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 PKRU: 55555554
 Call Trace:
  <TASK>
  ? __warn+0xe2/0x340
  ? try_grab_page+0x2dd/0x3a0
  ? report_bug+0x25d/0x460
  ? handle_bug+0x3c/0x70
  ? exc_invalid_op+0x14/0x40
  ? asm_exc_invalid_op+0x16/0x20
  ? try_grab_page+0x2dd/0x3a0
  ? try_grab_page+0x2dd/0x3a0
  follow_page_pte+0x18c/0x1610
  ? try_grab_page+0x3a0/0x3a0
  ? rcu_is_watching+0xe/0xb0
  follow_page_mask+0x2e4/0xbd0
  __get_user_pages+0x3fa/0xcf0
  ? follow_page_mask+0xbd0/0xbd0
  ? down_read_killable+0x146/0x4f0
  ? down_read_interruptible+0x4f0/0x4f0
  ? rcu_is_watching+0xe/0xb0
  __gup_longterm_locked+0x5fa/0x1ec0
  ? io_schedule_timeout+0x150/0x150
  ? rcu_is_watching+0xe/0xb0
  ? get_user_pages_unlocked+0x580/0x580
  ? lock_release+0x4f7/0x670
  ? internal_get_user_pages_fast+0xe27/0x2690
  ? lock_downgrade+0x690/0x690
  ? preempt_schedule_common+0x45/0xb0
  ? pud_huge+0x9c/0xe0
  ? pmd_huge+0xe0/0xe0
  internal_get_user_pages_fast+0x119b/0x2690
  ? mtree_load+0x1df/0x980
  ? __gup_device_huge+0x530/0x530
  ? rcu_is_watching+0xe/0xb0
  ? lock_release+0x4f7/0x670
  get_user_pages_fast+0x95/0xe0
  ? get_user_pages_fast_only+0xe0/0xe0
  do_get_mempolicy+0x50c/0xd20
  ? sp_delete+0xf0/0xf0
  ? seccomp_notify_ioctl+0xd80/0xd80
  __x64_sys_get_mempolicy+0x187/0x2a0
  ? __ia32_sys_migrate_pages+0xf0/0xf0
  ? __secure_computing+0x1ff/0x360
  do_syscall_64+0x35/0xb0
  entry_SYSCALL_64_after_hwframe+0x63/0xcd
 RIP: 0033:0x47959d
 Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b4 ff ff ff f7 d8 64 89 01 48
 RSP: 002b:00007f5841a13068 EFLAGS: 00000246 ORIG_RAX: 00000000000000ef
 RAX: ffffffffffffffda RBX: 000000000059c0a0 RCX: 000000000047959d
 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
 RBP: 000000000059c0a0 R08: 0000000000000003 R09: 0000000000000000
 R10: 0000000020ff9000 R11: 0000000000000246 R12: 000000000059c0ac
 R13: 000000000000000b R14: 0000000000437250 R15: 00007f58419f3000
  </TASK>
 Kernel panic - not syncing: kernel: panic_on_warn set ...

> WARNING: CPU: 0 PID: 13067 at mm/gup.c:229 try_grab_page+0x2dd/0x3a0

That's this line:
        if (WARN_ON_ONCE(folio_ref_count(folio) <= 0))
Called from:
  follow_page_pte+0x18c/0x1610

That did:
        ptep = pte_offset_map_lock(mm, pmd, address, &ptl);
        pte = ptep_get(ptep);
        page = vm_normal_page(vma, address, pte);
        ret = try_grab_page(page, flags);

So we grabbed the PTE lock, looked up the PTE, translated that into
a page ... and found a page with a zero (or negative) refcount.
That's Really Bad.  I think it was a zero refcount because r08 is 0
and I don't see any other registers which have a plausible negative
32-bit number in them.

Yikebaer, could I trouble you to add this:

+++ b/mm/gup.c
@@ -226,7 +226,7 @@ int __must_check try_grab_page(struct page *page, unsigned int flags)
 {
        struct folio *folio = page_folio(page);

-       if (WARN_ON_ONCE(folio_ref_count(folio) <= 0))
+       if (VM_WARN_ON_ONCE_FOLIO(folio_ref_count(folio) <= 0, folio))
                return -ENOMEM;

        if (unlikely(!(flags & FOLL_PCI_P2PDMA) && is_pci_p2pdma_page(page)))

and rerun the syzkaller?  That'll give us some more information about
what has happened, although it won't tell us why it happened.

We might need to catch someone decrementing the refcount to lower than
the mapcount to catch this ... which will be tricky, given the other
things we reuse the mapcount for.

next prev parent reply	other threads:[~2023-08-03 13:19 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-08-03  8:56 Yikebaer Aizezi
2023-08-03 12:50 ` Matthew Wilcox
2023-08-03 13:19 ` Matthew Wilcox [this message]
2023-08-04  3:14   ` Yikebaer Aizezi
2023-08-04  3:42     ` Matthew Wilcox
2023-08-04 13:32       ` Matthew Wilcox
2023-08-04 13:35     ` David Howells
2023-08-06  7:51       ` Yikebaer Aizezi

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZMupWEK1YLh9wuRy@casper.infradead.org \
    --to=willy@infradead.org \
    --cc=akpm@linux-foundation.org \
    --cc=linux-mm@kvack.org \
    --cc=yikebaer61@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox