Date: Wed, 18 Oct 2023 11:20:37 +0200
From: Marco Elver
To: syzbot, Muchun Song
Cc: akpm@linux-foundation.org, dvyukov@google.com, glider@google.com, kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, Andrey Konovalov
Subject: Re: [syzbot] [mm?] [kasan?] WARNING in __kfence_free (3)
In-Reply-To: <000000000000bc90a60607f41fc3@google.com>

On Tue, Oct 17, 2023 at 07:09PM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    213f891525c2 Merge tag 'probes-fixes-v6.6-rc6' of git://gi..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=14a731f9680000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=a4436b383d761e86
> dashboard link: https://syzkaller.appspot.com/bug?extid=59f37b0ab4c558a5357c
> compiler:       aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> userspace arch: arm64
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/384ffdcca292/non_bootable_disk-213f8915.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/98b9a78b6226/vmlinux-213f8915.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/8ed2ef54968f/Image-213f8915.gz.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+59f37b0ab4c558a5357c@syzkaller.appspotmail.com
>
> ------------[ cut here ]------------
> WARNING: CPU: 1 PID: 3252 at mm/kfence/core.c:1147 __kfence_free+0x7c/0xb4 mm/kfence/core.c:1147

This has happened before:
https://lore.kernel.org/all/FC29C538-1446-4A3F-A6FA-857295D7DEB3@linux.dev/T/#u

And is this warning:

| void __kfence_free(void *addr)
| {
| 	struct kfence_metadata *meta = addr_to_metadata((unsigned long)addr);
|
| #ifdef CONFIG_MEMCG
| 	KFENCE_WARN_ON(meta->objcg);	<--------
| #endif

Which is this assembly in the vmlinux provided by syzbot:

ffff8000802bed9c: 22 40 42 f9  ldr  x2, [x1, #1152]
ffff8000802beda0: 02 fe ff b4  cbz  x2, 0xffff8000802bed60 <__kfence_free+0x38>
ffff8000802beda4: 00 00 21 d4  brk  #0x800

So we know the pointer is in x2, and from the below we know it's
fcff000006a24ec0.

Muchun, last time you said:

> Maybe we could improve the warning message,
> e.g. print the current value of "meta->objcg".

Does this somehow help you better understand what's going on?

Also this is a KASAN_HW_TAGS instance (using arm64 MTE), not sure that's
relevant though.

> Modules linked in:
> CPU: 1 PID: 3252 Comm: syz-executor.1 Not tainted 6.6.0-rc6-syzkaller-00029-g213f891525c2 #0
> Hardware name: linux,dummy-virt (DT)
> pstate: 81400009 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
> pc : __kfence_free+0x7c/0xb4 mm/kfence/core.c:1147
> lr : kfence_free include/linux/kfence.h:187 [inline]
> lr : __slab_free+0x48c/0x508 mm/slub.c:3614
> sp : ffff800082cebb50
> x29: ffff800082cebb50 x28: f7ff000002c0c400 x27: ffff8000818ca8a8
> x26: ffff8000821f0620 x25: 0000000000000001 x24: ffff00007ffa3000
> x23: 0000000000000001 x22: ffff00007ffa3000 x21: ffff00007ffa3000
> x20: ffff80008004191c x19: fffffc0001ffe8c0 x18: ffffffffffffffff
> x17: ffff800080027b40 x16: ffff800080027a34 x15: ffff800080318514
> x14: ffff8000800469c8 x13: ffff800080011558 x12: ffff800081897ff4
> x11: ffff800081897b28 x10: ffff800080027bfc x9 : 0000000000400cc0
> x8 : ffff800082cebc30 x7 : 0000000000000000 x6 : 0000000000000000
> x5 : ffff80008004191c x4 : ffff00007f869000 x3 : ffff800082420338
> x2 : fcff000006a24ec0 x1 : ffff00007f8a50a0 x0 : ffff00007ffa3000
> Call trace:
>  __kfence_free+0x7c/0xb4 mm/kfence/core.c:1147
>  kfence_free include/linux/kfence.h:187 [inline]
>  __slab_free+0x48c/0x508 mm/slub.c:3614
>  do_slab_free mm/slub.c:3757 [inline]
>  slab_free mm/slub.c:3810 [inline]
>  __kmem_cache_free+0x220/0x230 mm/slub.c:3822
>  kfree+0x5c/0x74 mm/slab_common.c:1072
>  kvm_uevent_notify_change.part.0+0x10c/0x174 arch/arm64/kvm/../../../virt/kvm/kvm_main.c:5908
>  kvm_uevent_notify_change arch/arm64/kvm/../../../virt/kvm/kvm_main.c:5878 [inline]
>  kvm_dev_ioctl_create_vm arch/arm64/kvm/../../../virt/kvm/kvm_main.c:5107 [inline]
>  kvm_dev_ioctl+0x3e8/0x91c arch/arm64/kvm/../../../virt/kvm/kvm_main.c:5131
>  vfs_ioctl fs/ioctl.c:51 [inline]
>  __do_sys_ioctl fs/ioctl.c:871 [inline]
>  __se_sys_ioctl fs/ioctl.c:857 [inline]
>  __arm64_sys_ioctl+0xac/0xf0 fs/ioctl.c:857
>  __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
>  invoke_syscall+0x48/0x114 arch/arm64/kernel/syscall.c:51
>  el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:136
>  do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:155
>  el0_svc+0x40/0x114 arch/arm64/kernel/entry-common.c:678
>  el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:696
>  el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:595
> ---[ end trace 0000000000000000 ]---
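A small triage helper, added here and not part of Marco's reply or the kernel tree, that mechanises the step taken above: it parses the arm64 register dump and the quoted objdump lines (both embedded from the report), checks that the brk at __kfence_free+0x7c in syzbot's vmlinux really sits at the reported pc, and pulls out the register the preceding cbz tested, which is the non-NULL meta->objcg value. The function names and the minimal embedded excerpts are my own.

```python
import re
# Excerpts constructed from the syzbot register dump and the disassembly quoted above.
OOPS = """\
pc : __kfence_free+0x7c/0xb4 mm/kfence/core.c:1147
x2 : fcff000006a24ec0 x1 : ffff00007f8a50a0 x0 : ffff00007ffa3000
"""
DISASM = """\
ffff8000802bed9c: 22 40 42 f9 ldr x2, [x1, #1152]
ffff8000802beda0: 02 fe ff b4 cbz x2, 0xffff8000802bed60 <__kfence_free+0x38>
ffff8000802beda4: 00 00 21 d4 brk #0x800
"""
REG_RE = re.compile(r"\b(x\d{1,2}|sp|lr)\s*:\s*([0-9a-f]{16})\b")
PC_RE = re.compile(r"pc : (\w+)\+0x([0-9a-f]+)/0x[0-9a-f]+")
SYMREF_RE = re.compile(r"0x([0-9a-f]+) <(\w+)\+0x([0-9a-f]+)>")

def parse_registers(oops):
    """Register name -> value from the arm64 'xN : ...' dump lines."""
    return {name: int(val, 16) for name, val in REG_RE.findall(oops)}

def instructions(disasm):
    """[(address, mnemonic, operands)] from objdump-style 'addr: b0 b1 b2 b3 mnem ops' lines."""
    out = []
    for line in disasm.splitlines():
        addr, _, rest = line.partition(":")
        f = rest.split()  # four encoding bytes, then mnemonic, then operands
        out.append((int(addr, 16), f[4], " ".join(f[5:])))
    return out

def symbol_base(disasm, sym):
    """Recover sym's start address from any '0xADDR <sym+0xOFF>' branch target in the listing."""
    for addr, name, off in SYMREF_RE.findall(disasm):
        if name == sym:
            return int(addr, 16) - int(off, 16)
    raise ValueError(f"no reference to {sym} in listing")

def trap_matches_pc(oops, disasm):
    """Check that the brk (the WARN_ON trap) sits exactly at symbol + the pc offset from the oops."""
    sym, off = PC_RE.search(oops).groups()
    brk = next(a for a, mn, _ in instructions(disasm) if mn == "brk")
    return brk == symbol_base(disasm, sym) + int(off, 16)

def warned_value(oops, disasm):
    """Value the cbz right before the brk tested: here the non-NULL meta->objcg pointer."""
    insns = instructions(disasm)
    i = next(k for k, (_, mn, _) in enumerate(insns) if mn == "brk")
    reg = insns[i - 1][2].split(",")[0]  # register operand of the cbz, e.g. "x2"
    return parse_registers(oops)[reg]
```

Because the quoted ldr loads x2 from [x1, #1152], the same dump also gives the kfence_metadata address (x1) for anyone inspecting the vmcore.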