Date: Wed, 15 Nov 2023 19:39:06 +0000
From: Matthew Wilcox
To: Hugh Dickins
Cc: linux-arm-kernel@lists.infradead.org, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, jose.pekkarinen@foxhound.fi
Subject: Re: [syzbot] [mm?] BUG: unable to handle kernel paging request in __pte_offset_map_lock
References: <0000000000005e44550608a0806c@google.com>

On Thu, Oct 26, 2023 at 11:07:35PM -0700, Hugh Dickins wrote:
> I've spent a while worrying over this report, but have not been able to
> glean much from it: I'm not at all familiar with arm64 debugging, so
> cannot deduce anything from the registers shown, though suspect they
> would shed good light on it; but it may just be a waste of time, since
> it was on a transient 6.6-rc6-based for-kernelci branch from last week.
>
> If I read right, the reproducer is exercising MADV_PAGEOUT (splitting
> huge pages) and MADV_COLLAPSE (assembling huge pages), on mmaps
> MAP_FIXED MAP_SHARED MAP_ANONYMOUS i.e. shmem.
>
> Suspicion falls on my 6.6-rc1 mm/khugepaged.c changes; but I don't see
> what's wrong, and shall probably give up and ignore this - unless an
> arm64 expert can take it further, or syzbot reproduces it on x86 on a
> known tree.

Just to tie the two threads together ... it looks to me like what's
happening is __pte_offset_map_lock() is racing with pagetable_pte_dtor().
That is, we're walking the page tables, find a pmd, look up its
page/ptdesc, but because CONFIG_LOCKDEP is enabled, ptdesc->ptl is a
pointer to a lock, and that pointer is NULL.

More discussion here:
https://lore.kernel.org/linux-mm/ZVUWLgFgu+jE3QmW@casper.infradead.org/T/#t