Date: Sat, 22 Jul 2023 22:13:36 -0700 (PDT)
From: Hugh Dickins
To: syzbot
Cc: akpm@linux-foundation.org, hughd@google.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, luto@kernel.org, peterz@infradead.org, syzkaller-bugs@googlegroups.com, tglx@linutronix.de
Subject: Re: [syzbot] [mm?] kernel BUG in collapse_file (3)
In-Reply-To: <000000000000f9de430600ae05db@google.com>
References: <000000000000f9de430600ae05db@google.com>

On Mon, 17 Jul 2023, syzbot wrote:

> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    e32622656258 Add linux-next specific files for 20230713
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=16cd037aa80000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=55a2f8abfda98f31
> dashboard link: https://syzkaller.appspot.com/bug?extid=fe7b1487405295d29268
> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=131922e4a80000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14277fd8a80000
>
> Downloadable assets:
> disk image:   https://storage.googleapis.com/syzbot-assets/d1c2a7ce287f/disk-e3262265.raw.xz
> vmlinux:      https://storage.googleapis.com/syzbot-assets/2041e3e43285/vmlinux-e3262265.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/44f789cdae5d/bzImage-e3262265.xz
>
> The issue was bisected to:
>
> commit 49a44d59344d1a6a4cc841d6e4a8727f99ed97bf
> Author: Hugh Dickins
> Date:   Wed Jul 12 04:42:19 2023 +0000
>
>     mm/khugepaged: collapse_pte_mapped_thp() with mmap_read_lock()
>
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=105af56aa80000
> final oops:     https://syzkaller.appspot.com/x/report.txt?x=125af56aa80000
> console output: https://syzkaller.appspot.com/x/log.txt?x=145af56aa80000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+fe7b1487405295d29268@syzkaller.appspotmail.com
> Fixes: 49a44d59344d ("mm/khugepaged: collapse_pte_mapped_thp() with mmap_read_lock()")
>
> ------------[ cut here ]------------
> kernel BUG at mm/khugepaged.c:1785!
> invalid opcode: 0000 [#1] PREEMPT SMP KASAN
> CPU: 1 PID: 5058 Comm: syz-executor181 Not tainted 6.5.0-rc1-next-20230713-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023
> RIP: 0010:collapse_file+0x1150/0x5510 mm/khugepaged.c:1785
> Code: 89 c6 e8 e3 67 a6 ff 84 db 0f 85 66 f1 ff ff e8 a6 6c a6 ff 0f 0b e9 5a f1 ff ff c6 44 24 48 00 e9 65 f0 ff ff e8 90 6c a6 ff <0f> 0b e8 89 6c a6 ff 4d 85 ed 74 1c e8 7f 6c a6 ff 44 89 eb 31 ff
> RSP: 0018:ffffc90003bff810 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: 00000000000000ff RCX: 0000000000000000
> RDX: ffff88807e618000 RSI: ffffffff81df5fb0 RDI: 0000000000000007
> RBP: 0000000777fa80ff R08: 0000000000000007 R09: 0000000000000000
> R10: 00000000000000ff R11: 0000000000000000 R12: 0000000000000000
> R13: 0000000000000000 R14: ffff8880227b3680 R15: 0000000777fa7eff
> FS:  00007fdc40a816c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fdc40b169f8 CR3: 00000000278a9000 CR4: 00000000003506e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>
>  hpage_collapse_scan_file+0xc8d/0x1650 mm/khugepaged.c:2285
>  madvise_collapse+0x52c/0xb50 mm/khugepaged.c:2729
>  madvise_vma_behavior+0x200/0x1e60 mm/madvise.c:1094
>  madvise_walk_vmas+0x1c6/0x2b0 mm/madvise.c:1268
>  do_madvise.part.0+0x29c/0x5d0 mm/madvise.c:1448
>  do_madvise mm/madvise.c:1461 [inline]
>  __do_sys_madvise mm/madvise.c:1461 [inline]
>  __se_sys_madvise mm/madvise.c:1459 [inline]
>  __x64_sys_madvise+0x115/0x150 mm/madvise.c:1459
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x63/0xcd
> RIP: 0033:0x7fdc40ac0399
> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007fdc40a81238 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
> RAX: ffffffffffffffda RBX: 00007fdc40b4a308 RCX: 00007fdc40ac0399
> RDX: 0000000000000019 RSI: 000000000040c101 RDI: 0000000020000000
> RBP: 00007fdc40b4a300 R08: 00007fdc40a816c0 R09: 00007fdc40a816c0
> R10: 00007fdc40a816c0 R11: 0000000000000246 R12: 00007fdc40b4a30c
> R13: 0000000000000000 R14: 00007fffbeb44cf0 R15: 00007fffbeb44dd8
>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:collapse_file+0x1150/0x5510 mm/khugepaged.c:1785
> Code: 89 c6 e8 e3 67 a6 ff 84 db 0f 85 66 f1 ff ff e8 a6 6c a6 ff 0f 0b e9 5a f1 ff ff c6 44 24 48 00 e9 65 f0 ff ff e8 90 6c a6 ff <0f> 0b e8 89 6c a6 ff 4d 85 ed 74 1c e8 7f 6c a6 ff 44 89 eb 31 ff
> RSP: 0018:ffffc90003bff810 EFLAGS: 00010293
> RAX: 0000000000000000 RBX: 00000000000000ff RCX: 0000000000000000
> RDX: ffff88807e618000 RSI: ffffffff81df5fb0 RDI: 0000000000000007
> RBP: 0000000777fa80ff R08: 0000000000000007 R09: 0000000000000000
> R10: 00000000000000ff R11: 0000000000000000 R12: 0000000000000000
> R13: 0000000000000000 R14: ffff8880227b3680 R15: 0000000777fa7eff
> FS:  00007fdc40a816c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fdc40a60d58 CR3: 00000000278a9000 CR4: 00000000003506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

This was a very helpful report from syzbot (not all of them are, I know ;)

kernel BUG at mm/khugepaged.c:1785!

in that tree was the VM_BUG_ON(start & (HPAGE_PMD_NR - 1)); on coming in to collapse_file(). Which seems an unlikely thing to get wrong, and I couldn't see why, and the repro did not repro for me.

I wouldn't usually bother to look at the linked bisection log https://syzkaller.appspot.com/x/bisect.txt?x=105af56aa80000 but in this case it was very instructive. My first reaction to the kinds of crash it was showing (__fput, task_work_run, hardly any in collapse_file) made me think the bisection had gone off course. But no: they all point to fput(), hence vma->vm_file, and my guilty commit was blithely setting "mmap_locked = true", without realizing that that setting is supposed to give guarantees that "vma" has been revalidated since the mmap_lock was taken - not so.

Patch for mm-unstable follows with some others tomorrow.

Hugh
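The invariant described in the mail, as an added user-space model that is not kernel code and not Hugh's patch: "mmap_locked = true" only carries a guarantee if the vma pointer was looked up again after the lock was taken, and a flag set without that lookup leaves the caller holding a vma whose vm_file may already have been fput(). Every struct and function name here is a toy assumption and the scenario is constructed.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed user-space model, not kernel code: every name here is a toy
 * assumption. HPAGE_PMD_NR is x86-64's 512 4K pages per PMD. */
#define HPAGE_PMD_NR 512UL
struct file { int refcount; };
struct vma  { unsigned long pg_start, pg_end; struct file *vm_file; };
struct mm   { struct vma *vmas[4]; int nr; bool mmap_locked; };

/* True when collapse_file()'s VM_BUG_ON(start & (HPAGE_PMD_NR - 1)) fires. */
static bool start_misaligned(unsigned long start)
{
    return (start & (HPAGE_PMD_NR - 1)) != 0;
}

/* Toy find_vma(): the vma currently covering page index pg, or NULL. */
static struct vma *model_find_vma(struct mm *mm, unsigned long pg)
{
    for (int i = 0; i < mm->nr; i++)
        if (mm->vmas[i] && pg >= mm->vmas[i]->pg_start && pg < mm->vmas[i]->pg_end)
            return mm->vmas[i];
    return NULL;
}

/* Corrected shape: take the lock, then look the vma up again, so that
 * mmap_locked == true really means "vma is valid under this lock". */
static struct vma *lock_and_revalidate(struct mm *mm, unsigned long start)
{
    mm->mmap_locked = true;
    return model_find_vma(mm, start);
}

/* Constructed scenario: one 4-PMD vma, then a concurrent munmap while the lock
 * was dropped. Returns 1 when the buggy shape (flag set, old pointer kept)
 * still holds the dead vma whose file was already fput(), while the
 * revalidating path correctly returns NULL. */
static int model_scenario(void)
{
    struct file f = { .refcount = 1 };
    struct vma v = { .pg_start = 0, .pg_end = 4 * HPAGE_PMD_NR, .vm_file = &f };
    struct mm mm = { .vmas = { &v }, .nr = 1, .mmap_locked = false };
    struct vma *stale = model_find_vma(&mm, 0); /* looked up before locking */
    f.refcount--;                               /* munmap: fput() ... */
    v.vm_file = NULL;
    mm.vmas[0] = NULL;                          /* ... and vma removed */
    mm.mmap_locked = true;                      /* the mail's "mmap_locked = true" */
    struct vma *fresh = lock_and_revalidate(&mm, 0);
    return stale == &v && stale->vm_file == NULL && f.refcount == 0 && fresh == NULL;
}
```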