Subject: Re: [syzbot] [mm?] general protection fault in hugetlb_vma_lock_write
From: Rik van Riel
To: syzbot, akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
    linux-mm@kvack.org, llvm@lists.linux.dev, mike.kravetz@oracle.com,
    muchun.song@linux.dev, nathan@kernel.org, ndesaulniers@google.com,
    syzkaller-bugs@googlegroups.com, trix@redhat.com
Date: Tue, 31 Oct 2023 14:38:55 -0400
In-Reply-To: <00000000000078d1e00608d7878b@google.com>
References: <00000000000078d1e00608d7878b@google.com>

On Sun, 2023-10-29 at 02:27 -0700, syzbot wrote:
> 
> commit bf4916922c60f43efaa329744b3eef539aa6a2b2
> Author: Rik van Riel
> Date:   Fri Oct 6 03:59:07 2023 +0000
> 
>     hugetlbfs: extend hugetlb_vma_lock to private VMAs
> 

I've been trying to reproduce the issue here, but the test case has
been running for 4+ hours now on a KVM guest, with KASAN and
CONFIG_PROVE_LOCKING enabled. No crashes yet.

I'll try adapting the config file from syzkaller so the resulting
kernel boots here, but this is not looking like an easy reproducer
so far...
The crash is also confusing me somewhat, because it looks like
hugetlb_vma_lock_write() is passing a nonsense (very small value)
resv_map->rw_sema pointer down to down_write, but the code has some
protection against that:

static inline bool __vma_private_lock(struct vm_area_struct *vma)
{
	/* only a MAP_PRIVATE VMA that still carries vm_private_data qualifies */
	return (!(vma->vm_flags & VM_MAYSHARE)) && vma->vm_private_data;
}

void hugetlb_vma_lock_write(struct vm_area_struct *vma)
{
	if (__vma_shareable_lock(vma)) {
		/* shared mapping: vm_private_data points at the hugetlb_vma_lock */
		struct hugetlb_vma_lock *vma_lock = vma->vm_private_data;

		down_write(&vma_lock->rw_sema);
	} else if (__vma_private_lock(vma)) {
		/* private mapping: the rw_sema lives in the reservation map */
		struct resv_map *resv_map = vma_resv_map(vma);

		down_write(&resv_map->rw_sema);
	}
}

At fork time, vma->vm_private_data gets cleared in the child process
for MAP_PRIVATE hugetlb VMAs. I do not see anything that would leave
behind a tiny, but non-zero value in that pointer.

I'll keep poking at this, but I don't know if it will reproduce here.

> general protection fault, probably for non-canonical address 0xdffffc000000001d: 0000 [#1] PREEMPT SMP KASAN
> KASAN: null-ptr-deref in range [0x00000000000000e8-0x00000000000000ef]
> CPU: 0 PID: 5048 Comm: syz-executor139 Not tainted 6.6.0-rc7-syzkaller-00142-g888cf78c29e2 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
> RIP: 0010:__lock_acquire+0x109/0x5de0 kernel/locking/lockdep.c:5004
> Code: 45 85 c9 0f 84 cc 0e 00 00 44 8b 05 c1 1e 42 0b 45 85 c0 0f 84 be 0d 00 00 48 ba 00 00 00 00 00 fc ff df 4c 89 d1 48 c1 e9 03 <80> 3c 11 00 0f 85 e8 40 00 00 49 81 3a a0 d9 5f 90 0f 84 96 0d 00
> RSP: 0018:ffffc90003aa7798 EFLAGS: 00010016
> 
> RAX: ffff88807a0b9dc0 RBX: 1ffff92000754f23 RCX: 000000000000001d
> RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 00000000000000e8
> RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
> R10: 00000000000000e8 R11: 0000000000000000 R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000020000280 CR3: 00000000758bf000 CR4: 0000000000350ef0
> Call Trace:
>  <TASK>
>  lock_acquire kernel/locking/lockdep.c:5753 [inline]
>  lock_acquire+0x1ae/0x510 kernel/locking/lockdep.c:5718
>  down_write+0x93/0x200 kernel/locking/rwsem.c:1573
>  hugetlb_vma_lock_write mm/hugetlb.c:300 [inline]
>  hugetlb_vma_lock_write+0xae/0x100 mm/hugetlb.c:291
>  __hugetlb_zap_begin+0x1e9/0x2b0 mm/hugetlb.c:5447
>  hugetlb_zap_begin include/linux/hugetlb.h:258 [inline]
>  unmap_vmas+0x2f4/0x470 mm/memory.c:1733
>  exit_mmap+0x1ad/0xa60 mm/mmap.c:3230
>  __mmput+0x12a/0x4d0 kernel/fork.c:1349
>  mmput+0x62/0x70 kernel/fork.c:1371
>  exit_mm kernel/exit.c:567 [inline]
>  do_exit+0x9ad/0x2a20 kernel/exit.c:861
>  __do_sys_exit kernel/exit.c:991 [inline]
>  __se_sys_exit kernel/exit.c:989 [inline]
>  __x64_sys_exit+0x42/0x50 kernel/exit.c:989
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x63/0xcd
> RIP: 0033:0x7ff2b7a78ab9
> Code: Unable to access opcode bytes at 0x7ff2b7a78a8f.
> RSP: 002b:00007fff926ea6b8 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
> RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff2b7a78ab9
> RDX: 00007ff2b7ab23f3 RSI: 0000000000000000 RDI: 0000000000000000
> RBP: 000000000000cfda R08: 0000000000000000 R09: 0000000000000006
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff926ea6cc
> R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
>  </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:__lock_acquire+0x109/0x5de0 kernel/locking/lockdep.c:5004
> Code: 45 85 c9 0f 84 cc 0e 00 00 44 8b 05 c1 1e 42 0b 45 85 c0 0f 84 be 0d 00 00 48 ba 00 00 00 00 00 fc ff df 4c 89 d1 48 c1 e9 03 <80> 3c 11 00 0f 85 e8 40 00 00 49 81 3a a0 d9 5f 90 0f 84 96 0d 00
> RSP: 0018:ffffc90003aa7798 EFLAGS: 00010016
> RAX: ffff88807a0b9dc0 RBX: 1ffff92000754f23 RCX: 000000000000001d
> RDX: dffffc0000000000 RSI: 0000000000000000 RDI: 00000000000000e8
> RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
> R10: 00000000000000e8 R11: 0000000000000000 R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000020000280 CR3: 00000000758bf000 CR4: 0000000000350ef0
> ----------------
> Code disassembly (best guess):
>    0:	45 85 c9             	test   %r9d,%r9d
>    3:	0f 84 cc 0e 00 00    	je     0xed5
>    9:	44 8b 05 c1 1e 42 0b 	mov    0xb421ec1(%rip),%r8d        # 0xb421ed1
>   10:	45 85 c0             	test   %r8d,%r8d
>   13:	0f 84 be 0d 00 00    	je     0xdd7
>   19:	48 ba 00 00 00 00 00 	movabs $0xdffffc0000000000,%rdx
>   20:	fc ff df
>   23:	4c 89 d1             	mov    %r10,%rcx
>   26:	48 c1 e9 03          	shr    $0x3,%rcx
> * 2a:	80 3c 11 00          	cmpb   $0x0,(%rcx,%rdx,1) <-- trapping instruction
>   2e:	0f 85 e8 40 00 00    	jne    0x411c
>   34:	49 81 3a a0 d9 5f 90 	cmpq   $0xffffffff905fd9a0,(%r10)
>   3b:	0f                   	.byte 0xf
>   3c:	84                   	.byte 0x84
>   3d:	96                   	xchg   %eax,%esi
>   3e:	0d                   	.byte 0xd
> 
> 
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
> 
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> For information about bisection process see:
> https://goo.gl/tpsmEJ#bisection
> 
> If the bug is already fixed, let syzbot know by replying with:
> #syz fix: exact-commit-title
> 
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before
> testing.
> 
> If you want to overwrite bug's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
> 
> If the bug is a duplicate of another bug, reply with:
> #syz dup: exact-subject-of-another-report
> 
> If you want to undo deduplication, reply with:
> #syz undup
> 

-- 
All Rights Reversed.
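The report's "non-canonical address 0xdffffc000000001d" and the "null-ptr-deref in range [0xe8-0xef]" line are two views of the same event, and the disassembly shows why: generic KASAN on x86_64 checks every 8-byte granule through a shadow byte at (addr >> 3) + 0xdffffc0000000000 (the movabs / shr $0x3 / cmpb sequence), so a check on a nearly NULL pointer lands on an unmapped shadow address and the CPU raises #GP there instead of at the pointer itself. The program below, an added example for readers of the thread and not code from the kernel or from anyone in this discussion, reverses that arithmetic so the accessed address range and its KASAN classification can be recovered by hand from an oops. It assumes the x86_64 4-level paging constants (KASAN_SHADOW_OFFSET as in the disassembly, 48-bit canonical addresses, TASK_SIZE_MAX of 0x00007ffffffff000, 4 KiB pages) and models the classification on what the kernel's kasan_non_canonical_hook() in mm/kasan/report.c does; the function and struct names are this example's own.

```c
/*
 * Added example, not from the mailing-list thread: recover the kernel address
 * behind an x86_64 KASAN shadow-byte #GP.  Constants assume 4-level paging.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL /* value in the disassembly */
#define KASAN_SHADOW_SCALE_SHIFT 3                      /* one shadow byte per 8 bytes */
#define KASAN_GRANULE_SIZE       (1ULL << KASAN_SHADOW_SCALE_SHIFT)
#define PAGE_SIZE_4K             4096ULL
#define TASK_SIZE_MAX_4L         0x00007ffffffff000ULL  /* assumed: (1 << 47) - PAGE_SIZE */

enum kasan_kind {
	KASAN_NOT_SHADOW,          /* address is not a shadow lookup gone wrong */
	KASAN_NULL_PTR_DEREF,      /* original address inside page 0: NULL + field offset */
	KASAN_USER_MEMORY_ACCESS,  /* original address inside the user range */
	KASAN_WILD_MEMORY_ACCESS,  /* original address in the non-canonical hole */
};

struct kasan_fault {
	enum kasan_kind kind;
	uint64_t start;   /* first byte of the granule the shadow byte covers */
	uint64_t end;     /* last byte of that granule, inclusive */
};

/* Forward direction: the address the instrumented kernel loads the shadow byte from. */
uint64_t kasan_shadow_of(uint64_t addr)
{
	return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* 48-bit virtual addresses: bits 63..47 must be all zero or all one. */
static bool is_canonical(uint64_t addr)
{
	uint64_t top = addr >> 47;
	return top == 0 || top == 0x1ffff;
}

/* Reverse direction: what a triager does with the #GP address from the oops. */
struct kasan_fault kasan_decode_gpf(uint64_t gpf_addr)
{
	struct kasan_fault f = { KASAN_NOT_SHADOW, 0, 0 };

	/* A #GP on a canonical address is something else (e.g. a bad segment). */
	if (is_canonical(gpf_addr) || gpf_addr < KASAN_SHADOW_OFFSET)
		return f;

	/* The >> 3 dropped the low bits, so one shadow byte maps back to 8 bytes. */
	f.start = (gpf_addr - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
	f.end   = f.start + KASAN_GRANULE_SIZE - 1;

	if (f.start < PAGE_SIZE_4K)
		f.kind = KASAN_NULL_PTR_DEREF;
	else if (f.start < TASK_SIZE_MAX_4L)
		f.kind = KASAN_USER_MEMORY_ACCESS;
	else
		f.kind = KASAN_WILD_MEMORY_ACCESS;
	return f;
}

const char *kasan_kind_name(enum kasan_kind kind)
{
	switch (kind) {
	case KASAN_NULL_PTR_DEREF:     return "null-ptr-deref";
	case KASAN_USER_MEMORY_ACCESS: return "user-memory-access";
	case KASAN_WILD_MEMORY_ACCESS: return "wild-memory-access";
	default:                       return "not a KASAN shadow access";
	}
}

int main(void)
{
	/* The #GP address from the syzbot report quoted in the thread. */
	struct kasan_fault f = kasan_decode_gpf(0xdffffc000000001dULL);

	printf("KASAN: %s in range [0x%016llx-0x%016llx]\n",
	       kasan_kind_name(f.kind),
	       (unsigned long long)f.start, (unsigned long long)f.end);
	return f.kind == KASAN_NOT_SHADOW;
}
```

For the report's address the decode gives [0xe8-0xef], i.e. an 8-byte field at offset 0xe8 from a NULL base, which is consistent with the oops having RDI and R10 both equal to 0xe8 while RCX holds the shifted value 0x1d: the code was reading a lock member through a NULL struct pointer, not through a small garbage pointer, and the "very small value" seen in the registers is the field offset rather than the pointer.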