Subject: Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in move_pages_pte
From: Qi Zheng
To: syzbot
Cc: David Hildenbrand, Jann Horn, Hugh Dickins, Muchun Song, akpm@linux-foundation.org, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, mingo@redhat.com, syzkaller-bugs@googlegroups.com, tglx@linutronix.de, x86@kernel.org
Date: Mon, 9 Dec 2024 15:00:04 +0800
References: <67548279.050a0220.a30f1.015b.GAE@google.com> <51849c40-1bd5-49bb-ba2f-15cd06f45f48@bytedance.com>
In-Reply-To: <51849c40-1bd5-49bb-ba2f-15cd06f45f48@bytedance.com>
On 2024/12/9 14:25, Qi Zheng wrote:
> 
> 
> On 2024/12/8 01:14, syzbot wrote:
>> Hello,
>> 
>> syzbot found the following issue on:
>> 
>> HEAD commit:    af2ea8ab7a54 Add linux-next specific files for 20241205
>> git tree:       linux-next
>> console output: https://syzkaller.appspot.com/x/log.txt?x=13c4e8df980000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=76f158395f6f15fd
>> dashboard link: https://syzkaller.appspot.com/bug?extid=1c58afed1cfd2f57efee
>> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=133850f8580000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17be9330580000
>> 
>> Downloadable assets:
>> disk image: https://storage.googleapis.com/syzbot-assets/8af0861258fa/disk-af2ea8ab.raw.xz
>> vmlinux: https://storage.googleapis.com/syzbot-assets/ffb38cf7a344/vmlinux-af2ea8ab.xz
>> kernel image: https://storage.googleapis.com/syzbot-assets/6fbd2e50358a/bzImage-af2ea8ab.xz
>> 
>> The issue was bisected to:
>> 
>> commit 5b29c4156f5801fced2ec504b44ab98f60c480bf
>> Author: Qi Zheng
>> Date:   Wed Dec 4 11:09:51 2024 +0000
>> 
>>      x86: select ARCH_SUPPORTS_PT_RECLAIM if X86_64
>> 
>> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=16d344df980000
>> final oops:     https://syzkaller.appspot.com/x/report.txt?x=15d344df980000
>> console output: https://syzkaller.appspot.com/x/log.txt?x=11d344df980000
>> 
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+1c58afed1cfd2f57efee@syzkaller.appspotmail.com
>> Fixes: 5b29c4156f58 ("x86: select ARCH_SUPPORTS_PT_RECLAIM if X86_64")
>> 
>> ==================================================================
>> BUG: KASAN: slab-use-after-free in __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089
>> Read of size 8 at addr ffff888034718978 by task syz-executor352/6070
>> 
>> CPU: 0 UID: 0 PID: 6070 Comm: syz-executor352 Not tainted 6.13.0-rc1-next-20241205-syzkaller #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
>> Call Trace:
>> 
>>  __dump_stack lib/dump_stack.c:94 [inline]
>>  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
>>  print_address_description mm/kasan/report.c:378 [inline]
>>  print_report+0x169/0x550 mm/kasan/report.c:489
>>  kasan_report+0x143/0x180 mm/kasan/report.c:602
>>  __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089
>>  lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
>>  __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
>>  _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
>>  spin_lock include/linux/spinlock.h:351 [inline]
>>  move_pages_pte+0x8aa/0x3400 mm/userfaultfd.c:1248
>>  move_pages+0xe75/0x16a0 mm/userfaultfd.c:1754
>>  userfaultfd_move fs/userfaultfd.c:1899 [inline]
>>  userfaultfd_ioctl+0x5221/0x6840 fs/userfaultfd.c:2022
>>  vfs_ioctl fs/ioctl.c:51 [inline]
>>  __do_sys_ioctl fs/ioctl.c:906 [inline]
>>  __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
>>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>>  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>> RIP: 0033:0x7fed8de85af9
>> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
>> RSP: 002b:00007fed8de40238 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
>> RAX: ffffffffffffffda RBX: 00007fed8df10328 RCX: 00007fed8de85af9
>> RDX: 0000000020000080 RSI: 00000000c028aa05 RDI: 0000000000000003
>> RBP: 00007fed8df10320 R08: 00007fed8de406c0 R09: 00007fed8de406c0
>> R10: 00007fed8de406c0 R11: 0000000000000246 R12: 00007fed8dedd334
>> R13: 0000000000000010 R14: 00007ffc241241e0 R15: 00007ffc241242c8
>> 
>> 
>> Allocated by task 6070:
>>  kasan_save_stack mm/kasan/common.c:47 [inline]
>>  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
>>  unpoison_slab_object mm/kasan/common.c:319 [inline]
>>  __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345
>>  kasan_slab_alloc include/linux/kasan.h:250 [inline]
>>  slab_post_alloc_hook mm/slub.c:4104 [inline]
>>  slab_alloc_node mm/slub.c:4153 [inline]
>>  kmem_cache_alloc_noprof+0x1d9/0x380 mm/slub.c:4160
>>  ptlock_alloc+0x20/0x70 mm/memory.c:7026
>>  ptlock_init include/linux/mm.h:2971 [inline]
>>  pagetable_pte_ctor include/linux/mm.h:2998 [inline]
>>  __pte_alloc_one_noprof include/asm-generic/pgalloc.h:73 [inline]
>>  pte_alloc_one+0xd3/0x510 arch/x86/mm/pgtable.c:41
>>  __do_huge_pmd_anonymous_page mm/huge_memory.c:1229 [inline]
>>  do_huge_pmd_anonymous_page+0x2fb/0xb30 mm/huge_memory.c:1374
>>  create_huge_pmd mm/memory.c:5737 [inline]
>>  __handle_mm_fault mm/memory.c:5986 [inline]
>>  handle_mm_fault+0x15a7/0x1bb0 mm/memory.c:6183
>>  do_user_addr_fault arch/x86/mm/fault.c:1338 [inline]
>>  handle_page_fault arch/x86/mm/fault.c:1481 [inline]
>>  exc_page_fault+0x459/0x8b0 arch/x86/mm/fault.c:1539
>>  asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
>> 
>> Freed by task 6071:
>>  kasan_save_stack mm/kasan/common.c:47 [inline]
>>  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
>>  kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576
>>  poison_slab_object mm/kasan/common.c:247 [inline]
>>  __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
>>  kasan_slab_free include/linux/kasan.h:233 [inline]
>>  slab_free_hook mm/slub.c:2338 [inline]
>>  slab_free mm/slub.c:4598 [inline]
>>  kmem_cache_free+0x195/0x410 mm/slub.c:4700
>>  pagetable_pte_dtor include/linux/mm.h:3009 [inline]
> 
> OK, so the problem is that ptdesc->ptl is not freed via RCU:
> 
> ___pte_free_tlb
> --> pagetable_pte_dtor
>     --> ptlock_free
>         --> kmem_cache_free (free immediately!)
>     paravirt_tlb_remove_table
>     --> free PTE page via RCU
> 
> In retract_page_tables(), it calls pte_free_defer() to free
> ptdesc->ptl and PTE page via RCU, so there is no problem.
> 
> To fix it, will also free ptdesc->ptl in ptlock_free() via RCU.
> 
>>  ___pte_free_tlb+0x2b/0x140 arch/x86/mm/pgtable.c:63
>>  __pte_free_tlb arch/x86/include/asm/pgalloc.h:61 [inline]
>>  free_pte+0x142/0x190 mm/pt_reclaim.c:31
>>  zap_pte_range mm/memory.c:1780 [inline]
>>  zap_pmd_range mm/memory.c:1822 [inline]
>>  zap_pud_range mm/memory.c:1851 [inline]
>>  zap_p4d_range mm/memory.c:1872 [inline]
>>  unmap_page_range+0x4062/0x48d0 mm/memory.c:1893
>>  zap_page_range_single+0x45c/0x630 mm/memory.c:2018
>>  madvise_dontneed_single_vma mm/madvise.c:859 [inline]
>>  madvise_dontneed_free mm/madvise.c:940 [inline]
>>  madvise_vma_behavior mm/madvise.c:1270 [inline]
>>  madvise_walk_vmas mm/madvise.c:1502 [inline]
>>  do_madvise+0x2774/0x4d90 mm/madvise.c:1689
>>  __do_sys_madvise mm/madvise.c:1705 [inline]
>>  __se_sys_madvise mm/madvise.c:1703 [inline]
>>  __x64_sys_madvise+0xa6/0xc0 mm/madvise.c:1703
>>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>>  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>> 
>> The buggy address belongs to the object at ffff888034718960
>>  which belongs to the cache page->ptl of size 64
>> The buggy address is located 24 bytes inside of
>>  freed 64-byte region [ffff888034718960, ffff8880347189a0)
>> 
>> The buggy address belongs to the physical page:
>> page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x34718
>> flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
>> page_type: f5(slab)
>> raw: 00fff00000000000 ffff88801ac4f780 dead000000000122 0000000000000000
>> raw: 0000000000000000 00000000802a002a 00000000f5000000 0000000000000000
>> page dumped because: kasan: bad access detected
>> page_owner tracks the page as allocated
>> page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5823, tgid 5823 (syz-executor352), ts 65548803787, free_ts 65433386693
>>  set_page_owner include/linux/page_owner.h:32 [inline]
>>  post_alloc_hook+0x1f4/0x240 mm/page_alloc.c:1549
>>  prep_new_page mm/page_alloc.c:1557 [inline]
>>  get_page_from_freelist+0x365c/0x37a0 mm/page_alloc.c:3475
>>  __alloc_frozen_pages_noprof+0x292/0x710 mm/page_alloc.c:4752
>>  alloc_pages_mpol+0x30e/0x550 mm/mempolicy.c:2270
>>  alloc_slab_page mm/slub.c:2408 [inline]
>>  allocate_slab+0x8f/0x3a0 mm/slub.c:2574
>>  new_slab mm/slub.c:2627 [inline]
>>  ___slab_alloc+0xc27/0x14a0 mm/slub.c:3815
>>  __slab_alloc+0x58/0xa0 mm/slub.c:3905
>>  __slab_alloc_node mm/slub.c:3980 [inline]
>>  slab_alloc_node mm/slub.c:4141 [inline]
>>  kmem_cache_alloc_noprof+0x268/0x380 mm/slub.c:4160
>>  ptlock_alloc mm/memory.c:7026 [inline]
>>  ptlock_init include/linux/mm.h:2971 [inline]
>>  pmd_ptlock_init include/linux/mm.h:3078 [inline]
>>  pagetable_pmd_ctor include/linux/mm.h:3116 [inline]
>>  pmd_alloc_one_noprof include/asm-generic/pgalloc.h:141 [inline]
>>  __pmd_alloc+0x10b/0x670 mm/memory.c:6436
>>  pmd_alloc include/linux/mm.h:2862 [inline]
>>  copy_pmd_range+0x7352/0x77a0 mm/memory.c:1241
>>  copy_pud_range mm/memory.c:1298 [inline]
>>  copy_p4d_range mm/memory.c:1322 [inline]
>>  copy_page_range+0x99f/0xe90 mm/memory.c:1420
>>  dup_mmap kernel/fork.c:751 [inline]
>>  dup_mm kernel/fork.c:1693 [inline]
>>  copy_mm+0x12d2/0x2060 kernel/fork.c:1742
>>  copy_process+0x1845/0x3d80 kernel/fork.c:2393
>>  kernel_clone+0x226/0x8e0 kernel/fork.c:2805
>>  __do_sys_clone kernel/fork.c:2948 [inline]
>>  __se_sys_clone kernel/fork.c:2932 [inline]
>>  __x64_sys_clone+0x258/0x2a0 kernel/fork.c:2932
>>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>>  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>> page last free pid 6052 tgid 6051 stack trace:
>>  reset_page_owner include/linux/page_owner.h:25 [inline]
>>  free_pages_prepare mm/page_alloc.c:1127 [inline]
>>  free_frozen_pages+0xe0d/0x10e0 mm/page_alloc.c:2658
>>  __folio_put+0x2b3/0x360 mm/swap.c:112
>>  __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline]
>>  __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
>>  tlb_remove_table_rcu+0x76/0xf0 mm/mmu_gather.c:282
>>  rcu_do_batch kernel/rcu/tree.c:2567 [inline]
>>  rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823
>>  handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561
>>  __do_softirq kernel/softirq.c:595 [inline]
>>  invoke_softirq kernel/softirq.c:435 [inline]
>>  __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662
>>  irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
>>  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
>>  sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049
>>  asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
>> 
>> Memory state around the buggy address:
>>  ffff888034718800: 00 00 00 00 fc fc fc fc 00 00 00 00 00 00 00 00
>>  ffff888034718880: fc fc fc fc 00 00 00 00 00 00 00 00 fc fc fc fc
>>> ffff888034718900: 00 00 00 00 00 00 00 00 fc fc fc fc fa fb fb fb
>>                                                                  ^
>>  ffff888034718980: fb fb fb fb fc fc fc fc fa fb fb fb fb fb fb fb
>>  ffff888034718a00: fc fc fc fc 00 00 00 00 00 00 00 00 fc fc fc fc
>> ==================================================================
>> 
>> 
>> ---
>> This report is generated by a bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for more information about syzbot.
>> syzbot engineers can be reached at syzkaller@googlegroups.com.
>> 
>> syzbot will keep track of this issue. See:
>> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>> 
>> If the report is already addressed, let syzbot know by replying with:
>> #syz fix: exact-commit-title
>> 
>> If you want syzbot to run the reproducer, reply with:
>> #syz test: git://repo/address.git branch-or-commit-hash
>> If you attach or paste a git patch, syzbot will apply it before testing.

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git mm-unstable

diff --git a/mm/memory.c b/mm/memory.c index 83fd35c034d7a..28526a4205d1b 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -7023,7 +7023,7 @@ static struct kmem_cache *page_ptl_cachep; void __init ptlock_cache_init(void) { page_ptl_cachep = kmem_cache_create("page->ptl", sizeof(spinlock_t), 0, - SLAB_PANIC, NULL); + SLAB_PANIC|SLAB_TYPESAFE_BY_RCU, NULL); } bool ptlock_alloc(struct ptdesc *ptdesc)

>> 
>> If you want to overwrite report's subsystems, reply with:
>> #syz set subsystems: new-subsystem
>> (See the list of subsystem names on the web dashboard)
>> 
>> If the report is a duplicate of another one, reply with:
>> #syz dup: exact-subject-of-another-report
>> 
>> If you want to undo deduplication, reply with:
>> #syz undup
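Review bot: SLAB_TYPESAFE_BY_RCU in the kmem_cache_create() flags of this hunk only delays returning the slab page to the page allocator until after a grace period; it does not delay reuse of the object, so the kmem_cache_free() reached from ptlock_free() can hand the same 64-byte "page->ptl" object straight back to the next ptlock_alloc() (mm/memory.c:7026), and ptlock_init() (include/linux/mm.h:2971, both visible in the allocation stack above) will re-initialise that spinlock while move_pages_pte() may still be spinning on it under RCU. The rule for caches with this flag is that the lock inside the object is initialised once, from the constructor passed as the last kmem_cache_create() argument (still NULL in the hunk), never on each allocation, and that every lockless user re-validates the object after taking the lock, for example by re-checking the PMD entry it was reached through. Either add such a ctor and drop the per-allocation init, or do what the quoted analysis proposes and free ptdesc->ptl from ptlock_free() through call_rcu(), so the lock outlives the PTE page that points to it in the same way pte_free_defer() already arranges for retract_page_tables().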
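The free ordering the quoted analysis describes (PTE page handed to RCU, ptdesc->ptl freed at once, a lockless reader that reached the page under rcu_read_lock() then taking a lock that no longer exists), as an added user-space model written for this page. It is not kernel code and not the patch under test; every name in it (rcu_*_m, pte_free_tlb_m, run_interleaving, the shadow "freed" flag standing in for KASAN poisoning) is the model's own stand-in, and the interleaving is scripted in one thread so the outcome is deterministic.

```c
/*
 * Model of the two tasks in the syzbot report:
 *   task A (move_pages_pte): rcu_read_lock; load ptdesc->ptl; ...; spin_lock(ptl)
 *   task B (madvise DONTNEED): zap the range, ___pte_free_tlb(ptdesc)
 * with B running between A's pointer load and A's spin_lock().
 * "Freed" memory is tracked with a shadow flag (the way KASAN poisons a
 * freed slab object), so the program itself never touches freed memory.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct kobj     { bool freed; };                     /* shadow metadata */
struct ptl      { struct kobj hdr; };                /* stand-in for the "page->ptl" slab object */
struct pte_page { struct kobj hdr; struct ptl *ptl; }; /* stand-in for struct ptdesc */

/* Minimal RCU model: call_rcu() queues a callback; a grace period can end,
 * and run the callbacks, only while no reader is inside a read section. */
#define MAX_CB 8
static void (*cb_fn[MAX_CB])(void *);
static void *cb_arg[MAX_CB];
static int ncb, readers;

static void rcu_read_lock_m(void)   { readers++; }
static void rcu_read_unlock_m(void) { readers--; }
static void call_rcu_m(void (*fn)(void *), void *arg)
{
    if (ncb < MAX_CB) { cb_fn[ncb] = fn; cb_arg[ncb] = arg; ncb++; }
}
/* Returns how many deferred frees ran; 0 while a reader is still inside. */
static int rcu_grace_period_m(void)
{
    if (readers) return 0;
    int ran = ncb;
    for (int i = 0; i < ncb; i++) cb_fn[i](cb_arg[i]);
    ncb = 0;
    return ran;
}

static void shadow_free(struct kobj *o) { o->freed = true; }
static void free_cb(void *p)            { shadow_free(p); }

/* Model of ___pte_free_tlb(): the PTE page always goes through RCU
 * (tlb_remove_table); whether the ptl does is the question at issue. */
static void pte_free_tlb_m(struct pte_page *pg, bool ptl_via_rcu)
{
    if (ptl_via_rcu)
        call_rcu_m(free_cb, pg->ptl);       /* proposed fix: defer like the page */
    else
        shadow_free(&pg->ptl->hdr);         /* ptlock_free(): kmem_cache_free() now */
    call_rcu_m(free_cb, pg);
}

struct outcome {
    bool ptl_uaf;         /* A's spin_lock() touched a freed ptl */
    bool page_uaf;        /* A's re-read of the page touched freed memory */
    int  cbs_before_exit; /* deferred frees that ran while A was inside */
    int  cbs_after_exit;  /* deferred frees that ran once A left */
};

static struct outcome run_interleaving(bool ptl_via_rcu)
{
    struct outcome out = {0};
    struct ptl *l = calloc(1, sizeof *l);
    struct pte_page *pg = calloc(1, sizeof *pg);
    pg->ptl = l;

    rcu_read_lock_m();                          /* A enters its lockless walk */
    struct ptl *lock = pg->ptl;                 /* A: ptlock_ptr(ptdesc) */

    pte_free_tlb_m(pg, ptl_via_rcu);            /* B frees the page table */
    out.cbs_before_exit = rcu_grace_period_m(); /* A still inside: nothing may run */

    out.page_uaf = pg->hdr.freed;               /* A: re-checks the page (still RCU-protected) */
    out.ptl_uaf  = lock->hdr.freed;             /* A: spin_lock(ptl); KASAN fires if freed */
    rcu_read_unlock_m();

    out.cbs_after_exit = rcu_grace_period_m();  /* now the deferred frees run */
    free(l);
    free(pg);
    return out;
}

/* True when the reader ends up locking an already-freed ptl. */
static bool reader_hits_freed_ptl(bool ptl_via_rcu)
{
    return run_interleaving(ptl_via_rcu).ptl_uaf;
}

int main(void)
{
    printf("ptl freed immediately: uaf=%d\n", reader_hits_freed_ptl(false));
    printf("ptl freed via RCU:     uaf=%d\n", reader_hits_freed_ptl(true));
    return 0;
}
```

The point the model makes is structural rather than about timing: the ptl is only reachable through the PTE page, so anything a reader can find from an RCU-protected page must have a lifetime at least as long as that page's grace period, which is why the page being deferred while the lock is freed immediately is a use-after-free even though both frees happen on the same path.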