Date: Mon, 9 Dec 2024 14:48:07 +0800
Subject: Re: [syzbot] [mm?] KASAN: slab-use-after-free Read in move_pages_pte
From: Qi Zheng
To: syzbot
Cc: David Hildenbrand, Jann Horn, Hugh Dickins, Muchun Song, akpm@linux-foundation.org, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, mingo@redhat.com, syzkaller-bugs@googlegroups.com, tglx@linutronix.de, x86@kernel.org
References: <67548279.050a0220.a30f1.015b.GAE@google.com> <51849c40-1bd5-49bb-ba2f-15cd06f45f48@bytedance.com>
In-Reply-To: <51849c40-1bd5-49bb-ba2f-15cd06f45f48@bytedance.com>

On 2024/12/9 14:25, Qi Zheng wrote:
>
>
> On 2024/12/8 01:14, syzbot wrote:
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit:    af2ea8ab7a54 Add linux-next specific files for 20241205
>> git tree:       linux-next
>> console output: https://syzkaller.appspot.com/x/log.txt?x=13c4e8df980000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=76f158395f6f15fd
>> dashboard link: https://syzkaller.appspot.com/bug?extid=1c58afed1cfd2f57efee
>> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=133850f8580000
>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17be9330580000
>>
>> Downloadable assets:
>> disk image: https://storage.googleapis.com/syzbot-assets/8af0861258fa/disk-af2ea8ab.raw.xz
>> vmlinux: https://storage.googleapis.com/syzbot-assets/ffb38cf7a344/vmlinux-af2ea8ab.xz
>> kernel image: https://storage.googleapis.com/syzbot-assets/6fbd2e50358a/bzImage-af2ea8ab.xz
>>
>> The issue was bisected to:
>>
>> commit 5b29c4156f5801fced2ec504b44ab98f60c480bf
>> Author: Qi Zheng
>> Date:   Wed Dec 4 11:09:51 2024 +0000
>>
>>     x86: select ARCH_SUPPORTS_PT_RECLAIM if X86_64
>>
>> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=16d344df980000
>> final oops:     https://syzkaller.appspot.com/x/report.txt?x=15d344df980000
>> console output: https://syzkaller.appspot.com/x/log.txt?x=11d344df980000
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+1c58afed1cfd2f57efee@syzkaller.appspotmail.com
>> Fixes: 5b29c4156f58 ("x86: select ARCH_SUPPORTS_PT_RECLAIM if X86_64")
>>
>> ==================================================================
>> BUG: KASAN: slab-use-after-free in __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089
>> Read of size 8 at addr ffff888034718978 by task syz-executor352/6070
>>
>> CPU: 0 UID: 0 PID: 6070 Comm: syz-executor352 Not tainted 6.13.0-rc1-next-20241205-syzkaller #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
>> Call Trace:
>>  __dump_stack lib/dump_stack.c:94 [inline]
>>  dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
>>  print_address_description mm/kasan/report.c:378 [inline]
>>  print_report+0x169/0x550 mm/kasan/report.c:489
>>  kasan_report+0x143/0x180 mm/kasan/report.c:602
>>  __lock_acquire+0x78/0x2100 kernel/locking/lockdep.c:5089
>>  lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5849
>>  __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
>>  _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
>>  spin_lock include/linux/spinlock.h:351 [inline]
>>  move_pages_pte+0x8aa/0x3400 mm/userfaultfd.c:1248
>>  move_pages+0xe75/0x16a0 mm/userfaultfd.c:1754
>>  userfaultfd_move fs/userfaultfd.c:1899 [inline]
>>  userfaultfd_ioctl+0x5221/0x6840 fs/userfaultfd.c:2022
>>  vfs_ioctl fs/ioctl.c:51 [inline]
>>  __do_sys_ioctl fs/ioctl.c:906 [inline]
>>  __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
>>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>>  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>> RIP: 0033:0x7fed8de85af9
>> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
>> RSP: 002b:00007fed8de40238 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
>> RAX: ffffffffffffffda RBX: 00007fed8df10328 RCX: 00007fed8de85af9
>> RDX: 0000000020000080 RSI: 00000000c028aa05 RDI: 0000000000000003
>> RBP: 00007fed8df10320 R08: 00007fed8de406c0 R09: 00007fed8de406c0
>> R10: 00007fed8de406c0 R11: 0000000000000246 R12: 00007fed8dedd334
>> R13: 0000000000000010 R14: 00007ffc241241e0 R15: 00007ffc241242c8
>>
>> Allocated by task 6070:
>>  kasan_save_stack mm/kasan/common.c:47 [inline]
>>  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
>>  unpoison_slab_object mm/kasan/common.c:319 [inline]
>>  __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345
>>  kasan_slab_alloc include/linux/kasan.h:250 [inline]
>>  slab_post_alloc_hook mm/slub.c:4104 [inline]
>>  slab_alloc_node mm/slub.c:4153 [inline]
>>  kmem_cache_alloc_noprof+0x1d9/0x380 mm/slub.c:4160
>>  ptlock_alloc+0x20/0x70 mm/memory.c:7026
>>  ptlock_init include/linux/mm.h:2971 [inline]
>>  pagetable_pte_ctor include/linux/mm.h:2998 [inline]
>>  __pte_alloc_one_noprof include/asm-generic/pgalloc.h:73 [inline]
>>  pte_alloc_one+0xd3/0x510 arch/x86/mm/pgtable.c:41
>>  __do_huge_pmd_anonymous_page mm/huge_memory.c:1229 [inline]
>>  do_huge_pmd_anonymous_page+0x2fb/0xb30 mm/huge_memory.c:1374
>>  create_huge_pmd mm/memory.c:5737 [inline]
>>  __handle_mm_fault mm/memory.c:5986 [inline]
>>  handle_mm_fault+0x15a7/0x1bb0 mm/memory.c:6183
>>  do_user_addr_fault arch/x86/mm/fault.c:1338 [inline]
>>  handle_page_fault arch/x86/mm/fault.c:1481 [inline]
>>  exc_page_fault+0x459/0x8b0 arch/x86/mm/fault.c:1539
>>  asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
>>
>> Freed by task 6071:
>>  kasan_save_stack mm/kasan/common.c:47 [inline]
>>  kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
>>  kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:576
>>  poison_slab_object mm/kasan/common.c:247 [inline]
>>  __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
>>  kasan_slab_free include/linux/kasan.h:233 [inline]
>>  slab_free_hook mm/slub.c:2338 [inline]
>>  slab_free mm/slub.c:4598 [inline]
>>  kmem_cache_free+0x195/0x410 mm/slub.c:4700
>>  pagetable_pte_dtor include/linux/mm.h:3009 [inline]
>
> OK, so the problem is that ptdesc->ptl is not freed via RCU:
>
> ___pte_free_tlb
> --> pagetable_pte_dtor
>     --> ptlock_free
>         --> kmem_cache_free (free immediately!)
>     paravirt_tlb_remove_table
>     --> free PTE page via RCU
>
> In retract_page_tables(), it calls pte_free_defer() to free
> ptdesc->ptl and PTE page via RCU, so there is no problem.
>
> To fix it, will also free ptdesc->ptl in ptlock_free() via RCU.
>
>>  ___pte_free_tlb+0x2b/0x140 arch/x86/mm/pgtable.c:63
>>  __pte_free_tlb arch/x86/include/asm/pgalloc.h:61 [inline]
>>  free_pte+0x142/0x190 mm/pt_reclaim.c:31
>>  zap_pte_range mm/memory.c:1780 [inline]
>>  zap_pmd_range mm/memory.c:1822 [inline]
>>  zap_pud_range mm/memory.c:1851 [inline]
>>  zap_p4d_range mm/memory.c:1872 [inline]
>>  unmap_page_range+0x4062/0x48d0 mm/memory.c:1893
>>  zap_page_range_single+0x45c/0x630 mm/memory.c:2018
>>  madvise_dontneed_single_vma mm/madvise.c:859 [inline]
>>  madvise_dontneed_free mm/madvise.c:940 [inline]
>>  madvise_vma_behavior mm/madvise.c:1270 [inline]
>>  madvise_walk_vmas mm/madvise.c:1502 [inline]
>>  do_madvise+0x2774/0x4d90 mm/madvise.c:1689
>>  __do_sys_madvise mm/madvise.c:1705 [inline]
>>  __se_sys_madvise mm/madvise.c:1703 [inline]
>>  __x64_sys_madvise+0xa6/0xc0 mm/madvise.c:1703
>>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>>  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>>
>> The buggy address belongs to the object at ffff888034718960
>>  which belongs to the cache page->ptl of size 64
>> The buggy address is located 24 bytes inside of
>>  freed 64-byte region [ffff888034718960, ffff8880347189a0)
>>
>> The buggy address belongs to the physical page:
>> page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x34718
>> flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
>> page_type: f5(slab)
>> raw: 00fff00000000000 ffff88801ac4f780 dead000000000122 0000000000000000
>> raw: 0000000000000000 00000000802a002a 00000000f5000000 0000000000000000
>> page dumped because: kasan: bad access detected
>> page_owner tracks the page as allocated
>> page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5823, tgid 5823 (syz-executor352), ts 65548803787, free_ts 65433386693
>>  set_page_owner include/linux/page_owner.h:32 [inline]
>>  post_alloc_hook+0x1f4/0x240 mm/page_alloc.c:1549
>>  prep_new_page mm/page_alloc.c:1557 [inline]
>>  get_page_from_freelist+0x365c/0x37a0 mm/page_alloc.c:3475
>>  __alloc_frozen_pages_noprof+0x292/0x710 mm/page_alloc.c:4752
>>  alloc_pages_mpol+0x30e/0x550 mm/mempolicy.c:2270
>>  alloc_slab_page mm/slub.c:2408 [inline]
>>  allocate_slab+0x8f/0x3a0 mm/slub.c:2574
>>  new_slab mm/slub.c:2627 [inline]
>>  ___slab_alloc+0xc27/0x14a0 mm/slub.c:3815
>>  __slab_alloc+0x58/0xa0 mm/slub.c:3905
>>  __slab_alloc_node mm/slub.c:3980 [inline]
>>  slab_alloc_node mm/slub.c:4141 [inline]
>>  kmem_cache_alloc_noprof+0x268/0x380 mm/slub.c:4160
>>  ptlock_alloc mm/memory.c:7026 [inline]
>>  ptlock_init include/linux/mm.h:2971 [inline]
>>  pmd_ptlock_init include/linux/mm.h:3078 [inline]
>>  pagetable_pmd_ctor include/linux/mm.h:3116 [inline]
>>  pmd_alloc_one_noprof include/asm-generic/pgalloc.h:141 [inline]
>>  __pmd_alloc+0x10b/0x670 mm/memory.c:6436
>>  pmd_alloc include/linux/mm.h:2862 [inline]
>>  copy_pmd_range+0x7352/0x77a0 mm/memory.c:1241
>>  copy_pud_range mm/memory.c:1298 [inline]
>>  copy_p4d_range mm/memory.c:1322 [inline]
>>  copy_page_range+0x99f/0xe90 mm/memory.c:1420
>>  dup_mmap kernel/fork.c:751 [inline]
>>  dup_mm kernel/fork.c:1693 [inline]
>>  copy_mm+0x12d2/0x2060 kernel/fork.c:1742
>>  copy_process+0x1845/0x3d80 kernel/fork.c:2393
>>  kernel_clone+0x226/0x8e0 kernel/fork.c:2805
>>  __do_sys_clone kernel/fork.c:2948 [inline]
>>  __se_sys_clone kernel/fork.c:2932 [inline]
>>  __x64_sys_clone+0x258/0x2a0 kernel/fork.c:2932
>>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>>  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
>> page last free pid 6052 tgid 6051 stack trace:
>>  reset_page_owner include/linux/page_owner.h:25 [inline]
>>  free_pages_prepare mm/page_alloc.c:1127 [inline]
>>  free_frozen_pages+0xe0d/0x10e0 mm/page_alloc.c:2658
>>  __folio_put+0x2b3/0x360 mm/swap.c:112
>>  __tlb_remove_table arch/x86/include/asm/tlb.h:34 [inline]
>>  __tlb_remove_table_free mm/mmu_gather.c:227 [inline]
>>  tlb_remove_table_rcu+0x76/0xf0 mm/mmu_gather.c:282
>>  rcu_do_batch kernel/rcu/tree.c:2567 [inline]
>>  rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823
>>  handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561
>>  __do_softirq kernel/softirq.c:595 [inline]
>>  invoke_softirq kernel/softirq.c:435 [inline]
>>  __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662
>>  irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
>>  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
>>  sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049
>>  asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
>>
>> Memory state around the buggy address:
>>  ffff888034718800: 00 00 00 00 fc fc fc fc 00 00 00 00 00 00 00 00
>>  ffff888034718880: fc fc fc fc 00 00 00 00 00 00 00 00 fc fc fc fc
>>> ffff888034718900: 00 00 00 00 00 00 00 00 fc fc fc fc fa fb fb fb
>>                                                                  ^
>>  ffff888034718980: fb fb fb fb fc fc fc fc fa fb fb fb fb fb fb fb
>>  ffff888034718a00: fc fc fc fc 00 00 00 00 00 00 00 00 fc fc fc fc
>> ==================================================================
>>
>>
>> ---
>> This report is generated by a bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for more information about syzbot.
>> syzbot engineers can be reached at syzkaller@googlegroups.com.
>>
>> syzbot will keep track of this issue. See:
>> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>>
>> If the report is already addressed, let syzbot know by replying with:
>> #syz fix: exact-commit-title
>>
>> If you want syzbot to run the reproducer, reply with:
>> #syz test: git://repo/address.git branch-or-commit-hash
>> If you attach or paste a git patch, syzbot will apply it before testing.

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm.git mm-unstable

diff --git a/mm/memory.c b/mm/memory.c
index 1fc1f14839916..15f058f5091b6 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -7014,7 +7014,7 @@ static struct kmem_cache *page_ptl_cachep;
 void __init ptlock_cache_init(void)
 {
 	page_ptl_cachep = kmem_cache_create("page->ptl", sizeof(spinlock_t), 0,
-			SLAB_PANIC, NULL);
+			SLAB_PANIC|SLAB_TYPESAFE_BY_RCU, NULL);
 }
 
 bool ptlock_alloc(struct ptdesc *ptdesc)

>>
>> If you want to overwrite report's subsystems, reply with:
>> #syz set subsystems: new-subsystem
>> (See the list of subsystem names on the web dashboard)
>>
>> If the report is a duplicate of another one, reply with:
>> #syz dup: exact-subject-of-another-report
>>
>> If you want to undo deduplication, reply with:
>> #syz undup
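Review bot: the switch from the approach announced in the quoted reply ("free ptdesc->ptl in ptlock_free() via RCU") to SLAB_TYPESAFE_BY_RCU on page_ptl_cachep in the mm/memory.c hunk needs a justification in the patch description, because the two are not equivalent: SLAB_TYPESAFE_BY_RCU only keeps the slab memory type-stable across a grace period, it does not stop kmem_cache_free() from handing the same spinlock_t straight back to the next ptlock_alloc(), where ptlock_init() (visible in the allocation stack) reinitialises it while the move_pages_pte() caller from the report may still be spinning on it. Please either document why a caller that acquires a recycled lock is safe (for instance by re-validating the PTE table it meant to lock once it holds the lock) or keep the deferred free. The eventual submission also needs the Reported-by: syzbot+1c58afed1cfd2f57efee@syzkaller.appspotmail.com and Fixes: 5b29c4156f58 tags the quoted report asks for; a bare #syz test diff carries neither.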