From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id E6922C47071 for ; Thu, 16 Nov 2023 07:40:08 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 40A336B00D9; Thu, 16 Nov 2023 02:40:08 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 3B9876B03FB; Thu, 16 Nov 2023 02:40:08 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 2A8D26B0420; Thu, 16 Nov 2023 02:40:08 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0011.hostedemail.com [216.40.44.11]) by kanga.kvack.org (Postfix) with ESMTP id 1C7EE6B00D9 for ; Thu, 16 Nov 2023 02:40:08 -0500 (EST) Received: from smtpin09.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay07.hostedemail.com (Postfix) with ESMTP id ED3171602B7 for ; Thu, 16 Nov 2023 07:40:07 +0000 (UTC) X-FDA: 81463018854.09.6E5993A Received: from mail-yb1-f181.google.com (mail-yb1-f181.google.com [209.85.219.181]) by imf17.hostedemail.com (Postfix) with ESMTP id 2D4834000C for ; Thu, 16 Nov 2023 07:40:05 +0000 (UTC) Authentication-Results: imf17.hostedemail.com; dkim=pass header.d=google.com header.s=20230601 header.b=OEDhQomt; dmarc=pass (policy=reject) header.from=google.com; spf=pass (imf17.hostedemail.com: domain of hughd@google.com designates 209.85.219.181 as permitted sender) smtp.mailfrom=hughd@google.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1700120406; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=3XYrQdmJabhQq1WXoge8RXAC/vRLuqHvLCc6AkfpfcU=; b=k+U1d05EL8CiZ5oeWkezpjKd7nxysHuIWk86/FQPGS7BpblHDvp/KU1WKkQXXokULgyDHR oJ40Lo+gpjZ27qgsKy1x59TCWBscyLEWyuXsySywh+fLyjDwQ8M6dLm8qLlklb8K9MAiDn dtiyLmXPhgGvtv+qCaahFSLD76+TnGA= ARC-Authentication-Results: i=1; imf17.hostedemail.com; dkim=pass header.d=google.com header.s=20230601 header.b=OEDhQomt; dmarc=pass (policy=reject) header.from=google.com; spf=pass (imf17.hostedemail.com: domain of hughd@google.com designates 209.85.219.181 as permitted sender) smtp.mailfrom=hughd@google.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1700120406; a=rsa-sha256; cv=none; b=oueEozb9GfTlr6iS2+WQJJuWbQv9ganAHe3fhEGKzjvhlvbwCRFM3rTunUX5hPzMLasyEo LUZoqD0x3DjKWpZr6Bm2v+r64hXxhcnxVgjdJWm3dBHAbATnVOBJiZ1JPAtsR1Bd1LnOd7 HZFQwqfKB9j+YakTWjtDCW2/4sM2XRg= Received: by mail-yb1-f181.google.com with SMTP id 3f1490d57ef6-daf4f0e3a0fso455093276.1 for ; Wed, 15 Nov 2023 23:40:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1700120405; x=1700725205; darn=kvack.org; h=mime-version:references:message-id:in-reply-to:subject:cc:to:from :date:from:to:cc:subject:date:message-id:reply-to; bh=3XYrQdmJabhQq1WXoge8RXAC/vRLuqHvLCc6AkfpfcU=; b=OEDhQomtc+b85khiZCIl1qKoR0HRiAUk89vzZcr7GcNMF4x7Od66iUWvQ9HXHgnB7w C+Eap52Qps4sm0Gl+mdLlmOZ0ao5k76AmJAh/w0d48Yny7EVa/QjcuuM3ntjHTi8o+Bj Fk4I3qufBZ9M9RoilzkjZI9HSwpDxaH89Ie/Vq32McO9zjHDsfJvnmMioA5jUZISBjU5 R2gAaLAI0sX+34N23ug+EXZ3zjoATks18kHTZ5Kbg8jKWSaKyG6NjRdwhCHTEZlp4Tq7 iE8BlAwsQ8KI/04LoF1eiv2FEg5zhzI5hSpRsILr+Hacn6By6+HooHj4h2ETOU0Scz77 qD5Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700120405; x=1700725205; h=mime-version:references:message-id:in-reply-to:subject:cc:to:from :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=3XYrQdmJabhQq1WXoge8RXAC/vRLuqHvLCc6AkfpfcU=; b=UiUWNdulziX8hC5mT2iF7hCNGljRSYLH2ZAtt6Co9dPc7k1FU09H5rX/+Y3eVu/0Xq hJCF4a2xTYkD17TAFi7DNTo8AeBARpzkd6y6ZC+V1KFebIuDSQgmPjb8/X6+WPnIysnx 5fpespbZgPT5Uetvyig294HZ6VM/49PLjfLDGAf19gAxZbJBYVBj/8jSuaN0v0bCawdU XxuIFNUWZVpFmD8AnZK8ScvnyisjXIsNbUb96rFJIFyxbNZEaDAqs8TBQZgusYjRT/TB WZXNtY/H5zGy/fqSya4LxoWk8+zM3wCjHQJSReeg50g6/XKWbR2YkvjRUeE3HG4rba4b JbzA== X-Gm-Message-State: AOJu0YwFxuiSQQ8qW0JUbXRhY9tL4m0/hNXmjPCfJ0ITP0dy6MR4B1GV Pq3rOICq//hN4nwFMyxaL4Nh+A== X-Google-Smtp-Source: AGHT+IEo5B/VhZW5obgiD5HYKqE738NPiAOf7BmZyJeNGSUUZxxyApujezlldFz6BcWvP9gOv0vP3w== X-Received: by 2002:a25:d3c3:0:b0:da1:13b7:8a87 with SMTP id e186-20020a25d3c3000000b00da113b78a87mr15185339ybf.15.1700120405134; Wed, 15 Nov 2023 23:40:05 -0800 (PST) Received: from ripple.attlocal.net (172-10-233-147.lightspeed.sntcca.sbcglobal.net. [172.10.233.147]) by smtp.gmail.com with ESMTPSA id d131-20020a254f89000000b00d9a4aad7f40sm757225ybb.24.2023.11.15.23.40.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 15 Nov 2023 23:40:04 -0800 (PST) Date: Wed, 15 Nov 2023 23:39:54 -0800 (PST) From: Hugh Dickins X-X-Sender: hugh@ripple.attlocal.net To: syzbot cc: akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, jose.pekkarinen@foxhound.fi, willy@infradead.org, jannh@google.com, hughd@google.com Subject: Re: [syzbot] [mm?] BUG: unable to handle kernel paging request in __pte_offset_map_lock In-Reply-To: <0000000000005e44550608a0806c@google.com> Message-ID: References: <0000000000005e44550608a0806c@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-Rspamd-Server: rspam09 X-Rspamd-Queue-Id: 2D4834000C X-Stat-Signature: xi7txtbzi4a9g86mymdxs5xnabzfe4ja X-Rspam-User: X-HE-Tag: 1700120405-924638 X-HE-Meta: U2FsdGVkX1/yHawYt6TnnCs/eq7Np7GPZiFhhhkA5ZcaQOFoSK9BqpDRPpqIDG2o4/jxn+Ztyjc85CVS13n8JaeCVfh8ZIMxDSJj+CXPK3D2f2Dz2q+/7Y2e/OZxTW8TpvZTNl+WomQA1gBJP4zuypcvSrZalEla2BcGDWEWO9PGfq2t45VbYTQw4hcf01QrTqJJFG5VYMNJRCb5b1ziTz8k8Rtkd7tUYR54CVeCRoOYqIft7+fesBfNByy53UUh8+SgitE5RHlymAtSfsOoqtCYaknlcBkDbECnr1B0/J8LkUfipeFs0DqIqDcyzuSlCT/k7iiw4rqc8Ydz9r58Rfadz9D3ykOC1tVeA6MIe8154mHont4bVthrASzQRQwqfanK2uDEZr0GxyF/1yvUHs0Rewtynidgg9MMIeeCjGHLrUz44g3137xM2IcFLw5oZr8Oq+IpmOxp8rNE2kjy+JXVy3jLzhD6Z1/UtZi+rAuGmzcEu+LUqEav5bRxPH3C5Sz0IxxDXz51ikApNZl40Rrj2s4uK4/iPPO8vbohN9Oi24NftGqXAu5yg6r8/tmCW9hwMa8WYua0Xy9gYFHAFQN2h8A8Q3UbvNWBdl786iaBttOZ6/t55/rPEmmDE8Gr37tWWRvWsspuAxSTyPJr5EtEVfk257d0LG789YB+ALRfTX9iDCpKPEMgKmiJuzTmIPGg4XfEZlyoo2L4+4Czc53XBQ0lWSMpTATKN/5irdG77NbL+suzEA7BZwadMyEZlxJs2+FpEQg/MY9eTZfWXbM0/ikOgTwSEtn9dg1EL0+48cR2qZGVCBrRnRv8QodhDbs/TEWzscP97aOFW+8VAEcL8V9RtdlpJ6vFcQSVTSuiAD2Sv7gaFfVlCkeaevoSLC9PuolylJQqdDhyjMmpMw3cwltOhMI93Fd2fbCwWgNO2WWjMic/rPcEDhIIoYWdckrSB/sub1+LMcmatj6 x4mxkNUO uYwtyKrrq4P+iFB10rMMThAFYiKUcJTQBgslbIGqpf7RoEMmWJinK4RXheNhb+//S5Ai1aolxTThasQHDwKgYWaWmng+acHOXpKQX2ziwGZm4UtGafUUX84XAb9ov+7AbTE62Z2RZLoykxWUvnPne2OaTvIXmNcMQ/aS1frwRtqQkSEawzWEHvfcA5cGQ/nb/F/iDcMa6KC44iUnBA5WBqKPlzqBXSCWbkcNMBBaHz4Dr5HmPbsGhWobpo2/v7glpNemmodYZfqXAdGvM7OHQ8luW6cDQBoNRULvmde9rANo/XgyeqKxcAeBx5HxczY9zVfbSUDNfo/q2T9Fh2PHo+LS7UWo/nsclCS5FQhXSeHU7GREniVuVB7AzPDTGlYZBZm2iwJaxhtfTesCWatnEFPIdrV8KoZ015CWBC0lo5gD6AbpMP7mFbwVdwY3X9tpRVBiVGBfIRFWYFvMiU799hlR+uKDrtJbIM7YJtsundFs5umS9PoAHbWj0lKUuIzryMFJvlvuxo4QEkeZmq60IrwzZ/1wO/ZqcO3/XtvUPYr0w//Ayr39+x4rLoDHGqbL+ZFxbKSQgRA+ZIycb/JEHvWWsEHbMx18Oy7b5vJwf9VsZBiEUB8rqGcNzIv4nJ5+PD/Eb0zy4dHluHpwGuTFQwFrwjHvfBQBpuyMZjhk5JWakUZsL2ZeGsm/GpaoeaU6wYXLZgbonNuhShSdmyyGYwsLtWBkWtS756T8YCUa3r5JUqfceevvjQJxrTAfRPVG91S4ieVocMD/CF9HAtCy692EHDndeQ2QkbjijsrXpJXHkOs3GvriUYbNljnj/VC3S/QxACDQw5uvzGnXAsae7HvTYTqvDyHHpPlyE1mhcogXhzcBbRiaO0NcI4wcZ6us2OxlLCJkWQqnnvR+bVo/yQjzjECuBUvmlvsQ1THyL3MUbWODC67KIw3Fk81OGlbRYCZHF5pHDkV/L2BXIvy+DWsn3ojKs dS2E7O27 k349iOF54xaVvk4UqVJEjReByc1U+gp1QmdXfAvGMLUYW79jFWKxSZ9UHuuzLNrcSqlbqjcizF+NhrP67FOqUSSXAj1lTw8jOnykoUK/l8RmywNzjBXJhkkaBba+kzt6qOlbPOJYaC1L9EzVewjO7M9OUirvbdVwpeZBmX/uzNC53yG3dA5H/TAV982Lozns998lZ6lKpVT2z4xMPS9BEpj2nnzNXP6wODshW01/0gSqi2/99xDwtg== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On Thu, 26 Oct 2023, syzbot wrote: > Hello, > > syzbot found the following issue on: > > HEAD commit: 78124b0c1d10 Merge branch 'for-next/core' into for-kernelci > git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci > console output: https://syzkaller.appspot.com/x/log.txt?x=111b0e71680000 > kernel config: https://syzkaller.appspot.com/x/.config?x=f27cd6e68911e026 > dashboard link: https://syzkaller.appspot.com/bug?extid=89edd67979b52675ddec > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 > userspace arch: arm64 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16b8e671680000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=125a9df5680000 > > Downloadable assets: > disk image: https://storage.googleapis.com/syzbot-assets/bd512de820ae/disk-78124b0c.raw.xz > vmlinux: https://storage.googleapis.com/syzbot-assets/a47a437b1d4f/vmlinux-78124b0c.xz > kernel image: https://storage.googleapis.com/syzbot-assets/3ae8b966bcd7/Image-78124b0c.gz.xz > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > Reported-by: syzbot+89edd67979b52675ddec@syzkaller.appspotmail.com > > Unable to handle kernel paging request at virtual address dfff800000000004 > KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027] > Mem abort info: > ESR = 0x0000000096000005 > EC = 0x25: DABT (current EL), IL = 32 bits > SET = 0, FnV = 0 > EA = 0, S1PTW = 0 > FSC = 0x05: level 1 translation fault > Data abort info: > ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 > CM = 0, WnR = 0, TnD = 0, TagAccess = 0 > GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 > [dfff800000000004] address between user and kernel address ranges > Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP > Modules linked in: > CPU: 0 PID: 7952 Comm: syz-executor682 Not tainted 6.6.0-rc6-syzkaller-g78124b0c1d10 #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023 > pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) > pc : __lock_acquire+0x104/0x75e8 kernel/locking/lockdep.c:5004 > lr : lock_acquire+0x23c/0x71c kernel/locking/lockdep.c:5753 > sp : ffff800098f26d40 > x29: ffff800098f27000 x28: ffff8000808df4bc x27: ffff7000131e4e18 > x26: 1ffff00011c340b9 x25: 0000000000000000 x24: 0000000000000000 > x23: ffff7000131e4dd0 x22: 0000000000000000 x21: 0000000000000000 > x20: 0000000000000000 x19: 0000000000000022 x18: ffff800098f27750 > x17: 0000ffff833dafff x16: ffff80008a632120 x15: 0000000000000001 > x14: ffff80008e1a05d0 x13: ffff800098f26e80 x12: dfff800000000000 > x11: ffff800080319468 x10: ffff80008e1a05cc x9 : 00000000000000f3 > x8 : 0000000000000004 x7 : ffff8000808df4bc x6 : 0000000000000000 > x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000 > x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000022 > Call trace: > __lock_acquire+0x104/0x75e8 kernel/locking/lockdep.c:5004 > lock_acquire+0x23c/0x71c kernel/locking/lockdep.c:5753 > __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] > _raw_spin_lock+0x48/0x60 kernel/locking/spinlock.c:154 > spin_lock include/linux/spinlock.h:351 [inline] > __pte_offset_map_lock+0x154/0x360 mm/pgtable-generic.c:373 > pte_offset_map_lock include/linux/mm.h:2939 [inline] > filemap_map_pages+0x698/0x11f0 mm/filemap.c:3582 > do_fault_around mm/memory.c:4525 [inline] > do_read_fault mm/memory.c:4558 [inline] > do_fault mm/memory.c:4705 [inline] > do_pte_missing mm/memory.c:3669 [inline] > handle_pte_fault mm/memory.c:4978 [inline] > __handle_mm_fault mm/memory.c:5119 [inline] > handle_mm_fault+0x326c/0x49fc mm/memory.c:5284 > faultin_page mm/gup.c:956 [inline] > __get_user_pages+0x3e0/0xa24 mm/gup.c:1239 > populate_vma_page_range+0x254/0x328 mm/gup.c:1666 > __mm_populate+0x240/0x3d8 mm/gup.c:1775 > mm_populate include/linux/mm.h:3305 [inline] > vm_mmap_pgoff+0x2bc/0x3d4 mm/util.c:551 > ksys_mmap_pgoff+0xd0/0x5b0 mm/mmap.c:1400 > __do_sys_mmap arch/arm64/kernel/sys.c:28 [inline] > __se_sys_mmap arch/arm64/kernel/sys.c:21 [inline] > __arm64_sys_mmap+0xf8/0x110 arch/arm64/kernel/sys.c:21 > __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] > invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51 > el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136 > do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155 > el0_svc+0x54/0x158 arch/arm64/kernel/entry-common.c:678 > el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696 > el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595 > Code: b006f948 b943a108 34000208 d343fe68 (386c6908) > ---[ end trace 0000000000000000 ]--- > ---------------- > Code disassembly (best guess): > 0: b006f948 adrp x8, 0xdf29000 > 4: b943a108 ldr w8, [x8, #928] > 8: 34000208 cbz w8, 0x48 > c: d343fe68 lsr x8, x19, #3 > * 10: 386c6908 ldrb w8, [x8, x12] <-- trapping instruction > > > --- > This report is generated by a bot. It may contain errors. > See https://goo.gl/tpsmEJ for more information about syzbot. > syzbot engineers can be reached at syzkaller@googlegroups.com. > > syzbot will keep track of this issue. See: > https://goo.gl/tpsmEJ#status for how to communicate with syzbot. > > If the bug is already fixed, let syzbot know by replying with: > #syz fix: exact-commit-title > > If you want syzbot to run the reproducer, reply with: > #syz test: git://repo/address.git branch-or-commit-hash > If you attach or paste a git patch, syzbot will apply it before testing. > > If you want to overwrite bug's subsystems, reply with: > #syz set subsystems: new-subsystem > (See the list of subsystem names on the web dashboard) > > If the bug is a duplicate of another bug, reply with: > #syz dup: exact-subject-of-another-report > > If you want to undo deduplication, reply with: > #syz undup Okay, let's try again by replying to the full orginal report (see thread Matthew linked to for discussion leading to this): #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git b85ea95d086471afb4ad062012a4d73cd328fa86 Subject: [PATCH] mm/pgtable: smp_rmb() to match smp_wmb() in pmd_install() Not-Yet-Signed-off-by: Hugh Dickins --- mm/memory.c | 2 ++ mm/pgtable-generic.c | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/mm/memory.c b/mm/memory.c index 1f18ed4a5497..8939357f1509 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -425,6 +425,8 @@ void pmd_install(struct mm_struct *mm, pmd_t *pmd, pgtable_t *pte) * being the notable exception) will already guarantee loads are * seen in-order. See the alpha page table accessors for the * smp_rmb() barriers in page table walking code. + * + * See __pte_offset_map() for the smp_rmb() at the pte level. */ smp_wmb(); /* Could be smp_wmb__xxx(before|after)_spin_lock */ pmd_populate(mm, pmd, *pte); diff --git a/mm/pgtable-generic.c b/mm/pgtable-generic.c index 4fcd959dcc4d..3330b666e9c3 100644 --- a/mm/pgtable-generic.c +++ b/mm/pgtable-generic.c @@ -297,6 +297,11 @@ pte_t *__pte_offset_map(pmd_t *pmd, unsigned long addr, pmd_t *pmdvalp) pmd_clear_bad(pmd); goto nomap; } + /* + * Pair with the smp_wmb() in pmd_install(): make sure that the + * page table lock and page table contents are visibly initialized. + */ + smp_rmb(); return __pte_map(&pmdval, addr); nomap: rcu_read_unlock(); -- 2.35.3